How To Configure Secure Dynamic DNS (Windows Server 2022)

Thanks for watching I appreciate the support. I plan on putting out more videos at least by January

Thanks Hermon! Glad you like them, I plan on putting them out with more regularity

@@OsbornePro that would be awesome, it would also be nice if you had courses, if time allows it for you. I really like your way of explaining. Looking forward. Much respect.

Thank you appreciate it. I was thinking of doing a powershell course at some point

@@OsbornePro that would be great, maybe OS in general, security courses you seem great at it. So starting with the concept of it and implementations.... But you know best. I am absolutely sure your channel is going to bomb anytime soon.

@@hermonkidane1503 I will probably do some videos like you are thinking. My plan was to see what kind of following I could build with UA-cam and use that to put out a course of some kind. I will keep it mind for sure.

@@filipfabicevic3077 thanks for watching! The DHCP server is registering the domain and IP resolution on behalf of the client so as long as the client can get a DHCP address it should work. It sounds like you need to set an ip helper-address on the switch for that VLAN. Make sure the forward look up zone exists on the DHCP server also. In the DNS server check your security settings to see if there are restrictions and what subnets allow updates

Thanks for watching! Event ID 8018 when I looked it up is a Zone Transfer failure. It sounds to me like the DNS records are not able to be updated in DNS because of Zone Transfer restrictions. Open the DNS configuration area. Right click and select Properties (on the DNS server if I remember correctly) and go to the Forwarders tab. Then you want to allow forwarding to your specific DNS servers. This prevents an attacker from having the ability to dump your DNS records.
You should not configure the DHCP Dynamic DNS credentials if you are allowing the clients to secure update themselves. This can create overlaps and permission issues and mismatched records. If you have the dynamic DNS account update a DNS entry, the device referenced by that DNS entry will not be able to update that record.

Thanks for watching. That’s a great situation to bring up. I don’t think I have a good answer for off the top of my head. I would picture the way to do it would be to add the firewall or whatever is assigning the DHCP addresses to the Dynamic DNs Proxy group in Active Directory and see if it can perform the DNS updates. Otherwise it may be that you would have to change the DHCP server to use the Windows one or add all VPN connection machines to the DynamicDNS proxy group. That would over grant permissions which may or not be acceptable risk to your environment. I’ll have to look into it and let you know if I find anything. If you find a good solution I’d love if you share

@@OsbornePro i have added a new dhcp server to take care of vpn client addresses. The Server is domain joined and a dynamic dns user is configured. Also i added the server to dns proxy group but it is not able to update dns records. Dont know why ..
It deploys leases to the vpn clients but does not update or create dns records.

@@ZZREPLAY in the DHcP server setting so the box checked to register PTR records whether or not the client attempts to register? If that is done take a look at the DNS logs to see if any errors stand out

Thanks for watching! I would still assign the server to the DnsUpdateProxy group. If there ever comes a time when the role is moved off the server, it can be seen the current server is a member of that group and it will make whoever looks at it take notice possibly preventing or shortening a resolution. Twenty years from now some IT guy will say thank you Wyatt. This is not needed however when you issue that command. The link below references if that helps you decide whatever is best for you.
Your summary of actions looks complete to me and yes use "dnscmd /config /OpenAclOnProxyUpdates 0" since your DC is also a DHCP server. Here is a link to Microsoft's mention of this learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff631099(v=ws.10)#summary

@OsbornePro awesome! Thank you! This was the first video of yours that I have seen and it was perfect. Explain everything so well. Will definitely recommend to others and watch more of your tutorials!

