Dynamic update

Dynamic update enables DNS client computers to register and dynamically update their resource records with a DNS server whenever changes occur. This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use DHCP to obtain an IP address.

Windows 2000 provides client and server support for the use of dynamic updates, as described in RFC 2136. For DNS servers, the DNS service allows dynamic update to be enabled or disabled on a per-zone basis at each server configured to load either a standard primary or directory-integrated zone. By default, client computers running under any version of Windows 2000 dynamically update their host (A) resource records (RRs) in DNS when configured for TCP/IP.

How Windows 2000 computers update their DNS names

By default, computers that run Windows 2000 and are statically configured for TCP/IP attempt to dynamically register host (A) and pointer (PTR) resource records (RRs) for IP addresses configured and used by their installed network connections. By default, all computers register records based on their Full computer name.

For Windows 2000 computers, the primary full computer name, a fully qualified domain name (FQDN), is based on the following system settings:

The Primary DNS suffix of this computer appended to the Computer name.

Both of these settings are displayed or configured from the Network Identification tab in System properties. For more information, see To view your computer's network identification or To configure the primary DNS suffix for a client computer

Dynamic updates can be sent for any of the following reasons or events:

An IP address is added, removed, or modified in the TCP/IP properties configuration for any one of the installed network connections.
An IP address lease changes or renews with the DHCP server any one of the installed network connections. For example, when the computer is started or if the ipconfig /renew command is used.
The ipconfig /registerdns command is used to manually force a refresh of the client name registration in DNS.
At startup time, when the computer is turned on.

When one of the previous events triggers a dynamic update, the DHCP Client service (not the DNS Client service) sends updates. This is designed so that if a change to the IP address information occurs because of DHCP, corresponding updates in DNS are performed to synchronize name-to-address mappings for the computer. The DHCP Client service performs this function for all network connections used on the system, including connections not configured to use DHCP.

note Note

The process of how dynamic updates are performed for Windows 2000 computers that use DHCP to obtain their IP address is different than is described in this section. For more information, see Using DNS servers with DHCP
The update process described in this section assumes Windows 2000 installation defaults are in effect. Specific names and update behavior is tunable where advanced TCP/IP properties are configured to use non-default DNS settings.
In addition to the full computer name (or primary name) of the computer, additional connection-specific DNS names can be configured and optionally registered or updated in DNS. For more information, see Configuring multiple names or To configure TCP/IP to use DNS

Example: How dynamic update works

For Windows 2000, dynamic updates are typically requested when either a DNS name or IP address changes on the computer. For example, suppose a client named "oldhost" is first configured in System properties with the following names:

Computer name	oldhost
DNS domain name of computer	example.microsoft.com
Full computer name	oldhost.example.microsoft.com

In this example, no connection-specific DNS domain names are configured for the computer. Later, the computer is renamed from "oldhost" to "newhost", resulting in the following name changes on the system:

Computer name	newhost
DNS domain name of computer	example.microsoft.com
Full computer name	newhost.example.microsoft.com

Once the name change is applied in System properties, Windows 2000 prompts you to restart the computer. When the computer restarts Windows, the DHCP Client service performs the following sequence to update DNS:

The DHCP Client service sends a start of authority (SOA) type query using the DNS domain name of the computer.
The client computer uses the currently configured FQDN of the computer (such as "newhost.example.microsoft.com") as the name specified in this query.
The authoritative DNS server for the zone containing the client FQDN responds to the SOA-type query.
For standard primary zones, the primary server (owner) returned in the SOA query response is fixed and static. It always matches the exact DNS name as it appears in the SOA RR stored with the zone. If, however, the zone being updated is directory-integrated, any DNS server loading the zone can respond and dynamically insert its own name as the primary server (owner) of the zone in the SOA query response.
The DHCP Client service then attempts to contact the primary DNS server.
The client processes the SOA query response for its name to determine the IP address of the DNS server authorized as the primary server for accepting its name. It then proceeds to perform the following sequence of steps as needed to contact and dynamically update its primary server:
1. It sends a dynamic update request to the primary server determined in the SOA query response.
  If the update succeeds, no further action is taken.
2. If this update fails, the client next sends an NS-type query for the zone name specified in the SOA record.
3. When it receives a response to this query, it sends an SOA query to the first DNS server listed in the response.
4. After the SOA query is resolved, the client sends a dynamic update to the server specified in the returned SOA record.
  If the update succeeds, no further action is taken.
5. If this update fails, then the client repeats the SOA query process by sending to the next DNS server listed in the response.
Once the primary server is contacted that can perform the update, the client sends the update request and the server processes it.
The contents of the update request include instructions to add A (and possibly PTR) RRs for "newhost.example.microsoft.com" and remove these same record types for "oldhost.example.microsoft.com", the name that was previously registered.

