Did you know that a Windows DHCP server can dynamically update DNS records for its clients? Having the DHCP server update DNS records for client machines is very useful if you have a network application that relies heavily on name resolution for its communication. However, the default configuration of a Windows DHCP server is to update A and PTR records for clients only when requested, and in most cases this does not work very consistently. In this post, we will guide you through configuring DNS dynamic update in Windows DHCP Server and making sure it is fully working.
Configure DNS Dynamic Update in Windows DHCP Server
In our post about the concept of refresh and update in the DNS server, we briefly explained that the DHCP server can take ownership of DNS records for its clients. The owner of a record is given the right to modify or delete the record. Our goal here is to make sure that the DHCP server can consistently update the DNS records for all of its clients.
Step 1 – Set DHCP server to always dynamically update records
You can start configuring DNS dynamic update in Windows DHCP server by opening the DHCP console. Expand the server name, right-click IPv4, select Properties, and open the DNS tab.
On Windows Server 2012 R2 the option “Enable DNS dynamic updates according to the settings below” is enabled by default, and you have two options to choose from:
- Dynamically update DNS A and PTR records only if requested by the DHCP clients – This is the default selection. With this setting your DHCP server updates DNS records for a client only if the client for some reason is unable to perform the update itself. As explained below, this may not work correctly, especially if the clients are non-Windows machines.
- Always dynamically update DNS A and PTR records – You must change the selection to this option. The DHCP server will then perform the update regardless of whether the client is able to do it or not.
You may also notice several other options in the same tab of the DHCP server properties. The explanation below describes what each option does and what you need to do with it:
- Discard A and PTR records when lease is deleted — As the name implies, this deletes the previously registered A and PTR records when the DHCP lease for the corresponding client is deleted. Tick the box to enable this option, as it helps clean up unused records in the DNS server.
- Dynamically update DNS records for DHCP clients that do not request for updates — This option is for very old machines or non-Windows machines acting as DHCP clients that do not perform dynamic updates of their own records in the DNS server. Tick the box to enable this option and force the DHCP server to perform the DNS update for them.
- Disable dynamic updates for PTR records — When you activate this option, your DHCP server only performs dynamic updates for A records. It is up to you what to do with this option, but in this example we leave the box unticked and let the DHCP server manage the PTR records as well.
With everything configured here, we have set the DHCP server to take ownership of all its client records in the DNS server. However, we are still far from done, as there are a few additional steps we must take.
Step 2 — Add the DHCP server to DnsUpdateProxy security group
If the DHCP server is on a different machine than the Domain Controller, make sure to add the DHCP server's computer account to the DnsUpdateProxy group in Active Directory (see figure below). Otherwise, the DHCP server will not be able to update the records on the DNS server.
Step 3 – Provide credential to secure the DNS dynamic update
This applies if the DNS zone where your DHCP server will register or update records is an Active Directory-integrated zone that allows only secure dynamic updates. It also matters when the DHCP server is a member of DnsUpdateProxy: records written by members of that group carry no owner, so they can be taken over by other authenticated clients, whereas records registered with the credential configured below are owned by that account.
You need to provide a user account in the DHCP server properties. Open the Advanced tab of the DHCP server properties and click the Credentials button.
Fill in the username, domain, and password in the available fields.
Note that the account can be a regular user account without any special privilege, but it must exist in the same forest as the DNS server. You can also use a user account from a different forest, as long as that forest has established a forest trust with the forest where the DNS server resides.
Step 4 — Configure name protection
Because we are enabling the “Dynamically update DNS records for DHCP clients that do not request for updates” option, we are also allowing non-domain or non-Windows machines to have their records in the DNS server. There is a chance that such a machine has the same host name as another existing machine on the network. If this happens, it could cause confusion in name resolution.
To prevent this, we can activate DHCP name protection. Go back to the DNS tab in the DHCP server properties and, under Name Protection, click Configure.
Tick the box to Enable Name Protection.
This way, the DHCP server will still lease the IP address normally, but will not create the DNS record if a record with the same name already exists.
That is pretty much everything you need to configure DNS dynamic update in Windows DHCP server. From now on, your DHCP server will take care of DNS records for its clients: it will register and update records for its clients and delete the records for expired leases. This ensures that the DNS server will not fill up with records for inactive clients. Additionally, you can configure aging and scavenging in the DNS zone to match the DHCP lease time, which will help clean up unused records.
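The four steps above, plus the aging and scavenging alignment mentioned in the last paragraph, can also be applied and verified from PowerShell instead of the console. The script below is an added example written for this post, not the author's own, and uses the DhcpServer, ActiveDirectory and DnsServer modules. The server names DHCP01 and DC01, the zone contoso.local, the service account CONTOSO\svc-dhcp-dns and the 8-day lease are assumed values; replace them with your own.

```powershell
# Added example (not from the original post): applies Steps 1-4 with the DhcpServer,
# ActiveDirectory and DnsServer PowerShell modules, then reads the settings back.
# Assumed names: DHCP server DHCP01, DNS server/DC DC01, zone contoso.local,
# update account CONTOSO\svc-dhcp-dns, DHCP lease of 8 days. Run as a DHCP and
# domain administrator with the RSAT modules installed.

$DhcpServer = 'DHCP01'
$DnsServer  = 'DC01'
$Zone       = 'contoso.local'

# Step 1 and Step 4: always update A and PTR records, discard them when the lease
# is deleted, update for clients that do not request it, keep PTR updates enabled,
# and turn on name protection (all live on the same server-level setting).
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer `
    -DynamicUpdates 'Always' `
    -DeleteDnsRROnLeaseExpiry $true `
    -UpdateDnsRRForOlderClients $true `
    -DisableDnsPtrRRUpdate $false `
    -NameProtection $true

# Step 2: add the DHCP server's computer account to DnsUpdateProxy.
$dhcpComputer = Get-ADComputer -Identity $DhcpServer
Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members $dhcpComputer

# Step 3: the account the DHCP server uses for secure dynamic updates.
# Get-Credential prompts interactively; a regular user in the same forest is enough.
$cred = Get-Credential -Message 'DNS update account (assumed: CONTOSO\svc-dhcp-dns)'
Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $cred

# Verification: read the effective settings back and fail loudly if they differ.
$dns = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer
if ($dns.DynamicUpdates -ne 'Always' -or -not $dns.NameProtection -or
    -not $dns.UpdateDnsRRForOlderClients -or -not $dns.DeleteDnsRROnLeaseExpiry) {
    throw "DNS dynamic update settings on $DhcpServer are not as expected:`n$($dns | Out-String)"
}
Get-DhcpServerDnsCredential -ComputerName $DhcpServer          # shows UserName / DomainName
Get-ADGroupMember -Identity 'DnsUpdateProxy' | Select-Object Name, objectClass

# Last paragraph: align zone aging with the lease so scavenging removes stale records.
# Assumed 8-day lease split as no-refresh 4 days + refresh 4 days; scavenge weekly.
Set-DnsServerZoneAging -ComputerName $DnsServer -Name $Zone -Aging $true `
    -NoRefreshInterval (New-TimeSpan -Days 4) -RefreshInterval (New-TimeSpan -Days 4)
Set-DnsServerScavenging -ComputerName $DnsServer -ScavengingState $true `
    -ScavengingInterval (New-TimeSpan -Days 7)
```

The no-refresh plus refresh interval should add up to no more than the DHCP lease duration, so that a record is not eligible for scavenging while its lease (and therefore its periodic refresh by the DHCP server) is still active.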