Thanks for watching! In case this helps you setup what you would like I have a PowerShell configuration script that you may find useful at github.com/OsbornePro/ConfigTemplates/blob/main/ConfigureDynamicDNS.ps1
Since remote management of servers can vary it is not able to be executed in one go. I would recommend having the script open on your desktop or laptop. Remote into the DHCP server and remote into your DNS server. Then copy and paste in the sections I created. For existing environments you can use the below commands for your setup.
#======================================================
# EXECUTE BELOW COMMANDS ON ACTIVE DIRECTORY SERVER
#======================================================
# Create the Dynamic DNS user with normal user permissions
$DHCPServer = Read-Host -Prompt "What is the hostname of your DHCP server? EXMAPLE: dhcp01"
New-ADUser -Name "Dynamic DNS" -GivenName "Dynamic" -Surname "DNS" -SamAccountName "dyndns" -AccountPassword (Read-Host -AsSecureString "Enter strong password for account. This password should be very long") -ChangePasswordAtLogon $False -Description "This account is used by the DHCP servers to register Dynamic DNS updates" -DisplayName "Dynamic DNS" -Enabled $True
Get-ADUser -Filter 'SamAccountName -like "dyndns"' -SearchBase "CN=Users,DC=$env:USERDOMAIN,DC=com" | Set-ADUser -PasswordNeverExpires:$True -CanNotChangePassword:$True
# Create the required DHCP groups in Active Directory
New-ADGroup -Name "DHCP Administrators" -DsiplayName "DHCP Administrators" -SamAccountName "DHCP Administrators" -GroupCategory Security -GroupScope Global -Path "CN=Users,DC=$env:USERDOMAIN,DC=com" -Description "Members of this group have DHCP administrative permissions"
New-ADGroup -Name "DHCP Users" -DsiplayName "DHCP Users" -SamAccountName "DHCP Users" -GroupCategory Security -GroupScope Global -Path "CN=Users,DC=$env:USERDOMAIN,DC=com" -Description "Members of this group have limited DHCP permissions"
Write-Output "[*] Adding DHCP server to DNSUpdateProxy group which is required for Dynamic DNS"
Add-ADGroupMember -Identity DnsUpdateProxy -Members "$($DHCPServer)$"
#==============================================================
# Execute these commands on the DHCP server (Configure Dynamic DNS)
#==============================================================
# Authorize the DHCP server in Active Directory
Add-DhcpServerInDC -DnsName $FQDN -IPAddress $DhcpIpAddress
$CheckAuthorizedDhcpServer = Get-DhcpServerInDC
If ($CheckAuthorizedDhcpServer.DnsName -contains "$($env:COMPUTERNAME).$((Get-CimInstance -ClassName Win32_ComputerSystem).Domain)") {
Write-Output "[*] Successfully authorized DHCP server $($env:COMPUTERNAME).$((Get-CimInstance -ClassName Win32_ComputerSystem).Domain) in Active Directory"
Write-Output "[*] Notifying 'Server Manager' application of the update"
Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12 -Name ConfigurationState -Value 2
} Else {
Throw "Make sure you are a member of the 'Enterprise Admins' Security Group then try again. DHCP server is not authorized in Active Directory. "
} # End If Else
#===============================================================
# THE BELOW IS FOR CONFIGURING NEW DHCP SCOPES with Dynamic DNS
#===============================================================
$Domain = Read-Host -Prompt "Enter the domain name to join EXAMPLE: domain.com "
$DnsServer = Read-Host -Prompt "Enter the IP Address of your primary DNS Server "
$PrimaryDC = Read-Host -Prompt "Enter the IP Address of your primary Active Directory Server "
$NTPServer = Read-Host -Prompt "Enter the IP Address of your NTP Server (Typicaly your DC) "
$DhcpIpAddress = Read-Host -Prompt "Enter the DHCP servers IP Address "
$DefaultGateway = Read-Host -Prompt "Enter the default gateway Address for the DHCP scope "
$NewHostname = Read-Host -Prompt "Enter the hostname for your DHCP server "
$InterfaceAlias = (Get-NetAdapter)[0].InterfaceAlias
$ScopeName = Read-Host -Prompt "Enter an identifying name for your new DHCP Scope EXAMPLE: Servers :"
$ScopeID = Read-Host -Prompt "Enter your Scope ID EXAMPLE: 192.168.137.0 :"
$StartRange = Read-Host -Prompt "Enter the starting range for DHCP scope EXAMPLE: 192.168.137.1 :"
$EndRange = Read-Host -Prompt "Enter the ending rnage for the DHCP scope EXMAMPLE: 192.168.137.254 :"
$FQDN = "$($NewHostname).$($Domain)"
Write-Output "[*] Setting the server level DNS Dynamic Update configuration settings"
Set-DhcpServerv4DnsSetting -ComputerName $FQDN -DynamicUpdates Always -NameProtection $True
Set-DhcpServerDnsCredential -Credential (Get-Credential -Message "Enter credentials for the normal user account used to update Dynamic DNS records through the DHCP server") -ComputerName $FQDN
Write-Output "[*] Enabling the ability to deny assigning IP addresses to MAC addresses"
Set-DhcpServerv4FilterList -ComputerName $FQDN -Allow $False -Deny $True
Write-Output "[*] Creating an initial scope on the DHCP server and setting options"
Add-DhcpServerv4Scope -Name $ScopeName -StartRange $StartRange -EndRange $EndRange -Description "Default $ScopeName subnet" -SubnetMask 255.255.255.0 -State Active
Add-DhcpServerv4ExclusionRange -ScopeId $ScopeID -StartRange $StartRange -EndRange $EndRange -ComputerName $FQDN
Set-DhcpServerv4OptionValue -ComputerName $FQDN -ScopeId $ScopeID -DnsServer $DnsServer -DnsDomain $Domain -Router $DefaultGateway -Force
Set-DhcpServerv4OptionValue -OptionId 42 -Value $NTPServer -ScopeId $ScopeID -ComputerName $FQDN
Write-Output "[*] Disabling NetBIOS in DHCP assignments"
Set-DhcpServerv4OptionValue -ComputerName $FQDN -VendorClass "Microsoft Options" -OptionId 1 -Value 1
Set-DhcpServerv4OptionValue -ComputerName $FQDN -VendorClass "Microsoft Windows 2000 Options" -OptionId 1 -Value 1