4

I've looked through the AD documentation and I was not able to find any conclusive answer to this question. It's plainly simple, but hard enough to answer.

How does DDNS in AD work behind the scenes? I know that AD updates the DNS using simple IP address authentication on the DNS servers, but here comes the question: when a client joins the domain, Active Directory updates the client's DNS record with the client hostname. But who does this update? The client itself or only the Domain Controller?

If it's only the domain controller, I can believe that if a non-Windows machine successfully joins the domain it will get its DNS name updated on the DNS server through the DC's request.

Thanks,

Vinícius Ferrão
  • 5,400
  • 10
  • 52
  • 91

3 Answers

5

By default the client itself does its own DDNS update if it is XP or newer. A DHCP server can perform proxy updates for DNS clients that don't support updating their own client records.

You can also force a client registration via ipconfig /registerdns

Here's a good link, simple enough: http://technet.microsoft.com/en-us/library/cc771255.aspx

Domain Name System (DNS) client computers can use dynamic update to register and dynamically update their resource records with a DNS server whenever changes occur. This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use Dynamic Host Configuration Protocol (DHCP) to obtain an IP address.

TheCleaner
  • 32,352
  • 26
  • 126
  • 188
2

From what I understand, MS clients can update their resource records (Understanding Dynamic Update) via secure, AD integrated updates.

Also, MS DHCP can do this on behalf of a client (e.g. non-MS devices). This requires non-secure updates, IIRC.

Chipster
  • 131
  • 2
  • 2
    Is your second paragraph correct? I was under the impression that if the DHCP server does the DNS update, and uses a valid Active Directory account, then the update is "secure". – myron-semack Apr 23 '14 at 15:25
  • Great point, and I _think_ it can be set up either way. Leave it to a guy from an ISC-centric BIND/DHCP shop. :-) – Chipster Apr 23 '14 at 15:36
0

Windows DNS can use TSIG updates, but natively uses GSS-TSIG. GSS-TSIG is pretty different and does not use any keys etc. Basically any authenticated user with the correct privileges can update the AD DNS. All MS updates appear to use the DNS API, e.g. dnsapi.dll, yes the same one commonly used for MX lookups by programmers far and wide.
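The answers above describe the client (or the DHCP server on its behalf) sending a dynamic update, either unsigned or signed with TSIG/GSS-TSIG. The following is an added example, not code from the thread or from Microsoft, that builds an RFC 2136 DNS UPDATE message of the kind a host sends to register its own A record, then parses it back and reports whether a TSIG signature record is present in the additional section. The zone, host name and address are constructed; the GSS-TSIG TKEY negotiation that Windows performs before a secure update, and the prerequisite records Windows typically includes, are not reproduced here.

```python
"""Build and parse an RFC 2136 DNS UPDATE message (added example, stdlib only)."""
import socket
import struct

OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA, TYPE_TSIG, TYPE_ANY = 1, 6, 250, 255
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_register_update(zone, host, ip, txn_id=0x1234, ttl=1200):
    """UPDATE that replaces every A record of `host` with one A record for `ip`.

    No TSIG record is appended, so this is an unsigned update: the kind a zone
    configured for "nonsecure and secure" updates accepts from any source.
    """
    flags = OPCODE_UPDATE << 11                     # QR=0, opcode 5, no RD
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 2, 0)   # ZO, PR, UP, AD
    zone_sec = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    # "delete RRset": class ANY, TTL 0, empty RDATA (RFC 2136 section 2.5.2)
    delete_rrset = encode_name(host) + struct.pack("!HHIH", TYPE_A, CLASS_ANY, 0, 0)
    rdata = socket.inet_aton(ip)                    # validates the dotted quad
    add_rr = (encode_name(host)
              + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata)
    return header + zone_sec + delete_rrset + add_rr


def decode_name(buf, off):
    """Decode uncompressed labels starting at `off`; return (name, new offset)."""
    labels = []
    while True:
        length = buf[off]
        off += 1
        if length == 0:
            return ".".join(labels), off
        if length & 0xC0:
            raise ValueError("compressed names are not handled by this example")
        labels.append(buf[off:off + length].decode("ascii"))
        off += length


def _read_rr(buf, off):
    name, off = decode_name(buf, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
    off += 10
    return (name, rtype, rclass, ttl, buf[off:off + rdlen]), off + rdlen


def parse_update(buf):
    """Return the zone, the update operations and whether a TSIG RR is present."""
    txn_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", buf[:12])
    if (flags >> 11) & 0xF != OPCODE_UPDATE:
        raise ValueError("not an UPDATE message")
    if zo != 1:
        raise ValueError("UPDATE must carry exactly one zone")
    off = 12
    zone, off = decode_name(buf, off)
    off += 4                                        # zone type/class (SOA/IN)
    for _ in range(pr):                             # prerequisites: skipped here
        _, off = _read_rr(buf, off)
    updates = []
    for _ in range(up):
        (name, rtype, rclass, ttl, rdata), off = _read_rr(buf, off)
        if rclass == CLASS_ANY and rtype == TYPE_ANY:
            updates.append(("delete_all", name))
        elif rclass == CLASS_ANY:
            updates.append(("delete_rrset", name, rtype))
        elif rclass == CLASS_NONE:
            updates.append(("delete_rr", name, rtype, rdata))
        elif rtype == TYPE_A and rclass == CLASS_IN:
            updates.append(("add", name, "A", socket.inet_ntoa(rdata), ttl))
        else:
            updates.append(("add", name, rtype, rdata, ttl))
    signed = False
    for _ in range(ad):                             # a TSIG RR must be last
        rr, off = _read_rr(buf, off)
        signed = signed or rr[1] == TYPE_TSIG
    return {"id": txn_id, "zone": zone, "prerequisites": pr,
            "updates": updates, "signed": signed}


if __name__ == "__main__":
    # Constructed sample: workstation ws01 registering 192.0.2.10 in example.com
    msg = build_register_update("example.com", "ws01.example.com", "192.0.2.10")
    print(len(msg), "bytes:", parse_update(msg))
```

The `signed` flag is the practical distinction the second answer's comments turn on: a DNS server whose zone allows only secure updates refuses a message like the one built here because no TSIG record (and hence no Kerberos-backed GSS-TSIG context) authenticates the sender, while a "nonsecure and secure" zone applies it as-is.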