
Register IP address of HP printers to DNS

CorsaroDelVento 61 Reputation points
2026-05-05T18:49:44.8333333+00:00

I use static IP addresses in my company and I would like HP printers to register automatically in Active Directory DNS, so I am asking whether it is a good idea to enable the option "Enabling untrusted access to Active Directory DNS".

I have several doubts about it. Do you have any suggestions, please?


2 answers

  1. Tracy Le 7,480 Reputation points Independent Advisor
    2026-05-05T19:51:31.2333333+00:00

    Hi CorsaroDelVento,

    Since you are using static IPs for your HP printers, you have two clean ways to handle this without compromising security:

    1. The Best Practice (DHCP Reservations): Instead of hard-coding static IPs on the printers themselves, switch them to DHCP but create DHCP Reservations on your Windows DHCP server.

    Configure your DHCP server to perform DNS dynamic updates on behalf of the clients (the printers).

    This way, the DHCP server (a trusted domain member) handles the registration, and you don't have to lower your DNS security settings.

    2. The Manual Approach (If you must stay static): If you strictly cannot use DHCP, simply create the A (Host) and PTR (Reverse) records manually in your DNS manager once. Since the IPs are static and printers rarely change names, this "set and forget" method is much safer than allowing unauthenticated updates.

    Summary: Stick to Secure Dynamic Updates only. Use DHCP Reservations to let the server do the work, or just create the records manually.

    If this clarifies your strategy, please click "Accept Answer".

    Tracy Le.

    1 person found this answer helpful.

  2. Q&A Assist
    2026-05-05T18:49:58.8966667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    HP printers with static IP addresses can dynamically register in DNS, but enabling broad “untrusted access to Active Directory DNS” is not recommended. A more secure and manageable approach is:

    1. Use DHCP where possible
      If printers can use DHCP reservations instead of hard-coded static IPs, let the DHCP server handle DNS registration. DHCP can be configured to register A/PTR records on behalf of clients, avoiding the need to grant the devices direct dynamic-update permissions. This aligns with the guidance that DHCP servers typically register PTR and optionally A/AAAA records for DHCP clients.
    2. If static IPs are required
      For Windows clients with static IPs, DNS registration is controlled per adapter via the "Register this connection's addresses in DNS" setting and by system-wide policies/registry keys such as DisableDynamicUpdate and RegistrationEnabled.
      • For Windows hosts, clearing or enabling this option and then triggering registration (for example, via ipconfig /registerdns or restarting the DNS Client service) controls whether they create/update their own A records.
      • For non‑Windows devices (like HP printers), similar automatic registration would require allowing those devices to perform dynamic DNS updates directly against the AD‑integrated zone, which implies granting them update rights and treating them as trusted DNS updaters. This is generally avoided in secure AD environments.
    3. Prefer controlled DNS updates instead of “untrusted access”
      Rather than enabling a broad “untrusted access to Active Directory DNS” setting:
      • Keep dynamic DNS updates restricted to trusted Windows clients, domain controllers (via Netlogon), and DHCP servers.
      • For printers, either:
        • Register their A/PTR records manually in DNS, or
        • Use DHCP reservations so the DHCP server (a trusted principal) performs the dynamic updates.
    4. Use global and per‑adapter controls for Windows hosts only
      If adjusting DNS dynamic registration behavior on Windows servers/clients:
      • System‑wide enable/disable is controlled via DisableDynamicUpdate under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters (0 = enable, 1 = disable).
      • Policy DNS_RegistrationEnabled (Dynamic update) under Software\Policies\Microsoft\Windows NT\DNSClient controls whether the DNS client attempts dynamic updates on connections that allow it.
      • Netlogon’s UseDynamicDns controls whether domain controllers register their SRV and A records dynamically.

    In an AD environment, granting generic “untrusted” dynamic-update access to DNS so that printers can self‑register is not advisable. Use DHCP reservations or manual DNS entries for printers, and keep dynamic DNS updates limited to trusted Windows components and services.
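
The approach both answers above recommend (DHCP reservations with the DHCP server registering DNS on the printers' behalf, or A/PTR records created once by hand, with the zone kept off nonsecure updates), as an added PowerShell example that is not part of either answer. The server names, zone, scope, printer names, MAC and IP addresses are constructed placeholders, and it assumes the DnsServer and DhcpServer modules are available where it runs and that the reverse lookup zone already exists.

```powershell
# Added example: every name, MAC and address below is a constructed placeholder.
$DnsServer  = 'dc01.corp.example.com'    # assumed DNS server hosting the AD-integrated zone
$DhcpServer = 'dhcp01.corp.example.com'  # assumed Windows DHCP server
$Zone       = 'corp.example.com'         # assumed forward lookup zone
$ScopeId    = '10.0.20.0'                # assumed DHCP scope holding the printers
$UseDhcp    = $true                      # $false: printers keep hard-coded static IPs
$Printers = @(
    [pscustomobject]@{ Name = 'prn-floor1'; IP = '10.0.20.51'; Mac = '00-11-22-33-44-55' }
    [pscustomobject]@{ Name = 'prn-floor2'; IP = '10.0.20.52'; Mac = '00-11-22-33-44-56' }
)

# 1. Stop if the zone already accepts unauthenticated dynamic updates.
$zoneInfo = Get-DnsServerZone -ComputerName $DnsServer -Name $Zone
if ($zoneInfo.DynamicUpdate -eq 'NonsecureAndSecure') {
    throw "Zone $Zone allows nonsecure dynamic updates; set it back to Secure first."
}

if ($UseDhcp) {
    # 2a. The DHCP server (a trusted domain member) registers A and PTR records,
    #     including for clients that never request a DNS update themselves.
    Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $ScopeId `
        -DynamicUpdates Always -UpdateDnsRRForOlderClients $true `
        -DeleteDnsRROnLeaseExpiry $true

    # Pin each printer to its current address; the printer itself is then set to DHCP.
    foreach ($p in $Printers) {
        Add-DhcpServerv4Reservation -ComputerName $DhcpServer -ScopeId $ScopeId `
            -IPAddress $p.IP -ClientId $p.Mac -Name $p.Name -Description 'HP printer'
    }
    Get-DhcpServerv4Reservation -ComputerName $DhcpServer -ScopeId $ScopeId |
        Select-Object IPAddress, ClientId, Name
}
else {
    # 2b. Printers stay static: create the A record once; -CreatePtr adds the
    #     matching PTR record in the existing reverse zone.
    foreach ($p in $Printers) {
        Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $Zone `
            -Name $p.Name -IPv4Address $p.IP -CreatePtr
    }
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -RRType A |
        Where-Object { $_.HostName -in $Printers.Name } |
        Select-Object HostName, @{ n = 'IP'; e = { $_.RecordData.IPv4Address } }
}
```

In the DHCP branch the DNS records appear only after each printer has obtained its lease, so check them with `Resolve-DnsName` once the printers have been switched to DHCP.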

