Recipe 13.15 Preventing a Domain Controller from Dynamically Registering Certain Resource Records

13.15.1 Problem

You want to prevent a domain controller from dynamically registering certain resource records. It is sometimes advantageous to prevent certain resource records from being dynamically registered. For example, if you want to reduce the load on the PDC Emulator for a domain, you could prevent some of its SRV records from being published, which would reduce the amount of client traffic the server receives.

13.15.2 Solution

13.15.2.1 Using a command-line interface

These commands prevent the Ldap, Gc, and GcIpAddress resource records from being dynamically registered (the \0 in the reg add data separates the entries of the REG_MULTI_SZ value):

> reg add HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /v DnsAvoidRegisterRecords /t REG_MULTI_SZ /d Ldap\0Gc\0GcIpAddress
The operation completed successfully.

> net stop netlogon
The Net Logon service is stopping.
The Net Logon service was stopped successfully.

> del %SystemRoot%\system32\config\netlogon.dnb

> net start netlogon
The Net Logon service is starting.......
The Net Logon service was started successfully.

13.15.2.2 Using VBScript
' This code prevents a DC from registering the resource records
' associated with the Ldap, Gc, and GcIpAddress mnemonics and must be run
' directly on the server.

' Create Registry Value
const HKLM = &H80000002
set objReg = GetObject("winmgmts:root\default:StdRegProv")
strKeyPath = "System\CurrentControlSet\Services\Netlogon\Parameters"

' prevent Ldap, Gc, and GcIpAddress records from being registered
arrValues = Array("Ldap","Gc","GcIpAddress")
if objReg.SetMultiStringValue(HKLM,strKeyPath,"DnsAvoidRegisterRecords", _
                              arrValues) <> 0 then
   WScript.Echo "Error creating registry value"
else
   WScript.Echo "Created registry value successfully"
end if

' Stop Netlogon service
strService = "Netlogon"
set objService = GetObject("WinMgmts:root/cimv2:Win32_Service.Name='" & _
                           strService & "'")
if objService.StopService <> 0 then
   WScript.Echo "Error stopping " & strService & " service"
else
   WScript.Echo "Stopped " & strService & " service successfully"
end if

' Delete netlogon.dnb file
On Error Resume Next
set WshShell = CreateObject("WScript.Shell")
set objFSO = CreateObject("Scripting.FileSystemObject")
set objFile = objFSO.GetFile( _
                      WshShell.ExpandEnvironmentStrings("%systemroot%") _
                      & "\system32\config\netlogon.dnb")
objFile.Delete
if (Err.Number <> 0) then
   WScript.Echo "Error deleting netlogon.dnb: " & Err.Description
else
   WScript.Echo "Deleted netlogon.dnb successfully"
end if

' Start Netlogon service
if objService.StartService <> 0 then
   WScript.Echo "Error starting " & strService & " service"
else
   WScript.Echo "Started " & strService & " service successfully"
end if

WScript.Echo
WScript.Echo "Done"
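The same steps in PowerShell, as an added example that is not part of the book's recipe. It assumes an elevated session on the domain controller itself, and uses the Netlogon registry path and the netlogon.dnb location shown above; New-ItemProperty, Get-ItemProperty, Stop-Service and Start-Service are standard cmdlets. What it adds over the reg add form is a check that the multi-string value really holds one entry per mnemonic, which is the detail most often got wrong when the value is created by hand.

```powershell
# Added example (not from the book): the recipe's command-line steps in
# PowerShell. Run in an elevated session on the domain controller itself.
$key       = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$mnemonics = @('Ldap', 'Gc', 'GcIpAddress')

# REG_MULTI_SZ maps to -PropertyType MultiString and takes a string array.
# Do not pass a single "Ldap\0Gc\0GcIpAddress" string: that becomes one
# entry that Netlogon will not recognise as any mnemonic. -Force overwrites
# an existing value of the same name.
New-ItemProperty -Path $key -Name 'DnsAvoidRegisterRecords' `
    -PropertyType MultiString -Value $mnemonics -Force | Out-Null

# Read the value back and make sure it has exactly one entry per mnemonic.
$written = (Get-ItemProperty -Path $key -Name 'DnsAvoidRegisterRecords').DnsAvoidRegisterRecords
if (@($written).Count -ne $mnemonics.Count) {
    throw "Expected $($mnemonics.Count) entries, registry holds $(@($written).Count): $($written -join ', ')"
}
"DnsAvoidRegisterRecords = $($written -join ', ')"

# Stop Netlogon, delete its cached list of registered records, and start it
# again so the new exclusions take effect (the same three steps as the recipe).
Stop-Service -Name Netlogon
$dnb = Join-Path $env:SystemRoot 'System32\config\netlogon.dnb'
if (Test-Path $dnb) { Remove-Item -Path $dnb }
Start-Service -Name Netlogon
"Netlogon is now: $((Get-Service -Name Netlogon).Status)"
```

Stop-Service waits for the service to reach the stopped state before returning, so the file deletion and restart run in the order the recipe intends.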

13.15.3 Discussion

The procedure to disable registration of certain resource records is very similar to that described in Recipe 13.14 for preventing all records from being dynamically registered, except that in this case you create a value called DnsAvoidRegisterRecords under the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters key. The type for DnsAvoidRegisterRecords should be REG_MULTI_SZ and the data should be a list of mnemonics, one per entry of the multi-string value (the reg add command in the solution separates the entries with \0; in Registry Editor you enter one per line). Mnemonics are short names that stand for the various resource records a domain controller registers. The complete list of mnemonics is included in Table 13-3.

Table 13-3. Registry mnemonics for resource records

Registry mnemonic   Resource record type   Resource record name
LdapIpAddress       A                      <DnsDomainName>
Ldap                SRV                    _ldap._tcp.<DnsDomainName>
LdapAtSite          SRV                    _ldap._tcp.<SiteName>._sites.<DnsDomainName>
Pdc                 SRV                    _ldap._tcp.pdc._msdcs.<DnsDomainName>
Gc                  SRV                    _ldap._tcp.gc._msdcs.<DnsForestName>
GcAtSite            SRV                    _ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName>
DcByGuid            SRV                    _ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>
GcIpAddress         A                      _gc._msdcs.<DnsForestName>
DsaCname            CNAME                  <DsaGuid>._msdcs.<DnsForestName>
Kdc                 SRV                    _kerberos._tcp.dc._msdcs.<DnsDomainName>
KdcAtSite           SRV                    _kerberos._tcp.dc._msdcs.<SiteName>._sites.<DnsDomainName>
Dc                  SRV                    _ldap._tcp.dc._msdcs.<DnsDomainName>
DcAtSite            SRV                    _ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>
Rfc1510Kdc          SRV                    _kerberos._tcp.<DnsDomainName>
Rfc1510KdcAtSite    SRV                    _kerberos._tcp.<SiteName>._sites.<DnsDomainName>
GenericGc           SRV                    _gc._tcp.<DnsForestName>
GenericGcAtSite     SRV                    _gc._tcp.<SiteName>._sites.<DnsForestName>
Rfc1510UdpKdc       SRV                    _kerberos._udp.<DnsDomainName>
Rfc1510Kpwd         SRV                    _kpasswd._tcp.<DnsDomainName>
Rfc1510UdpKpwd      SRV                    _kpasswd._udp.<DnsDomainName>
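An added example, not from the book, that turns Table 13-3 into a checklist: it expands a list of mnemonics into the concrete DNS names for a given domain, forest and site, then queries each name with Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 and later) and reports whether a particular DC still appears in the answer. The domain, site, DC name and address in the usage call are constructed placeholders; <DomainGuid> and <DsaGuid> stay as placeholders unless you pass them. Going one step beyond the recipe, it also warns on a mnemonic that is not in the table, since an unrecognised entry will not match any record and nothing gets suppressed.

```powershell
# Added example (not from the book): expand Table 13-3 mnemonics into the DNS
# names a domain controller registers, query each one, and report whether a
# given DC is still present. All sample values at the bottom are constructed.

# Mnemonic -> (record type, name template), transcribed from Table 13-3.
$NetlogonRecordTable = @{
    LdapIpAddress    = @('A',     '<DnsDomainName>')
    Ldap             = @('SRV',   '_ldap._tcp.<DnsDomainName>')
    LdapAtSite       = @('SRV',   '_ldap._tcp.<SiteName>._sites.<DnsDomainName>')
    Pdc              = @('SRV',   '_ldap._tcp.pdc._msdcs.<DnsDomainName>')
    Gc               = @('SRV',   '_ldap._tcp.gc._msdcs.<DnsForestName>')
    GcAtSite         = @('SRV',   '_ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName>')
    DcByGuid         = @('SRV',   '_ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>')
    GcIpAddress      = @('A',     '_gc._msdcs.<DnsForestName>')
    DsaCname         = @('CNAME', '<DsaGuid>._msdcs.<DnsForestName>')
    Kdc              = @('SRV',   '_kerberos._tcp.dc._msdcs.<DnsDomainName>')
    KdcAtSite        = @('SRV',   '_kerberos._tcp.dc._msdcs.<SiteName>._sites.<DnsDomainName>')
    Dc               = @('SRV',   '_ldap._tcp.dc._msdcs.<DnsDomainName>')
    DcAtSite         = @('SRV',   '_ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>')
    Rfc1510Kdc       = @('SRV',   '_kerberos._tcp.<DnsDomainName>')
    Rfc1510KdcAtSite = @('SRV',   '_kerberos._tcp.<SiteName>._sites.<DnsDomainName>')
    GenericGc        = @('SRV',   '_gc._tcp.<DnsForestName>')
    GenericGcAtSite  = @('SRV',   '_gc._tcp.<SiteName>._sites.<DnsForestName>')
    Rfc1510UdpKdc    = @('SRV',   '_kerberos._udp.<DnsDomainName>')
    Rfc1510Kpwd      = @('SRV',   '_kpasswd._tcp.<DnsDomainName>')
    Rfc1510UdpKpwd   = @('SRV',   '_kpasswd._udp.<DnsDomainName>')
}

function Expand-NetlogonRecord {
    # Turn a list of mnemonics into concrete (Mnemonic, Type, Name) objects.
    param(
        [Parameter(Mandatory)] [string[]] $Mnemonic,
        [Parameter(Mandatory)] [string]   $DnsDomainName,
        [Parameter(Mandatory)] [string]   $DnsForestName,
        [Parameter(Mandatory)] [string]   $SiteName,
        [string] $DomainGuid = '<DomainGuid>',   # GUID of the domain object
        [string] $DsaGuid    = '<DsaGuid>'       # GUID of the DC's NTDS Settings object
    )
    $subs = @{ '<DnsDomainName>' = $DnsDomainName; '<DnsForestName>' = $DnsForestName
               '<SiteName>' = $SiteName; '<DomainGuid>' = $DomainGuid; '<DsaGuid>' = $DsaGuid }
    foreach ($m in $Mnemonic) {
        if (-not $NetlogonRecordTable.ContainsKey($m)) {
            # An entry that is not a valid mnemonic matches no record, so it
            # silently suppresses nothing: flag it rather than skip quietly.
            Write-Warning "Unknown mnemonic '$m'; see Table 13-3 for valid names"
            continue
        }
        $type, $template = $NetlogonRecordTable[$m]
        $name = $template
        foreach ($k in $subs.Keys) { $name = $name.Replace($k, $subs[$k]) }
        [pscustomobject]@{ Mnemonic = $m; Type = $type; Name = $name }
    }
}

function Test-DcRecordRegistration {
    # Query DNS for each expanded name and report whether the named DC still
    # appears. SRV answers name a host (NameTarget), A answers carry an
    # IPAddress, CNAME answers carry NameHost.
    param(
        [Parameter(Mandatory)] [string[]] $Mnemonic,
        [Parameter(Mandatory)] [string]   $DcFqdn,
        [Parameter(Mandatory)] [string]   $DcIPAddress,
        [Parameter(Mandatory)] [string]   $DnsDomainName,
        [Parameter(Mandatory)] [string]   $DnsForestName,
        [Parameter(Mandatory)] [string]   $SiteName
    )
    $records = Expand-NetlogonRecord -Mnemonic $Mnemonic -DnsDomainName $DnsDomainName `
                   -DnsForestName $DnsForestName -SiteName $SiteName
    foreach ($r in $records) {
        $answers = Resolve-DnsName -Name $r.Name -Type $r.Type -DnsOnly -ErrorAction SilentlyContinue
        $hit = switch ($r.Type) {
            'SRV'   { $answers | Where-Object { $_.NameTarget -ieq $DcFqdn } }
            'A'     { $answers | Where-Object { $_.IPAddress -eq $DcIPAddress } }
            'CNAME' { $answers | Where-Object { $_.NameHost -ieq $DcFqdn } }
        }
        [pscustomobject]@{ Mnemonic = $r.Mnemonic; Name = $r.Name; StillRegistered = [bool]$hit }
    }
}

# Constructed values for illustration; substitute your own domain, forest,
# site, DC name and address. Expected after the recipe has taken effect:
# StillRegistered = False for each of the three mnemonics.
Test-DcRecordRegistration -Mnemonic @('Ldap', 'Gc', 'GcIpAddress') `
    -DcFqdn 'dc1.example.com' -DcIPAddress '192.0.2.10' `
    -DnsDomainName 'example.com' -DnsForestName 'example.com' `
    -SiteName 'Default-First-Site-Name' | Format-Table -AutoSize
```

Because the functions accept any subset of the table, the same call with all nineteen mnemonics gives a full picture of which records a DC is publishing, which is a convenient before-and-after comparison when you are deciding which ones to suppress.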

13.15.4 See Also

Recipe 13.14 for preventing all records from being dynamically registered, MS KB 246804 (How to Enable/Disable Windows 2000 Dynamic DNS Registrations), and MS KB 267855 (Problems with Many Domain Controllers with Active Directory Integrated DNS Zones)



Active Directory Cookbook, 3rd Edition
ISBN: 0596521103
Year: 2006
Pages: 456