Microsoft KB Archive/317590

= How to configure DNS dynamic update in Windows 2000 =

Article ID: 317590

Article Last Modified on 3/29/2007


APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition




This article was previously published under Q317590



Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

IN THIS TASK
SUMMARY

Windows 2000 DNS Dynamic Update Features

How Windows 2000-Based Computers Update Their DNS Names
 * An Example of How DNS Dynamic Update Works

Integration of DHCP with DNS
 * How DHCP/DNS Update Interaction Works

Windows DHCP Clients and DNS Dynamic Update Protocol
 * An Example of a DHCP/DNS Update Interaction for Windows 2000 DHCP Clients
 * An Example of a DHCP/DNS Update Interaction for Windows DHCP Clients That Use a Version of Windows Earlier Than Windows 2000

Secure Dynamic Update
 * How to Allow Only Secure Dynamic Updates

How to Use the DnsUpdateProxy Security Group
 * How to Add Members to the DnsUpdateProxy Group
 * Security Consideration When You Use the DnsUpdateProxy Group

How to Configure DNS Dynamic Update
 * How to Configure DNS Dynamic Update for DHCP Clients
 * DNS Dynamic Update on Statically Configured and Remote Access Clients
 * How to Configure DNS Dynamic Update on Multiple-homed Client Computers
 * How to Configure DNS Dynamic Update on a Windows 2000 DNS Client Computer
 * How to Configure DNS Dynamic Update on a Windows 2000 DNS Server
 * How to Configure DNS Dynamic Update on a Windows 2000 DHCP Server
 * How to Enable DNS Dynamic Updates to a DNS Server

Additional Advanced DHCP/DNS Server Configuration Options

How to Disable DNS Dynamic Update

Troubleshooting

REFERENCES



SUMMARY
This article describes how to configure the DNS dynamic update functionality in Windows 2000. The DNS dynamic update functionality enables DNS client computers to register and dynamically update their resource records with a DNS server whenever changes occur. If you use this functionality, you can reduce the need for manual administration of zone records, especially for clients that frequently move or change locations and use Dynamic Host Configuration Protocol (DHCP) to obtain an Internet Protocol (IP) address.

Windows 2000 provides client and server support to use the dynamic update functionality as described in Request for Comments (RFC) 2136. For DNS servers, the DNS service allows you to enable or disable the DNS dynamic update functionality on a per-zone basis at each server that is configured to load either a standard primary or directory-integrated zone.


Windows 2000 DNS Dynamic Update Features
The DNS service allows client computers to dynamically update their resource records in DNS. When you use this functionality, you improve DNS administration by reducing the time required to manually manage zone records. You can use the DNS dynamic update functionality in conjunction with DHCP to update resource records when a computer's IP address is changed. Computers that are running Windows 2000 can send dynamic updates.

Windows 2000 provides the following features that are related to the DNS dynamic update protocol:
 * Support for Active Directory directory service as a locator service for domain controllers.
 * Integration with Active Directory.

You can integrate DNS zones into Active Directory to provide increased fault tolerance and security. Every Active Directory-integrated zone is replicated among all domain controllers in the Active Directory domain. All DNS servers that are running on these domain controllers can act as primary servers for the zone and accept dynamic updates. Active Directory replicates on a per-property basis, propagating only relevant changes.
 * Support for aging and scavenging of records.

The DNS service can scan and remove records that are no longer needed. When you enable this feature, you can prevent stale records from remaining in the DNS.
 * Support for secure dynamic updates in Active Directory-integrated zones.

You can configure Active Directory-integrated zones for secure dynamic update so that only authorized users can make changes to a zone or record.
 * Improved ease of administration.
 * Administration from the command prompt.
 * Enhanced name resolution.
 * Enhanced caching and negative caching.
 * Interoperability with other DNS server implementations.
 * Integration with other network services.
 * Incremental zone transfer.
 * Support for new resource record types.


How Windows 2000-Based Computers Update Their DNS Names
By default, computers that run Windows 2000 and are statically configured for TCP/IP try to dynamically register host address (A) and pointer (PTR) resource records for IP addresses that are configured and used by their installed network connections. By default, all computers register records based on their full computer name.

For Windows 2000 computers, the primary full computer name (which is a fully qualified domain name [FQDN]) is the primary DNS suffix of the computer that is appended to the computer name. To determine the primary DNS suffix of the computer and the computer name, right-click My Computer, click Properties, and then click the Network Identification tab.

Dynamic updates can be sent for any of the following reasons or events:
 * An IP address is added, removed, or modified in the TCP/IP properties configuration for any one of the installed network connections.
 * An IP address lease changes or renews with the DHCP server for any one of the installed network connections, for example, when the computer is started or if you use the ipconfig /renew command.
 * You use the ipconfig /registerdns command to manually force a refresh of the client name registration in DNS.
 * At startup time, when the computer is turned on.

When one of these events triggers a dynamic update, the DHCP Client service (not the DNS Client service) sends updates. This process is designed so that if a change to the IP address information occurs because of DHCP, corresponding updates in DNS are performed to synchronize name-to-address mappings for the computer. The DHCP Client service performs this function for all network connections used on the system, including connections that are not configured to use DHCP.

NOTES:
 * The dynamic update process for Windows 2000-based computers that use DHCP to obtain their IP address is different from the process that is described in this section. For more information, see the Integration of DHCP with DNS section and the Windows DHCP Clients and DNS Dynamic Update Protocol section of this article.
 * The update process that is described in this section assumes Windows 2000 installation defaults are in effect. Specific names and update behavior are tunable when advanced TCP/IP properties are configured to use non-default DNS settings.
 * In addition to the full computer name (or primary name) of the computer, you can configure additional connection-specific DNS names and optionally register or update them in DNS.


An Example of How Dynamic Update Works
For Windows 2000, dynamic updates are typically requested when either a DNS name or an IP address changes on the computer. For example, a client named "oldhost" is first configured in System properties to have the following names:

Computer name: oldhost

DNS domain name of computer: example.microsoft.com

Full computer name: oldhost.example.microsoft.com

In this example, no connection-specific DNS domain names are configured for the computer. If you rename the computer from "oldhost" to "newhost," the following name changes occur:

Computer name: newhost

DNS domain name of computer: example.microsoft.com

Full computer name: newhost.example.microsoft.com

After the name change is applied in System properties, Windows 2000 prompts you to restart the computer. After the computer restarts Windows, the DHCP Client service performs the following sequence to update DNS:
 * 1) The DHCP Client service sends a start of authority (SOA) type query by using the DNS domain name of the computer.

The client computer uses the currently configured FQDN of the computer (such as "newhost.example.microsoft.com") as the name specified in this query.
 * 2) The authoritative DNS server for the zone that contains the client FQDN responds to the SOA-type query.

For standard primary zones, the primary server (owner) that is returned in the SOA query response is fixed and static. It always matches the exact DNS name as it is displayed in the SOA resource record stored with the zone. However, if the zone that is being updated is directory-integrated, any DNS server that is loading the zone can respond and dynamically insert its own name as the primary server (owner) of the zone in the SOA query response.
 * 3) The DHCP Client service attempts to contact the primary DNS server.

The client processes the SOA query response for its name to determine the IP address of the DNS server that is authorized as the primary server for accepting its name. The client proceeds to perform the following procedure (if required) to contact and dynamically update its primary server:
 * a) The client sends a dynamic update request to the primary server that is determined in the SOA query response. If the update succeeds, no further action is taken.
 * b) If this update fails, the client next sends an NS-type query for the zone name that is specified in the SOA record.
 * c) When the client receives a response to this query, it sends an SOA query to the first DNS server that is listed in the response.
 * d) After the SOA query is resolved, the client sends a dynamic update to the server that is specified in the returned SOA record. If the update succeeds, no further action is taken.
 * e) If this update fails, the client repeats the SOA query process by sending to the next DNS server that is listed in the response.
 * 4) After the primary server that can perform the update is contacted, the client sends the update request and the server processes it.

The contents of the update request include instructions to add A (and possibly PTR) resource records for "newhost.example.microsoft.com" and remove these same record types for "oldhost.example.microsoft.com" (the name that was previously registered).

The server also checks to ensure that updates are permitted for the client request. For standard primary zones, dynamic updates are not secured and any client attempt to update succeeds. For Active Directory-integrated zones, updates are secured and performed using directory-based security settings.
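To show what the update request for the rename above carries on the wire, the following added example (not code from the original article) decodes an RFC 2136 UPDATE message and lists the add and delete operations it contains, as you would when reviewing a packet capture. The sample message, the address 192.0.2.10, and the function names are constructed for illustration; a real Windows 2000 client may also send prerequisite records, which the decoder skips.

```python
import socket
import struct

OPCODE_UPDATE = 5
TYPE_NAMES = {1: "A", 6: "SOA", 12: "PTR", 255: "ANY"}
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255


def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Return (name, offset after the name), following compression pointers."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_sample_update():
    """Constructed sample: the oldhost -> newhost rename from the article."""
    zone = "example.microsoft.com"
    # ID, flags (opcode 5), ZOCOUNT=1, PRCOUNT=0, UPCOUNT=2, ADCOUNT=0
    header = struct.pack("!6H", 0x1234, OPCODE_UPDATE << 11, 1, 0, 2, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", 6, CLASS_IN)
    # Delete the A RRset of the old name: class ANY, TTL 0, no RDATA.
    delete_old = encode_name("oldhost." + zone) + struct.pack("!HHIH", 1, CLASS_ANY, 0, 0)
    # Add the A record of the new name with the 15-minute (900 s) default TTL.
    add_new = (encode_name("newhost." + zone)
               + struct.pack("!HHIH", 1, CLASS_IN, 900, 4)
               + socket.inet_aton("192.0.2.10"))
    return header + zone_section + delete_old + add_new


def decode_update(msg):
    """Return the zone and the list of operations in an UPDATE message."""
    _id, flags, zocount, prcount, upcount, _adcount = struct.unpack("!6H", msg[:12])
    if (flags >> 11) & 0xF != OPCODE_UPDATE:
        raise ValueError("not a dynamic update message")
    if zocount != 1:
        raise ValueError("an update must name exactly one zone")
    zone, off = read_name(msg, 12)
    _ztype, zclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    ops, out_of_zone = [], []
    for index in range(prcount + upcount):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if index < prcount:                # prerequisite section: skipped here
            continue
        if rclass == zclass:
            action = "add"
        elif rclass == CLASS_ANY and rtype == 255:
            action = "delete-name"         # all RRsets at this name
        elif rclass == CLASS_ANY:
            action = "delete-rrset"        # every record of this type
        elif rclass == CLASS_NONE:
            action = "delete-rr"           # one specific record
        else:
            raise ValueError("unexpected class in update section")
        if rtype == 1 and rdlen == 4:
            data = socket.inet_ntoa(rdata)
        else:
            data = rdata.hex() if rdlen else None
        if not (name.lower() == zone.lower() or name.lower().endswith("." + zone.lower())):
            out_of_zone.append(name)       # a server rejects these (NOTZONE)
        ops.append((action, name, TYPE_NAMES.get(rtype, str(rtype)), ttl, data))
    return {"zone": zone, "ops": ops, "out_of_zone": out_of_zone}


if __name__ == "__main__":
    for op in decode_update(build_sample_update())["ops"]:
        print(op)
```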

Dynamic updates are sent or refreshed periodically. By default, Windows 2000 sends a refresh once every 24 hours. If the update occurs and there are no changes to zone data, the zone remains at its current version and no changes are written. Updates result in actual zone changes or increased zone transfers only if names or addresses actually change.

Note Names are not removed from DNS zones if they become inactive or if they are not updated within the refresh interval (24 hours). DNS does not use a mechanism to release or tombstone names, although DNS clients do attempt to delete or update old name records when a new name or address change is applied.

When the DHCP Client service registers A and PTR resource records for a Windows 2000 computer, it uses a default caching Time-To-Live (TTL) value of 15 minutes for host records. This value determines how long other DNS servers and clients cache a computer's records when they are included in a query response.


Integration of DHCP with DNS
With Windows 2000, a DHCP server can enable dynamic updates in the DNS namespace for any of its clients that support these updates. Scope clients can use DNS dynamic update protocol to update their host name-to-address mapping information (which is stored in zones on the DNS server) whenever changes occur to their DHCP-assigned address. A Windows 2000 DHCP server can perform updates on behalf of its DHCP clients to any DNS server.


How DHCP/DNS Update Interaction Works
You can use the DHCP server to register and update the PTR and A resource records on behalf of its DHCP-enabled clients. When you do so, you must use an additional DHCP option, the Client FQDN option (option 81). This option permits the client to provide its FQDN as well as instructions to the DHCP server on how it would like the server to process DNS dynamic updates (if any) on its behalf.

When this option is issued by a qualified DHCP client, such as a DHCP-enabled computer that is running Windows 2000, it is processed and interpreted by Windows 2000 DHCP servers to determine how the server initiates updates on behalf of the client.

For example, you can use any of the following configurations to process client requests:
 * The DHCP server registers and updates client information with its configured DNS servers according to the client request.

After you install a new DHCP server, this configuration becomes the default configuration for Windows 2000 DHCP servers and clients. In this mode, any Windows 2000 DHCP client can request the way in which the DHCP server performs updates of its host A and PTR resource records. If possible, the DHCP server accommodates the client request for handling updates to its name and IP address information in DNS.

To configure the DHCP server to register client information according to the client's request, open the DHCP properties for the server, click the DNS tab, click Properties, and then click Update DNS only if DHCP client requests.
 * The DHCP server always registers and updates client information with its configured DNS servers.

This configuration is a modified configuration that is supported for Windows 2000 DHCP servers and clients. In this mode, the DHCP server always performs updates of the client's FQDN and leased IP address information, both its host A and PTR resource records, regardless of whether the client has requested to perform its own updates.

To configure a DHCP server to register and update client information with its configured DNS servers, open the DHCP properties for the server, click the DNS tab, click Properties, and then click Always update DNS.
 * The DHCP server never registers and updates client information with its configured DNS servers.

To use this configuration, the DHCP server must be configured to disable performance of DHCP/DNS proxied updates. When you use this configuration, no client host A or PTR resource records are updated in DNS for DHCP clients.

To configure the server to never update client information, open the DHCP properties for the DHCP server or one of its scopes on the Windows 2000 DHCP server, click the DNS tab, click Properties, and then clear the Automatically update DHCP client information in DNS check box. By default, updates are always performed for newly installed Windows 2000 DHCP servers and any new scopes that you create for them.


Windows DHCP Clients and DNS Dynamic Update Protocol
DHCP clients that are running Windows 2000 and earlier versions of Windows interact differently when they perform the DHCP/DNS interactions that are described in the preceding section. The following examples show how this process varies in different cases.


An Example of a DHCP/DNS Update Interaction for Windows 2000 DHCP Clients
Windows 2000 DHCP clients interact with DNS dynamic update protocol in the following manner:
 * 1) The client initiates a DHCP request message to the server.
 * 2) The server returns a DHCP acknowledgment message to the client, which grants an IP address lease.
 * 3) By default, the client sends a DNS update request to the DNS server for its own forward lookup record (a host A resource record).

Alternately, the server can perform this update to the DNS server on behalf of the client if both the client and its configuration are modified accordingly.
 * 4) The server sends updates for the DHCP client's reverse lookup record (a PTR resource record) by using the process that is defined by the DNS dynamic update protocol.


An Example of a DHCP/DNS Update Interaction for Windows DHCP Clients That Use a Version of Windows That Is Earlier Than Windows 2000
Earlier versions of Windows DHCP clients do not support the DNS dynamic update process directly and cannot directly interact with the DNS server. For these DHCP clients, updates are typically handled in the following manner:
 * 1) The client initiates a DHCP request message (DHCPREQUEST) to the server.
 * 2) The server returns a DHCP acknowledgment message (DHCPACK) to the client, which grants an IP address lease.
 * 3) The server sends updates to the DNS server for the client's forward lookup record, which is a host A resource record.
 * 4) The server also sends updates for the client's reverse lookup record, which is a PTR resource record.
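The following added example (not code from the original article) ties the Client FQDN option described under How DHCP/DNS Update Interaction Works to the two client examples above: it parses option 81 and returns which records the DHCP server registers under each server setting. The flag layout follows RFC 4702, which the article does not cite; the mode names, function names, and sample option bytes are assumptions made for illustration.

```python
from dataclasses import dataclass

# Flag bits of the Client FQDN option as laid out in RFC 4702 (assumption:
# the article itself does not give the wire format).
FLAG_S, FLAG_O, FLAG_E, FLAG_N = 0x01, 0x02, 0x04, 0x08


@dataclass
class ClientFqdn:
    server_updates_a: bool     # S: client asks the server to register the A record
    override: bool             # O: set by a server that overrode the client's S bit
    wire_encoded: bool         # E: name is in DNS label format instead of ASCII
    no_server_updates: bool    # N: client asks the server to perform no updates
    name: str


def parse_option_81(option):
    """Parse a raw option: code, length, flags, RCODE1, RCODE2, name."""
    if len(option) < 5 or option[0] != 81:
        raise ValueError("not a Client FQDN option")
    length = option[1]
    body = option[2:2 + length]
    if length < 3 or len(body) != length:
        raise ValueError("truncated Client FQDN option")
    flags, raw = body[0], body[3:]
    if flags & FLAG_E:
        labels, i = [], 0
        while i < len(raw) and raw[i] != 0:
            n = raw[i]
            if n > 63 or i + 1 + n > len(raw):
                raise ValueError("malformed label")
            labels.append(raw[i + 1:i + 1 + n].decode("ascii"))
            i += 1 + n
        name = ".".join(labels)
    else:
        name = raw.decode("ascii")
    return ClientFqdn(bool(flags & FLAG_S), bool(flags & FLAG_O),
                      bool(flags & FLAG_E), bool(flags & FLAG_N), name)


def server_registers(fqdn, mode, legacy_updates=True):
    """Return the record types the DHCP server registers for one client.

    mode is a hypothetical label for the DNS tab setting:
      "client-request" = Update DNS only if DHCP client requests (default)
      "always"         = Always update DNS
      "never"          = Automatically update DHCP client information cleared
    fqdn is None for a client that sends no option 81 (earlier Windows versions).
    """
    if mode == "never":
        return set()
    if fqdn is None:
        return {"A", "PTR"} if legacy_updates else set()
    if mode == "always":
        return {"A", "PTR"}
    if fqdn.no_server_updates:
        return set()
    return {"A", "PTR"} if fqdn.server_updates_a else {"PTR"}


# Constructed sample: a default Windows 2000 client (S bit clear, ASCII name).
_NAME = b"newhost.example.microsoft.com"
SAMPLE_DEFAULT_CLIENT = bytes([81, 3 + len(_NAME), 0x00, 0, 0]) + _NAME

if __name__ == "__main__":
    client = parse_option_81(SAMPLE_DEFAULT_CLIENT)
    for mode in ("client-request", "always", "never"):
        print(mode, sorted(server_registers(client, mode)))
    print("no option 81", sorted(server_registers(None, "client-request")))
```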


Secure Dynamic Updates
For Windows 2000, DNS update security is available only for zones that are integrated into Active Directory. After you directory-integrate a zone, you can use the access control list (ACL) editing features that are available in the DNS snap-in to add or remove users or groups from the ACL for a specified zone or resource record.

For more information, see Windows 2000 Help and search for either "To modify security for a resource record" or "To modify security for a directory integrated zone."

By default, dynamic update security for Windows 2000 DNS servers and clients is handled in the following manner:
 * 1) Windows 2000 DNS clients attempt to use unsecured dynamic updates first. If an unsecured update is refused, clients try to use a secure update.

Also, clients use a default update policy that permits them to attempt to overwrite a previously registered resource record, unless they are specifically blocked by update security.
 * 2) After a zone becomes Active Directory-integrated, Windows 2000 DNS servers only allow secure dynamic updates by default.

When you use standard zone storage, the DNS Server service does not allow dynamic updates on its zones by default. For zones that are either directory-integrated or use standard file-based storage, you can change the zone to allow all dynamic updates, which permits all updates to be accepted, bypassing the use of secure updates.

Important For Windows 2000 Server, the DHCP Server service can perform proxy registration and update of DNS records for legacy clients that do not support dynamic updates.

If you use multiple Windows 2000 DHCP servers on your network and configure your zones to allow secure dynamic updates only, use the Active Directory Users and Computers snap-in to add your DHCP server computers to the built-in DnsUpdateProxy group. When you do so, all of your DHCP servers have the secure rights to perform proxy updates for any of your DHCP clients. For more information, see Windows 2000 Help and search for "Using DNS servers with DHCP" or "Manage groups."

Caution In Windows 2000, the secure dynamic updates functionality can be compromised if you run a DHCP server on a domain controller and the Windows 2000 DHCP server is configured to perform registration of DNS records on behalf of its clients. To avoid this issue, deploy DHCP servers and domain controllers on separate computers. If you are not concerned about security of reverse lookup PTR resource records, this precaution is only advisable if the DHCP server is configured to perform registration of host A resource records on behalf of its clients (which is not the default behavior).

For more information, see the Security Considerations When You Use the DnsUpdateProxy group section of this article.


How to Allow Only Secure Dynamic Updates

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click DNS.
 * 2) Under DNS, expand the applicable DNS server, expand Forward Lookup Zones (or Reverse Lookup Zones), and then click the applicable zone.
 * 3) On the Action menu, click Properties.
 * 4) On the General tab, verify that the zone type is Active Directory-integrated.
 * 5) In the Allow dynamic updates? box, click Only secure updates.

Caution In Windows 2000, the secure dynamic updates functionality can be compromised if you run a DHCP server on a domain controller and Windows 2000 DHCP server is configured to perform registration of DNS records on behalf of its clients. To avoid this issue, deploy DHCP servers and domain controllers on separate computers. If you are not concerned about security of reverse lookup PTR resource records, this precaution is only advisable if the DHCP server is configured to perform registration of host A resource records on behalf of its clients (which is not a default behavior).

Notes
 * The secure dynamic update functionality is supported only for Active Directory-integrated zones. If you configure a different zone type, you must change the zone type and directory integrate the zone before you secure it for DNS dynamic updates.
 * Dynamic update is an RFC-compliant extension to the DNS standard. The DNS update process is defined in RFC 2136, "Dynamic Updates in the Domain Name System (DNS UPDATES)."


How to Use the DnsUpdateProxy Security Group
You can configure a Windows 2000 DHCP server so that it dynamically registers host A and PTR resource records on behalf of DHCP clients. If you use secure dynamic updates in this configuration with Windows 2000 DNS servers, resource records may become stale.

For example, consider the following scenario:
 * 1) A Windows 2000 DHCP server (DHCP1) performs a secure dynamic update on behalf of one of its clients for a specific DNS domain name.
 * 2) Because the DHCP server successfully created the name, it becomes the owner of the name.
 * 3) After the DHCP server becomes the owner of the client name, only that DHCP server can update the name.

In some circumstances, this process may cause problems. For example, if DHCP1 fails and a second backup DHCP server comes online, the backup server cannot update the client name because it is not the owner of the name.

In a similar example, DHCP1 registers the name "host.example.microsoft.com" in DNS on behalf of its client, and then you upgrade that computer from an earlier version of Windows to Windows 2000. Because the DHCP server (DHCP1) is the owner of this name, the client cannot update its DNS records after the computer is upgraded to Windows 2000.

To resolve this problem, a new built-in security group called DnsUpdateProxy is provided in Windows. Any object that is created by the members of this group has no security. The first user that is not a member of the DnsUpdateProxy group to modify the set of records that is associated with a client becomes its owner. Therefore, if every DHCP server that is registering resource records for older clients is a member of this group, you do not have problems with updates that result from ownership.


How to Add Members to the DnsUpdateProxy Group
Use the Active Directory Users and Computers snap-in to configure the DnsUpdateProxy security group. For more information, refer to Windows 2000 Help, and search for "To add a member to a group."

Note If you are using multiple DHCP servers for fault tolerance and you use secure dynamic updates, add each of the computers that are operating a Windows 2000 DHCP server to the DnsUpdateProxy global security group.


Security Considerations When You Use the DnsUpdateProxy Group
You can resolve some DNS update concerns about maintaining secure updates if you add all DHCP servers to the DnsUpdateProxy group. However, you face additional security concerns when you add all DHCP servers to this group.

For example, any DNS domain names that are registered by the computer that is running the DHCP server are not secure. The host A resource record for the DHCP server itself is not secure. This issue is more significant if the DHCP server that is a member of the DnsUpdateProxy group is installed on a domain controller. To prevent this problem, manually specify a different owner for any DNS records that are associated with the DHCP server itself.

In this case, all service location (SRV), host A, or alias (CNAME) resource records that are registered by the Netlogon service for the domain controller are not secure. To prevent this problem, do not install a DHCP server on a domain controller.

If you run a Windows 2000 DHCP server on a Windows 2000 domain controller, the DHCP server has full control over all DNS objects stored in Active Directory because the DHCP server is running under the computer account (in this case, the domain controller).
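The ownership rules from How to Use the DnsUpdateProxy Security Group and the exposure described in this section can be checked with a small model. This is an added example, not code from the original article: it reduces directory security to a single owner per record, and the class, the account names (DHCP1$, DHCP2$, HOST$, OTHER$, ADMIN), and the addresses are hypothetical.

```python
HOST = "host.example.microsoft.com"
DHCP_NAME = "dhcp1.example.microsoft.com"


class SecureZone:
    """Simplified model of a zone that allows only secure updates."""

    def __init__(self, proxy_members=()):
        self.proxy_members = set(proxy_members)   # DnsUpdateProxy membership
        self.records = {}                         # name -> {"owner", "address"}

    def update(self, principal, name, address):
        """Apply an update; return False when ownership blocks it."""
        record = self.records.get(name)
        if record and record["owner"] not in (None, principal):
            return False
        # Records written by a DnsUpdateProxy member carry no security, so the
        # first non-member that writes the record becomes its owner.
        owner = None if principal in self.proxy_members else principal
        self.records[name] = {"owner": owner, "address": address}
        return True

    def set_owner(self, name, owner):
        """Manually assign an owner, as the article advises for the DHCP server's records."""
        self.records[name]["owner"] = owner

    def unsecured(self):
        """Names that any authenticated principal could take over."""
        return sorted(n for n, r in self.records.items() if r["owner"] is None)


def failover_without_group():
    """DHCP1 owns the name, so the backup server and the upgraded client are refused."""
    zone = SecureZone()
    zone.update("DHCP1$", HOST, "192.0.2.20")
    return {
        "backup_dhcp": zone.update("DHCP2$", HOST, "192.0.2.21"),
        "upgraded_client": zone.update("HOST$", HOST, "192.0.2.21"),
    }


def failover_with_group():
    """Both DHCP servers are DnsUpdateProxy members; the client later takes ownership."""
    zone = SecureZone(proxy_members={"DHCP1$", "DHCP2$"})
    zone.update("DHCP1$", HOST, "192.0.2.20")
    backup = zone.update("DHCP2$", HOST, "192.0.2.21")
    client = zone.update("HOST$", HOST, "192.0.2.22")
    return {"backup_dhcp": backup, "upgraded_client": client,
            "owner": zone.records[HOST]["owner"]}


def dhcp_server_own_record():
    """The DHCP server's own A record is unsecured until an owner is assigned."""
    zone = SecureZone(proxy_members={"DHCP1$"})
    zone.update("DHCP1$", DHCP_NAME, "192.0.2.2")
    before = zone.unsecured()
    zone.set_owner(DHCP_NAME, "ADMIN")
    refused = not zone.update("OTHER$", DHCP_NAME, "192.0.2.99")
    return {"unsecured_before": before, "unsecured_after": zone.unsecured(),
            "foreign_update_refused": refused}


if __name__ == "__main__":
    print(failover_without_group())
    print(failover_with_group())
    print(dhcp_server_own_record())
```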


Configuring DNS Dynamic Update
The dynamic update functionality that is included in Windows 2000 follows RFC 2136. Dynamic update allows clients and servers to register DNS domain names (PTR resource records) and IP address mappings (A resource records) to an RFC 2136-compliant DNS server.

A Windows 2000 Professional-based computer does not have to use dynamic update to be a member of a Windows 2000 domain; however, your administrative workload increases because you are required to manually update DNS information in this scenario. In Windows 2000, clients can send dynamic updates for three different types of network adapters: DHCP adapters, statically configured adapters, and remote access adapters. Regardless of the adapter that is used, the DHCP Client service sends dynamic updates to the authoritative DNS server. The DHCP Client service runs on all computers regardless of whether they are configured as DHCP clients.


How to Configure DNS Dynamic Update for DHCP Clients
By default, Windows 2000-based DHCP clients are configured to request that the client register the A resource record and the server register the PTR resource record. By default, the name that is used in the DNS registration is a concatenation of the computer name and the primary DNS suffix. To change this default name, open the TCP/IP properties of your network connection.

To change the dynamic update defaults on the dynamic update client:
 * 1) Right-click My Network Places, and then click Properties.
 * 2) Right-click the connection that you want to configure, and then click Properties.
 * 3) Click Internet Protocol (TCP/IP), click Properties, click Advanced, and then click the DNS tab.

By default, Register this connection's address in DNS is selected and Use this connection's DNS suffix in DNS registration is not selected. This default configuration causes the client to request that the client register the A resource record and the server register the PTR resource record. In this case, the name to be used in DNS registration is a concatenation of the computer name and primary DNS suffix of the computer.
 * 4) Click to select the Use this connection's DNS suffix in DNS registration check box.

If you select this check box, the client requests that the server update the PTR record by using the name that is a concatenation of the computer name and the connection-specific DNS suffix. If the DHCP server is configured to register DNS records according to the client's request, the client registers the following records:
   * The PTR record, which uses the name that is a concatenation of the computer name and the primary DNS suffix.
   * The A record, which uses the name that is a concatenation of the computer name and the primary DNS suffix.
   * The A record, which uses the name that is a concatenation of the computer name and the connection-specific DNS suffix.
 * 5) To configure the client to make no requests for DNS registration, click to clear the Register this connection's address in DNS check box. If you clear this check box, the client does not attempt to register any A or PTR DNS records that correspond to this connection.


DNS Dynamic Update on Statically Configured and Remote Access Clients
Statically configured clients and remote access clients do not communicate with the DHCP server. Statically configured Windows 2000-based clients dynamically update their A and PTR resource records every time they start in case the records become corrupted in the DNS database. Remote access clients dynamically update A and PTR resource records when a dial-up connection is made. They also attempt to unregister the A and PTR resource records when the user closes down the connection. However, if a remote access client fails to unregister a resource record within four seconds, the connection is closed, and the DNS database contains a stale record. If the remote access client fails to unregister a resource record, it adds a message to the event log, which you can view by using the Event Viewer. The remote access client never deletes stale records.


How to Configure DNS Dynamic Update on Multiple-Homed Clients
If a dynamic update client is multiple-homed (if it has more than one adapter and an associated IP address), it registers all of its IP addresses with DNS by default. If you do not want the client to register all of its IP addresses, you can configure it to not register one or more IP addresses in the network connection properties.

To prevent the computer from registering all its IP addresses:
 * 1) Right-click My Network Places, and then click Properties.
 * 2) Click the connection that you want to configure, and then click Properties.
 * 3) Click Internet Protocol (TCP/IP), click Properties, click Advanced, and then click the DNS tab.
 * 4) Click to clear the Register this connection's address in DNS check box.

You can also configure the computer to register its domain name in DNS. For example, if you have a client that is connected to two different networks, you can configure the client to have a different domain name on each network.


How to Configure DNS Dynamic Update on a Windows 2000 DNS Client Computer
To configure DNS dynamic update on a Windows 2000 DNS client computer:
 * 1) Click Start, point to Settings, and then click Network and Dial-up Connections.
 * 2) Right-click the network connection that you want to configure, and then click Properties.
 * 3) Click either the General tab (for the local area connection) or the Networking tab (for all other connections), click Internet Protocol (TCP/IP), and then click Properties.
 * 4) Click Advanced, and then click the DNS tab.
 * 5) To use DNS dynamic update to register both the IP addresses for this connection and the full computer name of the computer, click to select the Register this connection's addresses in DNS check box. This check box is selected by default.
 * 6) To configure a connection-specific DNS suffix, type the DNS suffix in the DNS suffix for this connection box.
 * 7) To use DNS dynamic update to register the IP addresses and the connection-specific domain name for this connection, click to select the Use this connection's DNS suffix in DNS registration check box. This check box is selected by default.


How to Configure DNS Dynamic Update on a Windows 2000 DNS Server
To enable DNS dynamic update on a Windows 2000 DNS server:
 * 1) Click Start, point to Programs, point to Administrative Tools, and then click DNS.
 * 2) Click the appropriate zone under either Forward Lookup Zones or Reverse Lookup Zones.
 * 3) On the Action menu, click Properties.
 * 4) On the General tab, verify that the zone type is either Primary or Active Directory-integrated.
 * 5) If the zone type is Primary, click Yes in the Allow dynamic updates? list.
 * 6) If the zone type is Active Directory-integrated, click either Yes or Only secure updates in the Allow dynamic updates? list, depending on whether you want DNS dynamic updates to be secure.

How to Configure DNS Dynamic Update on a Windows 2000 DHCP Server
To configure DNS dynamic update for a Windows 2000 DHCP server:
 * 1) Click Start, point to Programs, point to Administrative Tools, and then click DHCP.
 * 2) Click the appropriate DHCP server or a scope on the appropriate DHCP server.
 * 3) On the Action menu, click Properties.
 * 4) Click the DNS tab.
 * 5) To enable DNS dynamic update for DHCP clients that support it, click to select the Automatically update DHCP client information in DNS check box. This check box is selected by default.
 * 6) To enable DNS dynamic update for DHCP clients that do not support it, click to select the Enable updates for DNS clients that do not support dynamic updates check box. This check box is selected by default.

How to Enable DNS Dynamic Updates to a DNS Server
Windows 2000 DHCP and DNS servers now support dynamic updates to a DNS server. Windows 2000 clients can dynamically update their forward lookup records themselves with the DNS server after the clients obtain a new IP address from a DHCP server.

In Windows 2000 DHCP server, you can dynamically update the DNS records for pre-Windows 2000 clients that cannot do it for themselves. This feature currently works only with the Windows 2000 DHCP and DNS servers.

To enable a DHCP server to dynamically update the DNS records of its clients:
 * 1) Select the scope or DHCP server on which you want to permit dynamic DNS updates.
 * 2) On the Action menu, click Properties, and then click the DNS tab.
 * 3) Click to select the Automatically Update DHCP Client Information In DNS check box.
 * 4) To update a client's DNS records based on the type of DHCP request that the client makes and only when it is requested, click Update DNS Only If DHCP Client Requests.
 * 5) To always update a client's forward and reverse lookup records, click Always Update DNS.
 * 6) Click to select the Discard Forward Lookups When Leases Expire check box to have the DHCP server delete the Host resource record for a client when its DHCP lease expires and is not renewed.
 * 7) Click to select the Enable Updates For DNS Clients That Do Not Support Dynamic Updates check box to enable the DHCP server to update the forward and reverse lookup records for clients that cannot update their own forward lookup records. If you do not select this check box, the DHCP server does not automatically update the DNS records of non-Windows 2000 clients.

Additional Advanced DHCP/DNS Server Configuration Options
In addition to the standard DHCP/DNS interactions, you can configure the Windows 2000 DHCP server to perform the following optional update tasks:
 * You can configure the server to not send updates for a discarded client host (A) resource record when the client lease expires.

When you enable the DHCP server to perform DNS updates, the server always sends updates to discard the client PTR resource records when the lease expires. You can configure the server to discard client host A resource records when a client's lease expires (by default, the server discards these records).

To modify this setting at the applicable DHCP server, open the DHCP properties, click the DNS tab, click Properties, and then clear the Discard forward (name-to-address) lookups when leases expires check box.
 * You can configure the server to not send updates for clients that cannot use the Client FQDN option (option 81) to request the way that updates are handled.

By default, the DHCP server sends updates for clients that do not support option 81. This allows the server to perform proxy updates in DNS for all of its DHCP clients that are running earlier versions of Windows operating systems.

To modify this setting at the applicable DHCP server, open the DHCP properties, click the DNS tab, click Properties, and then click to clear or click to select the Enable updates for DNS clients that do not support dynamic updates check box.

How to Disable DNS Dynamic Update
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Dynamic update is configured on Windows 2000 Professional-based clients by default. To disable dynamic update for all network interfaces:
 * 1) Start Registry Editor (Regedt32.exe).
 * 2) Locate and click the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
 * 3) Add the following value:

Value name: DisableDynamicUpdate

Data type: REG_DWORD

Data value: 0x1

To disable dynamic update for a specific interface:
 * 1) Start Registry Editor (Regedt32.exe).
 * 2) Locate and click the following registry key, where the subkey under Interfaces is the device ID of the network interface card for the interface for which you want to disable dynamic update:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
 * 3) Add the following value:

Value name: DisableDynamicUpdate

Data type: REG_DWORD

Data value: 0x1
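To check which interfaces still register in DNS after these changes, the following added example (not part of the original article or any Microsoft tool) parses a text export of the Tcpip\Parameters key and combines the global and per-interface DisableDynamicUpdate values. The function names, the sample export, and the interface IDs in it are constructed for illustration.

```python
import re

TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

# Constructed sample export; host name and interface IDs are made up.
# Exports saved as "Version 5.00" files are UTF-16, so decode them that way.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"Hostname"="ws01"
"DisableDynamicUpdate"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-1111-1111-1111-111111111111}]
"DisableDynamicUpdate"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{22222222-2222-2222-2222-222222222222}]
"EnableDHCP"=dword:00000001
'''

def parse_reg(text):
    """Return {key path (lowercase): {value name (lowercase): int}} for REG_DWORD values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def dynamic_update_state(text):
    """Map each interface ID to True if it still registers in DNS, False if disabled."""
    keys = parse_reg(text)
    base = TCPIP.lower()
    # Assumption: only the data value 0x1 given in the article disables updates;
    # a missing value means the default (dynamic update enabled).
    global_off = keys.get(base, {}).get("disabledynamicupdate", 0) == 1
    prefix = base + "\\interfaces\\"
    state = {}
    for path, values in keys.items():
        if path.startswith(prefix):
            iface = path[len(prefix):]
            off = global_off or values.get("disabledynamicupdate", 0) == 1
            state[iface] = not off
    return state
```

An interface that maps to True still sends dynamic updates, which matters when the zone it registers in accepts updates that are not secure.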

Troubleshooting
For additional information about how to troubleshoot DNS Dynamic Update in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:

287156 Troubleshooting Windows 2000 DNS dynamic update problems

REFERENCE
For additional information about DNS dynamic updates, refer to the following resources:

Windows 2000 DNS White Paper

"Introduction to DNS" chapter in the Windows 2000 Server Resource Kit

"Windows 2000 DNS" chapter in the Windows 2000 Server Resource Kit

Dynamic Host Configuration Protocol for Windows 2000 Server

For additional information about DNS dynamic updates in Microsoft Windows 2003, click the following article number to view the article in the Microsoft Knowledge Base:

816592 How to configure DNS dynamic update in Windows 2003

© Microsoft Corporation. All rights reserved.