Disabling dynamic DNS updates with Group Policy

I am managing a system which, for reasons outside my control, has a disjoint DNS namespace. I don't like it, but that is how it is and I cannot change it. The reason is that the servers have to coexist with a pre-existing DNS infrastructure.

The Windows domain is named something like ad.example.com, with the NetBIOS name AD. However, all the servers have their primary DNS suffix set to either "example.com" or "sub.example.com", depending on where they sit in the network. I have configured the msDS-AllowedDNSSuffixes attribute on the domain according to the "Create a Disjoint Namespace" article on TechNet.

DNS for the ad.example.com domain runs on the two domain controllers in the environment, while DNS for example.com and sub.example.com runs on other, non-Microsoft DNS servers.

In this environment DNS is managed manually rather than relying on dynamic DNS registration and updates.

The environment works fine, apart from some annoying warnings in the event log, such as this one:

The system failed to register host (A or AAAA) resource records (RRs) for
network adapter with settings:

Adapter Name : <censored>
Host Name : <censored>
Primary Domain Suffix : sub.example.com
DNS server list :
<censored> (These are the domain controllers for ad.example.com)
Sent update to server : <?>
IP Address(es) :
<censored> (This is the IP address of the host in question)

The reason the system could not register these RRs was because of a security related
problem. The cause of this could be (a) your computer does not have permissions
to register and update the specific DNS domain name set for this adapter, or 
(b) there might have been a problem negotiating valid credentials with the DNS
server during the processing of the update request.

You can manually retry DNS registration of the network adapter and its settings
by typing 'ipconfig /registerdns' at the command prompt. If problems still persist,
contact your DNS server or network systems administrator. See event details for
specific error code information.

The error appears in the System log, source "DNS Client Events", level Warning, event ID 8015.

Packet sniffing does indeed show that the Windows machines appear to be attempting dynamic DNS updates against the authoritative DNS server for sub.example.com, which does not support dynamic updates (and we don't want to enable them either).

So we set ourselves the task of disabling dynamic DNS updates via Group Policy.

On Friday I created a Group Policy and linked it at the top of the domain, as shown in the screenshot below:

[Screenshot: Group Policy Management Editor showing the policy]

The policy Computer Configuration/Policies/Administrative Templates/Network/DNS Client/Dynamic update is set to Disabled.

However, even after several days (ample time for the Group Policy to replicate and be applied to the servers), these events keep appearing in the log.

I have verified with GPRESULT that the policy has indeed been applied to the servers in question.

The output of gpresult /scope Computer /v is as follows (some irrelevant data removed for anonymisation):

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
© 2013 Microsoft Corporation. All rights reserved.

Created on 2015-10-05 at 15:06:54



RSOP data for AD\ad79632 on BESTLA : Logging Mode
--------------------------------------------------

OS Configuration:            Member Server
OS Version:                  6.3.9600
Site Name:                   Example
Roaming Profile:             N/A
Local Profile:               C:\Users\ad79632
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=BESTLA,OU=Servers,OU=Computers,OU=SHEM,DC=ad,DC=example,DC=com
    Last time Group Policy was applied: 2015-10-05 at 14:09:58
    Group Policy was applied from:      dc02.example.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        AD
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
<some GPOs omitted for security reasons>
        Disable Dynamic DNS Updates

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        RDS Endpoint Servers
        RDS Management Servers
        RDS Remote Access Servers
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        BESTLA$
        Day-active Computers
        Domain Computers
        Authentication authority asserted identity
        System Mandatory Level

    Resultant Set Of Policies for Computer
    ---------------------------------------

        Software Installations
        ----------------------
            N/A

        Startup Scripts
        ---------------
            N/A

        Shutdown Scripts
        ----------------
            N/A

        Account Policies
        ----------------
<some GPOs omitted for security reasons>

        Audit Policy
        ------------
            N/A

        User Rights
        -----------
            N/A

        Security Options
        ----------------
<some GPOs omitted for security reasons>

        Event Log Settings
        ------------------
            N/A

        Restricted Groups
        -----------------
            N/A

        System Services
        ---------------
            N/A

        Registry Settings
        -----------------
            N/A

        File System Settings
        --------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
<some GPOs omitted for security reasons>
            GPO: Disable Dynamic DNS Updates
                Folder Id: SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegistrationEnabled
                Value:       0, 0, 0, 0
                State:       Enabled
<some GPOs omitted for security reasons>

The registry value in question has indeed been updated, as the following screenshot shows:

[Screenshot: regedit showing the registry value]

So, what am I missing?

Answer 1

It seems I did everything right, except that a restart was required for these messages to stop appearing, as @Brian suggested in the comments.

I'll wait until the next patch window, which means the servers will be rebooted anyway, since this is not a critical issue. Then I hope the message will disappear on all servers.
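As an added example (not part of the original question or answer), the following PowerShell snippet checks, on an affected member server, the three things this thread relies on: whether the GPO has written the policy value RegistrationEnabled = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient (the same value shown in the gpresult output above), what the DNS Client currently reports per adapter, and how many event 8015 warnings have been logged since the last boot. It assumes Windows Server 2012 R2 or later (the DnsClient module and Get-CimInstance), an elevated session, and that the event provider behind "DNS Client Events" is Microsoft-Windows-DNS-Client.

```powershell
# Added verification script; not from the original post.
# Assumes Windows Server 2012 R2+ (DnsClient module), run elevated on the server that logs event 8015.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

# 1. Has the GPO landed? "Dynamic update = Disabled" writes RegistrationEnabled = 0 (REG_DWORD)
#    under the policy key, which overrides the per-connection registration settings.
$policy = Get-ItemProperty -Path $policyKey -Name RegistrationEnabled -ErrorAction SilentlyContinue
if ($null -eq $policy) {
    Write-Warning "Policy value not present: GPO not applied yet (gpupdate /force, then gpresult /scope Computer /v)"
} elseif ($policy.RegistrationEnabled -eq 0) {
    Write-Host "Policy key: dynamic DNS registration disabled (RegistrationEnabled = 0)"
} else {
    Write-Warning "Policy key present but RegistrationEnabled = $($policy.RegistrationEnabled); registration still enabled"
}

# 2. Per-adapter view from the DNS Client. These are the connection-level settings the policy overrides;
#    useful to see which adapter carries the sub.example.com suffix that appears in the 8015 event.
Get-DnsClient |
    Select-Object InterfaceAlias, ConnectionSpecificSuffix, RegisterThisConnectionsAddress, UseSuffixWhenRegistering |
    Format-Table -AutoSize

# 3. Count 8015 warnings since the last boot. The answer above needed a reboot before the
#    warnings stopped, so "zero since last boot, with the policy value present" is the success condition.
$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DNS-Client'   # shown as "DNS Client Events" in Event Viewer (assumed provider name)
    Id           = 8015
    StartTime    = $lastBoot
} -ErrorAction SilentlyContinue                      # Get-WinEvent errors when nothing matches; treat that as zero

"{0} DNS Client event 8015 entries since last boot ({1})" -f @($events).Count, $lastBoot
$events | Select-Object -First 5 TimeCreated, Message | Format-List
```

To provoke a registration attempt on demand rather than waiting for the periodic retry, run `ipconfig /registerdns`, wait a minute and re-run the script: a new 8015 entry means the DNS Client is still registering despite the policy value, which on this page was resolved by the reboot described in the answer.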
