Using DNS servers with DHCP
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
When installing the Windows Server 2003 DHCP service, you can configure the server to perform updates on behalf of its DHCP clients to any Domain Name System (DNS) servers that support dynamic updates.
How DHCP/DNS update interaction works
The DHCP server can be used to register and update the pointer (PTR) and host (A) resource records on behalf of its DHCP-enabled clients.
This process requires the use of an additional DHCP option, the Client FQDN option (option 81). This option permits the client to provide its fully qualified domain name (FQDN) as well as instructions to the DHCP server on how it would like the server to process DNS dynamic updates (if any) on its behalf.
When this option is issued by a qualified DHCP client, such as a DHCP-enabled computer running Windows 2000, Windows XP, or a Windows Server 2003 operating system, option 81 is processed and interpreted by a DHCP server running Windows Server 2003 to determine how the server initiates updates on behalf of the client. If the server is configured to perform DNS dynamic updates, it takes one of the following actions:
The DHCP server updates both DNS A and PTR records if requested by clients using option 81.
The DHCP server updates DNS A and PTR records regardless of whether the client requests this action or not.
In addition, the DHCP server can dynamically update DNS A and PTR records on behalf of legacy clients that are not capable of sending option 81 to the server. You can also configure the DHCP server to discard client A and PTR records when the client lease is deleted.
The DHCP server can be configured in one of the following ways:
The DHCP server registers and updates client information with the authoritative DNS server of the zone in which the DHCP server is located according to the DHCP client request.
This is the default configuration for DHCP servers running Windows Server 2003 and DHCP clients running Windows 2000, Windows XP, or a Windows Server 2003 operating system. In this mode, the DHCP client can request the way in which the DHCP server performs updates of its host (A) and pointer (PTR) resource records. If possible, the DHCP server accommodates the client request for handling updates to its name and IP address information in DNS.
To modify this setting, select the Dynamically update DNS A and PTR records only if requested by the DHCP clients check box, which is located in Properties on the DNS tab on the applicable DHCP server or on one of its scopes.
The DHCP server always registers and updates client information in DNS.
This is a modified configuration supported for DHCP servers running Windows Server 2003 and DHCP clients running Windows 2000, Windows XP, or a Windows Server 2003 operating system. In this mode, the DHCP server always performs updates of the client's FQDN, leased IP address information, and both its host (A) and pointer (PTR) resource records, regardless of whether the client has requested to perform its own updates.
To modify this setting, select the Enable DNS dynamic updates according to the settings below check box and click Always dynamically update DNS A and PTR records, which is located in Properties on the DNS tab on the applicable DHCP server or on one of its scopes.
The DHCP server never registers and updates client information in DNS.
To set this behavior, the DHCP server must be configured not to perform DHCP/DNS proxied updates. With this feature disabled, no client host (A) or pointer (PTR) resource records are updated in DNS for DHCP clients.
If necessary, this change in setting can be made at DHCP servers running Windows Server 2003 by clearing the Enable DNS dynamic updates according to the settings below check box, which is located in Properties on the DNS tab on the applicable DHCP server or one of its scopes. By default, updates are always performed for newly installed DHCP servers running Windows Server 2003 and any new scopes created for them.
Advanced DHCP/DNS server configuration options
In addition to these standard DHCP/DNS interactions, the DHCP server can be configured to perform these optional update tasks as follows:
The server can be selectively configured not to send updates that discard a client host (A) resource record when the client lease expires.
When the DHCP server is enabled to perform DNS updates, it always sends updates to discard the client pointer (PTR) resource records when the lease expires. Whether the server also does this with client host (A) resource records when the lease of a client expires (by default, the server discards these) is a configurable option.
To modify this at the applicable DHCP server, clear the Discard forward (name-to-address) lookups when lease expires check box in Properties on the DNS tab.
The server can be selectively configured not to send updates for clients that are unable to use the Client FQDN option (option 81) to request the way that updates are handled.
By default, the DHCP server does not send updates for clients that do not support option 81.
To modify this setting, select the Dynamically update DNS A and PTR records for DHCP clients that do not request updates (for example, clients running Windows NT 4.0) check box, which is located in Properties on the DNS tab on the applicable DHCP server or one of its scopes.
Windows DHCP clients and DNS dynamic update protocol
DHCP clients running Windows 2000, Windows XP, or a Windows Server 2003 operating system interact differently than earlier versions of Windows when performing the DHCP/DNS interactions previously described. The following examples and graphics show how this process varies in different cases.
Example 1: DHCP/DNS update interaction for DHCP clients running Windows 2000, Windows XP, or a Windows Server 2003 operating system
DHCP clients running Windows 2000, Windows XP, or a Windows Server 2003 operating system interact with DNS dynamic update protocol as follows:
The client initiates a DHCP request message (DHCPREQUEST) to the server and includes DHCP option 81. By default, the client requests that the DHCP server register the DNS PTR record, while the client registers its own DNS A record.
The server returns a DHCP acknowledgment message (DHCPACK) to the client, granting an IP address lease and including DHCP option 81. If the DHCP server is configured with the default settings (dynamically update DNS A and PTR records only if requested by the DHCP clients), then option 81 instructs the client that the DHCP server will register the DNS PTR record and the client will register the DNS A record.
Asynchronously, the client registers its DNS A record, and the DHCP server registers the DNS PTR record of the client.
Example 2: DHCP/DNS update interaction for earlier Windows DHCP clients (prior to Windows 2000)
Earlier versions of Windows DHCP clients do not support the DNS dynamic update process directly, and therefore, cannot directly interact with the DNS server. For these DHCP clients, updates are typically handled as follows:
The client initiates a DHCP request message (DHCPREQUEST) to the server. The request does not include DHCP option 81.
The server returns a DHCP acknowledgment message (DHCPACK) to the client, granting an IP address lease, without DHCP option 81.
The server then sends updates to the DNS server for the forward lookup record of the client, which is a host (A) resource record. The server also sends updates for the reverse lookup record of the client, which is a pointer (PTR) resource record.
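The following Python model is an added example, not Microsoft code or part of the original page. It ties together the three server configuration modes described in "How DHCP/DNS update interaction works" and the two exchanges in Examples 1 and 2: it encodes and parses the Client FQDN option (option 81), then decides, for a given DNS tab setting, which records the DHCP server registers, whether the client registers its own A record, and what option 81 (if any) goes back in the DHCPACK. The wire format and the S, O, E and N flag bits follow RFC 4702, the published form of the "Interaction between DHCP and DNS" draft cited later on this page; the handling of the N bit, the echoing of the E bit, and the sample host names are the example's own assumptions.

```python
"""Model of option 81 (Client FQDN) handling by a DHCP server (added example, not Microsoft code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Flag bits of the option 81 flags byte as defined in RFC 4702.
FLAG_S = 0x01  # client asks the server to register the client's A record
FLAG_O = 0x02  # server sets this in its reply when it overrides the client's S choice
FLAG_E = 0x04  # FQDN field uses DNS label encoding instead of plain ASCII
FLAG_N = 0x08  # client asks the server to perform no DNS updates at all


@dataclass(frozen=True)
class ClientFqdn:
    flags: int
    rcode1: int
    rcode2: int
    fqdn: str


def _encode_labels(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def _decode_labels(data: bytes) -> str:
    labels, i = [], 0
    while i < len(data):
        n = data[i]
        i += 1
        if n == 0:
            break
        if n > 63 or i + n > len(data):
            raise ValueError("malformed label")
        labels.append(data[i:i + n].decode("ascii"))
        i += n
    return ".".join(labels)


def build_option81(flags: int, fqdn: str, rcode1: int = 0, rcode2: int = 0) -> bytes:
    """Option 81 payload: flags, RCODE1, RCODE2, then the name (ASCII or labels per E flag)."""
    body = _encode_labels(fqdn) if flags & FLAG_E else fqdn.encode("ascii")
    return bytes([flags & 0x0F, rcode1, rcode2]) + body


def parse_option81(payload: bytes) -> ClientFqdn:
    if len(payload) < 3:
        raise ValueError("option 81 needs flags, rcode1 and rcode2")
    flags, rcode1, rcode2, body = payload[0], payload[1], payload[2], payload[3:]
    fqdn = _decode_labels(body) if flags & FLAG_E else body.decode("ascii")
    return ClientFqdn(flags, rcode1, rcode2, fqdn)


class ServerMode(Enum):
    """The three DNS tab settings described on the page."""
    ONLY_IF_REQUESTED = "update A and PTR only if requested by the DHCP clients (default)"
    ALWAYS = "always dynamically update DNS A and PTR records"
    NEVER = "DNS dynamic updates disabled"


@dataclass(frozen=True)
class UpdatePlan:
    server_updates_a: bool
    server_updates_ptr: bool
    client_registers_a: bool
    reply: Optional[bytes]  # option 81 placed in the DHCPACK, None if not included


def plan_updates(request: Optional[bytes], mode: ServerMode, update_legacy: bool = False) -> UpdatePlan:
    """Decide who registers what, given the client's option 81 (None for a legacy client)."""
    if request is None:
        # Example 2: no option 81 in DHCPREQUEST. Only the "clients that do not request
        # updates" setting makes the server register both records; the client cannot.
        both = mode is not ServerMode.NEVER and update_legacy
        return UpdatePlan(both, both, False, None)
    opt = parse_option81(request)
    keep_e = opt.flags & FLAG_E  # assumption: reply uses the same name encoding as the request
    if mode is ServerMode.NEVER:
        # No option 81 in the ACK: the client falls back to registering its own A record.
        return UpdatePlan(False, False, True, None)
    if mode is ServerMode.ALWAYS:
        # Server takes both records and tells the client so with S and O set.
        return UpdatePlan(True, True, False, build_option81(FLAG_S | FLAG_O | keep_e, opt.fqdn))
    # ONLY_IF_REQUESTED (default): honor the client's flags.
    if opt.flags & FLAG_N:
        return UpdatePlan(False, False, True, build_option81(FLAG_N | keep_e, opt.fqdn))
    if opt.flags & FLAG_S:
        return UpdatePlan(True, True, False, build_option81(FLAG_S | keep_e, opt.fqdn))
    # Example 1, default Windows client request: client registers A, server registers PTR.
    return UpdatePlan(False, True, True, build_option81(keep_e, opt.fqdn))


if __name__ == "__main__":
    req = build_option81(0, "ws01.corp.example")  # constructed sample DHCPREQUEST option
    for mode in ServerMode:
        print(mode.name, plan_updates(req, mode))
    print("legacy client", plan_updates(None, ServerMode.ONLY_IF_REQUESTED, update_legacy=True))
```

Running the block prints one plan per server mode for a default Windows-style request (flags 0) and one for a legacy client with the "clients that do not request updates" setting turned on; the PTR-only result in the default mode is the Example 1 exchange, and the both-records result for the legacy client is Example 2.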
DNS record ownership and the DnsUpdateProxy group
As previously described, you can configure a DHCP server so that it dynamically registers host (A) and pointer (PTR) resource records on behalf of DHCP clients. In this configuration, the use of secure dynamic update with DNS servers might cause stale resource records.
For example, suppose the following sequence of events occurs:
A DHCP server running Windows Server 2003 (DHCP1) performs a secure dynamic update on behalf of one of its clients for a specific DNS domain name.
Because the DHCP server successfully created the name, it becomes the owner of the name.
Once the DHCP server becomes the owner of the name, only that DHCP server can update the DNS records for that name.
In some circumstances, this can cause problems. For example, if DHCP1 fails and a second backup DHCP server comes online, the second server cannot update the client name because it is not the owner of the name.
In another example, if the DHCP server performs DNS dynamic updates for legacy DHCP clients (clients running a version of Windows earlier than Windows 2000), and those clients are later upgraded to Windows 2000, Windows XP, or a Windows Server 2003 operating system, the upgraded client cannot take ownership of or update its own DNS records.
To solve this problem, the built-in security group called DnsUpdateProxy is provided. If all DHCP servers are added as members of the DnsUpdateProxy group, then the records of one server can be updated by another server if the first server fails. Also, because all of the objects that are created by the members of the DnsUpdateProxy group are not secured, the first user (that is not a member of the DnsUpdateProxy group) to modify the set of records that is associated with a DNS name becomes its owner. When legacy clients are upgraded, they can therefore take ownership of their name records at the DNS server. If every DHCP server registering resource records for legacy clients is a member of the DnsUpdateProxy group, the problems discussed earlier are eliminated.
You can configure the DnsUpdateProxy security group through Active Directory Users and Computers. For more information, see Add a member to a group.
Securing records when using the DnsUpdateProxy group
DNS domain names that are registered by the DHCP server are not secure when the DHCP server is a member of the DnsUpdateProxy group. The host (A) resource record for the DHCP server itself is an example of such a record. Also, because objects created by the members of the DnsUpdateProxy group are not secured, it is impossible to use this group effectively in an Active Directory integrated zone that allows only secure dynamic updates unless you take additional steps to allow records created by members of the group to be secured.
To protect against unsecured records, or to allow members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you can create a dedicated user account and configure DHCP servers to perform DNS dynamic updates with the user account credentials (user name, password, and domain). The credentials of one dedicated user account can be used by multiple DHCP servers.
A dedicated user account is a user account whose sole purpose is supplying DHCP servers with credentials for DNS dynamic update registrations. When you create a dedicated user account and configure DHCP servers with the account credentials, each DHCP server supplies these credentials when registering names on behalf of DHCP clients using DNS dynamic update. The dedicated user account should be created in the forest where the primary DNS server for the zone to be updated resides. The dedicated user account can also be located in another forest as long as the forest it resides in has a forest trust established with the forest containing the primary DNS server for the zone to be updated. For more information about establishing forest trusts, see Forest trusts.
When the DHCP Server service is installed on a domain controller, configuring the DHCP server with the credentials of the dedicated user account will prevent the server from inheriting, and possibly misusing, the power of the domain controller. When installed on a domain controller, the DHCP Server service inherits the security permissions of the domain controller and has the authority to update or delete any DNS record that is registered in a secure Active Directory-integrated zone (this includes records that were securely registered by other computers running Windows 2000 or a Windows Server 2003 operating system, including domain controllers).
It is necessary to configure a dedicated user account and configure the DHCP server with the account credentials under the following circumstances:
A domain controller is configured to function as a DHCP server.
The DHCP server is configured to perform DNS dynamic updates on behalf of DHCP clients.
The DNS zones to be updated by the DHCP server are configured to allow only secure dynamic updates.
Once you have created a dedicated user account, you can configure DHCP servers with the user account credentials by using the DHCP console or by using the Netsh DHCP context command server set dnscredentials. For more information on configuring credentials using the DHCP console, see Configure DNS dynamic update credentials. For a comprehensive reference about Netsh commands for DHCP (including syntax, parameters, and examples for the set dnscredentials command at the server context of netsh dhcp), see Netsh commands for DHCP.
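The ownership rules in "DNS record ownership and the DnsUpdateProxy group" and the dedicated-account approach in this section can be checked against a small Python model. This is an added example, not Microsoft code, and a deliberate simplification of the real Active Directory ACLs: a secure zone is modelled as a map of names to records, each record has a single owner (or none if created by a DnsUpdateProxy member), and a domain controller identity can change any record. The principal and host names are constructed for the example.

```python
"""Model of secure dynamic update ownership, DnsUpdateProxy and dedicated credentials
(added example, not Microsoft code; a simplification of the actual AD security model)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    name: str
    in_dns_update_proxy: bool = False   # member of the DnsUpdateProxy group
    is_domain_controller: bool = False


@dataclass
class Record:
    value: str
    owner: Optional[str]   # None: unsecured record created by a DnsUpdateProxy member


class SecureZone:
    """Active Directory-integrated zone that allows only secure dynamic updates."""

    def __init__(self) -> None:
        self.records: Dict[str, Record] = {}

    def update(self, actor: Principal, name: str, value: str) -> bool:
        rec = self.records.get(name)
        if rec is None:
            # The principal that creates the name owns it, unless it is a proxy member.
            self.records[name] = Record(value, None if actor.in_dns_update_proxy else actor.name)
            return True
        if actor.is_domain_controller:
            rec.value = value           # a DC identity may update or delete any record
            return True
        if rec.owner is None:
            rec.value = value           # unsecured record: any principal may update it ...
            if not actor.in_dns_update_proxy:
                rec.owner = actor.name  # ... and the first non-proxy writer becomes the owner
            return True
        if rec.owner == actor.name:
            rec.value = value
            return True
        return False                    # secure update refused: actor is not the owner


@dataclass(frozen=True)
class DhcpServer:
    computer: Principal
    dns_credentials: Optional[Principal] = None   # dedicated account, if configured

    def register(self, zone: SecureZone, name: str, ip: str) -> bool:
        # With dedicated credentials the update is made as that account, not as the computer.
        return zone.update(self.dns_credentials or self.computer, name, ip)


def failover_can_update(use_proxy_group: bool) -> bool:
    """DHCP1 registers a legacy client and then fails; can backup DHCP2 update the name?"""
    zone = SecureZone()
    dhcp1 = DhcpServer(Principal("DHCP1$", use_proxy_group))
    dhcp2 = DhcpServer(Principal("DHCP2$", use_proxy_group))
    dhcp1.register(zone, "legacy1.corp.example", "10.0.0.21")
    return dhcp2.register(zone, "legacy1.corp.example", "10.0.0.22")


def upgraded_client_owner(use_proxy_group: bool) -> Optional[str]:
    """A legacy client registered by DHCP1 is upgraded and registers itself; who owns the name?"""
    zone = SecureZone()
    dhcp1 = DhcpServer(Principal("DHCP1$", use_proxy_group))
    client = Principal("LEGACY1$")
    dhcp1.register(zone, "legacy1.corp.example", "10.0.0.21")
    zone.update(client, "legacy1.corp.example", "10.0.0.21")
    return zone.records["legacy1.corp.example"].owner


def dedicated_account_outcome() -> Tuple[bool, bool, Optional[str]]:
    """Two DHCP servers share one dedicated account: records stay secured yet shareable."""
    zone = SecureZone()
    svc = Principal("dhcp-dns-svc")   # constructed name for the dedicated user account
    dhcp1 = DhcpServer(Principal("DHCP1$"), svc)
    dhcp2 = DhcpServer(Principal("DHCP2$"), svc)
    dhcp1.register(zone, "ws01.corp.example", "10.0.0.31")
    second_ok = dhcp2.register(zone, "ws01.corp.example", "10.0.0.32")
    stranger_ok = zone.update(Principal("OTHER$"), "ws01.corp.example", "10.0.0.99")
    return second_ok, stranger_ok, zone.records["ws01.corp.example"].owner


def dc_hosted_dhcp_can_overwrite(use_dedicated_account: bool) -> bool:
    """DHCP on a domain controller tries to overwrite a record owned by another computer."""
    zone = SecureZone()
    zone.update(Principal("FILESRV$"), "filesrv.corp.example", "10.0.0.5")
    creds = Principal("dhcp-dns-svc") if use_dedicated_account else None
    dc_dhcp = DhcpServer(Principal("DC1$", is_domain_controller=True), creds)
    return dc_dhcp.register(zone, "filesrv.corp.example", "10.0.0.66")


if __name__ == "__main__":
    print("backup server can update without proxy group:", failover_can_update(False))
    print("backup server can update with proxy group:", failover_can_update(True))
    print("owner after upgrade, with proxy group:", upgraded_client_owner(True))
    print("dedicated account (peer ok, stranger ok, owner):", dedicated_account_outcome())
    print("DC-hosted DHCP overwrites foreign record without credentials:", dc_hosted_dhcp_can_overwrite(False))
```

The four scenario functions map directly onto the page: the backup-server and upgraded-client cases fail until the DHCP servers are in DnsUpdateProxy, the dedicated account lets several servers share ownership of secured records, and a DC-hosted DHCP server stops acting with the domain controller's authority once it updates with the dedicated credentials.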
Additional resources on DHCP and DNS interaction
Because of the close integration of DHCP and DNS described in this section, you might want to investigate or review these additional topics as resources for your deployment issues related to this feature.
For more information:
On the DNS dynamic update protocol and considerations for securing dynamic updates when using Active Directory, see Dynamic update.
On how to enable DHCP servers to initiate updates on behalf of its clients for specific scopes (or all scopes), see Enable DNS dynamic updates for clients.
On how you can modify or set computers to initiate dynamic updates on their own behalf, see Configure TCP/IP to use DNS.
Microsoft supports the DHCP/DNS update interaction currently under final review as a proposed Internet standard Request for Comments (RFC) document by the Internet Engineering Task Force (IETF).
This interactive process is fully described in the applicable draft, "Interaction between DHCP and DNS." To obtain the current or final version of this draft, see the Request for Comments Web site.
If you are using legacy DNS servers that do not support dynamic updates, you can implement the following changes for dynamically updating and registering names and addresses for your DHCP clients:
If you are using WINS and legacy Windows DNS servers (that is, DNS servers running Windows NT Server 4.0), you might be able to use WINS lookup integration to support resolution of client names and addresses on your network that are not updated dynamically in DNS.
Upgrade or replace older DNS servers with DNS servers running Windows Server 2003.
For more information about DHCP, see "Dynamic Host Configuration Protocol" at the Microsoft Windows Resource Kits Web site.
For more information about the DNS registration changes related to DHCP servers running Windows Server 2003, see DNS registration changes for Windows Server 2003 based DHCP Servers.