DHCP interoperates with other services in Windows Server 2003. When planning to upgrade or migrate your DHCP service to Windows Server 2003, you need to take into account how DHCP interacts with other services that might be running on your network. The following sections describe some of these interactions, as well as any steps you need to take to ensure smooth integration following a migration.
Windows Server 2003 DHCP supports both DNS dynamic updates and secure DNS dynamic updates. DHCP and DNS work together to perform dynamic updates and work with Active Directory to perform secure DNS dynamic updates. DNS dynamic updates and secure DNS dynamic updates eliminate the need for administrators to update DNS records manually when a client's IP address changes.
Clients running Windows 2000, Windows XP, or Windows Server 2003 can also perform dynamic updates. Clients running versions of Windows earlier than Windows 2000 do not support DNS dynamic update. For these clients, the DHCP server can be configured to update both the PTR and the A resource records.
By itself, dynamic update is not secure; any client can modify DNS records. When secure dynamic update is configured, the authoritative name server accepts updates only from clients and servers that are authorized to make dynamic updates to the appropriate objects in Active Directory. Secure dynamic update is available only on Active Directory-integrated zones.
Secure dynamic update protects zones and resource records from being modified by unauthorized users by enabling you to specify the users and groups that can modify zones and resource records. By default, Windows Server 2003, Windows XP Professional, and Windows 2000 clients attempt unsecured dynamic updates first. If that request fails, they attempt secure updates.
Use the DHCP snap-in to enable dynamic update on behalf of clients.
To configure dynamic update
In the DHCP snap-in, right-click the DHCP server you want to configure, and then click Properties.
In the server_name Properties dialog box, click the DNS tab.
On the DNS tab, click to select the Enable DNS dynamic updates according to the settings below check box.
On the DNS tab, select the dynamic update method you want: either always updating DNS A and PTR, or only updating the records when requested by the DHCP client.
Click to select the Dynamically update DNS A and PTR records for DHCP clients that do not request updates (for example, clients running Windows NT 4.0) check box, if applicable.
Use the DNS snap-in to enable secure dynamic update by the DHCP server on behalf of the clients.
To configure secure dynamic update
In the DNS snap-in, select and right-click the applicable zone, and then click Properties.
On the General tab, verify that the zone type is either Primary or Active Directory-integrated. To allow secure dynamic updates only, verify that the zone type is Active Directory-integrated.
To allow dynamic updates and secure dynamic updates, in Dynamic Updates, click Nonsecure and secure.
To allow secure dynamic updates only, in Dynamic Updates, click Secure only.
When using multiple DHCP servers and secure dynamic updates, add each of the DHCP servers as members of the domain global DnsUpdateProxy security group so that any DHCP server can perform a secure dynamic update for any record. Otherwise, when a DHCP server performs a secure dynamic update for a record, the DHCP server that originally created the record is the only computer that can update the record.
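The DnsUpdateProxy step above, scripted as an added example (not part of the original article) so it can be repeated consistently across several DHCP servers; the server names are constructed placeholders, and `net group` is used because it is available on Windows Server 2003 without additional modules.

```powershell
# Added example: make every DHCP server's computer account a member of the
# domain global DnsUpdateProxy group so any of them can update a record that
# another one registered. Run from a domain member with domain admin rights.
# Assumption: the NetBIOS names below are constructed placeholders.
$DhcpServers = @('DHCP1', 'DHCP2')

# 'net group' lists computer accounts as NAME$ in whitespace-separated columns;
# keep only the tokens that look like computer accounts.
$members = net group DnsUpdateProxy /domain |
    Where-Object { $_ -match '\$' } |
    ForEach-Object { $_ -split '\s+' } |
    Where-Object { $_ -match '\$$' }

foreach ($server in $DhcpServers) {
    $account = "$server`$"            # computer account name, e.g. DHCP1$
    if ($members -contains $account) {
        Write-Host "$account is already a member of DnsUpdateProxy"
    } else {
        Write-Host "Adding $account to DnsUpdateProxy"
        net group DnsUpdateProxy $account /add /domain
    }
}
```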
DHCP also works with Active Directory to prevent unauthorized DHCP servers from running on the network. Windows Server 2003-based DHCP servers that are part of an Active Directory domain will not lease IP addresses unless they are authorized in Active Directory. Because of this, you will need to authorize your DHCP servers in Active Directory immediately after upgrading to Active Directory and upgrading or migrating your DHCP servers.
An unauthorized DHCP server on a network can cause a variety of problems, such as the leasing of incorrect IP addresses and options. To protect against this type of problem, when a Windows Server 2003 domain member DHCP server attempts to start on the network, it first queries Active Directory. The DHCP server compares its IP address and server name to the list of authorized DHCP servers. If either the server name or IP address is found on the list of authorized DHCP servers, the server is authorized as a DHCP server. If no match is found, the server is not authorized in Active Directory and does not respond to DHCP traffic. The process of authorizing DHCP servers is useful only for Windows 2000-based or Windows Server 2003-based DHCP servers. This process cannot be used for DHCP servers running Windows NT Server, or servers running non-Windows-based DHCP services. Only a member of the Enterprise Admins group can authorize or unauthorize a DHCP server in Active Directory.
You must be an enterprise administrator to authorize a DHCP server.
To authorize a DHCP server in Active Directory
In the DHCP snap-in, right-click DHCP.
Click Manage authorized servers.
In the Manage Authorized Servers dialog box, click Authorize.
In the Authorize DHCP Server dialog box, type the name or IP address of the DHCP server, and then click OK.
Detection of unauthorized DHCP servers requires the deployment of Active Directory and the DHCP service running on Windows 2000 or Windows Server 2003. Other DHCP servers do not attempt to determine whether they are authorized by Active Directory before offering IP address leases.
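The authorization procedure and the startup check described above, as an added example (not from the original article) using the netsh dhcp commands available on Windows Server 2003: it authorizes a server and then applies the same name-or-IP rule the DHCP service uses to confirm the local server is on the list. The server name and address are constructed placeholders, and the regex assumes each list entry is printed as "Server [name] Address [ip]".

```powershell
# Added example: authorize a DHCP server in Active Directory and verify that
# the local server appears on the authorized list. Run as Enterprise Admin.
# Assumption: the name and address below are constructed placeholders.
$ServerFqdn = 'dhcp1.example.com'
$ServerIp   = '192.0.2.10'

# Same effect as the Authorize button in the Manage Authorized Servers dialog
netsh dhcp add server $ServerFqdn $ServerIp

# Read the authorized list back from Active Directory.
# Assumption: entries are printed as "Server [fqdn] Address [ip] ..."
$authorized = netsh dhcp show server | ForEach-Object {
    if ($_ -match 'Server \[(?<name>[^\]]+)\] Address \[(?<ip>[^\]]+)\]') {
        New-Object PSObject -Property @{
            Name = $Matches['name']
            IP   = $Matches['ip']
        }
    }
}

# The rule the service applies at startup: a match on either the server
# name or one of its IP addresses means the server is authorized.
$localName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$localIps  = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
    ForEach-Object { $_.IPAddressToString }

$match = $authorized | Where-Object {
    ($_.Name -ieq $localName) -or ($localIps -contains $_.IP)
}
if ($match) {
    Write-Host "Authorized in Active Directory: $($match.Name) / $($match.IP)"
} else {
    Write-Host "NOT authorized: this server will not respond to DHCP traffic"
}
```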