DHCP: The DNSupdateproxy group must be secured if Name Protection is enabled on any IPv4 scope
Applies To: Windows Server 2008 R2, Windows Server 2012
This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Dynamic Host Configuration Protocol Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer (https://go.microsoft.com/fwlink/?LinkId=122786).
Operating System |
Windows Server 2008 R2, Windows Server 2012 |
Product/Feature |
Dynamic Host Configuration Protocol (DHCP) |
Severity |
Error |
Category |
Configuration |
Issue
Name protection has been enabled but the DNSupdateproxy group has not been secured.
Impact
Name protection may not work without the DNSupdateproxy group being secured.
Resolution
Using dnscmd, set the OpenACLOnProxyUpdates to 0 to secure the DNSupdateproxygroup.
DNS update security is available only for zones that are integrated into Active Directory. After you integrate a zone, you can use the access control list (ACL) editing features that are available in the DNS snap-in to add or to remove users or groups from the ACL for a specific zone or for a resource record.
To perform the following procedures, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure.
To secure the DNSupdateproxy group
Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
Click Yes if prompted by User Account Control, type dnscmd /config /OpenAclOnProxyUpdates 0 and then press ENTER.
Additional references
For updated detailed IT pro information about DHCP, see the Windows Server 2008 R2 documentation on the Microsoft TechNet Web site.