I think the simple answer is yes. Use a DC as your primary DNS server. You can set ACLs on the DNS zone just as you would any other resource. Though, if I remember rightly the actual permissions are on a machine basis, so machines in the domain can register themselves (of machines by default). I don’t think the user you’re logged in as has any effect though I could be completely wrong (the logic being the DHCP/DNS registration will be done before login).

However, you would also have to consider the problems with other clients (Linux and the like) when using secure DNS.

Darren.

-----Original Message-----

Forgive me if this has been discussed before; I think I need some basic answers.

Current environment:

- Educational environment (college).
- Windows 2000 Native Mode, Single domain,
- Windows 2000 DNS Server, non-DC
- Every conceivable client OS from Win 9x to Linux.

Here's the issue. Our current DNS utilizes Dynamic Updates, and includes both servers and clients. This is working OK, except when someone (in our case usually a student) decides to name their computer the same name as a server. An example: Someone names their machine HOME. There is a server here named HOME. When the computer is added to the domain, DHCP provides an IP address, then either DHCP or the computer (depends on OS) dynamically updates the DNS record of HOME to point to the "new" HOME machine.

Obviously, we see this as an issue - basically students can "take over" the name of a server. This has happened only a few times, and it was inadvertent; we would like to make it technically difficult or even impossible to do.

So...my question is, can I make my main DNS server a DC, then secure our DNS in some way to only allow certain users or domain computers to dynamically update the Host records? Also, how much granularity is there to Secure DNS?

Anyone with insight...thanks for your responses.

-Tom Barber
Systems Manager
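An added example, not part of the original thread: a small audit that scans dynamic-update events for the collision described above, where a client repoints a server's host record. The zone name, server inventory, addresses and event tuple format are all constructed assumptions, not a real DNS server log format.

```python
"""Flag dynamic updates that repoint a protected server name (added example)."""
import ipaddress

ZONE = "campus.example"  # hypothetical zone name
# Constructed inventory: server host names and the address each must keep.
PROTECTED = {"home": "10.0.0.10", "mail": "10.0.0.11"}

# Constructed update events: (time, record name, new A address).
SAMPLE_UPDATES = [
    ("09:01:12", "lab-pc-17.campus.example.", "10.0.40.17"),
    ("09:03:40", "HOME.campus.example.", "10.0.40.52"),  # client PC named HOME
    ("09:05:02", "home.campus.example", "10.0.0.10"),    # the real server refreshing
    ("09:07:30", "Mail", "10.0.41.9"),                   # unqualified name
    ("09:08:00", "home.other.example.", "10.9.9.9"),     # different zone, ignored
]

def host_label(name, zone=ZONE):
    """Return the lower-cased host label if name belongs to zone, else None.

    DNS names compare case-insensitively, so HOME and home are the same record.
    """
    n = name.rstrip(".").lower()
    if "." not in n:
        return n  # unqualified: treated as relative to the zone
    suffix = "." + zone.lower()
    if n.endswith(suffix):
        return n[: -len(suffix)]
    return None

def find_name_takeovers(updates, protected=PROTECTED, zone=ZONE):
    """Return (time, label, new_addr, expected_addr) for each suspicious update."""
    findings = []
    for when, name, addr in updates:
        label = host_label(name, zone)
        if label not in protected:
            continue  # not a protected server name (or not in this zone)
        if ipaddress.ip_address(addr) != ipaddress.ip_address(protected[label]):
            findings.append((when, label, addr, protected[label]))
    return findings

if __name__ == "__main__":
    for when, label, addr, expected in find_name_takeovers(SAMPLE_UPDATES):
        print(f"{when} {label}: A record moved to {addr}, expected {expected}")
```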
