Restrict NS resource record registration

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To restrict NS resource record registration

  • Using the Windows interface

  • Using a command line

Using the Windows interface

  1. Open Registry Editor.

    Caution

    • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.
  2. In Registry Editor, navigate to the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

  3. Add the following REG_DWORD value:

    DisableNSRecordsAutoCreation

  4. Assign a value of 0x1.

    The REG_DWORD value is a local DNS server setting and applies to DNS zones for which this DNS server is authoritative.

Notes

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

  • To open Registry Editor, click Start, click Run, type regedit, and then click OK.

  • This procedure restricts NS resource records registered for Active Directory domain controllers only.

  • To configure the DNS server to automatically add NS resource records corresponding to itself when loading a zone, you may assign a value of 0x0 or enter no value (default setting). This setting has the same effect as not creating the DisableNSRecordsAutoCreation registry entry.

  • If you have configured the registry to restrict the DNS server from registering NS resource records for authoritative zones, any existing NS resource records for the authoritative zones located on the DNS server are automatically deleted.

  • Regardless of the settings of these registry entries, query responses sent to DNS clients from the authoritative DNS server will indicate that the responses are from an authoritative DNS server.

  • The registry key entry described here does not exist by default and must be created and configured according to this procedure.
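
The registry procedure above, scripted with reg.exe as an added example (not part of the original page). It assumes the script runs locally on the DNS server under an administrative account; the backup file name is a placeholder chosen for this example.

```batch
@echo off
rem Added example (not from the original page): scripted form of the
rem registry procedure, run locally on the DNS server as an administrator.
setlocal
set "KEY=HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters"
set "VALUE=DisableNSRecordsAutoCreation"
rem Assumption: backup location and file name are placeholders chosen here.
set "BACKUP=%TEMP%\dns-parameters-%RANDOM%.reg"

rem Back up the key first, as the Caution in step 1 advises.
reg export "%KEY%" "%BACKUP%" >nul
if errorlevel 1 (
    echo Could not export %KEY%; no changes made.
    exit /b 1
)
echo Backup written to %BACKUP%

rem Report the state before the change. The value does not exist by
rem default; absent or 0x0 means NS records are added automatically.
call :ReadValue
if not defined CURRENT (
    echo Before: %VALUE% not present ^(default, NS records auto-created^)
) else (
    echo Before: %VALUE% = %CURRENT%
)

rem Steps 3 and 4: create the REG_DWORD value and assign 0x1.
reg add "%KEY%" /v %VALUE% /t REG_DWORD /d 1 /f >nul
if errorlevel 1 (
    echo Failed to write %VALUE%; restore from %BACKUP% if needed.
    exit /b 1
)

rem Verify by reading the value back.
call :ReadValue
if /i not "%CURRENT%"=="0x1" (
    echo Verification failed: %VALUE% reads "%CURRENT%".
    exit /b 1
)
echo After: %VALUE% = %CURRENT% ^(NS record auto-creation restricted^)
exit /b 0

:ReadValue
rem Sets CURRENT to the value data, or leaves it undefined if absent.
set "CURRENT="
for /f "tokens=3" %%A in ('reg query "%KEY%" /v %VALUE% 2^>nul ^| find "REG_DWORD"') do set "CURRENT=%%A"
goto :eof
```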

Using a command line

  1. Open Command Prompt.

    Caution

    • In this procedure you will be editing the registry. Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.
  2. Type:

    dnscmd ServerName /Config /DisableNSRecordsAutoCreation 0x1

Value: Description

  • dnscmd: Specifies the name of the command-line tool.

  • ServerName: Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.).

  • /Config: Specifies the configuration command.

  • /DisableNSRecordsAutoCreation: Determines the local DNS server configuration for registering NS resource records for authoritative zones.

  • 0x1: Specifies that the DNS server specified in ServerName should not add NS resource records for authoritative zones. To specify that the DNS server should add NS resource records for all its authoritative zones, type a value of 0x0.

Notes

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

  • To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

  • This procedure requires the Dnscmd Windows support tool. For information about installing Windows support tools, see Related Topics.

  • This procedure restricts NS resource records registered for Active Directory domain controllers only.

  • To view the complete syntax for this command, at a command prompt, type:

    dnscmd /config /?

  • The DWORD value is a local DNS server setting and applies to authoritative DNS zones hosted on this DNS server.

  • Regardless of the settings above, query responses sent to DNS clients from authoritative DNS servers and selected domain controllers will indicate that the responses are from authoritative DNS servers.

  • To configure the DNS server to automatically add NS resource records corresponding to itself when loading a zone, you may assign a value of 0x0 or enter no value (default setting). This setting has the same effect as not creating the DisableNSRecordsAutoCreation registry entry.

  • If you have configured the registry to restrict the DNS server from registering NS resource records for authoritative zones, any existing NS resource records for the authoritative zones located on the DNS server are automatically deleted.

  • Regardless of an NS resource record registration setting, query responses sent to DNS clients from the authoritative DNS server will indicate that the responses are authoritative.

  • The registry key entries described here do not exist by default and must be created and configured using this procedure.

Formatting legend

Format: Meaning

  • Italic: Information that the user must supply

  • Bold: Elements that the user must type exactly as shown

  • Ellipsis (...): Parameter that can be repeated several times in a command line

  • Between brackets ([]): Optional items

  • Between braces ({}), with choices separated by pipe (|), for example {even|odd}: Set of choices from which the user must choose only one

  • Courier font: Code or program output

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Managing authority records
Allow NS record creation for specific domain controllers
Install Windows Support Tools
Security information for DNS