
Using the DnsUpdateProxy Security Group

As previously described, you can configure a Windows Server 2003 DHCP server so that it dynamically registers both A and PTR resource records on behalf of its DHCP clients. In this configuration, using secure dynamic updates with Windows Server 2003 DNS servers can occasionally leave stale resource records behind. Secure dynamic update requires that only the owner of a resource record (the security principal that created it) may update that record, so if the principal responsible for a name changes, for example because the registering DHCP server is replaced or the client starts registering its own records, the existing record can no longer be updated.

For example, suppose the following sequence of events occurs:

  1. A Windows Server 2003 DHCP server (DHCP1) performs a secure dynamic update on behalf of one of its clients for a specific DNS domain name.
  2. Because DHCP1 successfully created the name, DHCP1 becomes the owner of the name.
  3. Once DHCP1 becomes the owner of the client name and associated resource records, only DHCP1 can update the name or its IP address.

In some circumstances, this situation causes problems. For instance, suppose DHCP1 later fails. If a second, backup DHCP server (DHCP2) takes over its scopes and issues the client a new lease, DHCP2 is unable to update the client's A and PTR records because DHCP2 is not the owner of those records.

In a similar example, suppose DHCP1 has registered the name host.example.microsoft.com on behalf of a client running a version of Windows earlier than Windows 2000. Then the administrator upgrades that client computer to Windows XP Professional. Because the DHCP server (DHCP1) is the owner of this name, the client cannot update its own DNS records once the computer is upgraded.

To solve these kinds of problems, Windows Server 2003 Active Directory provides a built-in security group called DnsUpdateProxy. Any object created by a member of this group is created without the usual protective security settings. As a result, the object initially has no effective owner, and it can therefore be updated by a DHCP server or client that did not create it, even in zones that require secure updates. However, as soon as the first DHCP server or client that is not a member of the DnsUpdateProxy group modifies such a record, that server or client becomes its owner, and from that point on only the owner can update the record in zones requiring secure updates. Thus, if every DHCP server that registers resource records for older clients is a member of this group, and the clients themselves are not, the problems discussed earlier are eliminated. Note the trade-off: until that first update by a non-member, the record is unprotected and any authenticated DHCP server or client can modify it, so membership in DnsUpdateProxy should be limited to the DHCP servers themselves.
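The following PowerShell script is an added example, not part of the original page or of Microsoft's documentation. It shows how to audit and correct DnsUpdateProxy membership for a set of DHCP servers and how to inspect the owner and write-capable ACEs on the dnsNode object behind a record such as host.example.microsoft.com, which is what decides whether a secure dynamic update from another server will succeed. It assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later, not the Windows Server 2003 tooling the page describes) with its AD: drive, the DhcpServer module (Windows Server 2012 or later) for the final check, and that the zone is stored in the DomainDnsZones partition; the server names DHCP1 and DHCP2, the zone name and the host name are placeholders.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory and DhcpServer
# PowerShell modules; DHCP1/DHCP2, the zone and the host name are hypothetical placeholders.
Import-Module ActiveDirectory

$dhcpServers = 'DHCP1', 'DHCP2'           # every DHCP server that registers records for clients
$zone        = 'example.microsoft.com'    # zone assumed to live in the DomainDnsZones partition
$hostName    = 'host'                     # record to inspect: host.example.microsoft.com

# 1. Every DHCP server's computer account must be in DnsUpdateProxy, and nothing else should be:
#    a client in this group would register unprotected records of its own.
$members = Get-ADGroupMember -Identity 'DnsUpdateProxy' -Recursive
foreach ($srv in $dhcpServers) {
    if ($members.SamAccountName -notcontains "$srv`$") {
        Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members (Get-ADComputer -Identity $srv)
        Write-Host "Added $srv`$ to DnsUpdateProxy"
    }
}
$unexpected = $members | Where-Object { $dhcpServers -notcontains $_.Name }
if ($unexpected) {
    Write-Warning ("Unexpected DnsUpdateProxy members (remove them): " + ($unexpected.Name -join ', '))
}

# 2. Find the dnsNode object for the record and show who owns it and who may write it.
#    A record owned by DHCP1$ with no other write access is exactly the stuck case described above;
#    a record created by a DnsUpdateProxy member shows broader write access until first claimed.
$domainDn   = (Get-ADDomain).DistinguishedName
$searchBase = "DC=$zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
$node = Get-ADObject -LDAPFilter "(&(objectClass=dnsNode)(name=$hostName))" -SearchBase $searchBase

if (-not $node) {
    Write-Warning "No dnsNode named $hostName under $searchBase (zone may be in another partition)"
} else {
    $acl = Get-Acl -Path "AD:\$($node.DistinguishedName)"
    Write-Host "Owner of $hostName.$zone : $($acl.Owner)"
    $acl.Access |
        Where-Object { $_.ActiveDirectoryRights -match 'Write|GenericAll' -and
                       $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, ActiveDirectoryRights |
        Format-Table -AutoSize
}

# 3. Confirm each DHCP server is actually configured to register records for older clients;
#    otherwise DnsUpdateProxy membership is irrelevant for those clients.
Import-Module DhcpServer
foreach ($srv in $dhcpServers) {
    $dns = Get-DhcpServerv4DnsSetting -ComputerName $srv
    if (-not $dns.UpdateDnsRRForOlderClients) {
        Write-Warning "$srv does not register A/PTR records for pre-Windows 2000 clients"
    }
}
```

Run it from an account that can modify group membership and read the DNS application partition. Step 2 is the diagnostic: if the owner shown is one DHCP server's computer account and no other principal has write access, a takeover by the second server or by the upgraded client will be refused, which is the symptom the text describes. If the zone is stored in ForestDnsZones or in the domain partition (CN=System), adjust the search base accordingly.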
