Guido,

I know my description is not doing justice to what I am seeing. :)

The ACL has an ACE for Everyone, Authenticated Users, DnsAdmins, etc.

It lists Authenticated Users as "Special" and when you look at the properties, it
shows the Read All Properties and Write All Properties, but NONE of the Allow/Deny
boxes are checked. So I'm curious what access this actually means.

I hope that makes more sense, but I can give you a screen shot. :)

J

Original Message:
>From: "GRILLENMEIER,GUIDO (HP-Germany,ex1)" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: RE: [ActiveDir] DHCP - DNS -  DnsUpdateProxy Group
>Date: Wed, 5 Nov 2003 22:15:07 +0100

>look at the ACL with ADSIedit - it should not be empty.  Is there an
>"Everyone" ACL? 
>
>-----Original Message-----
>From: Jef Kazimer [mailto:[EMAIL PROTECTED] 
>Sent: Mittwoch, 5. November 2003 22:07
>To: [EMAIL PROTECTED]
>Subject: RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group
>
>Guido,
>
>Thanks.  I would agree with you,  but being a new person on this site, I'm
>looking to get my facts straight before I bring it up.
>
>The Records show the Authenticated users, with NOTHING set, which is kind of
>odd to me.
>
>I am glad you understand what I am getting at here, as I thought I was
>misunderstanding how this should work.
>
>Jef
>
>Original Message:
>>From: "GRILLENMEIER,GUIDO (HP-Germany,ex1)" <[EMAIL PROTECTED]>
>>To: [EMAIL PROTECTED]
>>Subject: RE: [ActiveDir] DHCP - DNS -  DnsUpdateProxy Group
>>Date: Wed, 5 Nov 2003 21:48:13 +0100
>
>>Yes, you DON'T want your DCs to be added to the DNSupdateProxy group, even
>>if they run DHCP services.  Only "Stand alone" (i.e. normal member servers)
>>should be added to the group.  I would sincerely suggest that you remove
>>your DCs from the group as you're currently rather unprotected => you could
>>just as well have configured dynamic DNS without the "allow only secure
>>updates" option... as any client/user can easily erase or hijack the DC
>>host-records potentially causing a full outage of your domain/forest.  
>>
>>It might have been an MS recommendation 4 years ago, when they didn't know
>the product themselves - but you'll not hear that recommendation today.
>>
>>Have a look at what permissions Authenticated Users have in Advanced View - may
>>not be Full Control after all, but at least write access to most of the
>>attributes of the record.
>>
>>
>>-----Original Message-----
>>From: Jef Kazimer [mailto:[EMAIL PROTECTED] 
>>Sent: Mittwoch, 5. November 2003 20:15
>>To: [EMAIL PROTECTED]
>>Subject: RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group
>>
>>Guido,
>>
>>Thanks for the Response.
>>
>>Since DNS is running AD integrated on the DCs, and runs under the System
>>context, they don't need to be added to this group, correct? I think you
>>meant that stand-alone DNS servers would need to be added to this group to
>>facilitate updates, correct?
>>
>>Since coming to this site, I'm wondering why they have the DCs in the
>>DnsUpdateProxy Group, as well as the DHCP servers. Apparently it was
>>an MS recommendation, but I can't find a reason in my head why this would be
>>required. This would cause that insecurity issue, I'd imagine. Am I
>>missing something?
>>
>>Also, I see the records have Authenticated Users on the ACL as SPECIAL, but
>>no properties/rights are checked. This is the result that the Proxy group
>>creates, correct?
>>
>>So if I need to re-acl those records, this is the correct ACL?
>>
>>Thanks, I appreciate the help. I've set up the proxy group before, but
>>never went into great detail trying to figure out someone else's design
>>choices, so I'm learning more about it as I go.
>>
>>This is 2k, and not 2k3 yet, as I would like to use the "service" account
>>for DHCP when we can for these reasons.
>>
>>Jef
>>
>>
>>
>>Original Message:
>>>From: "GRILLENMEIER,GUIDO (HP-Germany,ex1)" <[EMAIL PROTECTED]>
>>>To: [EMAIL PROTECTED]
>>>Subject: RE: [ActiveDir] DHCP - DNS -  DnsUpdateProxy Group
>>>Date: Wed, 5 Nov 2003 19:13:07 +0100
>>
>>>When you add servers to the DNSUpdateProxy group, it basically REMOVES any
>>>security of the objects by granting "Authenticated Users" Full Control to
>>>the DNS record => this is what allows other DNS servers (or whoever is added
>>>to the DnsUpdateProxy group) to overwrite these records.
>>>
>>>As such you should NEVER add DCs to this group (even when hosting your DHCP
>>>service on a DC) - otherwise you'll compromise security in your domain. If
>>>you want this same "insecurity" for your imported records, you could also
>>>grant these permissions or simply add your user account to the
>>>DnsUpdateProxy group. 
>>>
>>>Instead - if you are running 2003 - you should configure your DHCP service to
>>>register records with a specific account. This way the records are still
>>>secured against changes from all Authenticated Users - only DHCP servers
>>>configured to use the same account can update the records. It's not as
>>>simple as running the service under an account, but it's some option of the
>>>DHCP service - I'd have to look it up, but I'm sure others will fill in the
>>>details.
>>>
>>>/Guido
>>>
>>>-----Original Message-----
>>>From: Jef Kazimer [mailto:[EMAIL PROTECTED] 
>>>Sent: Mittwoch, 5. November 2003 17:29
>>>To: [EMAIL PROTECTED]
>>>Subject: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group
>>>
>>>When specifying DHCP servers in the DnsUpdateProxy, should the ACL for the
>>>record show the machine account (DHCPSERV1$) or should it show
>>>(DNSUPDATEPROXY)?
>>>
>>>I'm looking at some Zones, and I see the DHCP server as having
>>>Full Control, and the owner as SYSTEM.
>>>
>>>Would a 2nd DHCP server in the DNSUPDATEPROXY group be able to update the
>>>record?
>>>
>>>
>>>Also, I am in the middle of scripting converting Reverse zones from a Class
>>>B to a more granular Class C scheme. We need to turn on scavenging on only
>>>specific zones, and not others, to avoid missing records.
>>>
>>>If I export and re-import these records, my account shows up on the ACL,
>>>and the owner as SYSTEM. I am going to assume that neither the DHCP server nor a w2k
>>>client can update these records.
>>>
>>>Is there a way to import records and retain the DNSUpdateProxy ACL even
>>>though it is a system group?
>>>
>>>Any suggestions? I fear these PTR records would not be able to be
>>>refreshed until after they are scavenged....
>>>
>>>Jef
>>>
>>>
>>>List info   : http://www.activedir.org/mail_list.htm
>>>List FAQ    : http://www.activedir.org/list_faq.htm
>>>List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>>>
>>>
>>
>>
>>
>>
>
>
>
>


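The two checks the thread keeps circling back to are (a) what the "Special" Authenticated Users entry on a dnsNode actually grants, and (b) whether any domain controller is sitting in DnsUpdateProxy; Guido's suggested fix on 2003 and later is to have DHCP register records under a dedicated account. The script below is an added example, not code from the list or from Microsoft. It assumes a Windows Server 2012 or later host with the ActiveDirectory and DhcpServer PowerShell modules (both postdate the 2003 thread), an AD-integrated zone named corp.example.com stored in the DomainDnsZones partition, a DHCP server dhcp01.corp.example.com, and a service account CORP\svc-dhcp-dns; all of those names are placeholders.

```powershell
# Added example for this thread (not from the list, not Microsoft's code).
# Assumed: Windows Server 2012+ with the ActiveDirectory and DhcpServer modules.
# Zone, server and account names are placeholders; change them for your forest.
Import-Module ActiveDirectory

$Zone     = 'corp.example.com'
$DomainDN = (Get-ADDomain).DistinguishedName
# 2003+ application-partition location. On Windows 2000 (the thread's platform)
# the zone lives in "DC=$Zone,CN=MicrosoftDNS,CN=System,$DomainDN" instead.
$ZoneDN   = "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN"

# The two principals the thread is worried about, by well-known SID.
$RiskySids = @('S-1-1-0', 'S-1-5-11')   # Everyone, Authenticated Users
# Any of these rights lets the holder rewrite or delete the record.
$WriteRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteProperty, WriteDacl, WriteOwner, Delete, DeleteTree'

function Get-DnsNodeRiskyAce {
    # Emits every Allow ACE on one dnsNode that gives write-class rights to
    # Everyone or Authenticated Users. This is the raw content of the entry the
    # Windows 2000 property sheet only shows as "Special" with no boxes ticked:
    # Rights is the actual access mask, ObjectType (all-zero GUID = whole object)
    # says which attribute it is scoped to, Inherited says where it came from.
    param([Parameter(Mandatory)][string]$RecordDN)

    $acl = Get-Acl -Path "AD:\$RecordDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($RiskySids -notcontains $sid) { continue }
        if (($ace.ActiveDirectoryRights -band $WriteRights) -eq 0) { continue }

        [pscustomobject]@{
            Record     = $RecordDN
            Owner      = $acl.Owner
            Identity   = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $ace.ObjectType
            Inherited  = $ace.IsInherited
        }
    }
}

# 1. Audit every record in the zone and list the ones anyone can change.
$findings = Get-ADObject -SearchBase $ZoneDN -SearchScope OneLevel -LDAPFilter '(objectClass=dnsNode)' |
    ForEach-Object { Get-DnsNodeRiskyAce -RecordDN $_.DistinguishedName }
$findings | Sort-Object Record | Format-Table Record, Identity, Rights, Inherited -AutoSize

# 2. Flag any domain controller that is a member of DnsUpdateProxy
#    (the configuration Guido says to undo).
$dcDns = (Get-ADDomainController -Filter *).ComputerObjectDN
Get-ADGroupMember -Identity 'DnsUpdateProxy' |
    Where-Object { $dcDns -contains $_.DistinguishedName } |
    ForEach-Object { Write-Warning "DC $($_.Name) is a member of DnsUpdateProxy" }

# 3. The alternative Guido describes for 2003 and later: have DHCP register
#    records as a dedicated account (placeholder CORP\svc-dhcp-dns) instead of
#    relying on DnsUpdateProxy, so only DHCP servers using that account can
#    update the records it creates.
$cred = Get-Credential -UserName 'CORP\svc-dhcp-dns' -Message 'DHCP dynamic-update account'
Set-DhcpServerDnsCredential -Credential $cred -ComputerName 'dhcp01.corp.example.com'
```

Run it as an account that can read the zone container; steps 1 and 2 are read-only, step 3 changes the DHCP server's configuration and is the only part that needs DHCP admin rights. On the 2000/2003 systems the thread is about, the equivalent read-only check for one record is dsacls run against the dnsNode's distinguished name, which prints the same access mask and object-type GUID that the GUI collapses into "Special". Records that DHCP already registered under the machine account or under DnsUpdateProxy keep their old ACL after the credential change; they are owned by whoever created them until they are scavenged or re-ACLed, which is the same situation Jef describes for his re-imported PTR records.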