If you change entries by editing the registry, the changes aren't effective until you restart the DNS server. The DNS server doesn't add this entry to the registry.
This log file lists the records that are required to be registered for this domain controller.
The Net Logon service does not provide a mechanism to control the registrations that it performs on a per-adapter basis. This section describes how to enable and disable the following items:
To disable all registrations that are performed by the Net Logon service, use the following registry subkey.
A restart of the Net Logon service is required, although a restart of the computer is preferred.
DNS updates provide automatic updates of zone data, such as DNS names, on the zone's primary server whenever an authorized server for the zone requests an update. DNS updates supplement the static, manual method of adding and changing zone records. The dynamic update protocol is defined in RFC.
This entry is supported on domain controllers only. Registration of domain A resource records for all adapters by the Net Logon service, and the subsequent re-registration every hour by default, can be problematic if clients resolve the domain name to an IP address that they cannot reach.
The following registry subkey enables or disables the registration of A resource records by the Net Logon service for a domain controller. These records include the gc._msdcs.DnsForestName records. Registration of the gc._msdcs.DnsForestName records is required and must be performed manually if the RegisterDnsARecords registry value is set to disabled.
If this domain controller is a global catalog server, this entry also determines whether the domain controller registers global catalog DNS A resource records. This entry is used only when it appears in the registry of a domain controller. You might set this value to 0 if DNS does not complete its updates because it cannot update A resource records: DNS stops updating when an update attempt does not succeed. By default, client computers that are running Windows have DNS updates enabled.
To disable Domain Name System (DNS) dynamic update protocol registration for all network interfaces, use one of the following methods:
Click Start, click Run, type regedit, and then click OK.
Note After you change one of these components by modifying the registry keys that are listed in this article, you must stop and restart the affected services.
Important This section, method, or task contains steps that tell you how to modify the registry.
Note Windows does not add this entry to the registry.
Note For DNS updates to operate on any adapter, they must be enabled at the system level and at the adapter level.
Note This entry is used only when it appears in the registry of a domain controller.
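The notes above describe three independent switches (system level, adapter level, and the Net Logon RegisterDnsARecords value), and that Windows does not create these values by default. The following PowerShell audit script is an added example, not code from the article; the Tcpip and Netlogon parameter key paths and the Get-DnsClient cmdlet are assumptions about the platform, and a missing registry value is treated as "enabled", which is the documented default.

```powershell
# Added example (not from the article): audit the places that govern DNS
# dynamic-update registration on a domain controller and optionally disable
# Net Logon A-record registration. Key paths are assumptions about Windows.
param([switch]$DisableNetlogonARecords)

$tcpip    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Windows does not add these values by default, so "absent" must be read as
# the default (enabled), not as an error.
function Get-RegDword([string]$Path, [string]$Name, [int]$Default) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

# 1. System level: DisableDynamicUpdate = 1 turns updates off for every adapter.
$sysDisabled = Get-RegDword $tcpip 'DisableDynamicUpdate' 0
Write-Host ('System-level dynamic update: ' + $(if ($sysDisabled -eq 1) { 'DISABLED' } else { 'enabled' }))

# 2. Adapter level: an adapter registers only if the system level allows it AND
#    "Register this connection's addresses in DNS" is set on the connection.
Get-DnsClient | ForEach-Object {
    $effective = ($sysDisabled -eq 0) -and $_.RegisterThisConnectionsAddress
    Write-Host ('{0,-30} adapter={1,-5} effective={2}' -f $_.InterfaceAlias,
        $_.RegisterThisConnectionsAddress, $effective)
}

# 3. Net Logon: RegisterDnsARecords = 0 stops the DC's domain and global catalog
#    A-record registration for all adapters (there is no per-adapter control).
$nlARecords = Get-RegDword $netlogon 'RegisterDnsARecords' 1
Write-Host ('Net Logon A-record registration: ' + $(if ($nlARecords -eq 1) { 'enabled' } else { 'DISABLED' }))

if ($DisableNetlogonARecords -and $nlARecords -ne 0) {
    # Set-ItemProperty creates the value if it is absent; -Type keeps it a DWORD.
    Set-ItemProperty -Path $netlogon -Name 'RegisterDnsARecords' -Value 0 -Type DWord
    # The change takes effect only after Net Logon restarts (a reboot is preferred).
    Restart-Service -Name Netlogon
    Write-Host 'RegisterDnsARecords set to 0; gc._msdcs A records now need manual registration.'
}
```

Run it without the switch first to see the effective state per adapter; the switch is only meaningful on a domain controller whose domain A records are resolving to an unreachable address.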
The DNS client backs out of the registration process. No error is written to the Event Viewer log.
If Microsoft manages your DNS records, to route traffic to an existing public website that is hosted outside of Microsoft, do the following after you add your domain to Microsoft:
For IP Address, type the static IP address of the host where your website is currently hosted. This must be a static IP address for the website, not a dynamic IP address. Check with the site where your website is hosted to make sure that you can get a static IP address for your public website.
For Points to address, type the fully qualified domain name (FQDN) for your website (for example, contoso.). Update your domain's NS records to point to Microsoft. When the NS records have been updated to point to Microsoft, your domain is all set up. The following examples show how this process varies in different cases.
For these DHCP clients, updates are typically handled in the following manner:
After you integrate a zone, you can use the access control list (ACL) editing features that are available in the DNS snap-in to add or remove users or groups from the ACL for a specific zone or for a resource record. For more information, search for the "To modify security for a resource record" topic or the "To modify security for a directory integrated zone" topic in Windows Server Help.
By default, dynamic update security for Windows Server DNS servers and clients is handled in the following manner:
Windows Server-based DNS clients try to use nonsecure dynamic updates first. If the nonsecure update is refused, clients try to use a secure update.
Also, clients use a default update policy that lets them try to overwrite a previously registered resource record, unless they are specifically blocked by update security. By default, when you use standard zone storage, the DNS Server service does not enable dynamic updates on its zones. For zones that are either directory-integrated or use standard file-based storage, you can change the zone to enable all dynamic updates.
This enables all updates to be accepted, bypassing the use of secure updates. The secure dynamic update functionality can be compromised if the following conditions are true:
For more information, see the "Security considerations when you use the DnsUpdateProxy group" section. The secure dynamic update functionality is supported only for Active Directory-integrated zones. If you configured a different zone type, change the zone type and integrate the zone before you secure it for DNS updates.
If you use secure dynamic updates in this configuration with Windows Server-based DNS servers, resource records may become stale. In some circumstances, this scenario may cause problems. For example, if DHCP1 fails and a second backup DHCP server comes online, the backup server cannot update the client name because the server is not the owner of the name.
In another example, assume that the DHCP server performs dynamic updates for legacy clients. If you upgrade those clients to a version supporting dynamic updates, the upgraded client cannot take ownership or update its DNS records.
To solve this problem, a built-in security group named DnsUpdateProxy is provided. If all DHCP servers are added to the DnsUpdateProxy group, the records of one server can be updated by another server if the first server fails. However, all the objects that are created by the members of the DnsUpdateProxy group are not secured. Therefore, the first user who is not a member of the DnsUpdateProxy group and who modifies the set of records that is associated with a DNS name becomes its owner.
When legacy clients are upgraded, they can take ownership of their name records at the DNS server. If every DHCP server that registers resource records for legacy clients is a member of the DnsUpdateProxy group, many problems are eliminated.
If you are using multiple DHCP servers for fault tolerance and secure dynamic updates, add each server to the DnsUpdateProxy global security group. Also, objects that are created by the members of the DnsUpdateProxy group are not secure.
Therefore, you cannot use this group effectively in an Active Directory-integrated zone that enables only secure dynamic updates unless you take additional steps to enable the records that are created by members of the group to be secured. To help protect against nonsecure records, or to enable members of the DnsUpdateProxy group to register records in zones that enable only secured dynamic updates, follow these steps:
A dedicated user account is a user account whose sole purpose is to supply DHCP servers with credentials for DNS dynamic update registrations.
Assume that you have created a dedicated user account and configured DHCP servers with the account credentials. The dedicated user account should be created in the forest where the primary DNS server for the zone to be updated resides.
The dedicated user account can also be located in another forest. However, the forest that the account resides in must have a forest trust established with the forest that contains the primary DNS server for the zone to be updated. When the DHCP Server service is installed on a domain controller, you can configure the DHCP server by using the credentials of the dedicated user account to prevent the server from inheriting, and possibly misusing, the power of the domain controller.
When the DHCP Server service is installed on a domain controller, it inherits the security permissions of the domain controller. The service also has the authority to update or delete any DNS record that is registered in a secure Active Directory-integrated zone. This includes records that were securely registered by other Windows-based computers, and by domain controllers.
The dynamic update functionality that is included in Windows follows RFC. By default, the name that is used in the DNS registration is a concatenation of the computer name and the primary DNS suffix.
Right-click the connection that you want to configure, and then click Properties.
This default configuration causes the client to request that the client register the A resource record and the server register the PTR resource record.
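The dedicated-account and DnsUpdateProxy guidance above, together with the default "client registers A, server registers PTR" behaviour, can be applied with the ActiveDirectory and DhcpServer PowerShell modules. The script below is an added example, not the article's own steps; the account name svc-dhcp-dns and the server DHCP2 are constructed, DHCP1 is taken from the article's example, and it assumes the zone is Active Directory-integrated with secure-only updates.

```powershell
# Added example (not the article's steps): make DHCP-driven DNS registrations
# fault tolerant without leaving records unsecured. Assumes the ActiveDirectory
# and DhcpServer modules and a domain with the built-in DnsUpdateProxy group.
Import-Module ActiveDirectory, DhcpServer

$dhcpServers = 'DHCP1', 'DHCP2'      # DHCP1 from the article; DHCP2 constructed
$svcAccount  = 'svc-dhcp-dns'        # constructed name for the dedicated account

# 1. Dedicated user account: its only job is to authenticate DNS update
#    registrations, so it gets no extra group memberships or privileges.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$svcAccount'")) {
    New-ADUser -Name $svcAccount -SamAccountName $svcAccount `
        -AccountPassword (Read-Host -AsSecureString "Password for $svcAccount") `
        -PasswordNeverExpires $true -Enabled $true
}

# 2. DnsUpdateProxy: every DHCP server that registers on behalf of legacy
#    clients joins, so a backup server can update records a failed server made.
foreach ($s in $dhcpServers) {
    Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members (Get-ADComputer -Identity $s)
}

# 3. Each DHCP server registers with the dedicated credential rather than its
#    own identity. On a domain controller this also stops the service from
#    inheriting the DC's right to rewrite any secured record in the zone.
$cred = Get-Credential -UserName "$env:USERDOMAIN\$svcAccount" -Message 'Dedicated DNS update account'
foreach ($s in $dhcpServers) {
    Set-DhcpServerDnsCredential -ComputerName $s -Credential $cred
    # Keep the default split (client registers A, server registers PTR), still
    # cover older clients that cannot register, and remove stale records on expiry.
    Set-DhcpServerv4DnsSetting -ComputerName $s -DynamicUpdates OnClientRequest `
        -UpdateDnsRRForOlderClients $true -DeleteDnsRROnLeaseExpiry $true
}

# 4. Verify which identity each server now uses for registrations.
foreach ($s in $dhcpServers) {
    $c = Get-DhcpServerDnsCredential -ComputerName $s
    Write-Host ('{0}: DNS updates run as {1}\{2}' -f $s, $c.DomainName, $c.UserName)
}
```

Records the DHCP servers create after this change are owned by the dedicated account rather than being unsecured, so a later owner check on a client name shows the service account instead of the first non-proxy writer.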