Adding a DHCP Server to the DnsUpdateProxy Security Group
There will be times when DNS records can't be updated because of changes on the client system, for example when the client was upgraded from Windows 2000 to Windows XP. Clients running Windows 2000 are not able to update their own DNS records. Once the system has been upgraded to Windows XP, the client computer can update its own DNS resource record, but the system has already been registered for the DHCP server to update the resource records on its behalf. So the client computer is not able to update the record unless configuration changes are made. Another issue that might prevent the client from updating its DNS resource records is that if a secondary DHCP server registers a name and then goes offline, that name cannot be dynamically updated until the secondary server comes back online.
To resolve these two issues, Windows Server 2003 Active Directory has a built-in security group called DnsUpdateProxy. Members of DnsUpdateProxy create objects that are not secure, meaning that the objects have no owner; as a result, both the DHCP server and clients can update the DNS resource records. But whichever of the DHCP server or the client is first to update such a record becomes its owner, and from then on only the owner can update the DNS resource record. To avoid this problem, the DHCP server needs to be added to the DnsUpdateProxy security group.
Windows Server 2003/2008
1. Click Start > All Programs > Administrative Tools > Active Directory Users and Computers
2. Select the Users object folder
3. In the right pane, right-click DnsUpdateProxy and select Properties
4. Click the Members tab
5. In the Members tab, click Add
6. In the Enter the object names to select box, type in the name of the DHCP servers or domain controllers that host DHCP
7. Click Check Name
8. Click OK
9. The servers should appear in the Members area
10. Click Apply
11. Click OK
Note:
Adding DHCP Servers to the DnsUpdateProxy Security Group: If you are using multiple DHCP servers for fault tolerance and secure DNS dynamic updates are required for zones serviced by these DHCP servers, be sure to add each of the computers operating a Windows Server 2003 DHCP server to the DnsUpdateProxy security group.
Caution:
For Windows Server 2003, the use of secure dynamic updates can be compromised by running a DHCP server on a domain controller when the Windows Server 2003 DHCP service is configured to perform registration of DNS records on behalf of DHCP clients. To avoid this problem, deploy DHCP servers and domain controllers on separate computers.
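The steps, note and caution above can also be scripted and audited. The following is an added example, not part of the original article: it assumes the ActiveDirectory PowerShell module (RSAT) is available, and the server names DHCP01 and DHCP02 are hypothetical placeholders. It adds each listed DHCP server to DnsUpdateProxy, warns when one is a domain controller, and reports group members that were not on the list.

```powershell
# Added example (not from the original page). Requires the ActiveDirectory module (RSAT).
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical DHCP server computer names; replace with your own.
    [string[]]$DhcpServers = @('DHCP01', 'DHCP02')
)

Import-Module ActiveDirectory -ErrorAction Stop
$group = Get-ADGroup -Identity 'DnsUpdateProxy'

# Distinguished names of the computer accounts already in the group.
$memberDns = @(Get-ADGroupMember -Identity $group |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object { $_.distinguishedName })

# primaryGroupID 516 = Domain Controllers, 521 = Read-only Domain Controllers.
$dcGroupIds = 516, 521
$expectedDns = @()

foreach ($name in $DhcpServers) {
    try {
        $computer = Get-ADComputer -Identity $name -Properties primaryGroupID
    } catch {
        Write-Warning "Computer account '$name' not found; skipped."
        continue
    }
    $expectedDns += $computer.DistinguishedName
    $isDc = $dcGroupIds -contains $computer.primaryGroupID

    if ($memberDns -contains $computer.DistinguishedName) {
        $action = 'AlreadyMember'
    } elseif ($PSCmdlet.ShouldProcess($computer.Name, 'Add to DnsUpdateProxy')) {
        Add-ADGroupMember -Identity $group -Members $computer
        $action = 'Added'
    } else {
        $action = 'WouldAdd'   # -WhatIf was given or the prompt was declined
    }
    if ($isDc) {
        Write-Warning "$($computer.Name) is a domain controller; see the caution about running DHCP on a DC."
    }
    [pscustomobject]@{ Server = $computer.Name; IsDomainController = $isDc; Action = $action }
}

# Members not named above: review them, since they also register unsecured records.
$memberDns | Where-Object { $expectedDns -notcontains $_ } | ForEach-Object {
    Write-Warning "Unlisted DnsUpdateProxy member: $_"
}
```

Run it with -WhatIf first to see which accounts would be added without changing the group.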