Disabling Windows 2000 Dynamic DNS Updates

Windows 2000 supports dynamic Domain Name System (DNS) updates as defined in RFC 2136. Dynamic DNS update is enabled by default for Windows 2000 DNS clients. This behavior is distributed: there is no single policy setting or registry hack that controls dynamic DNS update, because the registrations are performed by several independent components:

- the DHCP Client service on Windows 2000 Professional and Server, which registers records for each adapter;
- the DNS Server service on Windows 2000 servers that run it;
- the Netlogon service on Windows 2000 domain controllers;
- RAS clients on Windows 2000 workstations.

The DHCP Client service in Windows 2000 Professional and Server performs dynamic DNS updates for adapters. The updates occur whether the adapter is configured by DHCP or is configured manually (statically).
To register forward lookup (hostname A) records but not reverse lookup (PTR) records for a specific adapter, use the following registry hack:

DNS records are re-registered dynamically every 24 hours by default. To modify the refresh interval for all adapters, use the following registry hack:

The default TTL (Time To Live) placed on dynamic registrations is 20 minutes. To modify the TTL for all adapters, use the following registry hack:

DefaultRegistrationTTL specifies the default TTL value set on the records in outgoing DNS dynamic update registrations. This TTL is a DNS record lifetime, not the IP packet TTL: it controls how long a resolver or caching DNS server may keep the record before it must query for it again. A small DefaultRegistrationTTL makes cached entries expire sooner, which increases DNS traffic but reduces the risk of stale entries. Long retention times are useful for computers that renew their DHCP leases infrequently.

MaxNumberOfAddressesToRegister controls the maximum number of IP addresses that can be registered in DNS for an adapter. Having multiple addresses on one adapter is common for web servers. By default, only the first IP address of an adapter is dynamically registered. To modify the number of IP addresses dynamically registered for an adapter, use the following registry hack:

To prevent any address from being registered for the adapter, set MaxNumberOfAddressesToRegister to 0.
UpdateSecurityLevel determines whether the DNS client uses secure dynamic update or standard (non-secure) dynamic update. Under secure dynamic update, the authoritative name server accepts updates only from authorized clients and servers. By default the client sends a non-secure update first and retries with a secure update only if the server refuses it, so a zone that accepts non-secure updates receives non-secure registrations. To force secure registrations, use the following registry hack:

DisableReplaceAddressesInConflicts prevents a DNS client from overwriting an existing resource record when it discovers an address conflict during dynamic update. An address conflict occurs when the DNS client finds an existing A record that associates its DNS name with the IP address of a different computer. By default, the DNS client tries to replace the original registration with a record associating the DNS name with its own IP address. This registry hack instead makes the client back out of the registration; no error is logged in Event Viewer. It is designed for zones that do NOT use secure dynamic update, where it prevents unauthorized users from changing the IP address registration of a client computer:
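The following PowerShell script is an added example, not code from the original page or from Network Partners; it configures and audits the DHCP Client service's registration settings discussed above. The registry key paths and value names (Tcpip\Parameters and its Interfaces subkeys, DisableDynamicUpdate, DisableReverseAddressRegistrations, DefaultRegistrationRefreshInterval, DefaultRegistrationTTL, MaxNumberOfAddressesToRegister, UpdateSecurityLevel, DisableReplaceAddressesInConflicts) are the ones Microsoft documents for these settings; the page's own registry tables did not survive, so confirm them against your reference before running. Windows 2000 has no PowerShell, so run this on a later Windows host where the same values are honored, or transcribe the paths into reg.exe. The adapter GUID is a placeholder.

```powershell
# Added example (not from the original page): configure and audit the DNS-client
# dynamic-update settings of the DHCP Client service. Key paths and value names are
# those Microsoft documents for these settings (assumed correct; not on this page).

$Tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Set-DnsClientRegistrationPolicy {
    param(
        [int]$RefreshIntervalSeconds = 86400,  # re-register every 24 h (page default)
        [int]$RegistrationTtlSeconds = 1200,   # 20 min record TTL (page default)
        [int]$MaxAddresses = 1,                # only the first address per adapter
        [switch]$SecureOnly,                   # secure dynamic update only
        [switch]$NoReplaceOnConflict           # back out instead of overwriting
    )
    Set-ItemProperty -Path $Tcpip -Name DefaultRegistrationRefreshInterval -Type DWord -Value $RefreshIntervalSeconds
    Set-ItemProperty -Path $Tcpip -Name DefaultRegistrationTTL -Type DWord -Value $RegistrationTtlSeconds
    Set-ItemProperty -Path $Tcpip -Name MaxNumberOfAddressesToRegister -Type DWord -Value $MaxAddresses
    # UpdateSecurityLevel: 0 = non-secure first, then secure if refused (default);
    # 16 = non-secure only; 256 = secure only.
    $level = if ($SecureOnly) { 256 } else { 0 }
    Set-ItemProperty -Path $Tcpip -Name UpdateSecurityLevel -Type DWord -Value $level
    Set-ItemProperty -Path $Tcpip -Name DisableReplaceAddressesInConflicts -Type DWord -Value ([int]($NoReplaceOnConflict.IsPresent))
}

# Per adapter: keep the A record but drop the PTR registration, or stop both.
function Set-AdapterRegistration {
    param(
        [Parameter(Mandatory)][string]$AdapterGuid,  # {GUID} subkey under Interfaces
        [switch]$DisableReverse,                     # DisableReverseAddressRegistrations = 1
        [switch]$DisableAll                          # DisableDynamicUpdate = 1 for this adapter
    )
    $ifKey = Join-Path "$Tcpip\Interfaces" $AdapterGuid
    if (-not (Test-Path $ifKey)) { throw "No interface key for $AdapterGuid" }
    Set-ItemProperty -Path $ifKey -Name DisableReverseAddressRegistrations -Type DWord -Value ([int]($DisableReverse.IsPresent))
    Set-ItemProperty -Path $ifKey -Name DisableDynamicUpdate -Type DWord -Value ([int]($DisableAll.IsPresent))
}

# Audit: report, per interface, whether the DHCP Client service still registers
# A and/or PTR records. The global DisableDynamicUpdate under Tcpip\Parameters only
# silences this service; the DNS Server and Netlogon registrations are separate.
function Get-DnsRegistrationAudit {
    $globalOff = (Get-ItemProperty -Path $Tcpip).DisableDynamicUpdate -eq 1
    Get-ChildItem "$Tcpip\Interfaces" | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        $adapterOff = $globalOff -or ($p.DisableDynamicUpdate -eq 1)
        [pscustomobject]@{
            Interface    = $_.PSChildName
            StaticIPs    = ($p.IPAddress -join ' ')
            DhcpIP       = $p.DhcpIPAddress
            RegistersA   = -not $adapterOff
            RegistersPTR = -not ($adapterOff -or ($p.DisableReverseAddressRegistrations -eq 1))
        }
    }
}

# Usage: secure-only registrations, never overwrite a conflicting record, and no
# PTR registration for one adapter (placeholder GUID; take the real one from
# the Interfaces subkey names or Get-NetAdapter's InterfaceGuid).
Set-DnsClientRegistrationPolicy -SecureOnly -NoReplaceOnConflict
Set-AdapterRegistration -AdapterGuid '{00000000-0000-0000-0000-000000000000}' -DisableReverse
Get-DnsRegistrationAudit | Format-Table -AutoSize
```

The audit is the part worth keeping around: because the settings are spread across a global key and one subkey per adapter, a host can look "disabled" at the global level while a newly added adapter registers happily, and the per-interface table makes that visible. Changes to the Tcpip values take effect for the next registration cycle; `ipconfig /registerdns` forces one immediately.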
Windows 2000 servers running the W2K DNS Server service

The DNS Server service registers forward lookup (hostname A) records for all the adapters it is listening on if it is authoritative (SOA) for the name. When a server running the DNS Server service has multiple adapters, unwanted addresses can be published automatically. Common scenarios include disconnected or unused network adapters publishing AutoNet (169.254.x.x) addresses, and private or DMZ interfaces publishing addresses that clients cannot reach. If the Network Load Balancing (NLB) service is installed on a DNS server, both the virtual network adapter address and the dedicated network adapter address are registered by the DNS Server service.

The adapters the DNS server listens on can be changed in the DNS snap-in: in Server properties, click the Adapters tab. When the list of IP addresses the DNS server listens on and serves differs from the list of IP addresses it should publish (register), use the following registry hack:

This value specifies the IP addresses you want to publish for the computer. The DNS server creates hostname A records only for the addresses in this list. If the entry does not appear in the registry, or if its value is blank, the DNS server creates a hostname A record for each of the computer's IP addresses. The entry is designed for computers with multiple IP addresses, when you prefer to publish only a subset of them; typically it is used to stop the DNS server from returning a private network address in response to a query when the computer also has a corporate network address. DNS reads its registry entries only when it starts. You can change entries while the DNS server is running by using the DNS console, but changes made by editing the registry directly are not effective until you restart the DNS Server service.
Windows 2000 domain controllers running the Netlogon service

Netlogon A record registrations: by default, Netlogon on a DC registers SRV records, domain A records, and GC (Global Catalog) A records every hour. SRV records map a service name to a FQDN; hostname A records map a name to an IP address. Registration of domain A records for all adapters by Netlogon, and their re-registration every hour (by default), can be a problem if clients resolve the domain name to an IP address they cannot reach. The following registry key enables or disables the registration of hostname A records by Netlogon on a domain controller. The domain A records are not required by Windows 2000; they are registered for the benefit of LDAP implementations that do not support SRV records. Note that this key disables all hostname A record registrations performed by Netlogon, which includes the gc._msdcs.DnsForestName records. Registration of the gc._msdcs.DnsForestName records is required and must be performed manually if the RegisterDnsARecords value is set to disabled.

Hive: HKEY_LOCAL_MACHINE
Value 0: Does not register DNS A records. LDAP implementations that do not support SRV records will not be able to locate the LDAP server on this domain controller.

You might consider setting this value to 0 if DNS does not complete its dynamic updates because it cannot update hostname A records: the dynamic update process stops when an update attempt does not succeed.

Windows 2000 workstation RAS clients
Copyright 1993-2006 Network Partners, Inc. All rights reserved