Domain Name System (DNS) client computers can use dynamic update to register and dynamically update their resource records with a DNS server whenever changes occur. This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use Dynamic Host Configuration Protocol (DHCP) to obtain an IP address.
Dynamic updates can be secure or nonsecure. DNS update security is available only for zones that are integrated into Active Directory Domain Services (AD DS). After you directory-integrate a zone, access control list (ACL) editing features are available in DNS Manager so that you can add or remove users or groups from the ACL for a specified zone or resource record.
Membership in the Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
Allowing only secure dynamic updates
To allow only secure dynamic updates using the Windows interface
- Open DNS Manager.
- In the console tree, right-click the applicable zone, and then click Properties.
- On the General tab, verify that the zone type is Active Directory-integrated.
- In Dynamic Updates, click secure only.
Additional considerations
- To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.
- Secure dynamic update is supported only for AD DS-integrated zones. If the zone type is configured differently, you must change the zone type and directory-integrate the zone before securing it for DNS dynamic updates.
- Dynamic update is a Request for Comments (RFC)–compliant extension to the DNS standard. The DNS update process is defined in RFC 2136, "Dynamic Updates in the Domain Name System (DNS UPDATE)."
- By default, the DNS server allows a zone transfer only to authoritative DNS servers that are listed in the name server (NS) resource records for the zone.
To allow only secure dynamic updates using a command line
- Open a command prompt.
- Type the following command, and then press ENTER:
    dnscmd <ServerName> /Config {<ZoneName>|..AllZones} /AllowUpdate 2
Parameter | Description |
---|---|
dnscmd | The command-line tool for managing DNS servers. |
<ServerName> | Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.) |
/Config | Required. Configures the specified zone. |
<ZoneName>\|..AllZones | Required. Specifies the fully qualified domain name (FQDN) of the zone. To configure all zones that are hosted on the specified DNS server to allow dynamic updates, type ..AllZones. |
/AllowUpdate | Required. Enables the zone to perform dynamic updates. |
2 | Required. Configures the server to allow secure update. If you exclude the 2, the zone will be set to perform standard dynamic updates only. |
To view the complete syntax for this command, at a command prompt, type the following command, and then press ENTER:
dnscmd /Config /help
Additional considerations
- To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
- Dynamic update is an RFC-compliant extension to the DNS standard. The DNS update process is defined in RFC 2136, "Dynamic Updates in the Domain Name System (DNS UPDATE)."
- By default, the DNS server allows a zone transfer only to authoritative DNS servers that are listed in the name server (NS) resource records for the zone.
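To apply the procedure above across a whole server, the following added example (not part of the original page) audits every primary zone and tightens only zones that are already AD DS-integrated and currently accept nonsecure updates. It assumes the DnsServer PowerShell module (Windows Server 2012 and later), which this page does not cover; the script parameters `-ComputerName` and `-Enforce` are names chosen for this example.

```powershell
#Requires -Modules DnsServer
# Added example: audit dynamic update settings and optionally enforce "secure only".
# Assumptions: run elevated with rights to manage the DNS server; the DnsServer module
# is installed; $ComputerName and -Enforce are names invented for this example.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [switch]$Enforce
)

# Only primary zones carry a dynamic update setting; skip the auto-created built-in zones.
$zones = Get-DnsServerZone -ComputerName $ComputerName |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

$report = foreach ($z in $zones) {
    $action = switch ("$($z.DynamicUpdate)") {
        'Secure'             { 'OK: secure only' }
        # Left alone on purpose: switching None to Secure would turn updates ON.
        'None'               { 'OK: dynamic update disabled' }
        'NonsecureAndSecure' {
            if ($z.IsDsIntegrated) { 'FIX: set to secure only' }
            # Secure update requires an AD DS-integrated zone, so this needs a zone type change first.
            else { 'MANUAL: directory-integrate the zone first' }
        }
        default              { "REVIEW: unexpected value '$($z.DynamicUpdate)'" }
    }
    [pscustomobject]@{
        Zone          = $z.ZoneName
        DsIntegrated  = $z.IsDsIntegrated
        DynamicUpdate = $z.DynamicUpdate
        Action        = $action
    }
}

if ($Enforce) {
    foreach ($r in ($report | Where-Object Action -like 'FIX:*')) {
        # ShouldProcess makes -WhatIf and -Confirm work for the change.
        if ($PSCmdlet.ShouldProcess($r.Zone, 'Set DynamicUpdate to Secure')) {
            Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $r.Zone -DynamicUpdate Secure
        }
    }
}

# The table shows the state found before any change was applied.
$report | Sort-Object Action, Zone | Format-Table -AutoSize
```

Run it without `-Enforce` first to review the report, then with `-Enforce -WhatIf` to preview the changes before applying them.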