Section 3.7: Configuring Dynamic DNS
The DNS Service includes a dynamic update capability called Dynamic DNS (DDNS). With DNS, when there are changes to the domain for which a name server has authority, you must manually update the zone database file on the preferred name server. With DDNS, name servers and clients within a network automatically update the zone database files.
DDNS interacts with the DHCP Service to maintain synchronized name-to-IP-address mappings for network hosts. By default, the DHCP Service allows clients to add their own A (Host) records to the zone, and the DHCP Service adds the PTR (Pointer) record to the zone when the client leases the IP address. The DHCP Service cleans up both the A (Host) and PTR records in the zone when the lease expires.
3.7.1: Dynamic Updates
When a client receives a new IP address from a DHCP server, the name-to-IP address mapping information that is stored on a DNS server must be updated. By default, Windows Server 2003, Windows 2000, and Windows XP clients as well as Windows Server 2003, and Windows 2000 DHCP servers can register with DNS and dynamically update DNS with their name-to-IP address mapping information with DNS servers that are configured to support dynamic updates.
Note: Static DNS servers are not able to interact dynamically with DHCP when client configurations change. It is therefore recommended that you upgrade all DNS servers from Windows NT 4.0 to Windows Server 2003 or Windows 2000 to enable them to support dynamic updates.
However, computers running earlier versions of Windows, such as Windows NT and Windows 98 are not able to update DNS therefore you must configure the DHCP server to update A and PTR resource records for these clients.
When you configure dynamic updates you must configure the DNS server for dynamic updates; the DHCP server for dynamic updates; and the client computers for dynamic updates.
3.7.2: Secure Dynamic Updates
You can configure the DNS server to perform secure dynamic updates for Active Directory integrated zones. With secure dynamic updates, the authoritative DNS server accepts new registrations only from computers that have a computer account in Active Directory, and accepts updates only from the computer that originally registered the record. The DNS server refuses updates until the DHCP servers and clients encrypt the information. Secure dynamic updates allow you to specify which users and groups are authorized to modify zones and resource records and will prevent unauthorized users from modifying zones and resource records.
To configure secure dynamic updates on the DNS server, do the following:
• Click on the START button
• Point to PROGRAMS
• Point to ADMINISTARTIVE TOOLS
• Click on DNS
• Click on the server
• Right-click the Active Directory integrated zone
• Click on PROPERTIES
• Click on the general tab
• In the ALLOW DYNAMIC UPDATES list, click ONLY SECURE UPDATES
• Click OK
Domain Controllers are also identified by the specific services that they provide. Windows Server 2003 uses DNS to locate domain controllers by resolving a domain or computer name to an IP address. DNS servers use the information in the SRV resource record and the A resource record to locate domain controllers. SRV resource records map a particular service to the domain controller that provides that service. The format of an SRV resource record contains this information and TCP/IP specific information. When a domain controller starts, the Net Logon service running on the domain controller uses the DNS dynamic update feature to register with the DNS database the SRV resource records for all Active Directory-related services that the domain controller provides. Therefore, a computer running Windows Server 2003 or Windows 2000 can query a DNS server when it must contact a domain controller.
3.7.3: Configuring Scavenging
Dynamically registered records can become obsolete when computers crash or come on and off the network at infrequent intervals. When scavenging is enabled, DNS applies an aging value to dynamically registered resource records. Scavenging removes records that have not been refreshed for more than 14 days. Scavenging can be enabled for a single zone or for all zones on the server. To enable scavenging for a zone, do the following:
• Click on the START button
• Point to PROGRAMS
• Point to ADMINISTARTIVE TOOLS
• Click on DNS
• Right-click the zone
• On the pop-up menu, click on PROPERTIES
• Click on the general tab
• Then click AGING to open the Zone Aging/Scavenging Properties window
• Select the scavenge stale resource records option
• Leave the default seven-day values for no-refresh interval and refresh INTERVAL
• Click OK to save the settings
• Click yes on the warning message that appears to inform you that the zone file record format will be changed
• Then click OK to save the changes and close the window