How to Enable/Disable Windows 2000 Dynamic DNS Registrations [Q246804]
Tom Horan
thoran at esatclear.ie
Mon Nov 13 20:52:39 UTC 2000
I've seen a lot of questions regarding this topic. So here is the official TechNet article from Microsoft.
There should be a few ways to solve this - 3 ways to do it: with "regedit /s file.reg", a kix script, and a .vbs script. You should be able to do it remotely using something like reg out of the NT resource kit.
Thanks,
Tom
PSS ID Number: Q246804
Article last modified on 08-02-2000
WINDOWS:2000
WINDOWS
======================================================================
-------------------------------------------------------------------------------
The information in this article applies to:
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional
-------------------------------------------------------------------------------
IMPORTANT: This article contains information about editing the registry.
Before you edit the registry, make sure you understand how to restore it if
a problem occurs. For information about how to do this, view the "Restoring
the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help
topic in Regedt32.exe.
SUMMARY
=======
Windows 2000 supports dynamic Domain Name System (DNS) updates (per RFC 2136).
This behavior is enabled by default for Windows 2000 DNS clients.
Depending on the configuration and services running on a particular computer,
different components perform dynamic DNS updates. There is no centralized way
(such as a tool or registry keys) to manage the dynamic DNS update behavior of
all components. This article describes each component and how to modify that
particular component's behavior.
NOTE: After you change any of the registry keys listed in this article, you must
stop and restart the affected service(s). In some cases, you must reboot the
computer. These instances are noted.
MORE INFORMATION
================
WARNING: Using Registry Editor incorrectly can cause serious problems that may
require you to reinstall your operating system. Microsoft cannot guarantee that
problems resulting from the incorrect use of Registry Editor can be solved. Use
Registry Editor at your own risk.
For information about how to edit the registry, view the "Changing Keys and
Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete
Information in the Registry" and "Edit Registry Data" Help topics in
Regedt32.exe. Note that you should back up the registry before you edit it. If
you are running Windows NT or Windows 2000, you should also update your
Emergency Repair Disk (ERD).
The following components perform dynamic DNS updates:
- DHCP Client service (all Windows 2000-based computers)
- DNS Server service (Windows 2000-based DNS servers only)
- Netlogon service (Windows 2000-based domain controllers only)
- RAS client (Windows 2000-based RAS clients only)
- Dynamic Host Configuration Protocol (DHCP) Server service (Windows 2000-based
DHCP servers only)
DHCP Client Service
-------------------
The DHCP Client service performs dynamic DNS updates for adapters regardless of
whether the adapter is configured by using DHCP or is manually or statically
configured. This section describes how to enable/disable the following items:
- All adapters - forward (hostname A) and reverse (PTR)
- All adapters - reverse (PTR)
- Per adapter - advanced TCP/IP properties controls
- Per adapter - forward and reverse (hostname A and PTR)
- Per adapter - reverse (PTR)
- Other Settings
All Adapters - Forward (Hostname A) and Reverse (PTR)
-----------------------------------------------------
To disable both A and PTR registrations performed for all adapters by the DHCP
client service, use the following registry key:
DisableDynamicUpdate
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Data type: REG_DWORD
Range: 0 - 1
Default value: 0
This key disables DNS dynamic update registration for all adapters on this
computer. With dynamic update, DNS client computers automatically register and
update their resource records whenever address changes occur.
Value   Meaning
-------------------------------------------
0       Enables dynamic update registration
1       Disables dynamic update registration
NOTE: For dynamic update to operate on any adapter, it must be enabled at the
system level and at the adapter level. To disable DNS dynamic update for a
particular adapter, add DisableDynamicUpdate to an <interface-name> subkey
and set its value to 1. To disable dynamic update on all adapters in a computer,
add DisableDynamicUpdate to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters subkey and
set its value to 1.
Windows 2000 does not add this entry to the registry. You can add it by editing
the registry or by using a program that edits the registry.
To make the changes to this value effective, you must restart Windows 2000.
All Adapters - Reverse (PTR)
----------------------------
When you want forward lookup (A record) registrations but not reverse lookup
(PTR record) registrations, use the following registry key to disable
registration of PTR records:
DisableReverseAddressRegistrations
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Data type: REG_DWORD
Range: 0 - 1
Default value: 0
This key disables DNS dynamic update registration of PTR records by this DNS
client. PTR ("pointer") records associate an IP address with a computer name.
This entry is designed for enterprises in which the primary DNS server that is
authoritative for the reverse lookup zone cannot or is configured not to perform
dynamic updates. It reduces unnecessary network traffic and eliminates event log
errors that record unsuccessful attempts to register PTR records.
Value   Meaning
----------------------------------
0       Register PTR records
1       Do not register PTR records
NOTE: Windows 2000 does not add this entry to the registry. You can add it by
editing the registry or by using a program that edits the registry.
To make the changes to this value effective, you must restart Windows 2000.
Per Adapter - Advanced TCP/IP Properties Controls
-------------------------------------------------
DNS registrations performed by each adapter can be changed by using
adapter-specific advanced TCP/IP settings (on the DNS tab):
- DNS suffix for this connection (box)
- Register this connection's addresses in DNS (check box)
- Use this connection's DNS suffix in DNS registration (check box)
"Register this connection's addresses in DNS" (selected by default): This setting
registers A and PTR records for the first IP address configured on this adapter.
Clear this check box to disable the DHCP Client service from registering both A
and PTR records for this adapter.
"Use this connection's DNS suffix in DNS registration" (cleared by default): Each
computer has a primary DNS suffix (use the "ipconfig /all" (without the
quotation marks) command to view this suffix). Additionally, each adapter can
also have a separate DNS suffix configured for itself. An adapter-specific DNS
suffix can be configured manually or by using DHCP option 15 as part of the DHCP
lease process. For additional information, click the article number below to
view the article in the Microsoft Knowledge Base:
Q121005 DHCP Options Supported by Clients
Select this check box to enable the DHCP Client service to register A and PTR
records for the following fully qualified domain name (FQDN) in addition to
hostname.<PrimaryDnsSuffix>:
hostname.<dns_suffix_for_this_adapter>
Per Adapter - Forward and Reverse (Hostname A and PTR)
------------------------------------------------------
To disable A and PTR registrations performed for a specific adapter by the DHCP
Client service, use the following registry key:
DisableDynamicUpdate
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface-name>
Data type: REG_DWORD
Range: 0 - 1
Default value: 0
This disables DNS dynamic update registration on this adapter. With dynamic
update, DNS client computers automatically register and update their resource
records whenever address changes occur.
Value   Meaning
--------------------------------------------
0       Enables dynamic update registration
1       Disables dynamic update registration
NOTE: For dynamic update to operate on any adapter, it must be enabled at the
system level and at the adapter level. To disable DNS dynamic update for a
particular adapter, add DisableDynamicUpdate to an <interface-name> subkey
and set its value to 1. To disable dynamic update on all adapters in a computer,
add DisableDynamicUpdate to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters subkey and
set its value to 1.
Windows 2000 does not add this entry to the registry. You can add it by editing
the registry or by using a program that edits the registry.
To make the changes to this value effective, you must restart Windows 2000.
Per Adapter - Reverse (PTR)
---------------------------
There is no mechanism to disable PTR registrations on a per-adapter basis.
Other Settings
--------------
This section lists other parameters used by the DHCP Client service as they
relate to DNS dynamic updates.
- DNS records are re-registered dynamically every 24 hours by default. You can
use the following registry key to modify the refresh interval:
DefaultRegistrationRefreshInterval
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Data type: REG_DWORD
Range: 0x0 - 0xFFFFFFFF seconds
Default value: 0x15180 (86,400 seconds = 24 hours)
Scope: Affects all adapters
This specifies the time interval between DNS dynamic update registration
refreshes.
Windows 2000 does not add this entry to the registry. You can add it by editing
the registry or by using a program that edits the registry.
To make the changes to this value effective, you must restart Windows 2000.
- The default Time To Live (TTL) value used for dynamic registrations is 20
minutes. You can use the following registry key to modify the TTL value:
DefaultRegistrationTTL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Data type: REG_DWORD
Range: 0x0 - 0xFFFFFFFF seconds
Default value: 0x4B0 (1,200 seconds = 20 minutes)
Scope: Affects all adapters
This specifies the default TTL value set in the header of outgoing DNS dynamic
update registrations. The TTL value determines how long a packet that has not
reached its destination can remain on the network before it is discarded.
Windows 2000 does not add this entry to the registry. You can add it by editing
the registry or by using a program that edits the registry.
To make the changes to this value effective, you must restart Windows 2000.
- By default, only the first IP address is dynamically registered. You can use
the following registry key to modify the number of IP addresses dynamically
registered for an adapter that is configured with more than one IP address
(logically multihomed):
MaxNumberOfAddressesToRegister
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\<interface-name>\MaxNumberOfAddressesToRegister
Data type: REG_DWORD
Range: 0x0 - 0xFFFFFFFF
Default value: 0x1
Scope: Affects this adapter only
This determines the maximum number of IP addresses that can be registered in DNS
for this adapter.
If the value of this entry is 0, IP addresses cannot be registered for this
adapter.
To make the changes to this value effective, you must restart Windows 2000.
- By default, non-secure dynamic DNS registrations are attempted. You can use
the following registry key to modify this behavior:
UpdateSecurityLevel
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Data type: REG_DWORD
Range: 0x0 | 0x10 | 0x100
Default value: 0x0
Scope: Affects all adapters
This determines whether the DNS client uses secure dynamic update or standard
dynamic update. Windows 2000 supports both dynamic update and secure dynamic
update. With secure dynamic update, the authoritative name server accepts
updates only from authorized clients and servers.
Value          Meaning
-------------------------------------------------------------
0 (0x0)        Send secure dynamic updates only when non-secure
               dynamic updates are refused.
16 (0x10)      Send only non-secure dynamic updates.
256 (0x100)    Send only secure dynamic updates.
Windows 2000 does not add this entry to the registry. You can add it by editing
the registry or by using a program that edits the registry.
To make the changes to this value effective, you must restart Windows 2000.
- By default, the DNS client tries to replace the original registration with a
record associating the DNS name to its own IP address. You can use the
following registry key to modify this behavior:
DisableReplaceAddressesInConflicts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Data type: REG_DWORD
Range: 0 - 1
Default value: 0
Scope: Affects all adapters
This prevents the DNS client from overwriting an existing resource record when it
discovers an address conflict during dynamic update. An address conflict occurs
when the DNS client discovers that an existing A record associates its DNS name
with the IP address of a different computer.
By default, the DNS client tries to replace the original registration with a
record associating the DNS name to its own IP address. However, you can use this
entry to direct DNS back out of the registration process. An error in Event
Viewer is not logged.
This entry is designed for zones that do not use secure dynamic update. It
prevents unauthorized users from changing the IP address registration of a
client computer.
Value   Meaning
---------------------------------------------------------------
0       The DNS client overwrites the existing A record with an A
        record for its own IP address.
1       The DNS client backs out of the registration process.
        No error is written to the Event Viewer log.
Windows 2000 does not add this entry to the registry. You can add it by editing
the registry or by using a program that edits the registry.
To make the changes to this value effective, you must restart Windows 2000.
DNS Server Service (DNS Server Only)
------------------------------------
The DNS Server service registers hostname A records for all the adapters it is
listening on if it is authoritative (SOA) for a given name.
When a server running the DNS Service has multiple adapters, unwanted addresses
can be published automatically. Common scenarios include disconnected or unused
network adapters publishing AutoNet addresses and private or DMZ interfaces
publishing unreachable addresses.
If the Network Load Balancing (NLB) service is installed on a DNS server, both
the virtual network adapter address and the dedicated network adapter address
will be registered by the DNS Server service.
The adapters on which the DNS server is listening can be changed by using the
DNS snap-in. In Server properties, click the Adapters tab.
In circumstances in which the list of IP addresses the DNS server listens to and
serves is different from the list of IP addresses published (registered by the
DNS Server service), use the following registry key:
PublishAddresses
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
Data type: REG_SZ
Range: IP address [IP address]
Default value: blank
This specifies the IP addresses you want to publish for the computer. The DNS
server creates A records only for the addresses in this list. If this entry does
not appear in the registry, or if its value is blank, the DNS server creates an
A record for each of the computer's IP addresses.
This entry is designed for computers with multiple IP addresses, when you prefer
to publish only a subset of the available addresses. Typically, this is used to
prevent the DNS server from returning a private network address in response to a
query when the computer has a corporate network address.
DNS reads its registry entries only when it starts. You can change entries while
the DNS server is running by using the DNS console. If you change entries by
editing the registry, the changes are not effective until you restart the DNS
server.
The DNS server does not add this entry to the registry. You can add it by editing
the registry or by using a program that edits the registry.
Netlogon Service (Domain Controller Only)
-----------------------------------------
By default, Netlogon registers certain SRV, CNAME, and A records every hour even
if some or all of these records are correctly registered in DNS. The list of
records Netlogon attempts to register is stored in the
%SystemRoot%\System32\Config\Netlogon.dns file. This log file lists records that
are required to be registered for this domain controller.
Netlogon does not provide a mechanism to control registrations it performs on a
per-adapter basis. This section describes how to enable/disable the following
items:
- All registrations
- Netlogon A registrations
All Registrations
-----------------
To disable all registrations performed by Netlogon, use the following registry
key (a restart of the Netlogon service is required, although a reboot is
preferred):
UseDynamicDns
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Data type: REG_DWORD
Range: 0 - 1
Default value: 1
This determines whether the Netlogon service on this domain controller uses DNS
dynamic updates. Netlogon can use DNS dynamic updates to register DNS names
identifying the domain controller. DNS dynamic updates provide automatic updates
of zone data, such as DNS names, on the zone's primary server whenever an
authorized zone server requests an update. It supplements the static, manual
method of adding and changing zone records. The DNS dynamic update protocol is
defined in RFC 2136.
Value   Meaning
-------------------------------------------------------------
0       Netlogon does not use DNS dynamic updates. Records
        specified in the Netlogon.dns file must be registered
        manually in DNS.
1       Netlogon uses DNS dynamic updates to register
        the names identifying this domain controller.
You might consider disabling Netlogon's use of DNS dynamic updates if your DNS
servers do not support DNS dynamic updates or to eliminate the network traffic
associated with periodic registration of Netlogon's DNS records.
This entry is supported on domain controllers only. Windows 2000 does not add
this entry to the registry. You can add it by editing the registry or by using a
program that edits the registry.
To make the changes to this value effective, delete
"%SYSTEMROOT%\system32\config\netlogon.dnb", and then restart the Netlogon
service. A restart of Windows 2000 is preferred.
Netlogon A Registrations
------------------------
By default, Netlogon on a domain controller registers SRV, domain A, and GC
(Global Catalog) A records every hour. SRV records are mapped to a FQDN and A
records are mapped to an IP address.
Registration of domain A records for all adapters by Netlogon and subsequent
re-registration every hour (by default) can be problematic if clients resolve
the domain name to an unreachable IP address.
The following registry key enables/disables the registration of A records by
Netlogon for a domain controller. The domain A records are not required by
Windows 2000, but are registered for the benefit of Lightweight Directory Access
Protocol (LDAP) implementations that do not support SRV records.
Note that this registry key disables all A record registrations performed by
Netlogon, which includes the gc._msdcs.<DnsForestName> records.
Registration of gc._msdcs.<DnsForestName> records is required and must be
performed manually if the RegisterDnsARecords registry key is set to disabled.
For additional information, click the article number below to view the article
in the Microsoft Knowledge Base:
Q258213 Registration of gc._msdcs.DnsForestName Records Is Required
RegisterDnsARecords
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Data type: REG_DWORD
Range: 0 - 1
Default value: 1
This determines whether this domain controller registers DNS A (IP address)
records for the domain. If this domain controller is a global catalog resource,
this entry also determines whether the domain controller registers DNS A records
for the global catalog.
Value   Meaning
-------------------------------------------------------------
0       Does not register DNS A records. LDAP implementations
        that do not support SRV records will not be able to
        locate the LDAP server on this domain controller.
1       Registers DNS A records.
NOTE: This entry is used only when it appears in the registry of a domain
controller. You might consider setting this value to 0 if DNS does not complete
its dynamic updates because it cannot update A records. DNS stops updating when
an update attempt does not succeed.
Windows 2000 does not add this entry to the registry. You can add it by editing
the registry or by using a program that edits the registry.
To make the changes to this value effective, you must restart the Netlogon
service. A restart of Windows 2000 is preferred.
RAS Client
----------
To configure individual RAS connection settings, use Advanced TCP/IP properties,
as in the "Per Adapter - Advanced TCP/IP Properties Controls" section of this
article.
Additional query words:
======================================================================
Keywords :
Technology : kbvcSearch
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbinfo
=============================================================================
Copyright Microsoft Corporation 2000.
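
Added example (not part of the original post or the Microsoft article): a Python check that reads a regedit-style .reg export and applies the defaults and precedence rules from the "DHCP Client Service" section, reporting which adapters still register in DNS and whether non-secure updates can overwrite a conflicting A record. The sample export, the interface placeholders and the function names are constructed for illustration.

```python
import re

TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
IFACES = TCPIP + "\\Interfaces\\"
SECURITY = {0x0: "secure only if non-secure is refused",
            0x10: "non-secure only",
            0x100: "secure only"}

# Constructed sample export; the interface names are placeholders.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DisableReverseAddressRegistrations"=dword:00000001
"UpdateSecurityLevel"=dword:00000010

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{IF-A-PLACEHOLDER}]
"DisableDynamicUpdate"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{IF-B-PLACEHOLDER}]
"Domain"="example.test"
"""

def parse_reg(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.fullmatch(r'"([^"]+)"=dword:([0-9A-Fa-f]{1,8})', line)
            if m:
                current[m.group(1)] = int(m.group(2), 16)
    return keys

def audit(text):
    """Apply the article's defaults and precedence rules to an export."""
    system, adapters = {}, {}
    for path, values in parse_reg(text).items():
        if path.lower() == TCPIP.lower():          # registry paths ignore case
            system = values
        elif path.lower().startswith(IFACES.lower()):
            adapters[path[len(IFACES):]] = values
    # Entries that are absent take the documented default of 0.
    sys_enabled = system.get("DisableDynamicUpdate", 0) == 0
    level = system.get("UpdateSecurityLevel", 0x0)
    overwrite = system.get("DisableReplaceAddressesInConflicts", 0) == 0
    report = {
        "registers_ptr": sys_enabled
                         and system.get("DisableReverseAddressRegistrations", 0) == 0,
        "security": SECURITY.get(level, "value outside documented range"),
        "overwrites_conflicting_a": overwrite,
        # Dynamic update must be enabled at system level AND adapter level.
        "adapters": {name: sys_enabled and v.get("DisableDynamicUpdate", 0) == 0
                     for name, v in adapters.items()},
        "findings": [],
    }
    if sys_enabled and level != 0x100 and overwrite:
        report["findings"].append(
            "non-secure updates permitted and conflicting A records are overwritten: "
            "set DisableReplaceAddressesInConflicts=1 or UpdateSecurityLevel=0x100")
    return report
```

Calling audit(SAMPLE_REG) returns a dictionary; the "adapters" entry maps each interface subkey to True when that adapter will still attempt dynamic registration.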