Disable NS resource record registration

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The following procedure restricts the name server (NS) resource records that are registered so that only those for Active Directory domain controllers remain. You can perform this procedure by using the Registry Editor or by using the Dnscmd command-line tool.

To configure the Domain Name System (DNS) server to automatically add NS resource records for itself when it loads a zone, assign a value of 0x0 to the registry entry or leave it without a value (the default setting). This has the same effect as not creating the DisableNSRecordsAutoCreation registry entry.

If you configure the registry to restrict the DNS server from registering NS resource records for authoritative zones, any existing NS resource records for the authoritative zones that are located on the DNS server are deleted automatically.

Regardless of the setting of this registry entry, query responses that the authoritative DNS server sends to DNS clients still indicate that they come from an authoritative DNS server.

The registry entry that is described in this procedure does not exist by default. It must be created and configured as described in this procedure.

Warning

It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry, use extreme caution.

Administrative credentials

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as command to perform this procedure.

Disabling NS resource record registration

  • Using the Windows interface

  • Using the command line

To disable NS resource record registration using the Windows interface

  1. Open Registry Editor.

  2. In Registry Editor, navigate to the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

  3. Add the following REG_DWORD value:

    DisableNSRecordsAutoCreation

  4. Assign a value of 0x1.

    The REG_DWORD value is a local DNS server setting, and it applies to DNS zones for which this DNS server is authoritative.

Note

To open Registry Editor, click Start, click Run, type regedit, and then click OK.

To disable NS resource record registration using the command line

  • At a command prompt, type the following command, and then press ENTER:

    dnscmd ServerName /Config /DisableNSRecordsAutoCreation 0x1

    Value                          Description

    ServerName                     Specifies the DNS host name of the DNS server. You can also type the Internet Protocol (IP) address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

    /DisableNSRecordsAutoCreation  Determines the local DNS server configuration for registering NS resource records for authoritative zones.

    0x1                            Specifies that the DNS server that is specified in ServerName should not add NS resource records for authoritative zones. To specify that the DNS server should add NS resource records for all its authoritative zones, type a value of 0x0.
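The following PowerShell script is an added example and is not part of the original article: it records the current setting, keeps a copy of a zone's NS records (which are deleted automatically once the setting is applied), applies the change with the Dnscmd command described above, and verifies the result. It assumes an elevated session on the DNS server itself (ServerName ".") and uses a placeholder zone name that must be replaced.

```powershell
# Added example, not from the original article. Assumptions: run elevated on
# the DNS server itself ("." as ServerName); $Zone is a placeholder for a zone
# this server is authoritative for.
param(
    [string]$Zone = 'example.com'    # placeholder zone name, replace it
)

$Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$Name   = 'DisableNSRecordsAutoCreation'
$Backup = Join-Path $env:TEMP "$Zone-ns-before.txt"

# 1. Read the current state. A missing entry is the default (0x0): the server
#    adds NS resource records for itself whenever it loads a zone.
$current = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
if ($null -eq $current) { $current = 0 }
Write-Host ("Current {0}: 0x{1:X}" -f $Name, $current)

# 2. Keep a copy of the zone's NS records. Existing NS records for authoritative
#    zones are deleted automatically once the setting is applied, so this copy
#    is the reference for checking which name servers remain afterwards.
dnscmd . /EnumRecords $Zone '@' /Type NS | Out-File -FilePath $Backup
Write-Host "NS records for $Zone before the change saved to $Backup"

# 3. Apply the setting to the running server; 0x1 disables auto-creation.
dnscmd . /Config /DisableNSRecordsAutoCreation 0x1

# 4. Verify from both sides: the server's own view of its configuration and the
#    registry entry the procedure describes.
dnscmd . /Info /DisableNSRecordsAutoCreation
$after = (Get-ItemProperty -Path $Key -Name $Name).$Name
if ($after -ne 1) { throw ("{0} is 0x{1:X}, expected 0x1" -f $Name, $after) }

# 5. Show the zone's NS records as they are now, for comparison with $Backup.
dnscmd . /EnumRecords $Zone '@' /Type NS
```

To restore the default behaviour, run the same /Config command with a value of 0x0, as the table above states.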