Problems with the DnsAvoidRegisterRecords registry key

Archived from groups: microsoft.public.win2000.dns (More info?)

Hi All

I am using the above registry key to try to prevent certain DNS records from
being registered for some of my DC's.

Every time I set this key I get an error 3051 in the event log that says:

The Registry or the information you just typed includes an illegal value for
"DnsAvoidRegisterRecords".

I have followed KB306602 which gives info re the setting. I have tried this
on 3 different Windows 2000 SP3 builds (built from different source media)
to no avail.

Even if I just put in the registry entry with no values I get this error.

Anybody seen this? got any pointers.....

Thanks

Jody
 

Jody Flett, JMF Computers wrote:
> Hi All
>
> I am using the above registry key to try to prevent certain DNS
> records from being registered for some of my DC's.
>
> Every time I set this key I get an error 3051 in the event log that
> says:
> The Registry or the information you just typed includes an illegal
> value for "DnsAvoidRegisterRecords".
>
> I have followed KB306602 which gives info re the setting. I have
> tried this on 3 different Windows 2000 SP3 builds (built from
> different source media) to no avail.
>
> Even if I just put in the registry entry with no values I get this
> error.
> Anybody seen this? got any pointers.....
>
> Thanks
>
> Jody

Is this Win2000? You need to do it thru regedt32 and select it's a Multi-SZ
type.

Curious, what is the end result you are looking for putting this key in?

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Paramount: What's up with taking Enterprise off the air??
Infinite Diversities in Infinite Combinations.
=================================
 

Sorry, I see it is Win2000.

Which records are you trying to avoid? How are you typing them in?

Ace
 

Hi Ace

Many thanks for your help, I was being very stupid and feel quite
embarrassed.... :-s, using regedt32 set me on the right track, I was using
regedit which was not creating the right key.... (Sometimes you don't see
the wood for the trees, I think I may invest in some new glasses... )

Anyway some further information - I am using this key to stop a couple of
DC's registering all of their records apart from the A (Host) and the CNAME
Alias for replication. I do not want it to be used to authenticate any
clients on the Domain as this particular DC is going to be placed in a LAG
replication DR site. Basically as well as sectioning off the site this is
another safeguard against clients using these DC's

The registry key I am using can be created using the following command
line.... (should have used the trusty command line from the start.. ;-) )

reg add HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /v DnsAvoidRegisterRecords /t REG_MULTI_SZ /s - /d LdapIpAddress-Ldap-LdapAtSite-Pdc-Gc-GcAtSite-DcByGuid-GcIpAddress-Kdc-KdcAtSite-Dc-DcAtSite-Rfc1510Kdc-Rfc1510KdcAtSite-GenericGc-GenericGcAtSite-Rfc1510UdpKdc-Rfc1510Kpwd-Rfc1510UdpKpwd

Thanks

Jody




"Jody Flett, JMF Computers" <news@SPAMjmfcomputers.co.uk> wrote in message
news:%23IqXtVcYFHA.3488@tk2msftngp13.phx.gbl...
> Hi Ace
>
> Many thanks for your help, I was being very stupid and feel quite
> embarrassed.... :-s, using regedt32 set me on the right track, I was using
> regedit which was not creating the right key.... (Sometimes you don't see
> the wood for the trees, I think I may invest in some new glasses... )
>
> Anyway some further information - I am using this key to stop a couple of
> DC's registering all of their records apart from the A (Host) and the
> CNAME Alias for replication. I do not want it to be used to authenticate
> any clients on the Domain as this particular DC is going to be placed in a
> LAG replication DR site. Basically as well as sectioning off the site this
> is another safeguard against clients using these DC's
>
> The registry key I am using can be created using the following command
> line.... (should have used the trusty command line from the start.. ;-) )
>
> reg add HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /v DnsAvoidRegisterRecords /t REG_MULTI_SZ /s - /d LdapIpAddress-Ldap-LdapAtSite-Pdc-Gc-GcAtSite-DcByGuid-GcIpAddress-Kdc-KdcAtSite-Dc-DcAtSite-Rfc1510Kdc-Rfc1510KdcAtSite-GenericGc-GenericGcAtSite-Rfc1510UdpKdc-Rfc1510Kpwd-Rfc1510UdpKpwd
>
> Thanks
>
> Jody

I can sympathize about the glasses. I've been thinking about doing the same
thing. :)

I think in addition to putting them into a separate site, it would be easier
to play with the weights in the SRV records than removing those entries.
This would be the first I heard of doing it this way. Curious how you make
out.

Ace
 

I will post back and let you know how it goes, so far in testing all looks
good.... .FRS is happy, NTDS replication is happy...

I was looking into weighting the records as well, but I still had
reservations about clients being able to query DNS and get records for the
LAG Servers. (i.e. There is still an outside chance that they would use a
LAG DC and I could see difficult troubleshooting of weird client
problems.... :) ) also in the company I work for DNS is looked after by
another team, and is also not a Windows based DNS service, which is only
dynamic for DC's. I really wanted the emergency recovery procedure to be
able to be carried out by one team without the need to depend on other
members of other teams which adds time. With this key implemented, the
server team can perform the complete recovery procedure without involving
another set of people, which keeps things simple.

Many Thanks for your help... .

Jody





Jody Flett, JMF Computers wrote:
> I will post back and let you know how it goes, so far in testing all
> looks good.... .FRS is happy, NTDS replication is happy...
>
> I was looking into weighting the records as well, but I still had
> reservations about clients being able to query DNS and get records
> for the LAG Servers. (i.e. There is still an outside chance that they
> would use a LAG DC and I could see difficult troubleshooting of
> weird client problems.... :) ) also in the company I work for DNS is
> looked after by another team, and is also not a Windows based DNS
> service, which is only dynamic for DC's. I really wanted the
> emergency recovery procedure to be able to be carried out by one team
> without the need to depend on other members of other teams which adds
> time. With this key implemented, the server team can perform the
> complete recovery procedure without involving another set of people,
> which keeps things simple.
> Many Thanks for your help... .
>
> Jody
>

No problem for the help. I will be monitoring this thread to see how you
made out.

Ace
 

Hi Ace

If you are still watching, all tested and implemented now, the DC's are
replicating, event logs are clear and we have not noticed any funnies in the
environment so preventing the registration seems to be doing the trick. Also
going through the security logs shows that the DC's are not performing any
validations. Am quite happy with this reg key... also on Windows 2003
Servers there is a group policy to do the same although this GP does not
apply to 2000 machines :-( which would just be the icing on the cake...

Cheers

Jody



In news:uVIUMqAbFHA.1456@TK2MSFTNGP15.phx.gbl,
Jody Flett, JMF Computers <news@SPAMjmfcomputers.co.uk> stated, and I
replied below:
> Hi Ace
>
> If you are still watching, all tested and implemented now, the DC's
> are replicating, event logs are clear and we have not noticed any
> funnies in the environment so preventing the registration seems to be
> doing the trick. Also going through the security logs shows that the
> DC's are not performing any validations. Am quite happy with this reg
> key... also on Windows 2003 Servers there is a group policy to do the
> same although this GP does not apply to 2000 machines :-( which would
> just be the icing on the cake...
> Cheers
>
> Jody
>

Very cool. I guess it took a bit of testing to ensure that it will work. As
for Win2000, not much we can do about it, unless you script it.

Cheers!

Ace
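
Added example, not part of the original thread: a Python check of a DnsAvoidRegisterRecords list of the kind passed to reg add above. It flags entries that are not Netlogon mnemonics, shows which records stay registered, and lists the DNS names to query to confirm the DC is no longer published. The mnemonic table follows Microsoft's documentation for this value; the domain, forest, site and GUID names and the sample list are constructed placeholders.

```python
# Netlogon mnemonic -> (record type, owner-name template), following
# Microsoft's documentation for DnsAvoidRegisterRecords.
MNEMONICS = {
    "LdapIpAddress": ("A", "{domain}"),
    "Ldap": ("SRV", "_ldap._tcp.{domain}"),
    "LdapAtSite": ("SRV", "_ldap._tcp.{site}._sites.{domain}"),
    "Pdc": ("SRV", "_ldap._tcp.pdc._msdcs.{domain}"),
    "Gc": ("SRV", "_ldap._tcp.gc._msdcs.{forest}"),
    "GcAtSite": ("SRV", "_ldap._tcp.{site}._sites.gc._msdcs.{forest}"),
    "DcByGuid": ("SRV", "_ldap._tcp.{domain_guid}.domains._msdcs.{forest}"),
    "GcIpAddress": ("A", "gc._msdcs.{forest}"),
    "DsaCname": ("CNAME", "{dsa_guid}._msdcs.{forest}"),
    "Kdc": ("SRV", "_kerberos._tcp.dc._msdcs.{domain}"),
    "KdcAtSite": ("SRV", "_kerberos._tcp.{site}._sites.dc._msdcs.{domain}"),
    "Dc": ("SRV", "_ldap._tcp.dc._msdcs.{domain}"),
    "DcAtSite": ("SRV", "_ldap._tcp.{site}._sites.dc._msdcs.{domain}"),
    "Rfc1510Kdc": ("SRV", "_kerberos._tcp.{domain}"),
    "Rfc1510KdcAtSite": ("SRV", "_kerberos._tcp.{site}._sites.{domain}"),
    "GenericGc": ("SRV", "_gc._tcp.{forest}"),
    "GenericGcAtSite": ("SRV", "_gc._tcp.{site}._sites.{forest}"),
    "Rfc1510UdpKdc": ("SRV", "_kerberos._udp.{domain}"),
    "Rfc1510Kpwd": ("SRV", "_kpasswd._tcp.{domain}"),
    "Rfc1510UdpKpwd": ("SRV", "_kpasswd._udp.{domain}"),
}

def audit(data, sep="-"):
    """Split a `reg add /s <sep> /d <data>` argument and classify each entry."""
    entries = [e.strip() for e in data.split(sep) if e.strip()]
    suppressed = [e for e in entries if e in MNEMONICS]
    unknown = [e for e in entries if e not in MNEMONICS]  # not a known mnemonic
    remaining = [m for m in MNEMONICS if m not in suppressed]  # still registered
    return suppressed, unknown, remaining

def records_to_check(suppressed, names):
    """(type, owner name) pairs that should no longer point at this DC."""
    return [(MNEMONICS[m][0], MNEMONICS[m][1].format(**names)) for m in suppressed]

# Constructed sample: placeholder names and a list with one deliberate typo.
NAMES = {"domain": "corp.example", "forest": "corp.example", "site": "DR-Site",
         "domain_guid": "DOMAIN-GUID", "dsa_guid": "DSA-GUID"}
SAMPLE = "Ldap-LdapAtSite-Kdc-KdcAtSit-Gc"

if __name__ == "__main__":
    ok, bad, left = audit(SAMPLE)
    print("unknown entries:", bad)
    print("still registered:", left)
    for rtype, owner in records_to_check(ok, NAMES):
        print(f"verify {rtype:5} {owner}")
```

Each printed owner name can then be looked up against the DNS servers that clients use; the DC's host name should be absent from the answers.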