The server also checks to ensure that updates are permitted for the client request. For standard primary zones, dynamic updates are not secured, so any client attempt to update succeeds. For Active Directory-integrated zones, updates are secured and performed using directory-based security settings. For more information, see Secure dynamic updates

Dynamic updates are sent or refreshed periodically. By default, Windows 2000 sends a refresh once every 24 hours. If the update results in no changes to zone data, the zone remains at its current version and no changes are written. Updates result in actual zone changes or increased zone transfer only if names or addresses actually change.

Note that names are not removed from DNS zones if they become inactive or are not updated within the refresh interval (24 hours). DNS does not use a mechanism to release or tombstone names, although DNS clients do attempt to delete or update old name records when a new name or address change is applied.

When the DHCP Client service registers A and PTR resource records for a Windows 2000 computer, it uses a default caching Time-To-Live (TTL) of 15 minutes for host records. This determines how long other DNS servers and clients cache a computer's records when they are included in a query response.

Secure dynamic update

For Windows 2000, DNS update security is available only for zones that are integrated into Active Directory. Once you directory-integrate a zone, access control list (ACL) editing features are available in the DNS console so you can add or remove users or groups from the ACL for a specified zone or resource record. For more information, see To modify security for a resource record or To modify security for a directory integrated zone

By default, dynamic update security for Windows 2000 DNS servers and clients can be handled as follows:

Windows 2000 DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update.
Also, clients use a default update policy that permits them to attempt to overwrite a previously registered resource record, unless they are specifically blocked by update security.
Once a zone becomes Active Directory-integrated, Windows 2000 DNS servers default to allowing only secure dynamic updates.
When using standard zone storage, the default for the DNS Server service is to not allow dynamic updates on its zones. For zones that are either directory-integrated or use standard file-based storage, you can change the zone to allow all dynamic updates which permits all updates to be accepted, by passing the use of secure updates.

Important

For Windows 2000 Server, the DHCP Server service can perform proxy registration and update of DNS records for legacy clients that do not support dynamic updates.
If you use multiple Windows 2000 DHCP servers on your network and also configure your zones to allow secure dynamic updates only, you need to use Active Directory Users and Computers to add your DHCP server computers to the built-in DnsUpdateProxyGroup. This will permit all of your DHCP servers the secure rights to perform proxy updates for any of your DHCP clients.

For information, see Using DNS servers with DHCP or Manage groups

caution Caution

For Windows 2000, the use of secure dynamic updates can be compromised by running a DHCP server on a domain controller when Windows 2000 DHCP server is configured to perform registration of DNS records on behalf of its clients. To avoid this issue, deploy DHCP servers and domain controllers on separate computers. If you are not concerned about security of reverse lookup (PTR) records, this precaution is only advisable if the DHCP server is configured to perform registration of host (A) records on behalf of its clients (which is not a default behavior). For more information, see Security concerns when using the DnsUpdateProxy group

note Note

Dynamic update is a recent additional DNS standard specification, defined in RFC 2136. For more information, refer to the RFC. For information on obtaining RFCs, see TCP/IP RFCs
Additional information about DNS dynamic updates and secure updates for Windows 2000 DNS servers and clients is available in the Windows 2000 Server Resource Kit. For more information, see Windows 2000 Resource Kit