Thanks for the input. Students are allowed to bring their own machines onto the campus. Although this isn't a large campus (3500 students), many of these students wish to have their machines added to the domain because they can then easily map to resource shares. From what I understand, by default Windows 2000 allows users of a domain (and they already have their user account when they arrive on campus) ten times to add a computer to the domain. Yes, I can make it impossible for students to add machines to the domain; this would basically flood our understaffed I am attempting to find a solution that would not burden our staff any more than is necessary.

-Tom Barber
Systems Manager

-----Original Message-----

The first thing that I would do is create locked-down user account templates for all the students. The lock-down being that they could not change the machine names. If they are daft enough not to check that there isn't another computer on the domain with that host name, they do not deserve admin privileges; or is there a specific reason they are allowed to wreak potential chaos like this? Ensure @ machine (local) level that the boxes are locked down and distribute admin privileges sparingly. That is my advice.

Regards
E.

-----Original Message-----

Forgive me if this has been
discussed before; I think I need some basic answers.

Current environment:
Educational environment (college).
Windows 2000 Native Mode, Single domain, Windows 2000 DNS Server, non-DC
Every conceivable client OS from Win 9x to Linux.

Here's the issue. Our current DNS utilizes Dynamic Updates, and includes both servers and clients. This is working OK, except when someone (in our case usually a student) decides to name their computer the same name as a server.

An example: Someone names their machine HOME. There is a server here named HOME. When the computer is added to the domain, DHCP provides an IP address, then either DHCP or the computer (depends on OS) dynamically updates the DNS record of HOME to point to the "new" HOME machine.

Obviously, we see this as an issue - basically students can "take over" the name of a server. This has happened only a few times, and it was inadvertent; we would like to make it technically difficult or even impossible to do.

So...my question is, can I make my main DNS server a DC, then secure our DNS in some way to only allow certain users or domain computers to dynamically update the Host records? Also, how much granularity is there to Secure DNS?

Anyone with insight...thanks for
your responses.
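
Added example, not part of the original thread: a Python check that scans dynamic-update events for changes to server host records, which is the name collision described in the message above. The event format, the `campus.example` zone, and every name and address are constructed assumptions; this is not Windows DNS log output.

```python
# Assumption: inventory of server host records that clients must never
# overwrite (names and addresses are constructed for this example).
PROTECTED = {
    "home.campus.example": "10.1.0.10",
    "mail.campus.example": "10.1.0.25",
}

# Constructed sample of normalized dynamic-update events, one per line:
# "<timestamp> <op> <type> <fqdn> <new-address> src=<updater-address>"
SAMPLE_LOG = """\
2003-02-11T09:14:02 UPDATE A lab-pc-17.campus.example 10.20.5.41 src=10.20.5.41
2003-02-11T09:15:40 UPDATE A HOME.campus.example. 10.20.5.77 src=10.20.5.77
2003-02-11T09:16:03 UPDATE A mail.campus.example 10.1.0.25 src=10.1.0.25
2003-02-11T09:17:55 DELETE A home.campus.example - src=10.20.5.77
garbled line
"""


def normalize(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.rstrip(".").lower()


def find_takeovers(log_text, protected=PROTECTED):
    """Return (timestamp, fqdn, op, new_address, source) for each event that
    repoints or deletes a protected server record."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[2] != "A" or not parts[5].startswith("src="):
            continue  # not an A-record event in the assumed format
        ts, op, _rtype, fqdn, new_addr, src = parts
        name = normalize(fqdn)
        if name not in protected:
            continue  # ordinary client registration
        if op == "UPDATE" and new_addr == protected[name]:
            continue  # server refreshing its own record
        alerts.append((ts, name, op, new_addr, src[4:]))
    return alerts


if __name__ == "__main__":
    for alert in find_takeovers(SAMPLE_LOG):
        print("protected record changed:", *alert)
```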
- [ActiveDir] Secure DNS Barber Tom
- RE: [ActiveDir] Secure DNS Elizabeth Farrell
- RE: [ActiveDir] Secure DNS Darren Sykes
- Re: [ActiveDir] Secure DNS Paul Sobey
- RE: [ActiveDir] Secure DNS Darren Sykes
- RE: [ActiveDir] Secure DNS Elizabeth Farrell
- Barber Tom
