Windows 2000 Dynamic Update

Windows 2000 clients can interact directly with a DNS server. With dynamic updates, clients can automatically register their own resource records with a DNS server and update them as changes occur. Resource records are the entries within the DNS server database files. Each resource record contains information about a specific machine, such as its IP address or the specific services it runs. The type of information within a resource record depends on the type of record created. For example, an A (address) record contains the IP address associated with a specific computer.

Dynamic update greatly reduces the administration associated with maintaining resource records, because administrators no longer need to update these records manually. This matters most with DHCP: when a short lease duration is configured, the IP addresses assigned to DNS clients can change frequently, and each change would otherwise require a manual record edit.

Dynamic updates provide the following advantages:

  • DHCP servers can dynamically register records for clients. This is particularly important because DHCP servers can perform updates on behalf of clients that do not support dynamic updates, such as Windows 95, 98, or NT4 clients.

  • Reduced administrative overhead, because A records and PTR records can be dynamically updated by Windows 2000 clients. An A (address) record lists the IP address associated with a specific machine, whereas a PTR (pointer) record lists the specific machine associated with an IP address.

  • Allows domain controllers to be dynamically registered through SRV records.

Alert: To support dynamic updates, a Windows 2000 DHCP server and a Windows 2000 DNS server must be on the network. Windows NT 4.0 DNS servers do not support dynamic updates. Windows 2000 DHCP servers are required to perform dynamic updates on behalf of those clients that do not support this feature.


How Dynamic Update Works

By default, any Windows 2000 client can update its own records with the DNS server. The DHCP client service attempts to update records with the DNS server when any of the following events occur:

  • The workstation is rebooted.

  • The client records are manually refreshed using the ipconfig /registerdns command.

  • A statically configured IP address is modified.

  • The IP address leased from a DHCP server changes or is renewed.

Let's take a look at an example of what happens when a client performs a dynamic update. Assume that you change a bayside.net workstation's computer name from computer1 to computer2. After changing the computer name, you are required to restart before the change takes effect. Once the workstation is rebooted, the following process occurs:

  1. The DHCP client service sends the domain's authoritative DNS server a query using the new DNS domain name of the workstation.

  2. The DNS server that is authoritative for the workstation's domain responds to the request.

  3. The client uses the response information to determine the primary DNS server for the domain and sends a dynamic update request to the primary DNS server.

  4. The update request is processed. The old host and pointer records are removed and replaced with the updated ones.
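The dynamic update request the client sends in step 3 is an RFC 2136 UPDATE message. The following added example (not from the book) builds the forward-zone half of the computer1-to-computer2 rename described above in wire format: the old host record is deleted and the new one is added in a single message. The address 192.0.2.10, the message ID and the TTL are constructed values; the PTR change would be sent as a separate UPDATE to the reverse lookup zone.

```python
import socket
import struct

OPCODE_UPDATE = 5            # RFC 2136 UPDATE opcode (QUERY is 0)
TYPE_A, TYPE_SOA = 1, 6
CLASS_IN, CLASS_ANY = 1, 255


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_update(zone, delete_a, add_a, msg_id=0x1234, ttl=1200):
    """One UPDATE message: zone section, no prerequisites, update section.
    delete_a: names whose whole A RRset is removed (class ANY, TTL 0, no RDATA).
    add_a:    {name: ipv4} A records to add in class IN with the given TTL."""
    ucount = len(delete_a) + len(add_a)
    # Header: ID, flags (opcode in bits 11-14), ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT
    header = struct.pack(">HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, ucount, 0)
    zone_section = encode_name(zone) + struct.pack(">HH", TYPE_SOA, CLASS_IN)
    update = b""
    for name in delete_a:    # "delete an RRset" form: class ANY, TTL 0, RDLENGTH 0
        update += encode_name(name) + struct.pack(">HHIH", TYPE_A, CLASS_ANY, 0, 0)
    for name, ip in add_a.items():
        rdata = socket.inet_aton(ip)
        update += encode_name(name) + struct.pack(">HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_section + update


def parse_header(msg):
    """Decode the 12-byte header so a captured message can be checked or logged."""
    msg_id, flags, zo, pr, up, ad = struct.unpack(">HHHHHH", msg[:12])
    return {"id": msg_id, "opcode": (flags >> 11) & 0xF, "zocount": zo,
            "prcount": pr, "upcount": up, "adcount": ad}


def rename_update():
    """Forward-zone UPDATE for the rename: drop computer1's A RRset, add computer2.
    192.0.2.10 is a constructed (documentation-range) address. A zone set to
    "Only secure updates" would reject this unsigned form and require the client
    to authenticate the message (Windows uses GSS-TSIG for that)."""
    return build_update("bayside.net",
                        delete_a=["computer1.bayside.net"],
                        add_a={"computer2.bayside.net": "192.0.2.10"})
```

The message returned by rename_update() would be sent over UDP to port 53 of the primary DNS server discovered in steps 1 and 2; parse_header() is what a defender would apply to captured traffic to spot UPDATE (opcode 5) messages among ordinary queries.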

Configuring a Zone for Dynamic Update

Dynamic updates are configured on a per-zone basis. The zone must be either a primary or an Active Directory-integrated zone.

To configure a zone for dynamic update, right-click the zone within the DNS management console and click Properties. In the Properties dialog box, select the General tab as shown in Figure 2.9. To enable dynamic updates, select one of the following options:

  • No: Select this option to disable dynamic updates for the zone.

  • Yes: Select this option to enable dynamic updates for the zone.

  • Only secure updates: Select this option to enable dynamic updates only for those users and groups authorized to perform them. This option is available only for Active Directory-integrated zones.

Figure 2.9. Configuring dynamic updates for a zone.


Note: For Windows 2000, the security of secure dynamic updates can be compromised by running a DHCP server on a domain controller when that Windows 2000 DHCP server is configured to register DNS records on behalf of its clients. To avoid this issue, deploy DHCP servers and domain controllers on separate computers. If you are not concerned about the security of reverse lookup (PTR) records, this precaution is needed only if the DHCP server is configured to register host (A) records on behalf of its clients, which is not the default behavior.


Alert: When configuring dynamic updates, remember that the zone must be primary or Active Directory-integrated. Also, to use secure updates, the zone must be Active Directory-integrated; this feature is not supported by primary zones.


Using Secure Dynamic Updates

Windows 2000 supports secure dynamic updates for those zones that are Active Directory-integrated. Secure dynamic updates occur the same way as dynamic updates, except that secure updates are accepted only from clients that are authorized to update the zone file. This means that the DNS server accepts updates only from clients that have accounts within Active Directory. Any computers that do not have accounts are not permitted to register any records, thereby eliminating the chance of unknown computers registering with the DNS server.

The benefit of this is obviously an increase in security. The resource records and zone files can be modified only by users who have been authorized to do so. It also provides administrators with a finer granularity of control, as they can edit the access control list (ACL) for the zone and specify which specific users and groups can perform dynamic updates. You edit the ACL for a zone by right-clicking the zone, selecting Properties, and choosing the Security tab.

Alert: One issue you need to be aware of is the situation in which you have enabled secure updates and also configured the DHCP server to perform updates on behalf of clients that do not support dynamic updates. If a DHCP server performs a secure update on behalf of the client, that DHCP server becomes the owner of the record. If another DHCP server on the network attempts to update the record, it cannot do so because it does not own the record. To get around this issue, you need to place the DHCP servers configured to perform dynamic updates into the DNSUpdateProxy group (as long as the DHCP server is not a domain controller), because members of this group bypass DNS security.




Windows 2000 Network Infrastructure Exam Cram 2 (Exam 70-216)
ISBN: 078972863X
Year: 2005
Pages: 167