Preventing Win2K from hijacking our whole DNS domain?


Joe Emenaker

First off, keep in mind that, on our campus, we have central DNS
servers that handle all of the subdomains on the campus. In other
words, our Win2K servers CANNOT be the DNS servers for the domain which
they are AD DCs for.

Anyway... some time ago, our campus network admins turned on the
ability for us to make dynamic updates to the campus DNS servers. This
allowed our Win2K AD servers to update the DNS tables and, presto,
domain users from off-campus could log in and use our resources. Just
as advertised... wow!

Problem was, the Win2k servers, in *addition* to setting up all of the
various SRV records, also changed the "normal" domain addresses to
point to them as well.

For example, suppose that our domain is "dept.college.edu". We have a
web and mail server on a Linux box here, so the DNS records are set up
to point to them. However, when we started updating the DNS servers,
in addition to creating all of the "_msdcs.dept.college.edu",
"_sites.dept.college.edu", "_tcp.dept.college.edu", and
"_udp.dept.college.edu" entries, the Win2K servers also decided to
make "dept.college.edu" point directly to them.

I've heard that there are some registry entries that I can change
which will prevent this.

Any suggestions?

- Joe
 

Adam Wood

Joe said:
> I've heard that there are some registry entries that I can change
> which will prevent this.
>
> Any suggestions?

You could just create zones for the underscores (_msdcs et al) and give
these over to Windows to have its evil way with.

You could try living without dynamic updates from domain controllers --
if you expect good uptime from the DCs then you could leave the records
as static.
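
The first suggestion above, sketched as a server configuration. This is an added example, not part of either post: it assumes the campus servers run BIND, and the ACL name, DC addresses (documentation range) and zone file names are placeholders.

```conf
// named.conf fragment (assumes BIND; not stated in the thread)

// Placeholder addresses for the department's Win2K domain controllers.
acl "dept-dcs" { 192.0.2.10; 192.0.2.11; };

// Parent zone: holds the apex, www and mail records for the Linux box.
// No dynamic updates, so a DC cannot repoint "dept.college.edu" itself.
zone "dept.college.edu" {
    type master;
    file "db.dept.college.edu";
    allow-update { none; };
};

// One child zone per underscore subdomain named in the question.
// Only the DCs may update them. check-names is relaxed because the
// owner names of address records in these zones contain underscores.
zone "_msdcs.dept.college.edu" {
    type master;
    file "db._msdcs.dept.college.edu";
    allow-update { dept-dcs; };
    check-names ignore;
};

zone "_sites.dept.college.edu" {
    type master;
    file "db._sites.dept.college.edu";
    allow-update { dept-dcs; };
    check-names ignore;
};

zone "_tcp.dept.college.edu" {
    type master;
    file "db._tcp.dept.college.edu";
    allow-update { dept-dcs; };
    check-names ignore;
};

zone "_udp.dept.college.edu" {
    type master;
    file "db._udp.dept.college.edu";
    allow-update { dept-dcs; };
    check-names ignore;
};
```

With this split the DCs' SRV registrations land in the four child zones, while their attempts to register records in the parent zone are refused, so any DC host records needed there have to be entered statically.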
 
