Win2k DNS and DHCP Interoperability
by Mark Jesiel, MCT
We all know that the Domain Name System (DNS) is a critical aspect of Active Directory, and the Windows 2000 enhancements to DNS are useful in keeping DNS rolling along.
For example, support for SRV (Service Resource) records is necessary for locating Domain Controllers (DCs) and Global Catalog servers (GCs), and Incremental Zone Transfers can greatly reduce bandwidth usage on our internal network or over WAN links. This article will focus on the benefits of Active Directory Integrated Zones and Dynamic Updates.
With legacy DNS servers we could create Primary Zone DNS Servers and Secondary Zone DNS Servers. The Primary DNS Server holds the only writeable copy of the zone database and therefore represents a single point of failure. The Secondary DNS Servers hold read-only copies of the database and are great for fault tolerance when it comes to name resolution.
With Win2k we can implement an Active Directory Integrated Zone where every DNS Server hosting the zone is a DC and, as such, holds a writeable copy of the zone database, thereby eliminating the single point of failure.
Dynamic Updates help maintain the accuracy of the zone database. To enable them, open the DNS console and open the Properties page for the zone you want to configure. In the “Allow Dynamic Updates” drop down box, select “Yes.” That’s it! Now the DNS server will accept resource record registrations and updates from clients and your DHCP servers.
It works like this:
- When a Win2k computer is operating as a DHCP client, it will register and update its own “A” or host resource record with the DNS server.
- When a Win2k DHCP server issues an address to a client, the DHCP server will update the “ptr” or pointer record with the DNS server.
- A Win2k computer with a static IP address will register and update the “A” or host record, as well as the “ptr” or pointer record.
What about those pesky legacy clients? You know, those computers that are simply not capable of updating their own resource records with the DNS server? Well, although a Win2k DHCP server will register the “ptr” records automatically for all DHCP clients, it does not register “A” records by default. To support legacy clients and have our Win2k DHCP server update their “A” records, open the DHCP server’s Properties, go to the DNS tab, and select “Enable updates for DNS clients that do not support dynamic update.”
- A legacy client configured to operate as a DHCP client will get an IP address from the DHCP server as always.
- The DHCP server will register and update the “A” or host record as well as the “ptr” or pointer record.
- Legacy clients configured with static IP addresses must have their resource records manually administered.
With a Win2k DNS server hosting an Active Directory Integrated Zone we can also implement “Secure Dynamic Updates.” This will do several things. First and foremost, our DNS server will only accept record registration from clients with accounts in Active Directory. This prevents an unknown computer from registering with the DNS server.
Second, when a client does register a resource record, that specific client becomes the owner of that entry in the zone database, so only that client may update the record. This is true not only for the DHCP client that registers its own “A” record, but also for the DHCP server that registers the “ptr” records for all the DHCP clients it leases IP addresses to.
Since a record can have only one owner, and each computer has a unique identifying number called a SID, this poses a problem if I have multiple DHCP servers: a record registered by one DHCP server cannot be updated by another. To eliminate this problem when implementing Secure Dynamic Updates, make the DHCP servers members of the “DnsUpdateProxy” security group. Records registered by members of this group are not owned by the registering server, so any of the DHCP servers can update them and all records will stay up to date. Keep the membership of that group limited to the DHCP servers, since records created by its members are not protected against modification by other authenticated principals.
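The same configuration on a current Windows Server (2012 or later) can be scripted with the DnsServer, DhcpServer and ActiveDirectory modules. This is an added example, not part of the original article; the zone name corp.example.com and the server names DC01 and DHCP01 are assumed placeholders.

```powershell
# Added example: secure dynamic updates, DHCP registration for legacy clients,
# and DnsUpdateProxy membership, as described in the article above.
# Assumed names (placeholders): zone corp.example.com, DNS/DC host DC01, DHCP host DHCP01.
$Zone    = 'corp.example.com'
$DnsHost = 'DC01'
$DhcpHost = 'DHCP01'

# 1. AD-integrated zone: accept only secure dynamic updates (the GUI's "Secure only").
Set-DnsServerPrimaryZone -ComputerName $DnsHost -Name $Zone -DynamicUpdate Secure

# 2. DHCP server: always register A and PTR records, and register on behalf of
#    clients that cannot update their own records ("legacy" clients).
Set-DhcpServerv4DnsSetting -ComputerName $DhcpHost `
    -DynamicUpdates Always `
    -UpdateDnsRRForOlderClients $true `
    -DeleteDnsRROnLeaseExpiry $true

# 3. Let every DHCP server update records registered by any other DHCP server.
#    Only DHCP servers belong here; records created by members of this group
#    do not get a protective owner ACL.
$dhcpComputer = Get-ADComputer -Identity $DhcpHost
Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members $dhcpComputer

# 4. Verify the resulting state.
(Get-DnsServerZone -ComputerName $DnsHost -Name $Zone).DynamicUpdate      # expect: Secure
Get-DhcpServerv4DnsSetting -ComputerName $DhcpHost |
    Select-Object DynamicUpdates, UpdateDnsRRForOlderClients, DeleteDnsRROnLeaseExpiry
Get-ADGroupMember -Identity 'DnsUpdateProxy' | Select-Object Name, objectClass
```

Run it from an account that can administer the DNS zone, the DHCP server and the DnsUpdateProxy group; the final three commands show the settings the article describes so they can be checked against the GUI.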
The Win2k Network Infrastructure is the backbone of the network and with the power of Active Directory and the enhancements to the various components (like DNS and DHCP), an administrator now has a formidable toolbox from which to draw.