bind vs. MS DNS

Robert Lowe Robert.H.Lowe at lawrence.edu
Thu Jun 17 14:26:48 UTC 2004



Barry Finkel wrote:

> Kevin Darcy (I believe) responded to a posting:
> 
> 
>>>Now, if you want to make secure Dynamic 
>>>Updates directly from Win2K (or Win2K3) clients to the DNS of your main 
>>>domain, then you're not going to be able to use BIND for that. But
>>>technically that's not an Active Directory function; it's a Win2K* 
>>>function, and one that many folks find to be not worth the resources it 
>>>consumes. Depends on what you're trying to achieve.
> 
> 
> and Robert Lowe <Robert.H.Lowe at lawrence.edu> replied:
> 
> 
>>We turn off DDNS in all of our client images.  Client-initiated dynamic
>>updates are a bad idea anyway.  We use TSIG signed updates from ISC's
>>DHCP server for the few zones where we do DDNS.  DHCP is probably
>>another aspect of this discussion regarding migration too.  :-(
> 
> 
> We attempt to turn off DDNS on all our W2k machines.  But DCs need
> self-registration enabled in order for the DC to register its SRV
> records.

No, this can be turned off.  See the MS article I referenced earlier.
So that the archives pick it up, I'll insert the first part of the
appropriate section below, and a piece regarding Windows Server 2003.

-Robert


The Net Logon service (domain controller only)
By default, the Net Logon service registers certain SRV, CNAME, and
A resource records every hour even if some or all these records are
correctly registered in DNS. The list of records that the Net Logon
service tries to register is stored in the
%SystemRoot%\System32\Config\netlogon.dns file. This log file lists
records that are required to be registered for this domain controller.

The Net Logon service does not provide a mechanism to control
registrations that it performs on a per-adapter basis. This section
describes how to enable and disable the following items:

     * All registrations
     * Net Logon service A registrations

All registrations
To disable all registrations that are performed by the Net Logon service,
use the following registry subkey. (A restart of the Net Logon service is
required, although a restart of the computer is preferred.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\UseDynamicDns

Data type: REG_DWORD
Range: 0 - 1
Default value: 1

This determines whether the Net Logon service on this domain controller
uses DNS dynamic updates. The Net Logon service can use DNS dynamic
updates to register DNS names that identify the domain controller. DNS
dynamic updates provide automatic updates of zone data, such as DNS
names, on the zone's primary server whenever an authorized zone server
requests an update. It supplements the static, manual method of adding
and changing zone records. The DNS dynamic update protocol is defined
in RFC 2136.

    Value   Meaning

    -------------------------------------------------------------

    0       The Net Logon service does not use DNS dynamic updates. Records
            specified in the Netlogon.dns file must be registered
            manually in DNS.

    1       The Net Logon service uses DNS dynamic updates to register
            the names that identify this domain controller.

You might disable the Net Logon service's use of DNS dynamic updates if
your DNS servers do not support DNS dynamic updates or to remove the
network traffic that is associated with periodic registration of the
Net Logon service's DNS records.

This entry is supported on domain controllers only. Windows 2000 does
not add this entry to the registry. You can add it by editing the
registry or by using a program that edits the registry.

To make the changes to this value effective, delete
%SYSTEMROOT%\system32\config\netlogon.dnb, and then restart the Net
Logon service. A restart of Windows 2000 is preferred.

...........
<snip>
...........

How to enable DNS dynamic update in Windows Server 2003

By default, client computers that are running Windows Server 2003 have
dynamic update enabled. To disable DNS dynamic update for all network
interfaces, follow these steps:

    1. Click Start, and then click Run.
    2. In the Open box, type regedit, and then click OK.
    3. In Registry Editor, locate and then click the following registry
       subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

    4. On the Edit menu, point to New, and then click DWORD Value.
    5. Type DisableDynamicUpdate, and then press ENTER two times.
    6. In the Edit DWORD Value dialog box, type 1 in the Value data box,
       and then click OK.

       Note By default, the DNS dynamic update is enabled (0).

    7. Quit Registry Editor.



To disable DNS dynamic update for a particular interface, follow these
steps:

    1. Click Start, and then click Run.
    2. In the Open box, type regedit, and then click OK.
    3. Locate and then click the following registry subkey:

       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\deviceID


       Note deviceID is the device ID of the network adapter for the
       interface.

    4. On the Edit menu, point to New, and then click DWORD Value.
    5. Type DisableDynamicUpdate, and then press ENTER two times.
    6. In the Edit DWORD Value dialog box, type 1 in the Value data box,
       and then click OK.
    7. Quit Registry Editor.

For additional information about configuring DNS dynamic update in Windows
Server 2003, click the following article number to view the article in the
Microsoft Knowledge Base:

816592 HOW TO: Configure DNS dynamic update in Windows 2003
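As an added example (not part of Robert's post or the Microsoft article), a PowerShell script that audits the three registry values the excerpt describes and, with -Apply, sets them to the documented "disabled" values; the -Apply switch, the DomainRole check and the helper function names are this script's own assumptions.

```powershell
# Added example: audit (and with -Apply, set) the three registry values the quoted
# article describes. Run elevated on the Windows host being configured. The -Apply
# switch, the DomainRole test and the helper names are assumptions of this script.
param([switch]$Apply)

$tcpip    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Read a REG_DWORD, falling back to the documented default when the value is absent
# (the article notes Windows 2000 does not create UseDynamicDns by itself).
function Get-DwordOrDefault([string]$Path, [string]$Name, [int]$Default) {
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $Default }
    return [int]$p.$Name
}

function Set-Dword([string]$Path, [string]$Name, [int]$Value) {
    # In the registry provider Set-ItemProperty creates the value if it is missing
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

# 1. All interfaces: DisableDynamicUpdate (default 0 = client sends dynamic updates)
$all = Get-DwordOrDefault $tcpip 'DisableDynamicUpdate' 0
"Tcpip\Parameters DisableDynamicUpdate = $all  (1 = disabled)"
if ($Apply -and $all -ne 1) { Set-Dword $tcpip 'DisableDynamicUpdate' 1 }

# 2. Per interface: Interfaces\<deviceID>\DisableDynamicUpdate, same semantics
Get-ChildItem "$tcpip\Interfaces" | ForEach-Object {
    $v = Get-DwordOrDefault $_.PSPath 'DisableDynamicUpdate' 0
    "  $($_.PSChildName) DisableDynamicUpdate = $v"
    if ($Apply -and $v -ne 1) { Set-Dword $_.PSPath 'DisableDynamicUpdate' 1 }
}

# 3. Domain controllers only (DomainRole 4 = backup DC, 5 = primary DC):
#    UseDynamicDns (default 1) controls Net Logon's SRV/CNAME/A self-registration.
if ((Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4) {
    $nl = Get-DwordOrDefault $netlogon 'UseDynamicDns' 1
    "Netlogon\Parameters UseDynamicDns = $nl  (0 = Net Logon does not register)"
    if ($Apply -and $nl -ne 0) {
        Set-Dword $netlogon 'UseDynamicDns' 0
        # Per the article: delete netlogon.dnb, then restart Net Logon (reboot preferred)
        Remove-Item "$env:SystemRoot\system32\config\netlogon.dnb" -ErrorAction SilentlyContinue
        Restart-Service Netlogon
    }
}
```

After UseDynamicDns is set to 0, the records listed in netlogon.dns must be created in the zone by other means, as the article states.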


