Title: RE: [ActiveDir] AD integrated DNS, DHCP, Static addresses, and record ownership

See inline answers and ALSO SEE FOR SPECIFIC INFO ON THIS: http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DHCP_imp_InteroperabilityDNS.asp

Jorge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of James Cate
Sent: Wednesday, February 23, 2005 16:25
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD integrated DNS, DHCP, Static addresses, and record ownership

I should provide a little more information.  All of my DHCP servers are in the DNSUpdateProxy group that you are referring to.  The zone is an AD integrated zone and only allows secure updates.  The DHCP servers are also configured to update DNS instead of the client.  All workstations are Windows XP machines.

REACTION: Security is weakened when using the DNSUpdateProxy group. All records that are registered by DHCP servers that are members of the group have no owner and can be updated by anyone. This is insecure and thus NOT recommended!

The problem I am having with any DNS or DHCP server is that if the workstation is first configured with a static ip address or if it gets a DHCP ip address from a DHCP server that is not registered in AD or configured to update DNS the workstation is the creator of the DNS record.  Once that machine is changed to use a DHCP server that is in AD and configured to update the DNS record the update fails.  The Dhcp server cannot update the DNS record for that workstation.

REACTION: If the client gets a static address and registers it in DNS then it becomes the owner of the record. When the same client is reconfigured to be a DHCP client and the DHCP server wants to register/update the record of the client with a new IP address, then the DHCP server is not allowed to do that because it is not the owner of the record.

QUESTION: why does the client get a static address assigned in the first place when you could also use DHCP?
QUESTION: a DHCP server that is not registered in AD? Do you mean not authorized? If it is a W2K or W2K3 DHCP server that is not registered/authorized in AD then it should not be able to deliver IP addresses. This is only possible if the DHCP server is NT4

I assume this has something to do with the ownership of the record but if you look at the record owner it always belongs to "system" no matter how it is registered.

I don't see the "No Owner" that you speak of.
REACTION: With no owner I mean no explicit owner like a computer account (like COMPUTERNAME$). If the client registers the record then the client will become the owner and if you check the ACL you'll see that the computer has permissions to change it. Because of this the DHCP server will not be able to register/update the record.


On Tue, 22 Feb 2005 21:12:47 +0100, Jorge de Almeida Pinto <[EMAIL PROTECTED]> wrote:
> Hi,
>
> This is an ownership issue as you're talking about multiple DHCP
> servers. By default, when DHCP servers register an IP address on
> behalf of a client then the DHCP server (the computer account of the
> DHCP server) becomes the owner of the registered record. If another
> DHCP server wants to register the same record with another IP address
> it is not allowed to do that because it does not own the record. The
> story is different when DHCP is hosted on DCs as DCs are allowed to do
> everything because "Enterprise Domain Controllers" have permissions to all records!
> To provide for the possibility for other DHCP servers to update the
> same records each DHCP server COULD be placed in the DNSUpdateProxy
> Group, BUT this ALSO means that records (and the records of the DHCP
> server itself) registered by DHCP servers that are in that group have
> NO OWNER meaning that every machine/user has the permission to update
> those records. THIS IS VERY INSECURE, especially when DHCP servers are
> hosted on DCs (as ALL the DC records also are insecure!). There is
> another MORE SECURE way to allow all (and only) DHCP servers to register/update the same records.
>
> For W2K and W2K3 configure a user account to be used (a MUST when DHCP
> is on a DC!) on each DHCP server so that user account becomes the
> owner and has the permissions to register/update the client records.
> Configuring a user account can be done in the following way:
> * For W2K3: Use the DHCP MMC, right-click the DHCP server name, select the
> advanced tab and configure the "DNS dynamic updates registration
> credentials"
> * For W2K: the GUI does not provide the same ability as the GUI in
> W2K3 but it can be configured through typing the following commands:
> NETSH DHCP SERVER \\<servername> SET DNSCREDENTIALS <UserName>
> <Domain> <Password> --> press enter (see also
> http://support.microsoft.com/?kbid=255134)
>
> For more info on this see also
> http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DHCP_imp_InteroperabilityDNS.asp
>
> I think this should do it!
>
> Cheers!
> Jorge
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> To: ActiveDir@mail.activedir.org
> Sent: 2/22/2005 6:11 PM
> Subject: [ActiveDir] AD integrated DNS, DHCP, Static addresses, and
> record ownership
>
> I am looking for detailed documentation that would shed some light on
> how dynamic dns works.  The initial registration works fine for us but
> if the ip address changes the dns entry is not updated.  The DHCP
> servers are configured to register the workstations ip address.  I
> don't know if this is a record ownership issue or DNS aging/scavenging
> not allowing the update for x days.
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
>
> This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

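The checks behind Jorge's explanation, as an added example that is not part of the thread: it reads the ACL of one host's record object in an AD-integrated zone to show who owns it and who may overwrite it (the "client owns it" case and the DnsUpdateProxy "anyone can write it" case), lists the members of DnsUpdateProxy, and then applies the credential-based setup from KB 255134 with netsh. The zone name corp.example.com, its DomainDnsZones partition, the host ws01, the server dhcp01 and the dedicated update account are placeholders; adjust the zone DN for W2K zones stored under CN=MicrosoftDNS,CN=System in the domain partition.

```powershell
# Added example, not code from the thread. Assumptions (placeholders): the AD-integrated
# zone corp.example.com lives in the DomainDnsZones partition of the domain
# corp.example.com (W2K3 default; W2K zones sit under CN=MicrosoftDNS,CN=System,<domain>),
# the client is ws01 and the DHCP server is dhcp01. Run on a domain-joined host with
# rights to read the zone objects and administer the DHCP server.
param(
    [string]$ZoneDN     = 'DC=corp.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example,DC=com',
    [string]$HostName   = 'ws01',
    [string]$DhcpServer = 'dhcp01'
)

# Owner and write-capable principals of one dnsNode object (the per-host record set).
function Get-DnsRecordAcl {
    param([Parameter(Mandatory)][string]$RecordDN)

    $entry = [ADSI]"LDAP://$RecordDN"
    $sec   = $entry.psbase.ObjectSecurity
    $owner = $sec.GetOwner([System.Security.Principal.NTAccount]).Value

    # Any of these rights lets the holder rewrite the object's dnsRecord attribute.
    $writeMask = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty,GenericWrite,GenericAll'
    $writers = $sec.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.ActiveDirectoryRights -band $writeMask) -ne 0) } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    [pscustomobject]@{ Record = $RecordDN; Owner = $owner; Writers = $writers }
}

# Members of DnsUpdateProxy: every record these DHCP servers register is left without a real owner.
function Get-DnsUpdateProxyMembers {
    $searcher = [adsisearcher]'(&(objectClass=group)(sAMAccountName=DnsUpdateProxy))'
    $group = $searcher.FindOne()
    if ($group) { @($group.Properties['member']) } else { @() }
}

$recordDN = "DC=$HostName,$ZoneDN"
$acl = Get-DnsRecordAcl -RecordDN $recordDN
$acl | Format-List

if ($acl.Writers -match 'Authenticated Users|Everyone') {
    # The DnsUpdateProxy outcome Jorge warns about: no explicit owner, any principal can overwrite.
    Write-Warning "$recordDN is writable by any authenticated principal."
}
elseif ($acl.Owner -like "*\$HostName`$") {
    # The static-then-DHCP case: the client's computer account owns the record, so a
    # DHCP server (or its update account) is refused when it tries to change it.
    Write-Warning "$recordDN is owned by the client account $($acl.Owner); DHCP updates will be refused."
}

Write-Host 'DnsUpdateProxy members:'; Get-DnsUpdateProxyMembers

# Jorge's preferred approach (KB 255134): give every DHCP server the SAME dedicated,
# otherwise unprivileged domain user for dynamic updates, so that account (not the
# individual DHCP server) owns the client records and any DHCP server can refresh them.
$cred = Get-Credential   # enter DOMAIN\dhcp-dns-update (hypothetical account name)
$nc   = $cred.GetNetworkCredential()
$user = $nc.UserName; $domain = $nc.Domain; $password = $nc.Password
netsh dhcp server \\$DhcpServer set dnscredentials $user $domain $password
netsh dhcp server \\$DhcpServer show dnscredentials   # confirm the account took effect
```

Records that the client already owns keep their ACL after the credential is set; the script only reports them, it does not change ownership.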