Updating DNS Resource Records
Updated: April 19, 2010
Applies To: Windows 7, Windows HPC Server 2008 R2
In Windows Server® 2008 R2 DNS resource records are no longer updated by sources with DNS credentials. Instead, DNS resource records are now updated by the sources that are part of a DNS Update Proxy Group.
In order for the DNS Update Proxy Group to update the DNS resource records, a global parameter has been introduced. This global parameter, OpenACLOnProxyUpdates, disables previously existing functionality where the DNS Update Proxy Group can be overridden by sources which are not part of the DNS Update Proxy Group. Additionally, when performing a secure dynamic update, OpenACLOnProxyUpdates is set to 0. Setting OpenACLOnProxyUpdates to 0 ensures that the DNS Update Proxy Group will not be allowed to update client created DNS resource records and that client created DNS resource records will not be allowed to update the DNS Update Proxy Group.
OpenACLOnProxyUpdates is set to 1 by default. This means that when a member of the DNS Update Proxy Group updates a DNS resource record, the record's ACL will be adjusted to grant write privileges to clients. The reason behind this is to allow backwards compatibility with systems that are running versions of Windows that were released before . Regardless of OpenACLOnProxyUpdates being set to 1 by default, it is recommended that it be set to 0.
In order to set OpenACLOnProxyUpdates to 0, take the following steps.
Run the DNS Server Troubleshooting Tool, Dnscmd.exe
Note Dnscmd.exe assists administrators in DNS management. It displays and changes the properties of DNS servers, zones, and DNS resource records. It manually modifies these properties, creates and deletes zones and resource records, and forces replication events between DNS server physical memory and DNS databases and data files. Some operations of this tool work at the DNS server level while others work at the zone level.
Run the following commands at the Dnscmd.exe command prompt.
Dnscmd /Info /OpenACLOnProxyUpdates
Note The above command retreives the current value set for OpenACLOnProxyUpdates.
Dnscmd /Config /OpenACLOnProxyUpdates 0