How can I prevent my branch office domain controllers (DCs) from registering generic DNS service records?
August 17, 2005
A. By default, DCs publish service DNS records in a generic portion of the DNS namespace and a site-specific portion of the namespace. If a client can't find a DC in its local site DNS space (maybe the local DC is offline), the client will query the generic portion of the DNS namespace. In a default configuration, the client will just as likely be returned a DC in another branch office instead of one in a hub or central location, and that isn't a desirable situation. To ensure that clients without a local DC available are returned only records from the central locations, you need to configure DCs in branch offices to register only site-specific DNS service records. To perform this change, you need to edit the Group Policy for the Default Domain Controllers and enable the “DC Locator DNS records not registered by the DCs” option (which is found in the Computer Configuration, Administrative Templates, System, Net Logon, DC Locator DNS Records) and set it to the following:
LdapIpAddress Ldap Gc GcIPAddress Kdc Dc DcByGuid Rfc1510Kdc Rfc1510Kpwd Rfc1510UdpKdc Rfc1510UdpKpwd GenericGc
These settings are explained fully in the "Windows Server 2003 Active Directory Branch Office Guide," but essentially, they stop DCs from registering any non-site-specific entries. The problem is that configuring these settings through the Default Domain Controllers policy makes the change for all DCs, so contrary to what the Microsoft document says, I prefer to change the settings on individual DCs via the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DnsAvoidRegisterRecords registry value. You can set it to the same list of mnemonics that enabling the "DC Locator DNS records not registered by the DCs" Group Policy option sets. After this change is applied, the generic portions of the DNS namespace (e.g., _ldap._tcp. ) should contain service records only for DCs that didn't receive the registry change.
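The following PowerShell script is an added example, not part of the original answer or of any Microsoft document. It applies the exact mnemonic list given above to the per-DC DnsAvoidRegisterRecords value on one branch-office DC, triggers a re-registration pass, and then checks which DCs still appear in the generic _ldap._tcp SRV set versus the branch's own site-specific set. It assumes it is run elevated on the branch DC, that the Group Policy option is not enabled (the policy would otherwise apply to every DC, which is the problem the answer describes), and that the domain name is the placeholder corp.example.com. Resolve-DnsName (DnsClient module) and the .NET ActiveDirectorySite class are used for the verification; nltest /dsregdns is the standard way to force Netlogon to refresh its records.

```powershell
# Added example: per-DC equivalent of the "DC Locator DNS records not registered
# by the DCs" policy, applied via the Netlogon DnsAvoidRegisterRecords value.
# Placeholder domain name; substitute the AD DNS domain of the branch DC.
$DomainDnsName = 'corp.example.com'

# The mnemonic list from the answer. Only non-site records are listed; the
# *AtSite mnemonics are deliberately absent so site-specific records stay registered.
$AvoidRecords = @(
    'LdapIpAddress', 'Ldap', 'Gc', 'GcIPAddress', 'Kdc', 'Dc', 'DcByGuid',
    'Rfc1510Kdc', 'Rfc1510Kpwd', 'Rfc1510UdpKdc', 'Rfc1510UdpKpwd', 'GenericGc'
)

$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Set-BranchDcAvoidRecords {
    param([string[]]$Mnemonics)
    # DnsAvoidRegisterRecords is a REG_MULTI_SZ: one mnemonic per string.
    # -Force overwrites any existing value so re-running the script is safe.
    New-ItemProperty -Path $NetlogonParams -Name 'DnsAvoidRegisterRecords' `
        -PropertyType MultiString -Value $Mnemonics -Force | Out-Null

    # Ask Netlogon to redo its DNS registration now rather than waiting for
    # its periodic refresh; the avoided records are dropped on this pass.
    & nltest.exe /dsregdns | Out-Null
}

function Get-SrvTargets {
    param([string]$RecordName)
    # Returns the host names behind an SRV name, or an empty list if none exist.
    try {
        Resolve-DnsName -Name $RecordName -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object { $_.NameTarget.ToLower() } |
            Sort-Object -Unique
    } catch {
        @()
    }
}

function Test-BranchDcRegistration {
    param([string]$Domain)
    # The site this DC belongs to, straight from the DC locator.
    $site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
    $me   = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName).ToLower()

    $generic  = Get-SrvTargets -RecordName "_ldap._tcp.$Domain"
    $siteOnly = Get-SrvTargets -RecordName "_ldap._tcp.$site._sites.$Domain"

    [pscustomobject]@{
        ThisDc              = $me
        Site                = $site
        InGenericSet        = ($generic  -contains $me)   # expected: False after the change
        InSiteSpecificSet   = ($siteOnly -contains $me)   # expected: True
        GenericSetMembers   = $generic                    # should be hub DCs only
    }
}

Set-BranchDcAvoidRecords -Mnemonics $AvoidRecords
# Give DNS a moment to accept the update before checking.
Start-Sleep -Seconds 15
Test-BranchDcRegistration -Domain $DomainDnsName | Format-List
```

If InGenericSet is still True a few minutes later, the old generic records were not cleaned up; check them in the DNS console under the domain zone's _tcp folder, and remember that other branch DCs that have not received the registry change will continue to appear in GenericSetMembers until each one is configured.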