Registry Tip #42: Active Directory Integrated Zones Secure Dynamic Update
By default, a dynamic update client first attempts a standard (insecure) dynamic update and, only if that is refused, negotiates a secure dynamic update. If you are using Windows 2000 Active Directory integrated Dynamic DNS, you can configure clients to always use secure dynamic updates. This security enhancement is available via the following registry hack:
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: UpdateSecurityLevel
Type: REG_DWORD
Value:
  256 - use secure dynamic update only
  16  - use insecure dynamic update only
  0   - use secure dynamic update only when insecure dynamic update is refused (default)
If you disable secure dynamic updates (UpdateSecurityLevel=16), clients will be unable to use dynamic DNS updates if you later introduce Active Directory integrated zones. If you do decide to force secure updates, your DHCP services need to be installed on member servers and not on domain controllers. There is a potential gotcha here: a DHCP server that registers A resource records on behalf of its clients can take ownership of names that belong to computers that register their own records.
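The following PowerShell script is an added example, not part of the original tip, for auditing and enforcing the setting above. It assumes a current Windows host where the same Tcpip\Parameters key and UpdateSecurityLevel value are used (a Windows 2000 client of the era would be edited with regedit instead); the value names and numbers are those listed in the tip. The Get-/Set- function names are this example's own.

```powershell
# Added example (not part of the original tip): audit and set UpdateSecurityLevel
# on the local machine. Assumes a modern Windows host that honours the same
# Tcpip\Parameters key; run elevated to change the value.

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Name    = 'UpdateSecurityLevel'

# Meaning of each value, as listed in the tip
$Meaning = @{
    0   = 'secure dynamic update only when insecure update is refused (default)'
    16  = 'insecure dynamic update only (weak: breaks once AD-integrated zones require secure updates)'
    256 = 'secure dynamic update only (hardened)'
}

function Get-DnsUpdateSecurityLevel {
    # Returns the effective value; if the value is absent, the default (0) applies.
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$Name
}

function Set-DnsUpdateSecurityLevel {
    param([Parameter(Mandatory)][ValidateSet(0, 16, 256)][int]$Level)
    # REG_DWORD, matching the type given in the tip; -Force overwrites an existing value.
    New-ItemProperty -Path $KeyPath -Name $Name -PropertyType DWord -Value $Level -Force | Out-Null
}

$current = Get-DnsUpdateSecurityLevel
$desc    = if ($Meaning.ContainsKey($current)) { $Meaning[$current] } else { 'unrecognised value' }
Write-Host ("Current {0} = {1} ({2})" -f $Name, $current, $desc)

if ($current -eq 16) {
    Write-Warning 'Insecure-only updates configured: clients will fail to register in AD-integrated zones that accept only secure updates.'
}

# Uncomment to enforce secure-only updates on this host. The DNS client reads
# this value at startup, so assume a reboot is needed for it to take effect.
# Set-DnsUpdateSecurityLevel -Level 256
```

Running the script unchanged is read-only: it reports the current level and warns on the weak setting (16). Enforcing 256 is left as a commented-out call so the audit can be run broadly before any host is changed, which matters given the DHCP-on-domain-controller caveat described above.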
For more information, see the Active Directory, DNS, and LDAP book recommendations.
Keywords: Windows 2000 Registry Tip, client, UpdateSecurityLevel, AD, DNS, dynamic update, integrated zone, zones, active directory, bind, secure dynamic update, DHCP, A resource records