Adding Members to the DnsUpdateProxy Group
You can configure the DnsUpdateProxy global security group through the Active Directory Users and Computers console.
Important: If you are using multiple DHCP servers for fault tolerance, and secure DNS dynamic updates are required on zones serviced by these DHCP servers, be sure to add each of the computers operating a Windows Server 2003 DHCP server to the DnsUpdateProxy global security group.
Security Concerns
Although adding all DHCP servers to this special built-in group helps resolve some concerns about maintaining secure DNS updates, this solution also introduces some additional security risks.
For example, any DNS domain names registered by the computer running the DHCP server are not secure. The A resource record for the DHCP server itself is an example of such a record. To protect against this risk, you can manually specify a different owner for any DNS records associated with the DHCP server itself.
However, a more significant issue arises if the DHCP server (which is a member of the DnsUpdateProxy group) is installed on a domain controller. In this case, all service location (SRV), host (A), or alias (CNAME) resource records registered by the Netlogon service for the domain controller are not secure. To minimize this problem, you should not install a DHCP server on a domain controller when using dynamic updates.
Caution: For Windows Server 2003, the use of secure dynamic updates can be compromised by running a DHCP server on a domain controller when the Windows Server 2003 DHCP service is configured to perform registration of DNS records on behalf of DHCP clients. To avoid this problem, deploy DHCP servers and domain controllers on separate computers.
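The two rules above (every DHCP server belongs in DnsUpdateProxy, and no member should be a domain controller) can be checked together. The following is an added example, not code from the original tutorial: a hypothetical helper, Test-DnsUpdateProxyAudit, run over a constructed inventory with placeholder example.com host names. The commented cmdlet calls for collecting live data assume a management host with the ActiveDirectory and DhcpServer modules installed.

```powershell
# Added example. Test-DnsUpdateProxyAudit is a hypothetical helper, not a built-in cmdlet.
function Test-DnsUpdateProxyAudit {
    param(
        [string[]]$GroupMembers = @(),      # computers in DnsUpdateProxy
        [string[]]$DhcpServers = @(),       # DHCP servers that register DNS records
        [string[]]$DomainControllers = @()  # domain controllers
    )
    # Compare host names case-insensitively and ignore a trailing root dot.
    $clean   = { $_.TrimEnd('.').ToLowerInvariant() }
    $members = @($GroupMembers | ForEach-Object $clean)
    $dhcp    = @($DhcpServers | ForEach-Object $clean)
    $dcs     = @($DomainControllers | ForEach-Object $clean)

    foreach ($name in ($members + $dhcp | Sort-Object -Unique)) {
        $inGroup = $members -contains $name
        $isDhcp  = $dhcp -contains $name
        $isDc    = $dcs -contains $name
        $finding = if ($inGroup -and $isDc) {
            'Group member is a domain controller: Netlogon SRV, A and CNAME records are not secure'
        } elseif ($isDhcp -and -not $inGroup) {
            'DHCP server is not in DnsUpdateProxy'
        } elseif ($inGroup -and -not $isDhcp) {
            'Group member is not a listed DHCP server: review the membership'
        } else {
            'OK (consider setting a different owner on the server''s own records)'
        }
        [pscustomobject]@{
            Host             = $name
            InGroup          = $inGroup
            DhcpServer       = $isDhcp
            DomainController = $isDc
            Finding          = $finding
        }
    }
}

# Live data could be gathered like this (assumed environment, see lead-in):
#   $m  = (Get-ADGroupMember DnsUpdateProxy | Where-Object objectClass -eq 'computer' | Get-ADComputer).DNSHostName
#   $dh = (Get-DhcpServerInDC).DnsName
#   $dc = (Get-ADDomainController -Filter *).HostName

# Constructed sample inventory (example.com names are placeholders).
$report = Test-DnsUpdateProxyAudit `
    -GroupMembers 'dhcp1.example.com', 'DC1.example.com' `
    -DhcpServers 'dhcp1.example.com', 'dhcp2.example.com', 'dc1.example.com' `
    -DomainControllers 'dc1.example.com'
$report | Format-Table -AutoSize
```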