DNS Secure Dynamic Updates and DHCP – How does it work and how to update PTR-records in DNS?

There are some common misconceptions about DNS dynamic updates and DHCP servers. In this post I will explain what actually happens and how to get PTR records registered automatically with secure dynamic updates enabled.


First off, what is DNS Dynamic Updates? Let’s get that out of the way right away:

  1. None: Dynamic update is not allowed and all records need to be updated/managed manually.
  2. Nonsecure and Secure: This setting will allow all dynamic updates, without verifying the authenticity of the source from where the update request is coming.
  3. Secure Only: This setting will allow dynamic update only if the authenticity of the source is verified by Active Directory. In other words, the source should be a member of the “Authenticated Users” security principal.
(Quoted from Microsoft Social TechNet.)

Why DNS doesn’t update PTR-records with Secure Dynamic Updates:

This scenario assumes a domain controller running DNS with secure dynamic updates enabled, with the DHCP Server role installed on that same DC. When the DHCP server hands an IP address to a client and dynamic updates take place, keep in mind that:

  • The owner of the hostname is the client, so the client is responsible for registering its own A record in the forward lookup zone.
  • The owner of the IP address is the DHCP server, so the DHCP server is responsible for registering that client’s PTR record in the reverse lookup zone (the client asks it to do so through the Client FQDN option in its DHCP request).

This means that whenever a Windows client leases an IP address from the DHCP server, the client registers its own A record in the forward lookup zone under its own computer account, which works fine with Secure Only. The PTR record, however, has to be written by the DHCP Server service, and on a domain controller that service runs under the DC’s own security context. In that context the service will not perform DNS registrations on behalf of clients at all, so the PTR record is simply never created. You have to hand the DHCP server a dedicated set of credentials for that purpose. Once you do, the DHCP server updates PTR records on behalf of its clients, and towards the DNS server it then behaves like any other dynamic update client.

So how do I automatically update PTR records with Secure Dynamic Updates enabled?

  1. Create a new ‘service’ account (Password never expires / User cannot change password). A plain domain user is enough; it needs no administrative rights.
I named the user “DHCP Client Service Account” with log-on name “dhcpservice”.

  2. Add this user to the “DnsUpdateProxy” security group.

  3. In DHCP Manager on your server, right click IPv4 > Properties > Advanced > Credentials, and enter the newly created service user’s credentials.

  4. All set. Windows clients with a DHCP lease should now get both records registered automatically: the A record by the client itself, and the PTR record by the DHCP server using the service account.
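The same four steps as a script, added here as an example and not taken from the original post. It assumes it runs elevated on the DC that hosts DHCP, that the domain is corp.example, that the account is named dhcpservice, that the reverse zone covers 192.168.1.0/24, and that a test client currently holds 192.168.1.50; change those to match your environment.

```powershell
# Added example, not part of the original post. Assumed names: domain corp.example,
# service account dhcpservice, reverse zone for 192.168.1.0/24, test client 192.168.1.50.
Import-Module ActiveDirectory, DhcpServer, DnsServer

$Sam      = 'dhcpservice'
$Domain   = 'corp.example'                          # assumption
$Password = Read-Host -Prompt "Password for $Sam" -AsSecureString

# Step 1: a plain domain user, no group memberships beyond the default ones.
New-ADUser -Name 'DHCP Client Service Account' -SamAccountName $Sam `
    -UserPrincipalName "$Sam@$Domain" -AccountPassword $Password `
    -PasswordNeverExpires $true -CannotChangePassword $true -Enabled $true `
    -Description 'Used by the DHCP Server service for dynamic DNS registrations'

# Step 2: DnsUpdateProxy membership, so records this account creates are not
# locked to it and the client owning the name can take them over later.
Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members $Sam

# Step 3: hand the credentials to the DHCP Server service (DHCP Manager:
# IPv4 > Properties > Advanced > Credentials does the same thing).
$Cred = New-Object System.Management.Automation.PSCredential("$Domain\$Sam", $Password)
Set-DhcpServerDnsCredential -Credential $Cred
Get-DhcpServerDnsCredential        # should now list the service account, not an empty user name

# Server-wide DNS registration settings: always register A and PTR, and remove
# them again when the lease expires so stale reverse entries do not pile up.
Set-DhcpServerv4DnsSetting -DynamicUpdates Always `
    -DeleteDnsRRonLeaseExpiry $true -UpdateDnsRRForOlderClients $true

# The reverse zone must exist and must allow (secure) dynamic updates,
# otherwise there is nothing for the DHCP server to register into.
$Reverse = '1.168.192.in-addr.arpa'
if (-not (Get-DnsServerZone -Name $Reverse -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId '192.168.1.0/24' -ReplicationScope Domain -DynamicUpdate Secure
}
(Get-DnsServerZone -Name $Reverse).DynamicUpdate    # expect "Secure"

Restart-Service DHCPServer

# Step 4 check: after the client renews its lease (ipconfig /renew on the client),
# its PTR record should resolve from the DC.
Resolve-DnsName -Name '192.168.1.50' -Type PTR
```

Read the password interactively rather than putting it in the script; the DHCP server stores the credentials itself, so nothing else needs a copy of them.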

Note: You should never add other user accounts or security groups directly to the DnsUpdateProxy security group. Records registered by a member of that group are deliberately left without a protective owner ACL so that the real owner of the name can take them over later; anything else that registers through a member of the group inherits that weakness. In particular, never put the domain controller’s own computer account in the group: every record the DC registers, including its SRV records, would then be writable by any authenticated user.

A common misconception is that ticking “Always dynamically update DNS A and PTR records” on the DNS tab of the IPv4 properties in DHCP Manager makes the DHCP server register PTR records on its own, using the DC’s security context, and thereby exposes the system to the risk described above. That is not what happens. If the DHCP Server service detects that it is running on a domain controller and no alternate credentials for DNS registrations have been configured, it refuses to do any registrations for DHCP clients at all and logs event DHCP/1056 in the System log. The checkbox only controls when the server tries to register; without credentials on a DC it never does.
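A quick audit of the situation this paragraph describes, added here as an example and not taken from the original post. It assumes it runs elevated on the server in question, that the dedicated account is named dhcpservice, and that a DHCP/1056 event in the System log is the symptom to look for.

```powershell
# Added example, not part of the original post. Assumes it runs elevated on the
# DHCP server and that the dedicated account is named dhcpservice.
Import-Module ActiveDirectory, DhcpServer

# DomainRole 4 = backup domain controller, 5 = primary domain controller.
$isDC = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

# Empty user name means no alternate credentials have been configured.
$cred    = Get-DhcpServerDnsCredential
$hasCred = -not [string]::IsNullOrEmpty($cred.UserName)

# Event 1056 is logged when the service runs on a DC without credentials.
# Get-WinEvent errors out when nothing matches, hence SilentlyContinue.
$evt1056 = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1056; StartTime = (Get-Date).AddDays(-1) } `
    -ErrorAction SilentlyContinue | Where-Object { $_.ProviderName -like '*DHCP*' }

$dns = Get-DhcpServerv4DnsSetting

# Nothing but the dedicated account belongs in DnsUpdateProxy. Computer accounts,
# above all the DC itself, would make every record they register unsecured.
$unexpected = Get-ADGroupMember -Identity 'DnsUpdateProxy' |
    Where-Object { $_.objectClass -ne 'user' -or $_.SamAccountName -ne 'dhcpservice' }

[pscustomobject]@{
    IsDomainController      = $isDC
    DnsCredentialConfigured = $hasCred
    DynamicUpdates          = $dns.DynamicUpdates            # Always / OnClientRequest / Never
    Event1056Last24h        = @($evt1056).Count
    WillRegisterForClients  = (-not $isDC) -or $hasCred       # the rule the paragraph describes
    UnexpectedProxyMembers  = ($unexpected | ForEach-Object { $_.SamAccountName }) -join ', '
}
```

A healthy DHCP-on-DC setup shows DnsCredentialConfigured true, no 1056 events, and an empty UnexpectedProxyMembers column; a checkbox set to Always with no credentials is exactly the state the paragraph warns about.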
