Zone File Name
For standard zones not stored in Active Directory, the default zone filename is created by adding a .dns extension to the zone name. The Zone File Name text box on the General tab allows you to change the default name of this file.
Dynamic Updates
The General tab also allows you to configure the dynamic updates settings for a zone. Three dynamic update settings are available for Active Directory-integrated DNS zones: None, Nonsecure And Secure, and Secure Only. For standard zones, only two settings are available: None and Nonsecure And Secure.
When you select the None setting in the properties for a zone, you must manually perform registrations and updates to zone records. However, when you enable either the Nonsecure And Secure setting or the Secure Only setting, client computers can automatically create or update their own resource records. This functionality greatly reduces the need for manual administration of zone records, especially for DHCP clients and roaming clients.
Figure 3 illustrates a typical dynamic update process.
Whenever a triggering event occurs on a DNS client computer, the DHCP Client service, not the DNS Client service, attempts to perform a dynamic update of the A resource record with the DNS server. This update process is designed so that if a change to the IP address information occurs because of DHCP, this update is immediately sent to the DNS server. The DHCP Client service attempts to perform this dynamic update function for all network connections used on the system, including those not configured to use DHCP. Whether this attempt at a dynamic update is successful depends first and foremost on whether the zone has been configured to allow dynamic updates.
Dynamic Update Triggers
The following events trigger the DHCP Client service to send a dynamic update to the DNS server:
- The DNS client computer is turned on.
- An IP address lease changes or renews with the DHCP server for any one of the local computer’s installed network connections—for example, when the computer is started or if the Ipconfig /renew command is used.
- An IP address is added, removed, or modified in the Transmission Control Protocol/Internet Protocol (TCP/IP) properties configuration for any one of the local computer’s installed network connections.
- A member server within the zone is promoted to a domain controller.
- The Ipconfig /registerdns command is used on a DNS client computer to manually force a refresh of the client name registration in DNS.
Secure Dynamic Updates
Secure dynamic updates can be performed only in Active Directory-integrated zones. For standard zones, the Secure Only option does not appear in the Dynamic Updates drop-down list box. These updates use the secure Kerberos authentication protocol to create a secure context and ensure that the client updating the resource record is the owner of that record.
Note
Only clients running a version of Windows 2000, Microsoft Windows XP, or Windows Server 2003 can attempt to send dynamic updates to a DNS server. Dynamic updates are not available for any version of Windows NT, Windows 95, Microsoft Windows 98, or Microsoft Windows Millennium Edition (Me). However, a DNS client computer (such as a DHCP server) can perform dynamic updates on behalf of other clients if the server is configured to do so.
Secure Dynamic Updates and the DnsUpdateProxy group
When only secure dynamic updates are allowed in a zone, only the owner of a record can update that record. (The owner of a record is the computer that originally registers the record.) This restriction can cause problems in situations where a DHCP server is being used to register host (A) resource records on behalf of client computers that cannot perform dynamic updates. In such cases, the DHCP server becomes the owner of the record, not the computers themselves. If the down-level client computer is later upgraded to Windows 2000 or some other operating system that is capable of performing dynamic updates, the computer will not be recognized as the owner and will consequently be unable to update its own records. A similar problem might arise if a DHCP server fails that has registered records on behalf of down-level clients: none of the clients will be able to have their records updated by a backup DHCP server.
To avoid such problems, add DHCP servers that register records on behalf of other computers to the DnsUpdateProxy security group. Members of this group are prevented from recording ownership on the resource records they update in DNS. Consequently, security for these records is loosened until they can be registered by the real owner.
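The Secure Dynamic Updates and DnsUpdateProxy sections above describe settings an administrator would normally inspect zone by zone in the console. The following script is an added example, not part of the original text, that audits them from PowerShell. It assumes the DnsServer and ActiveDirectory modules (Windows Server 2012 or later; the Windows Server 2003 console discussed in this chapter has no such cmdlets), DNS administrator rights, and a placeholder zone name corp.example.com.

```powershell
# Added example: audit dynamic-update settings and DnsUpdateProxy membership.
# Assumes the DnsServer and ActiveDirectory modules (Windows Server 2012+).
Import-Module DnsServer
Import-Module ActiveDirectory

function Get-DynamicUpdateFindings {
    # Only primary zones accept dynamic updates; skip auto-created zones
    # such as 0.in-addr.arpa, which are not administered by hand.
    $zones = Get-DnsServerZone | Where-Object {
        $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated
    }

    foreach ($zone in $zones) {
        $setting = [string]$zone.DynamicUpdate   # None, NonsecureAndSecure, Secure
        $finding = $null

        if ($zone.IsDsIntegrated -and $setting -ne 'Secure') {
            # AD-integrated zones can use Secure Only, which ties each record
            # to the Kerberos-authenticated owner that registered it.
            $finding = 'AD-integrated zone not set to Secure Only'
        }
        elseif (-not $zone.IsDsIntegrated -and $setting -eq 'NonsecureAndSecure') {
            # Standard zones cannot use Secure Only, so this setting lets any
            # host overwrite any record; the chapter's guidance is to prefer
            # AD-integrated zones where dynamic updates are needed.
            $finding = 'Standard zone accepts unauthenticated dynamic updates'
        }

        if ($finding) {
            [pscustomobject]@{
                Zone          = $zone.ZoneName
                DsIntegrated  = $zone.IsDsIntegrated
                DynamicUpdate = $setting
                Finding       = $finding
            }
        }
    }
}

Get-DynamicUpdateFindings | Format-Table -AutoSize

# Remediation for an AD-integrated zone (placeholder name). -WhatIf previews
# the change; remove it to apply.
Set-DnsServerPrimaryZone -Name 'corp.example.com' -DynamicUpdate Secure -WhatIf

# DHCP servers registering records for down-level clients belong in
# DnsUpdateProxy. Review the membership: records created by these members
# carry no owner, so only DHCP servers should appear here.
Get-ADGroupMember -Identity 'DnsUpdateProxy' | Select-Object Name, objectClass
```

Run it on the DNS server itself, or add -ComputerName to Get-DnsServerZone and Set-DnsServerPrimaryZone to target a remote server.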
Tip
Expect to be tested on DnsUpdateProxy on the exam.
Aging
By clicking Aging on the General tab, you can open the Zone Aging/Scavenging Properties dialog box, as shown in Figure 4. These properties provide a means of finding and clearing outdated records from the zone database.