Allow Only Secure Dynamic Updates

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

DNS client computers can use dynamic update to register and dynamically update their resource records with a DNS server whenever changes occur. This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use Dynamic Host Configuration Protocol (DHCP) to obtain an IP address. Secure dynamic update is supported only for Active Directory-integrated zones. If the zone type is configured differently, you must change the zone type and directory-integrate the zone before securing it for DNS dynamic updates.

Membership in the Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

Allowing only secure dynamic updates

• Using the Windows interface

• Using a command line

To allow only secure dynamic updates using the Windows interface

1. Click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

2. In the console tree, click the name of the DNS server you wish to configure, and then open Forward Lookup Zones or Reverse Lookup Zones.

3. Right-click the name of the zone you wish to configure, and then click Properties.

4. On the General tab, verify that the zone type is Active Directory-integrated.

5. In Dynamic Updates, click secure only.

To allow only secure dynamic updates using a command line

1. Open an elevated command prompt.

2. Type the following command, and then press ENTER:

   dnscmd <ServerName> /Config <ZoneName> /AllowUpdate 2
   

See Also

Concepts

Configure AD Integrated Zones
Checklist: Implementing a Secure DNS Configuration