How to Enable/Disable Windows 2000 Dynamic DNS Registrations [Q246804]

Tom Horan thoran at esatclear.ie
Mon Nov 13 20:52:39 UTC 2000


I've seen a lot of questions regarding this topic. So here is the official TechNet article from Microsoft.

There should be a few ways to solve this - 3 ways to do it: "regedit /s file.reg", a kix script, and a .vbs script. You should be able to do it remotely using something like reg out of the NT resource kit.



Thanks,

Tom



PSS ID Number: Q246804

Article last modified on 08-02-2000



======================================================================

-------------------------------------------------------------------------------

The information in this article applies to:


- Microsoft Windows 2000 Server 

- Microsoft Windows 2000 Advanced Server 

- Microsoft Windows 2000 Professional 

-------------------------------------------------------------------------------


IMPORTANT: This article contains information about editing the registry. 

Before you edit the registry, make sure you understand how to restore it if

a problem occurs. For information about how to do this, view the "Restoring 

the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help 

topic in Regedt32.exe.


SUMMARY

=======


Windows 2000 supports dynamic Domain Name System (DNS) updates (per RFC 2136).

This behavior is enabled by default for Windows 2000 DNS clients.


Depending on the configuration and services running on a particular computer,

different components perform dynamic DNS updates. There is no centralized way

(such as a tool or registry keys) to manage the dynamic DNS update behavior of

all components. This article describes each component and how to modify that

particular component's behavior.


NOTE: After you change any of the registry keys listed in this article, you must

stop and restart the affected service(s). In some cases, you must reboot the

computer. These instances are noted.


MORE INFORMATION

================


WARNING: Using Registry Editor incorrectly can cause serious problems that may

require you to reinstall your operating system. Microsoft cannot guarantee that

problems resulting from the incorrect use of Registry Editor can be solved. Use

Registry Editor at your own risk.


For information about how to edit the registry, view the "Changing Keys and

Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete

Information in the Registry" and "Edit Registry Data" Help topics in

Regedt32.exe. Note that you should back up the registry before you edit it. If

you are running Windows NT or Windows 2000, you should also update your

Emergency Repair Disk (ERD).


The following components perform dynamic DNS updates:


- DHCP Client service (all Windows 2000-based computers)


- DNS Server service (Windows 2000-based DNS servers only)


- Netlogon service (Windows 2000-based domain controllers only)


- RAS client (Windows 2000-based RAS clients only)


- Dynamic Host Configuration Protocol (DHCP) Server service (Windows 2000-based

DHCP servers only)


DHCP Client Service

-------------------


The DHCP Client service performs dynamic DNS updates for adapters regardless of

whether the adapter is configured by using DHCP or is manually or statically

configured. This section describes how to enable/disable the following items:


- All adapters - forward (hostname A) and reverse (PTR)


- All adapters - reverse (PTR)


- Per adapter - advanced TCP/IP properties controls


- Per adapter - forward and reverse (hostname A and PTR)


- Per adapter - reverse (PTR)


- Other Settings


All Adapters - Forward (Hostname A) and Reverse (PTR)

-----------------------------------------------------


To disable both A and PTR registrations performed for all adapters by the DHCP

client service, use the following registry key:


DisableDynamicUpdate

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters


Data type: REG_DWORD

Range: 0 - 1

Default value: 0


This key disables DNS dynamic update registration for all adapters on this

computer. With dynamic update, DNS client computers automatically register and

update their resource records whenever address changes occur.


Value   Meaning
-------------------------------------------
0       Enables dynamic update registration
1       Disables dynamic update registration


NOTE: For dynamic update to operate on any adapter, it must be enabled at the

system level and at the adapter level. To disable DNS dynamic update for a

particular adapter, add DisableDynamicUpdate to an <interface-name> subkey

and set its value to 1. To disable dynamic update on all adapters in a computer,

add DisableDynamicUpdate to the

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters subkey and

set its value to 1.


Windows 2000 does not add this entry to the registry. You can add it by editing

the registry or by using a program that edits the registry.


To make the changes to this value effective, you must restart Windows 2000.


All Adapters - Reverse (PTR)

----------------------------


When you want forward lookup (A records) registrations but not reverse lookups

(PTR records) registrations, use the following registry key to disable

registrations of PTR records:


DisableReverseAddressRegistrations

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters


Data type: REG_DWORD

Range: 0 - 1

Default value: 0


This key disables DNS dynamic update registration of PTR records by this DNS

client. PTR ("pointer") records associate an IP address with a computer name.

This entry is designed for enterprises in which the primary DNS server that is

authoritative for the reverse lookup zone cannot or is configured not to perform

dynamic updates. It reduces unnecessary network traffic and eliminates event log

errors that record unsuccessful attempts to register PTR records.


Value   Meaning
----------------------------------
0       Register PTR records
1       Do not register PTR records


NOTE: Windows 2000 does not add this entry to the registry. You can add it by

editing the registry or by using a program that edits the registry.


To make the changes to this value effective, you must restart Windows 2000.


Per Adapter - Advanced TCP/IP Properties Controls

-------------------------------------------------


DNS registrations performed by each adapter can be changed by using

adapter-specific advanced TCP/IP settings (on the DNS tab):


- DNS suffix for this connection (box)

- Register this connection's addresses in DNS (check box)


- Use this connection's DNS suffix in DNS registration (check box)


"Register this connection's addresses in DNS" (selected by default): This setting

registers A and PTR records for the first IP address configured on this adapter.

Clear this check box to disable the DHCP Client service from registering both A

and PTR records for this adapter.


"Use this connection's DNS suffix in DNS registration" (cleared by default): Each

computer has a primary DNS suffix (use the "ipconfig /all" (without the

quotation marks) command to view this suffix). Additionally, each adapter can

also have a separate DNS suffix configured for itself. An adapter-specific DNS

suffix can be configured manually or by using DHCP option 15 as part of the DHCP

lease process. For additional information, click the article number below to

view the article in the Microsoft Knowledge Base:


Q121005 DHCP Options Supported by Clients


Select this check box to enable the DHCP Client service to register A and PTR

records for the following fully qualified domain name (FQDN) in addition to

hostname.<PrimaryDnsSuffix>:


hostname.<dns_suffix_for_this_adapter>


Per Adapter - Forward and Reverse (Hostname A and PTR)

------------------------------------------------------


To disable A and PTR registrations performed for a specific adapter by the DHCP

Client service, use the following registry key:


DisableDynamicUpdate

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface-name>


Data type: REG_DWORD

Range: 0 - 1

Default value: 0


This disables DNS dynamic update registration on this adapter. With dynamic

update, DNS client computers automatically register and update their resource

records whenever address changes occur.


Value   Meaning
--------------------------------------------
0       Enables dynamic update registration
1       Disables dynamic update registration


NOTE: For dynamic update to operate on any adapter, it must be enabled at the

system level and at the adapter level. To disable DNS dynamic update for a

particular adapter, add DisableDynamicUpdate to an <interface-name> subkey

and set its value to 1. To disable dynamic update on all adapters in a computer,

add DisableDynamicUpdate to the

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters subkey and

set its value to 1.


Windows 2000 does not add this entry to the registry. You can add it by editing

the registry or by using a program that edits the registry.


To make the changes to this value effective, you must restart Windows 2000.


Per Adapter - Reverse (PTR)

---------------------------


There is no mechanism to disable PTR registrations on a per-adapter basis.


Other Settings

--------------


This section lists other parameters used by the DHCP Client service as they

relate to DNS dynamic updates.


- DNS records are re-registered dynamically every 24 hours by default. You can

use the following registry key to modify the refresh interval:


DefaultRegistrationRefreshInterval

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters


Data type: REG_DWORD

Range: 0x0 - 0xFFFFFFFF seconds

Default value: 0x15180 (86,400 seconds = 24 hours)

Scope: Affects all adapters


This specifies the time interval between DNS dynamic update registration

refreshes.


Windows 2000 does not add this entry to the registry. You can add it by editing

the registry or by using a program that edits the registry.


To make the changes to this value effective, you must restart Windows 2000.


- The default Time To Live (TTL) value used for dynamic registrations is 20

minutes. You can use the following registry key to modify the TTL value:


DefaultRegistrationTTL

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters


Data type: REG_DWORD

Range: 0x0 - 0xFFFFFFFF seconds

Default value: 0x4B0 (1,200 seconds = 20 minutes)

Scope: Affects all adapters


This specifies the default TTL value set in the header of outgoing DNS dynamic

update registrations. The TTL value determines how long a packet that has not

reached its destination can remain on the network before it is discarded.


Windows 2000 does not add this entry to the registry. You can add it by editing

the registry or by using a program that edits the registry.


To make the changes to this value effective, you must restart Windows 2000.


- By default, only the first IP address is dynamically registered. You can use

the following registry key to modify the number of IP addresses dynamically

registered for an adapter that is configured with more than one IP address

(logically multihomed):


MaxNumberOfAddressesToRegister

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\<interface-name>\MaxNumberOfAddressesToRegister


Data type: REG_DWORD

Range: 0x0 - 0xFFFFFFFF

Default value: 0x1

Scope: Affects this adapter only


This determines the maximum number of IP addresses that can be registered in DNS

for this adapter.


If the value of this entry is 0, IP addresses cannot be registered for this

adapter.


To make the changes to this value effective, you must restart Windows 2000.


- By default, non-secure dynamic DNS registrations are attempted. You can use

the following registry key to modify this behavior:


UpdateSecurityLevel

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters


Data type: REG_DWORD

Range: 0x0 | 0x10 | 0x100

Default value: 0x0

Scope: Affects all adapters


This determines whether the DNS client uses secure dynamic update or standard

dynamic update. Windows 2000 supports both dynamic update and secure dynamic

update. With secure dynamic update, the authoritative name server accepts

updates only from authorized clients and servers.


Value         Meaning
-------------------------------------------------------------
0 (0x0)       Send secure dynamic updates only when non-secure
              dynamic updates are refused.
16 (0x10)     Send only non-secure dynamic updates.
256 (0x100)   Send only secure dynamic updates.


Windows 2000 does not add this entry to the registry. You can add it by editing

the registry or by using a program that edits the registry.


To make the changes to this value effective, you must restart Windows 2000.


- By default, the DNS client tries to replace the original registration with a

record associating the DNS name to its own IP address. You can use the

following registry key to modify this behavior:


DisableReplaceAddressesInConflicts

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters


Data type: REG_DWORD

Range: 0 - 1

Default value: 0

Scope: Affects all adapters


This prevents the DNS client from overwriting an existing resource record when it

discovers an address conflict during dynamic update. An address conflict occurs

when the DNS client discovers that an existing A record associates its DNS name

with the IP address of a different computer.


By default, the DNS client tries to replace the original registration with a

record associating the DNS name to its own IP address. However, you can use this

entry to direct DNS back out of the registration process. An error in Event

Viewer is not logged.


This entry is designed for zones that do not use secure dynamic update. It

prevents unauthorized users from changing the IP address registration of a

client computer.


Value   Meaning
---------------------------------------------------------------
0       The DNS client overwrites the existing A record with an A
        record for its own IP address.
1       The DNS client backs out of the registration process.
        No error is written to the Event Viewer log.


Windows 2000 does not add this entry to the registry. You can add it by editing

the registry or by using a program that edits the registry.


To make the changes to this value effective, you must restart Windows 2000.
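
The DHCP Client settings above can be checked offline from a registry export. The following is an added example, not part of the Microsoft article or the original post: it reads REG_DWORD entries in .reg export syntax and applies the article's defaults and its rule that dynamic update must be enabled at both the system and the adapter level. The sample export and the interface names {IF-LAN} and {IF-DMZ} are constructed placeholders, and the finding texts are this example's own wording.

```python
import re

BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters".upper()
# Meanings copied from the UpdateSecurityLevel table in the article.
SECURITY_LEVELS = {
    0x0: "secure only when non-secure updates are refused",
    0x10: "non-secure only",
    0x100: "secure only",
}

# Constructed sample in .reg export syntax; {IF-LAN} and {IF-DMZ} are placeholders.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DisableReverseAddressRegistrations"=dword:00000001
"UpdateSecurityLevel"=dword:00000010

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{IF-LAN}]
"DisableDynamicUpdate"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{IF-DMZ}]
"DisableDynamicUpdate"=dword:00000001
'''

def parse_reg(text):
    """Map each key path (upper-cased) to its REG_DWORD values (names lower-cased)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = keys.setdefault(section.group(1).upper(), {})
            continue
        value = re.fullmatch(r'"([^"]+)"=dword:([0-9A-Fa-f]{1,8})', line)
        if value and current is not None:
            current[value.group(1).lower()] = int(value.group(2), 16)
    return keys

def dword(values, name, default):
    """Entries Windows has not created take the article's default value."""
    return values.get(name.lower(), default)

def audit(text):
    keys = parse_reg(text)
    system = keys.get(BASE, {})
    system_on = dword(system, "DisableDynamicUpdate", 0) == 0
    level = dword(system, "UpdateSecurityLevel", 0x0)
    prefix = BASE + "\\INTERFACES\\"
    # Dynamic update needs to be enabled at the system level AND the adapter level.
    adapters = {
        path[len(prefix):]: system_on and dword(vals, "DisableDynamicUpdate", 0) == 0
        for path, vals in keys.items() if path.startswith(prefix)
    }
    findings = []
    if level not in SECURITY_LEVELS:
        findings.append("UpdateSecurityLevel 0x%X is outside the documented values" % level)
    elif system_on and level != 0x100:
        findings.append("non-secure dynamic updates can be sent")
        if dword(system, "DisableReplaceAddressesInConflicts", 0) == 0:
            findings.append("conflicting A records are overwritten, not backed out of")
    return {
        "adapters": adapters,
        "registers_ptr": system_on
        and dword(system, "DisableReverseAddressRegistrations", 0) == 0,
        "security": SECURITY_LEVELS.get(level, "undocumented"),
        "findings": findings,
    }

if __name__ == "__main__":
    print(audit(SAMPLE_REG))
```
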


DNS Server Service (DNS Server Only)

------------------------------------


The DNS Server service registers hostname A records for all the adapters it is

listening on if it is authoritative (SOA) for a given name.


When a server running the DNS Service has multiple adapters, unwanted addresses

can be published automatically. Common scenarios include disconnected or unused

network adapters publishing AutoNet addresses and private or DMZ interfaces

publishing unreachable addresses.


If the Network Load Balancing (NLB) service is installed on a DNS server, both

the virtual network adapter address and the dedicated network adapter address

will be registered by the DNS Server service.


The adapters on which the DNS server is listening can be changed by using the
DNS snap-in. In Server properties, click the Adapters tab.


In circumstances in which the list of IP addresses the DNS server listens to and

serves is different from the list of IP addresses published (registered by the

DNS Server service), use the following registry key:


PublishAddresses

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters


Data type: REG_SZ

Range: IP address [IP address]

Default value: blank


This specifies the IP addresses you want to publish for the computer. The DNS
server creates A records only for the addresses in this list. If this entry does
not appear in the registry, or if its value is blank, the DNS server creates an
A record for each of the computer's IP addresses.


This entry is designed for computers with multiple IP addresses, when you prefer

to publish only a subset of the available addresses. Typically, this is used to

prevent the DNS server from returning a private network address in response to a

query when the computer has a corporate network address.


DNS reads its registry entries only when it starts. You can change entries while

the DNS server is running by using the DNS console. If you change entries by

editing the registry, the changes are not effective until you restart the DNS

server.


The DNS server does not add this entry to the registry. You can add it by editing

the registry or by using a program that edits the registry.


Netlogon Service (Domain Controller Only)

-----------------------------------------


By default, Netlogon registers certain SRV, CNAME, and A records every hour even

if some or all of these records are correctly registered in DNS. The list of

records Netlogon attempts to register is stored in the

%SystemRoot%\System32\Config\Netlogon.dns file. This log file lists records that

are required to be registered for this domain controller.


Netlogon does not provide a mechanism to control registrations it performs on a

per-adapter basis. This section describes how to enable/disable the following

items:


- All registrations


- Netlogon A registrations


All Registrations

-----------------


To disable all registrations performed by Netlogon, use the following registry

key (a restart of the Netlogon service is required, although a reboot is

preferred):


UseDynamicDns

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters


Data type: REG_DWORD

Range: 0 - 1

Default value: 1


This determines whether the Netlogon service on this domain controller uses DNS

dynamic updates. Netlogon can use DNS dynamic updates to register DNS names

identifying the domain controller. DNS dynamic updates provide automatic updates

of zone data, such as DNS names, on the zone's primary server whenever an

authorized zone server requests an update. It supplements the static, manual

method of adding and changing zone records. The DNS dynamic update protocol is

defined in RFC 2136.


Value   Meaning
-------------------------------------------------------------
0       Netlogon does not use DNS dynamic updates. Records
        specified in the Netlogon.dns file must be registered
        manually in DNS.
1       Netlogon uses DNS dynamic updates to register
        the names identifying this domain controller.


You might consider disabling Netlogon's use of DNS dynamic updates if your DNS
servers do not support DNS dynamic updates or to eliminate the network traffic
associated with periodic registration of Netlogon's DNS records.


This entry is supported on domain controllers only. Windows 2000 does not add

this entry to the registry. You can add it by editing the registry or by using a

program that edits the registry.


To make the changes to this value effective, delete
"%SYSTEMROOT%\system32\config\netlogon.dnb", and then restart the Netlogon
service. A restart of Windows 2000 is preferred.


Netlogon A Registrations

------------------------


By default, Netlogon on a domain controller registers SRV, domain A, and GC

(Global Catalog) A records every hour. SRV records are mapped to a FQDN and A

records are mapped to an IP address.


Registration of domain A records for all adapters by Netlogon and subsequent

re-registration every hour (by default) can be problematic if clients resolve

the domain name to an unreachable IP address.


The following registry key enables/disables the registration of A records by

Netlogon for a domain controller. The domain A records are not required by

Windows 2000, but are registered for the benefit of Lightweight Directory Access

Protocol (LDAP) implementations that do not support SRV records.


Note that this registry key disables all A record registrations performed by

Netlogon, which includes the gc._msdcs.<DnsForestName> records.

Registration of gc._msdcs.<DnsForestName> records is required and must be

performed manually if the RegisterDnsARecords registry key is set to disabled.

For additional information, click the article number below to view the article

in the Microsoft Knowledge Base:


Q258213 Registration of gc._msdcs.DnsForestName Records Is Required


RegisterDnsARecords

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters


Data type: REG_DWORD

Range: 0 - 1

Default value: 1


This determines whether this domain controller registers DNS A (IP address)

records for the domain. If this domain controller is a global catalog resource,

this entry also determines whether the domain controller registers DNS A records

for the global catalog.


Value   Meaning
-------------------------------------------------------------
0       Does not register DNS A records. LDAP implementations
        that do not support SRV records will not be able to
        locate the LDAP server on this domain controller.
1       Registers DNS A records.


NOTE: This entry is used only when it appears in the registry of a domain

controller. You might consider setting this value to 0 if DNS does not complete

its dynamic updates because it cannot update A records. DNS stops updating when

an update attempt does not succeed.


Windows 2000 does not add this entry to the registry. You can add it by editing

the registry or by using a program that edits the registry.


To make the changes to this value effective, you must restart the Netlogon

service. A restart of Windows 2000 is preferred.


RAS Client

----------


To configure individual RAS connection settings, use Advanced TCP/IP properties,

as in the "Per Adapter - Advanced TCP/IP Properties Controls" section of this

article.



Copyright Microsoft Corporation 2000.









