Dynamic DNS is one of the most touted features of Windows 2000 (Win2K). Anyone who has worked with Windows NT’s static DNS servers will appreciate the ease of administration and other improvements that Microsoft’s dynamic DNS provides in Win2K.
Win2K supports dynamic DNS updates based on Request for Comments (RFC) 2136. Unlike static DNS servers, Win2K’s dynamic DNS servers update client Resource Records (RRs) automatically, even if clients move to different locations on the network and obtain IP addresses from a DHCP server. RRs consist of A (Address) records, which contain a mapping from a Fully Qualified Domain Name (FQDN) to an IP address, and PTR (Pointer) records, which contain the mapping from an IP address to a FQDN. Although all versions of Win2K clients automatically benefit from dynamic DNS updates, Windows clients (Windows NT, Windows 9.x) take advantage of dynamic updates only if a Win2K DHCP server is available to service them. Let’s take a closer look at the behavior of these different DHCP clients and how they interact with a dynamic DNS server.
Win2K DHCP Clients
By default, Win2K clients register their A RRs and PTR RRs with a dynamic DNS server. The clients use an FQDN to register their IP addresses. For example, the FQDN of a computer named Mars in the domain sales.microsoft.com will be mars.sales.microsoft.com. At boot-up, a DHCP-enabled Win2K client obtains an IP address, a subnet mask, and any other possible DHCP options from a DHCP server. The DHCP server registers a client’s forward lookup (the A RR) as well as the reverse lookup (the PTR RR) with the dynamic DNS server. When it’s time for an update, the Win2K DHCP client service (not the DNS client service) will update its A RR with the dynamic DNS server. The DHCP server updates the client’s PTR RR. Several actions trigger a dynamic DNS update, including:
- Adding, modifying, or deleting a client’s IP address.
- Changing an IP address lease (e.g., restarting your computer) or renewing it (e.g., with ipconfig /renew).
- Refreshing a client’s registration in dynamic DNS using the ipconfig /registerdns command.
- Again, the DHCP client service performs the updates, not the DNS client service.
Windows DHCP Clients
Windows DHCP clients do not know how to directly talk to a dynamic DNS server. Windows clients obtain IP information at start up, similar to Win2K DHCP clients. The DHCP server registers Windows clients’ A RRs and PTR RRs with the dynamic DNS server on their behalf. When an update triggers, the DHCP server updates both the RRs for the client.
DHCP Option Code 81
The Internet Engineering Task Force (IETF) describes Win2K’s DHCP and DNS interaction in a document posted at ftp://ftp.ietf.cnri.reston.va.us/ internet-drafts/ draft-ietf-dhc-dhcp-dns-10.txt. According to the document, the DHCP server needs to know the DHCP-enabled client’s FQDN to update a client’s PTR RR (IP to FQDN mapping). A new DHCP option called Client FQDN, which has a DHCP option code of 81, lets a client return its FQDN to the DHCP server. Option code 81 gives a DHCP server several ways to update client records, including:
- Always registering both forward (A RR) and reverse (PTR RR) lookups for a DHCP client.
- Never registering forward (A RR) lookup for a DHCP client.
- Registering both forward (A RR) and reverse (PTR RR) lookups for a DHCP client, only when the client requests.
Dynamic Updates
By default, dynamic updates refresh every 24 hours in Win2K (Microsoft’s documentation specified a refresh interval of 12 hours in earlier builds). The dynamic DNS server and the clients cache RRs used in queries by the DHCP client service for a default Time-To-Live (TTL) value of 15 minutes. Screen 1 shows a DNS server in Win2K configured for dynamic updates.
You can configure DNS zones in Win2K in three different ways: Primary, Secondary, or Active Directory (AD) Integrated. Secondary zones don’t support dynamic updates of RRs; they obtain updated information from a Primary zone using a process known as a zone transfer. If you configure a Primary or Secondary zone, the DNS database is stored on the hard disk in a zone file, which is a plain ASCII text file (e.g., winntmag.com.dns). By default, Win2K doesn’t configure a standard Primary zone for dynamic updates. Yes, you heard it right—Microsoft’s dynamic DNS server is not dynamic by default; you have to change its behavior to make it dynamic. Once you configure the server for dynamic updates, DNS updates on a Primary zone are dynamic. However, the information isn’t secure, so any client that attempts to update a record will succeed.
If you’ve configured an AD Integrated zone, the information in the zone file moves to the AD database. This integration with AD provides a mechanism to allow secure dynamic updates so only authorized users can modify an AD Integrated DNS zone. An AD-integrated zone provides Access Control List (ACL) editor in the DNS console, so administrators can add or remove individuals or groups from the ACL for a particular zone or resource record. Another advantage of an AD Integrated zone is the ability to have more than one DNS server update a DNS zone.
By default, the Win2K clients try to use unsecured dynamic updates first. If that request fails, they use secure updates. Unless the DNS server prohibits the clients, the clients try to overwrite their previously registered RRs. When troubleshooting dynamic update problems on clients, look for DNSApi as the source in the Event Viewer’s system log.