Dynamic Update and Secure Dynamic Update

Windows 2000 supports both dynamic update, defined in RFC 2136, and secure dynamic update, defined in the IETF Internet-Draft "GSS Algorithm for TSIG (GSS-TSIG)."

With dynamic update, clients can automatically send updates to the name server that is authoritative for the record they want to change. The authoritative name server then checks to make sure that certain prerequisites have been met. Prerequisites are resource records that must be present or absent before records can be updated. For more information about prerequisites, see "Introduction to DNS" in this book. If the prerequisites have been met, the authoritative name server makes the change. The change can be adding records, deleting records, or modifying records.


Both clients and servers can send dynamic updates.

Dynamic update provides the following benefits:

  • Enables clients, including DHCP clients, to dynamically register A and PTR resource records with a primary server. This reduces the administrative resources needed to manually manage those records.

  • Enables DHCP servers to register A and PTR resource records on behalf of DHCP clients. This reduces the time needed to manually manage those records and provides support for DHCP clients that cannot perform dynamic updates.

  • Simplifies the setup of Active Directory by allowing domain controllers to be dynamically registered by using SRV records.

Secure dynamic update works like dynamic update, with the following exception: the authoritative name server accepts updates only from clients and servers that are authorized to make dynamic updates to the dnsZone and dnsNode objects.

Secure dynamic update provides the following benefits:

  • Protects zones and resource records from being modified by users without authorization.

  • Enables you to specify exactly which users and groups can modify zones and resource records.


Any primary zone can be configured for dynamic update. However, only Active Directory–integrated zones can be configured for secure dynamic update.

By default, the dynamic update client attempts a dynamic update first, and if it fails, negotiates a secure dynamic update. However, you can also configure it to always attempt insecure dynamic update or to always attempt secure dynamic update by adding the UpdateSecurityLevel registry entry to the following subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet \Services\Tcpip\Parameters

The value of UpdateSecurityLevel can be set to the decimal values 0, 16, or 256, which configure security as follows:

  • 256 . Specifies the use of secure dynamic update only.

  • 16 . Specifies the use of insecure dynamic update only.

  • 0 . Specifies the use of secure dynamic update when an insecure dynamic update is refused. This is the default value.



If you disable secure dynamic update, the client is not able to perform updates on zones that have been configured for secure dynamic update.

Also, if you configure a zone to use only secure dynamic update, make sure that the DHCP servers that update records in the zone are not installed on domain controllers. Otherwise, the DHCP server that performs registration of A resource records on behalf of any of its clients can take ownership of names that belong to computers that register their own records.