For more information, see How to back up and restore the registry in Windows. This section describes how to enable and disable the following lookup registrations: To disable both forward (A) resource record and reverse (PTR) resource record registrations that are performed for all adapters by the DHCP Client service, use the following registry subkey: If the check box was checked before the policy was enabled, it remains checked after the policy is enabled.
The registry setting made by the policy is a global setting that affects all interfaces, not an adapter-specific setting. This key disables DNS update registration for all adapters on this computer.
With DNS update, DNS client computers automatically register and update their resource records whenever address changes occur. To disable DNS update for a particular adapter, add the DisableDynamicUpdate value to an interface name registry subkey and set its value to 1. To disable DNS updates on all adapters in a computer, add the DisableDynamicUpdate value to the following subkey, and then set its value to … When this registry value is set to 1, the "Register this connection's addresses in DNS" check box does not reflect the change made to this registry key.
If the check box was selected before the registry change, it will stay selected after this registry change. This registry setting is not an adapter-specific setting, but a global setting that affects all interfaces.
This global setting is not revealed in the user interface. Windows doesn't add this entry to the registry. You can add it by editing the registry or by using a program that edits the registry. When you want forward lookup (A) resource record registrations but not reverse lookup (PTR) resource record registrations, use the following registry subkey to disable registrations of PTR resource records:
PTR resource records associate an IP address with a computer name. This entry is designed for enterprises where the primary DNS server that is authoritative for the reverse lookup zone can't, or is configured not to, perform DNS updates. It reduces unnecessary network traffic and prevents event log errors that record unsuccessful tries to register PTR resource records.
Windows does not add this entry to the registry. Each computer has a primary DNS suffix. Additionally, each adapter can have its own separate, connection-specific DNS suffix. This entry disables DNS update registration on the adapter. For DNS updates to operate on any adapter, they must be enabled both at the system level and at the adapter level.
To disable DNS updates for a particular adapter, add the DisableDynamicUpdate value to an interface name registry subkey, and then set its value to 1. To disable DNS updates on all adapters in a computer, add the DisableDynamicUpdate value to the following registry subkey, and then set its value to … By default, DNS records are re-registered dynamically and periodically every 24 hours.
You can use the following registry subkey to modify the update interval: This value specifies the time interval between periodic DNS update registrations. To make a change to this value effective, you must restart Windows. You can use the following registry subkey to modify the TTL value:
By default, only the first IP address is dynamically registered. You can use the following registry subkey to modify the number of IP addresses that are dynamically registered for an adapter that is configured with more than one IP address, or that is logically multihomed: This setting determines the maximum number of IP addresses that can be registered in DNS for this adapter. By default, non-secure DNS registrations are tried first. You can use the following registry subkey to modify this behavior:
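The per-adapter and global DisableDynamicUpdate entries described above combine: an adapter registers only when neither level disables it. The following PowerShell is an added example (not code from the article or from Microsoft) that audits that combined state and toggles the entry. Only the value name DisableDynamicUpdate comes from the article; the two key paths are placeholders that must be replaced with the subkeys the article names, and the per-adapter layout (one subkey per interface under an Interfaces subkey) is an assumption.

```powershell
# Added example (not from the article): audit and toggle the DisableDynamicUpdate
# entry. Only the value name comes from the article; the key paths are placeholders.
$TcpipParamsKey = 'HKLM:\SYSTEM\<TCPIP-PARAMETERS-SUBKEY-FROM-ARTICLE>'   # placeholder
$InterfacesKey  = "$TcpipParamsKey\Interfaces"                             # placeholder (assumed per-adapter layout)

function Get-RegDword {
    # Returns the DWORD value, or $null when the entry is absent. Windows does not
    # create these entries by default, so absence means "updates enabled".
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return [int]$item.$Name
    } catch {
        return $null
    }
}

function Get-DynamicUpdateState {
    # Effective state per adapter: updates run only when the entry is not set to 1
    # at the system level AND not set to 1 at the adapter level.
    $globalDisabled = (Get-RegDword -Path $TcpipParamsKey -Name 'DisableDynamicUpdate') -eq 1
    foreach ($iface in Get-ChildItem -Path $InterfacesKey -ErrorAction SilentlyContinue) {
        $adapterDisabled = (Get-RegDword -Path $iface.PSPath -Name 'DisableDynamicUpdate') -eq 1
        [pscustomobject]@{
            Interface        = $iface.PSChildName
            GlobalDisabled   = $globalDisabled
            AdapterDisabled  = $adapterDisabled
            UpdatesEffective = -not ($globalDisabled -or $adapterDisabled)
        }
    }
}

function Set-DynamicUpdate {
    # $Disable = $true writes DisableDynamicUpdate=1 under $KeyPath; $false removes
    # the entry, which restores the default (enabled). Needs an elevated shell.
    param(
        [Parameter(Mandatory)][string]$KeyPath,
        [Parameter(Mandatory)][bool]$Disable
    )
    if (-not (Test-Path -Path $KeyPath)) { throw "Registry key not found: $KeyPath" }
    if ($Disable) {
        New-ItemProperty -Path $KeyPath -Name 'DisableDynamicUpdate' -PropertyType DWord -Value 1 -Force | Out-Null
    } else {
        Remove-ItemProperty -Path $KeyPath -Name 'DisableDynamicUpdate' -ErrorAction SilentlyContinue
    }
}

# Usage: report the effective state for every adapter subkey.
Get-DynamicUpdateState | Format-Table -AutoSize
```

Because the global entry overrides every adapter, an audit that reads only the interface subkeys would report an adapter as registering when it is not; the UpdatesEffective column is the value to alert on.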
This determines whether the DNS client uses secure dynamic update or standard dynamic update. Windows supports both dynamic updates and secure dynamic updates. With secure dynamic updates, the authoritative name server accepts updates only from authorized clients and servers. This prevents the DNS client from overwriting an existing resource record when it discovers an address conflict during dynamic update.
However, you can use this entry to direct the DNS client to back out of the registration process. No error is logged in Event Viewer. This entry is designed for zones that don't use secure dynamic update. It prevents unauthorized users from changing the IP address registration of a client computer. The DNS Server service registers host name (A) resource records for all the adapters that the service is listening on if the service is authoritative (SOA) for a particular name.
When a server that is running the DNS Server service has multiple adapters, unwanted addresses can be published automatically. Common scenarios include disconnected or unused network adapters that publish AutoNet addresses, and private or perimeter network (DMZ) interfaces that publish unreachable addresses.
If the Network Load Balancing service is installed on a DNS server, both the virtual network adapter address and the dedicated network adapter address will be registered by the DNS Server service. In Server properties, click the Adapters tab.
If the list of IP addresses that the DNS server listens to and serves is different from the list of IP addresses that is published or registered by the DNS Server service, use the following registry subkey: This value specifies the IP addresses that you want to publish for the computer. The DNS server creates A resource records only for the addresses in this list. If this entry doesn't appear in the registry, or if its value is blank, the DNS server creates an A resource record for each of the computer's IP addresses.
This entry is designed for computers that have multiple IP addresses. With this entry, you can publish only a subset of the available addresses. Typically, this entry is used to prevent the DNS server from returning a private network address in response to a query when the computer has a corporate network address.
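Choosing the subset to publish is the part of this entry that takes thought on a multihomed server. The PowerShell below is an added example, not code from the article or from Microsoft: it takes a server's IPv4 addresses, always drops the AutoNet range (169.254.0.0/16) that disconnected adapters pick up, and, when you pass the prefixes of your corporate network, keeps only addresses inside them so that DMZ or private-side addresses never reach the published list. The sample addresses and the prefix 10.0.0.0/8 are constructed; on a live server the input would come from (Get-NetIPAddress -AddressFamily IPv4).IPAddress.

```powershell
# Added example (not from the article): build the list of addresses worth publishing
# from a multihomed DNS server's addresses. Sample inputs below are constructed.
function ConvertTo-UInt32 {
    param([Parameter(Mandatory)][ipaddress]$Address)
    $bytes = $Address.GetAddressBytes()                       # network byte order
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($bytes) }
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InCidr {
    # True when $Address lies inside the IPv4 prefix given as 'a.b.c.d/n'.
    param([Parameter(Mandatory)][ipaddress]$Address, [Parameter(Mandatory)][string]$Cidr)
    $net, $bits = $Cidr -split '/'
    $bits = [int]$bits
    # Mask with the top $bits bits set; exact in double arithmetic for 0..32.
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $bits))
    ((ConvertTo-UInt32 $Address) -band $mask) -eq ((ConvertTo-UInt32 ([ipaddress]$net)) -band $mask)
}

function Get-PublishCandidates {
    param(
        [Parameter(Mandatory)][string[]]$Addresses,
        [string[]]$CorporatePrefixes = @()    # optional allow-list of CIDR prefixes
    )
    foreach ($addr in $Addresses) {
        $ip = [ipaddress]$addr
        if ($ip.AddressFamily -ne 'InterNetwork') { continue }          # IPv4 only in this example
        if (Test-InCidr -Address $ip -Cidr '169.254.0.0/16') { continue } # AutoNet: never publish
        if ($CorporatePrefixes.Count -gt 0) {
            $inCorp = $false
            foreach ($p in $CorporatePrefixes) {
                if (Test-InCidr -Address $ip -Cidr $p) { $inCorp = $true; break }
            }
            if (-not $inCorp) { continue }                             # DMZ/private side: skip
        }
        $addr
    }
}

# Constructed sample: a corporate address, an AutoNet address on an unplugged
# adapter, and a perimeter-side address.
$sample = @('10.20.30.40', '169.254.17.9', '192.0.2.15')
Get-PublishCandidates -Addresses $sample
Get-PublishCandidates -Addresses $sample -CorporatePrefixes @('10.0.0.0/8')
```

The first call removes only the AutoNet address; the second keeps only the 10/8 address. Whatever the function returns is what you would put in the publish-address entry, in the format that entry expects, rather than relying on the default of publishing every address.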
DNS reads its registry entries only when it starts. Active Directory replicates on a per-property basis and propagates only relevant changes. The DNS Server service can scan for and remove records that are no longer required. When you enable this feature, you prevent outdated records from remaining in DNS. You can configure Active Directory-integrated zones for secure dynamic updates so that only authorized users can make changes to a zone or to a record. By default, all computers register records based on the full computer name.
The primary full computer name is a fully qualified domain name (FQDN). Specifically, the primary full computer name is the computer name with the computer's primary DNS suffix appended to it.
This includes connections that are not configured to use DHCP. By default, Windows registers A and PTR resource records every 24 hours regardless of the computer's role. Dynamic updates are typically requested when either a DNS name or an IP address changes on the computer. For example, a client named "oldhost" is first configured in system properties to have the following names: Computer name: oldhost DNS domain name of computer: example.
In this example, no connection-specific DNS domain names are configured for the computer. If you rename the computer from "oldhost" to "newhost", the following name changes occur: Computer name: newhost DNS domain name of computer: example. After the name change is applied in System Properties, Windows prompts you to restart the computer. The client computer uses the currently configured FQDN of the computer, such as "newhost. For standard primary zones, the primary server, or owner, that is returned in the SOA query response is fixed and static.
The primary server name always matches the exact DNS name as that name is displayed in the SOA resource record that is stored with the zone. However, if the zone that is being updated is directory-integrated, any DNS server that is loading the zone can respond and dynamically insert its own name as the primary server of the zone in the SOA query response.
The client processes the SOA query response for its name to determine the IP address of the DNS server that is authorized as the primary server for accepting its name.
If it is required, the client performs the following steps to contact and dynamically update its primary server: The client sends a dynamic update request to the primary server that is determined in the SOA query response. If this update fails, the client next sends an NS-type query for the zone name that is specified in the SOA record.
When the client receives a response to this query, the client sends an SOA query to the first DNS server that is listed in the response.
After the SOA query is resolved, the client sends a dynamic update to the server that is specified in the returned SOA record. If this update fails, the client repeats the SOA query process by sending to the next DNS server that is listed in the response.
After the primary server that can perform the update is contacted, the client sends the update request, and the server processes it. The contents of the update request include instructions to add A, and possibly PTR, resource records for "newhost. The server also checks to make sure that updates are permitted for the client request.
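The sequence above (SOA query for the client's own name, update to the named primary, then an NS query for the zone and an SOA query against each listed server in turn until one accepts) is easier to reason about when it is written out as code. The PowerShell below is an added example, not code from the article or from Microsoft. The resolver and the update call are injected as script blocks so the sequence runs offline against constructed data; in production they would wrap real queries (for example Resolve-DnsName) and a real dynamic-update client. The zone corp.example and the servers dns1, dns2 and dns3 are constructed; the mock models the directory-integrated case described above, where the server answering the SOA query inserts its own name as primary.

```powershell
# Added example (not from the article): the client's primary-server discovery and
# fallback sequence, with DNS and the update call injected so it runs offline.
function Invoke-DynamicUpdateSequence {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [Parameter(Mandatory)][scriptblock]$QuerySoa,    # param($name, $server) -> object with Zone, Primary; or $null
        [Parameter(Mandatory)][scriptblock]$QueryNs,     # param($zone)          -> string[] of name servers
        [Parameter(Mandatory)][scriptblock]$SendUpdate   # param($server, $fqdn) -> $true if the update was accepted
    )
    $trace = New-Object 'System.Collections.Generic.List[string]'
    function New-Result($ok, $server) {
        [pscustomobject]@{ Success = $ok; Server = $server; Trace = $trace.ToArray() }
    }

    # 1. SOA query for the client's own name; the answer names the zone's primary server.
    $soa = & $QuerySoa $Fqdn $null
    if (-not $soa) { $trace.Add("no SOA answer for $Fqdn"); return New-Result $false $null }
    $trace.Add("SOA for $Fqdn -> zone $($soa.Zone), primary $($soa.Primary)")

    # 2. Send the dynamic update to that primary.
    if (& $SendUpdate $soa.Primary $Fqdn) {
        $trace.Add("update accepted by $($soa.Primary)"); return New-Result $true $soa.Primary
    }
    $trace.Add("update refused by $($soa.Primary)")

    # 3. NS query for the zone, then an SOA query against each listed server in turn.
    #    A directory-integrated server may answer with its own name as primary.
    foreach ($ns in (& $QueryNs $soa.Zone)) {
        $alt = & $QuerySoa $Fqdn $ns
        if (-not $alt) { $trace.Add("no SOA answer from $ns"); continue }
        $trace.Add("SOA via $ns -> primary $($alt.Primary)")
        if (& $SendUpdate $alt.Primary $Fqdn) {
            $trace.Add("update accepted by $($alt.Primary)"); return New-Result $true $alt.Primary
        }
        $trace.Add("update refused by $($alt.Primary)")
    }
    return New-Result $false $null
}

# Constructed directory-integrated zone: dns1 is named as primary but refuses the
# update; dns2 answers the SOA query with its own name and accepts.
$zone      = 'corp.example'
$accepting = @('dns2.corp.example')
$soaMock = {
    param($name, $server)
    if ($name -notlike "*.$zone") { return $null }
    $primary = if ($server) { $server } else { 'dns1.corp.example' }
    [pscustomobject]@{ Zone = $zone; Primary = $primary }
}
$nsMock     = { param($z) if ($z -eq $zone) { @('dns2.corp.example', 'dns3.corp.example') } else { @() } }
$updateMock = { param($server, $fqdn) $accepting -contains $server }

$r = Invoke-DynamicUpdateSequence -Fqdn 'newhost.corp.example' -QuerySoa $soaMock -QueryNs $nsMock -SendUpdate $updateMock
$r.Trace
"Success=$($r.Success) Server=$($r.Server)"
```

The trace is the useful part when troubleshooting a client that never lands its record: it shows which server was asked, which refused, and whether the NS fallback ever produced a different primary. If every listed server is only the static primary of a standard primary zone, the fallback retries the same refusing server and the sequence ends in failure, which matches the fixed-owner behaviour described above.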
For standard primary zones, dynamic updates are not secured. Any client attempt to update succeeds. For Active Directory-integrated zones, updates are secured and performed using directory-based security settings. Dynamic updates are sent or refreshed periodically. By default, computers send an update every twenty-four hours.
If the update causes no changes to zone data, the zone remains at its current version, and no changes are written. Updates that cause actual zone changes or increased zone transfers occur only if names or addresses actually change. Names are not removed from DNS zones if they become inactive or if they are not updated within the update interval of twenty-four hours.
DNS does not use a mechanism to release or to tombstone names, although DNS clients do try to delete or to update old name records when a new name or address change is applied. This value determines how long other DNS servers and clients cache a computer's records when they are included in a query response.
Scope clients can use the DNS dynamic update protocol to update their host name-to-address mapping information whenever changes occur to their DHCP-assigned address. This mapping information is stored in zones on the DNS server. This enables the client to notify the DHCP server as to the service level it requires. In this case, the option is processed and interpreted by Windows Server-based DHCP servers to determine how the server initiates updates on behalf of the client.
This is the default configuration for Windows. To configure the DHCP server to register client information according to the client's request, follow these steps: By default, updates are always performed for newly installed Windows Server-based DHCP servers and any new scopes that you create for them.
The following examples show how this process varies in different cases. For these DHCP clients, updates are typically handled in the following manner: After you integrate a zone, you can use the access control list (ACL) editing features that are available in the DNS snap-in to add users or groups to, or remove them from, the ACL for a specific zone or for a resource record. For more information, search for the "To modify security for a resource record" topic or the "To modify security for a directory integrated zone" topic in Windows Server Help.
By default, dynamic update security for Windows Server DNS servers and clients is handled in the following manner: Windows Server-based DNS clients try to use nonsecure dynamic updates first.
If the nonsecure update is refused, clients try to use a secure update. Also, clients use a default update policy that lets them try to overwrite a previously registered resource record, unless they are specifically blocked by update security. By default, when you use standard zone storage, the DNS Server service does not enable dynamic updates on its zones. For zones that are either directory-integrated or use standard file-based storage, you can change the zone to enable all dynamic updates.
This enables all updates to be accepted, bypassing the use of secure updates. The secure dynamic update functionality can be compromised if the following conditions are true: For more information, see the "Security considerations when you use the DnsUpdateProxy group" section. The secure dynamic update functionality is supported only for Active Directory-integrated zones.
If you configure a different zone type, change the zone type, and then integrate the zone before you secure it for DNS updates. If you use secure dynamic updates in this configuration with Windows Server-based DNS servers, resource records may become stale.
In some circumstances, this scenario may cause problems. For example, if DHCP1 fails and a second backup DHCP server comes online, the backup server cannot update the client name because the server is not the owner of the name. In another example, assume that the DHCP server performs dynamic updates for legacy clients.