DHCP: Secure DNS updates should be configured if Name Protection is enabled on any IPv4 scope
Applies To: Windows Server 2008 R2, Windows Server 2012
This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Dynamic Host Configuration Protocol Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer (https://go.microsoft.com/fwlink/?LinkId=122786).
Operating System: Windows Server 2008 R2, Windows Server 2012
Product/Feature: Dynamic Host Configuration Protocol (DHCP)
Issue: Name protection has been enabled on one or more IPv4 scopes, but secure DNS dynamic updates have not been enabled on the DNS zones that those scopes register into.
Impact: Name protection only works when the zone accepts secure dynamic updates. Without secure updates, the DNS server cannot enforce the DHCID-based ownership check that name protection relies on, so any client on the network can overwrite the A and PTR records of another client and hijack its DNS name.
Resolution: Using the DNS MMC snap-in, configure an Active Directory-integrated DNS zone for the domain and set dynamic updates to Secure only.
You can use the following procedures to allow only secure dynamic updates for a zone. Secure dynamic update is supported only for Active Directory–integrated zones. If the zone type is configured differently, you must change the zone type and directory-integrate the zone before securing it for Domain Name System (DNS) dynamic updates.
To perform the following procedures, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure.
Convert a primary zone to an Active Directory-integrated primary zone
On the current DNS server, start DNS Manager.
Right-click the DNS zone, click Properties, and then click the General tab. Note the Type value; it will be Primary zone, Secondary zone, or Stub zone. Next to Type, click Change.
In the Change Zone Type box, click Primary zone, and then select the Store the zone in Active Directory (available only if DNS server is a domain controller) check box. When you are prompted to confirm that you want this zone to become Active Directory-integrated, click Yes, and then click OK. In the zone properties, the Type now shows Active Directory-Integrated.
Enable secure dynamic updates
Open the DNS snap-in.
In the console tree, right-click the applicable zone, and then click Properties.
On the General tab, verify that the zone Type is Active Directory-Integrated.
In Dynamic updates, click Secure only.
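The same check and fix can be scripted. The following PowerShell is an added example, not part of the original TechNet topic; it assumes Windows Server 2012 (the DhcpServer and DnsServer modules are not available on Windows Server 2008 R2, where the dnscmd equivalents shown in the comments apply), and the server and zone names are placeholders. Run without -Fix first to audit: it lists the IPv4 scopes that have Name Protection turned on, reports whether the zone is Active Directory-integrated and set to Secure only, and then optionally applies the two changes from the procedure above.

```powershell
#Requires -Modules DhcpServer, DnsServer
# Added example: audit and fix the BPA rule "Secure DNS updates should be configured
# if Name Protection is enabled on any IPv4 scope". All names below are assumptions.
param(
    [string]$DhcpServer = 'dhcp01.corp.example',  # assumption: placeholder DHCP server
    [string]$DnsServer  = 'dc01.corp.example',    # assumption: placeholder DC running DNS
    [string]$ZoneName   = 'corp.example',         # assumption: forward zone the scopes register into
    [switch]$Fix                                   # omit for a read-only audit
)

# 1. Which IPv4 scopes have Name Protection enabled? The per-scope DNS setting is
#    what the BPA rule looks at; NameProtection is a boolean on that object.
$protectedScopes = Get-DhcpServerv4Scope -ComputerName $DhcpServer | Where-Object {
    (Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $_.ScopeId).NameProtection
}
if (-not $protectedScopes) {
    Write-Output 'No IPv4 scope has Name Protection enabled; the rule does not apply.'
    return
}
$protectedScopes | Select-Object ScopeId, Name, State | Format-Table -AutoSize

# 2. Check the zone. Secure-only dynamic update is only possible on an
#    Active Directory-integrated zone, so both properties have to be true.
$zone = Get-DnsServerZone -ComputerName $DnsServer -Name $ZoneName
$report = [pscustomobject]@{
    Zone          = $zone.ZoneName
    ZoneType      = $zone.ZoneType
    ADIntegrated  = $zone.IsDsIntegrated
    DynamicUpdate = $zone.DynamicUpdate   # None, NonsecureAndSecure, or Secure
    Compliant     = [bool]($zone.IsDsIntegrated -and $zone.DynamicUpdate -eq 'Secure')
}
$report | Format-List

# 3. With secure updates the DHCP server must authenticate to update records it
#    registered on behalf of clients; report the account it uses so an empty value
#    (or a DC's machine account) can be reviewed.
$cred = Get-DhcpServerDnsCredential -ComputerName $DhcpServer
Write-Output ("DHCP dynamic-update credential: {0}\{1}" -f $cred.DomainName, $cred.UserName)

if ($Fix -and -not $report.Compliant) {
    if (-not $zone.IsDsIntegrated) {
        # Equivalent of "Store the zone in Active Directory" in DNS Manager.
        # On Windows Server 2008 R2: dnscmd $DnsServer /ZoneResetType $ZoneName /DsPrimary
        ConvertTo-DnsServerPrimaryZone -ComputerName $DnsServer -Name $ZoneName `
            -ReplicationScope Domain -Force
    }
    # Equivalent of Dynamic updates: Secure only.
    # On Windows Server 2008 R2: dnscmd $DnsServer /Config $ZoneName /AllowUpdate 2
    Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $ZoneName -DynamicUpdate Secure
    Get-DnsServerZone -ComputerName $DnsServer -Name $ZoneName |
        Select-Object ZoneName, IsDsIntegrated, DynamicUpdate
}
```

Converting the zone to Active Directory-integrated requires the DNS server to be a domain controller, exactly as the DNS Manager check box notes; if -Fix is run against a member server the ConvertTo-DnsServerPrimaryZone call fails and the zone is left unchanged. If the scopes use DNS option 015 to hand out a different domain suffix, run the check against that zone as well.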
For updated, detailed IT pro information about DNS and DHCP, see the Windows Server 2008 R2 documentation on the Microsoft TechNet Web site.