And, absolutely correct this is. A DC in this group is a known security problem.
Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of
> GRILLENMEIER,GUIDO (HP-Germany,ex1)
> Sent: Monday, February 17, 2003 1:17 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DNS Inconsistency
>
> Warning rgd. the DnsUpdateProxy group: ..."by placing the
> computer objects of the DHCP servers as members in this
> group, the servers won't become record owners"...
> => that's exactly why you don't simply want to add the DHCP
> server's computer account to this group, if this happens to
> be a DC. Otherwise all records registered by the DC (incl. his
> own host record and especially all the service records) would
> be subject to name hijacking.
> => best practise is still to keep DHCP off of a DC,
> especially if you want it to register the client's IP
> addresses in DNS
>
> /Guido
>
> -----Original Message-----
> From: Todd Povilaitis [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 17 February 2003 18:29
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DNS Inconsistency
>
> This is straight out of an excellent book on AD.
>
> Inside Active Directory
> A System Administrators Guide
> ISBN 0-201-61621-1
>
> [DnsUpdateProxy]
> "...DHCP servers may dynamically register DNS resource
> records on behalf of DHCP clients. In this case, the DHCP
> servers become the owners of those records. This is a
> problem if the client or some other DHCP server later wants
> to start maintaining those records. By placing the computer
> objects of the DHCP servers as members in this group, the
> servers won't become record owners, so the problem described
> here is resolved..."
>
> - Todd
>
> -----Original Message-----
> From: Oluwaseyi Owoeye [mailto:[EMAIL PROTECTED]]
> Sent: Monday, February 17, 2003 09:14
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DNS Inconsistency
>
> Thanks Todd,
>
> But why do I need to add my DHCP Server to the DnsUpdateProxy group?
>
> -----Original Message-----
> From: Todd Povilaitis
> [mailto:[EMAIL PROTECTED]]
> Sent: Monday, February 17, 2003 5:57 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DNS Inconsistency
>
> I had the very same problem. It was affecting my scripts
> because I wasn't connecting to the machines I thought I was.
>
> * You need to enable DNS scavenging. Don't set anything
>   below 48 hours.
> * If you are using DHCP, add your DHCP servers to the
>   DnsUpdateProxy group.
>
> -Todd
>
> -----Original Message-----
> From: Oluwaseyi Owoeye [mailto:[EMAIL PROTECTED]]
> Sent: Monday, February 17, 2003 05:32
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] DNS Inconsistency
>
> Hi Guys,
>
> I am having a major problem in my organization over here. I
> have set up Active Directory for about 800 users and about
> 500 workstations. But for some reason or the other my DNS
> seems to be misbehaving. When I ping a host I get a reply
> from a particular IP address, but when I do a ping -a of the
> same IP address I get an entirely different host. For some
> reason or the other the records I have in my forward lookup
> zones and my reverse lookup zones are not synchronized. Is
> there any way I can resolve this inconsistency, because it
> gets worse and worse every day? Is there any tool I can use to
> correct this?
>
> Thanks
> Seyi
>
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
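
The two conditions raised in this thread (a DC's computer account in DnsUpdateProxy, and DHCP running on a DC) can be audited as follows. This is an added example, not part of the original messages; it assumes the ActiveDirectory RSAT module and, optionally, the DhcpServer module are installed, and the variable names are illustrative.

```powershell
# Added example (not from the thread). Read-only audit; changes nothing.
Import-Module ActiveDirectory

# Primary group RIDs that mark a computer account as a domain controller.
$dcPrimaryGroups = 516, 521   # Domain Controllers, Read-only Domain Controllers

# 1. Computer accounts in DnsUpdateProxy that are domain controllers.
#    Members of this group do not become owners of the records they register,
#    so a DC in the group leaves its own host and SRV records unprotected.
$members = Get-ADGroupMember -Identity 'DnsUpdateProxy' |
    Where-Object { $_.objectClass -eq 'computer' }

$dcMembers = foreach ($m in $members) {
    $c = Get-ADComputer -Identity $m.distinguishedName `
                        -Properties PrimaryGroupID, DNSHostName
    if ($dcPrimaryGroups -contains $c.PrimaryGroupID) {
        [pscustomobject]@{
            Finding = 'DC is a member of DnsUpdateProxy'
            Host    = $c.DNSHostName
        }
    }
}

# 2. DHCP servers authorized in AD whose name matches a DC.
#    Skipped when the DhcpServer module is not available on this machine.
$dcNames  = (Get-ADDomainController -Filter *).HostName
$dhcpOnDc = @()
if (Get-Command Get-DhcpServerInDC -ErrorAction SilentlyContinue) {
    $dhcpOnDc = Get-DhcpServerInDC |
        Where-Object { $dcNames -contains $_.DnsName } |
        ForEach-Object {
            [pscustomobject]@{
                Finding = 'DHCP server authorized on a DC'
                Host    = $_.DnsName
            }
        }
}

# An empty table means neither condition was found.
@($dcMembers) + @($dhcpOnDc) | Format-Table -AutoSize
```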
