I did look at it with both the DNS MMC, and then went into ADSI Edit as you suggested.
They have the same empty boxes.

Weirdness I tell you!  Weirdness!!!

Original Message:
>From: "GRILLENMEIER,GUIDO (HP-Germany,ex1)" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: RE: [ActiveDir] DHCP - DNS -  DnsUpdateProxy Group
>Date: Wed, 5 Nov 2003 22:38:17 +0100

>it does make sense, as you've probably got a permission set that's filtered
>from the UI (via the dssec.dat file in your system32 folder...) - that's why
>you should look at it via ADSIedit, which doesn't filter any permissions in
>the UI.
>
>I don't have anything to test around here right now so I can't compare what
>the ACL should be.
>
>-----Original Message-----
>From: Jef Kazimer [mailto:[EMAIL PROTECTED] 
>Sent: Wednesday, 5 November 2003 22:29
>To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
>Subject: RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group
>
>Guido,
>
>I know my description is not doing justice to what I am seeing. :)
>
>The ACL has an ACE for Everyone, Authenticated Users, DnsAdmins, etc.
>
>it lists Authenticated Users as "Special" and when you look at the
>properties, it shows the Read All Properties and Write All Properties, but
>NONE of the Allow/Deny boxes are checked.  So I'm curious what access this
>actually means.
>
>I hope that makes more sense, but I can give you a screen shot. :)
>
>J
>
>Original Message:
>>From: "GRILLENMEIER,GUIDO (HP-Germany,ex1)" <[EMAIL PROTECTED]>
>>To: [EMAIL PROTECTED]
>>Subject: RE: [ActiveDir] DHCP - DNS -  DnsUpdateProxy Group
>>Date: Wed, 5 Nov 2003 22:15:07 +0100
>
>>look at the ACL with ADSIedit - it should not be empty.  Is there an
>>"Everyone" ACL? 
>>
>>-----Original Message-----
>>From: Jef Kazimer [mailto:[EMAIL PROTECTED] 
>>Sent: Wednesday, 5 November 2003 22:07
>>To: [EMAIL PROTECTED]
>>Subject: RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group
>>
>>Guido,
>>
>>Thanks.  I would agree with you,  but being a new person on this site, I'm
>>looking to get my facts straight before I bring it up.
>>
>>The Records show the Authenticated Users, with NOTHING set, which is kind of
>>odd to me.
>>
>>I am glad you understand what I am getting at here, as I thought I was
>>misunderstanding how this should work.
>>
>>Jef
>>
>>Original Message:
>>>From: "GRILLENMEIER,GUIDO (HP-Germany,ex1)" <[EMAIL PROTECTED]>
>>>To: [EMAIL PROTECTED]
>>>Subject: RE: [ActiveDir] DHCP - DNS -  DnsUpdateProxy Group
>>>Date: Wed, 5 Nov 2003 21:48:13 +0100
>>
>>>Yes, you DON'T want your DCs to be added to the DnsUpdateProxy group, even
>>>if they run DHCP services.  Only "Stand alone" (i.e. normal member servers)
>>>should be added to the group.  I would sincerely suggest that you remove
>>>your DCs from the group as you're currently rather unprotected => you could
>>>just as well have configured dynamic DNS without the "allow only secure
>>>updates" option... as any client/user can easily erase or hijack the DC
>>>host-records potentially causing a full outage of your domain/forest.
>>>
>>>It might have been an MS recommendation 4 years ago, when they didn't know
>>>the product themselves - but you'll not hear that recommendation today.
>>>
>>>Have a look what permissions Authenticated Users have in Advanced View - may
>>>not be Full Control after all, but at least write access to most of the
>>>attributes of the record.
>>>
>>>
>>>-----Original Message-----
>>>From: Jef Kazimer [mailto:[EMAIL PROTECTED] 
>>>Sent: Wednesday, 5 November 2003 20:15
>>>To: [EMAIL PROTECTED]
>>>Subject: RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group
>>>
>>>Guido,
>>>
>>>Thanks for the Response.
>>>
>>>Since DNS is running AD integrated on the DCs, and runs under the System
>>>context, they don't need to be added to this group, correct?  I think you
>>>meant that Stand alone DNS servers would need to be added to this group to
>>>facilitate updates, correct?
>>>
>>>Since coming to this site, I'm wondering why they have the DCs in the
>>>DnsUpdateProxy Group, as well as the DHCP servers.  Apparently it was
>>>an MS recommendation, but I can't find a reason in my head why this would be
>>>required.  This would cause that insecurity issue, I'd imagine.  Am I
>>>missing something?
>>>
>>>Also, I see the records have Authenticated Users on the ACL as SPECIAL, but
>>>no properties/rights are checked.  This is the result that the proxy group
>>>creates, correct?
>>>
>>>So if I need to re-acl those records, this is the correct ACL?
>>>
>>>Thanks, I appreciate the help.  I've set up the proxy group before, but
>>>never went into great detail trying to figure out someone else's design
>>>choices, so I'm learning more about it as I go.
>>>
>>>This is 2k, and not 2k3 yet, as I would like to use the "service" account
>>>for DHCP when we can for these reasons.
>>>
>>>Jef
>>>
>>>
>>>
>>>Original Message:
>>>>From: "GRILLENMEIER,GUIDO (HP-Germany,ex1)" <[EMAIL PROTECTED]>
>>>>To: [EMAIL PROTECTED]
>>>>Subject: RE: [ActiveDir] DHCP - DNS -  DnsUpdateProxy Group
>>>>Date: Wed, 5 Nov 2003 19:13:07 +0100
>>>
>>>>When you add servers to the DnsUpdateProxy group, it basically REMOVES any
>>>>security of the objects by granting "Authenticated Users" Full Control to
>>>>the DNS record => this is what allows other DNS servers (or whoever is added
>>>>to the DnsUpdateProxy group) to overwrite these records.
>>>>
>>>>As such you should NEVER add DCs to this group (even when hosting your DHCP
>>>>service on a DC) - otherwise you'll compromise security in your domain.  If
>>>>you want this same "insecurity" for your imported records, you could also
>>>>grant these permissions or simply add your user account to the
>>>>DnsUpdateProxy group.
>>>>
>>>>Instead - if you are running 2003 - you should configure your DHCP service to
>>>>register records with a specific account. This way the records are still
>>>>secured against changes from all Authenticated Users - only DHCP servers
>>>>configured to use the same account can update the records.  It's not as
>>>>simple as running the service under an account, but it's some option of the
>>>>DHCP service - I'd have to look it up, but I'm sure others will fill in the
>>>>details.
>>>>
>>>>/Guido
>>>>
>>>>-----Original Message-----
>>>>From: Jef Kazimer [mailto:[EMAIL PROTECTED] 
>>>>Sent: Wednesday, 5 November 2003 17:29
>>>>To: [EMAIL PROTECTED]
>>>>Subject: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group
>>>>
>>>>When specifying DHCP servers in the DnsUpdateProxy, should the ACL for the
>>>>record show the machine account (DHCPSERV1$) or should it show
>>>>(DNSUPDATEPROXY)?
>>>>
>>>>I'm looking at some Zones, and I see that the DHCP server has
>>>>Full Control, and the owner is SYSTEM.
>>>>
>>>>Would a 2nd DHCP server in the DNSUPDATEPROXY group be able to update the
>>>>record?
>>>>
>>>>
>>>>Also, I am in the middle of scripting converting Reverse zones from a Class
>>>>B to a more granular Class C scheme. We need to turn on scavenging on only
>>>>specific zones, and not others, to avoid missing records.
>>>>
>>>>If I export and re-import these records, my account shows up on the ACL,
>>>>and the owner is SYSTEM.  I am going to assume that neither the DHCP server
>>>>nor a w2k client can update these records.
>>>>
>>>>Is there a way to import records and retain the DnsUpdateProxy ACL even
>>>>though it is a system group?
>>>>
>>>>Any suggestions?  I fear these PTR records would not be able to be
>>>>refreshed until after they are scavenged....
>>>>
>>>>Jef
>>>>
>>>>


List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
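An added audit script (my own example, not code from this thread, from Microsoft or from the list) that checks the two things Guido warns about above: domain controllers that are members of DnsUpdateProxy, and DNS records whose ACL gives Authenticated Users or Everyone write rights. It assumes the RSAT ActiveDirectory module, a zone named example.com, and that the zone is stored in the DomainDnsZones partition (on Windows 2000, as in this thread, AD-integrated zones sit under CN=MicrosoftDNS,CN=System in the domain partition instead).

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory
# module and a DC that hosts the DomainDnsZones application partition.
Import-Module ActiveDirectory

$ZoneName = 'example.com'   # assumption: the AD-integrated zone to audit
$domainDn = (Get-ADDomain).DistinguishedName
# Windows Server 2003+ default location; on Windows 2000 (this thread) use
# "DC=$ZoneName,CN=MicrosoftDNS,CN=System,$domainDn" instead.
$zoneDn   = "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"

# 1. DnsUpdateProxy membership: a DC in here lets any authenticated user
#    rewrite the DC's own host records, which is the outage risk Guido cites.
$dcNames = (Get-ADDomainController -Filter *).Name
Write-Host "DnsUpdateProxy members (IsDC = True should be removed):"
Get-ADGroupMember -Identity 'DnsUpdateProxy' -Recursive |
    ForEach-Object {
        [pscustomobject]@{
            Member = $_.Name
            Class  = $_.objectClass
            IsDC   = ($dcNames -contains $_.Name)
        }
    } | Format-Table -AutoSize

# 2. Record ACLs: Allow ACEs for broad principals that carry any write right.
#    These are the "Special" Authenticated Users entries the thread is about.
$broad     = @('NT AUTHORITY\Authenticated Users', 'Everyone')
$writeMask = [System.DirectoryServices.ActiveDirectoryRights] `
             'WriteProperty, GenericWrite, GenericAll, WriteDacl, WriteOwner'

Write-Host "Records in $ZoneName writable by Authenticated Users / Everyone:"
Get-ADObject -SearchBase $zoneDn -LDAPFilter '(objectClass=dnsNode)' |
    ForEach-Object {
        $node = $_
        # The AD: drive exposes the security descriptor of every AD object.
        $acl  = Get-Acl -Path "AD:\$($node.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $broad -contains $ace.IdentityReference.Value -and
                (($ace.ActiveDirectoryRights -band $writeMask) -ne 0)) {
                [pscustomobject]@{
                    Record    = $node.Name
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.ActiveDirectoryRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    } | Format-Table -AutoSize
```

Run it with DNS/domain admin rights against a DC that hosts the partition. On Windows Server 2003 and later, the per-service DHCP credential Guido refers to is set with `netsh dhcp server set dnscredentials <user> <domain> <password>`.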
