For Windows 2000, DNS update security is available only for zones that are integrated into Active Directory. Once you directory-integrate a zone, access control list (ACL) editing features are available in the DNS console, so you can add or remove users or groups from the ACL for a specified zone or resource record.
By default, dynamic update security for Windows 2000 DNS servers and clients can be handled as follows:
Windows 2000 DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update.
Once a zone becomes Active Directory-integrated, Windows 2000 DNS servers default to allowing only secure dynamic updates.
Also, clients use a default update policy that permits them to attempt to overwrite a previously registered resource record, unless they are specifically blocked by update security.
When using standard (file-based) zone storage, the DNS Server service defaults to not allowing dynamic updates on its zones. For zones that are either directory-integrated or use standard file-based storage, you can change the zone to allow all dynamic updates, which accepts nonsecure as well as secure updates and therefore bypasses update security entirely: any host that can reach the server can then add or overwrite records in that zone.
For Windows 2000 Server, the DHCP Server service can perform proxy registration and update of DNS records for legacy clients that do not support dynamic updates.
If you use multiple Windows 2000 DHCP servers on your network and also configure your zones to allow secure dynamic updates only, you need to use Active Directory Users and Computers to add your DHCP server computers to the built-in DnsUpdateProxy group. This gives all of your DHCP servers the rights they need to perform proxy updates for any of your DHCP clients. Note that records created by members of the DnsUpdateProxy group carry no security: any authenticated user can later modify them, so a client that is upgraded to support dynamic update can take ownership of its own record, but so can anyone else.
For Windows 2000, the use of secure dynamic updates can be compromised by running a DHCP server on a domain controller when the Windows 2000 DHCP server is configured to perform registration of DNS records on behalf of its clients. The DHCP Server service runs under the domain controller's computer account, which has full control over every record in a directory-integrated zone, so a DHCP client could cause the server to overwrite records that the client itself would never be permitted to change. To avoid this issue, deploy DHCP servers and domain controllers on separate computers. If you are not concerned about the security of reverse lookup (PTR) records, this precaution matters only if the DHCP server is also configured to register host (A) records on behalf of its clients, which is not the default behavior.
Dynamic update is a more recent addition to the DNS standards, defined in RFC 2136. For more information, refer to the RFC.
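To make the RFC 2136 mechanism behind the settings above concrete, the following added example (not part of the original page or of any Microsoft tool) builds a nonsecure UPDATE message on the wire, using only the Python standard library, and decodes the server's response code. The zone name corp.example, the host ws01.corp.example, the address 10.0.0.5 and the sample response bytes are all constructed for illustration. A REFUSED response is exactly what a Windows 2000 client receives when it makes its initial unsecured attempt against a secure-only zone, at which point it falls back to a secure (GSS-TSIG) update; the secure exchange itself is not shown here.

```python
import socket
import struct

# Wire-format constants from RFC 1035 and RFC 2136.
OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA, TYPE_ANY = 1, 6, 255
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255
FLAG_QR = 0x8000

# Response codes defined by RFC 1035 (0-5) and RFC 2136 (6-10).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET",
          8: "NXRRSET", 9: "NOTAUTH", 10: "NOTZONE"}


def encode_name(name):
    """Encode a dotted DNS name as a sequence of length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1-63 octets: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def rr(name, rtype, rclass, ttl, rdata=b""):
    """Encode one resource record (NAME TYPE CLASS TTL RDLENGTH RDATA)."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_update(zone, host, ipv4, ttl=1200, msg_id=0x1234, require_unused=True):
    """Build an RFC 2136 UPDATE that adds an A record for host in zone.

    With require_unused=True a "name is not in use" prerequisite (RFC 2136
    section 2.4.5: TYPE=ANY, CLASS=NONE) is included, so the server answers
    YXDOMAIN instead of overwriting an existing registration. Windows 2000
    clients send no such prerequisite and overwrite by default.
    """
    prereqs = []
    if require_unused:
        prereqs.append(rr(host, TYPE_ANY, CLASS_NONE, 0))
    updates = [rr(host, TYPE_A, CLASS_IN, ttl, socket.inet_aton(ipv4))]
    # Header: ID, flags (QR=0, OPCODE=UPDATE), ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT.
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11,
                         1, len(prereqs), len(updates), 0)
    # Zone section: ZNAME, ZTYPE=SOA, ZCLASS=IN.
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone_section + b"".join(prereqs) + b"".join(updates)


def parse_response(data):
    """Return (message id, RCODE name) from a server's UPDATE response header."""
    if len(data) < 12:
        raise ValueError("short DNS header")
    msg_id, flags = struct.unpack("!HH", data[:4])
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    if (flags >> 11) & 0xF != OPCODE_UPDATE:
        raise ValueError("response is not to an UPDATE")
    rcode = flags & 0xF
    return msg_id, RCODES.get(rcode, "RCODE%d" % rcode)


def send_update(server, message, timeout=2.0):
    """Send an UPDATE over UDP to the zone's primary server and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(message, (server, 53))
        reply, _ = sock.recvfrom(4096)
    return parse_response(reply)


# Constructed sample: a 12-octet response header with QR=1, OPCODE=UPDATE,
# RCODE=5 (REFUSED) and all section counts zero, as a secure-only zone would
# return for an unsigned update.
SAMPLE_REFUSED = b"\x12\x34\xa8\x05" + b"\x00" * 8

if __name__ == "__main__":
    msg = build_update("corp.example", "ws01.corp.example", "10.0.0.5")
    print("UPDATE is %d octets: %s" % (len(msg), msg.hex()))
    print("server said:", parse_response(SAMPLE_REFUSED))
```

The message built here is what a client sends on its first, unsecured attempt. Against a zone set to "secure only" the server returns REFUSED (shown with the constructed SAMPLE_REFUSED header); against a zone set to "allow all dynamic updates" the same unsigned message succeeds, which is the exposure described above. To run it against a real primary, call send_update(server_ip, msg); nothing in the example itself touches the network unless you do.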
Additional information about DNS dynamic updates and secure updates for Windows 2000 DNS servers and clients is available in the Windows 2000 Server Resource Kit.