Registry Tip #42: Active Directory Integrated Zones Secure Dynamic Update

Windows 2000 supports dynamic update to DNS. Dynamic updates to Active Directory DNS can be insecure (unauthenticated) or secure. Only Active Directory-integrated zones can be configured for secure dynamic update: in such a zone each resource record is an object in Active Directory with its own access control list, so an update is authenticated with the client's domain credentials and only the account that owns a record (or has been granted write access to it) can change it. If you are using a BIND-based DNS server that supports dynamic update, Windows 2000 clients cannot negotiate a secure dynamic update against it, so those updates are "insecure" by comparison with updates to an Active Directory-integrated zone.

The default behavior of a dynamic update client is to attempt a standard (insecure) dynamic update first and, only if the server refuses it, to negotiate a secure dynamic update. If you are using Windows 2000 Active Directory-integrated dynamic DNS, you can configure clients to always use secure dynamic updates. This security enhancement is controlled by the following registry value:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: UpdateSecurityLevel
Type: REG_DWORD
Value:
256 use secure dynamic update only
16 use insecure dynamic update only
0 use secure dynamic update only when insecure dynamic update is refused (default)
If you disable secure dynamic updates (UpdateSecurityLevel=16), clients will no longer be able to register themselves if you later introduce Active Directory-integrated zones that accept only secure updates. If you do decide to force secure updates, run your DHCP service on member servers rather than on domain controllers. There is also a potential gotcha: when the DHCP server registers A resource records on behalf of its clients, the DHCP server's own account becomes the owner of those records, so it can take ownership of names that belong to computers that register their own records, and those computers are then refused when they try to update them. Windows 2000 provides the DnsUpdateProxy security group for this case: records registered by a DHCP server that is a member of that group are created without a secure owner, so the client can later take them over. That is also why the DHCP server should not be a domain controller, since a domain controller placed in that group would register its own records insecurely as well.
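An added example, not part of the original tip, that turns the setting above into an auditable, repeatable change. It is written in PowerShell, which Windows 2000 itself did not ship (there the same edit is made with regedit or a .reg file); it assumes the same UpdateSecurityLevel value under Tcpip\Parameters is still honoured by the DNS client on later Windows versions where PowerShell is available. The key, value name, type and the three numeric values are exactly the ones the tip lists; the function names and the table of meanings are this example's own. The script reports the current level (treating an absent value as the default 0), warns when the insecure-only setting (16) is in place, enforces secure-only updates (256), and re-registers the host's records so the change is exercised immediately.

```powershell
# Added example: audit and enforce the DNS client's UpdateSecurityLevel.
# Key, value name and numeric values are from the tip; names below are ours.
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$valueName = 'UpdateSecurityLevel'

# Meaning of each documented value (REG_DWORD).
$levels = @{
    0   = 'secure dynamic update only when insecure update is refused (default)'
    16  = 'insecure dynamic update only'
    256 = 'secure dynamic update only'
}

function Get-DnsUpdateSecurityLevel {
    # An absent value means the client uses the default behaviour (0).
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$valueName
}

function Set-DnsUpdateSecurityLevel {
    param(
        [Parameter(Mandatory)]
        [ValidateSet(0, 16, 256)]   # only the three documented values are allowed
        [int]$Level
    )
    # -Force creates the value if it does not exist and overwrites it if it does.
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord `
                     -Value $Level -Force | Out-Null
}

function Describe-Level([int]$Level) {
    if ($levels.ContainsKey($Level)) { return $levels[$Level] }
    return 'undocumented value'
}

# 1. Report the current state.
$current = Get-DnsUpdateSecurityLevel
'Current {0} = {1} ({2})' -f $valueName, $current, (Describe-Level $current)

if ($current -eq 16) {
    Write-Warning ('{0}=16: this host will fail to register in an AD-integrated ' +
                   'zone that accepts only secure dynamic updates.') -f $valueName
}

# 2. Enforce secure-only dynamic update (requires an elevated prompt).
Set-DnsUpdateSecurityLevel -Level 256

# 3. Re-register this host's records now rather than waiting for the next
#    refresh; a refusal here means the zone is not AD-integrated secure-capable.
ipconfig /registerdns | Out-Null

$new = Get-DnsUpdateSecurityLevel
'New {0} = {1} ({2})' -f $valueName, $new, (Describe-Level $new)
```

Run it from an elevated prompt on the client whose registration behaviour you want to lock down; to see the effect of the refusal path, check the DNS client's event log entries after the `ipconfig /registerdns` step against a zone that only accepts secure updates.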

Keywords: Windows 2000 Registry Tip, client, UpdateSecurityLevel, AD, DNS, dynamic update, integrated zone, zones, active directory, bind, secure dynamic update, DHCP, A resource records