Name Resolution in Active Directory
Every Windows 2000–based domain controller registers two types of names at startup:
When a user starts a computer and logs on to a domain, the computer must do one of two things:
After the computer has found a domain controller, the information is cached so that a new query is not required for subsequent logon sessions.
Active Directory supports dynamic registration of domain controller addresses in DNS. After Active Directory has been installed during domain controller creation, the Net Logon service dynamically creates the records in the DNS database that are used to locate the server. Dynamic update, described in Request for Comments (RFC) 2136, is a recent addition to the DNS standard; it defines a protocol for dynamically updating a DNS server with new or changed resource record values. Before this protocol existed, administrators had to create the records stored on DNS servers manually. The DNS server implementation included with Windows 2000 supports dynamic updates, as does the Berkeley Internet Name Domain (BIND) version 8.x implementation of DNS. (For more information about BIND DNS, see "Windows 2000 DNS" in the TCP/IP Core Networking Guide.)
Every Windows 2000–based domain controller dynamically registers service records (SRV records) in DNS, which allow servers to be located by service type (for example, LDAP) and protocol (for example, Transmission Control Protocol [TCP]). Because domain controllers are LDAP servers that communicate over TCP, SRV records can be used to find the DNS computer names of domain controllers. In addition to registering LDAP-specific SRV records, Net Logon also registers Kerberos v5 authentication protocol–specific SRV records to enable locating servers that run the Kerberos Key Distribution Center (KDC) service. (For more information about the Kerberos v5 authentication protocol and the KDC, see "Authentication" in this book.)
Every Windows 2000–based domain controller also dynamically registers a single host resource record (an A resource record), which contains the name of the domain (DnsDomainName) where the domain controller is and the IP address of the domain controller. The A resource record makes it possible for clients that do not recognize SRV records to locate a domain controller by means of a generic host lookup.
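The following PowerShell script is an added example, not part of the Resource Kit text, showing how a DNS-aware client locates domain controllers from the SRV and A records that Net Logon registers, and how the records can be checked from an administrator's workstation. The query names `_ldap._tcp.dc._msdcs.<domain>` and `_kerberos._tcp.dc._msdcs.<domain>` follow the Windows DC locator convention and are assumed here rather than taken from this page; the ordering of results by priority and weight follows the general SRV rules of RFC 2782. `$DnsDomainName` defaults to the logged-on user's domain and is a placeholder for the domain you want to inspect.

```powershell
# Added example (not from the Resource Kit): locate domain controllers via the
# service- and protocol-specific SRV records that Net Logon registers, then
# resolve each target with the generic host (A record) lookup.
# Assumption: the _<service>._tcp.dc._msdcs.<domain> names are the Windows DC
# locator convention; they are not printed on the page this example accompanies.
param(
    [string]$DnsDomainName = $env:USERDNSDOMAIN   # placeholder: your AD DNS domain name
)

function Get-DomainControllerBySrv {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [ValidateSet('ldap', 'kerberos')][string]$Service = 'ldap'
    )

    # SRV name encodes the service (LDAP or Kerberos KDC) and the protocol (TCP).
    $srvName = "_$Service._tcp.dc._msdcs.$Domain"
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }

    # RFC 2782 ordering: lowest priority first; within one priority, higher weight is preferred.
    $srv |
        Sort-Object -Property @{ Expression = 'Priority' },
                              @{ Expression = 'Weight'; Descending = $true } |
        ForEach-Object {
            # The A record of the target host is what a client without SRV support would use.
            $a = Resolve-DnsName -Name $_.NameTarget -Type A -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'A' } |
                 Select-Object -ExpandProperty IPAddress
            [pscustomobject]@{
                Service  = $Service
                Target   = $_.NameTarget
                Port     = $_.Port
                Priority = $_.Priority
                Weight   = $_.Weight
                IPv4     = ($a -join ',')
            }
        }
}

function Get-DomainNameARecords {
    # The A records that Net Logon registers for the domain name itself (DnsDomainName -> DC IP).
    param([Parameter(Mandatory)][string]$Domain)
    Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress
}

Get-DomainControllerBySrv -Domain $DnsDomainName -Service ldap     | Format-Table -AutoSize
Get-DomainControllerBySrv -Domain $DnsDomainName -Service kerberos | Format-Table -AutoSize
"A records registered for $DnsDomainName : $((Get-DomainNameARecords -Domain $DnsDomainName) -join ', ')"
```

Comparing the two views is a useful health check: every address returned by the SRV lookup should belong to a domain controller, and every address returned by the A lookup for the domain name should appear among those SRV targets. An address that appears only in the A records is either a stale registration or a non-DC host that registered the domain name, which is the collision the next section discusses.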
You can disable the Net Logon registration of an A resource record that maps the Active Directory domain name to the IP address of the domain controller. For example, if a Web server registers the same name as the name of an Active Directory domain, you do not want non-Web servers to register A resource records for this name. Otherwise, if a Web browser located the domain controller instead of the Web server, the browser would report that the site it was looking for could not be found. In another example, if a mail server is not enabled to do mail exchanger (MX) resource record lookup and therefore relies on A resource records for DNS lookup, the names used for mail servers must not be identical to names used by other services, such as Active Directory.
To disable Net Logon registration of the A record for a domain controller
In the Value Name box, type DnsRegisterARecords.
In the Data Type drop-down list box, click REG_DWORD, and then click OK.
In the DWORD Editor dialog box, type 0 in the Data box, and then click OK.
– Or –
Click DWORD Value.
Type DnsRegisterARecords for the value name. A value of 0 is assigned automatically.
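The following PowerShell script is an added example, not part of the Resource Kit procedure, that makes the same registry change from the command line and then checks the result. It assumes the Net Logon parameters live under `HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters`, the standard location for this value, which the page itself does not print; the A-record check uses the logged-on user's domain (`$env:USERDNSDOMAIN`) as a placeholder. Run it on the domain controller in an elevated session.

```powershell
# Added example (not from the Resource Kit): set DnsRegisterARecords = 0 (REG_DWORD)
# so that this domain controller stops registering the <DnsDomainName> A record,
# then verify the setting and the DNS view.
# Assumption: the key path below is the standard Net Logon parameters key; the page
# accompanying this example does not state it.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-DnsRegisterARecords {
    # $null means the value is absent, i.e. A-record registration is enabled (the default).
    (Get-ItemProperty -Path $NetlogonParams -Name DnsRegisterARecords -ErrorAction SilentlyContinue).DnsRegisterARecords
}

function Disable-DcARecordRegistration {
    # REG_DWORD 0: do not register the domain-name A record for this DC.
    # -Force overwrites an existing value; SRV record registration is not affected.
    New-ItemProperty -Path $NetlogonParams -Name DnsRegisterARecords `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

function Enable-DcARecordRegistration {
    # Removing the value restores the default behaviour.
    Remove-ItemProperty -Path $NetlogonParams -Name DnsRegisterARecords -ErrorAction SilentlyContinue
}

function Test-DomainNameARecordsForThisHost {
    # Reports whether any of this host's IPv4 addresses is still published
    # as an A record for the domain name. Existing records are not withdrawn
    # by the registry change alone; they age out or must be removed from the zone.
    param([Parameter(Mandatory)][string]$Domain)
    $local = Get-NetIPAddress -AddressFamily IPv4 |
             Where-Object { $_.IPAddress -ne '127.0.0.1' } |
             Select-Object -ExpandProperty IPAddress
    $published = Resolve-DnsName -Name $Domain -Type A -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'A' } |
                 Select-Object -ExpandProperty IPAddress
    [pscustomobject]@{
        Domain          = $Domain
        LocalAddresses  = ($local -join ',')
        PublishedForDomain = ($published -join ',')
        StillPublished  = @($published | Where-Object { $local -contains $_ }).Count -gt 0
    }
}

"Before: DnsRegisterARecords = $(Get-DnsRegisterARecords)"
Disable-DcARecordRegistration
"After:  DnsRegisterARecords = $(Get-DnsRegisterARecords)"

# Net Logon reads the value when it (re)registers its DNS records; restart it to apply.
Restart-Service -Name Netlogon
Test-DomainNameARecordsForThisHost -Domain $env:USERDNSDOMAIN | Format-List
```

`Test-DomainNameARecordsForThisHost` reports `StillPublished = True` while the old A record is still in the zone; that is expected immediately after the change and is the reason to check the zone contents (or wait for scavenging) rather than assume the registry value alone removes the collision described above. Use `Enable-DcARecordRegistration` to revert.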
Caution
Editing the registry directly can have serious, unexpected consequences that can prevent the system from starting and require that you reinstall Windows 2000. There are programs available in Control Panel or Microsoft Management Console (MMC) for performing most administrative tasks. These programs provide safeguards that prevent you from entering conflicting settings or settings that are likely to degrade performance or damage your system. Registry editors bypass the standard safeguards that are provided by these administrative tools. Modifying the registry is recommended only when no administrative tool is available. Before you make changes to the registry, it is recommended that you back up any valuable data on the computer. For instructions about how to edit registry entries, see Help for the registry editor that you are using. For more information about the registry, see the Microsoft Windows 2000 Resource Kit Technical Reference to the Windows 2000 Registry (Regentry.chm).
A domain controller registers its NetBIOS name (DomainName[1C]) by broadcasting or directing a NetBIOS name registration request to a NetBIOS name server, such as a WINS server. Registering the NetBIOS name makes it possible for Windows-based clients that are not DNS-enabled to find the domain controllers that are running Windows 2000, Windows NT 4.0, or Windows NT 3.51. In this case, the client finds the domain controller by sending a Net Logon mailslot request that is based on the NetBIOS domain name.
Note
NetBIOS recognizes domain controllers by the [1C] registration.
For more information about registering names with WINS, see "Windows Internet Name Service" in the TCP/IP Core Networking Guide.