Windows Server 2003 DNS update features

The DNS service lets client computers dynamically update their resource records in DNS. When you use this functionality, you improve DNS administration by reducing the time that it requires to manually manage zone records. You can use the DNS update functionality with DHCP to update resource records when a computer’s IP address is changed. Computers that are running Windows Server 2003 can send dynamic updates.

Windows Server 2003 provides the following features that are related to the DNS dynamic update protocol:

  • Use of Active Directory directory service as a locator service for domain controllers.
  • Integration with Active Directory.

    You can integrate DNS zones into Active Directory to provide increased fault tolerance and security. Every Active Directory-integrated zone is replicated among all domain controllers in the Active Directory domain. All DNS servers that are running on these domain controllers can act as primary servers for the zone and accept dynamic updates. Active Directory replicates on a per-property basis and propagates only relevant changes.

  • Aging and scavenging of records.

    The DNS Server service can scan and remove records that are no longer required. When you enable this feature, you can prevent outdated records from remaining in DNS.

  • Secure dynamic updates in Active Directory-integrated zones.

    You can configure Active Directory-integrated zones for secure dynamic updates so that only authorized users can make changes to a zone or to a record.

  • Administration from a command prompt.
  • Enhanced name resolution.
  • Enhanced caching and negative caching.
  • Interoperability with other DNS server implementations.
  • Integration with other network services.
  • Incremental zone transfer.

How Windows Server 2003-based computers update their DNS names

By default, computers that run Windows Server 2003 and that are statically configured for TCP/IP try to dynamically register host address (A) and pointer (PTR) resource records for IP addresses that are configured and used by their installed network connections. By default, all computers register records that are based on the full computer name.

For Windows Server 2003-based computers, the primary full computer name is a fully qualified domain name (FQDN): the computer name with the primary DNS suffix of the computer appended to it. To determine the primary DNS suffix of the computer and the computer name, right-click My Computer, click Properties, and then click Computer Name.

DNS updates can be sent for any one of the following reasons or events:

  • An IP address is added, removed, or modified in the TCP/IP properties configuration for any one of the installed network connections.
  • An IP address lease changes or renews with the DHCP server for any one of the installed network connections. For example, this update occurs when the computer is started or when you use the ipconfig /renew command.
  • You use the ipconfig /registerdns command to manually force an update of the client name registration in DNS.
  • The computer is turned on.
  • A member server is promoted to a domain controller.

When one of these events triggers a DNS update, the DHCP Client service, not the DNS Client service, sends updates. If a change to the IP address information occurs because of DHCP, corresponding updates in DNS are performed to synchronize name-to-address mappings for the computer. The DHCP Client service performs this function for all network connections on the system. This includes connections that are not configured to use DHCP.

Notes

  • The update process for Windows Server 2003-based computers that use DHCP to obtain their IP address is different from the process that is described in this section. For more information, see the “Integration of DHCP with DNS” section and the “Windows DHCP clients and DNS dynamic update protocol” section.
  • The update process that is described in this section assumes that Windows Server 2003 installation defaults are in effect. Specific names and update behavior are tunable when advanced TCP/IP properties are configured to use non-default DNS settings.
  • Besides the full computer name, or the primary name, of the computer, you can configure additional connection-specific DNS names and optionally register or update them in DNS.

By default, Windows XP and Windows Server 2003 reregister their A and PTR resource records every 24 hours regardless of the computer’s role. To change this time, add the DefaultRegistrationRefreshInterval registry entry under the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters

The interval is set in seconds.

An example of how DNS updates work

For Windows Server 2003, dynamic updates are typically requested when either a DNS name or an IP address changes on the computer. For example, a client named “oldhost” is first configured in system properties to have the following names:

  • Computer name: oldhost
  • DNS domain name of computer: example.microsoft.com
  • Full computer name: oldhost.example.microsoft.com

In this example, no connection-specific DNS domain names are configured for the computer. If you rename the computer from “oldhost” to “newhost”, the following name changes occur:

  • Computer name: newhost
  • DNS domain name of computer: example.microsoft.com
  • Full computer name: newhost.example.microsoft.com

After the name change is applied in System Properties, Windows Server 2003 prompts you to restart the computer. After the computer restarts Windows, the DHCP Client service performs the following sequence to update DNS:

  1. The DHCP Client service sends a start of authority (SOA) type query by using the DNS domain name of the computer.

    The client computer uses the currently configured FQDN of the computer, such as “newhost.example.microsoft.com”, as the name specified in this query.

  2. The authoritative DNS server for the zone that contains the client FQDN responds to the SOA-type query.

    For standard primary zones, the primary server, or owner, that is returned in the SOA query response is fixed and static. The primary server name always matches the exact DNS name as that name is displayed in the SOA resource record that is stored with the zone. However, if the zone that is being updated is directory-integrated, any DNS server that is loading the zone can respond and dynamically insert its own name as the primary server of the zone in the SOA query response.

  3. The DHCP Client service tries to contact the primary DNS server.

    The client processes the SOA query response for its name to determine the IP address of the DNS server that is authorized as the primary server for accepting its name. If it is required, the client performs the following steps to contact and dynamically update its primary server:

    1. The client sends a dynamic update request to the primary server that is determined in the SOA query response.

      If the update succeeds, no additional action is taken.

    2. If this update fails, the client next sends an NS-type query for the zone name that is specified in the SOA record.
    3. When the client receives a response to this query, the client sends an SOA query to the first DNS server that is listed in the response.
    4. After the SOA query is resolved, the client sends a dynamic update to the server that is specified in the returned SOA record.

      If the update succeeds, no additional action is taken.

    5. If this update fails, the client repeats the SOA query process by sending to the next DNS server that is listed in the response.
  4. After the primary server that can perform the update is contacted, the client sends the update request, and the server processes it.

    The contents of the update request include instructions to add A, and possibly PTR, resource records for “newhost.example.microsoft.com” and to remove these same record types for “oldhost.example.microsoft.com”. (“oldhost.example.microsoft.com” is the name that was previously registered.)

    The server also checks to make sure that updates are permitted for the client request. For standard primary zones, dynamic updates are not secured. Any client attempt to update succeeds. For Active Directory-integrated zones, updates are secured and performed using directory-based security settings.
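The primary-server discovery in steps 1 to 3 above, as an added example that is not part of the original article. It simulates the SOA query, the first update attempt, and the NS-list fallback against an in-memory resolver; the zone, the server names dc1/dc2/dc3 and which of them accept updates are constructed for the example, and the two zone types differ only in how the SOA answer names the primary.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed resolver data (not real servers): the SOA MNAME that a standard
# primary zone returns, the NS RRset of the zone, and the servers that currently
# accept updates. dc1 is the fixed primary but is unreachable in this scenario.
ZONE = "example.microsoft.com"
SOA_MNAME: Dict[str, str] = {ZONE: "dc1.example.microsoft.com"}
NS_RRSET: Dict[str, List[str]] = {
    ZONE: ["dc1.example.microsoft.com", "dc2.example.microsoft.com", "dc3.example.microsoft.com"],
}
ACCEPTS_UPDATES: Set[str] = {"dc2.example.microsoft.com"}


def find_zone(fqdn: str) -> str:
    """Closest enclosing zone of fqdn, i.e. the zone an SOA query for it resolves to."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in NS_RRSET:
            return candidate
    raise LookupError(f"no zone found for {fqdn}")


def soa_query(fqdn: str, server: str, ad_integrated: bool) -> Tuple[str, str]:
    """Step 2: the answering server reports the zone's primary.

    A standard primary zone always returns the fixed MNAME; a directory-integrated
    zone lets any server that loads the zone insert its own name as the primary.
    """
    zone = find_zone(fqdn)
    primary = server if ad_integrated else SOA_MNAME[zone]
    return zone, primary


def send_update(server: str, fqdn: str, log: List[str]) -> bool:
    """Simulated dynamic update; succeeds only if the server accepts updates."""
    ok = server in ACCEPTS_UPDATES
    log.append(f"UPDATE {fqdn} -> {server}: {'ok' if ok else 'failed'}")
    return ok


def register(fqdn: str, configured_dns: str, ad_integrated: bool) -> Tuple[Optional[str], List[str]]:
    """Steps 1-3: find a primary that accepts the update, using the NS fallback on failure."""
    log: List[str] = []
    zone, primary = soa_query(fqdn, configured_dns, ad_integrated)  # steps 1-2
    if send_update(primary, fqdn, log):                              # step 3.1
        return primary, log
    for ns in NS_RRSET[zone]:                                        # steps 3.2-3.5
        _, primary = soa_query(fqdn, ns, ad_integrated)              # step 3.3
        if send_update(primary, fqdn, log):                          # step 3.4
            return primary, log
    return None, log


if __name__ == "__main__":
    for integrated in (True, False):
        server, trace = register("newhost.example.microsoft.com", "dc1.example.microsoft.com", integrated)
        print("AD-integrated" if integrated else "standard primary", "->", server)
        print("\n".join("  " + line for line in trace))
```

Running it shows the practical difference between the two zone types: with a directory-integrated zone the walk reaches dc2 on the second NS entry, while with a standard primary zone every SOA answer names the same fixed primary, so the NS walk only retries dc1 and the registration fails until that server is reachable again.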

Dynamic updates are sent or refreshed periodically. By default, computers send an update every twenty-four hours. If the update causes no changes to zone data, the zone remains at its current version, and no changes are written. Updates that cause actual zone changes or increased zone transfers occur only if names or addresses actually change.

Note Names are not removed from DNS zones if they become inactive or if they are not updated within the update interval of twenty-four hours. DNS does not use a mechanism to release or to tombstone names, although DNS clients do try to delete or to update old name records when a new name or address change is applied.

When the DHCP Client service registers A and PTR resource records for a Windows Server 2003-based computer, the client uses a default caching time-to-live (TTL) value of 15 minutes for host records. This value determines how long other DNS servers and clients cache a computer’s records when they are included in a query response.
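The update request from step 4 of the rename example, carrying the 15-minute TTL just mentioned, as an added example that is not part of the original article. It builds an RFC 2136 UPDATE message that deletes the A RRset of “oldhost.example.microsoft.com” and adds an A record for “newhost.example.microsoft.com”, then decodes it again; the address 10.0.0.5 and the message ID are constructed, and the PTR record the client may also send is left out for brevity.

```python
import struct

OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA, TYPE_ANY = 1, 6, 255
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255


def encode_name(name: str) -> bytes:
    """Dotted FQDN -> uncompressed DNS label sequence."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf: bytes, off: int):
    """Read an uncompressed label sequence; return (name, next offset)."""
    labels = []
    while True:
        ln = buf[off]
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln


def rr(name: str, rtype: int, rclass: int, ttl: int, rdata: bytes = b"") -> bytes:
    """One resource record in wire format."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_rename_update(zone, old_fqdn, new_fqdn, new_ip, ttl=900, msg_id=0x1234):
    """UPDATE that removes every A record of old_fqdn and adds one for new_fqdn.

    In an UPDATE the four header counts are ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT
    (RFC 2136 section 2): one zone, no prerequisites, two update RRs, nothing additional.
    """
    flags = OPCODE_UPDATE << 11  # QR=0 (request), opcode 5, no other flags
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 2, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    # "Delete an RRset": CLASS ANY, TTL 0, empty RDATA (RFC 2136 section 2.5.2)
    delete_old = rr(old_fqdn, TYPE_A, CLASS_ANY, 0)
    # "Add to an RRset": CLASS IN with the real TTL and RDATA (section 2.5.1)
    add_new = rr(new_fqdn, TYPE_A, CLASS_IN, ttl, bytes(int(o) for o in new_ip.split(".")))
    return header + zone_section + delete_old + add_new


def parse_update(buf: bytes) -> dict:
    """Decode the header, zone section and update section of an UPDATE message."""
    msg_id, flags, zocount, prcount, upcount, _adcount = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    msg = {"id": msg_id, "opcode": (flags >> 11) & 0xF, "zones": [], "updates": []}
    for _ in range(zocount):
        name, off = decode_name(buf, off)
        ztype, zclass = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        msg["zones"].append((name, ztype, zclass))
    for _ in range(prcount):  # prerequisites are RRs too; skipped in this example
        _, off = decode_name(buf, off)
        off += 10 + struct.unpack("!H", buf[off + 8:off + 10])[0]
    for _ in range(upcount):
        name, off = decode_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rclass == CLASS_ANY:
            action = "delete-all-rrsets" if rtype == TYPE_ANY else "delete-rrset"
        elif rclass == CLASS_NONE:
            action = "delete-rr"
        else:
            action = "add"
        msg["updates"].append({
            "action": action, "name": name, "type": rtype, "ttl": ttl,
            "rdata": ".".join(str(b) for b in rdata) if rtype == TYPE_A and rdata else "",
        })
    return msg


if __name__ == "__main__":
    pkt = build_rename_update("example.microsoft.com", "oldhost.example.microsoft.com",
                              "newhost.example.microsoft.com", "10.0.0.5")
    for update in parse_update(pkt)["updates"]:
        print(update)
```

The class field is what distinguishes the three update operations on the wire: CLASS ANY with an empty RDATA deletes a whole RRset, CLASS NONE deletes one specific record, and CLASS IN adds a record with its TTL. A server that logs dynamic updates can use the same decoding to see exactly which names a client asked to remove.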

Integration of DHCP with DNS

With Windows Server 2003, a DHCP server can enable dynamic updates in the DNS namespace for any one of its clients that support these updates. Scope clients can use the DNS dynamic update protocol to update their host name-to-address mapping information whenever changes occur to their DHCP-assigned address. (This mapping information is stored in zones on the DNS server.) A Windows Server 2003-based DHCP server can perform updates on behalf of its DHCP clients to any DNS server.

How DHCP/DNS update interaction works

You can use the DHCP server to register and update the PTR and A resource records on behalf of the server’s DHCP-enabled clients. When you do this, you must use an additional DHCP option, the Client FQDN option (option 81). This option lets the client send its FQDN to the DHCP server in the DHCPREQUEST packet. This enables the client to notify the DHCP server as to the service level it requires.

The FQDN option includes the following six fields:

  • Code
    Specifies the code for this option (81).
  • Len
    Specifies the length of this option. (This must be a minimum of 4.)
  • Flags
    Specifies the type of service:
    • 0: Client will register the “A” (Host) record.
    • 1: Client wants DHCP to register the “A” (Host) record.
    • 3: DHCP will register the “A” (Host) record regardless of the client’s request.
  • RCODE1
    Specifies a response code the server is sending to the client.
  • RCODE2
    Specifies an additional delineation of RCODE1.
  • Domain Name
    Specifies the FQDN of the client.

If the client requests to register its resource records with DNS, the client is responsible for generating the dynamic UPDATE request per Request for Comments (RFC) 2136. Then, the DHCP server registers its PTR (pointer) record.

Assume that this option is issued by a qualified DHCP client, such as a DHCP-enabled computer that is running Windows Server 2003, Microsoft Windows 2000, or Microsoft Windows XP. In this case, the option is processed and interpreted by Windows Server 2003-based DHCP servers to determine how the server initiates updates on behalf of the client.

For example, you can use any one of the following configurations to process client requests:

  • The DHCP server registers and updates client information with its configured DNS servers according to the client request.

    This is the default configuration for Windows Server 2003-based DHCP servers and clients that are running Windows Server 2003, Windows 2000, or Windows XP. In this mode, any one of these Windows DHCP clients can specify the way that the DHCP server updates its host A and PTR resource records. Where possible, the DHCP server honors the client’s request about how its name and IP address information in DNS is updated.

    To configure the DHCP server to register client information according to the client’s request, follow these steps:

    1. Open the DHCP properties for the server or the individual scope.
    2. Click the DNS tab, click Properties, and then click to select the Dynamically update DNS A and PTR records only if requested by the DHCP clients check box.
  • The DHCP server always registers and updates client information with its configured DNS servers.

    This is a modified configuration supported for Windows Server 2003-based DHCP servers and clients that are running Windows Server 2003, Windows 2000, or Windows XP. In this mode, the DHCP server always performs updates of the client’s FQDN and leased IP address information regardless of whether the client has requested to perform its own updates.

    To configure a DHCP server to register and to update client information with its configured DNS servers, follow these steps:

    1. Open the DHCP properties for the server.
    2. Click DNS, click Properties, click to select the Enable DNS dynamic updates according to the settings below check box, and then click Always dynamically update DNS A and PTR records.
  • The DHCP server never registers and updates client information with its configured DNS servers.

    To use this configuration, the DHCP server must be configured not to perform DHCP/DNS proxied updates. When you use this configuration, no client host A or PTR resource records are updated in DNS for DHCP clients.

    To configure the server to never update client information, follow these steps:

    1. Open the DHCP properties for the DHCP server or one of its scopes on the Windows Server 2003-based DHCP server.
    2. Click DNS, click Properties, and then clear the Enable DNS dynamic updates according to the settings below check box.

    By default, updates are always performed for newly installed Windows Server 2003-based DHCP servers and any new scopes that you create for them.

Windows DHCP clients and DNS dynamic update protocol

DHCP clients that are running Windows Server 2003, Windows 2000, Windows XP, or earlier operating systems perform the DHCP/DNS interaction differently. The following examples show how this process varies in different cases.

An example of a DHCP/DNS update interaction for Windows Server 2003-based, Windows 2000-based, and Windows XP-based DHCP clients

DHCP clients that are running Windows Server 2003, Windows 2000, or Windows XP interact with the DNS dynamic update protocol in the following manner:

  1. The client initiates a DHCP request message (DHCPREQUEST) to the server. The request includes option 81.
  2. The server returns a DHCP acknowledgement message (DHCPACK) to the client, which grants an IP address lease and includes option 81. If the DHCP server is configured with the default settings, option 81 tells the client that the DHCP server will register the DNS PTR record and that the client will register the DNS A record.
  3. Asynchronously, the client sends a DNS update request to the DNS server for its own forward lookup record, a host A resource record.
  4. The DHCP server registers the PTR record of the client.

An example of a DHCP/DNS update interaction for Windows-based DHCP clients that use a version of Windows that is earlier than Windows Server 2003

Earlier versions of Windows-based DHCP clients do not support the DNS dynamic update process directly and cannot directly interact with the DNS server. For these DHCP clients, updates are typically handled in the following manner:

  1. The client initiates a DHCP request message (DHCPREQUEST) to the server. This request does not include option 81.
  2. The server returns a DHCP acknowledgement message (DHCPACK) to the client, which grants an IP address lease without option 81.
  3. The server sends updates to the DNS server for the client’s forward lookup record, the host A resource record, and sends an update for the client’s PTR reverse lookup record.
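The Client FQDN option and the server’s side of the exchanges above, as an added example that is not part of the original article. It encodes and decodes option 81 with the six fields listed earlier, then applies the three DHCP server configurations (update only if requested, always update, never update) to the Flags value a client sent, including the case of a pre-Windows 2000 client that sends no option 81 at all. The host name is constructed; the Flags value echoed back when the server is set to never update is an assumption, since the article does not state it.

```python
from typing import Dict, Optional

OPTION_CLIENT_FQDN = 81

# Flags values as the article lists them
FLAGS_CLIENT_REGISTERS_A = 0     # client registers A, server registers PTR
FLAGS_CLIENT_WANTS_SERVER_A = 1  # client asks the server to register A as well
FLAGS_SERVER_OVERRIDES = 3       # server registers A regardless of the client's wish


def encode_option81(flags: int, fqdn: str, rcode1: int = 0, rcode2: int = 0) -> bytes:
    """Code, Len, Flags, RCODE1, RCODE2, Domain Name as raw option bytes."""
    body = bytes([flags, rcode1, rcode2]) + fqdn.encode("ascii")
    if len(body) < 4:  # three fixed bytes plus a non-empty name: the article's minimum of 4
        raise ValueError("Domain Name must not be empty")
    if len(body) > 255:
        raise ValueError("option 81 body exceeds the one-byte Len field")
    return bytes([OPTION_CLIENT_FQDN, len(body)]) + body


def decode_option81(raw: bytes) -> Dict[str, object]:
    """Parse the six fields; reject anything shorter than the stated minimum."""
    if len(raw) < 2 or raw[0] != OPTION_CLIENT_FQDN:
        raise ValueError("not a Client FQDN option")
    length = raw[1]
    if length < 4 or len(raw) < 2 + length:
        raise ValueError("option 81 too short")
    return {
        "flags": raw[2],
        "rcode1": raw[3],
        "rcode2": raw[4],
        "fqdn": raw[5:2 + length].decode("ascii"),
    }


def server_decision(policy: str, client_flags: Optional[int]) -> Dict[str, object]:
    """What a DHCP server registers for one lease, per the three configurations.

    policy: "requested" (the default), "always" or "never".
    client_flags: the Flags value the client sent, or None when the client sent no
    option 81 at all (Windows clients earlier than Windows 2000).
    Returns the record types the server registers and the Flags it echoes in the
    DHCPACK (None when no option 81 goes back; assumed for the "never" policy).
    """
    if policy == "never":
        return {"server_registers": set(), "reply_flags": None}
    if policy == "always":
        return {"server_registers": {"A", "PTR"}, "reply_flags": FLAGS_SERVER_OVERRIDES}
    if policy != "requested":
        raise ValueError(f"unknown policy {policy!r}")
    if client_flags is None:
        # legacy client without option 81: the server proxies both records
        return {"server_registers": {"A", "PTR"}, "reply_flags": None}
    if client_flags == FLAGS_CLIENT_REGISTERS_A:
        return {"server_registers": {"PTR"}, "reply_flags": FLAGS_CLIENT_REGISTERS_A}
    if client_flags in (FLAGS_CLIENT_WANTS_SERVER_A, FLAGS_SERVER_OVERRIDES):
        return {"server_registers": {"A", "PTR"}, "reply_flags": client_flags}
    raise ValueError(f"unknown Flags value {client_flags}")


def handle_dhcprequest(policy: str, option81: Optional[bytes]) -> Dict[str, object]:
    """Parse the client's option (if present) and decide what the server will register."""
    flags = decode_option81(option81)["flags"] if option81 else None
    return server_decision(policy, flags)


if __name__ == "__main__":
    request = encode_option81(FLAGS_CLIENT_REGISTERS_A, "host1.example.microsoft.com")
    for policy in ("requested", "always", "never"):
        print(policy, handle_dhcprequest(policy, request))
    print("legacy client", handle_dhcprequest("requested", None))
```

Whatever the server decides, the A record of a client that sent Flags 0 is registered by the client itself through the DHCP Client service, which is why the default exchange above ends with the client and the server each sending one update.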

Secure dynamic updates

For Windows Server 2003, DNS update security is available only for zones that are integrated into Active Directory. After you integrate a zone, you can use the access control list (ACL) editing features that are available in the DNS snap-in to add or to remove users or groups from the ACL for a specific zone or for a resource record.

For more information, search for the “To modify security for a resource record” topic or the “To modify security for a directory integrated zone” topic in Windows Server 2003 Help.

By default, dynamic update security for Windows Server 2003 DNS servers and clients is handled in the following manner:

  1. Windows Server 2003-based DNS clients try to use nonsecure dynamic updates first. If the nonsecure update is refused, clients try to use a secure update.

    Also, clients use a default update policy that lets them try to overwrite a previously registered resource record, unless they are specifically blocked by update security.

  2. By default, after a zone becomes Active Directory-integrated, Windows Server 2003-based DNS servers enable only secure dynamic updates.

By default, when you use standard zone storage, the DNS Server service does not enable dynamic updates on its zones. For zones that are either directory-integrated or use standard file-based storage, you can change the zone to enable all dynamic updates. This causes all updates to be accepted, bypassing the use of secure updates.

Important The DHCP Server service can perform proxy registration and update of DNS records for legacy clients that do not support dynamic updates. For more information, see the “Using DNS servers with DHCP” topic in Windows Server 2003 Help.

If you use multiple Windows Server 2003-based DHCP servers on your network and if you configure your zones to enable secure dynamic updates only, use the Active Directory Users and Computers snap-in to add your DHCP server computers to the built-in DnsUpdateProxy group. When you do this, all your DHCP servers have the secure rights to perform proxy updates for any one of your DHCP clients. For more information, see the “Using DNS servers with DHCP” topic or the “Manage groups” topic in Windows Server 2003 Help.

Caution The secure dynamic updates functionality can be compromised if the following conditions are true:

  • You run a DHCP server on a Windows Server 2003-based domain controller.
  • The DHCP server is configured to perform registration of DNS records on behalf of its clients.

To avoid this issue, deploy DHCP servers and domain controllers on separate computers, or configure the DHCP server to use a dedicated user account for dynamic updates. For more information, see the “Using DNS servers with DHCP” topic in Windows Server 2003 Help.

For more information, see the “Security considerations when you use the DnsUpdateProxy group” section.
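The decisions described in this section, as an added example that is not part of the original article: a model of how a zone’s Dynamic updates setting and the per-record owner ACL of an Active Directory-integrated zone decide whether an update is accepted, the client’s “nonsecure first, then secure” retry, and why allowing nonsecure updates on a directory-integrated zone bypasses that security. It also models the documented behaviour of the DnsUpdateProxy group, whose members create records without an owner so that the real client can take them over later, which is what the caution about running DHCP on a domain controller is about. Principal names such as HOST1$ and DHCPSRV$ are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Zone "Dynamic updates" settings as named in the DNS snap-in
NONE, NONSECURE_AND_SECURE, SECURE_ONLY = "None", "Nonsecure and secure", "Secure only"


@dataclass
class Record:
    rdata: str
    owner: Optional[str]  # principal that registered it; None = no owner ACL on the record


@dataclass
class Zone:
    name: str
    ad_integrated: bool
    dynamic_updates: str
    records: Dict[str, Record] = field(default_factory=dict)


def accept_update(zone: Zone, name: str, rdata: str, principal: Optional[str] = None,
                  proxy_member: bool = False) -> Tuple[str, str]:
    """Server side: decide on one update. principal None means an unsigned (nonsecure) request.

    proxy_member marks a sender that is in DnsUpdateProxy: records it creates get no
    owner, so a later client can take them over. Returns (rcode, reason).
    """
    if zone.dynamic_updates == NONE:
        return "REFUSED", "dynamic updates are disabled on this zone"
    if zone.dynamic_updates == SECURE_ONLY and not zone.ad_integrated:
        return "REFUSED", "secure updates require an Active Directory-integrated zone"
    if zone.dynamic_updates == SECURE_ONLY and principal is None:
        return "REFUSED", "zone accepts secure updates only"
    existing = zone.records.get(name)
    # The owner ACL is evaluated only for a signed request on a directory-integrated zone;
    # an unsigned request on a zone that allows nonsecure updates bypasses it entirely.
    if (existing and existing.owner and zone.ad_integrated
            and principal is not None and principal != existing.owner):
        return "REFUSED", f"record is owned by {existing.owner}"
    owner = None if (proxy_member or principal is None) else principal
    zone.records[name] = Record(rdata, owner)
    return "NOERROR", "update applied"


def client_register(zone: Zone, name: str, rdata: str, principal: str) -> Tuple[str, str]:
    """Client side: nonsecure first; if refused, retry as a secure (signed) update."""
    rcode, _ = accept_update(zone, name, rdata)
    if rcode == "NOERROR":
        return "nonsecure", rcode
    rcode, _ = accept_update(zone, name, rdata, principal)
    return "secure", rcode


if __name__ == "__main__":
    zone = Zone("example.microsoft.com", ad_integrated=True, dynamic_updates=SECURE_ONLY)
    print(client_register(zone, "host1", "10.0.0.5", "HOST1$"))
    print(accept_update(zone, "host1", "10.0.0.9", "HOST2$"))      # refused: owned by HOST1$
    print(accept_update(zone, "legacy", "10.0.0.7", "DHCPSRV$", proxy_member=True))
    print(accept_update(zone, "legacy", "10.0.0.8", "HOST3$"))     # allowed: no owner
```

The last two lines are the trade-off behind the caution above: a DHCP server in DnsUpdateProxy deliberately leaves its proxied records ownerless, and if that server runs on a domain controller whose own account is in the group, the domain controller’s own registrations end up ownerless as well. A dedicated account for the DHCP server keeps the proxy behaviour away from the domain controller’s records.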

Enable only secure dynamic updates

  1. Click Start, point to Administrative Tools, and then click DNS.
  2. Under DNS, double-click the applicable DNS server, double-click Forward Lookup Zones or Reverse Lookup Zones, and then right-click the applicable zone.
  3. Click Properties.
  4. On the General tab, verify that the zone type is Active Directory-integrated.
  5. In the Dynamic updates box, click Secure only.
  6. Click OK.

Post By Gishore J Kallarackal (2,121 Posts)
