DHCP: The DNSupdateproxy group must be secured if Name Protection is enabled on any IPv6 scope

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Dynamic Host Configuration Protocol Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer (https://go.microsoft.com/fwlink/?LinkId=122786).

Operating System

Windows Server 2008 R2, Windows Server 2012

Product/Feature

Dynamic Host Configuration Protocol (DHCP)

Severity

Error

Category

Configuration

Issue

Name protection has been enabled but the DNSupdateproxy group has not been secured.

Impact

Name protection may not work without the DNSupdateproxy group being secured.

Resolution

Using dnscmd, set the OpenACLOnProxyUpdates to 0 to secure the DNSupdateproxygroup.

DNS update security is available only for zones that are integrated into Active Directory. After you integrate a zone, you can use the access control list (ACL) editing features that are available in the DNS snap-in to add or to remove users or groups from the ACL for a specific zone or for a resource record.

To perform the following procedures, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure.

To secure the DNSupdateproxy group

  1. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. Click Yes if prompted by User Account Control, type dnscmd /config /OpenAclOnProxyUpdates 0 and then press ENTER.

Additional references

For updated detailed IT pro information about DHCP, see the Windows Server 2008 R2 documentation on the Microsoft TechNet Web site.