Eliminate manual updates of DNS records by configuring dynamic update and secure dynamic update
Applies To: Windows Server 2008 R2
With Windows Server 2008, a DHCP server can enable dynamic updates in the DNS namespace for any one of its clients that support these updates. Scope clients can use the DNS dynamic update protocol to update their host name-to-address mapping information whenever changes occur to their DHCP-assigned address. (This mapping information is stored in zones on the DNS server.) A Windows Server 2008–based DHCP server can perform updates on behalf of its DHCP clients to any DNS server.
How DHCP/DNS update interaction works
You can use the DHCP server to register and update the PTR and A resource records on behalf of the server's DHCP-enabled clients. When you do this, you must use an additional DHCP option, the Client FQDN option (option 81). This option lets the client send its FQDN to the DHCP server in the DHCPREQUEST packet. This enables the client to notify the DHCP server as to the service level it requires.
The FQDN option includes the following six fields:
Code -- Specifies the code for this option (81).
Len -- Specifies the length of this option. (This must be a minimum of 4.)
Flags -- Specifies the type of service.
0 -- Client will register the "A" (Host) record.
1 -- Client wants DHCP to register the "A" (Host) record.
3 -- DHCP will register the "A" (Host) record regardless of the client's request.
- 0 -- Client will register the "A" (Host) record.
RCODE1 -- Specifies a response code the server is sending to the client.
RCODE2 -- Specifies an additional delineation of RCODE1.
Domain Name -- Specifies the FQDN of the client.
If the client requests to register its resource records with DNS, the client is responsible for generating the dynamic UPDATE request per Request for Comments (RFC) 2136. Then, the DHCP server registers its PTR (pointer) record.
Assume that this option is issued by a qualified DHCP client, such as a DHCP-enabled computer that is running, Windows Vista, Windows 2000 or Windows XP. In this case, the option is processed and interpreted by Windows Server 2008–based DHCP servers to determine how the server initiates updates on behalf of the client.
Secure dynamic updates
For Windows Server 2008, DNS update security is available only for zones that are integrated into Active Directory. After you integrate a zone, you can use the access control list (ACL) editing features that are available in the DNS snap-in to add or to remove users or groups from the ACL for a specific zone or for a resource record.
By default, dynamic update security for Windows Server 2008–based DNS servers and clients is handled in the following manner:
Windows Server 2008–based DNS clients try to use nonsecure dynamic updates first. If the nonsecure update is refused, clients try to use a secure update.
Also, clients use a default update policy that lets them to try to overwrite a previously registered resource record, unless they are specifically blocked by update security.
By default, after a zone becomes Active Directory-integrated, Windows Server 2008–based DNS servers enable only secure dynamic updates.
By default, when you use standard zone storage, the DNS Server service does not enable dynamic updates on its zones. For zones that are either directory-integrated or use standard file-based storage, you can change the zone to enable all dynamic updates. This enables all updates to be accepted by passing the use of secure updates.
If you use multiple Windows Server 2008–based DHCP servers on your network and if you configure your zones to enable secure dynamic updates only, use the Active Directory Users and Computers snap-in to add your DHCP server computers to the built-in DnsUpdateProxy group. When you do this, all your DHCP servers have the secure rights to perform proxy updates for any one of your DHCP clients.
|The secure dynamic updates functionality can be compromised if the following conditions are true: •You run a DHCP server on a Windows Server 2008–based domain controller •The DHCP server is configured to perform registration of DNS records on behalf of its clients. To avoid this issue, deploy DHCP servers and domain controllers on separate computers, or configure the DHCP server to use a dedicated user account for dynamic updates.|
|The secure dynamic update functionality is supported only for Active Directory-integrated zones. If you configure a different zone type, change the zone type, and then integrate the zone before you secure it for DNS updates. Dynamic update is an RFC-compliant extension to the DNS standard. The DNS update process is defined in RFC 2136, "Dynamic Updates in the Domain Name System (DNS UPDATE)."|