13.15. Preventing a Domain Controller from Dynamically Registering Certain Resource Records

Problem

You want to prevent a domain controller from dynamically registering certain resource records. It is sometimes advantageous to prevent certain resource records from being dynamically registered. For example, if you want to reduce the load on the PDC Emulator for a domain, you could prevent some of its SRV records from being published, which would reduce the amount of client traffic the server receives.

Solution

Using a command-line interface

This command prevents the Ldap, Gc, and GcIpAddress resource records from being dynamically registered:

> reg add HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /v DnsAvoidRegisterRecords /t REG_MULTI_SZ /d Ldap\0Gc\0GcIpAddress
The operation completed successfully.

> net stop netlogon
The Net Logon service is stopping.
The Net Logon service was stopped successfully.

> del %SystemRoot%\system32\config\netlogon.dnb

> net start netlogon
The Net Logon service is starting.......
The Net Logon service was started successfully.
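
An idempotent PowerShell version of the steps above, added here as an example and not taken from the book: it merges the requested mnemonics into any existing DnsAvoidRegisterRecords list instead of replacing it, and supports -WhatIf so the change can be previewed. The function names Merge-AvoidList and Set-DcAvoidRegisterRecords are hypothetical.

```powershell
# Added example (not from the book). Run elevated, directly on the DC.
$ParamKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ValueName = 'DnsAvoidRegisterRecords'

function Merge-AvoidList {
    # Pure helper: case-insensitive union that keeps entries already present.
    param([string[]]$Current, [Parameter(Mandatory)][string[]]$Add)
    $seen = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    $out = foreach ($m in @($Current) + @($Add)) {
        $m = "$m".Trim()
        if ($m -and $seen.Add($m)) { $m }   # skip blanks and duplicates
    }
    return ,[string[]]@($out)
}

function Set-DcAvoidRegisterRecords {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Mnemonic)

    # Read the current multi-string value, if the value exists at all.
    $prop    = Get-ItemProperty -Path $ParamKey -Name $ValueName -ErrorAction SilentlyContinue
    $current = if ($prop) { [string[]]$prop.$ValueName } else { @() }
    $merged  = Merge-AvoidList -Current $current -Add $Mnemonic

    # Nothing to change: leave the registry and the service alone.
    if (($current -join '|') -eq ($merged -join '|')) {
        Write-Verbose "$ValueName already contains the requested mnemonics."
        return $merged
    }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set $ValueName and restart Netlogon")) {
        New-ItemProperty -Path $ParamKey -Name $ValueName -PropertyType MultiString `
            -Value $merged -Force | Out-Null
        # Same sequence as the commands above: stop Netlogon, delete netlogon.dnb, start it.
        Stop-Service -Name Netlogon -ErrorAction Stop
        Remove-Item "$env:SystemRoot\System32\config\netlogon.dnb" -ErrorAction SilentlyContinue
        Start-Service -Name Netlogon
    }
    return $merged
}

# Constructed offline check of the merge logic (no registry access):
Merge-AvoidList -Current @('gc') -Add 'Ldap', 'Gc', 'GcIpAddress'

# On the DC itself, preview first, then apply without -WhatIf:
# Set-DcAvoidRegisterRecords -Mnemonic Ldap, Gc, GcIpAddress -WhatIf
```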

Using VBScript

' This code prevents a DC from registering the resource records
' associated with the Ldap, Gc, and GcIpAddress mnemonics and must be run
' directly on the server.

' Create Registry Value
const HKLM = &H80000002
set objReg = GetObject("winmgmts:root\default:StdRegProv")
strKeyPath = "System\CurrentControlSet\Services\Netlogon\Parameters"

' prevent Ldap, Gc, and GCIpAddress records from being registered
...
