Is this going to be a short-lived condition in that eventually you will have
removed all clients using static addresses? If so, I would suggest dealing
with it on a case by case basis by simply removing the static entry from DNS
at the point the client is configured to use DHCP.  

If it's not fleeting and users regularly change that aspect of their
configuration you may want to first consider preventing that ... the only
other ~solutions (and I use that word tentatively) that I can think of leave
the zone either completely (1) or partially (2) exposed to DOS attacks -

1. Configure the zone to allow non-secure updates
2. Add every member computer (or only those known to use static addresses)
to DNSupdateProxy
        - note that I've never tried or tested this, at first glance my
logic appears sound

* DNS Records registered in an AD integrated DNS zone by computer accounts
that are members of the DNSUpdateProxy group do not offer protection against
being overwritten by other dynamic updates (either by mistake or
maliciously).


--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

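As an added example that is not part of this thread, the following PowerShell audit lists the owner of every dnsNode in an AD-integrated zone and flags records that Authenticated Users or Everyone can rewrite, which is the overwrite exposure described above. It assumes the RSAT ActiveDirectory module, a zone stored in the DomainDnsZones partition, and a placeholder zone name.

```powershell
# Added example (not from the thread): audit record ownership and broad write
# access on dnsNode objects in an AD-integrated zone.
# Assumptions: RSAT ActiveDirectory module installed; zone stored in the
# DomainDnsZones partition; $ZoneName is a placeholder.
Import-Module ActiveDirectory

$ZoneName = 'corp.example.com'   # placeholder zone name
$DomainDn = (Get-ADDomain).DistinguishedName
$ZoneDn   = "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDn"

# Principals whose write access means any domain machine/user can update the record
$BroadSids = @(
    'S-1-5-11',   # Authenticated Users
    'S-1-1-0'     # Everyone
)
$WriteMask = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
             [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
             [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Get-DnsNodeExposure {
    Get-ADObject -SearchBase $ZoneDn -LDAPFilter '(objectClass=dnsNode)' `
                 -Properties nTSecurityDescriptor |
      ForEach-Object {
        $sd = $_.nTSecurityDescriptor
        # Explicit (non-inherited) Allow ACEs that grant write to a broad principal
        $openAces = $sd.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            -not $_.IsInherited -and
            ($BroadSids -contains $_.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value) -and
            (($_.ActiveDirectoryRights -band $WriteMask) -ne 0)
        }
        [pscustomobject]@{
            Record        = $_.Name
            Owner         = $sd.Owner      # e.g. SYSTEM, a DHCP server account, or the DNS credential user
            WritableByAll = [bool]$openAces
        }
      }
}

Get-DnsNodeExposure | Sort-Object WritableByAll -Descending | Format-Table -AutoSize
```

Records reported with WritableByAll set to True are the ones any dynamic update can overwrite; the Owner column shows which account (DHCP server, configured DNS credentials, or SYSTEM) currently holds each record.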

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of James Cate
Sent: Wednesday, February 23, 2005 7:25 AM
To: [email protected]
Subject: Re: [ActiveDir] AD integrated DNS, DHCP, Static addresses, and record ownership

I should provide a little more information.  All of my DHCP servers are in
the DNSUpdateProxy group that you are referring to.  The zone is an AD
integrated zone and only allows secure updates.  The DHCP servers are also
configured to update DNS instead of the client.  All workstations are Windows
XP machines.

The problem I am having with any DNS or DHCP server is that if the
workstation is first configured with a static IP address or if it gets a
DHCP IP address from a DHCP server that is not registered in AD or
configured to update DNS, the workstation is the creator of the DNS record.
Once that machine is changed to use a DHCP server that is in AD and
configured to update the DNS record, the update fails.  The DHCP server
cannot update the DNS record for that workstation.

I assume this has something to do with the ownership of the record but if you
look at the record owner it always belongs to "system" no matter how it is
registered.

I don't see the "No Owner" that you speak of.



On Tue, 22 Feb 2005 21:12:47 +0100, Jorge de Almeida Pinto
<[EMAIL PROTECTED]> wrote:
> Hi,
> 
> This is an ownership issue as you're talking about multiple DHCP 
> servers. By default, when DHCP servers register an IP address on 
> behalf of a client then the DHCP server (the computer account of the 
> DHCP server) becomes the owner of the registered record. If another 
> DHCP server wants to register the same record with another IP address 
> it is not allowed to do that because it does not own the record. The 
> story is different when DHCP is hosted on DCs as DCs are allowed to do 
> everything because "Enterprise Domain Controllers" have permissions to all 
> records!
> To provide for the possibility for other DHCP servers to update the 
> same records each DHCP server COULD be placed in the DNSUpdateProxy 
> Group, BUT this ALSO means that records (and the records of the DHCP 
> server itself) registered by DHCP servers that are in that group have 
> NO OWNER meaning that every machine/user has the permission to update 
> those records. THIS IS VERY INSECURE, especially when DHCP servers are 
> hosted on DCs (as ALL the DC records are also insecure!). There is 
> another MORE SECURE way to allow all (and only) DHCP servers to 
> register/update the same records.
> 
> For W2K and W2K3 configure a user account to be used (a MUST when DHCP 
> is on a DC!) on each DHCP server so that user account becomes the 
> owner and has the permissions to register/update the client records.
> Configuring a user account can be done in the following way:
> * For W2K3: Use the DHCP MMC, right-click the DHCP server name, select the 
> advanced tab and configure the "DNS dynamic updates registration 
> credentials"
> * For W2K: the GUI does not provide the same ability as the GUI in 
> W2K3 but it can be configured through typing the following commands:
> NETSH DHCP SERVER \\<servername> SET DNSCREDENTIALS <UserName> 
> <Domain> <Password> --> press enter (see also
> http://support.microsoft.com/?kbid=255134)
> 
> For more info on this see also
> http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_DHCP_imp_InteroperabilityDNS.asp
> 
> I think this should do it!
> 
> Cheers!
> Jorge
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> To: [email protected]
> Sent: 2/22/2005 6:11 PM
> Subject: [ActiveDir] AD integrated DNS, DHCP, Static addresses, and 
> record ownership
> 
> I am looking for detailed documentation that would shed some light on 
> how dynamic dns works.  The initial registration works fine for us but 
> if the ip address changes the dns entry is not updated.  The DHCP 
> servers are configured to register the workstations ip address.  I 
> don't know if this is a record ownership issue or DNS aging/scavenging 
> not allowing the update for x days.
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 