DNS Record Ownership and the DnsUpdateProxy Group
Applies To: Windows Server 2008
The DNS server can end up with stale resource records when a DHCP server is configured to dynamically register host (A) and pointer (PTR) resource records on behalf of DHCP clients using dynamic update. The following example sequence shows how this can happen:
A Windows Server 2008 DHCP server performs a dynamic update on behalf of a DHCP client.
The DHCP server creates the client’s DNS name and becomes the owner of that name.
Now only the DHCP server itself can update the DNS records for the client’s name.
The original server fails and a second backup DHCP server comes online; now the second server cannot update the client name because it is not the name’s owner.
To solve this problem, you can use a built-in security group called DnsUpdateProxy. However, to protect against unsecured records or to permit members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you must create a dedicated user account and configure DHCP servers to perform DNS dynamic updates with the credentials of this account (user name, password, and domain). Multiple DHCP servers can use the credentials of one dedicated user account.
You must create a dedicated user account and configure the DHCP servers with its credentials under the following circumstances:
The DHCP server is configured to perform DNS dynamic updates on behalf of DHCP clients.
A domain controller is configured to function as a DHCP server. Without the dedicated user account, secure updates will not work.
The DNS zones to be updated by the DHCP server are configured to allow only secure dynamic updates.
Use of the DnsUpdateProxy group offers the following advantages and disadvantages:
The advantages of using the DnsUpdateProxy group include:
Secure DNS updates can work with multiple DHCP servers: If all DHCP servers are added as members of the DnsUpdateProxy group, then the records of a server that fails can be updated by another server.
Upgraded clients can update their own records: The first user who is not a member of the DnsUpdateProxy group to modify the set of records that is associated with a DNS name becomes its owner, so when earlier version clients are upgraded they can take ownership of their name records at the DNS server.
The disadvantage of using the DnsUpdateProxy group is that it requires a dedicated user account for security. DNS domain names that are registered by the DHCP server are not secure by default when the DHCP server is a member of the DnsUpdateProxy group. To use this group in an Active Directory-integrated zone that allows only secure dynamic updates, you should create a DNS dynamic updates registration user account. When you specify credentials on the DHCP server, DNS records will be secure.
If the DHCP server is collocated on a domain controller, secure dynamic updates might fail if credentials are not configured.
See the following procedure.
To configure credentials for dynamic DNS update
In the DHCP console tree, right-click IPv4, and then click Properties.
Click Advanced, click Credentials, type the credentials that the DHCP server supplies when registering names using DNS dynamic updates, and then click OK.