Disable Windows 2000 Dynamic DNS Registrations

Registry Tip #36: Disable Windows 2000 Dynamic DNS Registrations

Hits: Failed to execute CGI : Win32 Error Code = 3

Windows 2000 supports dynamic Domain Name System (DNS) updates as defined in RFC2136 . Dynamic DNS update is enabled by default for Windows 2000 DNS clients. This behavior is distributed - there is not single policy setting or registry hack to control dynamic dns update. Dynamic DNS updates is performed by:

Windows 2000 workstation's and W2K server's DHCP client service
The DHCP Client service in W2K Pro and server performs dynamic DNS updates for adapters. The updates to DNS occur whether the adapter is configured by DHCP or is manually or statically configured.
- To disable forward lookup ( hostname A records ) and reverse lookup records (PTR registrations) for all adapters use the following registry hack.
  Hive: HKEY_LOCAL_MACHINE
  Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  Name: DisableDynamicUpdate
  Type: REG_DWORD
  Value:
  1 Disable dynamic update registration
  0 Enable dynamic update registration
  
  DisableDynamicUpdate can only be set in the registry and the registry setting overrides the checkbox Register this connection's addresses in DNS found on the DNS tab of each network interface's TCP/IP advanced properties which is an individual adapter setting.
- To enable forward lookup (hostname A records) but not reverse lookup records (PTR registrations) for all adapters use the following registry hack :
  Hive: HKEY_LOCAL_MACHINE
  Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  Name: DisableReverseAddressRegistrations
  Type: REG_DWORD
  Value:
  1 Do not register PTR records
  0 Register PTR records
  
  DisableReverseAddressRegistrations disables DNS dynamic update registration of PTR records for the client. PTR records, pronounced pointer, associate an IP address with a computer name. This registry setting reduces unnecessary network traffic and eliminates event log errors that record unsuccessful attempts to register PTR records in environments where the primary DNS server that is authoritative for the reverse lookup zone cannot or is configured not to perform dynamic updates.
- To disable forward lookup (hostname A records) and reverse lookup records (PTR registrations) performed for a specific adapter :
  Hive: HKEY_LOCAL_MACHINE
  Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\interface-name
  Name: DisableDynamicUpdate
  Type: REG_DWORD
  Value:
  1 Disables dynamic update registration
  0 Enables dynamic update registration
  
  For an adapter to use dynamic update, dynamic update must be enabled at the system level and at the adapter level. Disable at the system level and this setting is ineffective. A potential gotcha! is the adapter and system settings are in conflict.
- To enable forward lookup (hostname A records) but not reverse lookup records (PTR registrations) for a specific adapter :
  there is no method to do this AFAIK
- DNS records are re-registered dynamically every 24 hours by default. To modify the refresh interval for all adapters, use the following hack :
  Hive: HKEY_LOCAL_MACHINE
  Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  Name: DefaultRegistrationRefreshInterval
  Type: REG_DWORD
  Value: 0x0 - 0xFFFFFFFF seconds default=0x15180 (86,400 seconds = 24 hours)
  
  This specifies the time interval between DNS dynamic update registration refreshes.
- The default TTL ( Time To Live ) value used for dynamic registrations is 20 minutes. To modify the refresh interval for all adapters, use the following hack :
  Hive: HKEY_LOCAL_MACHINE
  Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  Name: DefaultRegistrationTTL
  Type: REG_DWORD
  Value: 0x0 - 0xFFFFFFFF seconds default=0x4B0 (1,200 seconds = 20 minutes)
  
  DefaultRegistrationTTL specifies the default TTL value set in the header of outgoing DNS dynamic update registrations. The TTL value controls how long a packet that has not reached its destination can remain on the network before it is discarded. A small value for DefaultRegistrationTTL causes cached entries to expire sooner, which increases DNS traffic but decreases the risk of stale entries. Long retention times are useful for computers that renew their DHCP leases infrequently.
- MaxNumberOfAddressesToRegister controls the maximum number of IP addresses that can be registered in DNS for an adapter. Having multiple addresses on an adapter is common for web servers. By default, only the first IP address for an adapter is dynamically registered. To modify the number of IP addresses dynamically registered for an adapter, use the following registry hack :
  Hive: HKEY_LOCAL_MACHINE
  Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\interface-name\MaxNumberOfAddressesToRegister
  Name: MaxNumberOfAddressesToRegister
  Type: REG_DWORD
  Value: 0x0 - 0xFFFFFFFF default=0x1
  
