Client Dynamic Updates and DHCP
You can configure DHCP servers in your enterprise to dynamically update DNS when the DHCP server assigns a DHCP client computer IP information, or you can allow clients to dynamically update DNS.
DNS clients running Windows 2000, Windows XP, and Windows Server 2003 can dynamically update DNS on startup. When DNS clients are allowed to update DNS, the DNS Client service locates the primary DNS server for the client's zone (by querying the zone's SOA record) and sends a dynamic update that registers the appropriate client information, such as the system IP address and the fully qualified domain name (FQDN), regardless of whether the IP address was entered manually or assigned via DHCP. Registration is also repeated periodically (by default every 24 hours) and whenever the address changes, and can be forced at any time with ipconfig /registerdns.
To have clients dynamically update DNS, in the Network and Dial-up Connections dialog box, select the client's active network connection, and choose Properties. Select Internet Protocol (TCP/IP), and click the Properties button. In the General tab, click the Advanced button to open the Advanced TCP/IP Settings dialog box, and then select the DNS tab (see Figure 3.6). The Register this connection's addresses in DNS check box is selected by default on these operating systems.
Figure 3.6 The Register this connection's addresses in DNS check box is enabled at the bottom of the Advanced TCP/IP Settings dialog box.
If you decide instead to have the DHCP server update DNS, you configure this in the DHCP console rather than on a DNS zone: the setting applies either to the whole DHCP server (all scopes) or to an individual scope, and the DHCP server sends its updates to whichever zone matches the client's FQDN. Right-click the server or scope in the left pane and choose Properties. In the DNS tab (see Figure 3.7), select the Enable DNS dynamic updates according to the settings below check box. Then choose whether the DHCP server updates A and PTR records only when a client requests it (the default) or always performs the updates, overriding the client's own setting.
Figure 3.7 The Always dynamically update DNS A and PTR records option has been set.
You can also set the DHCP server to update A and PTR records on behalf of clients that do not make any dynamic update requests, such as Windows NT 4 systems (the Dynamically update DNS A and PTR records for DHCP clients that do not request updates check box on the same tab). If you want the DHCP server to be the only source of client records, restrict update rights on the zone at the DNS server so that only the DHCP server (or the account it uses for updates) is authorized to register entries.
If you use multiple Windows Server 2003 DHCP servers on your network and configure your zones to allow secure dynamic updates only, add your DHCP servers to the built-in DnsUpdateProxy security group so that any of them can update a record that another DHCP server originally registered. Be aware of the trade-off: records created by members of DnsUpdateProxy are written with no owner ACE, so the first authenticated user or computer to touch such a record takes ownership of it, and until then any authenticated user can modify it. For the same reason, never add a domain controller that also runs DHCP to this group, because the records the domain controller registers for itself would become unprotected; the safer alternative on Windows Server 2003 is to give the DHCP server a dedicated low-privilege account for DNS registrations (netsh dhcp server set dnscredentials), which then owns the records it creates. The default Discretionary Access Control List (DACL) entries on the DNS zones stored in Active Directory are as follows:
Administrators have Allow settings for the following: Read, Write, Create All Child Objects, Special Permissions
DnsAdmins have Allow settings for the following: Full Control, Read, Write, Create All Child Objects, Delete Child Objects
Domain Admins have Allow settings for the following: Full Control, Read, Write, Create All Child Objects, Delete Child Objects
Enterprise Admins have Allow settings for the following: Full Control, Read, Write, Create All Child Objects, Delete Child Objects
Enterprise Domain Controllers have Allow settings for the following: Special Permissions
Pre-Windows 2000 Compatible Access has Allow settings for the following: Special Permissions
System has Allow settings for the following: Full Control, Read, Write, Create All Child Objects, Delete Child Objects
In addition, Authenticated Users have Allow settings for Create All Child Objects; this is the entry that lets each domain computer create (and subsequently own) its own host record under secure dynamic update.
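The server-side configuration described above, as an added example that is not part of the book: it requires secure-only updates on the zone, assigns the DHCP server dedicated update credentials instead of relying on DnsUpdateProxy membership, and audits that group for domain controllers. The zone name gunderville.com, the account svc-dhcpdns and the NetBIOS domain GUNDERVILLE are assumptions; dnscmd.exe and netsh are the Windows Server 2003 tools, and the script assumes Windows PowerShell has been installed on the server.

```powershell
# Added example (not from the book). Run on the DHCP/DNS server as a member
# of DnsAdmins and a local administrator of the DHCP server.
# Assumed names: zone gunderville.com, account GUNDERVILLE\svc-dhcpdns.
$Zone        = 'gunderville.com'
$DnsServer   = 'localhost'
$Account     = 'svc-dhcpdns'
$NetbiosDom  = 'GUNDERVILLE'
$DomainDn    = 'DC=gunderville,DC=com'

# 1. Require secure dynamic updates on the Active Directory-integrated zone.
#    /AllowUpdate 0 = no updates, 1 = nonsecure and secure, 2 = secure only
#    (2 is accepted only for AD-integrated zones).
dnscmd $DnsServer /Config $Zone /AllowUpdate 2
dnscmd $DnsServer /ZoneInfo $Zone | Select-String -Pattern 'update'

# 2. Give the DHCP server its own account for DNS registrations. Records it
#    creates are then owned by this account, rather than being ownerless as
#    they would be if the server's computer account were in DnsUpdateProxy.
#    The password is prompted for so it never sits in the script.
$Secure = Read-Host -Prompt "Password for $NetbiosDom\$Account" -AsSecureString
$Bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
$Plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($Bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)
netsh dhcp server set dnscredentials $Account $NetbiosDom $Plain
$Plain = $null
netsh dhcp server show dnscredentials

# 3. Audit DnsUpdateProxy: list members and flag any domain controller.
$Group = [ADSI]"LDAP://CN=DnsUpdateProxy,CN=Users,$DomainDn"
$Dcs   = [ADSI]"LDAP://OU=Domain Controllers,$DomainDn"
$DcDns = @()
foreach ($dc in $Dcs.Children) { $DcDns += $dc.distinguishedName.ToString() }
foreach ($memberDn in $Group.member) {
    $dn = $memberDn.ToString()
    if ($DcDns -contains $dn) {
        Write-Warning "Domain controller $dn is in DnsUpdateProxy; its own records will be unprotected. Remove it."
    } else {
        Write-Host "DnsUpdateProxy member: $dn"
    }
}
```

After step 2, records the DHCP server registers show the svc-dhcpdns account as owner in the zone's DACL; if you later replace the account, the new account cannot overwrite records owned by the old one, so keep a single account across all DHCP servers or remove stale records explicitly.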
When dealing with clients that dynamically update their own DNS records, host record registration often fails because the primary DNS suffix on the client machine does not match the DNS zone name. For example, say you have gunderville.com as the actual Active Directory domain and DNS domain, and the computer has a primary DNS suffix of 2000trainers.com. The client builds its FQDN from the primary DNS suffix, so it attempts to register in the 2000trainers.com zone, which fails unless a zone by that name exists and accepts the client's update; either way, no record appears in gunderville.com. The fix is to set the primary DNS suffix (System Properties, or the Primary DNS Suffix Group Policy setting) to match the zone, then force a new registration with ipconfig /registerdns.
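A client-side check for the failure modes discussed in this section, as an added example that is not part of the book: it reads the registry values that back the primary DNS suffix and the Register this connection's addresses in DNS check box, warns when the suffix does not match the expected zone, and then forces re-registration and looks the record up. The zone gunderville.com is an assumption; the registry locations are the ones Windows 2000, XP and Server 2003 use for these settings, and the script assumes Windows PowerShell is installed on the client.

```powershell
# Added example (not from the book). Run locally on the client as an
# administrator. Assumed zone: gunderville.com.
$ExpectedZone = 'gunderville.com'
$Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$p = Get-ItemProperty -Path $Params

# 1. Primary DNS suffix. 'Domain' is the value in effect; 'NV Domain' is the
#    one typed into System Properties and takes effect after a reboot.
$Suffix = [string]$p.Domain
$Pending = [string]$p.'NV Domain'
if ($Suffix -ne $ExpectedZone) {
    Write-Warning "Primary DNS suffix is '$Suffix', not '$ExpectedZone': the client will try to register in zone '$Suffix'."
}
if ($Pending -ne $Suffix) {
    Write-Warning "Suffix '$Pending' is configured but not yet in effect; reboot required."
}

# 2. Global switch: DisableDynamicUpdate = 1 turns off all registration.
if ($p.DisableDynamicUpdate -eq 1) {
    Write-Warning 'Dynamic update is disabled on this computer (DisableDynamicUpdate=1).'
}

# 3. Per-connection check box: RegistrationEnabled = 0 under the interface
#    key means the box is cleared; a missing value means it is selected.
Get-ChildItem -Path "$Params\Interfaces" | ForEach-Object {
    $i = Get-ItemProperty -Path $_.PSPath
    if ($i.RegistrationEnabled -eq 0) {
        Write-Warning "Register this connection's addresses in DNS is cleared on interface $($_.PSChildName)."
    }
}

# 4. Force a fresh registration. The update is sent asynchronously, so wait
#    before querying; DnsApi events in the System log record any failure.
ipconfig /registerdns
Start-Sleep -Seconds 15
$Fqdn = ("$env:COMPUTERNAME.$ExpectedZone").ToLower()
nslookup $Fqdn
```

If nslookup still returns no record, query the zone's primary server directly (nslookup name server) rather than a caching resolver, and confirm on the DNS server that the zone's dynamic update setting allows the client's update type.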