DHCP Credentials user account DNS ACL's

    Question

  • I have a normal user account set within my W2K8 R2 DHCP Credentials options and no server members within the DNSProxyUpdate group. I also have the DHCP DDNS 'Always register the (A) and (PTR) records' enabled to assist with DNS Scavenging, but all Forward and Reverse DNS records are still being registered and owned by the SYSTEM user account.

    Upon checking the security options on these DNS records, I have discovered that my assigned DHCP Credentials user account only has Read and Write access to these records, but not update or delete. Hence why the SYSTEM account is registering the records and probably why Scavenging is not working how I intended it to be.

    Question: How do you set the default DNS ACLs for the DHCP Credentials user account?

    Cheers,

    Cosmo

    June 12, 2012 08:15 AM

Answer

  • Cosmo,

    Sorry, as I said, I'm fresh out of ideas. Have you considered calling support? They can remote in and find out why.



    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    June 27, 2012 06:33 PM

All Replies

  • Hello Cosmo,

    According to the link below, using the DnsProxyUpdate group is not recommended on a DC. So, please have a look into this for more details about the DnsProxyUpdate group.

    http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx


    Regards, Ravikumar P

    June 12, 2012 01:06 PM
  • The credential used is just a plain-Jane Domain User account, nothing special, and no modifications to the account or ACLs required. Review my blog posted by Exrapul.

    Ace Fekay

    June 12, 2012 01:37 PM
  • Ace,

    I have W2K8 R2 DNS and DHCP configured exactly per your above mentioned blog, but this DHCP Credentials user account doesn't have full ACL rights to the records, plus the SYSTEM account is still registering them.

    Can you think of anything else that would cause these issues?

    June 12, 2012 11:12 PM
  • Hi,

    Thank you for the post.

    You should wait some days for DNS Scavenging.

    Try this test: manually remove one computer's DNS record via the DNS console, run the commands ipconfig /release and ipconfig /renew on the computer, then check the computer's DNS record permissions.

    If there are more inquiries on this issue, please feel free to let us know.
    Regards


    Rick Tan

    TechNet Community Support

    June 14, 2012 03:53 AM
  • Thank you, but the main question I would like answered is why the DNS records' owner is still SYSTEM and not my recently entered DHCP Credentials user account, which only has Read and Write access to the records.

    I even restarted the DNS and DHCP services on all the required DC's, but still no change  :-(

    June 14, 2012 06:55 AM
  • I've had this setup at multiple customer sites with scavenging configured, and I see the same thing using ADSI Edit to look at the security tab of a DNS host record created by DHCP.

    And that has nothing to do with scavenging. Scavenging is a separate background process that uses timestamps. Make sure the scavenge times are equal to or less than the Lease time. And as Rick said, you have to wait for it to happen. With a 7 day, you're looking at around 3 weeks.


    Ace Fekay

    June 14, 2012 12:24 PM
  • Ace,

    Thanks for your response, however my main question is still why SYSTEM is the owner of the DNS records and not my Credentials user account. This means the security hole that I'm trying to mitigate by having DHCP installed on a DC is still there. Your above-mentioned blog states not to use the DNSProxyUpdate group as it produces weird results (which I have also experienced), so what other avenues do I have to close this security hole?

    June 14, 2012 09:48 PM
  • Ace,

    I've been performing some tests and I can only get the Credentials user account to have Full Access to the (PTR) record, but NOT the (A), after I deleted the DNS record and DHCP lease and then rebooted the computer. Plus, the SYSTEM account was still the Owner of both records, and this is with the DHCP DDNS option to register both (A) and (PTR) records set. But upon re-performing the same test on the same PC, both (A) and (PTR) records went back to Write (as shown below). Why?

    This whole process seems sooooo buggy and why is MS still stating to use the DNSProxyUpdate group option with the Credentials user account, when you and I have experienced weird results (e.g. Scavenging of static records)?

    June 15, 2012 12:48 AM
  • Are you saying that you've configured DHCP with credentials AND put the DC in the DnsUpdateProxy group? You can only use one or the other. I believe if with both, the group takes precedence over credentials.

    You're only seeing the credential account on the PTR? Assuming you're just using credentials, and don't have both the DnsUpdateProxy group AND credentials - Did you configure Option 081 (that's the DHCP server properties DNS tab) to force DHCP to register all DHCP clients, as the screenshot below shows? Click here for the full version of the pic.


    Ace Fekay

    June 17, 2012 04:31 AM
  • [This post consisted of an image only; no text was recovered.]

    June 17, 2012 11:23 PM
  • I couldn't click on the link you posted. It appears the whole post is an image?

    I had the link in my notes:

    How DNS Scavenging and the DHCP Lease Duration Relate,
    Sean Ivey [MSFT], 6/3/2011
    http://blogs.technet.com/b/askpfe/archive/2011/06/03/how-dns-scavenging-and-the-dhcp-lease-duration-relate.aspx


    I see what you mean in Sean's blog (quoted):
    ----------------------------------------------------------
    Allow the DHCP server to register the addresses on behalf of the clients.

    1. Pros:
      1. The DHCP server will be able to remove the DNS record as soon as the lease expires.
      2. If set up correctly, no duplicate records should exist.
    2. Cons:
      1. The setup is more involved.
      2. A service account will need to be set up and joined to the DNSUpdateProxy group, adding complexity.
    ----------------------------------------------------------


    However, the TechNet article below is correct, that is, to add the DHCP servers to the DnsUpdateProxy group. No user or service accounts need to be added to that group. It's just for DHCP servers.

    How to configure DNS dynamic updates in Windows Server 2003
    Add members to the DnsUpdateProxy group
    Use the Active Directory Users and Computers snap-in to configure the DnsUpdateProxy security group.
    Note: If you are using multiple DHCP servers for fault tolerance and secure dynamic updates, add each server to the DnsUpdateProxy global security group.
    http://support.microsoft.com/kb/816592


    However, what you may be seeing is a computer updating its IP at the 7 day refresh period. Even if DHCP


    In summary, I can't find any specific article that explains this portion of it, that is the Security tab and what you're seeing. I'm out of ideas. Unless someone else can offer anything, my recommendation is to give Microsoft support a call to explain what's going on. If you do choose this option, please provide us an update with what they tell you.
    http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS



    Ace Fekay

    June 18, 2012 05:45 AM
  • Cosmo,

    I contacted Sean Ivey, and the info in his blog has been corrected. :-)

    I'm trying to find more specific info on your ACL question. Hang in there.

    Ace


    Ace Fekay

    June 19, 2012 04:16 PM
  • Cosmo,

    I checked a couple of my customer sites and I found one site that the A records did not have the DHCP account as owner.

    As a test, let's put the DHCP server into the DnsUpdateProxy group, and continue using the DHCP credentials, restart the DHCP service, delete an A record, and re-run ipconfig /release then a /renew, and check the record's ACL, and let us know what you come up with.



    Ace Fekay

    June 19, 2012 09:10 PM
  • Ace,

    Firstly, thanks for your continued interest in my issue  :-)

    I'm one step ahead of you, I tried that yesterday afternoon and unfortunately no change (i.e. both record types still have SYSTEM as owner and the user account only with Write access).

    I placed all my DC/DHCP servers into the DnsUpdateProxy group, with the Credentials user account still enabled, deleted both (A) and (PTR) records from DNS, deleted the DHCP lease entry for this IP address and then rebooted all the DC's (in a test lab), then finally rebooted the Win7 client PC.

    June 20, 2012 06:46 AM
  • It's funny, well not really funny, that when I checked my customer sites, the ones with Windows 2008 and SBS 2008 and newer show the user account is owner on the A record. There is one customer site with 2003 that shows SYSTEM as the owner, and I have them set identically.

    And another funny thing is the SBS servers have the SBS server by default in the DnsUpdateProxy group, but the 2003 doesn't. I put it in the group, deleted a workstation record, restarted the service, then ran a /renew at the workstation and it still shows SYSTEM. But the PTR shows the credentials account as owner.

    So it's not giving me expected results whether with only credentials or both the group and credentials. It's got me stumped. Did I miss something on it?

    My next step is to run the netsh command to configure credentials and see what that does. I don't want to delete and recreate the scope, but if I have to, it's not a big deal with 30 workstations.

    I also reached out to some private contacts in our MVP group about this, and referenced this thread. I'll post back if I get a response.



    Ace Fekay

    June 20, 2012 06:34 PM
  • Ace,

    At last I've found the smoking gun, being the (A) and (PTR) that are created by DHCP with ACL 'Full Control' and the Owner being the DHCP Credentials User account, DON'T have 'Authenticated Users' listed in its record's ACL list. The problem DNS records (as mentioned above) have 'Authenticated Users' list, but with NO rights. Examples of this fact are shown in the below screen dump.

    But out of my DHCP Scope that contained about 50 active leases, only about 7 had the correct DHCP Credentials user account and OWNER. Plus, some of the correctly registered (PTR) records had incorrectly registered (A) records, or even missing (A) records!!!!

    My Dev and Prod network consists of a combination of W3K3 SP2 and W2K8 R2 DC's in W2K3 Functional mode, plus a combination of XP and Win7 PC's (i.e. slowly migrating over to the two new OS's). The problem 'seems' to occur to both XP and Win7 DNS records.

    I'm leaning towards the clients and not the DHCP servers having the issue (bug). What's your feeling?


    June 21, 2012 06:33 AM
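The check Cosmo did by hand on the Security tab (and the per-record check Rick and Ace suggest after a release/renew) can be run across a whole zone. The script below is an added example written for this thread; it is not code from any poster or from Microsoft. It reads each dnsNode object in one AD-integrated zone through the AD: PSDrive and reports the owner, whether an "Authenticated Users" ACE is present, and whether the DHCP credential account has Full Control. The zone name, partition DN and account name are placeholders, and it assumes PowerShell 3.0 or later with the RSAT ActiveDirectory module installed.

```powershell
# Added example (not from this thread or any of its posters): audit the owner and ACL of
# every DNS node in one AD-integrated zone, to surface the pattern described in the thread:
# records owned by SYSTEM, or carrying an 'Authenticated Users' ACE, instead of being
# owned by the DHCP credential account with Full Control.
# Assumptions: PowerShell 3.0+ with the RSAT ActiveDirectory module; the zone is stored in
# the DomainDnsZones partition; zone name, partition DN and account name are placeholders.
param(
    [string]$ZoneName      = 'corp.example.com',                              # assumed zone
    [string]$Partition     = 'DC=DomainDnsZones,DC=corp,DC=example,DC=com',   # assumed partition DN
    [string]$ExpectedOwner = 'CORP\svc-dhcp-dns'                              # assumed DHCP credential account
)

Import-Module ActiveDirectory

# Records are dnsNode objects directly under the zone container in the DNS partition.
$zoneDn = "DC=$ZoneName,CN=MicrosoftDNS,$Partition"
$nodes  = Get-ADObject -SearchBase $zoneDn -SearchScope OneLevel -LDAPFilter '(objectClass=dnsNode)'

$fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$accountName = ($ExpectedOwner -split '\\')[-1]   # 'svc-dhcp-dns'

$report = foreach ($node in $nodes) {
    # The AD: PSDrive exposes the object's security descriptor through Get-Acl,
    # which is the same data the DNS console shows on the record's Security tab.
    $acl = Get-Acl -Path ("AD:\" + $node.DistinguishedName)

    $authUsersAces = @($acl.Access | Where-Object { $_.IdentityReference.Value -like '*\Authenticated Users' })
    $dhcpAces      = @($acl.Access | Where-Object { $_.IdentityReference.Value -like "*\$accountName" })

    [pscustomobject]@{
        Name                   = $node.Name
        Owner                  = $acl.Owner
        OwnerIsSystem          = ($acl.Owner -like '*\SYSTEM')
        OwnerIsDhcpAccount     = ($acl.Owner -eq $ExpectedOwner)
        AuthUsersAcePresent    = ($authUsersAces.Count -gt 0)
        AuthUsersRights        = ($authUsersAces | ForEach-Object { $_.ActiveDirectoryRights }) -join ';'
        DhcpAccountRights      = ($dhcpAces      | ForEach-Object { $_.ActiveDirectoryRights }) -join ';'
        # Full Control means every bit of GenericAll is granted, not merely some of them.
        DhcpAccountFullControl = [bool]($dhcpAces | Where-Object {
            ($_.ActiveDirectoryRights -band $fullControl) -eq $fullControl })
    }
}

# Problem records first: SYSTEM-owned or carrying an Authenticated Users ACE.
$report |
    Sort-Object OwnerIsSystem, AuthUsersAcePresent -Descending |
    Format-Table Name, Owner, AuthUsersAcePresent, AuthUsersRights, DhcpAccountRights, DhcpAccountFullControl -AutoSize

'{0} records: {1} owned by SYSTEM, {2} owned by {3}, {4} with an Authenticated Users ACE, {5} where {3} has Full Control' -f `
    @($report).Count,
    @($report | Where-Object { $_.OwnerIsSystem }).Count,
    @($report | Where-Object { $_.OwnerIsDhcpAccount }).Count,
    $ExpectedOwner,
    @($report | Where-Object { $_.AuthUsersAcePresent }).Count,
    @($report | Where-Object { $_.DhcpAccountFullControl }).Count
```

Run it once against the forward zone and once against the reverse zone, since the (A) and (PTR) records in this thread ended up with different owners; a record whose owner is SYSTEM, or whose "Authenticated Users" entry is present with no rights, is the case Cosmo describes, and the summary line gives the same "7 of 50" style ratio he counted by hand.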
  • Interesting. So there are some inconsistencies. I'm not sure if I would blame it on the workstation. I think it's in DHCP. Do you find it happening on 2003 DHCP, or 2008 DHCP?

    Ace Fekay

    June 22, 2012 04:21 PM
  • That particular DHCP scope is hosted on a W2K3 DC server.

    Before I temporarily disable this scope and re-create it on a W2K8 R2 DC and delete some of the current DNS records that have been incorrectly registered, is there anything else you can think of?

    June 22, 2012 10:49 PM
  • That particular DHCP scope is hosted on a W2K3 DC server.

    Before I temporarily disable this scope and re-create it on a W2K8 R2 DC and delete some of the current DNS records that have been incorrectly registered, is there anything else you can think of?

    No, other than calling support, as Jordi on the STTNG "Generations" movie said, "I'm fresh out of warp cores!"



    Ace Fekay

    June 22, 2012 11:19 PM
  • Ace,

    I tried moving the DHCP scope over to a W2K8 R2 DC with the below DHCP settings and Win7 clients, but still no luck in getting both records owned by the DHCP Credential Service account  :-(

    The (A) record still had the SYSTEM account as owner, whereas the (PTR) record had the Service account as owner and Full Control, plus the SYSTEM account still has Full Control -> which means the security hole is still open  :-(

    This thing is so inconsistent!!!

    June 26, 2012 11:40 PM
  • Hi Cosmo, please keep us updated on what was the cause of this behaviour.

    We also had some system owned DNS records, what we noticed was:

    We also had a 3rd DC that was in another site (not the first site name) and some clients were registering DNS there, cause new subnetworks had not been mapped to sites and services under the "first site name" DC as they should have.

    It might be that replicated records have an owner tag of "system" and not the machine account or DHCP update credentials.

    Also we cleaned an old WINS service which was still running somewhere (don't ask).

    After these, the DNS records seemed to have correct owners.

    What we also noticed, some of the SYSTEM owned records also registered IPV6 , even though it was disabled, and those machines had UAC on. (added info just for troubleshooting purposes)

    -Mikko

    July 3, 2012 08:05 AM
  • Hello Cosmo,

    Did You find the cause of the issue or any possible workaround? We are having the very same issue, so I would really appreciate any help.

    Sincerely,
    Vince

    January 8, 2013 11:01 AM