  To prevent an address being registered for the adapter, set MaxNumberOfAddressesToRegister to 0.
- UpdateSecurityLevel determines whether the DNS client uses secure dynamic update or standard dynamic update. Under secure dynamic update, the authoritative name server accepts updates only from authorized clients and servers. Non-secure dynamic DNS registrations are used by default. To force secure registrations, use the following registry hack :
  Hive: HKEY_LOCAL_MACHINE
  Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  Name: UpdateSecurityLevel
  Type: REG_DWORD
  Value:
  0x0 Send secure dynamic updates only when non-secure dynamic updates are refused
  0x10 Send only non-secure dynamic updates
  0x100 Send only secure dynamic updates
- This registry hack is designed for zones that do NOT use secure dynamic update. It prevents unauthorized users from changing the IP address registration of a client computer. DisableReplaceAddressesInConflicts prevents a DNS client from overwriting an existing resource record when it discovers an address conflict during dynamic update. An address conflict occurs when the DNS client discovers that an existing A record associates its DNS name with the IP address of a different computer. By default, the DNS client tries to replace the original registration with a record associating the DNS name to its own IP address. However, you can use this registry hack to direct DNS back out of the registration process. An error in Event Viewer is not logged. :
  Hive: HKEY_LOCAL_MACHINE
  Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  Name: DisableReplaceAddressesInConflicts
  Type: REG_DWORD
  Value:
  0 The DNS client overwrites the existing hostname A record with an hostname A record for its own IP address.
  1 The DNS client backs out of the registration process. No error is written to the Event Viewer log.
Windows 2000 servers supporting W2K DNS server service
- The DNS Server service registers forward lookup ( hostname A ) records for all the adapters it is listening on if it is authoritative ( SOA ) for a given name. When a server running the DNS Service has multiple adapters, unwanted addresses can be published automatically. Common scenarios include disconnected or unused network adapters publishing AutoNet addresses and private or DMZ interfaces publishing unreachable addresses. If the Network Load Balancing (NLB) service is installed on a DNS server, both the virtual network adapter address and the dedicated network adapter address will be registered by the DNS Server service. The adapters on which the DNS server is listening on can be changed by using the DNS snap-in. In Server properties, click the Adapters tab. In circumstances in which the list of IP addresses the DNS server listens to and serves is different from the list of IP addresses published (registered by the DNS Server service), use the following registry hack :
  Hive: HKEY_LOCAL_MACHINE
  Key: SYSTEM\CurrentControlSet\Services\DNS\Parameters
  Name: PublishAddresses
  Type: REG_SZ
  
  This specifies the IP addresses you want to publish for the computer. The DNS server creates hostname A records only for the address in this list. If this entry does not appear in the registry, or if its value is blank, the DNS server creates an hostname A record for each of the computer's IP addresses. This entry is designed for computers with multiple IP addresses, when you prefer to publish only a subset of the available addresses. Typically, this is used to prevent the DNS server from returning a private network address in response to a query when the computer has a corporate network address. DNS reads its registry entries only when it starts. You can change entries while the DNS server is running by using the DNS console. If you change entries by editing the registry, the changes are not effective until you restart the DNS server service.
Windows 2000 domain controllers have Netlogon service
- To disable all registrations performed by Netlogon:
  
  Hive: HKEY_LOCAL_MACHINE
  Key: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  Name: UseDynamicDns
  Type: REG_DWORD
  Value:
  0 Netlogon does not use DNS dynamic updates. Records specified in the Netlogon.dns file must be registered manually in DNS
  1 Netlogon uses DNS dynamic updates to register the names identifying this domain controller
  
  You would consider disabling Netlogon's use of DNS dynamic updates if your DNS servers do not support DNS dynamic updates or to eliminate the network traffic associated with periodic registration of Net Logon's DNS records. This value is not effective unless you delete %SYSTEMROOT%\system32\config\netlogon.dnbyou and then restart the Netlogon service.
- Netlogon A registrations
  By default, Netlogon on a DC registers SRV, domain A, and GC ( Global Catalog ) A records every hour. SRV records are mapped to a FQDN and hostname A records are mapped to an IP address. Registration of domain A records for all adapters by Netlogon and subsequent re-registration every hour (by default) can be problematic if clients resolve the domain name to an unreachable IP address. The following registry key enables/disables the registration of hostname A records by Netlogon for a domain controller. The domain A records are not required by Windows 2000, but are registered for the benefit of LDAP implementations that do not support SRV records. Note that this registry key disables all hostname A record registrations performed by Netlogon, which includes the gc._msdcs.DnsForestName records. Registration of gc._msdcs.DnsForestName records is required and must be performed manually if the RegisterDnsARecords registry key is set to disabled.
  
  Hive: HKEY_LOCAL_MACHINE
  Key: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  Name: RegisterDnsARecords
  Type: REG_DWORD
  Value:
  
  0 Does not register DNS A records. LDAP implementations that do not support SRV records will not be able to locate the LDAP server on this domain controller.
  1 Registers DNS hostname A records
  
  You might consider setting this value to 0 if DNS does not complete its dynamic updates because it cannot update hostname A records. DNS stops updating when an update attempt does not succeed.
Windows 2000 workstation RAS clients
To configure individual RAS connection settings, use Advanced TCP/IP properties checkbox.
Windows 2000 servers supporting W2K DHCP server service
??

Keywords: Windows 2000 Registry Tip,