DHCP Name Protection
DHCP name protection is a feature of the DHCP service that, when used with Dynamic DNS registration, prevents a DHCP client from registering or overwriting a name that already exists in the DNS domain zone and that the client does not own. This functionality prevents client and server spoofing and name corruption for statically configured systems already registered in DNS. You can enable name protection at either the IPv4 or IPv6 node level or at the scope level. When configured at the scope level, the settings take precedence over the IPv4 or IPv6 node settings.
To enable DHCP name protection at the scope level, follow these steps:
1. Open the DHCP console and connect to the desired DHCP server.
2. Expand the IPv4 node, select and right-click the desired scope, and select Properties.
3. Display the DNS tab, and near the bottom in the Name Protection section click the Configure button.
4. In the Name Protection window, check the Enable Name Protection check box and click OK. Click OK again in the Scope Properties window to save the changes to the scope.
To enable DHCP name protection at the IPv4 node level, follow these steps:
1. Open the DHCP console and connect to the desired DHCP server.
2. In the tree pane, select and right-click the IPv4 node and select Properties.
3. Display the DNS tab, and near the bottom in the Name Protection section click the Configure button.
4. In the Name Protection window, check the Enable Name Protection check box and click OK. Click OK again in the Scope Properties window to save the changes to the scope.
This completes the process of enabling name protection at the IPv4 node and scope level.
DHCP and Dynamic DNS Configuration
When a DHCP server is configured to register DNS records and provide name protection with Dynamic DNS, a few configuration settings are required to enhance the reliability of this server. The first is to set the default DNS registration behavior, and the second is to create a service account and define this account in the DHCP server. To configure DHCP and Dynamic DNS settings, follow these steps:
1. Using the Active Directory Users and Computers console, create a user account in the domain named, for example, DHCP-SVC, and configure a secure password. No special group membership is required, but set the account to not require a password change at first logon.
Note
If you want to avoid DNS registration issues, you can configure this account to have the password never expire. As a best practice, however, you should change the service account password in Active Directory and in the DHCP server settings as frequently as defined in the standard user password policy.
2. Open the DHCP console and connect to the desired DHCP server.
3. Expand the DHCP server, select and right-click the IPv4 node and select Properties.
4. Display the DNS tab. If name protection is enabled, most of the settings will be grayed out. Ensure that the check box to enable DNS dynamic update is checked, as shown in Figure 1.
Figure 1. Enabling DNS dynamic updates for IPv4.
5. Display the Advanced tab and click the Credentials button to open the DNS Dynamic Update Credentials window.
6. Enter the desired service account name, domain, and password. Confirm the password and click OK to validate the credentials, as shown in Figure 2.
Figure 2. Defining the DNS dynamic update credentials.
7. Click OK in the IPv4 windows to complete the changes.
8. Restart the DHCP server service.
This completes the DHCP and DNS dynamic update configuration task.
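The settings configured through the DHCP console in both procedures above can also be checked from PowerShell. The following script is an added example, not part of the original article: it reports the dynamic update and name protection state at the IPv4 node and for every IPv4 scope, checks whether a DNS dynamic update credential is defined, and applies the settings only when run with -Enforce. It assumes the DhcpServer module (RSAT DHCP tools) is installed; the server name dhcp01.example.com is a placeholder.

```powershell
# Added example: audit (and optionally enforce) DHCP name protection and
# DNS dynamic update credentials. Not the article's own code.
param(
    [string]$ComputerName = 'dhcp01.example.com',  # placeholder DHCP server name
    [switch]$Enforce                               # without this switch the script only reports
)
Import-Module DhcpServer -ErrorAction Stop

# IPv4 node (server-level) DNS settings.
$node = Get-DhcpServerv4DnsSetting -ComputerName $ComputerName
$report = @([pscustomobject]@{
    Level = 'IPv4 node'; ScopeId = $null
    DynamicUpdates = $node.DynamicUpdates; NameProtection = $node.NameProtection
})

# Scope-level DNS settings; these take precedence over the node settings.
foreach ($scope in Get-DhcpServerv4Scope -ComputerName $ComputerName) {
    $s = Get-DhcpServerv4DnsSetting -ComputerName $ComputerName -ScopeId $scope.ScopeId
    $report += [pscustomobject]@{
        Level = 'Scope'; ScopeId = $scope.ScopeId
        DynamicUpdates = $s.DynamicUpdates; NameProtection = $s.NameProtection
    }
}
$report | Format-Table -AutoSize

# DNS dynamic update credential (the service account from step 1, e.g. DHCP-SVC).
$cred = Get-DhcpServerDnsCredential -ComputerName $ComputerName
if ([string]::IsNullOrEmpty($cred.UserName)) {
    Write-Warning 'No DNS dynamic update credential is defined on this server.'
} else {
    Write-Output ("DNS update credential: {0}\{1}" -f $cred.DomainName, $cred.UserName)
}

if ($Enforce) {
    # Turn on name protection wherever the report shows it disabled.
    foreach ($row in $report | Where-Object { -not $_.NameProtection }) {
        if ($row.Level -eq 'Scope') {
            Set-DhcpServerv4DnsSetting -ComputerName $ComputerName -ScopeId $row.ScopeId -NameProtection $true
        } else {
            Set-DhcpServerv4DnsSetting -ComputerName $ComputerName -NameProtection $true
        }
    }
    # Prompt for the service account password rather than storing it in the script.
    if ([string]::IsNullOrEmpty($cred.UserName)) {
        Set-DhcpServerDnsCredential -ComputerName $ComputerName -Credential (Get-Credential -Message 'DNS update service account')
    }
    # Step 8 above (restarting the DHCP server service) still applies after a credential change.
}
```

Run without -Enforce on a schedule to catch scopes where name protection has been turned off or a server that has lost its update credential.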