Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The following procedure restricts the Domain Name System (DNS) resource records that the Net Logon service registers. It applies only to Active Directory domain controllers.
Warning
It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry, use extreme caution.
Administrative credentials
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as command to perform this procedure.
To restrict the DNS resource records that are updated by Net Logon
Open Registry Editor.
In Registry Editor, navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Add the following multistring (REG_MULTI_SZ) value:
DnsAvoidRegisterRecords
In this value, specify the data values (one per line) that correspond to the DNS resource records that the Net Logon service should not register for this domain controller. The following table lists the data values.
| Data Value | Resource Record Type | DNS Resource Record |
|---|---|---|
| LdapIpAddress | A | DnsDomainName |
| Ldap | SRV | _ldap._tcp.DnsDomainName |
| LdapAtSite | SRV | _ldap._tcp.SiteName._sites.DnsDomainName |
| Pdc | SRV | _ldap._tcp.pdc._msdcs.DnsDomainName |
| Gc | SRV | _ldap._tcp.gc._msdcs.DnsForestName |
| GcAtSite | SRV | _ldap._tcp.SiteName._sites.gc._msdcs.DnsForestName |
| DcByGuid | SRV | _ldap._tcp.DomainGuid.domains._msdcs.DnsForestName |
| GcIpAddress | A | _gc._msdcs.DnsForestName |
| DsaCname | CNAME | DsaGuid._msdcs.DnsForestName |
| Kdc | SRV | _kerberos._tcp.dc._msdcs.DnsDomainName |
| KdcAtSite | SRV | _kerberos._tcp.dc._msdcs.SiteName._sites.DnsDomainName |
| Dc | SRV | _ldap._tcp.dc._msdcs.DnsDomainName |
| DcAtSite | SRV | _ldap._tcp.SiteName._sites.dc._msdcs.DnsDomainName |
| Rfc1510Kdc | SRV | _kerberos._tcp.DnsDomainName |
| Rfc1510KdcAtSite | SRV | _kerberos._tcp.SiteName._sites.DnsDomainName |
| GenericGc | SRV | _gc._tcp.DnsForestName |
| GenericGcAtSite | SRV | _gc._tcp.SiteName._sites.DnsForestName |
| Rfc1510UdpKdc | SRV | _kerberos._udp.DnsDomainName |
| Rfc1510Kpwd | SRV | _kpasswd._tcp.DnsDomainName |
| Rfc1510UdpKpwd | SRV | _kpasswd._udp.DnsDomainName |
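The same registry change can be made without Registry Editor. The following PowerShell script is an added example, not part of the original procedure or a Microsoft-provided tool; it assumes it is run in an elevated session on the domain controller itself, with PowerShell 2.0 or later. It validates the chosen mnemonics against the table above before writing them, so a misspelled entry (for example `SiteNam` instead of a real mnemonic) never reaches the registry, then reads the value back to confirm it was stored as REG_MULTI_SZ. The list in `$ToAvoid` is a constructed sample; replace it with the records your domain controller should not register.

```powershell
# Added example: set the Netlogon DnsAvoidRegisterRecords value with PowerShell.
# Assumptions: elevated session on the domain controller, PowerShell 2.0 or later.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ValueName = 'DnsAvoidRegisterRecords'

# Every mnemonic the value accepts, taken from the table on this page.
$KnownMnemonics = @(
    'LdapIpAddress', 'Ldap', 'LdapAtSite', 'Pdc', 'Gc', 'GcAtSite', 'DcByGuid',
    'GcIpAddress', 'DsaCname', 'Kdc', 'KdcAtSite', 'Dc', 'DcAtSite',
    'Rfc1510Kdc', 'Rfc1510KdcAtSite', 'GenericGc', 'GenericGcAtSite',
    'Rfc1510UdpKdc', 'Rfc1510Kpwd', 'Rfc1510UdpKpwd'
)

# Constructed sample: records this domain controller should NOT register.
# One mnemonic per element; each becomes one line of the REG_MULTI_SZ value.
$ToAvoid = @('LdapIpAddress', 'GcIpAddress', 'DcByGuid')

# Catch typos before they reach the registry: Net Logon cannot act on an
# unknown mnemonic, and the registry editor does not validate the data.
$Unknown = @($ToAvoid | Where-Object { $KnownMnemonics -notcontains $_ })
if ($Unknown.Count -gt 0) {
    throw "Unknown DnsAvoidRegisterRecords mnemonic(s): $($Unknown -join ', ')"
}

# Record the current setting (if any) so the change is auditable.
$Current = (Get-ItemProperty -Path $KeyPath -Name $ValueName `
            -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $Current) {
    Write-Host "$ValueName is not set yet."
} else {
    Write-Host "Current $ValueName : $($Current -join ', ')"
}

# Create the multistring value, or overwrite it if it already exists.
if ($null -eq $Current) {
    New-ItemProperty -Path $KeyPath -Name $ValueName `
        -PropertyType MultiString -Value $ToAvoid | Out-Null
} else {
    Set-ItemProperty -Path $KeyPath -Name $ValueName `
        -Type MultiString -Value $ToAvoid
}

# Read the value back and verify both its type and its contents.
$Key   = Get-Item -Path $KeyPath
$Kind  = $Key.GetValueKind($ValueName)
$After = $Key.GetValue($ValueName)
if ($Kind -ne 'MultiString') {
    throw "$ValueName was stored as $Kind, expected MultiString (REG_MULTI_SZ)."
}
if (Compare-Object -ReferenceObject $ToAvoid -DifferenceObject $After) {
    throw "Readback of $ValueName does not match the requested list."
}
Write-Host "$ValueName now contains: $($After -join ', ')"
```

Because Net Logon picks the value up on its own, no service restart is needed after running the script; the readback at the end confirms only that the registry is correct, and the DNS zone itself should be checked after the delay described in the notes below.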
Notes
To open Registry Editor, click Start, click Run, type regedit, and then click OK.
Restarting the Net Logon service is not required to make changes to this value effective. If the DnsAvoidRegisterRecords registry value is created or modified while the Net Logon service is stopped, or within the first 15 minutes after it is started, the appropriate DNS updates may take place with a short delay. However, the delay is no longer than 15 minutes after the Net Logon service starts.