DNS UpdateProxy Group
Jordan Samulaitis
Guest





Posted: Tue Jan 18, 2005 8:46 am    Post subject: DNS UpdateProxy Group

Hello All,

I am trying to verify that my DNSUpdateProxy group is set up correctly. To my
understanding, if the DHCP server and DNS server use the DC as the
DNSUpdateProxy group, the DC owns the updates.

I looked under the members tab of the DNSUpdateProxy group and noticed the
Administrator account is in there. Is that a good enough user to have in
that group? Or should I create a specific one for the ownership of the
registrations?

Thanks,

Jordan
Brian O'Neil
Guest





Posted: Wed Jan 19, 2005 12:31 am    Post subject: RE: DNS UpdateProxy Group

There are two different scenarios in which you would use the DNSUpdateProxy
group.
1. Your DHCP server is NOT a domain controller. You would put the computer
account of the DHCP server in this group. This "relaxes" the security on the
registered resource records so clients and/or DHCP servers can update the
records.

2. Your DHCP server IS on a 2003 domain controller.
(This only applies to Windows Server 2003; you should never use a Windows
2000 domain controller as a DHCP server.)
Access the DHCP MMC and get the advanced properties of the DHCP server, in
the MMC you can specify an AD user account to register records on behalf of.
Create the user account in AD and enter the user name and password in the
DHCP server. Add this user account to the DNSUpdateProxy group.

You should never put a domain controller computer account in the
DNSUpdateProxy group because it will relax the security of the DC's resource
records to the point where anyone can update them. That's a huge security
and reliability vulnerability.

-Brian

Roger Abell [MVP]
Guest





Posted: Wed Jan 19, 2005 6:47 am    Post subject: Re: DNS UpdateProxy Group

What specifically made you believe that you needed to use
this group? Normally one has no use for it. If you place in
it a machine account then records registered by that account
will be allowed to be updated (and so "ownership-claimed") by
other machines which next/first attempt to update the record.
Normally this is undesirable behavior although there are
situations where it is needed.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4
Ulf B. Simon-Weidner [MVP]
Guest





Posted: Wed Jan 19, 2005 1:26 pm    Post subject: Re: DNS UpdateProxy Group

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:mvpNoSpam@asu.edu:
Quote:
What specifically made you believe that you needed to use
this group? Normally one has no use for it. If you place in
it a machine account then records registered by that account
will be allowed to be updated (and so "ownership-claimed") by
other machines which next/first attempt to update the record.
Normally this is undesirable behavior although there are
situations where it is needed.


Hi Roger, Jordan,

I wrote some thoughts about the DNSUpdateProxy-Group here:
http://msmvps.com/ulfbsimonweidner/archive/2004/11/15/19325.aspx

Feedback / Comments are welcome.

--
Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
WebSite: http://www.windowsserverfaq.org
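
The membership rules from Brian O'Neil's reply above, turned into an audit check (an added example, not code from any poster in this thread). The function name, host names and account names are hypothetical and the sample data is constructed; the commented lines show the ActiveDirectory and DhcpServer cmdlets that would supply live input.

```powershell
# Classify DNSUpdateProxy members by the rules given in this thread.
# Live input (ActiveDirectory / DhcpServer modules) would come from:
#   $members = Get-ADGroupMember -Identity 'DnsUpdateProxy'
#   $dcs     = (Get-ADDomainController -Filter *).Name
#   $cred    = (Get-DhcpServerDnsCredential -ComputerName <dhcp-server>).UserName
function Test-DnsUpdateProxyMember {    # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Members,            # need SamAccountName, objectClass
        [Parameter(Mandatory)] [string[]] $DomainControllers,  # DC host names
        [string[]] $DhcpServers = @(),                         # DHCP servers that are not DCs
        [string]   $DhcpDnsCredentialUser = ''                 # account entered in the DHCP server
    )
    foreach ($m in $Members) {
        # Computer accounts carry a trailing '$' in SamAccountName.
        $name = $m.SamAccountName.TrimEnd('$')
        $finding = if ($m.objectClass -eq 'computer' -and $DomainControllers -contains $name) {
            'REMOVE: domain controller computer account; anyone could update its records'
        } elseif ($m.objectClass -eq 'computer' -and $DhcpServers -contains $name) {
            'OK: computer account of a DHCP server that is not a DC (scenario 1)'
        } elseif ($m.objectClass -eq 'user' -and $name -eq $DhcpDnsCredentialUser) {
            'OK: dedicated account the DHCP server registers with (scenario 2)'
        } else {
            'REVIEW: neither a DHCP server nor its registration account'
        }
        [pscustomobject]@{
            Member  = $m.SamAccountName
            Class   = $m.objectClass
            Finding = $finding
        }
    }
}

# Constructed sample data standing in for the live queries above.
$members = @(
    [pscustomobject]@{ SamAccountName = 'DC01$';         objectClass = 'computer' }
    [pscustomobject]@{ SamAccountName = 'DHCP01$';       objectClass = 'computer' }
    [pscustomobject]@{ SamAccountName = 'svc-dhcp-dns';  objectClass = 'user' }
    [pscustomobject]@{ SamAccountName = 'Administrator'; objectClass = 'user' }
)

Test-DnsUpdateProxyMember -Members $members -DomainControllers 'DC01' `
    -DhcpServers 'DHCP01' -DhcpDnsCredentialUser 'svc-dhcp-dns' |
    Format-Table -AutoSize
```

With this sample input, the DC01 computer account is flagged for removal and the Administrator account from the original question falls into the review bucket.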
All times are GMT