Understanding Dynamic Update

Applies To: Windows Server 2008, Windows Server 2008 R2

Domain Name System (DNS) client computers can use dynamic update to register and dynamically update their resource records with a DNS server whenever changes occur. This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use Dynamic Host Configuration Protocol (DHCP) to obtain an IP address.

The DNS Client service and the DNS Server service support the use of dynamic updates, as described in Request for Comments (RFC) 2136, "Dynamic Updates in the Domain Name System." The DNS Server service allows dynamic update to be enabled or disabled on a per-zone basis at each server that is configured to load either a standard primary or directory-integrated zone. By default, the DNS Client service dynamically updates host (A) resource records in DNS on any computer that is configured for TCP/IP.

How client and server computers update their DNS names

By default, computers that are statically configured for TCP/IP attempt to dynamically register host (A) resource records and pointer (PTR) resource records for IP addresses that are configured and used by their installed network connections. By default, all computers register records based on their fully qualified domain name (FQDN).

The primary full computer name, an FQDN, is the computer name with the computer's primary DNS suffix appended to it.

Additional considerations:

  • By default, the DNS client does not attempt dynamic update of top-level domain (TLD) zones. Any zone that is named with a single-label name is considered to be a TLD zone, for example, com, edu, blank, my-company. To configure a DNS client to allow the dynamic update of TLD zones, you can use the Update Top Level Domain Zones policy setting or you can modify the registry.

  • By default, the primary DNS suffix portion of a computer's FQDN is the same as the name of the Active Directory Domain Services (AD DS) domain to which the computer is joined. To allow the use of different primary DNS suffixes, a domain administrator may create a restricted list of allowed suffixes by modifying the msDS-AllowedDNSSuffixes attribute in the domain object container. This attribute is managed by the domain administrator using Active Directory Service Interfaces (ADSI) or the Lightweight Directory Access Protocol (LDAP).

Dynamic updates can be sent for any of the following reasons or events:

  • An IP address is added, removed, or modified in the TCP/IP properties configuration for any one of the installed network connections.

  • An IP address lease changes or is renewed with the DHCP server for any one of the installed network connections, for example, when the computer is started or when the ipconfig /renew command is used.

  • The ipconfig /registerdns command is used to manually force a refresh of the client name registration in DNS.

  • At startup time, when the computer is turned on.

  • A member server is promoted to a domain controller.

When one of the previous events triggers a dynamic update, the DNS Client service (not the DHCP Client service) sends updates. This is designed so that if a change to the IP address information occurs, corresponding updates in DNS are performed to synchronize name-to-address mappings for the computer. The DNS Client service performs this function for all network connections on the system, including connections that are not configured to use DHCP.

Example: How dynamic update works

Typically, dynamic updates are requested when either a DNS name or an IP address changes on the computer. For example, suppose that a client named oldhost is first configured in System properties with the following names.

Computer name: oldhost
DNS domain name of computer: tailspintoys.com
Full computer name: oldhost.tailspintoys.com

In this example, no connection-specific DNS domain names are configured for the computer. Later, the computer is renamed from oldhost to newhost, which results in the following name changes on the system.

Computer name: newhost
DNS domain name of computer: tailspintoys.com
Full computer name: newhost.tailspintoys.com

After you apply the name change in System properties, you are prompted to restart the computer. When the computer restarts Windows, the DNS Client service performs the following sequence to update DNS:

  1. The DNS Client service sends a start of authority (SOA)–type query using the DNS domain name of the computer.

    The client computer uses the currently configured FQDN of the computer (such as newhost.tailspintoys.com) as the name that is specified in this query.

  2. The authoritative DNS server for the zone that contains the client FQDN responds to the SOA-type query.

    For standard primary zones, the primary server (owner) that is returned in the SOA query response is fixed and static. It always matches the exact DNS name as it appears in the SOA resource record that is stored with the zone. If, however, the zone being updated is directory integrated, any DNS server that is loading the zone can respond and dynamically insert its own name as the primary server (owner) of the zone in the SOA query response.

  3. The DNS Client service then attempts to contact the primary DNS server.

    The client processes the SOA query response for its name to determine the IP address of the DNS server that is authorized as the primary server for accepting its name. It then proceeds to perform the following sequence of steps as needed to contact and dynamically update its primary server:

    1. It sends a dynamic update request to the primary server that is determined in the SOA query response.

      If the update succeeds, no further action is taken.

    2. If this update fails, the client next sends a name server (NS)–type query for the zone name that is specified in the SOA record.

    3. When it receives a response to this query, it sends an SOA query to the first DNS server that is listed in the response.

    4. After the SOA query is resolved, the client sends a dynamic update to the server that is specified in the returned SOA record.

      If the update succeeds, no further action is taken.

    5. If this update also fails, the client repeats steps 3 and 4 using the next DNS server that is listed in the NS query response, until the update succeeds or the list is exhausted.

  4. After the primary server that can perform the update is contacted, the client sends the update request and the server processes it.

    The contents of the update request include instructions to add host (A) (and possibly pointer (PTR)) resource records for newhost.tailspintoys.com and to remove these same record types for oldhost.tailspintoys.com, the name that was registered previously.

    The server also checks whether updates are permitted for the client request. For standard primary zones, dynamic updates cannot be secured: if the zone allows dynamic updates at all, any client's update attempt succeeds, whether or not the client already owns the name. For AD DS-integrated zones, updates are secured and are checked against the directory-based security settings (the ACL on the zone and on the individual resource records).

Dynamic updates are also sent periodically as refreshes. By default, computers send a refresh once every seven days. If the refresh results in no change to zone data, the zone keeps its current serial number and nothing is written. An update increments the zone version, and therefore generates zone transfer traffic, only if names or addresses actually change.

When the DNS Client service registers host (A) and pointer (PTR) resource records for a computer, it uses a default caching Time to Live (TTL) of 15 minutes for host records. This determines how long other DNS servers and clients cache a computer's records when the records are included in a query response.

Secure dynamic update

DNS update security is available only for zones that are integrated into AD DS. When you directory-integrate a zone, access control list (ACL) editing features are available in DNS Manager so that you can add or remove users or groups from the ACL for a specified zone or resource record.

By default, dynamic update security for DNS servers and clients can be handled as follows:

  • DNS clients attempt an unsecured dynamic update first. If the unsecured update is refused, the client retries with a secure update. This order can be changed on the client with the Update Security Level policy setting, for example to send only secure updates.

    Also, clients use a default update policy that permits them to attempt to overwrite a previously registered resource record, unless they are specifically blocked by update security.

  • After a zone becomes AD DS-integrated, DNS servers running Windows Server® 2008 default to allowing only secure dynamic updates.

    When you use standard zone storage, the default for the DNS Server service is to not allow dynamic updates on its zones. For zones that are either directory-integrated or that use standard file-based storage, you can change the zone to allow all dynamic updates (nonsecure and secure), which accepts updates from any host, whether or not the request is authenticated.
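The update request from step 4 of the walkthrough above, and the refused-versus-accepted outcome the secure update section describes, as an added Python example (this is not code from the original page and not how the Windows DNS Client service is implemented). It hand-builds the RFC 2136 UPDATE message for the oldhost to newhost rename: one zone section for tailspintoys.com, an update section that deletes every A record of oldhost.tailspintoys.com and adds an A record for newhost.tailspintoys.com, and a parser to read the message back. Assumptions: the address 192.0.2.10 and the message ID are constructed values; names are written uncompressed; the 900-second TTL is the 15-minute host record default from above; the SOA discovery of the primary server is not implemented, so send_update targets whatever server you name; and no GSS-TSIG signing is included, so a sent message models only the client's first, unsecured attempt. The PTR record lives in the reverse zone, and RFC 2136 allows one zone per message, so a PTR update would be a second message to that zone's primary.

```python
"""Hand-built RFC 2136 UPDATE message for the oldhost -> newhost rename (added example)."""
import socket
import struct
import sys

OPCODE_UPDATE = 5                       # RFC 2136 section 1: the UPDATE opcode
CLASS_IN, CLASS_ANY = 1, 255            # class ANY in the update section means "delete RRset"
TYPE_A, TYPE_SOA = 1, 6
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED",
          6: "YXDOMAIN", 7: "YXRRSET", 8: "NXRRSET", 9: "NOTAUTH", 10: "NOTZONE"}


def encode_name(name):
    """Uncompressed wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf, off):
    """Inverse of encode_name; returns (dotted name, offset after the terminating zero)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compression pointer; not expected in a hand-built message")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n


def rr(name, rtype, rclass, ttl, rdata):
    """One resource record in the update section (RDLENGTH 0 is legal for deletes)."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_rename_update(zone, old_fqdn, new_fqdn, new_ip, ttl=900, msg_id=0x1234):
    """UPDATE: drop every A record of old_fqdn, add one A record for new_fqdn.
    ttl=900 is the 15-minute default TTL the Windows client uses for host records."""
    updates = [
        rr(old_fqdn, TYPE_A, CLASS_ANY, 0, b""),                         # delete RRset (2.5.2)
        rr(new_fqdn, TYPE_A, CLASS_IN, ttl, socket.inet_aton(new_ip)),  # add RR (2.5.1)
    ]
    # Header: ID, flags (QR=0, opcode 5), ZOCOUNT=1, PRCOUNT=0, UPCOUNT, ADCOUNT=0
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, len(updates), 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone_section + b"".join(updates)


def parse_update(buf):
    """Decode header, zone section and prerequisite/update RRs of an UPDATE message."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", buf[:12])
    off, zone = 12, None
    for _ in range(zo):
        zone, off = decode_name(buf, off)
        off += 4                                    # skip ZTYPE + ZCLASS
    records = []
    for _ in range(pr + up):
        name, off = decode_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        records.append((name, rtype, rclass, ttl, buf[off:off + rdlen]))
        off += rdlen
    return {"id": msg_id, "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
            "zone": zone, "counts": (zo, pr, up, ad), "records": records}


def response_rcode(data, expected_id=None):
    """Name of the RCODE in a server reply. REFUSED is what an unsigned update gets from
    a secure-only zone; NOERROR means the zone accepted the update exactly as sent."""
    msg_id, flags = struct.unpack("!HH", data[:4])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    if expected_id is not None and msg_id != expected_id:
        raise ValueError("response ID does not match the request")
    return RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF))


def send_update(server_ip, msg, timeout=3.0):
    """Send the update over UDP/53 and return the reply's RCODE name. Real network call."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server_ip, 53))
        data, _ = s.recvfrom(4096)
    return response_rcode(data, expected_id=struct.unpack("!H", msg[:2])[0])


if __name__ == "__main__":
    # 192.0.2.10 is a constructed example address; the names come from the walkthrough.
    msg = build_rename_update("tailspintoys.com", "oldhost.tailspintoys.com",
                              "newhost.tailspintoys.com", "192.0.2.10")
    for name, rtype, rclass, ttl, rdata in parse_update(msg)["records"]:
        print(name, rtype, rclass, ttl, rdata.hex())
    if len(sys.argv) > 1:                       # optional: python3 this.py <dns-server-ip>
        print("server replied", send_update(sys.argv[1], msg))
```

Run without arguments it only builds and decodes the message. Given a server address it sends the unsigned message, which is the same first attempt a Windows client makes: NOERROR means the zone is configured to allow nonsecure updates and the records really were changed, so use a lab server or a throwaway name; REFUSED from an AD DS-integrated zone is the expected result of the secure-only default, after which the real client would retry with a GSS-TSIG-signed update that this example does not produce.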