SRV Records and annoyances

  • SRV Records and annoyances

    Hi all

    OK, my apologies if this is in the wrong place, I thought about the 2008 R2 forums, the AD forums and finally went for DNS... please feel free to move it if required.

    I have had to build 3 RODCs which are going to be shipped to offshore (sea-bound) drilling platforms to provide logon and DNS services to local clients; they are not Server Core, just normal GUI boxes. The networks they will reside on don't exist yet, so they have been built on a land-based central site, and added to the appropriate AD Site for their current location.

    Trouble is, we don't want them trying to authenticate because they don't have the objects for any of the central site computers or users; so we implemented Mnemonics in the registry to stop them registering DNS SRV records. We have put the following into the registry of each box:
    KEY:
    HKLM\SYSTEM\CurrentControlSet\Services\NETLOGON\Parameters\

    Value:
    DnsAvoidRegisterRecords (Multistring)

    CONTENT:
    LdapIpAddress
    Ldap
    LdapAtSite
    DcByGuid
    Kdc
    KdcAtSite
    Rfc1510KdcAtSite
    Dc
    DcAtSite
    Rfc1510Kdc
    Rfc1510UdpKdc
    Rfc1510Kpwd
    Rfc1510UdpKpwd
    Gc
    GcAtSite
    GcIpAddress
    GenericGc
    GenericGcAtSite

    Which appears to be designed to prevent the RODC registering ANY SRV records and should therefore prevent the RODC from being asked to authenticate as it won't be discoverable by clients.

    HOWEVER

    The bloody thing continues to register SOME SRV records. I just cannot figure out why... this is causing a problem with a UNIX SAMBA process which is failing because it reports no trust relationship when it hits the RODCs. It might be several weeks before these machines are shipped to their production locations so I really want to get this sorted - can anyone suggest something I've missed, or a mnemonic I don't have in there? I have used ALL of the mnemonics listed in the Microsoft Technet article relating to this so I doubt it but who knows?

    At my wits' end over it. I have rebooted a few times and restarted the NETLOGON service innumerable times... all to no avail (and then Microsoft deigned to tell me you don't need to restart the service; the new values should take effect in 15 mins).

    Thank you in advance!


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you

  • #2
    Re: SRV Records and annoyances

    What SRV records are being created??

    This site seems to list all of the values that can be stopped registering.

    http://technet.microsoft.com/en-us/l...=ws.10%29.aspx

    Just from a quick count you are missing 2.

    Pdc
    DsaCname

    Maybe try adding them and see if it makes a difference.
    Last edited by wullieb1; 10th July 2012, 07:26.


    • #3
      Re: SRV Records and annoyances

      The records I'm seeing are in the following zones:

      <domain>._msdcs.dc._sites.<sitename>._tcp;
      <domain>._sites.<sitename>._tcp and finally
      <domain>.DomainDNSZones._sites.<sitename>._tcp

      I won't bother with the PDC one for obvious reasons... what does the other one do?


      Tom
      For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

      Anything you say will be misquoted and used against you


      • #4
        Re: SRV Records and annoyances

        This was resolved by preventing the server using Dynamic DNS at all... no idea why it was ignoring the Mnemonics.


        Tom
        For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

        Anything you say will be misquoted and used against you
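
An audit of the setting discussed in this thread, as an added example that is not from any of the posters: it reads `DnsAvoidRegisterRecords` from the DC, flags entries that do not match a mnemonic named in the thread or that are missing from the list, then checks which SRV names still point at that DC. The host, domain, forest and site values are placeholders, the mnemonic-to-name mapping is my reading of Microsoft's Netlogon documentation, and the script assumes an admin workstation with `Resolve-DnsName` and Remote Registry access to the DC.

```powershell
# Added example (not from the thread). All parameter defaults are placeholders.
param(
    [string]$ComputerName = 'RODC01',        # placeholder host name
    [string]$Domain       = 'corp.example',  # placeholder DNS domain name
    [string]$Forest       = 'corp.example',  # placeholder forest root name
    [string]$Site         = 'Example-Site'   # placeholder AD site name
)

# SRV mnemonics named in the thread, mapped to the owner names Netlogon registers
# (mapping is an assumption based on Microsoft's Netlogon documentation).
$srv = [ordered]@{
    Ldap             = "_ldap._tcp.$Domain"
    LdapAtSite       = "_ldap._tcp.${Site}._sites.$Domain"
    Pdc              = "_ldap._tcp.pdc._msdcs.$Domain"
    Gc               = "_ldap._tcp.gc._msdcs.$Forest"
    GcAtSite         = "_ldap._tcp.${Site}._sites.gc._msdcs.$Forest"
    Kdc              = "_kerberos._tcp.dc._msdcs.$Domain"
    KdcAtSite        = "_kerberos._tcp.${Site}._sites.dc._msdcs.$Domain"
    Dc               = "_ldap._tcp.dc._msdcs.$Domain"
    DcAtSite         = "_ldap._tcp.${Site}._sites.dc._msdcs.$Domain"
    Rfc1510Kdc       = "_kerberos._tcp.$Domain"
    Rfc1510KdcAtSite = "_kerberos._tcp.${Site}._sites.$Domain"
    GenericGc        = "_gc._tcp.$Forest"
    GenericGcAtSite  = "_gc._tcp.${Site}._sites.$Forest"
    Rfc1510UdpKdc    = "_kerberos._udp.$Domain"
    Rfc1510Kpwd      = "_kpasswd._tcp.$Domain"
    Rfc1510UdpKpwd   = "_kpasswd._udp.$Domain"
}
# The remaining mnemonics from the thread are A/CNAME records or need a GUID.
$known = @($srv.Keys) + 'LdapIpAddress', 'GcIpAddress', 'DsaCname', 'DcByGuid'

$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
$key  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\Netlogon\Parameters')
$raw  = @($key.GetValue('DnsAvoidRegisterRecords', @()))

# Entries that match no mnemonic as typed (typos, stray spaces), then gaps in the list.
$raw   | Where-Object { $known -notcontains $_ } | ForEach-Object { "Unrecognised entry: '$_'" }
$known | Where-Object { $raw -notcontains $_ }   | ForEach-Object { "Not suppressed: $_" }

# Which SRV names still return this DC as a target, and was that mnemonic listed?
$fqdn = "$ComputerName.$Domain"
foreach ($m in $srv.Keys) {
    $hits = Resolve-DnsName -Name $srv[$m] -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.QueryType -eq 'SRV' -and $_.NameTarget.TrimEnd('.') -eq $fqdn }
    if ($hits) {
        $state = if ($raw -contains $m) { 'listed' } else { 'not listed' }
        "{0,-17} {1} -> {2} ({3} in DnsAvoidRegisterRecords)" -f $m, $srv[$m], $fqdn, $state
    }
}
```

A name reported as still present may be a record left over from before the registry change rather than a fresh registration. The `DomainDNSZones` names from post #3 are not in this table, so the script does not check them.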