Commit 3c8688a

Merge pull request #8694 from MicrosoftDocs/v-lianna-patch-4
AB#5008 Update problems-with-dc-ad-integrated-dns-zones.md
2 parents 8923911 + c35a336 commit 3c8688a

File tree

1 file changed

+56
-34
lines changed


support/windows-server/active-directory/problems-with-dc-ad-integrated-dns-zones.md

Lines changed: 56 additions & 34 deletions
Original file line number | Diff line number | Diff line change
@@ -1,7 +1,7 @@
11
---
22
title: Problems occur with DCs in AD integrated DNS zones
33
description: Describes problems that can occur with many Domain Controllers in Active Directory integrated DNS zones.
4-
ms.date: 01/15/2025
4+
ms.date: 04/14/2025
55
manager: dcscontentpm
66
audience: itpro
77
ms.topic: troubleshooting
@@ -17,7 +17,11 @@ _Applies to:_   Supported versions of Windows Server
1717

1818
## Symptoms
1919

20-
Domain Name System (DNS) registrations of SRV and domain controller (DC) locator A records (registered by Netlogon) and NS records (added by the authoritative DNS servers) in an Active Directory-integrated DNS zone for some DCs may not work in a domain that contains a large number of DCs (usually over 1200). If the Active Directory-integrated DNS zone has the same name as the Active Directory domain name, problems with the registration of A records and NS records at the zone root seem to occur in a domain with more than 400 DCs. Also, one or more of the following error messages may be logged in the Event log:
20+
Domain Name System (DNS) registrations of SRV and domain controller (DC) locator A records (registered by Netlogon) and NS records (added by the authoritative DNS servers) in an Active Directory-integrated DNS zone for some DCs might not work in a domain that contains a large number of DCs.
21+
22+
For Windows Server 2022 and earlier versions, you can have about 1,200 DCs and DNS servers register all DNS records relevant to operating the DNS zones and domains. For Windows Server 2025, you can enable an optional feature that allows about 3,200 DCs to register their DNS records. See the [References](#references) section for details.
23+
24+
One or more of the following error messages might be logged in the Event log:
2125

2226
```output
2327
Event Type: Error
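Review bot: The rewritten Symptoms paragraph silently drops the earlier statement that, when the AD-integrated zone has the same name as the AD domain, A and NS registration at the zone root already fails at around 400 DCs. That lower threshold follows from the zone-root dnsNode collecting both the A records of every DC and the NS records of every DNS server in a single dnsRecord attribute, so if it is still accurate it should stay (adjusted for the 3,200-value case on Windows Server 2025), and if it has been withdrawn the paragraph should say so rather than leave readers of the old article wondering. The new sentence "you can have about 1,200 DCs and DNS servers register all DNS records relevant to operating the DNS zones and domains" also reads awkwardly; "about 1,200 DCs and DNS servers can register all the DNS records needed to operate the zones and the domain" is clearer.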
@@ -35,8 +39,6 @@ Event Category: None
3539
Event ID: 4015
3640
Description: The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The event data contains the error.
3741
Data: 0000: 0b 00 00 00 ....
38-
39-
The final status code from event 4015, 0x00000b, maps to error "LDAP_ADMIN_LIMIT_EXCEEDED Administration limit on the server has exceeded."
4042
```
4143

4244
```output
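Review bot: Removing the two lines after `Data: 0000: 0b 00 00 00 ....` loses the only explanation of what the event 4015 data means. Those lines did not belong inside the ```output fence, but the fix is to move them out, not delete them: keep a prose sentence after the fence such as "The status code in the event data (0x0000000b, little-endian) maps to LDAP_ADMIN_LIMIT_EXCEEDED, 'Administration limit on the server has exceeded'," since that mapping is what ties a generic "critical error from the Active Directory" event to the attribute-value limit this article is about.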
@@ -45,7 +47,13 @@ Event Source: NTDS Replication
4547
Event Category: Replication
4648
Event ID: 1093
4749
Description: The directory replication agent (DRA) could not apply changes to object DC=@,DC=xyz.example.com,CN=MicrosoftDNS,CN=System,DC=xyz,DC=example, DC=com (GUID <GUID>) because the incoming changes cause the object to exceed the database's record size limit. The incoming change to attribute 9017e (dnsRecord) will be backed out in an attempt to make the update fit. In addition to the change to the attribute not being applied locally, the current value of the attribute on this system will be sent out to all other systems to make that the definitive version. This has the effect of nullifying the change to the rest of the enterprise.
48-
The reversal may be recognized as follows: version 5474, time of change 2000-06-28 19:33.24 and USN of 2873104.
50+
The reversal may be recognized as follows:
51+
Version:
52+
5474
53+
Time of change:
54+
<DateTime>
55+
Update sequence number:
56+
<USN>
4957
```
5058

5159
```output
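Review bot: The placeholder substitution is inconsistent: `<GUID>`, `<DateTime>` and `<USN>` are now placeholders, but `Version:` still carries the sample value `5474` from the original log. Use `<Version>` as well so the block is uniformly a template, or keep realistic sample values for all four fields.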
@@ -58,29 +66,35 @@ Description: The directory replication agent (DRA) was able to successfully appl
5866

5967
## Cause
6068

61-
This problem occurs because Active Directory has a limitation of approximately 1200 values that can be associated with a single object. In an Active Directory-integrated DNS zone, DNS names are represented by dnsNode objects, and DNS records are stored as values in the multi-valued dnsRecord attribute on dnsNode objects, causing the error messages listed earlier in this article to occur.
69+
In an Active Directory (AD)-integrated DNS zone, DNS names are represented by dnsNode objects, and DNS records are stored as values in the multi-valued dnsRecord attribute on dnsNode objects, causing the error messages listed earlier in this article to occur.
70+
71+
This problem occurs because Active Directory has a limitation of approximately 1,200 values that can be associated with a single object in Windows Server 2022 and earlier versions. For Windows Server 2025, this limit can be lifted to about 3,200 values.
6272

6373
## Resolution
6474

65-
You can use one of the following methods to resolve this issue.
75+
You can use the following methods to resolve this issue.
76+
77+
## Experiencing the problem with the NS records of a zone
6678

6779
### Method 1
6880

69-
If you want to specify a list of DNS servers that can add NS records corresponding to themselves to a specified zone, choose one DNS server and then run Dnscmd.exe with the /AllowNSRecordsAutoCreation switch:
81+
If your DCs are also DNS servers, they all host the AD-integrated zones, and all would add themselves to the NS record for the zone by default. If you exceed the limit for non-linked attributes, updates to the DNS record AD object will fail.
82+
83+
If you want to reduce the list of DNS servers that can add NS records corresponding to themselves to a specified zone, choose a subset of DNS servers and then run **Dnscmd.exe** with the `/AllowNSRecordsAutoCreation` switch. Consider having DCs in the list that are well-connected to the network and well-monitored. This can be a set of DCs running in your central datacenters.
7084

71-
- To set a list of TCP/IP addresses of DNS servers that have permission to automatically create NS records for a zone, use the `dnscmd servername /config zonename /AllowNSRecordsAutoCreation IPList` command. For example:
85+
- To set a list of TCP/IP addresses of DNS servers that have permission to automatically create NS records for a zone, use the `/AllowNSRecordsAutoCreation IPList` command. For example:
7286

7387
```console
7488
Dnscmd NS1 /config zonename.com /AllowNSRecordsAutoCreation 10.1.1.1 10.5.4.2
7589
```
7690

77-
- To clear the list of TCP/IP addresses of DNS servers that have permission to automatically create NS records for a zone and return the zone to the default state when every primary DNS server automatically adds to a zone an NS record corresponding to it, use the `dnscmd servername /config zonename /AllowNSRecordsAutoCreation` command. For example:
91+
- To clear the list of TCP/IP addresses of DNS servers that have permission to automatically create NS records for a zone and return the zone to the default state when every primary DNS server automatically adds to a zone an NS record corresponding to it, use the `/AllowNSRecordsAutoCreation` command. For example:
7892

7993
```console
8094
Dnscmd NS1 /config zonename.com /AllowNSRecordsAutoCreation
8195
```
8296

83-
- To query the list of TCP/IP addresses of DNS servers that have permission to automatically create NS records for a zone, use the `dnscmd servername /zoneinfo zonename /AllowNSRecordsAutoCreation` command. For example:
97+
- To query the list of TCP/IP addresses of DNS servers that have permission to automatically create NS records for a zone, use the `/AllowNSRecordsAutoCreation` command. For example:
8498

8599
```console
86100
Dnscmd NS1 /zoneinfo zonename.com /AllowNSRecordsAutoCreation
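Review bot: The new heading `## Experiencing the problem with the NS records of a zone` is H2, the same level as `## Resolution`, so `### Method 1` and `### Method 2` no longer sit under Resolution; make the new heading `###` and demote the methods to `####` (the same applies to the later `## Experiencing the problem with the SRV and A records ...` heading). Two smaller points in the same hunk: the three bullets now say "use the `/AllowNSRecordsAutoCreation IPList` command", but that is a switch, not a command, and for the query bullet the actual verb is `/zoneinfo`, which the text no longer mentions. Restoring the full forms `dnscmd <servername> /config <zonename> /AllowNSRecordsAutoCreation <IPList>` and `dnscmd <servername> /zoneinfo <zonename> /AllowNSRecordsAutoCreation` keeps the prose matched to the examples. Finally, "If you exceed the limit for non-linked attributes" introduces the term non-linked attribute without defining it; Cause only talks about "values that can be associated with a single object", so either define the term there or phrase this sentence in the same words as Cause.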
@@ -89,50 +103,45 @@ If you want to specify a list of DNS servers that can add NS records correspondi
89103
> [!NOTE]
90104
> Run this command on only one DNS server. Active Directory replication propagates the changes to all DNS servers that are running on DCs in the same domain.
91105

92-
In an environment in which the majority of the DNS DCs for a domain are located in branch offices and a few are located in a central location, you may want to use the `Dnscmd` command described earlier in this article to set the IPList to include only the centrally located DNS DCs. By doing so, only the centrally located DNS DCs add their respective NS records to the Active Directory domain zone.
106+
In an environment in which the majority of the DNS DCs for a domain are located in branch offices and a few are located in a central location, you might want to use the `Dnscmd` command described earlier in this article to set the IPList to include only the centrally located DNS DCs. By doing so, only the centrally located DNS DCs add their respective NS records to the Active Directory domain zone.
93107

94108
### Method 2
95109

96110
> [!IMPORTANT]
97111
> This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information, see [How to back up and restore the registry in Windows](https://support.microsoft.com/topic/how-to-back-up-and-restore-the-registry-in-windows-855140ad-e318-2a13-2829-d428a2ab0692).
98112

99-
If you want to choose which DNS server does not add NS records corresponding to themselves to any Active Directory-integrated DNS zone, use Registry Editor (Regedt32.exe) to configure the following registry value on each affected DNS server:
113+
Similar to method 1, pick a number of DCs you want to have present with an NS record for the zones they host. For the DNS servers you don't want to add NS records corresponding to themselves to any AD-integrated DNS zone, use Registry Editor (Regedt32.exe) to configure the following registry value on each affected DNS server:
100114

101115
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters`
102116

103-
Registry value: DisableNSRecordsAutoCreation
117+
Registry value: `DisableNSRecordsAutoCreation`
104118
Data type: REG_DWORD
105119
Data range: 0x0 | 0x1
106120
Default value: 0x0
107121

108-
This value affects all Active Directory-integrated DNS zones. The values have the following meanings:
122+
This value affects all AD-integrated DNS zones. The values have the following meanings:
109123

110124
|Value |Meaning |
111125
|---------|---------|
112-
|0 | DNS server automatically creates NS records for all Active Directory-integrated DNS zones unless any zone, that is hosted by the server, contains the AllowNSRecordsAutoCreation attribute (described earlier in this article) that does not include the server. In this situation, the server uses the AllowNSRecordsAutoCreation configuration. |
113-
|1 | DNS server does not automatically create NS records for all Active Directory-integrated DNS zones, regardless of the AllowNSRecordsAutoCreation configuration in the Active Directory-integrated DNS zones. |
126+
|0 | DNS server automatically creates NS records for all Active Directory-integrated DNS zones unless any zone, that is hosted by the server, contains the AllowNSRecordsAutoCreation attribute (described earlier in this article) that doesn't include the server. In this situation, the server uses the AllowNSRecordsAutoCreation configuration. |
127+
|1 | DNS server doesn't automatically create NS records for all Active Directory-integrated DNS zones, regardless of the AllowNSRecordsAutoCreation configuration in the Active Directory-integrated DNS zones. |
114128

115129
> [!NOTE]
116130
> To apply the changes to this value, you must restart the DNS Server service.
117131

118-
If you want to prevent certain DNS servers from adding their corresponding NS records to Active Directory-integrated DNS zones that they host, you can use the DisableNSRecordsAutoCreation registry value described earlier in this article.
119-
120-
> [!NOTE]
121-
> If the DisableNSRecordsAutoCreation registry value is set to 0x1, none of the Active Directory-integrated DNS zones hosted by that DNS server will contain its NS records. Therefore, if this server must add its own NS record to at least one Active Directory-integrated DNS zone that it hosts, do not set the registry value to 0x1.
122-
123-
### Netlogon Fix
132+
## Experiencing the problem with the SRV and A records of a zone owned by DCs
124133

125134
> [!IMPORTANT]
126135
> This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information, see [How to back up and restore the registry in Windows](https://support.microsoft.com/topic/how-to-back-up-and-restore-the-registry-in-windows-855140ad-e318-2a13-2829-d428a2ab0692).
127136

128-
The Netlogon portion of this hotfix gives administrators greater control as described earlier in this article. You should apply the fix to every DC. Also, to prevent a DC from attempting dynamic updates of certain DNS records that by default are dynamically updated by Netlogon, use Regedt32.exe to configure the following registry value:
137+
Netlogon manages the registration of a DC's DNS record. To prevent a DC from attempting dynamic updates of certain DNS records that by default are dynamically updated by Netlogon, use Regedt32.exe to configure the following registry value:
129138

130139
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters`
131140

132-
Registry value: DnsAvoidRegisterRecords
141+
Registry value: `DnsAvoidRegisterRecords`
133142
Data type: REG_MULTI_SZ
134143

135-
In this value, specify the list of mnemonics corresponding to the DNS records that should not be registered by this DC.
144+
In this value, specify the list of mnemonics corresponding to the DNS records that shouldn't be registered by this DC.
136145

137146
> [!NOTE]
138147
> Set the value to the list of the enter-delimited mnemonics that are specified in the following table.
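Review bot: Deleting the NOTE that a server with `DisableNSRecordsAutoCreation` = 0x1 adds its NS record to none of the AD-integrated zones it hosts removes a caveat that a reader skimming Method 2 will otherwise miss; the table's row for 1 states the behaviour but not the consequence ("do not set 0x1 if this server must add its own NS record to at least one zone it hosts"). Keep the note or fold that sentence into the table row. Also, "Netlogon manages the registration of a DC's DNS record" should be plural ("DNS records"), and "Registry Editor (Regedt32.exe)" is a legacy name: on supported Windows Server versions the editor is Regedit.exe (Regedt32.exe is only a stub that launches it).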
@@ -163,16 +172,20 @@ The list of mnemonics includes:
163172
|Rfc1510UdpKpwd |SRV |_kpasswd._udp.\<DnsDomainName> |
164173

165174
> [!NOTE]
166-
> It is not necessary to restart the Netlogon service. If the DnsAvoidRegisterRecords registry value is created or modified while the Netlogon service is stopped or within the first 15 minutes after Netlogon is started, appropriate DNS updates take place with a short delay (however, the delay is no later than 15 minutes after Netlogon starts).
175+
> It isn't necessary to restart the Netlogon service. If the `DnsAvoidRegisterRecords` registry value is created or modified while the Netlogon service is stopped or within the first 15 minutes after Netlogon is started, appropriate DNS updates take place with a short delay (however, the delay is no later than 15 minutes after Netlogon starts).
176+
177+
You can also set the list of DNS records to suppress using a Group Policy:
178+
179+
**GPS: Specify DC Locator DNS records not registered by the DCs**
167180

168-
DNS registrations of A records performed by Netlogon can be also be modified by using the RegisterDnsARecords registry value. For more information, see [How to enable or disable DNS updates in Windows](../networking/enable-disable-dns-dynamic-registration.md).
181+
DNS registrations of A records performed by Netlogon can be also be modified by using the `RegisterDnsARecords` registry value. For more information, see [How to enable or disable DNS updates in Windows](../networking/enable-disable-dns-dynamic-registration.md).
169182

170-
Be aware that both the DnsAvoidRegisterRecords and the RegisterDnsARecords registry values need to allow registering the host (A) record:
183+
Be aware that both the DnsAvoidRegisterRecords and the `RegisterDnsARecords` registry values need to allow registering the host (A) record:
171184

172185
- RegisterDnsARecords = 0x1<br>
173-
If you list LdapIpAddress and GcIpAddress in the DnsAvoidRegisterRecords registry value settings, A records are not registered.
186+
If you list LdapIpAddress and GcIpAddress in the `DnsAvoidRegisterRecords` registry value settings, A records aren't registered.
174187
- RegisterDnsARecords = 0x0<br>
175-
No matter whether you list LdapIpAddress and GcIpAddress in the DnsAvoidRegisterRecords registry value settings, A records are not registered.
188+
No matter whether you list LdapIpAddress and GcIpAddress in the `DnsAvoidRegisterRecords` registry value settings, A records aren't registered.
176189

177190
To prevent the problem described earlier in this article from occurring in an environment in which a set of DCs and/or global catalog (GC) servers are located in a central location and a large number of the DCs and/or GC servers are located in branch offices, the administrator can disable registration of some of the DNS records by Netlogon on the DCs/GCs in the branch offices. In this situation, the list of mnemonics that should not be registered includes:
178191

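Review bot: "GPS:" is not a recognisable abbreviation; spell it out as a Group Policy setting and give its location, which is Computer Configuration > Administrative Templates > System > Net Logon > DC Locator DNS Records > "Specify DC Locator DNS records not registered by the DCs", and say that it takes the same mnemonics as the `DnsAvoidRegisterRecords` value, since the table of mnemonics is what the reader will paste into it. Two style points carried over from the old text into the + lines: "can be also be modified" still has the duplicated "be", and "both the DnsAvoidRegisterRecords and the `RegisterDnsARecords` registry values" backticks one name but not the other.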
@@ -200,13 +213,22 @@ GC-specific records:
200213

201214
> [!NOTE]
202215
> These lists do not include the site-specific records. Therefore, DCs and GC servers in branch offices are located by site-specific records that are usually used by a DC locator. If a program searches for a DC/GC by using generic (non-site-specific) records such as any of the records in the lists that are listed earlier in this article, it finds a DC/GC in the central location.
216+
>
217+
> Read-only DCs default to registering DNS records specific to their site.
203218

204-
An administrator may also choose to limit the number of the DC locator records such as SRV and A records registered by Netlogon for the same generic DNS name (_ldap._tcp.dc._msdcs.\<DomainName>), even in a scenario with fewer than 1200 DCs in the same domain, to reduce the size of DNS responses to queries for such records.
219+
An administrator might also choose to limit the number of the DC locator records, such as SRV and A records registered by Netlogon for the same generic DNS name (_ldap._tcp.dc._msdcs.\<DomainName>), even in a scenario with fewer DCs than the non-linked attribute value limit in the same domain, to reduce the size of DNS responses to queries for such records.
220+
221+
You can create this setting in a Group Policy linked to the DCs OU, put all branch DCs into an "AD Branch DCs" group, and set the Group Policy to apply only to members of the "AD Branch DCs" group.
205222

206223
## Status
207224

208225
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
209226

210-
## More Information
227+
## More information
228+
229+
Every DNS server that is authoritative for an Active Directory-integrated DNS zone adds an NS record. By default, every DC in a domain registers an SRV record for a set of non-site-specific names such as "_ldap._tcp.\<domain_name>" and A record(s) that map(s) the Active Directory DNS domain name to the TCP/IP address(es) of the DC. When a DNS server tries to write a record with many values for the same shared name, Local Security Authority Subsystem Service (LSASS) runs at 100% CPU usage for approximately 10 seconds and the registration doesn't succeed. Netlogon retries this registration every hour; the 100% CPU usage spike reappears at least once an hour, and the attempted registrations don't succeed.
230+
231+
## References
211232

212-
Every DNS server that is authoritative for an Active Directory-integrated DNS zone adds an NS record. By default, every DC in a domain registers an SRV record for a set of non-site-specific names such as "_ldap._tcp.\<domain_name>" and A record(s) that map(s) the Active Directory DNS domain name to the TCP/IP address(es) of the DC. When a DNS server tries to write a record after approximately 1200 records with the same shared name, Local Security Authority (LSA) runs at 100 percent CPU usage for approximately 10 seconds and the registration does not succeed. Netlogon retries this registration every hour; the 100 percent CPU usage spike reappears at least once an hour and the attempted registrations do not succeed.
233+
- [Optimize domain controller location](optimize-dc-location-global-catalog.md)
234+
- [Windows Server 2025 optional feature: What's new in Windows Server 2025](/windows-server/get-started/whats-new-windows-server-2025#active-directory-domain-services)
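Review bot: "You can create this setting in a Group Policy linked to the DCs OU" has no clear antecedent; the sentence before it is about limiting DC locator records in general, so name the setting (the DC Locator DNS records policy described earlier, with the branch-office mnemonic list from the preceding section) and note that "apply only to members of the group" means security filtering on the GPO. Also, "even in a scenario with fewer DCs than the non-linked attribute value limit" is hard to parse; "even when the domain has fewer DCs than the per-object value limit described in Cause" says the same thing. Lastly, both Symptoms and Cause say an optional feature on Windows Server 2025 raises the limit to about 3,200 and point the reader at References, but the reference entry only links to the entire What's new page; name the optional feature in the article text and in the reference entry so the reader does not have to hunt for it.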
