Secure only dynamic updates (DNS)
On Microsoft DNS servers, a zone can be configured for dynamic updates in one of three ways: None (no dynamic updates are accepted), Nonsecure and secure (any update is accepted, authenticated or not), or Secure only (only authenticated updates are accepted). If a company needs dynamic updates at all, the Secure only option is strongly recommended.

This is because, with Secure only, an update source is trusted only if it authenticates to the DNS server with a GSS-TSIG (Kerberos) transaction signature and the authenticated security principal has write permission in the ACL of the record being changed. Note that a DHCP server cannot tell whether one of its clients is trusted; it simply requests the registration on the client's behalf. The record is then created under the DHCP server's own account, and the client is not granted permission in that record's ACL, so it cannot later update its own record.

Allow only secure dynamic updates: in the DNS console tree, right-click the applicable zone, and then click Properties. In Dynamic updates, select Secure only. Secure dynamic update is supported only for AD DS-integrated zones. If the zone is a standard (file-backed) primary zone, you must change the zone type and directory-integrate the zone before you can restrict it to secure updates.
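The same change from PowerShell, as an added example that is not part of the original page: it audits the zone's current setting, directory-integrates it if needed, switches it to Secure only, and then lists any other primary zones still accepting unauthenticated updates. The zone name contoso.com is an assumption; the cmdlets are from the Windows DnsServer module.

```powershell
# Added example (not from the original page): audit a zone's dynamic-update
# setting and move it to "Secure only". Assumes the DnsServer module (DNS
# Server role or RSAT) and an example zone named contoso.com.
$ZoneName = 'contoso.com'   # assumed example zone

$zone = Get-DnsServerZone -Name $ZoneName
"{0}: DsIntegrated={1} DynamicUpdate={2}" -f $zone.ZoneName, $zone.IsDsIntegrated, $zone.DynamicUpdate

# Secure-only updates require an AD DS-integrated zone. Convert a file-backed
# primary zone first (replication scope: all DNS servers in the domain).
if (-not $zone.IsDsIntegrated) {
    ConvertTo-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Domain -Force
}

# Restrict the zone to GSS-TSIG authenticated updates.
# The weak setting is  -DynamicUpdate NonsecureAndSecure ; None disables updates entirely.
# Legacy equivalent:   dnscmd /Config contoso.com /AllowUpdate 2
Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure

# Verify the zone, then find any remaining primary zones that still accept
# unauthenticated updates anywhere on this server.
(Get-DnsServerZone -Name $ZoneName).DynamicUpdate   # expected: Secure
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and $_.DynamicUpdate -eq 'NonsecureAndSecure' } |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate
```

Run this on each DNS server as a Domain Admin or DnsAdmins member; the DynamicUpdate value of an AD DS-integrated zone replicates to the other domain controllers, so it only needs to be set once per zone.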

This works best when other network best practices are already in place, including, but not limited to, AD DS-integrated zones. Their benefits are numerous; two are multi-master updates and replication. In a standard DNS zone only one server holds the writable (primary) copy. In an AD DS-integrated zone every DNS server that is also a domain controller holds a writable copy, which spreads the update load and often places a writable copy of the zone closer to the end user.

These differences favour servers with statically assigned addresses, and even more so once secured DNS zones are in use. DNS aging and scavenging removes stale dynamically registered records, trimming the fat from the DNS database. If scavenging is not yet enabled on your DNS zones, plan and make that change before streamlining your zones further.

The goal is that DNS answers every query it receives correctly, not that it holds as many answers as possible. Properly tuned scavenging helps here, while an aggressive strategy (intervals shorter than your clients' refresh cycle) risks deleting records that are still in use. Be aware of how the services that depend on DNS update their records in the database. Statically assigned Microsoft clients re-register their DNS records every 24 hours, and DHCP clients that update their own records follow the same 24-hour interval. Some articles contradict this; see the network capture below, taken on an XP machine and validated on Windows 7.
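A scavenging configuration that respects the 24-hour client re-registration described above, as an added example that is not from the original page: it enables aging on a zone and scavenging on the server with intervals well above 24 hours, then shows which records scavenging would actually consider. The zone name contoso.com and the server name dns1 are assumptions.

```powershell
# Added example (not from the original page): enable aging on a zone and
# scavenging on the server, then list scavenging candidates. Assumes the
# DnsServer module, an example zone contoso.com and a DNS server named dns1.
$ZoneName = 'contoso.com'   # assumed example zone
$Dns      = 'dns1'          # assumed DNS server name

# Per-zone aging. A record cannot be refreshed during NoRefresh and may be
# refreshed during Refresh. With 7 + 7 days, a client that re-registers every
# 24 hours always refreshes inside the window; only records whose owner has
# been silent for 14 days become eligible. Intervals below the clients'
# 24-hour cycle would be the aggressive, risky setting.
Set-DnsServerZoneAging -Name $ZoneName -Aging $true `
    -NoRefreshInterval (New-TimeSpan -Days 7) `
    -RefreshInterval   (New-TimeSpan -Days 7) `
    -ComputerName $Dns

# Server-wide scavenging: the scavenging cycle runs every 7 days and only
# removes records older than NoRefresh + Refresh.
Set-DnsServerScavenging -ScavengingState $true `
    -ScavengingInterval (New-TimeSpan -Days 7) -ComputerName $Dns

# Review before the first cycle runs. Static records carry no timestamp and
# are never scavenged; dynamic records carry the time of their last refresh.
$records = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A -ComputerName $Dns
$cutoff  = (Get-Date).AddDays(-14)

"Dynamic A records not refreshed in 14 days (scavenging candidates):"
$records | Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
    Select-Object HostName, Timestamp, @{ n = 'IP'; e = { $_.RecordData.IPv4Address } }

"Static A records (no timestamp, kept regardless of scavenging):"
$records | Where-Object { -not $_.Timestamp } | Select-Object HostName
```

Run the review part on its own first; if hosts you know to be alive appear as candidates, their registration is not reaching this server (for example because a DHCP server registered the record under its own account and the client cannot refresh it), and that should be fixed before scavenging is switched on.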

Most of the vulnerabilities the PCI compliance scan found in the one installation I've recently certified were a couple of patches needed on the server, but most pointed to the firewall; once it was hardened, I passed the site's PCI compliance. I couldn't get this figured out, so we opened a ticket with Microsoft. I had to open a ticket with Microsoft on this. If you have support, that may be the best way to go.

It appears you've already followed all the steps I took to clear the problem.