Solved

Impact of setting RegisterDNSARecords to 0 on AD domain controllers

Posted on 2011-03-04
13
Medium Priority
1,562 Views
Last Modified: 2012-05-11
Because we run our AD in our top-level domain (for certain reasons) and we are running BIND as our DNS, we have the problem of Windows domain controllers inserting A records directly against "domain.com".

Some research has indicated that one option is to set the registry value RegisterDNSARecords to 0 on all DCs to stop them registering A records against domain.com.

What I wanted to get some feel for is: what is the impact of removing these A records against the domain (both AD and internet top level)?

Will there be any service impact in our AD environment?

Experience, anyone?

0
Question by:router_doctor
13 Comments
 
LVL 12

Expert Comment

by:mlongoh
ID: 35040863
I guess I'm missing something. Why is it a problem to have each DC create an A record for itself in the domain that it exists in?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35040867
Yes, if the Domain Controllers don't have an A record then they will be able to be found. You should be running DNS within Windows on at least one Domain Controller; these records will then replicate to the BIND servers.
0
 
LVL 3

Author Comment

by:router_doctor
ID: 35040887
In our case this breaks http://domain.com, as it will resolve to the DCs that are in a private (10.x.x.x) subnet.

I know I can do things to work around this, but I am specifically after the answer to the above question.

0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35040920
So, you are saying that when you go to your domain in IE, for example, you get the DCs. What you would have to do is set up an IIS redirect on each DC to redirect any request for http://domain.com to the web server you want to handle this.

This is a common issue when you are running the same external and internal domain name.

http://technet.microsoft.com/en-us/library/cc755946(WS.10).aspx

IIS redirect steps:

http://oddjobsintech.com/active-directory-tip-access-external-website-with-the-same-domain-name-as-your-internal-domain/

You would need to set up a www record as well.

But to answer the above question: you can NOT remove the A record for Domain Controllers. That wouldn't fix your problem anyway, but would instead cause lots more.
0
 
LVL 3

Author Comment

by:router_doctor
ID: 35059351
I am not sure I am being clear.

I am NOT looking for a way of getting around the problem. I know about IIS redirection and split DNS. Neither of these is a viable option, for reasons I won't go into here.

What I am specifically looking for an answer on is: what is the service impact of having DCs not register A records against the domain name when setting RegisterDNSARecords=0?

To add some more information: I did some testing over the weekend. I removed the A records for the domain (set RegisterDNSARecords=0) and restarted all the DCs and clients. Testing indicated that basic functionality was still operating (find shares, open shares, group policy, etc.). Because I don't know what other problems might be lurking, I have restored the existing behaviour until such time as I am certain of the impact.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35059391
If the DCs are not updating their A records you will start seeing DNS and/or AD replication errors.
0
 
LVL 3

Author Comment

by:router_doctor
ID: 35059470
Not sure why we would see DNS errors since AD should be using the following domains to find other DCs and services.

_msdcs.domain.com
_tcp.domain.com
_sites.domain.com
_udp.domain.com
DomainDnsZones.domain.com
ForestDnsZones.domain.com

These are still going to be resolvable without the need for any A records against the domain name.

As for AD replication, that too should continue to work by getting the required information from the above records.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35059523
If you look, those records don't pertain to an IP address; these records all go to the A record for the IP address.
0
 
LVL 3

Author Comment

by:router_doctor
ID: 35059613
These are subdomains that hold all the AD information. Inside these subdomains you will find SRV records pointing to the domain controllers for a particular service.

The domain controller(s) A records are fine; we're not talking about stopping DCs from registering A records for themselves:

i.e.:    dc1.domain.com.   IN   A   10.x.y.z

We are talking about stopping this:

domain.com.   IN   A  10.a.b.c
domain.com.   IN   A  10.x.y.z

And removing the above will not prevent AD from resolving any SRV records, as indicated before.

Note: I think you might be confusing A records pointing to the domain controllers with A records pointing to the domain.

0
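The distinction the author draws above (per-DC A records and the SRV records under _msdcs, _tcp and _sites stay; only the apex domain.com. A records go away) can be checked mechanically against a zone export. The following is an added example, not code from the thread or from any of its posters: a small Python audit over a constructed BIND-style zone snippet with hypothetical host names and addresses. It flags apex A records that point into RFC 1918 space (the ones that make http://domain.com resolve to unreachable DC addresses) and verifies that every DC-locator SRV target still has an A record once those apex records are stripped, which simulates what RegisterDNSARecords=0 removes.

```python
import ipaddress
from collections import defaultdict

# Constructed sample zone snippet (hypothetical host names and addresses), written
# with fully qualified owner names so the parser below can stay small.
ZONE_BEFORE = """\
; apex A records that the DCs register when RegisterDNSARecords is left at 1
domain.com.                          IN A    10.1.1.10
domain.com.                          IN A    10.1.1.11
; public web host
www.domain.com.                      IN A    203.0.113.5
; per-DC A records (kept in both scenarios)
dc1.domain.com.                      IN A    10.1.1.10
dc2.domain.com.                      IN A    10.1.1.11
; DC-locator SRV records under _msdcs / _tcp / _sites
_ldap._tcp.dc._msdcs.domain.com.     IN SRV  0 100 389  dc1.domain.com.
_ldap._tcp.dc._msdcs.domain.com.     IN SRV  0 100 389  dc2.domain.com.
_kerberos._tcp.dc._msdcs.domain.com. IN SRV  0 100 88   dc1.domain.com.
_ldap._tcp.Default-First-Site-Name._sites.domain.com. IN SRV 0 100 389 dc2.domain.com.
_gc._tcp.domain.com.                 IN SRV  0 100 3268 dc1.domain.com.
"""


def parse_zone(text):
    """Return ({owner: {ip, ...}} for A records,
               {owner: [(prio, weight, port, target), ...]} for SRV records)."""
    a_records = defaultdict(set)
    srv_records = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if "IN" not in tokens:
            continue
        i = tokens.index("IN")
        owner, rtype, rdata = tokens[0].lower(), tokens[i + 1].upper(), tokens[i + 2:]
        if rtype == "A" and len(rdata) == 1:
            a_records[owner].add(rdata[0])
        elif rtype == "SRV" and len(rdata) == 4:
            prio, weight, port, target = rdata
            srv_records[owner].append((int(prio), int(weight), int(port), target.lower()))
    return dict(a_records), dict(srv_records)


def apex_private_a_records(a_records, apex):
    """Apex A records pointing at private address space: these are what make
    http://domain.com resolve to DC addresses that outside clients cannot reach."""
    return sorted(ip for ip in a_records.get(apex.lower(), set())
                  if ipaddress.ip_address(ip).is_private)


def unresolved_srv_targets(a_records, srv_records):
    """SRV records whose target host has no A record in the zone; a DC locator
    following such a record would have nowhere to go."""
    missing = []
    for owner, entries in srv_records.items():
        for _prio, _weight, _port, target in entries:
            if target not in a_records:
                missing.append((owner, target))
    return sorted(missing)


def strip_apex_a(text, apex):
    """Simulate RegisterDNSARecords=0 by removing only the apex A records and
    leaving the per-DC A records and every SRV record untouched."""
    kept = []
    for raw in text.splitlines():
        tokens = raw.split(";", 1)[0].split()
        if (len(tokens) >= 3 and tokens[0].lower() == apex.lower() and "IN" in tokens
                and tokens[tokens.index("IN") + 1].upper() == "A"):
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


def audit(text, apex="domain.com."):
    """Run both checks over a zone text and return the findings."""
    a_records, srv_records = parse_zone(text)
    return {
        "apex_private": apex_private_a_records(a_records, apex),
        "unresolved_srv": unresolved_srv_targets(a_records, srv_records),
    }


if __name__ == "__main__":
    print("before:", audit(ZONE_BEFORE))
    print("after: ", audit(strip_apex_a(ZONE_BEFORE, "domain.com.")))
```

Run against a real export (for example the output of a zone transfer from the BIND master, or the zone file itself), the "before" audit lists the apex addresses the DCs registered, and the "after" audit stays empty for unresolved SRV targets as long as the per-DC A records are present, which is exactly the condition the author relies on.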
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35060919
0
 
LVL 3

Author Comment

by:router_doctor
ID: 35063309
We are setting the A records for the DCs manually, so all I am worried about is removing the domain.com A records.

This reference in the document you sent seems to indicate little impact: "Lightweight Directory Access Protocol (LDAP) implementations that do not support SRV records will not be able to locate the LDAP server on this domain controller."

That implies that if you are using a non-AD LDAP service then you might have problems. We are of course using AD's built-in LDAP support.
0
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 1500 total points
ID: 35069416
If you are manually adding the A record and you don't have DNS Scavenging turned on, then you should be ok.

DNS stops updating when an update attempt fails.
0
 
LVL 3

Author Closing Comment

by:router_doctor
ID: 35111927
Not a complete answer to what I was wanting, but you did point out some information.
0
