I should provide a little more information.  All of my DHCP servers
are in the DNSUpdateProxy group that you are referring to.  The zone
is an AD integrated zone and only allows secure updates.  The DHCP
servers are also configured to update DNS instead of the client.  All
workstations are Windows XP machines.

The problem I am having with any DNS or DHCP server is that if the
workstation is first configured with a static IP address, or if it gets
a DHCP IP address from a DHCP server that is not registered in AD or
configured to update DNS, the workstation is the creator of the DNS
record.  Once that machine is changed to use a DHCP server that is in
AD and configured to update the DNS record, the update fails.  The DHCP
server cannot update the DNS record for that workstation.

I assume this has something to do with the ownership of the record, but if
you look at the record owner it always belongs to "system", no matter
how it is registered.

I don't see the "No Owner" that you speak of.

On Tue, 22 Feb 2005 21:12:47 +0100, Jorge de Almeida Pinto
<[EMAIL PROTECTED]> wrote:
> Hi,
> 
> This is an ownership issue as you're talking about multiple DHCP servers. By
> default, when DHCP servers register an IP address on behalf of a client then
> the DHCP server (the computer account of the DHCP server) becomes the owner
> of the registered record. If another DHCP server wants to register the same
> record with another IP address it is not allowed to do that because it does
> not own the record. The story is different when DHCP is hosted on DCs as DCs
> are allowed to do everything because "Enterprise Domain Controllers" have
> permissions to all records!
> To provide for the possibility for other DHCP servers to update the same
> records each DHCP server COULD be placed in the DNSUpdateProxy Group, BUT
> this ALSO means that records (and the records of the DHCP server itself)
> registered by DHCP servers that are in that group have NO OWNER meaning that
> every machine/user has the permission to update those records. THIS IS VERY
> INSECURE, especially when DHCP servers are hosted on DCs (as ALL the DC
> records are then also insecure!). There is another MORE SECURE way to allow all
> (and only) DHCP servers to register/update the same records.
> 
> For W2K and W2K3 configure a user account to be used (a MUST when DHCP is on
> a DC!) on each DHCP server so that user account becomes the owner and has
> the permissions to register/update the client records.
> Configuring a user account can be done in the following way:
> * For W2K3: Use the DHCP MMC, right-click the DHCP server name, select the
> Advanced tab and configure the "DNS dynamic updates registration
> credentials"
> * For W2K: the GUI does not provide the same ability as the GUI in W2K3 but
> it can be configured by typing the following command:
> NETSH DHCP SERVER \\<servername> SET DNSCREDENTIALS <UserName> <Domain>
> <Password> --> press enter (see also
> http://support.microsoft.com/?kbid=255134)
> 
> For more info on this see also
> http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DHCP_imp_InteroperabilityDNS.asp
> 
> I think this should do it!
> 
> Cheers!
> Jorge
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> To: [email protected]
> Sent: 2/22/2005 6:11 PM
> Subject: [ActiveDir] AD integrated DNS, DHCP, Static addresses, and record
> ownership
> 
> I am looking for detailed documentation that would shed some light on
> how dynamic DNS works.  The initial registration works fine for us but
> if the IP address changes the DNS entry is not updated.  The DHCP
> servers are configured to register the workstation's IP address.  I
> don't know if this is a record ownership issue or DNS aging/scavenging
> not allowing the update for x days.
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
>
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
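Added example, not from either poster: a PowerShell audit of the three things this thread turns on, namely who owns a workstation's DNS record in the AD-integrated zone, whether the DHCP servers sit in DnsUpdateProxy (which leaves their records unowned), and whether each DHCP server has a dedicated DNS update credential configured (the PowerShell equivalent of the NETSH DNSCREDENTIALS command Jorge gives). It assumes Windows Server 2012 or later with the DhcpServer and ActiveDirectory modules, a zone stored in the DomainDnsZones partition, and the constructed names contoso.com, ws01, DHCP01 and DHCP02 in place of real ones.

```powershell
# Added example (not from the thread). Assumes DhcpServer + ActiveDirectory modules.
Import-Module DhcpServer, ActiveDirectory

$Zone      = 'contoso.com'          # constructed: AD-integrated, secure-only zone
$HostName  = 'ws01'                 # constructed: workstation whose record fails to update
$DhcpHosts = @('DHCP01', 'DHCP02')  # constructed: DHCP server names

# 1. Record ownership. In a secure-only zone the owner of the dnsNode object (or a
#    principal granted Write on it) is who may update it; a record first created by the
#    client itself is owned by that client, so a DHCP server's own account is refused.
#    Path assumes the zone lives in DomainDnsZones; adjust for ForestDnsZones or the domain NC.
$NodeDn = "DC=$HostName,DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones," +
          (Get-ADDomain).DistinguishedName
$Acl = Get-Acl -Path "AD:\$NodeDn"
"{0}.{1} is owned by {2}" -f $HostName, $Zone, $Acl.Owner
$Acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ActiveDirectoryRights -match 'Write' } |
    Select-Object IdentityReference, ActiveDirectoryRights

# 2. DnsUpdateProxy membership. Records registered by members carry no owner, so any
#    authenticated principal can overwrite them; this is the exposure Jorge describes.
$ProxyMembers = Get-ADGroupMember -Identity 'DnsUpdateProxy' | Select-Object -ExpandProperty Name
foreach ($Dhcp in $DhcpHosts) {
    if ($ProxyMembers -contains $Dhcp) {
        "$Dhcp is in DnsUpdateProxy: records it registers are unowned"
    }
}

# 3. Dedicated DNS update credential per DHCP server (the safer route from the thread).
#    A plain domain user account is sufficient; it becomes the owner of client records
#    registered by every DHCP server that uses it, so all of them can update those records.
foreach ($Dhcp in $DhcpHosts) {
    $Cred = Get-DhcpServerDnsCredential -ComputerName $Dhcp
    if ([string]::IsNullOrEmpty($Cred.UserName)) {
        "$Dhcp has no DNS update credential; configuring one"
        Set-DhcpServerDnsCredential -ComputerName $Dhcp `
            -Credential (Get-Credential -Message "DNS update account for $Dhcp")
    } else {
        "{0} registers DNS as {1}\{2}" -f $Dhcp, $Cred.DomainName, $Cred.UserName
    }
}
```

Run it from a workstation or server with RSAT installed as an account that can read the zone's ACLs and administer the DHCP servers; the credential prompt appears only for servers that have none configured.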