Restrict DNS resource records updated by Netlogon

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To restrict the DNS resource records updated by the Net Logon service

  1. Open Registry Editor.

    Caution

    • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.
  2. In Registry Editor, navigate to the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

  3. Add the following multi-string (REG_MULTI_SZ) value:

    DnsAvoidRegisterRecords

  4. In this value, specify the list of data values corresponding to the DNS resource records that the Net Logon service should not register for this domain controller. The data values and the records they correspond to are:

    Data Value          Resource Record Type   DNS Resource Record
    LdapIpAddress       A                      <DnsDomainName>
    Ldap                SRV                    _ldap._tcp.<DnsDomainName>
    LdapAtSite          SRV                    _ldap._tcp.<SiteName>._sites.<DnsDomainName>
    Pdc                 SRV                    _ldap._tcp.pdc._msdcs.<DnsDomainName>
    Gc                  SRV                    _ldap._tcp.gc._msdcs.<DnsForestName>
    GcAtSite            SRV                    _ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName>
    DcByGuid            SRV                    _ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>
    GcIpAddress         A                      gc._msdcs.<DnsForestName>
    DsaCname            CNAME                  <DsaGuid>._msdcs.<DnsForestName>
    Kdc                 SRV                    _kerberos._tcp.dc._msdcs.<DnsDomainName>
    KdcAtSite           SRV                    _kerberos._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>
    Dc                  SRV                    _ldap._tcp.dc._msdcs.<DnsDomainName>
    DcAtSite            SRV                    _ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>
    Rfc1510Kdc          SRV                    _kerberos._tcp.<DnsDomainName>
    Rfc1510KdcAtSite    SRV                    _kerberos._tcp.<SiteName>._sites.<DnsDomainName>
    GenericGc           SRV                    _gc._tcp.<DnsForestName>
    GenericGcAtSite     SRV                    _gc._tcp.<SiteName>._sites.<DnsForestName>
    Rfc1510UdpKdc       SRV                    _kerberos._udp.<DnsDomainName>
    Rfc1510Kpwd         SRV                    _kpasswd._tcp.<DnsDomainName>
    Rfc1510UdpKpwd      SRV                    _kpasswd._udp.<DnsDomainName>
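The same change made from the command line, as an added example that is not part of the original article. It writes the DnsAvoidRegisterRecords value described in steps 2 to 4 with PowerShell instead of Registry Editor, rejects any data value that is not one of the mnemonics in the table above, records the existing value before overwriting it, and reads the result back to confirm the type is REG_MULTI_SZ. The two entries chosen in $Suppress (LdapIpAddress and GcIpAddress, the domain-wide and forest-wide A records) are a constructed example of what an administrator might restrict on a domain controller that should not answer generic domain-name lookups; they are not a recommendation from the article. Run it in an elevated session on the domain controller being changed.

```powershell
# Added example (not from the original article): set and verify the
# DnsAvoidRegisterRecords value for the Net Logon service.

$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ValueName      = 'DnsAvoidRegisterRecords'

# Every data value the table above accepts. Anything else would be a typo
# that Net Logon cannot act on, so it is rejected before the registry is touched.
$KnownMnemonics = @(
    'LdapIpAddress', 'Ldap', 'LdapAtSite', 'Pdc', 'Gc', 'GcAtSite', 'DcByGuid',
    'GcIpAddress', 'DsaCname', 'Kdc', 'KdcAtSite', 'Dc', 'DcAtSite',
    'Rfc1510Kdc', 'Rfc1510KdcAtSite', 'GenericGc', 'GenericGcAtSite',
    'Rfc1510UdpKdc', 'Rfc1510Kpwd', 'Rfc1510UdpKpwd'
)

# Constructed example list: suppress the domain-wide and forest-wide A records
# (<DnsDomainName> and gc._msdcs.<DnsForestName>) for this domain controller.
$Suppress = @('LdapIpAddress', 'GcIpAddress')

$unknown = @($Suppress | Where-Object { $KnownMnemonics -notcontains $_ })
if ($unknown.Count -gt 0) {
    throw "Unknown $ValueName entries: $($unknown -join ', ')"
}

# Capture the current value (if any) so the change can be reverted later.
$existing = Get-ItemProperty -Path $NetlogonParams -Name $ValueName -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "Previous $ValueName = $($existing.$ValueName -join ', ')"
} else {
    Write-Host "$ValueName did not exist; creating it."
}

# Write the REG_MULTI_SZ value. -Force overwrites an existing value of the same name.
New-ItemProperty -Path $NetlogonParams -Name $ValueName `
    -PropertyType MultiString -Value $Suppress -Force | Out-Null

# Read back through the RegistryKey object so the stored type can be checked,
# not just the data: a REG_SZ with the same text would be ignored by Net Logon.
$key = Get-Item -Path $NetlogonParams
if ($key.GetValueKind($ValueName) -ne 'MultiString') {
    throw "$ValueName was not written as REG_MULTI_SZ"
}
$written = $key.GetValue($ValueName)
Write-Host "$ValueName now = $($written -join ', ')"
```

As the note below states, the Net Logon service does not need to be restarted; the corresponding DNS records are updated within 15 minutes of the change. To confirm the effect, query the zone for the suppressed record (for example, nslookup -type=A of the domain name against the DNS server) and check that this domain controller's address no longer appears in the answer.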

Important

  • This procedure restricts DNS resource records registered by the Net Logon service for Active Directory domain controllers only.

Notes

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

  • To open Registry Editor, click Start, click Run, type regedit, and then click OK.

  • Restarting the Net Logon service is not required for changes to this value to take effect. If the DnsAvoidRegisterRecords registry value is created or modified while the Net Logon service is stopped, or within the first 15 minutes after it starts, the corresponding DNS updates may take place after a short delay; however, the delay is no longer than 15 minutes after the Net Logon service starts.

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Restrict NS resource record registration
Allow NS record creation for specific domain controllers
Security information for DNS