Secure and Nonsecure Dynamic Updates

active-directorydomain-name-systemwindows 7windows-server-2008-r2

Domain Controller: Windows Server 2008 R2

Client: Windows 7

For the past 3-4 days, I was trying to register some client desktops / laptops to get their DNS entry dynamically by various methods such as ipconfig /registerdns & re-adding to domain.

Still they didn't get registered with the DC (DNS manager). In the DNS, Dynamic updates is set to Secure only (It is an Active Directory Integrated Zone).

For testing, I changed the Dynamic update to Nonsecure and Secure and after running ipconfig /registerdns, it gets registered.

I don't understand why it doesn't get registered when Dynamic update is set to Secure only.

I know Secure only means it will register and update only if it gets authenticated.

But my question is the client desktop / laptop is already joined to a Domain and I also re-joined to the domain. Still it doesn't get registered in DNS (when Dynamic update is set to Secure only)

It's a security risk if I keep Dynamic update set to to Nonsecure and Secure.

Best Answer

To have Secure Dynamic Updates you have to use Microsoft DHCP Service, which is Authorized in your domain. Then DHCP service will update your DNS records automatically.

Related Solutions

GPO – Setting ‘Register This Connection’s Addresses in DNS’

There isn't a group policy setting to do what you're trying to do-- you're going to have to use a script.

First, I'd recommend reviewing the "Explain" tab for the settings you described above. You'll see that none of the settings actually turn on the registration behaviour you're looking for.

Assuming your machines get DNS settings from DHCP, and assuming that you don't mind this setting set back to the stock setting on all their network interfaces, assign the following in a Startup Script to the affected computers:

for /f "usebackq tokens=3* delims= " %%i in (`netsh interface ip show dns ^| find "Configuration for interface"`) do netsh interface ip set dns name=%%j source=dhcp primary

That will set the DNS client to get its address from DHCP, and reset the stock registration setting on all network interfaces on a Windows XP machine.

(An aside: You ought to figure out how your users changed that setting in the first place and stop them. It sounds like you have people who have 'Administrator' rights who shouldn't.)

Cisco DHCP and Windows DNS without Nonsecure updates

It looks like you're seeing the default permissions that are applied to DNS objects when non-secure updates to an Active Directory-integrated zone are performed. Now that you've switched over to requiring secure updates the clients don't have permission to perform the updates.

At this point your options would be to:

Add the computer account with "Write All Properties", "Read Permissions", and "All Validated Writes" permission to each DNS record (ideally with a script but you can test by adding the permission "by hand" on a single record and performing an ipconfig /registerdns on the subject client computer).
Delete the old DNS records (either "by hand" or by way of "Aging and Scavenging") and allow the clients to register new records securely.

If you're at all able to just delete the old records and let the clients re-register themselves I think you'll find that course the easiest to manage.

Related Topic