Look at the ACL with ADSIEdit - it should not be empty. Is there an "Everyone" ACL?
-----Original Message-----
From: Jef Kazimer [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 5 November 2003 22:07
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group

Guido,

Thanks. I would agree with you, but being a new person on this site, I'm looking to get my facts straight before I bring it up. The records show the Authenticated Users, with NOTHING set, which is kind of odd to me.

I am glad you understand what I am getting at here, as I thought I was misunderstanding how this should work.

Jef

Original Message:
>From: "GRILLENMEIER,GUIDO (HP-Germany,ex1)" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group
>Date: Wed, 5 Nov 2003 21:48:13 +0100
>
>Yes, you DON'T want your DCs to be added to the DnsUpdateProxy group, even if they run DHCP services. Only "stand-alone" (i.e. normal member servers) should be added to the group. I would sincerely suggest that you remove your DCs from the group as you're currently rather unprotected => you could just as well have configured dynamic DNS without the "allow only secure updates" option... as any client/user can easily erase or hijack the DC host records, potentially causing a full outage of your domain/forest.
>
>It might have been an MS recommendation 4 years ago, when they didn't know the product themselves - but you'll not hear that recommendation today.
>
>Have a look at what permissions Authenticated Users have in Advanced View - it may not be Full Control after all, but at least write access to most of the attributes of the record.
>
>
>-----Original Message-----
>From: Jef Kazimer [mailto:[EMAIL PROTECTED]
>Sent: Wednesday, 5 November 2003 20:15
>To: [EMAIL PROTECTED]
>Subject: RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group
>
>Guido,
>
>Thanks for the response.
>
>Since DNS is running AD-integrated on the DCs, and runs under the System context, they don't need to be added to this group, correct? I think you meant that stand-alone DNS servers would need to be added to this group to facilitate updates, correct?
>
>Since coming to this site, I'm wondering why they have the DCs in the DnsUpdateProxy group, as well as the DHCP servers. Apparently it was an MS recommendation, but I can't find a reason in my head why this would be required. This would cause that insecurity issue, I'd imagine. Am I missing something?
>
>Also, I see the records have Authenticated Users on the ACL as SPECIAL, but no properties/rights are checked. This is the result that the proxy group creates, correct?
>
>So if I need to re-ACL those records, this is the correct ACL?
>
>Thanks, I appreciate the help. I've set up the proxy group before, but never went into great detail trying to figure out someone else's design choices, so I'm learning more about it as I go.
>
>This is 2k, and not 2k3 yet, as I would like to use the "service" account for DHCP when we can for these reasons.
>
>Jef
>
>
>Original Message:
>>From: "GRILLENMEIER,GUIDO (HP-Germany,ex1)" <[EMAIL PROTECTED]>
>>To: [EMAIL PROTECTED]
>>Subject: RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group
>>Date: Wed, 5 Nov 2003 19:13:07 +0100
>>
>>When you add servers to the DnsUpdateProxy group, it basically REMOVES any security of the objects by granting "Authenticated Users" Full Control to the DNS record => this is what allows other DNS servers (or whoever is added to the DnsUpdateProxy group) to overwrite these records.
>>
>>As such you should NEVER add DCs to this group (even when hosting your DHCP service on a DC) - otherwise you'll compromise security in your domain. If you want this same "insecurity" for your imported records, you could also grant these permissions or simply add your user account to the DnsUpdateProxy group.
>>
>>Instead - if you are running 2003 - you should configure your DHCP service to register records with a specific account. This way the records are still secured against changes from all Authenticated Users - only DHCP servers configured to use the same account can update the records. It's not as simple as running the service under an account, but it's some option of the DHCP service - I'd have to look it up, but I'm sure others will fill in the details.
>>
>>/Guido
>>
>>-----Original Message-----
>>From: Jef Kazimer [mailto:[EMAIL PROTECTED]
>>Sent: Wednesday, 5 November 2003 17:29
>>To: [EMAIL PROTECTED]
>>Subject: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group
>>
>>When specifying DHCP servers in the DnsUpdateProxy, should the ACL for the record show the machine account (DHCPSERV1$) or should it show (DNSUPDATEPROXY)?
>>
>>I'm looking at some zones, and I see the DHCP server as having Full Control, and the owner as SYSTEM.
>>
>>Would a 2nd DHCP server in the DnsUpdateProxy group be able to update the record?
>>
>>
>>Also, I am in the middle of scripting converting reverse zones from a Class B to a more granular Class C scheme. We need to turn on scavenging on only specific zones, and not others, to avoid missing records.
>>
>>If I export and re-import these records, my account shows up on the ACL, and the owner as SYSTEM. I am going to assume that neither DHCP nor a W2K client can update these records.
>>
>>Is there a way to import records and retain the DnsUpdateProxy ACL even though it is a system group?
>>
>>Any suggestions? I fear these PTR records would not be able to be refreshed until after they are scavenged....
>>
>>Jef

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
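An added example, not code from the thread or from anyone in it, covering the three checks the discussion calls for: which dnsNode records carry an Allow ACE giving Authenticated Users or Everyone write-class rights (Guido's "have a look at what permissions Authenticated Users have"), which domain controllers sit in DnsUpdateProxy, and setting a dedicated DHCP dynamic-update account instead of using the group. It is written with the ActiveDirectory and DhcpServer PowerShell modules of Windows Server 2012 and later, which did not exist when the thread was written; the domain example.com, the zone DN, the DHCP server name dhcp01 and the account name in the prompt are all assumptions.

```powershell
# Added example (not from the thread). Audits AD-integrated DNS record ACLs for
# broad write access, lists DCs that are members of DnsUpdateProxy, and sets a
# dedicated DHCP dynamic-update credential. Assumptions: ActiveDirectory and
# DhcpServer modules, domain example.com, the zone DN below, DHCP server dhcp01.
Import-Module ActiveDirectory

# Windows 2000 kept AD-integrated zones under CN=MicrosoftDNS,CN=System,<domain DN>;
# 2003 and later default to the DomainDnsZones application partition used here.
$ZoneDn = 'DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com'

# Well-known SIDs, so the check does not depend on localised group names.
$BroadSids = @('S-1-5-11', 'S-1-1-0')   # Authenticated Users, Everyone

# Rights that let a trustee change, re-own or remove a record.
$WriteRights = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, GenericWrite, GenericAll, WriteDacl, WriteOwner, Delete, DeleteTree'

function ConvertTo-Sid ([System.Security.Principal.IdentityReference]$Id) {
    # Unresolvable trustees (deleted accounts) return $null and are ignored.
    try { $Id.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
}

function Get-OpenDnsRecord {
    # One object per dnsNode whose DACL has an Allow ACE granting write-class
    # rights to Authenticated Users or Everyone; DC host records should never appear.
    param([string]$SearchBase = $ZoneDn)
    Get-ADObject -SearchBase $SearchBase -LDAPFilter '(objectClass=dnsNode)' | ForEach-Object {
        $node = $_
        $acl  = Get-Acl -Path ('AD:\' + $node.DistinguishedName)
        $open = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (ConvertTo-Sid $_.IdentityReference) -in $BroadSids -and
            ([int]($_.ActiveDirectoryRights -band $WriteRights)) -ne 0
        }
        if ($open) {
            [pscustomobject]@{
                Record   = $node.Name
                Owner    = $acl.Owner
                Trustees = ($open | ForEach-Object { "$($_.IdentityReference): $($_.ActiveDirectoryRights)" }) -join '; '
            }
        }
    }
}

function Get-DcInDnsUpdateProxy {
    # Any DC listed here is the situation Guido warns about: records it registers
    # are left writable by every authenticated principal.
    $dcDns = (Get-ADDomainController -Filter *).ComputerObjectDN
    Get-ADGroupMember -Identity 'DnsUpdateProxy' -Recursive |
        Where-Object { $_.objectClass -eq 'computer' -and $_.distinguishedName -in $dcDns }
}

function Set-DhcpDnsUpdateAccount {
    # Gives the DHCP server a dedicated low-privilege domain account for dynamic
    # updates (the 2003 option Guido refers to; on 2003 itself it was set with
    #   netsh dhcp server set dnscredentials <user> <domain> <password>).
    # Records it registers are then owned by that account, not left open.
    param(
        [string]$DhcpServer = 'dhcp01',
        [pscredential]$Credential = (Get-Credential -Message 'DHCP dynamic-update account, e.g. EXAMPLE\svc-dhcpdns (assumed name)')
    )
    Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $Credential
    Get-DhcpServerDnsCredential -ComputerName $DhcpServer
}

Get-OpenDnsRecord | Sort-Object Record | Format-Table -AutoSize
Get-DcInDnsUpdateProxy | Select-Object name, distinguishedName
# Set-DhcpDnsUpdateAccount -DhcpServer 'dhcp01'   # run after removing DCs from DnsUpdateProxy
```

The audit deliberately looks only at individual dnsNode objects: on the zone object itself, Authenticated Users normally hold "Create all child objects", which is how secure dynamic update lets any domain member register a new record, so a hit at zone level is expected and not the problem the thread describes. Once every DHCP server uses the same dedicated account, the DnsUpdateProxy group can be emptied.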