Integrating DHCP with Other Services


If you use DHCP servers for Microsoft network clients, you must use a name resolution service. Networks that support clients running Windows 2000, Microsoft Windows XP Professional, and Windows Server 2003 use the DNS service to support name resolution. Networks that support clients running versions of the operating system earlier than Windows 2000 must use a form of NetBIOS name resolution, such as WINS. Networks that support both types of clients must implement both WINS and DNS servers.

Windows Server 2003 DHCP provides support for both DNS dynamic updates and secure DNS dynamic updates. DHCP and DNS work together to perform dynamic updates and work with Active Directory to perform secure DNS dynamic updates. DHCP also works with Active Directory to prevent unauthorized DHCP servers from running on the network.

Figure 2.6 shows the process for integrating DHCP with other services.

Figure 2.6: Integrating DHCP with Other Services

Configuring Dynamic Update and Secure Dynamic Update

The Windows Server 2003 DHCP Server service can be configured to perform DNS dynamic updates and secure DNS dynamic updates for DHCP clients, which eliminates the need for administrators to update DNS records manually when a client's IP address changes. Clients running Windows 2000, Windows XP, or Windows Server 2003 can also perform dynamic updates.

Clients running versions of Windows earlier than Windows 2000 do not support DNS dynamic update, and they cannot send the Client FQDN DHCP option that newer clients use to state which records they will register themselves. Clients that rely on WINS for name resolution therefore cannot make an explicit request for a dynamic update preference. For these clients, configure the DHCP server (the DNS tab setting for clients that do not request updates) to register both the PTR and the A resource records on their behalf.

By itself, dynamic update is not secure; any host that can reach the name server can add, change, or delete records. When secure dynamic update is configured, the authoritative name server accepts updates only from clients and servers that are authorized, by the access control lists on the corresponding objects in Active Directory, to modify those records. Secure dynamic update is available only on Active Directory-integrated zones; you enable it per zone in the DNS snap-in by setting the zone's dynamic update setting to secure updates only.

Secure dynamic update protects zones and resource records from being modified by unauthorized users by enabling you to specify the users and groups that can modify zones and resource records. By default, Windows Server 2003, Windows XP Professional, and Windows 2000 clients attempt an unsecured dynamic update first and attempt a secure update only if that request is refused. A zone that still accepts unsecured updates therefore takes the first, unauthenticated attempt; the protection applies only once the zone is set to accept secure updates only.

When using multiple DHCP servers and secure dynamic updates, add each of the DHCP servers as members of the DnsUpdateProxy global security group so that any DHCP server can perform a secure dynamic update for any record. Otherwise, when a DHCP server performs a secure dynamic update for a record, that DHCP server becomes the owner of the record and is the only computer that can later update it. Note the trade-off: records registered by members of DnsUpdateProxy are created without a secure owner, so any client that can perform dynamic updates can later take them over. To limit this exposure, configure each DHCP server with a dedicated, low-privilege domain account for dynamic updates (the credentials setting on the server's Advanced tab) so that the records it registers are owned by that account rather than left unowned.

  • To configure dynamic update for DHCP clients and servers

    1. In the DHCP snap-in, select and right-click the DHCP server you want to configure, and then click Properties.

    2. In the server name Properties dialog box, click the DNS tab.

    3. On the DNS tab, select the Enable DNS dynamic updates according to the settings below check box.

    4. On the DNS tab, select the dynamic update method you want: either always updating the DNS A and PTR records, or updating them only when requested by the DHCP client. If the scope serves clients that cannot request updates (for example, clients running Windows NT 4.0), also select the check box that updates A and PTR records for DHCP clients that do not request updates.

Use the DNS snap-in to enable secure dynamic update. For more information about dynamic update and secure dynamic update, see "Deploying DNS" in this book and in Help and Support Center for Windows Server 2003.

Important

If DHCP will perform DNS dynamic updates, do not install it on a domain controller. Instead, install DHCP on a member server. A DHCP server that runs on a domain controller updates DNS under the domain controller's own security context, which has full control over every record in an Active Directory-integrated zone; a name supplied by any DHCP client could then overwrite any existing record, including those of servers. When DHCP is installed on a domain controller and is configured to perform dynamic updates on behalf of clients in DNS zones that are configured to allow only secure dynamic update, specify a dedicated user account for the DHCP server to use when it updates DNS records. For more information about installing DHCP, see "Checklist: Installing a DHCP server" in Help and Support Center for Windows Server 2003.

Authorizing DHCP Servers in Active Directory

An unauthorized DHCP server on a network can cause a variety of problems, such as leasing incorrect IP addresses and options (for example, handing clients a default gateway or DNS server under an attacker's control). To protect against this type of problem, when a Windows 2000 or Windows Server 2003 domain member DHCP server attempts to start on the network, it first queries Active Directory and compares its own IP address and server name to the list of authorized DHCP servers. If either the server name or the IP address is found on the list, the server starts serving clients. If no match is found, the server is not authorized in Active Directory and does not respond to DHCP traffic. The process of authorizing DHCP servers applies only to Windows 2000-based or Windows Server 2003-based DHCP servers; it cannot be used for DHCP servers running Windows NT Server or for non-Windows-based DHCP services, which never consult Active Directory. Only a member of the Enterprise Admins group can authorize or unauthorize a DHCP server in Active Directory.

Important

You must be logged in as an enterprise administrator to authorize a DHCP server.

  • To authorize a DHCP server in Active Directory

    1. In the DHCP snap-in, right-click DHCP.

    2. Select Manage authorized servers.

    3. In the Manage Authorized Servers dialog box, click Authorize.

    4. In the Authorize DHCP Server dialog box, type the name or IP address of the DHCP server, and then click OK.

Note

Detection of unauthorized DHCP servers requires the deployment of Active Directory and the DHCP service running on Windows 2000 or Windows Server 2003, and it is a self-check performed by the Windows DHCP server, not an enforcement mechanism on the network. Other DHCP servers do not attempt to determine whether they are authorized by Active Directory before offering IP address leases, so a rogue server running Windows NT Server, a non-Windows operating system, or an embedded device must be found by other means, such as sending a DHCPDISCOVER on each segment and checking which servers answer.
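The following Python script is an added example, not code from the Deployment Kit or from Microsoft, that demonstrates two of the behaviours described on this page. decide_dns_updates() applies the DNS-tab settings from the dynamic update procedure above to a client's Client FQDN option (DHCP option 81, RFC 4702), returning which records the DHCP server itself should register; a client that sends no option 81, as Windows NT 4.0 and other WINS-only clients do not, is governed by the setting for clients that do not request updates. check_offer() parses a DHCPOFFER and compares its Server Identifier (option 54) with the list of authorized servers, which is the check an administrator has to make for servers that never consult Active Directory. The class name DnsPolicy, the function names, the 10.0.0.x addresses, and the host name ws01.corp.example are assumptions made for the example; the packets are constructed inline rather than captured. The treatment of the N flag (the client asking the server to register nothing) follows RFC 4702 and is an assumption about the exact Windows Server 2003 behaviour.

```python
"""Added example (not Deployment Kit code): DHCP option 81 policy and rogue-server check."""
import socket
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_CLIENT_FQDN, OPT_END = 53, 54, 81, 255
FQDN_FLAG_S, FQDN_FLAG_N = 0x01, 0x08   # RFC 4702 option 81 flag bits


def parse_options(packet: bytes) -> dict:
    """Return the DHCP options of a BOOTP/DHCP packet as {code: raw value}."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: bad magic cookie")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:                      # pad option has no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


@dataclass(frozen=True)
class DnsPolicy:
    """Assumed model of the three settings on the DHCP server's DNS tab."""
    enabled: bool = True          # "Enable DNS dynamic updates according to the settings below"
    always_update: bool = False   # True: always update A and PTR; False: only when the client requests
    update_legacy: bool = False   # update A and PTR for clients that do not request updates (NT 4.0)


def decide_dns_updates(request: bytes, policy: DnsPolicy) -> tuple:
    """Return (server_registers_A, server_registers_PTR) for one client request."""
    if not policy.enabled:
        return (False, False)
    fqdn = parse_options(request).get(OPT_CLIENT_FQDN)
    if fqdn is None:                            # legacy client: no option 81, no preference
        return (policy.update_legacy, policy.update_legacy)
    if policy.always_update:                    # server ignores the client's preference
        return (True, True)
    flags = fqdn[0]
    if flags & FQDN_FLAG_N:                     # client asked for no server updates (assumed honoured)
        return (False, False)
    # Windows 2000/XP default is S=0: client registers A itself, server registers PTR.
    # S=1 asks the server to register both records.
    return (bool(flags & FQDN_FLAG_S), True)


def check_offer(offer: bytes, authorized: set) -> tuple:
    """Return (server_ip, is_authorized) for a DHCPOFFER; a False means a rogue server."""
    opts = parse_options(offer)
    if opts.get(OPT_MSG_TYPE) != b"\x02":
        raise ValueError("not a DHCPOFFER")
    server_ip = str(IPv4Address(opts[OPT_SERVER_ID]))
    return server_ip, server_ip in authorized


# --- constructed sample packets (not captured traffic) -----------------------
def _opt(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value


def build_packet(op: int, *options: bytes) -> bytes:
    """236-byte BOOTP fixed header (xid 0x1234, broadcast flag, dummy MAC) + options."""
    header = (bytes([op, 1, 6, 0]) + b"\x00\x00\x12\x34" + b"\x00\x00" + b"\x80\x00"
              + b"\x00" * 16 + b"\x02\x00\x00\xaa\xbb\xcc" + b"\x00" * 10 + b"\x00" * 192)
    return header + MAGIC_COOKIE + b"".join(options) + bytes([OPT_END])


def _offer(server: str) -> bytes:
    return build_packet(2, _opt(OPT_MSG_TYPE, b"\x02"), _opt(OPT_SERVER_ID, IPv4Address(server).packed))


def _request(fqdn_flags: Optional[int]) -> bytes:
    opts = [_opt(OPT_MSG_TYPE, b"\x03")]
    if fqdn_flags is not None:                  # option 81: flags, RCODE1, RCODE2, ASCII name (E=0)
        opts.append(_opt(OPT_CLIENT_FQDN, bytes([fqdn_flags, 0, 0]) + b"ws01.corp.example"))
    return build_packet(1, *opts)


AUTHORIZED = {"10.0.0.5"}                               # what "Manage authorized servers" lists
OFFERS = [_offer("10.0.0.5"), _offer("10.0.0.99")]      # the second is a rogue server
XP_REQUEST = _request(0x00)       # Windows XP default: S=0, client registers its own A record
NT4_REQUEST = _request(None)      # legacy client: no option 81 at all


def probe(interface_ip: str = "0.0.0.0", timeout: float = 3.0) -> list:
    """Broadcast one DHCPDISCOVER and collect every DHCPOFFER heard (needs UDP/68, usually root)."""
    discover = build_packet(1, _opt(OPT_MSG_TYPE, b"\x01"))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.bind((interface_ip, 68))
        s.settimeout(timeout)
        s.sendto(discover, ("255.255.255.255", 67))
        offers = []
        try:
            while True:
                offers.append(s.recv(1500))
        except socket.timeout:
            return offers


if __name__ == "__main__":
    for pkt in OFFERS:
        print(check_offer(pkt, AUTHORIZED))
    print(decide_dns_updates(XP_REQUEST, DnsPolicy()))
    print(decide_dns_updates(NT4_REQUEST, DnsPolicy(update_legacy=True)))
```

Run the module directly to see the constructed offers and requests evaluated; on a real segment, replace OFFERS with the result of probe() and treat any server that check_offer() reports as unauthorized as a rogue to be located and removed. Every offer carries a Server Identifier, so the comparison works regardless of the rogue server's operating system.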




Microsoft Corporation Microsoft Windows Server 2003 Deployment Kit(c) Deploying Network Services 2003
Year: 2004
Pages: 146
