June 24, 2011, 12:01 p.m.
posted by vdv
Configuring DHCP to Support DNS
If you have downlevel clients that you want to register in DNS, you can take advantage of the DHCP proxy features for Dynamic DNS registration. This proxy makes it possible to move large numbers of desktops and servers over to DNS-enabled name resolution very quickly.
The DHCP proxy feature was structured using the provisions of Internet Draft draft-ietf-dhc-dhcp-dns-10.txt, "Interaction Between DHCP and DNS." This draft outlines the use of a new DHCP option called Client FQDN, option 81 (the option was later standardized as RFC 4702). The option carries a flags byte and the client's name. With the flags the client tells the DHCP server whether it will register its own A record or wants the server to do it (the S bit), or whether it wants no updates made on its behalf at all (the N bit); the server echoes the option back with the flags set to what it actually did. The DHCP server uses this information to send a DNS Update message to the DNS server on behalf of the client.
Important: If you plan on using DHCP to proxy DNS updates, be sure to use Active Directory Integrated zones with Secure Dynamic Updates enabled. This protects the zone records from accidental or deliberate overwrites. Do not install DHCP on a domain controller. The DHCP service runs in the LocalSystem security context, so when it talks to DNS it authenticates as the computer account of the machine it runs on. On a domain controller that account has full control of every AD-integrated zone, and the name the DHCP server registers is whatever the client put in option 81. A client that supplies the FQDN of one of your servers can therefore make a DC-hosted DHCP server overwrite that server's record, with potentially disastrous results. If the server must run on a domain controller, configure a dedicated low-privilege account for the DNS updates (the Credentials button on the Advanced tab of the server properties, or netsh dhcp server set dnscredentials) and put that account in the DnsUpdateProxy group. Note the DnsUpdateProxy caveat: records created by members of that group are left unsecured so that the real client can take them over later, so the account should be used only by DHCP servers.
Before installing DHCP, you should inventory your current IP address assignments and ensure that you know the hosts that have static addresses. Windows Server 2003 DHCP (like NT4 DHCP since SP4) can use ICMP to verify that an address is free before leasing it, but that verification is not comprehensive: it is off by default (Conflict Detection Attempts on the Advanced tab of the server properties), and it cannot see a host that is powered off or that drops ICMP echo requests. When you are ready to install DHCP and set aside addresses to lease, follow Procedure 5.25.
Authorizing a DHCP Server
After the service has been installed, open the DHCP console. The server icon shows a red down arrow, meaning that the service has not started. If you are installing the service on a domain controller or domain member server, the status in the right pane will show Not Authorized. If you are installing in a workgroup, press F5 to refresh the console. The server status should change to Running.
Windows Server 2003 DHCP has a feature that attempts to prevent rogue DHCP servers from coming on the wire and leasing improper IP addresses. This feature requires a DHCP server to be authorized. An authorized DHCP server is represented by an object of class dHCPClass in Active Directory, stored under Services | NetServices in the Configuration naming context. This object can be viewed using the AD Sites and Services console once Show Services Node is enabled on the View menu. Figure shows an example. Keep in mind what this check does and does not do: only Windows 2000 and later DHCP servers that belong to a domain look for the authorization object before they start leasing. A DHCP server on a non-Windows box, or a Windows server in a workgroup, never performs the check, so authorization protects you against a well-meaning administrator bringing up an extra Windows DHCP server, not against a deliberately rogue one. Stopping the latter requires controls on the network itself, such as DHCP snooping on the switches.
Authorize a DHCP server by right-clicking the server icon in the right pane and selecting AUTHORIZE from the shortcut menu. By default, only members of Enterprise Admins can do this, because the object is written to the Configuration naming context. The DHCP object is added to the directory automatically. Then, refresh the console by pressing F5. The server status changes to Running. Figure shows an operational DHCP scope with leased addresses.
Verify that the server is issuing addresses by renewing an existing DHCP client. If you are in a routed network that uses DHCP helpers, you need to configure the BOOTP relay agents at your routers to point at the new DHCP server. After you have verified basic operability, take the server out of production by deactivating the scope while you configure the scope options.
Configuring Scope Options
While the scope is deactivated, select the scope options that you want to include in the DHCP ACK packet that is returned to the clients along with their leased address. The list of scope options does not include the new option 81, Client FQDN. That option is negotiated between client and server rather than handed out as a scope option, and the server's side of it is configured separately on the DNS tab of the server or scope properties. It is covered in the next section. At this point, you need to configure options for DNS server(s) (option 006), a DNS domain name (option 015), and a default gateway (option 003, Router). You may have other options you want to include, but these are the basics. To configure scope options, follow the steps in Procedure 5.26.
When a DHCP client leases an address, it gets a configuration packet containing the IP address of one or more DNS servers and the domain name. A Windows 2000, Windows XP, or Windows Server 2003 client then registers its newly leased address in DNS. By default the client sends option 81 with the S bit clear, which means the client registers its own A record and asks the DHCP server to register the matching PTR record in the reverse lookup zone. You can verify this by checking the DNS console to see whether new A and PTR records appear as clients get their DHCP configuration packets.
DNS Update Proxy Configuration
If a DHCP client is not running Windows 2000 or later, or some other client that supports Dynamic DNS Updates, it will not register its leased DHCP address in DNS. This limits the effectiveness of DNS as a name repository in a peer networking environment, at least if you want to get away from running WINS.
You can configure the DHCP server to act as a DNS update proxy for downlevel clients. Open the server Properties window and select the DNS tab. Figure shows an example.
The Automatically Update DHCP Client Information in DNS selection enables option 81, Client FQDN, handling for all addresses in the scope. The remaining options are dimmed if this is deselected. The remaining options control three things: whether the server updates A and PTR records only when the client's option 81 asks it to (the default, which honors the S and N bits the client sends) or always updates both records regardless of what the client asked for; whether the server discards the records it created when the lease is deleted; and, as the last option, whether the server registers A and PTR records on behalf of downlevel clients that send no option 81 at all, using the client's host name (option 12) and the scope's domain name to build the FQDN.
If you select the last option that registers downlevel clients by proxy, you'll see the leases appear with the dynamic registration icon (a fountain pen emblem) in the Address Leases pane as the clients renew their leases. As clients renew their leases, the server renews their Dynamic DNS registrations as well. Remember that for a proxied client the DHCP server, not the client, becomes the owner of the record in a secure zone, which is why the DnsUpdateProxy group and a dedicated DHCP account matter.
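The exchange the previous sections describe, as an added worked example that is not code from the page or from Windows DHCP: it encodes and parses the option 81 Client FQDN message (RFC 4702 flags S, O, E, N and the DNS wire-format name), and then applies the server-side choices from the DNS tab (update only if requested, always update, proxy for downlevel clients that send no option 81) to decide which records the server will register and what flags it echoes back. The policy names, the sample clients and the allowed-suffix safeguard (refusing to proxy a client-supplied name outside the scope's domain, which is not something Windows DHCP does) are assumptions added for illustration.

```python
"""DHCP option 81 (Client FQDN, RFC 4702) codec plus the server's update decision.
Added example, not Windows DHCP code. Policy names, sample clients and the
allowed_suffix check are assumptions that mirror the DHCP console DNS tab."""
from dataclasses import dataclass
from typing import Optional

OPTION_CLIENT_FQDN = 81

# Flag bits, RFC 4702 section 2.1 (bit 0 is the least significant bit).
FLAG_S = 0x01  # client asks the server to do the A-record update
FLAG_O = 0x02  # server override: server did the A update although S was clear
FLAG_E = 0x04  # name is in DNS wire format rather than the deprecated ASCII form
FLAG_N = 0x08  # client asks the server to perform no DNS updates at all

ONLY_IF_REQUESTED = "only_if_requested"  # honour the client's S and N bits (assumed name)
ALWAYS = "always"                        # server registers A and PTR regardless (assumed name)


@dataclass
class ClientFqdn:
    flags: int
    name: str  # a trailing "." marks a fully qualified name


def encode_name(name: str) -> bytes:
    """DNS wire form: length-prefixed labels; a zero-length label ends an FQDN."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    if any(len(l) > 63 for l in labels):
        raise ValueError("label longer than 63 octets")
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return wire + (b"\x00" if name.endswith(".") else b"")


def decode_name(wire: bytes) -> str:
    """Inverse of encode_name. Compression pointers are not permitted in option 81,
    so a length above 63 (which covers the 0xC0 pointer marker) is rejected."""
    labels, i, fqdn = [], 0, False
    while i < len(wire):
        n, i = wire[i], i + 1
        if n == 0:
            if i != len(wire):
                raise ValueError("data after root label")
            fqdn = True
            break
        if n > 63 or i + n > len(wire):
            raise ValueError("bad label length")
        labels.append(wire[i:i + n].decode("ascii"))
        i += n
    return ".".join(labels) + ("." if fqdn else "")


def build_option(flags: int, name: str, rcode: int = 0) -> bytes:
    """Option 81 TLV: code, length, flags, RCODE1, RCODE2, name (always wire format, E set).
    RCODE1/RCODE2 are deprecated: a client sends 0, a server sends 255 (RFC 4702 s.2.2)."""
    body = bytes([flags | FLAG_E, rcode, rcode]) + encode_name(name)
    if len(body) > 255:
        raise ValueError("option 81 body does not fit in one option")
    return bytes([OPTION_CLIENT_FQDN, len(body)]) + body


def parse_option(tlv: bytes) -> ClientFqdn:
    """Validate and decode one option 81 TLV; RCODE bytes are ignored on receipt."""
    if len(tlv) < 5 or tlv[0] != OPTION_CLIENT_FQDN or tlv[1] != len(tlv) - 2:
        raise ValueError("malformed option 81")
    flags = tlv[2]
    if flags & 0xF0:
        raise ValueError("must-be-zero bits set in option 81 flags")
    raw = tlv[5:]
    return ClientFqdn(flags, decode_name(raw) if flags & FLAG_E else raw.decode("ascii"))


def server_decision(option: Optional[bytes], policy: str, proxy_downlevel: bool,
                    allowed_suffix: str, hostname: str = "", scope_domain: str = "") -> dict:
    """Decide what the server registers for one lease and the option 81 it returns.
    option is the client's TLV, or None for a downlevel client that sent none;
    hostname/scope_domain are option 12 and option 15, used to build a proxied name."""
    if option is None:  # downlevel client, e.g. NT 4.0: only the proxy setting applies
        if not proxy_downlevel:
            return {"name": None, "a": False, "ptr": False, "reply": None}
        return {"name": f"{hostname}.{scope_domain}.", "a": True, "ptr": True, "reply": None}

    req = parse_option(option)
    name = req.name if req.name.endswith(".") else f"{req.name}.{scope_domain}."
    if policy == ALWAYS:
        do_a = do_ptr = True
    elif req.flags & FLAG_N:
        do_a = do_ptr = False
    else:
        do_a, do_ptr = bool(req.flags & FLAG_S), True
    # Assumed safeguard: the name came from an untrusted client, so never act as
    # proxy for a name outside the domain this scope serves (see the Important note).
    if not name.endswith("." + allowed_suffix.rstrip(".") + "."):
        do_a = do_ptr = False

    reply = 0
    if do_a:
        reply |= FLAG_S                       # server took the A record
        if not req.flags & FLAG_S:
            reply |= FLAG_O                   # ... against the client's wishes
    if not (do_a or do_ptr):
        reply |= FLAG_N                       # server performed no updates
    return {"name": name, "a": do_a, "ptr": do_ptr, "reply": build_option(reply, name, rcode=255)}


if __name__ == "__main__":
    xp = build_option(0, "ws01.corp.example.")   # constructed: XP-style client, S clear
    for pol in (ONLY_IF_REQUESTED, ALWAYS):
        d = server_decision(xp, pol, True, "corp.example", scope_domain="corp.example")
        print(pol, d["name"], "A by server:", d["a"], "PTR by server:", d["ptr"],
              "reply flags:", hex(parse_option(d["reply"]).flags))
    print(server_decision(None, ONLY_IF_REQUESTED, True, "corp.example",
                          hostname="nt4box", scope_domain="corp.example"))
```

The S-clear client in the demo is the default Windows 2000/XP behaviour from the text: with the default policy the server only takes the PTR, and with the always-update policy it takes both and signals that with S and O set in the echoed option. A client that asks for a name under someone else's zone gets nothing registered, which is the check a DC-hosted DHCP server running as LocalSystem lacks.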