Configuring Dynamic Update and Secure Dynamic Update

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The Windows Server 2003 DHCP Server service can be configured to perform DNS dynamic updates and secure DNS dynamic updates for DHCP clients, which eliminates the need for administrators to update DNS records manually when a client’s IP address changes. Clients running Windows 2000, Windows XP, or Windows Server 2003 can also perform dynamic updates.

Clients running versions of Windows earlier than Windows 2000 do not support DNS dynamic update. To enable the DHCP server to perform DNS dynamic updates on behalf of these clients, use the default client preference settings. Clients using WINS for name resolution cannot make an explicit request for DNS dynamic update protocol preference. For these clients, the DHCP service can be configured to update both the PTR and the A resource records.

By itself, dynamic update is not secure; any client can modify DNS records. When secure dynamic update is configured, the authoritative name server accepts updates only from clients and servers that are authorized to make dynamic updates to the appropriate objects in Active Directory. Secure dynamic update is available only on Active Directory–integrated zones. To configure secure dynamic updates, you can use the Windows Server 2003 secure dynamic update feature.

Secure dynamic update protects zones and resource records from being modified by unauthorized users by enabling you to specify the users and groups that can modify zones and resource records. By default, Windows Server 2003, Windows XP Professional, and Windows 2000 clients attempt unsecured dynamic updates first. If that request fails, they attempt secure updates.

When using multiple DHCP servers and secure dynamic updates, add each of the DHCP servers as members of the DnsUpdateProxy global security group so that any DHCP server can perform a secure dynamic update for any record. Otherwise, when a DHCP server performs a secure dynamic update for a record, that DHCP server is the only computer that can update the record.

To configure dynamic update for DHCP clients and servers

  1. In the DHCP snap-in, select and right-click the DHCP server you want to configure, and then click Properties.

  2. In the server nameProperties dialog box, click the DNS tab.

  3. On the DNS tab, select the Enable DNS dynamic updates according to the settings below check box.

  4. On the DNS tab, select the dynamic update method you want: either always updating DNS A and PTR, or only updating the records when requested by the DHCP client.

Use the DNS snap-in to enable secure dynamic update. For more information about dynamic update and secure dynamic update, see "Deploying Domain Name System (DNS)" in this book and in Help and Support Center for Windows Server 2003.

Important

  • If DHCP will perform DNS dynamic updates, do not install it on a domain controller. Instead, install DHCP on a member server. When DHCP is installed on a domain controller and is configured to perform dynamic updates on behalf of clients in DNS zones that are configured to allow only secure dynamic update, specify a user account to update the DNS records. For more information about installing DHCP, see "Checklist: Installing a DHCP server" in Help and Support Center for Windows Server 2003.