What to remove in DNS to stop Client Access to Domain Controllers

So you want to get rid of a domain controller, but don't want incidents with systems configured directly to that controller?

First of all, start by disabling the dynamic registration of the Domain Controller in DNS. The easy way of doing that is by setting the registry value UseDynamicDns to 0.

Now the Domain Controller won't register itself in DNS again, so let's start removing entries from DNS. There is a list of everything it registers in %WINDIR%\System32\config\netlogon.dns; below is an example of that list.
As you can see, there are plenty of DNS names that the domain controller registers in order to function. Just carefully remove all references to the Domain Controller that you are trying to remove.

Now just wait a couple of days and then use Network Monitor to listen for LDAP traffic still arriving at that Domain Controller; anything that still talks to it is a client that is hardcoded to it rather than finding it through DNS.
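The steps above as a PowerShell script, an added example that is not the post's own code. The DC name, its address, the zone and the remaining DNS server are hypothetical placeholders, the netlogon.dns lines are a constructed sample in the file's format, and the DnsServer module (RSAT) is assumed to be available.

```powershell
# Added example, not code from the original post. Assumes the DnsServer module
# (RSAT) on a remaining DNS server and that the names below are replaced with
# the ones for your environment. -WhatIf previews; drop it to actually delete.
$OldDc     = 'dc1.corp.example.'   # hypothetical DC being retired, trailing dot as in netlogon.dns
$OldDcIp   = '10.0.0.1'            # hypothetical address of that DC
$Zone      = 'corp.example'        # AD-integrated forest zone
$DnsServer = 'dc2.corp.example'    # a DNS server that stays

# Step 1 (run on the DC being retired): stop Netlogon re-registering its records.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
    -Name UseDynamicDns -Type DWord -Value 0

# Step 2: use netlogon.dns as the list of what to delete. Constructed sample lines
# in the file's format; on the real DC use Get-Content "$env:WINDIR\System32\config\netlogon.dns".
$NetlogonDns = @'
corp.example. 600 IN A 10.0.0.1
_ldap._tcp.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
_kerberos._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 88 dc1.corp.example.
gc._msdcs.corp.example. 600 IN A 10.0.0.1
e1f2a3b4-0000-0000-0000-000000000001._msdcs.corp.example. 600 IN CNAME dc1.corp.example.
'@ -split "`r?`n" | Where-Object { $_ -match '\S' }

foreach ($line in $NetlogonDns) {
    $f = $line -split '\s+'
    $fqdn = $f[0].TrimEnd('.'); $type = $f[3]; $target = $f[-1]
    # Only touch records that point at the retiring DC, by host name or by its address.
    $filter = switch ($type) {
        'SRV'   { if ($target -eq $OldDc)   { { $_.RecordData.DomainName    -eq $OldDc } } }
        'CNAME' { if ($target -eq $OldDc)   { { $_.RecordData.HostNameAlias -eq $OldDc } } }
        'A'     { if ($target -eq $OldDcIp) { { $_.RecordData.IPv4Address.IPAddressToString -eq $OldDcIp } } }
    }
    if (-not $filter) { continue }
    # _msdcs.<forest> is usually its own zone; otherwise the record lives in the forest zone.
    $recZone = if ($fqdn -match "(^|\.)_msdcs\.$([regex]::Escape($Zone))$") { "_msdcs.$Zone" } else { $Zone }
    # Record name relative to its zone ('@' for the zone apex).
    $name = if ($fqdn -eq $recZone) { '@' } else { $fqdn.Substring(0, $fqdn.Length - $recZone.Length - 1) }
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $recZone -Name $name -RRType $type |
        Where-Object $filter |
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $recZone -Force -WhatIf
}
```

Because the zones are AD-integrated, a deletion made on one DNS server replicates to the others, so run it once against a server that is staying.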

Comments

  1. D-Rock says:

    Hi Virot, in regards to removing the domain controller entries referenced in netlogon.dns. If I look at the netlogon.dns file located on the domain controller I am attempting to remove, every line contains a reference to this domain controller. This is similar to your example so I don’t understand the step.

    Thanks!

    • virot says:

      Hi Darren.
      Well, this step is about removing the domain controller from the DNS so no clients are using it. If the domain controller is referenced by DNS we can't find hardcoded clients. In the AD integrated DNS domain remove all information about this DC. You can use the netlogon.dns file for guidance on where to delete in the domain.

      -virot
