Domain-Name-System

Disabling dynamic DNS updates using Group Policy

  • October 21, 2015

I am managing a system which, for reasons beyond my control, has a disjoint DNS namespace. I don't like it, but that's how it is and I have no way to change it. The reason is that the servers need to coexist with pre-existing DNS infrastructure.

The Windows domain is named something like ad.example.com, with the NetBIOS name AD. However, all servers have their primary DNS suffix set to "example.com" or "sub.example.com", depending on where they sit in the network. Following the Create a Disjoint Namespace article on TechNet, I have already configured the msDS-AllowedDNSSuffixes attribute in the domain.

DNS for the ad.example.com domain runs on the two domain controllers in the environment; DNS for example.com and sub.example.com runs on other, non-Microsoft DNS servers.

In this environment DNS is managed manually rather than relying on dynamic DNS registration and updates.


The environment works fine, except for some annoying warning events that show up in the event log and look like this:

The system failed to register host (A or AAAA) resource records (RRs) for
network adapter with settings:

Adapter Name : <censored>
Host Name : <censored>
Primary Domain Suffix : sub.example.com
DNS server list :
<censored> (These are the domain controllers for ad.example.com)
Sent update to server : <?>
IP Address(es) :
<censored> (This is the IP address of the host in question)

The reason the system could not register these RRs was because of a security related
problem. The cause of this could be (a) your computer does not have permissions
to register and update the specific DNS domain name set for this adapter, or 
(b) there might have been a problem negotiating valid credentials with the DNS
server during the processing of the update request.

You can manually retry DNS registration of the network adapter and its settings
by typing 'ipconfig /registerdns' at the command prompt. If problems still persist,
contact your DNS server or network systems administrator. See event details for
specific error code information.

The error appears in the System log with source "DNS Client Events", at Warning level, with event ID 8015.

When sniffing packets, the Windows box does indeed appear to be attempting dynamic DNS updates against the authoritative DNS server for sub.example.com, which does not support dynamic updates (and we don't want to enable them either).


So we set ourselves the task of disabling dynamic DNS updates using Group Policy.

On Friday I created a Group Policy and linked it at the top of the domain, as shown in the screenshot below:

(Screenshot: Group Policy Management Editor showing the policy)

The policy Computer Configuration/Policies/Administrative Templates/Network/DNS Client/Dynamic update is set to Disabled.

However, even after several days (ample time for Group Policy to replicate and apply to the servers), these events keep appearing in the log.

I have verified with GPRESULT that the policy has indeed been applied to the server in question.

The output of gpresult /scope Computer /v is as follows (some irrelevant data removed for anonymity):

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
© 2013 Microsoft Corporation. All rights reserved.

Created on 2015-10-05 at 15:06:54



RSOP data for AD\ad79632 on BESTLA : Logging Mode
--------------------------------------------------

OS Configuration:            Member Server
OS Version:                  6.3.9600
Site Name:                   Example
Roaming Profile:             N/A
Local Profile:               C:\Users\ad79632
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
   CN=BESTLA,OU=Servers,OU=Computers,OU=SHEM,DC=ad,DC=example,DC=com
   Last time Group Policy was applied: 2015-10-05 at 14:09:58
   Group Policy was applied from:      dc02.example.com
   Group Policy slow link threshold:   500 kbps
   Domain Name:                        AD
   Domain Type:                        Windows 2008 or later

   Applied Group Policy Objects
   -----------------------------
<some GPOs omitted for security reasons>
       Disable Dynamic DNS Updates

   The following GPOs were not applied because they were filtered out
   -------------------------------------------------------------------
       Local Group Policy
           Filtering:  Not Applied (Empty)

   The computer is a part of the following security groups
   -------------------------------------------------------
       BUILTIN\Administrators
       Everyone
       BUILTIN\Users
       RDS Endpoint Servers
       RDS Management Servers
       RDS Remote Access Servers
       NT AUTHORITY\NETWORK
       NT AUTHORITY\Authenticated Users
       This Organization
       BESTLA$
       Day-active Computers
       Domain Computers
       Authentication authority asserted identity
       System Mandatory Level

   Resultant Set Of Policies for Computer
   ---------------------------------------

       Software Installations
       ----------------------
           N/A

       Startup Scripts
       ---------------
           N/A

       Shutdown Scripts
       ----------------
           N/A

       Account Policies
       ----------------
<some GPOs omitted for security reasons>

       Audit Policy
       ------------
           N/A

       User Rights
       -----------
           N/A

       Security Options
       ----------------
<some GPOs omitted for security reasons>

       Event Log Settings
       ------------------
           N/A

       Restricted Groups
       -----------------
           N/A

       System Services
       ---------------
           N/A

       Registry Settings
       -----------------
           N/A

       File System Settings
       --------------------
           N/A

       Public Key Policies
       -------------------
           N/A

       Administrative Templates
       ------------------------
<some GPOs omitted for security reasons>
           GPO: Disable Dynamic DNS Updates
               Folder Id: SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegistrationEnabled
               Value:       0, 0, 0, 0
               State:       Enabled
<some GPOs omitted for security reasons>

The registry entry in question has actually been updated, as shown in this screenshot:

(Screenshot: regedit showing the registry entry)

So, what am I missing?

As @Brian suggested in the comments, it seems I did everything right, except that a reboot is required to stop these messages from occurring.

I'll wait until our next patch window, which means the servers will be rebooted anyway, since this isn't a critical issue. Then I hope this message will disappear on all servers.
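The checks the post walks through by hand (policy registry value, per-adapter registration settings, whether event 8015 is still being logged) can be collected in one place. The script below is an added example, not code from the original post or its comments; it assumes Windows 8 / Server 2012 or later (the DnsClient module and Get-CimInstance) and an elevated PowerShell session, and the function name Test-DynamicDnsRegistration is the example's own.

```powershell
# Added example (not from the original post). Reports whether the
# "Dynamic update = Disabled" policy is actually in effect on this host
# and whether the DNS Client has still tried (and failed) to register
# since the last reboot. Assumes Windows 8 / Server 2012+ and an
# elevated session.
function Test-DynamicDnsRegistration {
    [CmdletBinding()]
    param(
        # Registry path the policy writes, as seen in the gpresult output
        # (Folder Id: SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegistrationEnabled).
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient',
        # Event logged by source "DNS Client Events" when registration fails.
        [int]$EventId = 8015
    )

    # 1. Policy value: 0 = Dynamic update Disabled, 1 = Enabled,
    #    $null = policy not configured (key or value absent).
    $item = Get-ItemProperty -Path $PolicyKey -Name RegistrationEnabled -ErrorAction SilentlyContinue
    $policyValue = if ($item) { [int]$item.RegistrationEnabled } else { $null }

    # 2. Per-adapter view held by the DNS Client service.
    #    RegisterThisConnectionsAddress is the "Register this connection's
    #    addresses in DNS" checkbox; UseSuffixWhenRegistering controls whether
    #    the connection-specific suffix is used for the registration.
    $adapters = Get-DnsClient |
        Select-Object InterfaceAlias, ConnectionSpecificSuffix,
                      RegisterThisConnectionsAddress, UseSuffixWhenRegistering

    # 3. Registration failures since the last boot. Get-WinEvent returns the
    #    newest event first; it raises a non-terminating error when nothing
    #    matches, which -ErrorAction SilentlyContinue turns into an empty list.
    $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    $filter   = @{ LogName = 'System'; Id = $EventId; StartTime = $lastBoot }
    $events   = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
                  Where-Object { $_.ProviderName -like '*DNS*Client*' })

    # 4. Verdict, following the post's own finding that the policy is written
    #    to the registry before the running DNS Client honours it.
    $verdict = if ($null -eq $policyValue -or $policyValue -ne 0) {
        'Policy not present in the registry: check gpresult /scope Computer /v and run gpupdate /force.'
    } elseif ($events.Count -gt 0) {
        'Policy present in the registry, but the DNS Client is still attempting registration ' +
        'since the last boot: a reboot (as the post found) is still pending.'
    } else {
        'Policy present and no registration failures logged since the last boot.'
    }

    [PSCustomObject]@{
        ComputerName              = $env:COMPUTERNAME
        PolicyRegistrationEnabled = $policyValue
        LastBoot                  = $lastBoot
        FailuresSinceBoot         = $events.Count
        LastFailure               = if ($events.Count -gt 0) { $events[0].TimeCreated } else { $null }
        Adapters                  = $adapters
        Verdict                   = $verdict
    }
}

# Usage: run on the member server (BESTLA in the post) and read the verdict.
Test-DynamicDnsRegistration | Format-List
```

Two caveats worth keeping in mind when reading the output. The "security related problem" wording in event 8015 is what the client reports when its update attempt against a server that refuses dynamic updates falls through to the secure (GSS-TSIG) update path, which a non-Microsoft server will not negotiate; it does not by itself indicate a permissions problem on the Windows side. And if waiting for a patch window is not acceptable on a given adapter, the per-adapter equivalent of the policy is the documented cmdlet Set-DnsClient -InterfaceIndex <n> -RegisterThisConnectionsAddress $false (the same checkbox the script reports); whether that stops the events without a reboot is not something the post establishes, so verify it with the script or a packet capture on port 53 rather than assuming it.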

Source: https://serverfault.com/questions/726781