Dynamic update

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


Dynamic update enables DNS client computers to register and dynamically update their resource records with a DNS server whenever changes occur. This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use DHCP to obtain an IP address.

The DNS Client and Server services support the use of dynamic updates, as described in Request for Comments (RFC) 2136, "Dynamic Updates in the Domain Name System." The DNS Server service allows dynamic update to be enabled or disabled on a per-zone basis at each server configured to load either a standard primary or directory-integrated zone. By default, the DNS Client service will dynamically update host (A) resource records (RRs) in DNS when configured for TCP/IP. For more information about RFCs, see DNS RFCs.

How client and server computers update their DNS names

By default, computers that are statically configured for TCP/IP attempt to dynamically register host (A) and pointer (PTR) resource records (RRs) for IP addresses configured and used by their installed network connections. By default, all computers register records based on their fully qualified domain name (FQDN).

The primary full computer name, an FQDN, is formed by appending the computer's primary DNS suffix to its Computer name.

Both of these settings are displayed or configured from the Computer Name tab in System properties. For more information, see View system properties.

Notes

  • By default, the DNS client on Windows XP does not attempt dynamic update over a Remote Access Service (RAS) or virtual private network (VPN) connection. To modify this configuration, you can modify the advanced TCP/IP settings of the particular network connection or modify the registry. For more information, see Configure TCP/IP to use DNS and the Microsoft Windows Resource Kits Web site.

  • By default, the DNS client does not attempt dynamic update of top-level domain (TLD) zones. Any zone named with a single-label name is considered a TLD zone, for example, com, edu, blank, my-company. To configure the DNS client to allow the dynamic update of TLD zones, you can use the Update Top Level Domain Zones policy setting or modify the registry.

  • By default, the primary DNS suffix portion of a computer's FQDN is the same as the name of the Active Directory domain to which the computer is joined. To allow different primary DNS suffixes, a domain administrator may create a restricted list of allowed suffixes by modifying the msDS-AllowedDNSSuffixes attribute in the domain object container. This attribute is managed by the domain administrator using Active Directory Service Interfaces (ADSI) or the Lightweight Directory Access Protocol (LDAP).

    For more information, see Programming interfaces and Directory access protocol.

Dynamic updates can be sent for any of the following reasons or events:

  • An IP address is added, removed, or modified in the TCP/IP properties configuration for any one of the installed network connections.

  • An IP address lease changes or renews with the DHCP server for any one of the installed network connections, for example, when the computer is started or when the ipconfig /renew command is used.

  • The ipconfig /registerdns command is used to manually force a refresh of the client name registration in DNS.

  • At startup time, when the computer is turned on.

  • A member server is promoted to a domain controller.

When one of the previous events triggers a dynamic update, the DHCP Client service (not the DNS Client service) sends updates. This is designed so that if a change to the IP address information occurs because of DHCP, corresponding updates in DNS are performed to synchronize name-to-address mappings for the computer. The DHCP Client service performs this function for all network connections used on the system, including connections not configured to use DHCP.

Notes

  • The process by which dynamic updates are performed for computers running Windows 2000, Windows XP, or Windows Server 2003 operating systems that use DHCP to obtain their IP address differs from the process described in this section. For more information, see Using DNS servers with DHCP.

  • The update process described in this section assumes that installation defaults are in effect for computers running Windows 2000, Windows XP, or servers running Windows Server 2003. Specific names and update behavior are tunable where advanced TCP/IP properties are configured to use non-default DNS settings.

    In addition to the full computer name (or primary name) of the computer, additional connection-specific DNS names can be configured and optionally registered or updated in DNS. For more information, see Configuring multiple names or Configure TCP/IP to use DNS.

Example: How dynamic update works

Dynamic updates are typically requested when either a DNS name or IP address changes on the computer. For example, suppose a client named "oldhost" is first configured in System properties with the following names:

Computer name: oldhost

DNS domain name of computer: example.microsoft.com

Full computer name: oldhost.example.microsoft.com

In this example, no connection-specific DNS domain names are configured for the computer. Later, the computer is renamed from "oldhost" to "newhost", resulting in the following name changes on the system:

Computer name: newhost

DNS domain name of computer: example.microsoft.com

Full computer name: newhost.example.microsoft.com

Once the name change is applied in System properties, you are prompted to restart the computer. When the computer restarts Windows, the DHCP Client service performs the following sequence to update DNS:

  1. The DHCP Client service sends a start of authority (SOA) type query using the DNS domain name of the computer.

    The client computer uses the currently configured FQDN of the computer (such as "newhost.example.microsoft.com") as the name specified in this query.

  2. The authoritative DNS server for the zone containing the client FQDN responds to the SOA-type query.

    For standard primary zones, the primary server (owner) returned in the SOA query response is fixed and static. It always matches the exact DNS name as it appears in the SOA RR stored with the zone. If, however, the zone being updated is directory-integrated, any DNS server loading the zone can respond and dynamically insert its own name as the primary server (owner) of the zone in the SOA query response.

  3. The DHCP Client service then attempts to contact the primary DNS server.

    The client processes the SOA query response for its name to determine the IP address of the DNS server authorized as the primary server for accepting its name. It then proceeds to perform the following sequence of steps as needed to contact and dynamically update its primary server:

    1. It sends a dynamic update request to the primary server determined in the SOA query response.

      If the update succeeds, no further action is taken.

    2. If this update fails, the client next sends an NS-type query for the zone name specified in the SOA record.

    3. When it receives a response to this query, it sends an SOA query to the first DNS server listed in the response.

    4. After the SOA query is resolved, the client sends a dynamic update to the server specified in the returned SOA record.

      If the update succeeds, no further action is taken.

    5. If this update fails, then the client repeats the SOA query process by sending to the next DNS server listed in the response.

  4. Once the primary server is contacted that can perform the update, the client sends the update request and the server processes it.

    The contents of the update request include instructions to add A (and possibly PTR) RRs for "newhost.example.microsoft.com" and remove these same record types for "oldhost.example.microsoft.com", the name that was previously registered.

    The server also checks to ensure that updates are permitted for the client request. For standard primary zones, dynamic updates are not secured, so any client attempt to update succeeds. For Active Directory-integrated zones, updates are secured and performed using directory-based security settings.
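The update request in step 4, as an added example that is not Microsoft's code: it encodes the RFC 2136 UPDATE message that deletes the A RRset for "oldhost.example.microsoft.com" and adds an A record for "newhost.example.microsoft.com" with the 15-minute TTL given below, then decodes it so the zone section and update section can be inspected. The address 10.0.0.5 and the message ID are constructed sample values; the PTR record is omitted for brevity.

```python
import struct

# Added example (not Microsoft's code): encode and decode the RFC 2136 UPDATE
# sent by the DHCP Client service after the rename. The address 10.0.0.5 and
# the message ID 0x1234 are constructed sample values.
OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA = 1, 6
CLASS_IN, CLASS_ANY = 1, 255

def encode_name(name):
    """Dotted FQDN -> DNS label sequence (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def rr(name, rtype, rclass, ttl, rdata=b""):
    """One resource record in wire format."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_update(zone, old_fqdn, new_fqdn, new_ip, msg_id=0x1234, ttl=900):
    """UPDATE message: ZOCOUNT=1, PRCOUNT=0, UPCOUNT=2, ADCOUNT=0.
    ttl=900 is the 15-minute default TTL used for host records."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 2, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    # RFC 2136 section 2.5.2: "delete an RRset" is CLASS=ANY, TTL=0, empty RDATA
    delete_old = rr(old_fqdn, TYPE_A, CLASS_ANY, 0)
    add_new = rr(new_fqdn, TYPE_A, CLASS_IN, ttl, bytes(int(o) for o in new_ip.split(".")))
    return header + zone_section + delete_old + add_new

def decode_name(msg, off):
    """Read an uncompressed name at offset off; return (name, next offset)."""
    labels = []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def decode_update(msg):
    """Parse header, zone section and update section; return (opcode, zone, RRs)."""
    _, flags, _, _, upcount, _ = struct.unpack("!HHHHHH", msg[:12])
    zone, off = decode_name(msg, 12)
    off += 4  # skip ZTYPE/ZCLASS of the single zone entry
    rrs = []
    for _ in range(upcount):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rrs.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return (flags >> 11) & 0xF, zone, rrs
```

On a standard primary zone with dynamic update enabled, a server accepts this message from any sender, which is the unsecured behaviour the next paragraph describes; a directory-integrated zone checks the ACL first.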

Dynamic updates are sent or refreshed periodically. By default, computers send a refresh once every 7 days. If the update results in no changes to zone data, the zone remains at its current version and no changes are written. Updates result in actual zone changes or increased zone transfer only if names or addresses actually change.

Note that names are not removed from DNS zones if they become inactive or are not updated within the refresh interval (7 days). DNS does not use a mechanism to release or tombstone names, although DNS clients do attempt to delete or update old name records when a new name or address change is applied.

When the DHCP Client service registers A and PTR resource records for a computer, it uses a default caching Time to Live (TTL) of 15 minutes for host records. This determines how long other DNS servers and clients cache a computer's records when they are included in a query response.

Secure dynamic update

DNS update security is available only for zones that are integrated into Active Directory. Once you directory-integrate a zone, access control list (ACL) editing features are available in the DNS console so you can add or remove users or groups from the ACL for a specified zone or resource record. For more information, see Modify security for a resource record or Modify security for a directory-integrated zone.

By default, dynamic update security for DNS servers and clients can be handled as follows:

  • DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update.

    Also, clients use a default update policy that permits them to attempt to overwrite a previously registered resource record, unless they are specifically blocked by update security.

  • Once a zone becomes Active Directory-integrated, DNS servers running Windows Server 2003 default to allowing only secure dynamic updates.

    When using standard zone storage, the default for the DNS Server service is to not allow dynamic updates on its zones. For zones that are either directory-integrated or use standard file-based storage, you can change the zone to allow all dynamic updates, in which case every update, secure or unsecured, is accepted.

Important

  • The DHCP Server service can perform proxy registration and update of DNS records for legacy clients that do not support dynamic updates.

    For information, see Using DNS servers with DHCP.

Notes

  • Dynamic update is a recent additional DNS standard specification, defined in RFC 2136. For more information, refer to the RFC. For information on obtaining RFCs, see TCP/IP RFCs.

  • For more information about DNS dynamic updates and secure updates, see Using the Windows Deployment and Resource Kits.

  • The dynamic registration of DNS resource records can be restricted with the use of registry entries. For more information, see article Q246804, "How to Enable/Disable Windows 2000 Dynamic DNS Registrations," in the Microsoft Knowledge Base.