Newsgroups: microsoft.public.windows.server.dns
From: "Ulf B. Simon-Weidner [MVP]" <nospam2-...@usw-consulting.com>
Date: Wed, 10 Nov 2004 20:09:59 +0000
Local: Wed, Nov 10 2004 3:09 pm
Subject: Re: Permissions Required For DHCP/DNS Dynamic Updates
"Todd Lehmann" <ToddLehm...@discussions.microsoft.com> wrote in message news:ToddLehmann@discussions.microsoft.com:

> This worked perfectly. Thanks so much for your help!

Hello Todd,

Are you sure? I disagree. You were setting the permissions to add and
change DNS-Entries underneath the OU where the service account is, and
this is not the place where DNS-Entries are stored. If it's working
then you gave the account more rights via a group or something. The
DHCP-Server should not be able to create or overwrite records. However,
since you were putting it into the DNS-Update-Proxy group every
authenticated user was able to overwrite those settings. You will
probably have issues later assigning one IP to another computer and
rewriting the PTR-Record.

And do you have Windows 2000 or Windows Server 2003? In Windows Server
2003 you should not change the account under which the DHCP-Server
runs, you are able to configure the account separately in the
properties of the server (not the service). If you have 2000 then it's
OK.

Your command lines should look like this:

If you use Windows Server 2003 and replicate the Zone to all
DNS-Servers in the AD-DOMAIN:

rem create/delete dnsNode child objects (records) on the zone object
dsacls "DC=%ZONE NAME GOES HERE%,CN=MicrosoftDNS,DC=DomainDnsZones,DC=180solutions,DC=com" /G 180solutions\svc_dhcp:CCDC;dnsNode;

rem write all properties on the dnsNode objects below the zone (/I:S = sub-objects only)
dsacls "DC=%ZONE NAME GOES HERE%,CN=MicrosoftDNS,DC=DomainDnsZones,DC=180solutions,DC=com" /G 180solutions\svc_dhcp:WP;;dnsNode /I:S

If you use Windows Server 2003 and replicate the Zone to all
DNS-Servers in the AD-FOREST:

rem create/delete dnsNode child objects (records) on the zone object
dsacls "DC=%ZONE NAME GOES HERE%,CN=MicrosoftDNS,DC=ForestDnsZones,DC=180solutions,DC=com" /G 180solutions\svc_dhcp:CCDC;dnsNode;

rem write all properties on the dnsNode objects below the zone (/I:S = sub-objects only)
dsacls "DC=%ZONE NAME GOES HERE%,CN=MicrosoftDNS,DC=ForestDnsZones,DC=180solutions,DC=com" /G 180solutions\svc_dhcp:WP;;dnsNode /I:S

If you use Windows 2000 or Windows Server 2003 and replicate the Zone
to all DCs (the only option available in W2k):

rem System is a container, so its RDN is CN=System (not DC=System)
rem create/delete dnsNode child objects (records) on the zone object
dsacls "DC=%ZONE NAME GOES HERE%,CN=MicrosoftDNS,CN=System,DC=180solutions,DC=com" /G 180solutions\svc_dhcp:CCDC;dnsNode;

rem write all properties on the dnsNode objects below the zone (/I:S = sub-objects only)
dsacls "DC=%ZONE NAME GOES HERE%,CN=MicrosoftDNS,CN=System,DC=180solutions,DC=com" /G 180solutions\svc_dhcp:WP;;dnsNode /I:S

I'm not 100% sure about the Distinguished names - evening here and I'm
too lazy right now to fire up a DC to verify. Please make sure you are
using the right DN; the best way to verify your DN is navigating to it
using ADSIEdit.msc from the resource kit, verify that this is the zone
where the appropriate DNS-Records are being written, then copy the
distinguished name.

By default the DHCP-Server is supposed to update the reverse lookup
entries only, so you only need to configure this zone (the in-addr.arpa
thing). If you use downlevel clients or have configured the DHCP-Server
to make other entries (A-Records) you'll have to configure those zones
as well.

Let me know if you have any issues (or need me to fire up one of my
Test-DCs).

--
Gruesse - Sincerely,

Ulf B. Simon-Weidner

  MVP-Book "Windows XP - Die Expertentipps":  http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  WebSite: http://www.windowsserverfaq.org

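Added example, not part of Ulf's post: a PowerShell script that does the verification step he describes (find out which of the three partitions actually holds the zone instead of guessing the DN), warns if the DHCP service account is still a direct member of DnsUpdateProxy, and then issues the same two dsacls grants from the post against the DN that really exists. The zone name is an assumed placeholder, the account name is the one used in the post, and it assumes it runs on a domain member where dsacls.exe is available. Nothing is changed unless -Apply is given.

```powershell
# Added example (not from the original post): locate the AD partition that
# holds a DNS zone, check the DHCP account against DnsUpdateProxy, and grant
# the two dnsNode permissions from the post with dsacls.
param(
    [string]$Zone    = '1.168.192.in-addr.arpa',  # assumed example reverse zone
    [string]$Account = '180solutions\svc_dhcp',    # account name used in the post
    [switch]$Apply                                  # without -Apply, only print
)

$rootDse  = [adsi]'LDAP://RootDSE'
$domainDN = [string]$rootDse.defaultNamingContext     # e.g. DC=180solutions,DC=com
$forestDN = [string]$rootDse.rootDomainNamingContext  # forest root; may differ

# The three places an AD-integrated zone can live, in the order the post
# lists them. ForestDnsZones hangs off the forest root, not the local domain,
# and System is a container (CN=), not a domain component.
$candidates = @(
    "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN"
    "DC=$Zone,CN=MicrosoftDNS,DC=ForestDnsZones,$forestDN"
    "DC=$Zone,CN=MicrosoftDNS,CN=System,$domainDN"
)

$zoneDN = $candidates |
    Where-Object { [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$_") } |
    Select-Object -First 1
if (-not $zoneDN) {
    throw "Zone '$Zone' not found in any partition; verify the DN with ADSIEdit"
}
Write-Host "Zone object: $zoneDN"

# Resolve the account's DN and check direct (not nested) membership of
# DnsUpdateProxy. Records registered by members of that group carry no
# protective ACL, so any authenticated user can later overwrite them.
$sam = $Account.Split('\')[-1]
$acctSearch = [adsisearcher]"(sAMAccountName=$sam)"
$acctSearch.SearchRoot = [adsi]"LDAP://$domainDN"
$acct = $acctSearch.FindOne()
if (-not $acct) { throw "Account '$sam' not found under $domainDN" }
$acctDN = [string]$acct.Properties['distinguishedname'][0]

$grpSearch = [adsisearcher]"(&(objectClass=group)(cn=DnsUpdateProxy))"
$grpSearch.SearchRoot = [adsi]"LDAP://$domainDN"
$grp = $grpSearch.FindOne()
if ($grp -and ($grp.Properties['member'] -contains $acctDN)) {
    Write-Warning "$sam is a direct member of DnsUpdateProxy; remove it before granting explicit rights"
}

# The two grants from the post: create/delete dnsNode children on the zone
# object, and write all properties on the dnsNode objects beneath it
# (/I:S applies the ACE to sub-objects only).
$grants = @(
    @('/G', "${Account}:CCDC;dnsNode;"),
    @('/G', "${Account}:WP;;dnsNode", '/I:S')
)
foreach ($g in $grants) {
    Write-Host "dsacls `"$zoneDN`" $($g -join ' ')"
    if ($Apply) { & dsacls.exe $zoneDN @g }
}

# Show the resulting ACEs for the account so the grant can be checked.
if ($Apply) { & dsacls.exe $zoneDN | Select-String -SimpleMatch $sam }
```

Run it once without -Apply to see which DN was found and which commands would be issued, then rerun with -Apply from an account that is allowed to change the zone's ACL. The DnsUpdateProxy check only looks at direct membership, so a nested group would not be reported.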