Microsoft KB Archive/936263

= How to disable remote administration of the DNS Server service in Windows Server 2003 and in Windows 2000 Server =

Article ID: 936263

Article Last Modified on 10/11/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard x64 Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Datacenter x64 Edition
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server

-



Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



INTRODUCTION
This article describes how to disable DNS remote management of a DNS server that is running one of the following operating systems:
 * Microsoft Windows Server 2003
 * Microsoft Windows 2000 Server

You can use the method that is mentioned in this article to enhance the security of the computers that are running the DNS Server service in an organization.

For more information about a problem that affects the DNS Server service in Windows Server 2003 and in Windows 2000 Server, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/Bulletin/MS07-029.mspx



Overview
By default, the DNS Server service allows for remote management by using many interfaces. When the DNS Server service starts, it binds to a dynamic port in the ephemeral range. This port is used by the DNS Microsoft Management Console (MMC) snap-in and by the DNS Windows Management Instrumentation (WMI) provider. You can use the following registry entry to control whether the DNS Server service allows for remote management:

Value name: RpcProtocol

Value type: REG_DWORD

Value data: 0x4

The following values are available for the RpcProtocol registry entry:
 * 0x1 - corresponds to a setting of DNS_RPC_USE_TCPIP
 * 0x2 - corresponds to a setting of DNS_RPC_USE_NAMED_PIPE
 * 0x4 - corresponds to a setting of DNS_RPC_USE_LPC

Note A value of 0x4 restricts the DNS RPC interface to local procedure calls only. This allows for local management only.
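The following PowerShell script is an added example and is not part of the Knowledge Base article. It reads RpcProtocol from the local DNS server and reports which RPC transports the value leaves enabled, so an administrator can tell at a glance whether the server still accepts remote management. It treats the value as a bit mask of the three flags listed above, which the DNS Server registry reference documents but this article does not state; a missing value is reported as the service default, which the article describes as remote management enabled.

```powershell
# Added example (not from KB 936263): decode the RpcProtocol value of the
# local DNS Server service and report the remote-management exposure.
# Assumption: RpcProtocol is a bit mask of the three flags the article lists.
$DnsRpcUseTcpIp     = 0x1   # DNS_RPC_USE_TCPIP      (remote, over TCP/IP)
$DnsRpcUseNamedPipe = 0x2   # DNS_RPC_USE_NAMED_PIPE (remote, over SMB named pipes)
$DnsRpcUseLpc       = 0x4   # DNS_RPC_USE_LPC        (local procedure calls only)

function Get-DnsRpcExposure {
    param([int]$RpcProtocol)
    $transports = @()
    if ($RpcProtocol -band $DnsRpcUseTcpIp)     { $transports += 'TCP/IP (remote)' }
    if ($RpcProtocol -band $DnsRpcUseNamedPipe) { $transports += 'Named pipe (remote)' }
    if ($RpcProtocol -band $DnsRpcUseLpc)       { $transports += 'LPC (local only)' }
    # Remote management is possible whenever either remote transport bit is set.
    $remote = [bool]($RpcProtocol -band ($DnsRpcUseTcpIp -bor $DnsRpcUseNamedPipe))
    New-Object PSObject -Property @{
        RpcProtocol      = ('0x{0:X}' -f $RpcProtocol)
        Transports       = ($transports -join ', ')
        RemoteManagement = $remote
    } | Select-Object RpcProtocol, Transports, RemoteManagement
}

# Read the value from the local machine. Get-ItemProperty returns nothing when
# the value is absent, which means the service default applies.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$item = Get-ItemProperty -Path $params -Name RpcProtocol -ErrorAction SilentlyContinue
if ($item -eq $null) {
    Write-Output 'RpcProtocol is not set; the DNS Server service uses its default, which allows remote management.'
} else {
    Get-DnsRpcExposure -RpcProtocol $item.RpcProtocol
}
```

With RpcProtocol set to 4 as the article recommends, the output lists only "LPC (local only)" and RemoteManagement is False; any value that includes 0x1 or 0x2 reports True.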

The effect of disabling remote management
When you set the RpcProtocol registry entry to 0x4, remote management of the DNS Server service is disabled. Therefore, you cannot use RPC or Windows Management Instrumentation (WMI) to manage the DNS server. In this scenario, DNS server management tools no longer work from a remote location. However, you can still use local management tools to manage the DNS server, and you can still perform remote management of the DNS server by using a Terminal Services connection.

Setting the RpcProtocol registry entry to 0x4 does not affect DNS queries, DNS dynamic updates, DNS zone transfers, and so on.

Note DNS Server service local administration and configuration may not work if the following conditions are true:
 * The server that you want to manage has a host name that is 15 characters long.
 * You select the server by using its host name.

To resolve this problem, specify the fully qualified domain name (FQDN) of the computer when you manage it by using the DNS server administration tools.

To disable remote management of the DNS Server service
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To disable remote management over RPC on a computer that is running the DNS Server service, follow these steps:

1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

3. On the Edit menu, point to New, and then click DWORD Value.
4. In the New Value #1 box, type RpcProtocol, and then press ENTER.
5. Right-click RpcProtocol, and then click Modify.
6. In the Value data box, type 4, and then click OK.
7. Exit Registry Editor, and then restart the DNS Server service. To restart the DNS Server service, follow these steps:
   a. Click Start, click Run, type cmd, and then click OK.
   b. At the command prompt, type the following command, and then press ENTER:

net stop dns && net start dns

To deploy the RpcProtocol registry value to many computers
You can use a script to deploy the RpcProtocol registry value. This lets you disable remote management of the DNS Server service on many computers more easily. To do this, follow these steps:

1. Log on to the domain by using an account that has rights to modify the DNS servers. For example, log on as a domain administrator.
2. Create a list of all the DNS servers. To do this, run the following command at a command prompt:

dsquery * -filter "(servicePrincipalName=DNS*)" -attr dNSHostName -l > dns_servers.txt

If it is required, manually edit the dns_servers.txt file that is created so that it lists all the DNS servers. This command only captures domain controllers that are configured as DNS servers. Therefore, you must manually add DNS servers that are configured as member servers.

Note You can use the Name Servers tab in the Properties dialog box for each zone in the DNS snap-in to determine the names of the DNS servers that you want to add to this list.

3. If it is required, use the cd command at the command prompt to change to the directory to which you saved the dns_servers.txt file.
4. Type the following command, and then press ENTER:

for /f %i in (dns_servers.txt) do reg add \\%i\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v RpcProtocol /t REG_DWORD /d 4 /f

This command adds the RpcProtocol registry entry with a value of 0x4 on each server that is listed in dns_servers.txt.

5. Stop the DNS Server service on all the computers. To do this, type the following command, and then press ENTER:

for /f %i in (dns_servers.txt) do sc \\%i stop DNS

6. Start the DNS Server service on all the computers. To do this, type the following command, and then press ENTER:

for /f %i in (dns_servers.txt) do sc \\%i start DNS

To verify that the RpcProtocol registry entry is set on many computers
To query the servers and to verify that the RpcProtocol registry entry is set, follow these steps:

1. Log on to a DNS server that has the RpcProtocol registry entry set.
2. Copy the following script to a text file, and then name this file Dnsquery.cmd:

Echo Comparing registry value for: > dns_errors.txt
echo HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters >> dns_errors.txt
echo Data Value for "RpcProtocol" >> dns_errors.txt
echo. >> dns_errors.txt
echo. >> dns_errors.txt
Echo Errorlevel 1 - Failed to compare registry values >> dns_errors.txt
Echo Errorlevel 2 - Reg values compared are different >> dns_errors.txt
echo. >> dns_errors.txt
echo. >> dns_errors.txt
echo ===================================================== >> dns_errors.txt
set _MachineName=
rem Call the :TEST subroutine once for every host name in dns_servers.txt
for /f %%i in (dns_servers.txt) do (
call :TEST %%i
)
rem Jump past the subroutine so that it is not run again with an empty name
goto :End

:TEST
Set _MachineName=%1
echo %_MachineName%
rem Compare the local Parameters subkey with the one on the remote computer
reg.exe compare "HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" "\\%_MachineName%\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v RpcProtocol
rem reg.exe returns 0 when the values are identical, 1 on failure, 2 when they differ
if "%_MachineName%" == "" echo 0 > nul
if %errorlevel% == 0 echo 0 > nul
if %errorlevel% == 1 Echo Computername: %_MachineName% Errorlevel returned: 1 - Failed >> dns_errors.txt
if %errorlevel% == 2 Echo Computername: %_MachineName% Errorlevel returned: 2 - Different >> dns_errors.txt
goto :EOF

:End
rem exit

Note This script compares the Parameters registry subkey on the remote computers to the one on the computer where you run the script. Only computers where the comparison fails or where the value differs are written to dns_errors.txt.

Important There must be no trailing space characters in this script.

3. Double-click the Dnsquery.cmd file to run it.
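The following PowerShell script is an added example and is not part of the Knowledge Base article. Where Dnsquery.cmd compares each remote server against the local one, this script reads RpcProtocol from each server listed in dns_servers.txt over the Remote Registry service and checks it against the expected value 4 directly, so it also catches the case where the value is missing altogether. It assumes that dns_servers.txt is in the current directory, that the Remote Registry service is reachable on each server, and that the account that runs it can read HKLM on each server; the list reader accepts either bare host names or lines in the form "dNSHostName: host".

```powershell
# Added example (not from KB 936263): check RpcProtocol on every server in
# dns_servers.txt and report hosts where it is not 0x4.
# Assumptions: dns_servers.txt in the current directory, Remote Registry
# reachable, and read access to HKLM on each server.
$ExpectedValue = 4
$SubKey = 'SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-DnsServerList {
    param([string]$Path = '.\dns_servers.txt')
    # Accepts one bare host name per line, or "dNSHostName: host" lines;
    # blank lines are skipped.
    Get-Content -Path $Path |
        ForEach-Object { ($_ -replace '^\s*dNSHostName:\s*', '').Trim() } |
        Where-Object { $_ -ne '' }
}

function Test-DnsRpcProtocol {
    param([string]$ComputerName)
    $value = $null
    try {
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $key = $hive.OpenSubKey($SubKey)
        if ($key -eq $null) { throw "subkey $SubKey not found" }
        $value = $key.GetValue('RpcProtocol')   # $null when the value is absent
        $key.Close()
        $hive.Close()
        if ($value -eq $null) {
            # No value means the service default applies, so remote management is on.
            $status = 'Missing - service default applies, remote management enabled'
        } elseif ([int]$value -eq $ExpectedValue) {
            $status = 'OK'
        } else {
            $status = 'Different'
        }
    } catch {
        $status = 'Failed - ' + $_.Exception.Message
    }
    $display = ''
    if ($value -ne $null) { $display = '0x{0:X}' -f [int]$value }
    New-Object PSObject -Property @{
        ComputerName = $ComputerName
        RpcProtocol  = $display
        Status       = $status
    } | Select-Object ComputerName, RpcProtocol, Status
}

$results = Get-DnsServerList | ForEach-Object { Test-DnsRpcProtocol -ComputerName $_ }
$results | Format-Table -AutoSize

# Like the article's dns_errors.txt, the report lists only hosts that are not OK.
$results | Where-Object { $_.Status -ne 'OK' } |
    ForEach-Object { 'Computername: {0} {1}' -f $_.ComputerName, $_.Status } |
    Set-Content -Path .\dns_errors.txt
```

Run it from the directory that holds dns_servers.txt; a server that cannot be reached appears with a "Failed" status rather than stopping the run.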

To remove the RpcProtocol registry value from many computers
To undo the operation that sets the RpcProtocol registry value, follow these steps:

1. Log on to the domain by using an account that has rights to modify the DNS servers. For example, log on as a domain administrator.
2. Start a command prompt, and then use the cd command to change to the directory to which you saved the Dns_servers.txt file.
3. Type the following command, and then press ENTER:

for /f %i in (dns_servers.txt) do reg delete \\%i\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v RpcProtocol /f

4. Stop the DNS Server service on all the computers. To do this, type the following command, and then press ENTER:

for /f %i in (dns_servers.txt) do sc \\%i stop DNS

5. Start the DNS Server service on all the computers. To do this, type the following command, and then press ENTER:

for /f %i in (dns_servers.txt) do sc \\%i start DNS
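The following PowerShell script is an added example and is not part of the Knowledge Base article. It covers both the deployment procedure above ("To deploy the RpcProtocol registry value to many computers") and this removal procedure: without a switch it sets RpcProtocol to 4 on every server in dns_servers.txt, and with -Remove it deletes the value, restarting the DNS Server service either way. Unlike the one-line for loops in the article, it handles each server in its own try block and reports the outcome per server, so one unreachable host does not hide what happened on the others. It assumes the same things as the article's commands (an account with rights on each DNS server, the Remote Registry service reachable, dns_servers.txt in the current directory) and requires Windows PowerShell, because Get-Service -ComputerName is not available in PowerShell 7.

```powershell
# Added example (not from KB 936263): set (default) or remove (-Remove) the
# RpcProtocol value on every server in dns_servers.txt and restart DNS Server.
# Assumptions: rights on each DNS server, Remote Registry reachable,
# dns_servers.txt in the current directory, Windows PowerShell (not PowerShell 7).
param([switch]$Remove)

$SubKey = 'SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-DnsServerList {
    param([string]$Path = '.\dns_servers.txt')
    # Accepts one bare host name per line, or "dNSHostName: host" lines;
    # blank lines are skipped.
    Get-Content -Path $Path |
        ForEach-Object { ($_ -replace '^\s*dNSHostName:\s*', '').Trim() } |
        Where-Object { $_ -ne '' }
}

function Set-DnsRpcProtocol {
    param([string]$ComputerName, [switch]$Remove)
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key = $hive.OpenSubKey($SubKey, $true)   # $true opens the key writable
    if ($key -eq $null) { throw "subkey $SubKey not found" }
    if ($Remove) {
        # Same effect as the article's "reg delete ... /v RpcProtocol /f";
        # $false means no error if the value is already absent.
        $key.DeleteValue('RpcProtocol', $false)
    } else {
        # Same effect as "reg add ... /v RpcProtocol /t REG_DWORD /d 4 /f".
        $key.SetValue('RpcProtocol', 4, [Microsoft.Win32.RegistryValueKind]::DWord)
    }
    $key.Close()
    $hive.Close()
}

function Restart-DnsServerService {
    param([string]$ComputerName)
    # Equivalent of the article's "sc \\host stop DNS" followed by "sc \\host start DNS".
    Get-Service -Name DNS -ComputerName $ComputerName -ErrorAction Stop |
        Restart-Service -ErrorAction Stop
}

foreach ($server in Get-DnsServerList) {
    try {
        Set-DnsRpcProtocol -ComputerName $server -Remove:$Remove
        Restart-DnsServerService -ComputerName $server
        if ($Remove) { $action = 'removed RpcProtocol' } else { $action = 'set RpcProtocol to 0x4' }
        Write-Output ('{0}: {1}, DNS Server service restarted' -f $server, $action)
    } catch {
        # Report and continue with the next server instead of aborting the run.
        Write-Warning ('{0}: {1}' -f $server, $_.Exception.Message)
    }
}
```

Save the script as a .ps1 file and run it from the directory that holds dns_servers.txt; run it again with -Remove to undo the change. The registry write and the service restart are kept in separate functions so that a server that accepts the registry change but whose service fails to restart is still reported clearly.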

Keywords: kberrmsg kbhowto kbinfo kbtshoot kbregistry KB936263

-


© Microsoft Corporation. All rights reserved.