How to configure DHCP Dynamic updates when using standalone DNS servers?

  • Question

  • Thanks in advance for taking a moment to read this.

    I have an Active Directory domain where DNS is running on standalone servers that are not domain controllers (though the DNS servers are members of the domain). I'd like to have DNS records be automatically registered for machines getting their IP addresses via DHCP in a secure manner. How do I do this?

    I don't believe I can allow client machines to register their own records in a secure way. On the DNS servers, the "Dynamic updates" dropdown for each zone gives me the following options:

    1. Nonsecure and secure - I don't want to do this since it's a security vulnerability

    2. None - this seems to prevent all machines (including my DNS server) from registering DNS records.

    There is no "secure" option since it only works with AD-integrated DNS, which itself is only allowed if the DNS server is running on a DC, which it's not in my environment. Given that, the only secure option is "none", which prevents client machines from registering DNS records.

    Is there any other way to have client machines register their own DNS records?

    Alternatively, I tried to configure DHCP to automatically register DNS records on behalf of clients. Typically, one would create an account and configure DHCP to use it to update DNS records on behalf of clients by adding it to the DNSupdateProxy security group. I don't have one, I think because my DNS servers are standalone and cannot have AD-integrated DNS zones.

    Any other ways I can get DNS records automatically registered for DHCP clients? I have too many to create static DNS records for them all.


    Sunday, August 12, 2018 9:15 AM

Answers

  • Hi,

    Thanks for your reply.

    Yes, your understanding is correct.

    All of the possible options you have mentioned above have their own drawbacks, and those cannot be avoided.

    Best regards,

    Travis


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Marked as answer by huge828288282 Friday, August 17, 2018 9:52 AM
    Monday, August 13, 2018 7:46 AM
    Moderator

All replies

  • Hi,

    Thanks for your question.

    There is no better way to register DNS records.

    Storing the zone in AD is available only if the DNS server is a writeable domain controller. So your standalone DNS server can't create an AD-integrated zone.

    As a result, there is no "secure only" option in dynamic updates.

    If you want to configure DHCP to automatically register DNS records on behalf of clients, you need to tolerate security issues.

    Best regards,

    Travis



    Monday, August 13, 2018 6:15 AM
    Moderator
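As an added example (not part of the original thread), here is what the two points discussed above look like from PowerShell using the built-in DnsServer and DhcpServer modules: first auditing the per-zone dynamic-update setting the question describes, then applying the configuration the reply says you have to accept on a standalone DNS server, with the mitigations the DHCP server itself offers. The server and zone names are assumptions.

```powershell
# Added example, not code from the original thread. Server and zone names are assumed.
$DnsServer  = 'dns01.corp.example'   # assumed standalone (non-DC) DNS server
$DhcpServer = 'dhcp01.corp.example'  # assumed DHCP server
$Zone       = 'corp.example'         # assumed forward lookup zone

# 1. Audit: which dynamic-update mode is each primary zone in? On a non-DC DNS
#    server IsDsIntegrated is always False and DynamicUpdate can only be
#    'None' or 'NonsecureAndSecure'; 'Secure' needs an AD-integrated zone,
#    which needs the DNS role on a domain controller.
Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate

# 2. Audit: how does the DHCP server currently register records for clients?
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer

# 3. The configuration the thread ends up with: the zone has to accept
#    non-secure updates, and DHCP registers A and PTR records on behalf of every
#    client and removes them when the lease expires.
Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $Zone -DynamicUpdate NonsecureAndSecure
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer `
    -DynamicUpdates Always `
    -DeleteDnsRROnLeaseExpiry $true `
    -NameProtection $true
# Name protection makes the DHCP server register a DHCID record with each name,
# so a second client cannot claim a name DHCP already registered for another
# client. It only governs what the DHCP server registers: a host sending its
# own non-secure update straight to the zone is still allowed by the setting in
# step 3, which is the exposure the reply above says cannot be avoided here.

# 4. Use a dedicated low-privilege account for the updates rather than the DHCP
#    server's computer account, so the records DHCP creates are not owned by the
#    server itself. (This is the account that would also be put in the
#    DnsUpdateProxy group in an AD-integrated setup.)
$cred = Get-Credential -Message 'Account the DHCP server uses for DNS updates'
Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $cred
```

Run steps 1 and 2 first on their own: if step 1 shows IsDsIntegrated as False for every zone, the "Secure" mode is simply not available and steps 3 and 4 are the most that can be done without moving DNS onto a domain controller.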
  • Thanks very much for that. So is there any other way to accomplish my goal:

    1. Have DNS servers be non-DCs (meaning AD integrated DNS zones are not an option)

    2. Have DNS records for machines in the network be auto-created (without allowing "secure and nonsecure" updates).

    It sounds like you are saying "no", but just wanted to make sure I fully understood.

    Monday, August 13, 2018 6:48 AM
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolved it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If not, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Travis



    Friday, August 17, 2018 5:50 AM
    Moderator