Permissions Required For DHCP/DNS Dynamic Updates
Todd Lehmann
configure an dedicated account that the DHCP Server service can use to update
DNS records. Does anyone know what explicit permissions need to be supplied
to the dedicated account in order for it to work properly? And am I correct
to assume that I will need to add the DNSUpdateProxy group to the security
tab on both the DNS and DHCP servers?
P.S. - our AD/DNS/DHCP are all on the same servers. We have two.
--
Todd Lehmann
Client Services Analyst
Help!
Ulf B. Simon-Weidner [MVP]
news:ToddL...@discussions.microsoft.com:
Do not use the dnsUpdateProxy-Group - you don't need it! What this
group does is making updates which are not secure. Computers which are
not in this group create the DNS-Records for themselves and change the
rights on those records that they are the only ones being able to
change them (they own the record, there's no reason for anyone else to
change it). Default behavior is that W2k+ Clients register their names
(A-Records) while the DHCP-Server registers their pointer record. The
right to change the records is set to the computer account if you don't
change it.
If you put a computer into the dnsupdateproxy group it will allow any
computer to update it's records, which is just bad. The only reason for
that is that you were not able to provide fault tolerance for multiple
DHCP-Servers in Windows 2000 prior SP2 (IIRC) if you were using secure
dynamic updates because one server would create a record and after it
fails the other server would not be able to change the record.
Since W2k SP2 you are able to specify an account for creating the
records. In W2k you'll have to modify the account which is used by the
DHCP-Server service, in WS2k3 you are able to configure it in the
properties of the server (and you don't even need to modify the account
under which the service runs - which is good).
Not using the dnsupdateproxy group is especially important on DCs,
since they create their domain records and any other computer would be
able to change them if they belong to the group. I don't need to tell
you what that might cause.
Back to the rights you need to give to the dhcp-account. I'm quite
sure, but haven't tested. Here's a link where we discussed that:
http://groups.google.com/groups?selm=MPG.1a6529905...@msnews.microsoft.com
And did I mention not to use the dnsupdateproxy group? ;-)
If you need fault tolerance you can specify the same account on
multiple computers now - so there's not need for the group.
--
Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
WebSite: http://www.windowsserverfaq.org
Todd Lehmann
Todd Lehmann
Installed W2K3 Support Tools on SEADC01 and used DSACLS to modify the
permissions on service account svc_dhcp in the Service Accounts OU.
Command line was:
dsacls cn=svc_dhcp,ou="service accounts",dc=180solutions,dc=com /N /G
180solutions\svc_dhcp:ccdc;dnsNode
and
dsacls cn=svc_dhcp,ou="service accounts",dc=180solutions,dc=com /G
180solutions\svc_dhcp:ccdc;:dnsNode /I:S
Setup DHCP Server on SEADC01 to use new service account. Implemented on 11/9
@ 5:37pm. Watched logs for 10 minutes, no errors yet. Will let it run
overnight, if still no errors, will remove from DNSUpdateProxy group and let
run overnight.
Do you see any errors? I am having a hard time translating the example in
the Google newsgroup to our real-world stuff.
"Ulf B. Simon-Weidner [MVP]" wrote:
Todd Lehmann
"Ulf B. Simon-Weidner [MVP]" wrote:
Ulf B. Simon-Weidner [MVP]
news:ToddL...@discussions.microsoft.com:
>
Hello Todd,
Are you sure? I disagree. You were setting the permissions to add and
change DNS-Entries underneath the OU where the service account is, and
this is not the place where DNS-Entries are stored. If it's working
than you gave the account more rights via a group or something. The
DHCP-Server should not be able to create or overwrite records. However,
since you were putting it into the DNS-Update-Proxy group every
authenticated user was able to overwrite those settings. You will
propably having issues later assigning one IP to another computer and
rewriting the PTR-Record.
And do you have Windows 2000 or Windows Server 2003? In Windows Server
2003 you should not change the account under which the DHCP-Server
runs, you are able to configure the account separately in the
properties of the server (not the service). If you have 2000 than it's
OK.
Your command line should look like
If you use Windows Server 2003 and replicate the Zone to all
DNS-Servers in the AD-DOMAIN:
dsacls "DC=%ZONE NAME GOES HERE%,CN=MicrosoftDNS,DC=DomainDnsZones,
dc=180solutions,dc=com" /G 180solutions\svc_dhcp:CCDC;dnsNode;
dsacls "DC=%ZONE NAME GOES HERE%,CN=MicrosoftDNS,DC=DomainDnsZones,
dc=180solutions,dc=com" /G 180solutions\svc_dhcp:wp;;dnsNode /I:S
If you use Windows Server 2003 and replicate the Zone to all
DNS-Servers in the AD-FOREST:
dsacls "DC=%ZONE NAME GOES HERE%,CN=MicrosoftDNS,DC=ForestDnsZones,
dc=180solutions,dc=com" /G 180solutions\svc_dhcp:CCDC;dnsNode;
dsacls "DC=%ZONE NAME GOES HERE%,CN=MicrosoftDNS,DC=ForestDnsZones,
dc=180solutions,dc=com" /G 180solutions\svc_dhcp:wp;;dnsNode /I:S
If you use Windows 2000 or Windows Server 2003 and replicate the Zone
to all DCs (the only option available in W2k):
dsacls "DC=%ZONE NAME GOES HERE%,CN=MicrosoftDNS,DC=System,
dc=180solutions,dc=com" /G 180solutions\svc_dhcp:CCDC;dnsNode;
dsacls "DC=%ZONE NAME GOES HERE%,CN=MicrosoftDNS,DC=System,
dc=180solutions,dc=com" /G 180solutions\svc_dhcp:wp;;dnsNode /I:S
I'm not 100% sure about the Distinguished names - evening here and I'm
to lazy right now to fire up a DC to verify. Please make sure you are
using the right DN, best way to verify your DN is navigating to it
using ADSIEdit.msc from the resource kit, verify that this is the zone
where the approbiate DNS-Records are being written, then copy the
distinguished name.
By default the DHCP-Server is supposed to update the reverse lookup
entries only, so you only need to configure this zone (the in-addr.arpa
thing). If you use downlevel client or have configured the DHCP-Server
to make other entries (A-Records) you'll have to configure those zones
as well.
Let me know if you have any issues (or need me to fire up one of my
Test-DCs).
Todd Lehmann
What if I did this: create a user account and place that in the
DNSUpdateProxy group and make the DHCP server run under that account,
and take all computer accounts out of DNSUpdateProxy... Or does that
still create a security problem?
Ulf B. Simon-Weidner [MVP] wrote:
> http://groups.google.com/groups?selm=MPG.1a6529905370240a989847@msnews
Ulf B. Simon-Weidner [MVP]
message news:tlehma...@hajamaji.180solutions.com:
> Ulf,
>
> What if I did this: create a user account and place that in the
> DNSUpdateProxy group and make the DHCP server run under that account,
> and take all computer accounts out of DNSUpdateProxy... Or does that
> still create a security problem?
>
Haven't tried that, but I'm pretty sure that you'll have the same
result.
Why would you want to use the DNSUpdateProxy group anyways - just use
the same account to register dns-records on every dhcp-server which
needs to write at the same zones, and they'll be secure.