When you add servers to the DNSUpdateProxy group, it basically REMOVES any
security of the objects by granting "Authenticated Users" Full Control to
the DNS record => this is what allows other DNS servers (or whoever is added
to the DnsUpdateProxy group) to overwrite these records. 

As such you should NEVER add DCs to this group (even when hosting your DHCP
service on a DC) - otherwise you'll compromise security in your domain. If
you want this same "insecurity" for your imported records, you could also
grant these permissions or simply add your user account to the
DnsUpdateProxy group. 

Instead - if you are running 2003 - you should configure your DHCP service to
register records with a specific account. This way the records are still
secured against changes from all Authenticated Users - only DHCP servers
configured to use the same account can update the records.  It's not as
simple as running the service under an account, but it's some option of the
DHCP service - I'd have to look it up, but I'm sure others will fill in the
details.

/Guido
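The check a practitioner would want after reading Guido's reply is to see which records in a zone actually carry the "Authenticated Users: Full Control" ACE he describes, and where the per-account DHCP registration setting lives. The following is an added example, not code from either poster: it walks the dnsNode objects of one AD-integrated zone and lists the records any authenticated user could overwrite, then shows the DHCP DNS-credentials setting. The zone name corp.example.com, its location in the DomainDnsZones partition, the DHCP host DHCPSERV1 and the account name DhcpDnsUpdate are assumptions for illustration.

```powershell
# Added example (not from the thread): audit dnsNode objects in an AD-integrated
# zone for an Allow ACE that grants Authenticated Users (S-1-5-11) Full Control,
# which is what registrations by DnsUpdateProxy members leave behind.
# Assumed names: zone corp.example.com stored in the DomainDnsZones partition of
# DC=corp,DC=example,DC=com. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$Zone   = 'corp.example.com'
$ZoneDn = "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example,DC=com"
# Legacy zones replicated domain-wide (2000-style) live under CN=System instead:
#   "DC=$Zone,CN=MicrosoftDNS,CN=System,DC=corp,DC=example,DC=com"

$FullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Test-OpenDnsRecord {
    # Returns $true when Authenticated Users has an Allow ACE carrying Full Control.
    # Comparing with -band against GenericAll catches both a literal GenericAll ACE
    # and an ACE that spells out every individual right.
    param([Parameter(Mandatory = $true)]$Acl)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid.Value -ne 'S-1-5-11') { continue }
        if (($ace.ActiveDirectoryRights -band $FullControl) -eq $FullControl) { return $true }
    }
    return $false
}

# One row per record that any authenticated user could overwrite; Owner is shown
# because the thread notes imported records end up owned by SYSTEM with the
# importing user's account on the ACL instead.
Get-ADObject -SearchBase $ZoneDn -SearchScope OneLevel -LDAPFilter '(objectClass=dnsNode)' |
    ForEach-Object {
        $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        [pscustomobject]@{
            Record                   = $_.Name
            Owner                    = $acl.Owner
            OpenToAuthenticatedUsers = Test-OpenDnsRecord -Acl $acl
        }
    } |
    Where-Object { $_.OpenToAuthenticatedUsers } |
    Format-Table -AutoSize

# The alternative Guido refers to: have DHCP register records under a dedicated
# domain user (assumed name corp\DhcpDnsUpdate; it needs no special group
# membership) so that only DHCP servers using that account can update them.
# Windows Server 2003, run on each DHCP server:
#   netsh dhcp server set dnscredentials DhcpDnsUpdate corp <password>
#   netsh dhcp server show dnscredentials
# Windows Server 2012 and later (DhcpServer module):
#   Set-DhcpServerDnsCredential -ComputerName DHCPSERV1 -Credential (Get-Credential 'corp\DhcpDnsUpdate')
```

Run the audit from a workstation with RSAT against a domain controller; it needs only read access to the zone container. A record that the audit flags is writable by every authenticated account in the forest, which is the condition the reply warns about, and the two commands at the end replace that with a single known account per DHCP server.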

-----Original Message-----
From: Jef Kazimer [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 5 November 2003 17:29
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group

When specifying DHCP servers in the DnsUpdateProxy,  should the ACL For the
record show the machine account (DHCPSERV1$) or should it show
(DNSUPDATEPROXY)?

I'm looking at some Zones, and I see the DHCP server as having
FullControl, and the owner as SYSTEM.

Would a 2nd DHCP server in the DNSUPDATEPROXY group be able to update the
record?


Also, I am in the middle of scripting converting Reverse zones from a Class
B to a more granular Class C scheme. We need to turn on scavenging on only
specific zones, and not other to avoid missing records. 

If I export and re-import these records,  my account shows up on the ACL,
and the owner is SYSTEM.  I am going to assume that neither the DHCP server
nor a w2k client can update these records.

Is there a way to import records and retain the DNSUpdateProxy ACL even
though it is a system group?

Any suggestions?  I fear these PTR records would not be able to be
refreshed until after they are scavenged....

Jef


List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/