Configuring DNS Server for Secure Only Dynamic Updates

About Dynamic Updates

During the installation of Active Directory Domain Services on Windows Server 2008 R2, the installation process automatically installs the DNS server on the computer, in case it does not already exist in the network. After the successful installation of Active Directory Domain Services, the DNS server is by default configured to automatically update the records of only the domain client computers as soon as it receives the registration request from them. This automatic update of DNS records in the DNS database is technically known as ‘Dynamic Updates’.

Types of DNS Updates

Dynamic updates that DNS server in Windows Server 2008 R2 supports include:

• Nonsecure and Secure – When this type of dynamic update is selected, any computer can send registration request to the DNS server. The DNS server in return automatically adds the record of the requesting computer in the DNS database, even if the computer does not belong to the same DNS domain. Although this configuration remarkably reduces administrative overhead, this setting is not recommended for the organizations that have highly sensitive information available in the computers.
• Secure only – When this type of dynamic update is selected, only the computers that are members of the DNS domain can register themselves with the DNS server. The DNS server automatically rejects the requests from the computers that do not belong to the domain. This protects the DNS server from getting automatically populated with records of unwanted, suspicious and/or fake computers.
• None – When this option is selected, the DNS server does not accept any registration request from any computers whatsoever. In such cases, DNS administrators must manually add the IP addresses and the Fully Qualified Domain Names (FQDNs) of the client computers to the DNS database.

In most production environments, systems administrators configure Secure Only dynamic updates for DNS. This remarkably reduces the security risks by allowing only the authentic domain client computers to register themselves with the DNS server automatically, and decreases the administrative overhead at the same time.
However in some scenarios, administrators choose to have non-Active Directory integrated zone to stay compliant with the policies of the organization. This configuration is not at all recommended because it does not allow administrators to configure DNS server for Secure only updates, and it does not allow the DNS database to get replicated automatically to the other DNS servers along with the Active Directory replication process. When DNS zone is not Active Directory integrated, DNS database replication process must be performed manually by the administrators.

Configure Secure Only Dynamic Updates in Windows Server 2008 R2 DNS Server

To configure Secure Only dynamic DNS updates in Windows Server 2008 R2, administrators must follow the steps given as below:

1. Log on to Windows Server 2008 R2 DNS server computer with the domain admin or enterprise admin account on which ‘Secure only’ dynamic updates are to be configured.
2. On the desktop screen, click Start.
3. From the Start menu, go to Administrator Tools > DNS.
4. On DNS Manager snap-in, from the console tree in the left, double-click to expand the DNS server name.
5. From the expanded list, double-click Forward Lookup Zones.
6. From the displayed zones list, right-click the DNS zone on which secure only dynamic updates are to be configured.
7. From the displayed context menu, click Properties.
   

   Click Properties
8. On the zone’s properties box, make sure that the General tab is selected.
9. On the selected tab, choose Secure only option from the Dynamic updates drop-down list.
   Note: Secure only option is available only if the DNS zone is Active Directory integrated.
   
   

   Secure Only Dynamic Update

10. Click OK to apply the modified changes.
11. Close DNS Manager snap-in when done.