DHCP: Secure DNS updates should be configured if Name Protection is enabled on any IPv4 scope

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Dynamic Host Configuration Protocol Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer (https://go.microsoft.com/fwlink/?LinkId=122786).

Operating System

Windows Server 2008 R2, Windows Server 2012

Dynamic Host Configuration Protocol (DHCP)
Name protection has been enabled on some IPv4 scopes, but secure DNS updates have not been enabled.


Name protection requires secure dynamic update in order to work. Without name protection, DNS names may be hijacked.


Using the DNS MMC, configure an Active Directory-integrated DNS zone for the domain and enable secure (only) dynamic updates

You can use the following procedures to allow only secure dynamic updates for a zone. Secure dynamic update is supported only for Active Directory–integrated zones. If the zone type is configured differently, you must change the zone type and directory-integrate the zone before securing it for Domain Name System (DNS) dynamic updates.

To perform the following procedures, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure.

Convert primary DNS server to Active Directory integrated primary

  1. On the current DNS server, start DNS Manager.

  2. Right-click a DNS zone, click Properties, click the General tab, and then note the Type value. This will be Primary zone, Secondary zone, or Stub zone.

  3. Click Change.

  4. In the Change Zone Type box, select the Store the zone in Active Directory (available only if DNS server is a domain controller) check box. When you are prompted to confirm that you want this zone to become Active Directory integrated, click Yes, and then click OK. In the zone properties, the Type now shows "Active Directory-Integrated".

Enable secure dynamic updates

  1. Open the DNS snap-in.

  2. In the console tree, right-click the applicable zone, and then click Properties.

  3. On the General tab, verify that the zone Type is Active Directory-Integrated.

  4. In Dynamic updates, click Secure only.
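The same check and fix can be scripted. The following is an added example, not part of the original topic: it assumes the Windows Server 2012 DhcpServer and DnsServer PowerShell modules, runs on the DHCP server, and uses placeholder values for the DNS server name and zone name.

```powershell
# Added example (not from the original topic). Assumes the Windows Server 2012
# DhcpServer and DnsServer modules; $DnsServer and $ZoneName are placeholders.
Import-Module DhcpServer
Import-Module DnsServer

$DnsServer = 'dns01.corp.example'   # placeholder: DNS server hosting the zone
$ZoneName  = 'corp.example'         # placeholder: zone DHCP registers clients into
$Remediate = $false                 # set to $true to apply the fix, not just report

# 1. Find IPv4 scopes that have name protection enabled.
$protected = Get-DhcpServerv4Scope |
    Where-Object { (Get-DhcpServerv4DnsSetting -ScopeId $_.ScopeId).NameProtection } |
    Select-Object -ExpandProperty ScopeId

if (-not $protected) {
    Write-Output 'No IPv4 scope has name protection enabled; this BPA rule does not apply.'
    return
}
Write-Output "Name protection is enabled on scope(s): $($protected -join ', ')"

# 2. Check whether the zone is AD-integrated and accepts secure updates only.
$zone = Get-DnsServerZone -ComputerName $DnsServer -Name $ZoneName
Write-Output ("Zone {0}: IsDsIntegrated={1} DynamicUpdate={2}" -f
    $zone.ZoneName, $zone.IsDsIntegrated, $zone.DynamicUpdate)

$compliant = $zone.IsDsIntegrated -and $zone.DynamicUpdate -eq 'Secure'
if ($compliant) { Write-Output 'Compliant: secure-only dynamic update is configured.'; return }

Write-Warning 'Not compliant: name protection is enabled but the zone does not require secure updates.'
if (-not $Remediate) { return }

# 3. Remediate: secure-only update requires an AD-integrated zone, so convert first
#    (the DNS server must be a domain controller), then restrict updates to Secure.
if (-not $zone.IsDsIntegrated) {
    ConvertTo-DnsServerPrimaryZone -ComputerName $DnsServer -Name $ZoneName `
        -ReplicationScope Domain -Force
}
Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $ZoneName -DynamicUpdate Secure
Write-Output "Zone $ZoneName now set to secure-only dynamic updates."
```

Run it first with $Remediate left at $false to see which scopes and zone settings the rule applies to before changing anything.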

Additional references

For updated detailed IT pro information about DNS and DHCP, see the Windows Server 2008 R2 documentation on the Microsoft TechNet Web site.