Restrict the DNS resource records that are updated by Netlogon

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The following procedure restricts the Domain Name System (DNS) resource records that the Net Logon service registers; it applies to Active Directory domain controllers only.

Warning

It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry, use extreme caution.

Administrative credentials

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as command to perform this procedure.

To restrict the DNS resource records that are updated by Netlogon

  1. Open Registry Editor.

  2. In Registry Editor, navigate to the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

  3. Add the following multistring (REG_MULTI_SZ) value:

    DnsAvoidRegisterRecords

  4. In this value, list the data values corresponding to the DNS resource records that the Net Logon service should not register for this domain controller. The following table lists the data values and the records they correspond to.

    Data Value        Resource Record Type   DNS Resource Record
    ----------------  ---------------------  -------------------------------------------------------
    LdapIpAddress     A                      DnsDomainName
    Ldap              SRV                    _ldap._tcp.DnsDomainName
    LdapAtSite        SRV                    _ldap._tcp.SiteName._sites.DnsDomainName
    Pdc               SRV                    _ldap._tcp.pdc._msdcs.DnsDomainName
    Gc                SRV                    _ldap._tcp.gc._msdcs.DnsForestName
    GcAtSite          SRV                    _ldap._tcp.SiteName._sites.gc._msdcs.DnsForestName
    DcByGuid          SRV                    _ldap._tcp.DomainGuid.domains._msdcs.DnsForestName
    GcIpAddress       A                      _gc._msdcs.DnsForestName
    DsaCname          CNAME                  DsaGuid._msdcs.DnsForestName
    Kdc               SRV                    _kerberos._tcp.dc._msdcs.DnsDomainName
    KdcAtSite         SRV                    _kerberos._tcp.dc._msdcs.SiteName._sites.DnsDomainName
    Dc                SRV                    _ldap._tcp.dc._msdcs.DnsDomainName
    DcAtSite          SRV                    _ldap._tcp.SiteName._sites.dc._msdcs.DnsDomainName
    Rfc1510Kdc        SRV                    _kerberos._tcp.DnsDomainName
    Rfc1510KdcAtSite  SRV                    _kerberos._tcp.SiteName._sites.DnsDomainName
    GenericGc         SRV                    _gc._tcp.DnsForestName
    GenericGcAtSite   SRV                    _gc._tcp.SiteName._sites.DnsForestName
    Rfc1510UdpKdc     SRV                    _kerberos._udp.DnsDomainName
    Rfc1510Kpwd       SRV                    _kpasswd._tcp.DnsDomainName
    Rfc1510UdpKpwd    SRV                    _kpasswd._udp.DnsDomainName
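As an added example (not part of the original article), the procedure above carried out in PowerShell on a newer Windows version: the script writes DnsAvoidRegisterRecords so that the domain controller stops registering its site-independent LDAP SRV records while keeping the site-specific ones, reads the value back, and then checks DNS for the expected result. It assumes an elevated session on the domain controller itself, the DnsClient module (Resolve-DnsName) and nltest.exe for the site name; the choice of mnemonics is illustrative.

```powershell
# Added example, not from the original article. Assumes an elevated PowerShell
# session on the domain controller, Resolve-DnsName available, nltest.exe present.
$path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$name = 'DnsAvoidRegisterRecords'

# Mnemonics (from the table above) for the generic, non-site-specific records
# this DC should not register. Illustrative choice; adjust to your design.
$avoid = @('Ldap', 'Gc', 'Kdc', 'Dc', 'Rfc1510Kdc', 'GenericGc',
           'Rfc1510UdpKdc', 'Rfc1510Kpwd', 'Rfc1510UdpKpwd')

# Create or overwrite the REG_MULTI_SZ value; no Net Logon restart is required.
New-ItemProperty -Path $path -Name $name -PropertyType MultiString -Value $avoid -Force | Out-Null

# Read it back exactly as stored so a mistyped mnemonic is caught here, not in DNS.
$stored = @((Get-ItemProperty -Path $path -Name $name).$name)
$bad = $stored | Where-Object { $_ -notin $avoid }
if ($bad) { throw "Unexpected entries in ${name}: $($bad -join ', ')" }
"Stored $($stored.Count) entries in $name"

# Names that replace the table's DnsDomainName and SiteName placeholders.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
$site   = (nltest /dsgetsite)[0].Trim()       # first output line is the site name
$self   = "$env:COMPUTERNAME.$domain"         # this DC's FQDN as it appears in SRV targets

# Expected state once Netlogon has refreshed (up to 15 minutes, see the notes):
# generic records suppressed, site-specific records still present.
$expect = [ordered]@{
    "_ldap._tcp.$domain"                              = $false   # Ldap
    "_ldap._tcp.$site._sites.$domain"                 = $true    # LdapAtSite
    "_ldap._tcp.dc._msdcs.$domain"                    = $false   # Dc
    "_ldap._tcp.$site._sites.dc._msdcs.$domain"       = $true    # DcAtSite
}

foreach ($fqdn in $expect.Keys) {
    $targets = (Resolve-DnsName -Name $fqdn -Type SRV -ErrorAction SilentlyContinue).NameTarget
    $listed  = [bool]($targets -contains $self)   # -contains is case-insensitive
    $state   = if ($listed -eq $expect[$fqdn]) { 'OK' } else { 'MISMATCH' }
    '{0,-8} {1,-60} this DC listed: {2}' -f $state, $fqdn, $listed
}
```

A MISMATCH line immediately after the change usually means Netlogon has not yet refreshed its registrations or the old records have not yet expired from the querying resolver's cache; rerun the check after the delay described in the notes.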

Notes

  • To open Registry Editor, click Start, click Run, type regedit, and then click OK.

  • A restart of the Net Logon service is not required to make changes to this value effective. If the DnsAvoidRegisterRecords registry value is created or modified while the Net Logon service is stopped, or within the first 15 minutes after it is started, the appropriate DNS updates may take place after a short delay. However, the delay is no longer than 15 minutes after the Net Logon service starts.