The big benefit of combining AD and DNS on the same system by using Active Directory-integrated (ADI) zones is that you can specify that dynamic updates must be "secure". (The setting is made either through the DNS administrative console or the DNSCMD command-line tool. You are offered the choice in the New Zone wizard, but you can always change it later; the three options are no dynamic updates, nonsecure and secure, and secure only.) Dynamic updates (specified in RFC 2136) mean that when a system changes its IP address, the DNS database is updated automatically with the new information. With an ADI zone set to secure-only updates, a machine that performs a dynamic update authenticates with its AD computer account (Kerberos, carried in the DNS transaction via GSS-TSIG, RFC 3645), and it becomes the owner of the resource record it creates. (Try it and see.) That machine can submit future updates (e.g. a new IP address) because it is the owner, but other machines cannot update that record. If you look at the access control list of an ADI zone, or of an individual record in it (each record is an AD object stored under CN=MicrosoftDNS), you can see exactly who has rights to add and modify records. Basically this mechanism prevents machine A from modifying machine B's DNS registrations; it also prevents any entity without a legitimate AD account from performing dynamic updates at all. Secure updates are only available with ADI zones, and that is probably the single most compelling reason to use them, given that attacking an organization's DNS database is an effective way to disrupt an Active Directory network. Note that the middle setting, "nonsecure and secure", gives you none of this protection: any host that can reach the server can add or overwrite records. The ownership model also has an administrative cost: a record whose owner is a machine that has since been rebuilt with a new computer account, or a DHCP server that registered it on a client's behalf, cannot be overwritten by anyone else until an administrator deletes it or changes its ACL (the DnsUpdateProxy group exists for the DHCP case). You also have the option of turning off dynamic updates entirely, which increases security further, at the cost of maintaining every record by hand.
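The following PowerShell script is an added example, not code from the original article. It audits the dynamic-update setting of a zone on a Windows Server 2008 DNS server through the MicrosoftDNS WMI provider, switches an ADI zone that accepts nonsecure updates to secure-only with DNSCMD, and then dumps the ACL of one record's AD object with DSACLS so you can see the owner and the per-record rights the text describes. The server name dns1.example.com, the zone example.com, the record host1, and the DomainDnsZones partition are assumptions for illustration; run it elevated as a DNS administrator.

```powershell
# Added example (not from the original article): audit and harden dynamic
# updates on a Windows Server 2008 DNS server, then inspect one record's ACL.
param(
    [string]$Server = 'dns1.example.com',   # assumed DNS server name
    [string]$Zone   = 'example.com',        # assumed zone name
    [string]$Record = 'host1'               # assumed host record in that zone
)

# MicrosoftDNS_Zone.AllowUpdate uses the same values as "dnscmd /AllowUpdate":
# 0 = no dynamic updates, 1 = nonsecure and secure, 2 = secure only.
$labels = @{ 0 = 'None (no dynamic updates)'; 1 = 'Nonsecure and secure'; 2 = 'Secure only' }

$zoneObj = Get-WmiObject -ComputerName $Server -Namespace 'root\MicrosoftDNS' `
    -Class MicrosoftDNS_Zone -Filter "Name='$Zone'"
if (-not $zoneObj) { throw "Zone $Zone not found on $Server" }

"Zone $Zone on $Server : DsIntegrated=$($zoneObj.DsIntegrated), " +
"AllowUpdate=$($labels[[int]$zoneObj.AllowUpdate])"

if ($zoneObj.AllowUpdate -eq 1) {
    Write-Warning 'Zone accepts unauthenticated updates: any host that can reach the server can overwrite records.'
    if ($zoneObj.DsIntegrated) {
        # Secure-only (2) is only accepted for ADI zones; this is the console's "Secure only" choice.
        & dnscmd $Server /Config $Zone /AllowUpdate 2
    } else {
        # A standard primary zone cannot do secure updates; it must be converted to ADI first.
        Write-Warning "Zone is not AD-integrated. Convert it first: dnscmd $Server /ZoneResetType $Zone /DsPrimary"
    }
}

# Each record in an ADI zone is an AD object named DC=<record> under the zone object.
# The partition (DomainDnsZones here) is an assumption; "dnscmd $Server /ZoneInfo $Zone"
# reports where the zone is actually stored.
$domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$recordDn = "DC=$Record,DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
# DSACLS prints the owner and every ACE; look for the registering computer account
# (COMPUTERNAME$) holding write rights, and for "Authenticated Users" having only Create Child on the zone.
& dsacls $recordDn
```

If the zone is set to "None (no dynamic updates)" the script leaves it alone, since that is the stricter configuration the article mentions; the warning path covers only the setting that actually exposes the zone to unauthenticated rewrites.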
Secure Updates in Server 2008 DNS
A striking compromise between security and manageability
Copyright © 2009. Raybet2