Yes, you DON'T want your DCs to be added to the DNSupdateProxy group, even
if they run DHCP services.  Only "Stand alone" (i.e. normal member servers)
should be added to the group.  I would sincerely suggest that you remove
your DCs from the group as you're currently rather unprotected => you could
just as well have configured dynamic DNS without the "allow only secure
updates" option... as any client/user can easily erase or hijack the DC
host-records potentially causing a full outage of your domain/forest.  

It might have been an MS recommendation 4 years ago, when they didn't know
the product themselves - but you'll not hear that recommendation today.

Have a look what permissions Authenticated Users have in Advanced View - may
not be Full Control after all, but at least write access to most of the
attributes of the record.
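The two checks this thread keeps circling back to (are DCs in DnsUpdateProxy, and what can Authenticated Users do to the records) can be scripted; the following is an added audit example and not code from anyone in the thread. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT or later, so not the 2000-era boxes discussed), an AD-integrated zone stored in the DomainDnsZones partition, and the placeholder zone name corp.example.com.

```powershell
# Added audit example, not part of the original thread. Assumes the
# ActiveDirectory module; $ZoneName and $Partition are placeholders/assumptions.
Import-Module ActiveDirectory

$ZoneName  = 'corp.example.com'                              # assumption
$Domain    = Get-ADDomain
$Partition = "DC=DomainDnsZones,$($Domain.DistinguishedName)"  # assumption: zone
                                                             # replicates domain-wide
$ZoneDN    = "DC=$ZoneName,CN=MicrosoftDNS,$Partition"

# 1. Flag any domain controller that is (directly or nested) a member of
#    DnsUpdateProxy - its own host records lose their secure-update protection.
$dcNames = (Get-ADDomainController -Filter *).Name
$members = Get-ADGroupMember -Identity 'DnsUpdateProxy' -Recursive
foreach ($m in $members) {
    if ($m.objectClass -eq 'computer' -and $dcNames -contains $m.Name) {
        Write-Warning "Domain controller $($m.Name) is in DnsUpdateProxy; remove it."
    }
}

# 2. List dnsNode objects in the zone where Authenticated Users hold any
#    write-type right (write access to the record's attributes, not just Read).
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]`
    'WriteProperty, WriteDacl, WriteOwner, GenericWrite, GenericAll, Delete'

Get-ADObject -Filter 'objectClass -eq "dnsNode"' -SearchBase $ZoneDN |
    ForEach-Object {
        $node = $_
        $acl  = Get-Acl -Path "AD:\$($node.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference -like '*Authenticated Users' -and
                $ace.AccessControlType -eq 'Allow' -and
                (($ace.ActiveDirectoryRights -band $writeMask) -ne 0)) {
                [pscustomobject]@{
                    Record = $node.Name
                    Rights = $ace.ActiveDirectoryRights
                    Owner  = $acl.Owner   # SYSTEM vs. a DHCP server or user account
                }
            }
        }
    } | Format-Table -AutoSize
```

Records that show up in the second listing are the ones any authenticated client could overwrite or delete; the ones owned by a DHCP server's machine account are the DnsUpdateProxy side effect the thread describes.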


-----Original Message-----
From: Jef Kazimer [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 5 November 2003 20:15
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group

Guido,

Thanks for the Response.

Since DNS is running AD integrated on the DCs, and runs under the System
context, they don't need to be added to this group, correct?  I think you
meant that stand-alone DNS servers would need to be added to this group to
facilitate updates, correct?

Since coming to this site,  I'm wondering why they have the DCs in the
DnsUpdateProxy Group,  as well as the DHCP servers.  Apparently it was
an MS recommendation, but I can't find a reason in my head why this would be
required.  This would cause that insecurity issue, I'd imagine.  Am I
missing something?

Also,  I see the records have Authenticated Users on the ACL as SPECIAL, but
no properties/rights are checked.  This is the result that the Proxygroup
creates, correct?  

So if I need to re-acl those records, this is the correct ACL?

Thanks,  I appreciate the help.  I've set up the proxy group before, but
never went into great detail trying to figure out someone else's design
choices, so I'm learning more about it as I go.

This is 2k, and not 2k3 yet, as I would like to use the "service" account
for DHCP when we can for these reasons.

Jef



Original Message:
>From: "GRILLENMEIER,GUIDO (HP-Germany,ex1)" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: RE: [ActiveDir] DHCP - DNS -  DnsUpdateProxy Group
>Date: Wed, 5 Nov 2003 19:13:07 +0100

>When you add servers to the DNSUpdateProxy group, it basically REMOVES any
>security of the objects by granting "Authenticated Users" Full Control to
>the DNS record => this is what allows other DNS servers (or whoever is added
>to the DnsUpdateProxy group) to overwrite these records. 
>
>As such you should NEVER add DCs to this group (even when hosting your DHCP
>service on a DC) - otherwise you'll compromise security in your domain. If
>you want this same "insecurity" for your imported records, you could also
>grant these permissions or simply add your user account to the
>DnsUpdateProxy group. 
>
>Instead - if you are running 2003 - you should configure your DHCP service to
>register records with a specific account. This way the records are still
>secured against changes from all Authenticated Users - only DHCP servers
>configured to use the same account can update the records.  It's not as
>simple as running the service under an account, but it's some option of the
>DHCP service - I'd have to look it up, but I'm sure others will fill in the
>details.
>
>/Guido
>
>-----Original Message-----
>From: Jef Kazimer [mailto:[EMAIL PROTECTED] 
>Sent: Wednesday, 5 November 2003 17:29
>To: [EMAIL PROTECTED]
>Subject: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group
>
>When specifying DHCP servers in the DnsUpdateProxy,  should the ACL For the
>record show the machine account (DHCPSERV1$) or should it show
>(DNSUPDATEPROXY)?
>
>I'm looking at some Zones, and I see the DHCP server as having
>FullControl, and the owner as SYSTEM.
>
>Would a 2nd DHCP server in the DNSUPDATEPROXY group be able to update the
>record?
>
>
>Also, I am in the middle of scripting converting Reverse zones from a Class
>B to a more granular Class C scheme. We need to turn on scavenging on only
>specific zones, and not other to avoid missing records. 
>
>If I export and re-import these records,  my account shows up on the ACL,
>and the owner as SYSTEM.  I am going to assume that neither the DHCP nor a w2k
>client can update these records.   
>
>Is there a way to import records and retain the DNSUpdateProxy ACL even
>though it is a system group?
>
>Any suggestions?  I fear these PTR records would not be able to be
>refreshed until after they are scavenged....
>
>Jef
>
>
>List info   : http://www.activedir.org/mail_list.htm
>List FAQ    : http://www.activedir.org/list_faq.htm
>List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

