Preventing a Domain Controller from Dynamically Registering All Resource Records

Posted: March 27, 2010 in Active Directory, Server, System Information

Problem

You want to prevent a domain controller from dynamically registering its resource records using DDNS. If you manually register a domain controller’s resource records, you’ll want to prevent those domain controllers from attempting to dynamically register them. If you do not disable them from sending dynamic update requests, you may see annoying error messages on your DNS servers that certain DDNS updates are failing.

Solution

Using a command-line interface
	> reg add HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /v UseDynamicDNS /t REG_DWORD /d 0
	The operation completed successfully.

	> net stop netlogon
	The Net Logon service is stopping.
	The Net Logon service was stopped successfully.

	> del %SystemRoot%\system32\config\netlogon.dnb

	> net start netlogon
	The Net Logon service is starting.......
	The Net Logon service was started successfully.

Using VBScript
	' This code prevents a DC from registering resource records dynamically.
	' It must be run directly on the server.

	' Create Registry Value
	' UseDynamicDNS must be 0 to disable registration (1 is the default, enabled).
	const HKLM = &H80000002
	set oReg=GetObject("winmgmts:root\default:StdRegProv")
	strKeyPath = "System\CurrentControlSet\Services\Netlogon\Parameters"
	if oReg.SetDWORDValue(HKLM,strKeyPath,"UseDynamicDNS",0) <> 0 then
	   WScript.Echo "Error creating registry value"
	else
	   WScript.Echo "Created registry value successfully"
	end if

	' Stop Netlogon service
	strService = "Netlogon"
	set objService = GetObject("WinMgmts:root/cimv2:Win32_Service.Name='" & _
	                           strService & "'")
	if objService.StopService <> 0 then
	   WScript.Echo "Error stopping " & strService & " service"
	else
	   WScript.Echo "Stopped " & strService & " service successfully"
	end if

	' Delete netlogon.dnb file (the cache of records Netlogon re-registers).
	' GetFile raises an error if the file is missing, so check for it first.
	set WshShell = CreateObject("WScript.Shell")
	set objFSO = CreateObject("Scripting.FileSystemObject")
	strDnbPath = WshShell.ExpandEnvironmentStrings("%SystemRoot%") _
	             & "\system32\config\netlogon.dnb"
	if objFSO.FileExists(strDnbPath) then
	   set objFile = objFSO.GetFile(strDnbPath)
	   objFile.Delete
	   WScript.Echo "Deleted netlogon.dnb successfully"
	else
	   WScript.Echo "netlogon.dnb not present, nothing to delete"
	end if

	' Start Netlogon service
	if objService.StartService <> 0 then
	   WScript.Echo "Error starting " & strService & " service"
	else
	   WScript.Echo "Started " & strService & " service successfully"
	end if

	WScript.Echo
	WScript.Echo "Done"

Discussion

By default, domain controllers attempt to dynamically register their Active Directory-related resource records every hour via the NetLogon service. You can prevent a domain controller from doing this by setting the UseDynamicDNS value to 0 under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters. After you set that value, you should stop the NetLogon service, remove the %SystemRoot%\system32\config\netlogon.dnb file, and then restart NetLogon. It is necessary to remove the netlogon.dnb file because it maintains a cache of the resource records that are dynamically updated. This file will get re-created when the NetLogon service restarts. Once registration is disabled, the DC's records exist in DNS only as long as you maintain them by hand, so verify after the change that the SRV records for this DC are still present.
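The same procedure in PowerShell, as an added example that is not part of the original post or the cookbook it quotes. It audits the current UseDynamicDNS value, applies the four steps only when run with -Apply (honouring -WhatIf), and then checks that the DC's _ldap._tcp.dc._msdcs SRV record still resolves, which is the thing that silently breaks if someone disables registration on a DC whose records were never entered manually. It assumes it is run elevated on the DC itself and that Resolve-DnsName (DnsClient module, Windows Server 2012 and later) is available.

```powershell
# Added example (not from the original post): audit and optionally apply
# UseDynamicDNS=0 on the local domain controller, then verify its SRV record.
# Assumptions: run elevated on the DC; Resolve-DnsName is available.

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$valueName = 'UseDynamicDNS'
$dnbFile   = Join-Path $env:SystemRoot 'system32\config\netlogon.dnb'

function Get-DynamicDnsState {
    # Returns $null when the value is absent (absent means registration enabled).
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

$current = Get-DynamicDnsState
if ($current -eq 0) {
    Write-Host 'Dynamic registration is DISABLED (UseDynamicDNS = 0)'
} else {
    $shown = if ($null -eq $current) { '<not set>' } else { $current }
    Write-Host "Dynamic registration is ENABLED (UseDynamicDNS = $shown)"
}

if ($Apply -and $current -ne 0) {
    if ($PSCmdlet.ShouldProcess('Netlogon', 'Disable dynamic DNS registration')) {
        # 1. Set the value (same key and value the reg add command uses).
        New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord `
            -Value 0 -Force | Out-Null

        # 2. Stop Netlogon so the cached record list is not in use.
        Stop-Service -Name Netlogon -Force

        # 3. Remove the cache of records Netlogon would otherwise re-register.
        if (Test-Path $dnbFile) { Remove-Item -Path $dnbFile -Force }

        # 4. Restart Netlogon; it re-creates netlogon.dnb without registering.
        Start-Service -Name Netlogon
    }
}

# Verification: with UseDynamicDNS=0 nothing will re-create these records,
# so confirm the DC is still advertised in DNS before walking away.
$domain  = (Get-CimInstance Win32_ComputerSystem).Domain
$srvName = "_ldap._tcp.dc._msdcs.$domain"
$srv     = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue
if ($srv) {
    $mine = $srv | Where-Object { $_.NameTarget -like "$env:COMPUTERNAME.*" }
    if ($mine) {
        Write-Host "OK: $srvName still lists $($mine.NameTarget)"
    } else {
        Write-Warning "$srvName does not list this DC; register its records manually"
    }
} else {
    Write-Warning "Could not resolve $srvName"
}
```

Run it with no switches first to see the current state, then with `-Apply -WhatIf` to preview the service stop/start, and finally with `-Apply`. The check at the end covers only the DC locator SRV record; the complete list of records the DC would have registered is written by Netlogon to %SystemRoot%\system32\config\netlogon.dns, which is the reference to use when maintaining them by hand.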
