Domain Name System (DNS) client computers can use dynamic update to register and dynamically update their resource records with a DNS server whenever changes occur. This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use Dynamic Host Configuration Protocol (DHCP) to obtain an IP address.

Dynamic updates can be secure or nonsecure. DNS update security is available only for zones that are integrated into Active Directory Domain Services (AD DS). After you directory-integrate a zone, access control list (ACL) editing features are available in DNS Manager so that you can add or remove users or groups from the ACL for a specified zone or resource record.

Membership in the Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

Allowing only secure dynamic updates

To allow only secure dynamic updates using the Windows interface
  1. Open DNS Manager.

  2. In the console tree, right-click the applicable zone, and then click Properties.

  3. On the General tab, verify that the zone type is Active Directory-integrated.

  4. In Dynamic Updates, click secure only.

Additional considerations

  • To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.

  • Secure dynamic update is supported only for AD DS-integrated zones. If the zone type is configured differently, you must change the zone type and directory-integrate the zone before securing it for DNS dynamic updates.

  • Dynamic update is a Request for Comments (RFC)–compliant extension to the DNS standard. The DNS update process is defined in RFC 2136, "Dynamic Updates in the Domain Name System (DNS UPDATE)."

  • By default, the DNS server allows a zone transfer only to authoritative DNS servers that are listed in the name server (NS) resource records for the zone.

To allow only secure dynamic updates using a command line
  1. Open a command prompt.

  2. Type the following command, and then press ENTER:

    dnscmd <ServerName> /Config {<ZoneName>|..AllZones} /AllowUpdate 2
    

Parameter Description

dnscmd

The command-line tool for managing DNS servers.

<ServerName>

Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)

/Config

Required. Configures the specified zone.

<ZoneName>|..AllZones

Required. Specifies the fully qualified domain name (FQDN) of the zone. To configure all zones that are hosted on the specified DNS server to allow dynamic updates, type ..AllZones.

/AllowUpdate

Required. Enables the zone to perform dynamic updates.

2

Required. Configures the server to allow secure update. If you exclude the 2, the zone will be set to perform standard dynamic updates only.

To view the complete syntax for this command, at a command prompt, type the following command, and then press ENTER:

dnscmd /Config /help 

Additional considerations

  • To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  • Dynamic update is an RFC-compliant extension to the DNS standard. The DNS update process is defined in RFC 2136, "Dynamic Updates in the Domain Name System (DNS UPDATE)."

  • By default, the DNS server allows a zone transfer only to authoritative DNS servers that are listed in the name server (NS) resource records for the zone.

Additional references