
Adding Members to the DnsUpdateProxy Group

You can configure the DnsUpdateProxy global security group through the Active Directory Users And Computers console.

Important If you are using multiple DHCP servers for fault tolerance, and secure DNS dynamic updates are required on zones serviced by these DHCP servers, be sure to add each of the computers operating a Windows Server 2003 DHCP server to the DnsUpdateProxy global security group.

Security Concerns Although adding all DHCP servers to this special built-in group helps resolve some concerns about maintaining secure DNS updates, this solution also introduces some additional security risks.

For example, any DNS names registered by the computer running the DHCP server are not secure: records created by a member of the DnsUpdateProxy group are written without a protecting owner, so that the first client that is not a member of the group to update them can take ownership. The A resource record for the DHCP server itself is an example of such a record. To protect against this risk, you can manually specify a different owner (the DHCP server's own computer account, for example) for any DNS records associated with the DHCP server itself.

However, a more significant issue arises if the DHCP server (which is a member of the DnsUpdateProxy group) is installed on a domain controller. In this case, all service location (SRV), host (A), and alias (CNAME) resource records registered by the Netlogon service for the domain controller are not secure, because they too are created by a DnsUpdateProxy member. To avoid this problem, do not install a DHCP server on a domain controller when using dynamic updates.

Caution For Windows Server 2003, the use of secure dynamic updates can be compromised by running a DHCP server on a domain controller when the Windows Server 2003 DHCP service is configured to perform registration of DNS records on behalf of DHCP clients. To avoid this problem, deploy DHCP servers and domain controllers on separate computers.
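The following script is an added example and is not part of the original page; it performs the group change described above from the command line instead of the Active Directory Users And Computers console, and then applies the two checks that the security concerns and the caution call for. It assumes the ActiveDirectory PowerShell module (a newer tool than the Windows Server 2003 console the page describes), a domain named corp.example.com whose zone is stored in the DomainDnsZones partition, and DHCP servers named DHCP01 and DHCP02. All of those names are placeholders.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory RSAT module,
# a domain corp.example.com whose DNS zone lives in the DomainDnsZones partition,
# and DHCP servers DHCP01 and DHCP02 (all placeholders; replace with your own).
Import-Module ActiveDirectory

$domainDn    = 'DC=corp,DC=example,DC=com'   # assumption: your domain's DN
$zone        = 'corp.example.com'            # assumption: your forward lookup zone
$dhcpServers = @('DHCP01', 'DHCP02')         # assumption: your DHCP server names

# 1. Add each DHCP server's computer account to DnsUpdateProxy. This is the
#    command-line equivalent of the console steps; every DHCP server that
#    registers records on behalf of clients must be a member.
foreach ($name in $dhcpServers) {
    $computer = Get-ADComputer -Identity $name
    Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members $computer
}

# 2. Check: no member of DnsUpdateProxy may be a domain controller. A DC in the
#    group registers its Netlogon SRV/A/CNAME records without protection.
$dcNames = (Get-ADDomainController -Filter *).Name
$members = Get-ADGroupMember -Identity 'DnsUpdateProxy' |
           Where-Object { $_.objectClass -eq 'computer' }
foreach ($m in $members) {
    if ($dcNames -contains $m.Name) {
        Write-Warning "$($m.Name) is both a domain controller and a DnsUpdateProxy member."
    }
}

# 3. Check: the DHCP server's own host record is created by a DnsUpdateProxy
#    member and therefore has no protecting owner. Read the owner of each
#    server's dnsNode object and flag it when the owner is not that server's own
#    computer account. The DN layout is the standard one for AD-integrated zones
#    stored in DomainDnsZones (assumption: your zone is stored there).
$netbios = (Get-ADDomain).NetBIOSName
foreach ($name in $dhcpServers) {
    $nodeDn   = "DC=$name,DC=$zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
    $owner    = (Get-Acl -Path "AD:\$nodeDn").Owner
    $expected = "$netbios\$name`$"
    if ($owner -ne $expected) {
        Write-Warning "Host record for $name is owned by '$owner', not $expected; assign the owner manually."
    } else {
        Write-Host "Host record for $name is owned by its own computer account."
    }
}
```

Run this on a domain-joined management host as an account that can modify group membership and read the DNS zone objects. The second check is the one to keep in a recurring audit: a DHCP role added to a domain controller at a later date silently reintroduces the problem the caution describes.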
