Hello Rich,
 
yes, Kerberos uses DNS for identity checking, but only when you require mutual authentication - e.g. it's used between DCs to ensure they only replicate with a trustworthy machine. It's also used if you've trusted a machine for delegation.
 
This will also become important if you're starting to use applications and you only want to allow specific clients to use the application => using mutual authentication, a client can check that the application is trustworthy while at the same time the application can check that the client you're connecting with is trustworthy. I haven't worked with such an application yet myself, but can very well imagine that this will be really interesting for financial institutions (broker workstations etc.).
 
The important thing here is the registration of the machine name in DNS (this must be unique), not the IP address => the name is used to build the SPN (service principal name), similar to the UPN of a user, which must also be unique in the forest. So if you have multiple machines registering the same IP address (usually clients due to DHCP), this doesn't become a Kerberos issue - however, if you can't ensure unique DNS names and have multiple machines at once registering the same SPN in the forest (this is only possible when you're not using AD integrated DNS and use DNS domain names that don't equal your AD DNS domain names), then mutual authentication will fail => not only for the client, but also for the server (an obvious attack scenario, which is why I recommend using AD integrated DNS if you want to leverage mutual authentication)...
 
/Guido
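The forest-wide SPN uniqueness Guido describes can be audited directly. The following PowerShell is an added example, not part of this thread; it assumes the ActiveDirectory RSAT module and a reachable Global Catalog, and reports every SPN that is registered on more than one account (the condition under which mutual authentication fails for both sides).

```powershell
# Added example: find SPNs registered on more than one account in the forest.
# Assumes the ActiveDirectory module (RSAT) is installed and the caller can
# read the Global Catalog.
Import-Module ActiveDirectory

# Query the Global Catalog (port 3268) so duplicates across domains are found;
# SPNs, like UPNs, must be unique in the whole forest, not just one domain.
$gc = (Get-ADForest).GlobalCatalogs | Select-Object -First 1
$objects = Get-ADObject -Server "$($gc):3268" `
    -LDAPFilter '(servicePrincipalName=*)' `
    -Properties servicePrincipalName

# Flatten every account into (SPN, account) pairs. SPNs are compared
# case-insensitively because the KDC does not distinguish case either.
$pairs = foreach ($o in $objects) {
    foreach ($spn in $o.servicePrincipalName) {
        [pscustomobject]@{
            SPN     = $spn.ToLowerInvariant()
            Account = $o.DistinguishedName
        }
    }
}

# Any SPN that appears on two or more accounts is a problem: the KDC cannot
# tell which account's key to encrypt the service ticket with, so clients
# get wrong-key or "principal unknown" failures and mutual auth breaks.
$duplicates = $pairs | Group-Object -Property SPN | Where-Object { $_.Count -gt 1 }

if (-not $duplicates) {
    Write-Host "No duplicate SPNs found in the forest."
}
foreach ($d in $duplicates) {
    Write-Warning "Duplicate SPN '$($d.Name)' registered on $($d.Count) accounts:"
    $d.Group | ForEach-Object { Write-Host "    $($_.Account)" }
}

# Cross-check with the built-in tool (domain scope by default, -F for forest):
#   setspn -X -F
```

Run it after a DNS or AD-integration change, or on a schedule, so a machine that registers a name already owned by another host is caught before Kerberos clients start failing.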


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Friday, 20 February 2004 19:09
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Duplicate DNS entries OR scavenging revisited

I think I scared everyone off earlier with the Kerberos issue that I hid the DNS question in.  So…

 

Is it significant (and if so, to what functions) or irrelevant that there are multiple host records for workstations in DNS for the same IP address? 

 

We are considering turning on DNS scavenging.  I’ve read a bit about it, and about using dnscmd to age the existing records, I guess we want to not age static records for our DNS boxes?  We’re running DNS on Server 2003 and AD 2003.

 

Also if anyone knows… does Kerberos use DNS for identity checking (or any other function)?

 

Thanks

 

Rich
