
I am managing a system that, for reasons beyond my control, has a disjoint DNS namespace. I don't like it, but that is how it is and I have no way to change it. The reason is that the servers need to coexist with a pre-existing DNS infrastructure.
The Windows domain is named something like ad.example.com, and the NetBIOS name is AD. However, all servers have their primary DNS suffix set to "example.com" or "sub.example.com", depending on where they sit in the network. I have already configured the msDS-AllowedDNSSuffixes attribute on the domain, following the TechNet article on creating a disjoint namespace.
DNS for the ad.example.com domain runs on the two domain controllers in the environment; DNS for example.com and sub.example.com runs on other, non-Microsoft DNS servers.
In this environment DNS is managed manually rather than relying on dynamic DNS registration and updates.
The environment works fine, except for some annoying warning errors in the event log, like the following:
The system failed to register host (A or AAAA) resource records (RRs) for
network adapter with settings:
Adapter Name : <censored>
Host Name : <censored>
Primary Domain Suffix : sub.example.com
DNS server list :
<censored> (These are the domain controllers for ad.example.com)
Sent update to server : <?>
IP Address(es) :
<censored> (This is the IP address of the host in question)
The reason the system could not register these RRs was because of a security related
problem. The cause of this could be (a) your computer does not have permissions
to register and update the specific DNS domain name set for this adapter, or
(b) there might have been a problem negotiating valid credentials with the DNS
server during the processing of the update request.
You can manually retry DNS registration of the network adapter and its settings
by typing 'ipconfig /registerdns' at the command prompt. If problems still persist,
contact your DNS server or network systems administrator. See event details for
specific error code information.
These errors appear in the System log with source "DNS Client Events", at Warning level, Event ID 8015.
From packet sniffing, it appears that the Windows boxes are attempting dynamic DNS updates against the authoritative DNS server for sub.example.com, which does not support dynamic updates (and we do not want to enable them either).
So we set ourselves the task of disabling dynamic DNS updates using Group Policy.
On Friday I created a Group Policy and linked it at the top of the domain, as shown in the picture below:
The policy Computer Configuration / Policies / Administrative Templates / Network / DNS Client / Dynamic update is set to "Disabled".
However, even after several days (plenty of time for the Group Policy to replicate and apply to the servers), these events keep appearing in the log.
I have verified with GPRESULT that the policy has indeed been applied to the servers in question.
The output of gpresult /scope Computer /v is as follows (some irrelevant data removed for anonymity):
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
© 2013 Microsoft Corporation. All rights reserved.
Created on 2015-10-05 at 15:06:54
RSOP data for AD\ad79632 on BESTLA : Logging Mode
--------------------------------------------------
OS Configuration: Member Server
OS Version: 6.3.9600
Site Name: Example
Roaming Profile: N/A
Local Profile: C:\Users\ad79632
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=BESTLA,OU=Servers,OU=Computers,OU=SHEM,DC=ad,DC=example,DC=com
Last time Group Policy was applied: 2015-10-05 at 14:09:58
Group Policy was applied from: dc02.example.com
Group Policy slow link threshold: 500 kbps
Domain Name: AD
Domain Type: Windows 2008 or later
Applied Group Policy Objects
-----------------------------
<some GPOs omitted for security reasons>
Disable Dynamic DNS Updates
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
RDS Endpoint Servers
RDS Management Servers
RDS Remote Access Servers
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
BESTLA$
Day-active Computers
Domain Computers
Authentication authority asserted identity
System Mandatory Level
Resultant Set Of Policies for Computer
---------------------------------------
Software Installations
----------------------
N/A
Startup Scripts
---------------
N/A
Shutdown Scripts
----------------
N/A
Account Policies
----------------
<some GPOs omitted for security reasons>
Audit Policy
------------
N/A
User Rights
-----------
N/A
Security Options
----------------
<some GPOs omitted for security reasons>
Event Log Settings
------------------
N/A
Restricted Groups
-----------------
N/A
System Services
---------------
N/A
Registry Settings
-----------------
N/A
File System Settings
--------------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
<some GPOs omitted for security reasons>
GPO: Disable Dynamic DNS Updates
Folder Id: SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegistrationEnabled
Value: 0, 0, 0, 0
State: Enabled
<some GPOs omitted for security reasons>
The registry entry in question has actually been updated, as shown in the screenshot below:
So, what am I missing?
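The following PowerShell script is an added example and is not part of the original question or answer. Run on a member server such as the one in the gpresult output above, it checks whether the Dynamic update policy has landed in the registry (the RegistrationEnabled value the gpresult output lists), what registration state each adapter currently reports to the DNS Client service, which primary DNS suffix the machine would try to register under, and whether any Event ID 8015 warnings are newer than the last boot. The $ExpectedSuffix value and the 7-day search window are assumptions for illustration.

```powershell
# Added example (not from the original post). Verifies the state of dynamic DNS
# registration on a member server. $ExpectedSuffix and the 7-day window are
# illustrative assumptions; adjust them for your environment.
$ExpectedSuffix = 'sub.example.com'

# 1. Policy registry value written by the "Dynamic update" GPO setting.
#    The gpresult output shows it under
#    SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\RegistrationEnabled = 0.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$policy = Get-ItemProperty -Path $policyKey -Name RegistrationEnabled -ErrorAction SilentlyContinue
if ($null -eq $policy) {
    Write-Warning "RegistrationEnabled is not present under $policyKey (GPO not applied yet?)"
} elseif ($policy.RegistrationEnabled -ne 0) {
    Write-Warning "RegistrationEnabled is $($policy.RegistrationEnabled); expected 0 (Disabled)"
} else {
    Write-Output 'Policy OK: RegistrationEnabled = 0'
}

# 2. Effective per-adapter state as reported by the DNS Client service.
#    If the service has not re-read the policy since it was applied,
#    RegisterThisConnectionsAddress can still show True for the physical adapters.
Get-DnsClient |
    Where-Object { $_.InterfaceAlias -notmatch 'Loopback|isatap|Teredo' } |
    Select-Object InterfaceAlias, RegisterThisConnectionsAddress,
                  UseSuffixWhenRegistering, ConnectionSpecificSuffix |
    Format-Table -AutoSize

# 3. Primary DNS suffix the host would register under (the value the 8015 event
#    prints as "Primary Domain Suffix"). In a disjoint namespace this is not the
#    AD domain name, so compare it with what you expect.
$primarySuffix = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName
if ($primarySuffix -ne $ExpectedSuffix) {
    Write-Warning "Primary DNS suffix is '$primarySuffix', expected '$ExpectedSuffix'"
} else {
    Write-Output "Primary DNS suffix: $primarySuffix"
}

# 4. Event ID 8015 warnings in the System log over the last 7 days, compared with
#    the last boot time. A warning newer than the boot means registration attempts
#    continued after the reboot and the policy is not taking effect.
$since    = (Get-Date).AddDays(-7)
$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$events   = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 8015; StartTime = $since } `
                         -ErrorAction SilentlyContinue
if ($events) {
    $latest = $events | Sort-Object TimeCreated -Descending | Select-Object -First 1
    Write-Output ("Last 8015 warning: {0} (provider {1}); last boot: {2}" -f
                  $latest.TimeCreated, $latest.ProviderName, $lastBoot)
    if ($latest.TimeCreated -gt $lastBoot) {
        Write-Warning 'Event 8015 was logged after the last boot: registration attempts are still happening'
    } else {
        Write-Output 'No Event 8015 since the last boot'
    }
} else {
    Write-Output "No Event ID 8015 in the System log since $since"
}
```

Run it in an elevated PowerShell session before and after the reboot that Answer 1 mentions; step 1 passing while step 2 still shows True for the physical adapters is the situation the question describes, and step 4 tells you whether the warnings have actually stopped rather than relying on a visual scan of the System log.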
Answer 1
It seems that everything I did was correct, except that a reboot is needed to stop these messages from occurring, as @Brian suggested in the comments.
I'll wait until the next patch window, which means the servers will be rebooted anyway, since this isn't a critical issue. Then I hope the message will disappear on all servers.