Resource: Windows 2000 Server Resource kit TCP/IP Core Networking Guide  

DNS > Dynamic Update and Secure Dynamic Update

Dynamic Update and Secure Dynamic Update

This DNS feature is used when clients are allowed to change the records they need on their own DNS server; the server then checks those records to make sure they meet the conditions required to exist in the zone.

Dynamic update provides the following benefits:

Enabling this option on a server has several benefits. First, all DHCP clients automatically register their A and PTR records on the server, so the administrator does not have to create these records by hand. Second, the DHCP server can perform the registration described above on behalf of the clients; this is preferable because some clients cannot perform dynamic update themselves.
  • Enables clients, including DHCP clients, to dynamically register A and PTR resource records with a primary server. This reduces the administrative resources needed to manually manage those records.
  • Enables DHCP servers to register A and PTR resource records on behalf of DHCP clients. This reduces the time needed to manually manage those records and provides support for DHCP clients that cannot perform dynamic updates.
  • Simplifies the setup of Active Directory by allowing domain controllers to be dynamically registered by using SRV records.

Secure dynamic update provides the following benefits:

Enabling the secure form of this option also has benefits, and rules of its own. In this mode only the DNS servers recorded in the dnsNode object and the dnsZone object can update the records of that zone. This method has the following benefits: first, unknown users cannot edit or modify the records; second, you decide which users or groups are allowed to change these records.

  • Protects zones and resource records from being modified by users without authorization.
  • Enables you to specify exactly which users and groups can modify zones and resource records.

Dynamic update clients first attempt a regular dynamic update; if that fails, they negotiate a secure dynamic update with the server. You can control the type of dynamic update in the registry key below. Under that key, set the value named UpdateSecurityLevel to one of the following to choose the update type:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

  • 256. Specifies the use of secure dynamic update only.
  • 16. Specifies the use of insecure dynamic update only.
  • 0. Specifies the use of secure dynamic update when an insecure dynamic update is refused. This is the default value.

Dynamic Update

Several services can send dynamic update records to the DNS server: the DHCP Client and DHCP Server services, Netlogon, and the Clustering service. On Windows 2000 clients, dynamic update information can be sent to the DNS server for three kinds of network adapter: DHCP adapters, statically configured adapters, and remote access adapters. By default a dynamic update client only registers its A resource record with the server, but when any of the following events occurs, PTR records can also be registered on the DNS server:
  • The TCP/IP configuration is changed.
  • The DHCP address is renewed or a new lease is obtained.
  • A Plug and Play event occurs.
  • An IP address is added or removed from the computer when the user changes or adds an IP address for a static adapter. (The user does not need to restart the computer for the dynamic update client to register the name–to–IP address mappings.)

With dynamic update, whenever a client obtains a new IP address from the DHCP server, the client itself registers the name-to-IP address mapping. You can instead configure the DHCP server to do this on behalf of the clients when it leases the address, and prevent the clients from registering the mapping themselves.

To prevent the client from registering name-to-IP address mappings

  1. Double-click the Network icon in Control Panel.
  2. Right-click the icon for the connection on which you want to disable registration of name–to–IP address mappings, and then click Properties.
  3. Click Internet Protocol (TCP/IP), and then click Properties.
  4. Click Advanced, and then click the DNS tab.
  5. Clear the check box Register this connection's address in DNS.

To re-register the records, you can use the following commands.
You can force a re-registration by using the command-line tool Ipconfig. For Windows 2000–based clients, type the following at the command prompt:

ipconfig /registerdns

For Windows NT 4.0–based clients, type the following:

ipconfig /release

ipconfig /renew

For Microsoft® Windows® 98–based and Microsoft® Windows® 95–based clients, type the following:

winipcfg /renew

Dynamic Update Process

In the first step, the client sends a query to find the DNS server and the zone in which it must register its dynamic update information. After locating the server responsible for the client's name and the name of the zone, the DNS server replies to the client. In the next step, the client begins sending its dynamic update records; before registering them, the DNS server checks whether secure dynamic update is enabled and then registers the records. Figure 6.17 shows these steps.

Figure 6.17 shows a typical dynamic update process.

Updates can fail for the following reasons:

The steps described above may not complete for one of the reasons described below.

The primary server that is authoritative for the name does not respond.

When the server does not respond, it may be shut down, unreachable from the client, or busy with replication between zones.

The server is not accepting dynamic updates because the zone is being transferred.

While a zone is transferring its data to other servers, it may refuse dynamic update records.

The server accepts only secure dynamic updates, and the insecure dynamic update operation failed.

For more information about secure dynamic update, see "Secure Dynamic Update" later in this chapter.

The zone may have been configured to use secure dynamic update.

The prerequisites have not been met. For example, the dynamic update client might be trying to update a name for which no records currently exist.

The client may be trying to register a record that does not already exist in the zone.

DHCP Clients and Servers

The interaction between the DHCP client, the DNS server, and the DHCP server can take several forms. For Windows 2000 clients that obtain their IP address from DHCP, the DHCP server does not need to send the A record to DNS, but it can send the PTR record, as shown in the figure below. This happens when the lease the server granted to the DHCP client has expired and the server issues the system a new IP address.

Pre-Windows 2000 systems such as Windows 95, Windows 98 and Windows NT 4 cannot send their FQDN to the DHCP server, so you can configure the DHCP server to perform the registration when it issues them an IP address; in effect, the DHCP server passes each client's FQDN to the DNS server. To do this, on the DNS tab of the DHCP server's Properties in the DHCP console, select the following option:

Enable updates for DNS clients that do not support dynamic updates

 
 

Dynamic Update Process for Adapters Configured by DHCP

When a DHCP client sends the DHCP server on the network a request for an IP address, the DHCPREQUEST packet, the client's FQDN is passed to the DHCP server in that packet. The DHCP server uses the same FQDN when it replies to the client in the DHCP acknowledgment packet, DHCPACK. The table below shows the FQDN section of a DHCPREQUEST packet.

 

Table 6.6 Fields in the FQDN Option of the DHCPREQUEST Packet

Field         Explanation
Code          Specifies the code for this option (81).
Len           Specifies the length of this option (minimum of 4).
Flags         Can be one of the following values:
                0. Client wants to register the A resource record and requests that the server update the PTR resource record.
                1. Client wants server to register the A and PTR resource records.
                3. DHCP server registers the A and PTR resource records regardless of the request of the client.
RCODE1 and    The DHCP server uses these fields to specify the response code from an A resource record registration
RCODE2        performed on the client's behalf and to indicate whether it attempted the update before sending DHCPACK.
Domain Name   Specifies the FQDN of the client.
 
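As an added example (not code from the Resource Kit or from this page), the Python below parses the FQDN option (code 81) out of a DHCPREQUEST options field using the layout of Table 6.6, enforces the minimum Len, and reports what the Flags value asks the DHCP server to register. It goes slightly beyond the table by also decoding the name when bit 0x04 (the E flag of the later RFC 4702) is set; the sample options bytes and the host name host1.reskit.com are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

FQDN_OPTION_CODE = 81          # Table 6.6: option code of the client FQDN option
OPTION_PAD, OPTION_END = 0, 255

# Meaning of the three Flags values listed in Table 6.6 (they occupy the low two bits)
FLAG_MEANINGS = {
    0: "client registers the A record; server asked to update the PTR record",
    1: "client asks the server to register both A and PTR records",
    3: "server registers A and PTR records regardless of the client request",
}


@dataclass
class FqdnOption:
    flags: int
    rcode1: int
    rcode2: int
    domain_name: str

    def describe_flags(self) -> str:
        meaning = FLAG_MEANINGS.get(self.flags & 0x03)
        return meaning or f"flags value {self.flags} is not listed in Table 6.6"


def _decode_wire_name(raw: bytes) -> str:
    """Decode a DNS wire-format name (length-prefixed labels, zero terminator)."""
    labels, pos = [], 0
    while pos < len(raw):
        n = raw[pos]
        pos += 1
        if n == 0:
            break
        if n > 63 or pos + n > len(raw):
            raise ValueError("malformed label in FQDN option")
        labels.append(raw[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels)


def parse_fqdn_option(tlv: bytes) -> FqdnOption:
    """Parse one option-81 TLV: Code, Len, Flags, RCODE1, RCODE2, Domain Name."""
    if len(tlv) < 2:
        raise ValueError("truncated option header")
    code, length = tlv[0], tlv[1]
    if code != FQDN_OPTION_CODE:
        raise ValueError(f"option code {code} is not the FQDN option")
    if length < 4:                                  # Table 6.6: Len is at least 4
        raise ValueError("FQDN option Len must be at least 4")
    body = tlv[2:2 + length]
    if len(body) != length:
        raise ValueError("option body shorter than Len")
    flags, rcode1, rcode2, name_bytes = body[0], body[1], body[2], body[3:]
    # Bit 0x04 is the E flag of RFC 4702 (not in Table 6.6): name in DNS wire format.
    # Without it the name is plain text (assumption: ASCII, as Windows 2000 clients sent it).
    name = _decode_wire_name(name_bytes) if flags & 0x04 else name_bytes.decode("ascii")
    return FqdnOption(flags, rcode1, rcode2, name)


def find_fqdn_option(options: bytes) -> Optional[FqdnOption]:
    """Walk a DHCP options field (code/len TLVs, pad and end bytes) and return option 81."""
    pos = 0
    while pos < len(options):
        code = options[pos]
        if code == OPTION_END:
            return None
        if code == OPTION_PAD:
            pos += 1
            continue
        if pos + 1 >= len(options):
            raise ValueError("truncated option")
        length = options[pos + 1]
        if code == FQDN_OPTION_CODE:
            return parse_fqdn_option(options[pos:pos + 2 + length])
        pos += 2 + length
    return None


def build_fqdn_option(flags: int, name: str, rcode1: int = 0, rcode2: int = 0) -> bytes:
    """Build an option-81 TLV (inverse of parse_fqdn_option), used to construct samples."""
    if flags & 0x04:
        name_bytes = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    else:
        name_bytes = name.encode("ascii")
    body = bytes([flags, rcode1, rcode2]) + name_bytes
    return bytes([FQDN_OPTION_CODE, len(body)]) + body


# Constructed sample: DHCPREQUEST options (message type 3) carrying option 81 with
# Flags = 0 for the Resource Kit's example host, followed by the End option.
SAMPLE_OPTIONS = b"\x35\x01\x03" + build_fqdn_option(0, "host1.reskit.com") + b"\xff"

if __name__ == "__main__":
    opt = find_fqdn_option(SAMPLE_OPTIONS)
    print(opt.domain_name, "->", opt.describe_flags())
```
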
The tables below show how the DHCP server and the DNS server handle dynamic update for the two kinds of DHCP client, Windows 2000 and pre-Windows 2000, and how and in which cases the A resource record and the PTR resource record are registered.

Figure 6.18 Windows 2000-based Client

This table shows the systems that do not support dynamic update.

Figure 6.19 Client That Does Not Perform Dynamic Updates (Pre Windows 2000-based)

Configuring Dynamic Update for DHCP Clients 

By default, as you can see at the location below, the system updates the A resource record itself and requests that the DHCP server update the PTR resource record.
 
  1. Right-click My Network Places, and then click Properties.
  2. Right-click the connection you want to configure, and then click Properties.
  3. Select Internet Protocol (TCP/IP), click Properties, and click Advanced, and select the DNS tab.
  4. By default, Register this connection's address in DNS is selected and Use this connection's DNS suffix in DNS registration is not selected, causing the client to request that the server update the PTR resource record and the client updates the A resource record using the primary DNS suffix.

Configuring Dynamic Update for DHCP Servers

To configure dynamic update for the Windows 2000 DHCP server

  1. Click Start, point to Programs and Administrative Tools, and then click DHCP.
  2. Expand the tree next to the name of the server.
  3. Right-click the scope you're configuring, and then click Properties.
  4. Click the DNS tab.
  5. If it is not already selected, select Automatically update DHCP client information in DNS.
  6. If you want the server to register whichever records the client requested that it register, select the option Update DNS only if DNS client requests.
  7. If you want the server to always register both A and PTR resource records, select the option Always update DNS.
  8. If you want the server to always register both A and PTR resource records on behalf of clients that do not support the FQDN option, select Enable updates for DNS clients that do not support dynamic update.

Automatically update DHCP client information in DNS.

This option must be enabled for the DHCP server to support dynamic update.
 

Update DNS only if DNS client requests.

If you want the server to update both records when a DHCP client requests it, select this option.

 

Always update DNS.

Select this option when you want the server to update both records itself.
 

Enable updates for DNS clients that do not support dynamic update.

If you want the server to also update the records on behalf of systems that do not support the FQDN option, this option must be enabled.
 

Discard forward (name-to-address) lookups when leases expire.

If you enable this option, the server deletes the A resource record from DNS after a DHCP client's IP lease expires.
 

If you have any multihomed dynamic update clients and at least one adapter is using DHCP, select the option Update according to client request (the default). If the DHCP server is configured to register both A and PTR resource records, the DHCP server replaces all A resource records for the name it attempts to register.

For more information about the FQDN option and integration between DNS and DHCP, see the Internet Engineering Task Force (IETF) link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources. Search for the IETF Internet-Draft "Interaction Between DHCP and DNS."

Statically Configured and Remote Access Clients

Statically configured clients and remote access clients do not rely on the DHCP server to register their A and PTR records. Statically configured clients register their own A and PTR records in DNS every time they start. Because such systems may stay on around the clock, their records can go stale, so they need to be refreshed during the day.

Remote access clients create their A and PTR records whenever their dial-up connection is established, and delete them when the user closes the connection. If a remote access client cannot delete its records from DNS within 4 seconds of the connection closing, a stale record is left in the DNS server database; the RRAS server, however, usually deletes the records from the DNS server itself.

Multihomed Clients

A system with more than one network adapter is called a multihomed client. Such systems usually connect two separate networks; in the figure below, Adapter B may also be a modem. In the figure, Client1.noam.reskit.com is connected to the LAN through a DHCP adapter and registers that address with the server NoamDC1, and is connected to the Internet through a RAS adapter and registers that address with the ISPNameServer on the Internet. During dynamic update it cannot register both IP addresses with the two separate servers as PTR records, that is, it cannot send the PTR record to two different servers; instead it sends the A record to both servers and performs the name-to-IP address mapping for both adapters.

Figure 6.20 Dynamic Update for Multihomed Clients

STATUS: name-to-IP address mappings
RECORD TYPE: A resource record
ADDRESS:
  1. Right-click My Network Places, and then click Properties.
  2. Right-click the connection you want to configure, and then click Properties.
  3. Select Internet Protocol (TCP/IP), click Properties, and click Advanced, and select the DNS tab.
  4. Select Register this connection's address in DNS.

STATUS: IP address-to-host mappings
RECORD TYPE: PTR resource record
ADDRESS:
  1. Right-click My Network Places, and then click Properties.
  2. Right-click the connection you want to configure, and then click Properties.
  3. Select Internet Protocol (TCP/IP), click Properties, and click Advanced, and select the DNS tab.
  4. Select Use this connection's DNS suffix in DNS registration.

 

Time to Live

Whenever dynamic update registers the A and PTR records in DNS, those records get a TTL of 20 minutes. You can change this by editing the registry key below, where a DWORD value named DefaultRegistrationTTL sets the lifetime. A longer TTL raises the risk of stale records but lowers traffic; a shorter TTL does the opposite.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Resolving Name Conflicts

If during dynamic update the client discovers that the name or IP address it wants to register in DNS has already been registered by another system, it goes back to the system it has the name conflict with in order to change that system's address and give it a new IP address. If the zone is not configured for secure dynamic update, any user can resolve the conflict by changing the address in this way, but with secure dynamic update only members of certain groups can do so.

Instead of changing the IP address, you can make the system log an error in Event Viewer when this conflict occurs. To do this, create a DWORD value named DisableReplaceAddressesInConflicts with the value 1 under the registry key below. The entry can be 1 or 0, which specify one of the following:
  • 1. If the name that the client is trying to create already exists, the client does not try to overwrite it.
  • 0. If the name that the client is trying to create already exists, the client tries to overwrite it. This is the default value.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
 
Caution

Do not use a registry editor to edit the registry directly unless you have no alternative. The registry editors bypass the standard safeguards provided by administrative tools. These safeguards prevent you from entering conflicting settings or settings that are likely to degrade performance or damage your system. Editing the registry directly can have serious, unexpected consequences that can prevent the system from starting and require that you reinstall Windows 2000. To configure or customize Windows 2000, use the programs in Control Panel or Microsoft Management Console (MMC) whenever possible.

 

Secure Dynamic Update

You can use secure dynamic update in Active Directory-integrated zones; there, an ACL specifies which users or groups can modify a zone.

access control list (ACL)
A list of security protections that apply to an entire object, a set of the object's properties, or an individual property of an object. There are two types of access control lists: discretionary and system. See also access control entry; discretionary access control list; security descriptor; system access control list.
 
Note

Secure dynamic update is available only on Active Directory–integrated zones.

 

Configuring Secure Dynamic Update

When you create an Active Directory-integrated zone, it uses secure dynamic update by default. When you convert a standard primary zone into an Active Directory-integrated zone, however, it keeps (non-secure) dynamic update.

To change the type, perform the following steps:

To configure secure dynamic update

  1. In the DNS console, right-click the zone for which you want to configure dynamic update, and then click Properties.
  2. In the Allow dynamic updates? box, select Only secure updates.

Controlling Update Access to Zones

With secure dynamic update, only the computers and users specified in the ACL can create or modify a dnsNode object. By default the ACL grants all Authenticated Users and Authenticated Computers groups in the Active Directory forest permission to create and modify dnsNode objects; the Creator Owner of each object normally has Full Control over it.

You can change these permissions through the DNS console or through the Active Directory Users and Computers console.

DNS Console

To view the ACL for a dnsZone or dnsNode object

  1. In the DNS console, right-click the zone or record you want to view, and then click Properties.
  2. Click the Security tab.
Active Directory Users and Computers console

You can view and change the permissions for all DNS objects on the Security tab for the object, from within the Active Directory Users and Computers console.
 

Note

ACLs are assigned on a per-name basis. Therefore, if you had two different records for the same FQDN, they map to the same object in Active Directory and have the same ACLs. For example, the following records have the same ACLs:

Each name is assigned one ACL, so if we have two different records for the same name, that is, the same FQDN, both belong to the same object. In the example below, therefore, both records have identical ACLs.

host1.reskit.com    A       172.16.15.9

host1.reskit.com    MX    mailer.reskit.com

 

Reserving Names

You can reserve FQDNs so that only certain users can use them. To do so, create the FQDN in the DNS console, then modify its ACL so that only particular computer, user, or users can change the set of records associated with the FQDN.

DNS Standards for Secure Dynamic Update

Windows 2000 supports secure dynamic updates through the Generic Security Service Application Program Interface (GSS-API, specified in RFC 2078) rather than Domain Name System Security Extensions (RFC 2535) or Secure Domain Name System Dynamic Update (RFC 2137). The GSS-API provides security services independently of the underlying security mechanism.

The GSS-API specifies a way to establish a security context by passing security tokens. The client generates the initial token and sends it to the server. The server processes the token and, if it is necessary, returns a subsequent token to the client. The process repeats until negotiation is complete and a security context has been established. After the security context has been established, it has a finite lifetime during which it can be used to create and verify the transaction signature on messages between the two parties.

Windows 2000 implements the GSS-API using an algorithm specified in the IETF Internet-Draft "GSS Algorithm for TSIG (GSS-TSIG)." This algorithm uses Kerberos v5 authentication protocol as its underlying security mechanism. Other security providers such as smart cards or certificates have not been tested. The algorithm uses the following resource records to provide security services:

TKEY. A resource record specified in the IETF Internet-Draft "Secret Key Establishment for DNS (TKEY RR)," as the vehicle to transfer security tokens between the client and the server and to establish secret keys to use with the TSIG resource record.

TSIG. A resource record specified in the IETF Internet-Draft "Secret Key Transaction Signatures for DNS (TSIG)," to send and verify signature-protected messages.

To see the TKEY and TSIG records being passed across the network, you can use Network Monitor. Versions 6.12 and later decode the resource records.

 

TKEY Resource Record

 

Table 6.7 describes the structure of the TKEY resource record, as described in the IETF Internet-Draft "Secret Key Establishment for DNS (TKEY RR)."

 

Table 6.7 TKEY Resource Record

Field         Data Type      Comment
NAME          domain name    Differs with mode and context
TYPE          u_int16_t      TKEY
CLASS         u_int16_t      Ignored; should be zero
TTL           u_int32_t      Should be zero
RDLEN         u_int16_t      Length of RDATA field
RDATA:
  Algorithm   domain name    Determines how the secret keying material exchanged by using the TKEY resource record is used to derive the algorithm-specific key
  Inception   u_int32_t      In number of seconds since January 1, 1970 GMT
  Expiration  u_int32_t      In number of seconds since January 1, 1970 GMT
  Mode        u_int16_t      Scheme for key agreement
  Error       u_int16_t      Error code
  Key size    u_int16_t      Size of Key data field in octets
  Key data    octet stream   Differs with mode
  Other size  u_int16_t      Not used
  Other data  octet stream   Not used
 

TSIG Resource Record

 

Table 6.8 describes the structure of the TSIG resource record, as described in the IETF Internet-Draft "Secret Key Transaction Signatures for DNS (TSIG)," to send and verify signature-protected messages.

 

Table 6.8 Structure of TSIG Resource Record

Field            Data Type      Comment
Algorithm name   domain name    Name of the algorithm, expressed as a domain name
Time signed      u_int48_t      Seconds since 1-Jan-70 UTC
Fudge            u_int16_t      Seconds of error permitted in Time signed field
Signature size   u_int16_t      Number of octets in Signature field
Signature        octet stream   Defined by Algorithm name field
Error            u_int16_t      Expanded RCODE covering signature processing
Other len        u_int16_t      Length, in octets, of Other data field
Other data       octet stream   Undefined
 
 
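As an added example (not code from the Resource Kit or from this page), the following Python parses the RDATA of the TKEY and TSIG records described in Tables 6.7 and 6.8 and applies the two time checks a receiver performs: the TKEY Inception/Expiration window and the TSIG Time signed plus or minus Fudge window. It follows the field order of the final RFC 2930 and RFC 2845, which place a 16-bit Original ID between the signature and the Error field that Table 6.8 does not list; the sample records are constructed and use the gss-tsig algorithm name of GSS-TSIG.

```python
import struct

TKEY_MODE_GSSAPI = 3   # RFC 2930 Mode value for GSS-API negotiation, the scheme GSS-TSIG uses


def encode_name(name: str) -> bytes:
    """Encode a domain name as uncompressed DNS labels with a zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _read_name(buf: bytes, pos: int):
    """Decode an uncompressed name at pos; return (name, position after it)."""
    labels = []
    while True:
        n = buf[pos]
        pos += 1
        if n == 0:
            return ".".join(labels), pos
        if n & 0xC0 or pos + n > len(buf):
            raise ValueError("bad or compressed label in TKEY/TSIG name")
        labels.append(buf[pos:pos + n].decode("ascii"))
        pos += n


def parse_tkey_rdata(rdata: bytes) -> dict:
    """RDATA fields of Table 6.7: Algorithm, Inception, Expiration, Mode, Error, Key, Other."""
    alg, p = _read_name(rdata, 0)
    inception, expiration, mode, error, key_size = struct.unpack_from("!IIHHH", rdata, p)
    p += 14
    key = rdata[p:p + key_size]
    p += key_size
    (other_size,) = struct.unpack_from("!H", rdata, p)
    p += 2
    other = rdata[p:p + other_size]
    if len(key) != key_size or len(other) != other_size or p + other_size != len(rdata):
        raise ValueError("TKEY RDATA length mismatch")
    return {"algorithm": alg, "inception": inception, "expiration": expiration,
            "mode": mode, "error": error, "key": key, "other": other}


def parse_tsig_rdata(rdata: bytes) -> dict:
    """Fields of Table 6.8 plus the Original ID that RFC 2845 places after the signature."""
    alg, p = _read_name(rdata, 0)
    t_hi, t_lo, fudge, sig_size = struct.unpack_from("!HIHH", rdata, p)  # Time signed is 48 bits
    p += 10
    sig = rdata[p:p + sig_size]
    p += sig_size
    original_id, error, other_len = struct.unpack_from("!HHH", rdata, p)
    p += 6
    other = rdata[p:p + other_len]
    if len(sig) != sig_size or len(other) != other_len or p + other_len != len(rdata):
        raise ValueError("TSIG RDATA length mismatch")
    return {"algorithm": alg, "time_signed": (t_hi << 32) | t_lo, "fudge": fudge,
            "signature": sig, "original_id": original_id, "error": error, "other": other}


def tkey_is_active(tkey: dict, now: int) -> bool:
    """Security-context lifetime check: Inception <= now < Expiration."""
    return tkey["inception"] <= now < tkey["expiration"]


def tsig_time_is_fresh(tsig: dict, now: int) -> bool:
    """Replay window check: |now - Time signed| must not exceed Fudge."""
    return abs(now - tsig["time_signed"]) <= tsig["fudge"]


def build_tkey_rdata(alg, inception, expiration, mode, key, error=0, other=b"") -> bytes:
    """Inverse of parse_tkey_rdata, used to construct sample records."""
    return (encode_name(alg) + struct.pack("!IIHHH", inception, expiration, mode, error, len(key))
            + key + struct.pack("!H", len(other)) + other)


def build_tsig_rdata(alg, time_signed, fudge, sig, original_id, error=0, other=b"") -> bytes:
    """Inverse of parse_tsig_rdata, used to construct sample records."""
    return (encode_name(alg)
            + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(sig))
            + sig + struct.pack("!HHH", original_id, error, len(other)) + other)


# Constructed samples: a GSS-API TKEY valid for one hour and a TSIG signed at its start,
# with a placeholder 16-byte signature (a real one is produced by the GSS security context).
SAMPLE_TKEY = build_tkey_rdata("gss-tsig", 1_000_000, 1_003_600, TKEY_MODE_GSSAPI, b"\x01\x02\x03\x04")
SAMPLE_TSIG = build_tsig_rdata("gss-tsig", 1_000_000, 300, b"\xaa" * 16, original_id=0x1234)
```
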

Secure Dynamic Update Process

 

To initiate a secure dynamic update, the client first initiates the TKEY negotiation process, to determine the underlying security mechanism and to exchange keys. Next, the client sends the dynamic update request containing resource records to add, delete, or modify to the server, signed with the TSIG resource record, and the server sends an acknowledgment. Finally, the server attempts to update Active Directory on behalf of the client.

 

Figure 6.21 shows the dynamic update process that takes place between a Windows 2000–based client and server, if both are configured with the default settings.

 

Figure 6.21 Secure Dynamic Update Process

In step 1, the client queries the local name server to determine which server is authoritative for the name it is attempting to update (using the process described in "DNS Queries," found earlier in this chapter). The local name server responds with the name of the zone and the primary server that is authoritative for the zone.

In step 2, the client attempts a non-secure update, and the server refuses the non-secure update. Had the zone been configured for non-secure dynamic update rather than secure dynamic update, the server would have instead attempted to add, delete, or modify resource records in Active Directory.

In step 3, the client and server begin TKEY negotiation. First, the client and server negotiate an underlying security mechanism. Windows 2000 dynamic update clients and servers both propose the Kerberos protocol, so they decide to use it. Next, by using the security mechanism, they verify one another's identity and establish security context.

In step 4, the client sends the dynamic update request to the server, signed with the TSIG key that was generated by using the security context established in step 3. The DNS server verifies the origin of the dynamic update packet by using the security context and the TSIG key.

In step 5, the server attempts to add, delete, or modify resource records in Active Directory. Whether or not it can make the update depends on whether the client has the proper permissions to make the update and whether the prerequisites have been satisfied.

In step 6, the server sends a reply to the client stating whether or not it was able to make the update, signed with the TSIG key. If the client receives a spoofed reply, it throws it away and waits for a signed response.

 
 

Security for DHCP Clients That Do Not Support the FQDN Option

DHCP clients that do not support the FQDN option are not capable of dynamic updates. Therefore, if you want their A and PTR resource records dynamically registered in DNS, you must configure the DHCP server to perform dynamic updates on their behalf.

However, you do not want the DHCP server to perform secure dynamic updates on behalf of DHCP clients that do not support the FQDN option. If a DHCP server performs a secure dynamic update on a name, the DHCP server becomes the owner of that name, and only that DHCP server can update the name. This can cause problems in a few different circumstances. For example, suppose that the DHCP server DHCP1 created an object for the name nt4host1.reskit.com and then stopped responding, and that the backup DHCP server, DHCP2, tried to update the name; DHCP2 is not able to update the name because it does not own the name. In another example, suppose DHCP1 added an object for the name nt4host1.reskit.com, and then the administrator upgraded nt4host1.reskit.com to a Windows 2000–based computer. Because the Windows 2000–based computer did not own the name, it would not be able to update its own name.

Therefore, if you have enabled secure dynamic update, you might want to perform a special configuration for any DHCP server that will perform dynamic updates. Place the server in a special security group called DNSUpdateProxy. Objects created by members of the DNSUpdateProxy group have no security; therefore, any authenticated user can take ownership of the objects.

 

To add a DHCP Server to the DNSUpdateProxy group

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, double-click the domain node.
  3. Double-click the Users folder.
  4. In the details pane, right-click the group and click Properties.
  5. Click the Members tab, then click Add.
  6. Click Look in to display a list of domains from which users and computers can be added to the group and click the domain containing the server you want to add.
  7. Click the server to be added and then click Add.


Caution

If you have installed the DHCP service on a domain controller, be absolutely certain not to make that server a member of the DNS Update Proxy group. Doing so would give any user or computer full control of the DNS records corresponding to the domain controllers, unless you manually modified the corresponding ACL. Moreover, if a DHCP server that is running on a domain controller is configured to perform dynamic updates on behalf of its clients, that DHCP server is able to take ownership of any record, even in the zones that are configured to allow only secure dynamic update. This is because a DHCP server runs under the computer account, so if it is installed on a domain controller it has full control over DNS objects stored in the Active Directory.

Windows 2000 DHCP clients register their own A resource records; therefore, putting a DHCP server in the DNSUpdateProxy group does not affect the security of the A resource records for Windows 2000 DHCP clients.


Note

The A resource record corresponding to the DHCP server has no security if the server is placed in the DNSUpdateProxy group. However, you can manually modify the ACL through the DNS console.

For more information about interaction between DNS and DHCP, see the Windows 2000 Server Help.

 
 

Last Updated: October 01, 2006

Winteacher.com

 © 2003-2006 Winteacher.com . All rights reserved