Restrict the DNS resource records that are updated by Netlogon
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The following procedure restricts the Domain Name System (DNS) resource records that the Net Logon service registers on behalf of an Active Directory domain controller; it applies to domain controllers only.
It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry, use extreme caution.
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as command to perform this procedure.
To restrict the DNS resource records that are updated by Netlogon
Open Registry Editor.
In Registry Editor, navigate to the following registry key:
Add the following multistring (REG_MULTI_SZ) value:
In this value, specify the list of data corresponding to the DNS resource records that should not be registered for this domain controller by the Net Logon service. The following table contains the list of data.
Data Value Resource Record Type DNS Resource Record
To open Registry Editor, click Start, click Run, type regedit, and then click OK.
Restarting the Net Logon service is not required for changes to this value to take effect. If the DnsAvoidRegisterRecords registry value is created or modified while the Net Logon service is stopped, or within the first 15 minutes after it is started, the corresponding DNS updates may take place after a short delay. However, the delay is no longer than 15 minutes after the Net Logon service starts.
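As an added example that is not part of the original article, the following PowerShell script applies the procedure above and then audits the result: it merges the chosen mnemonics into the REG_MULTI_SZ value, reads the value back, and reports whether this domain controller's own entries for the blocked records still answer in DNS (they should stop doing so once Netlogon's 15-minute window has passed). The registry key path is a placeholder to be filled in from step 2; the mnemonics in the script (LdapIpAddress, GcIpAddress, Ldap, Gc) and their mapping to record names are assumed here and should be confirmed against the article's table; Resolve-DnsName and Get-NetIPAddress assume a current Windows PowerShell with the DnsClient and NetTCPIP modules.

```powershell
# Added example, not from the original article. Assumes a current Windows PowerShell
# with the DnsClient and NetTCPIP modules; run it elevated on the domain controller.
# PLACEHOLDER: fill in the Netlogon Parameters key named in step 2 of the article.
$NetlogonParametersKey = 'HKLM:\<NETLOGON_PARAMETERS_KEY_FROM_STEP_2>'
$ValueName = 'DnsAvoidRegisterRecords'

function Set-DnsAvoidRegisterRecords {
    param([Parameter(Mandatory)][string[]] $Mnemonics, [string] $Key = $NetlogonParametersKey)
    # Merge with any existing list so re-running the script is additive, not destructive.
    $existing = @()
    $item = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
    if ($item) { $existing = @($item.$ValueName) }
    $merged = @(($existing + $Mnemonics) | Sort-Object -Unique)
    # REG_MULTI_SZ is written as PropertyType MultiString; -Force overwrites an existing value.
    New-ItemProperty -Path $Key -Name $ValueName -PropertyType MultiString -Value $merged -Force | Out-Null
    # Read back and fail loudly if any requested mnemonic did not persist.
    $readBack = @((Get-ItemProperty -Path $Key -Name $ValueName).$ValueName)
    $missing = @($Mnemonics | Where-Object { $readBack -notcontains $_ })
    if ($missing.Count) { throw "Value write did not persist for: $($missing -join ', ')" }
    return $readBack
}

function Test-DcRecordsStillRegistered {
    # Audit: the article says Netlogon applies the change within 15 minutes, so this DC's own
    # entries for the blocked records should disappear from DNS after that window.
    param([string] $DomainDnsName = $env:USERDNSDOMAIN, [string] $ForestDnsName = $env:USERDNSDOMAIN)
    $myFqdn = ([System.Net.Dns]::GetHostEntry('')).HostName
    $myIps  = @(Get-NetIPAddress -AddressFamily IPv4 | ForEach-Object IPAddress)
    # Mnemonic-to-record mapping is assumed here; confirm it against the article's table.
    $checks = @(
        @{ Mnemonic = 'LdapIpAddress'; Name = $DomainDnsName;                        Type = 'A'   }
        @{ Mnemonic = 'Ldap';          Name = "_ldap._tcp.$DomainDnsName";           Type = 'SRV' }
        @{ Mnemonic = 'GcIpAddress';   Name = "gc._msdcs.$ForestDnsName";            Type = 'A'   }
        @{ Mnemonic = 'Gc';            Name = "_ldap._tcp.gc._msdcs.$ForestDnsName"; Type = 'SRV' }
    )
    foreach ($c in $checks) {
        $answers = @(Resolve-DnsName -Name $c.Name -Type $c.Type -ErrorAction SilentlyContinue)
        # Only this DC's own entry matters: other DCs legitimately keep registering theirs.
        if ($c.Type -eq 'A') { $mine = $answers | Where-Object { $myIps -contains $_.IPAddress } }
        else                 { $mine = $answers | Where-Object { $_.NameTarget -ieq $myFqdn } }
        [pscustomobject]@{ Mnemonic = $c.Mnemonic; Record = $c.Name; StillPresent = [bool]$mine }
    }
}

# Usage: stop this DC from registering the domain/forest-wide A records and generic SRV records.
Set-DnsAvoidRegisterRecords -Mnemonics 'LdapIpAddress','GcIpAddress','Ldap','Gc'
Test-DcRecordsStillRegistered | Format-Table -AutoSize
```

Run the audit function again after the 15-minute window to confirm that StillPresent is False for every blocked mnemonic; a True result after that window means the value name or key path should be rechecked against the article.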