Configuring Secure Dynamic Update
Updated: October 16, 2008
Applies To: Windows Server 2008
When installing the Windows Server 2008 DHCP service, you can configure the server to perform updates on behalf of its DHCP clients to any Domain Name System (DNS) servers that support dynamic updates.
The DHCP server can be used to register and update the pointer (PTR) and host (A) resource records on behalf of its DHCP-enabled clients.
This process requires the use of an additional DHCP option, the Client FQDN option (option 81). This option permits the client to provide its fully qualified domain name (FQDN) as well as instructions to the DHCP server about how the server should process DNS dynamic updates (if any) on its behalf.
When this option is issued by a qualified DHCP client, option 81 is processed and interpreted by a DHCP server running Windows Server 2008 to determine how the server initiates updates on behalf of the client. If the server is configured to perform DNS dynamic updates, it takes one of the following actions:
The DHCP server updates both DNS A and PTR records if requested by clients using option 81.
The DHCP server updates DNS A and PTR records regardless of whether the client requests this action.
In addition, the DHCP server can dynamically update DNS A and PTR records on behalf of legacy clients that are not capable of sending option 81 to the server. You can also configure the DHCP server to discard client A and PTR records when the client lease is deleted.
The DHCP server might be configured in one of the following ways:
The DHCP server registers and updates client information with the authoritative DNS server of the zone in which the DHCP server is located according to the DHCP client request.
This is the default configuration for DHCP servers running Windows Server 2008. In this mode, the DHCP client can request the way in which the DHCP server performs updates of its host (A) and pointer (PTR) resource records. If possible, the DHCP server accommodates the client request for handling updates to its name and IP address information in DNS.
To modify this setting, select the Dynamically update DNS A and PTR records only if requested by the DHCP clients check box, which is located in Properties on the DNS tab on the applicable DHCP server or on one of its scopes.
The DHCP server always registers and updates client information in DNS.
This is a modified configuration supported for DHCP servers running Windows Server 2008 and DHCP clients. In this mode, the DHCP server always performs updates of the client's FQDN, leased IP address information, and both its host (A) and pointer (PTR) resource records, regardless of whether the client has requested to perform its own updates.
To modify this setting, select the Enable DNS dynamic updates according to the settings below check box and click Always dynamically update DNS A and PTR records, which is located in Properties on the DNS tab on the applicable DHCP server or on one of its scopes.
The DHCP server never registers and updates client information in DNS.
To set this behavior, the DHCP server must be configured not to perform DHCP/DNS proxied updates. When this feature is disabled, no client host (A) or pointer (PTR) resource records are updated in DNS for DHCP clients.
If necessary, this change in setting can be made at DHCP servers running Windows Server 2008 by clearing the Enable DNS dynamic updates according to the settings below check box, which is located in Properties on the DNS tab on the applicable DHCP server or one of its scopes. By default, updates are always performed for newly installed DHCP servers running Windows Server 2008 and any new scopes created for them.
In addition to these standard DHCP/DNS interactions, the DHCP server can be configured to perform these optional update tasks as follows:
The server can be selectively configured not to send an update that discards a client's host (A) resource record when the client lease expires.
When the DHCP server is enabled to perform DNS updates, it always sends updates to discard the client pointer (PTR) resource records when the lease expires. You can configure whether the server also does this with client host (A) resource records when the lease of a client expires (by default, the server discards these).
To modify this at the applicable DHCP server, clear the Discard forward (name-to-address) lookups when lease expires check box in Properties on the DNS tab.
The server can be selectively configured not to send updates for clients that are unable to use the Client FQDN option (option 81) to request the way that updates are handled.
By default, the DHCP server does not send updates for clients that do not support option 81.
To modify this setting, select the Dynamically update DNS A and PTR records for DHCP clients that do not request updates (for example, clients running Windows NT 4.0) check box, which is located in Properties on the DNS tab on the applicable DHCP server or one of its scopes.
As previously described, you can configure a DHCP server so that it dynamically registers host (A) and pointer (PTR) resource records on behalf of DHCP clients. In this configuration, the use of secure dynamic update with DNS servers might cause stale resource records.
For example, suppose the following sequence of events occurs:
A DHCP server running Windows Server 2008 (DHCP1) performs a secure dynamic update on behalf of one of its clients for a DNS domain name.
Because the DHCP server successfully created the name, it becomes the owner of the name.
After the DHCP server becomes the owner of the name, only that DHCP server can update the DNS records for that name.
In some circumstances, this can cause problems. For example, if DHCP1 fails and a second backup DHCP server comes online, the second server cannot update the client name because it is not the owner of the name.
To solve this problem, the built-in security group called DnsUpdateProxy is provided. If all DHCP servers are added as members of the DnsUpdateProxy group, then the records of one server can be updated by another server if the first server fails. Also, because none of the objects created by members of the DnsUpdateProxy group are secured, the first user that is not a member of the DnsUpdateProxy group to modify the set of records associated with a DNS name becomes its owner. When legacy clients are upgraded, they can therefore take ownership of their name records at the DNS server. If every DHCP server registering resource records for legacy clients is a member of the DnsUpdateProxy group, the problems discussed earlier are eliminated.
DNS domain names that are registered by the DHCP server are not secure when the DHCP server is a member of the DnsUpdateProxy group. The host (A) resource record for the DHCP server itself is an example of such a record. Also, because objects created by the members of the DnsUpdateProxy group are not secured, it is impossible to use this group effectively in an Active Directory-integrated zone that allows only secure dynamic updates unless you take additional steps to allow records created by members of the group to be secured.
To protect against unsecured records, or to allow members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you can create a dedicated user account and configure DHCP servers to perform DNS dynamic updates with the user account credentials (user name, password, and domain). The credentials of one dedicated user account can be used by multiple DHCP servers.
A dedicated user account is a user account whose sole purpose is supplying DHCP servers with credentials for DNS dynamic update registrations. When you create a dedicated user account and configure DHCP servers with the account credentials, each DHCP server supplies these credentials when registering names on behalf of DHCP clients using DNS dynamic update. The dedicated user account should be created in the forest where the primary DNS server for the zone to be updated resides. The dedicated user account can also be located in another forest as long as the forest it resides in has a forest trust established with the forest containing the primary DNS server for the zone to be updated.
When the DHCP Server service is installed on a domain controller, configuring the DHCP server with the credentials of the dedicated user account will prevent the server from inheriting, and possibly misusing, the power of the domain controller. When installed on a domain controller, the DHCP Server service inherits the security permissions of the domain controller and has the authority to update or delete any DNS record that is registered in a secure Active Directory-integrated zone (this includes records that were securely registered by other computers, including domain controllers).
You must configure a dedicated user account and configure the DHCP server with the account credentials under the following circumstances:
A domain controller is configured to function as a DHCP server.
The DHCP server is configured to perform DNS dynamic updates on behalf of DHCP clients.
The DNS zones to be updated by the DHCP server are configured to allow only secure dynamic updates.
After you have created a dedicated user account, you can configure DHCP servers with the user account credentials by using the DHCP console or by using the Netsh DHCP context command server set dnscredentials. For more information about configuring credentials using the DHCP console, see Configure DNS Dynamic Update Credentials. For a comprehensive reference about Netsh commands for DHCP, including syntax, parameters, and examples for the set dnscredentials command at the server context of netsh dhcp, see Netsh Commands for Dynamic Host Configuration Protocol server (http://go.microsoft.com/fwlink/?LinkId=125702).
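As an added example that is not part of the original article, the following PowerShell script carries out the dedicated-account steps described above: it creates the account, adds the DHCP server computer accounts to DnsUpdateProxy, and stores the credentials on each server with the netsh dhcp server set dnscredentials command named in this section. It assumes the ActiveDirectory PowerShell module is available (it ships with Windows Server 2008 R2 and later; on Windows Server 2008 the Active Directory Users and Computers console or the dsadd/dsmod tools perform the same directory steps), and the names CONTOSO, svc-dhcpdns, DHCP1 and DHCP2 are placeholders.

```powershell
# Added example: dedicated user account for DHCP-initiated DNS dynamic updates.
# Assumes the ActiveDirectory module; every name below is a placeholder.
Import-Module ActiveDirectory

$domain      = 'CONTOSO'          # NetBIOS name of the domain (placeholder)
$accountName = 'svc-dhcpdns'      # dedicated account, no other purpose (placeholder)
$dhcpServers = 'DHCP1', 'DHCP2'   # DHCP server computer names (placeholders)

# 1. Create the dedicated account in the forest that holds the primary DNS server
#    for the zone. It needs no group membership beyond the default Domain Users:
#    with secure dynamic update it can create records and then update only the
#    records it owns, so a DHCP server on a domain controller no longer updates
#    DNS with the domain controller's own authority.
$securePwd = Read-Host -Prompt "Password for $accountName" -AsSecureString
New-ADUser -Name $accountName -SamAccountName $accountName `
    -AccountPassword $securePwd -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'DHCP server DNS dynamic update credentials'

# 2. Make every DHCP server a member of DnsUpdateProxy so that a surviving
#    server can update records that a failed server registered.
foreach ($srv in $dhcpServers) {
    Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members (Get-ADComputer -Identity $srv)
}

# 3. Store the credentials on each DHCP server. netsh takes the password as a
#    plain-text argument, so decode it only here, pass it directly, and free it;
#    never save this value in a script file or scheduled task definition.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePwd)
try     { $plainPwd = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

foreach ($srv in $dhcpServers) {
    & netsh dhcp server "\\$srv" set dnscredentials $accountName $domain $plainPwd
}
$plainPwd = $null

# 4. Verify: show dnscredentials reports the account each server will use
#    when it registers names on behalf of its clients.
foreach ($srv in $dhcpServers) {
    & netsh dhcp server "\\$srv" show dnscredentials
}
```

Run the script from an account that has permission to create users in the domain and to administer the DHCP servers; the same dedicated account credentials can be reused on every DHCP server, as the section notes.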