Microsoft KB Archive/267855
Latest revision as of 09:45, 21 July 2020
Article ID: 267855
Article Last Modified on 2/28/2007
APPLIES TO
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
This article was previously published under Q267855
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
SYMPTOMS
Domain Name System (DNS) registrations of SRV and domain controller (DC) locator A records (registered by Netlogon) and NS records (added by the authoritative DNS servers) in an Active Directory-integrated DNS zone for some DCs may not work in a domain that contains a large number of DCs (usually over 800). If the Active Directory-integrated DNS zone has the same name as the Active Directory domain name, problems with the registration of A records and NS records at the zone root seem to occur in a domain with more than 400 DCs. Also, one or more of the following error messages may be logged in the Event log:
CAUSE
This problem occurs because Active Directory has a limitation of approximately 800 values that can be associated with a single object. In an Active Directory-integrated DNS zone, DNS names are represented by dnsNode objects, and DNS records are stored as values in the multi-valued dnsRecord attribute on dnsNode objects, causing the error messages listed earlier in this article to occur.
RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
The English version of this fix should have the following file attributes or later:
Date        Time    Size       File name
---------------------------------------------------------
02/08/2001  01:32p  5,090,728  Q267855_W2K_SP2_x86_en.EXE
This hotfix contains fixes for the DNS and Netlogon components. The fixes do not remove the limitation on the number of records that can be added for the same DNS name when the DNS zone is integrated with Active Directory, but provide a mechanism for disabling unnecessary DNS registrations of SRV and DC locator A records and NS records in an Active Directory-integrated DNS zone.
DNS Fix
Apply the hotfix to every DNS server running on a DC. The DNS portion of the hotfix also contains an updated version of Dnscmd.exe that is installed in the Systemdrive:\Program Files\Support Tools folder. After you apply the hotfix, use either one of the following methods:
Method 1
If you want to specify a list of DNS servers that can add NS records corresponding to themselves to a specified zone, choose one DNS server and then run Dnscmd.exe with the /AllowNSRecordsAutoCreation switch:
- To set a list of TCP/IP addresses of DNS servers that have permission to automatically create NS records for a zone, use the dnscmd servername /config zonename /AllowNSRecordsAutoCreation IPList command. For example:
  Dnscmd NS1 /config zonename.com /AllowNSRecordsAutoCreation 10.1.1.1 10.5.4.2
- To clear the list of TCP/IP addresses of DNS servers that have permission to automatically create NS records for a zone, and return the zone to the default state in which every primary DNS server automatically adds an NS record corresponding to itself to the zone, use the dnscmd servername /config zonename /AllowNSRecordsAutoCreation command. For example:
  Dnscmd NS1 /config zonename.com /AllowNSRecordsAutoCreation
- To query the list of TCP/IP addresses of DNS servers that have permission to automatically create NS records for a zone, use the dnscmd servername /zoneinfo zonename /AllowNSRecordsAutoCreation command. For example:
  Dnscmd NS1 /zoneinfo zonename.com /AllowNSRecordsAutoCreation
NOTE: Run this command on only one DNS server. Active Directory replication propagates the changes to all DNS servers that are running on DCs in the same domain.
In an environment in which the majority of the DNS DCs for a domain are located in branch offices and a few are located in a central location, you may want to use the Dnscmd command described earlier in this article to set the IPList to include only the centrally located DNS DCs. By doing so, only the centrally located DNS DCs add their respective NS records to the Active Directory domain zone.
Method 2
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
If you want to choose which DNS servers do not add NS records corresponding to themselves to any Active Directory-integrated DNS zone, use Registry Editor (Regedt32.exe) to configure the following registry value on each affected DNS server:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
Registry value: DisableNSRecordsAutoCreation
Data type: REG_DWORD
Data range: 0x0 | 0x1
Default value: 0x0
This value affects all Active Directory-integrated DNS zones. The values have the following meanings:
Value  Meaning
----------------------------------------------------------------------
0      DNS server automatically creates NS records for all Active Directory-integrated DNS zones, unless a zone that is hosted by the server contains the AllowNSRecordsAutoCreation attribute (described earlier in this article) and that attribute does not include the server. In this situation, the server uses the AllowNSRecordsAutoCreation configuration.
1      DNS server does not automatically create NS records for any Active Directory-integrated DNS zone, regardless of the AllowNSRecordsAutoCreation configuration in the Active Directory-integrated DNS zones.
NOTE: Windows 2000 does not add this value to the registry. To apply the changes to this value, you must restart the DNS Server service.
If you want to prevent certain DNS servers from adding their corresponding NS records to Active Directory-integrated DNS zones that they host, you can use the DisableNSRecordsAutoCreation registry value described earlier in this article.
Note that if the DisableNSRecordsAutoCreation registry value is set to 0x1, none of the Active Directory-integrated DNS zones hosted by that DNS server will contain its NS records. Therefore, if this server must add its own NS record to at least one Active Directory-integrated DNS zone that it hosts, do not set the registry value to 0x1.
Netlogon Fix
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
The Netlogon portion of this hotfix gives administrators greater control as described earlier in this article. You should apply the fix to every DC. Also, to prevent a DC from attempting dynamic updates of certain DNS records that by default are dynamically updated by Netlogon, use Regedt32.exe to configure the following registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry value: DnsAvoidRegisterRecords
Data type: REG_MULTI_SZ
In this value, specify the list of mnemonics corresponding to the DNS records that should not be registered by this DC. NOTE: Set the value to the list of mnemonics from the following table, one mnemonic per line (Enter-delimited). The list of mnemonics includes:
Mnemonic          Type   DNS Record
--------------------------------------------------------------------------
LdapIpAddress     A      <DnsDomainName>
Ldap              SRV    _ldap._tcp.<DnsDomainName>
LdapAtSite        SRV    _ldap._tcp.<SiteName>._sites.<DnsDomainName>
Pdc               SRV    _ldap._tcp.pdc._msdcs.<DnsDomainName>
Gc                SRV    _ldap._tcp.gc._msdcs.<DnsForestName>
GcAtSite          SRV    _ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName>
DcByGuid          SRV    _ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>
GcIpAddress       A      _gc._msdcs.<DnsForestName>
DsaCname          CNAME  <DsaGuid>._msdcs.<DnsForestName>
Kdc               SRV    _kerberos._tcp.dc._msdcs.<DnsDomainName>
KdcAtSite         SRV    _kerberos._tcp.dc._msdcs.<SiteName>._sites.<DnsDomainName>
Dc                SRV    _ldap._tcp.dc._msdcs.<DnsDomainName>
DcAtSite          SRV    _ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>
Rfc1510Kdc        SRV    _kerberos._tcp.<DnsDomainName>
Rfc1510KdcAtSite  SRV    _kerberos._tcp.<SiteName>._sites.<DnsDomainName>
GenericGc         SRV    _gc._tcp.<DnsForestName>
GenericGcAtSite   SRV    _gc._tcp.<SiteName>._sites.<DnsForestName>
Rfc1510UdpKdc     SRV    _kerberos._udp.<DnsDomainName>
Rfc1510Kpwd       SRV    _kpasswd._tcp.<DnsDomainName>
Rfc1510UdpKpwd    SRV    _kpasswd._udp.<DnsDomainName>
NOTE: Windows 2000 does not add this value to the registry, and it is not necessary to restart the Netlogon service. If the DnsAvoidRegisterRecords registry value is created or modified while the Netlogon service is stopped or within the first 15 minutes after Netlogon is started, appropriate DNS updates take place with a short delay (however, the delay is no later than 15 minutes after Netlogon starts).
DNS registrations of A records performed by Netlogon can also be modified by using the RegisterDnsARecords registry value. For additional information about how to do so, click the article number below to view the article in the Microsoft Knowledge Base:
246804 How to Enable/Disable Windows 2000 Dynamic DNS Registrations
Note that the DnsAvoidRegisterRecords registry value settings take precedence over the RegisterDnsARecords registry value settings. Therefore, if the LdapIpAddress and/or GcIpAddress mnemonics are used in the DnsAvoidRegisterRecords registry value, the following conditions apply:
- If DnsAvoidRegisterRecords contains LdapIpAddress and RegisterDnsARecords is set to 0x0, DnsDomainName A record(s) are not registered by Netlogon.
- If DnsAvoidRegisterRecords does not contain LdapIpAddress and RegisterDnsARecords is set to 0x1, DnsDomainName A record(s) are not registered by Netlogon.
- If DnsAvoidRegisterRecords contains GcIpAddress and RegisterDnsARecords is set to 0x0, _gc._msdcs.DnsForestName A record(s) are not registered by Netlogon.
- If DnsAvoidRegisterRecords does not contain GcIpAddress and RegisterDnsARecords is set to 0x1, _gc._msdcs.DnsForestName A record(s) are not registered by Netlogon.
To prevent the problem described earlier in this article from occurring in an environment in which a set of DCs and/or global catalog (GC) servers are located in a central location and a large number of the DCs and/or GC servers are located in branch offices, the administrator can disable registration of some of the DNS records by Netlogon on the DCs/GCs in the branch offices. In this situation, the list of mnemonics that should not be registered includes:
DC-specific records:

Mnemonic          Type   DNS Record
---------------------------------------------------------------------------
LdapIpAddress     A      <DnsDomainName>
Ldap              SRV    _ldap._tcp.<DnsDomainName>
DcByGuid          SRV    _ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>
Kdc               SRV    _kerberos._tcp.dc._msdcs.<DnsDomainName>
Dc                SRV    _ldap._tcp.dc._msdcs.<DnsDomainName>
Rfc1510Kdc        SRV    _kerberos._tcp.<DnsDomainName>
Rfc1510UdpKdc     SRV    _kerberos._udp.<DnsDomainName>
Rfc1510Kpwd       SRV    _kpasswd._tcp.<DnsDomainName>
Rfc1510UdpKpwd    SRV    _kpasswd._udp.<DnsDomainName>

GC-specific records:

Mnemonic          Type   DNS Record
---------------------------------------------------------------------------
Gc                SRV    _ldap._tcp.gc._msdcs.<DnsForestName>
GcIpAddress       A      _gc._msdcs.<DnsForestName>
GenericGc         SRV    _gc._tcp.<DnsForestName>
Note that these lists do not include the site-specific records. Therefore, DCs and GC servers in branch offices are located by site-specific records that are usually used by a DC locator. If a program searches for a DC/GC by using generic (non-site-specific) records such as any of the records in the lists that are listed earlier in this article, it finds a DC/GC in the central location.
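As an added example (not Microsoft's code), the following Python expands the mnemonic table into the concrete DNS names a DC registers and reports which names remain after the branch-office lists above are placed in DnsAvoidRegisterRecords, so an administrator can compare the result against what actually appears in the zone. The domain, forest, site and GUID values are constructed placeholders, and the script assumes that GC-only mnemonics are registered only by global catalog servers.

```python
# Added example, not Microsoft's code: expands the KB 267855 mnemonics into
# the concrete DNS names a DC registers, and shows which names a branch-office
# DC still registers once DnsAvoidRegisterRecords holds the lists above.

# Mnemonic -> (record type, name template), as listed in the article.
MNEMONICS = {
    "LdapIpAddress":    ("A",     "<DnsDomainName>"),
    "Ldap":             ("SRV",   "_ldap._tcp.<DnsDomainName>"),
    "LdapAtSite":       ("SRV",   "_ldap._tcp.<SiteName>._sites.<DnsDomainName>"),
    "Pdc":              ("SRV",   "_ldap._tcp.pdc._msdcs.<DnsDomainName>"),
    "Gc":               ("SRV",   "_ldap._tcp.gc._msdcs.<DnsForestName>"),
    "GcAtSite":         ("SRV",   "_ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName>"),
    "DcByGuid":         ("SRV",   "_ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>"),
    "GcIpAddress":      ("A",     "_gc._msdcs.<DnsForestName>"),
    "DsaCname":         ("CNAME", "<DsaGuid>._msdcs.<DnsForestName>"),
    "Kdc":              ("SRV",   "_kerberos._tcp.dc._msdcs.<DnsDomainName>"),
    "KdcAtSite":        ("SRV",   "_kerberos._tcp.dc._msdcs.<SiteName>._sites.<DnsDomainName>"),
    "Dc":               ("SRV",   "_ldap._tcp.dc._msdcs.<DnsDomainName>"),
    "DcAtSite":         ("SRV",   "_ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>"),
    "Rfc1510Kdc":       ("SRV",   "_kerberos._tcp.<DnsDomainName>"),
    "Rfc1510KdcAtSite": ("SRV",   "_kerberos._tcp.<SiteName>._sites.<DnsDomainName>"),
    "GenericGc":        ("SRV",   "_gc._tcp.<DnsForestName>"),
    "GenericGcAtSite":  ("SRV",   "_gc._tcp.<SiteName>._sites.<DnsForestName>"),
    "Rfc1510UdpKdc":    ("SRV",   "_kerberos._udp.<DnsDomainName>"),
    "Rfc1510Kpwd":      ("SRV",   "_kpasswd._tcp.<DnsDomainName>"),
    "Rfc1510UdpKpwd":   ("SRV",   "_kpasswd._udp.<DnsDomainName>"),
}
# Assumption: these records are registered only by global catalog servers.
GC_ONLY = {"Gc", "GcAtSite", "GcIpAddress", "GenericGc", "GenericGcAtSite"}

# The article's recommended DnsAvoidRegisterRecords lists for branch offices.
BRANCH_DC_AVOID = ["LdapIpAddress", "Ldap", "DcByGuid", "Kdc", "Dc",
                   "Rfc1510Kdc", "Rfc1510UdpKdc", "Rfc1510Kpwd", "Rfc1510UdpKpwd"]
BRANCH_GC_AVOID = ["Gc", "GcIpAddress", "GenericGc"]

def expand(template, env):
    """Substitute the <Placeholder> tokens in a template using the env dict."""
    for key, value in env.items():
        template = template.replace("<%s>" % key, value)
    return template

def registrations(env, avoid, is_gc=False):
    """Return {dns_name: record_type} still registered by a DC whose
    DnsAvoidRegisterRecords value lists the mnemonics in `avoid`."""
    bad = [m for m in avoid if m not in MNEMONICS]
    if bad:  # a misspelled mnemonic would silently leave the record registered
        raise ValueError("unknown mnemonic(s): " + ", ".join(bad))
    out = {}
    for mnemonic, (rtype, template) in MNEMONICS.items():
        if mnemonic in avoid or (mnemonic in GC_ONLY and not is_gc):
            continue
        out[expand(template, env)] = rtype
    return out

if __name__ == "__main__":
    # Constructed sample values, not taken from any real forest.
    env = {"DnsDomainName": "corp.example.com", "DnsForestName": "example.com",
           "SiteName": "Branch01", "DomainGuid": "11111111-2222-3333-4444-555555555555",
           "DsaGuid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}
    for name, rtype in sorted(registrations(env, BRANCH_DC_AVOID).items()):
        print(rtype.ljust(5), name)
```

With the DC-specific list applied, only the site-specific SRV records, the Pdc record and the DsaCname record remain, which is why clients that query the generic names are steered to the central location.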
An administrator may also choose to limit the number of the DC locator records such as SRV and A records registered by Netlogon for the same generic DNS name (_ldap._tcp.dc._msdcs.DomainName), even in a scenario with fewer than 800 DCs in the same domain, to reduce the size of DNS responses to queries for such records.
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 2.
MORE INFORMATION
Every DNS server that is authoritative for an Active Directory-integrated DNS zone adds an NS record. By default, every DC in a domain registers a SRV record for a set of non-site-specific names such as "_ldap._tcp.domain_name" and A record(s) that map the Active Directory DNS domain name to the TCP/IP address(es) of the DC. When a DNS server tries to write a record after approximately 800 records with the same shared name, Local Security Authority (LSA) runs at 100 percent CPU usage for approximately 10 seconds and the registration does not succeed. Netlogon retries this registration every hour; the 100 percent CPU usage spike reappears at least once an hour and the attempted registrations do not succeed.
For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:
249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes
Keywords: kbhotfixserver kbqfe kbbug kbdns kbenv kberrmsg kbfix kbnetwork kbwin2000presp2fix KB267855