Enabling user account on DHCP server to update DNS records

  • Question

  • Hello,

    I have DHCP server running on Domain Controller. OS is Windows Server 2003 R2 Standard SP1.

    DHCP server has options:

    Enable DNS dynamic updates according to the settings below - Enabled

    Always dynamically update DNS A and PTR records - Enabled

    Discard A and PTR records when lease is deleted - Enabled

    Dynamically update DNS A and PTR records for DHCP clients that do not request updates - Enabled

    User account to update DNS records is not set on DHCP advanced settings.

    AD integrated DNS zone allows only secured updates.

    I know this configuration is against MS best practice. I have created a new user account for this purpose.

    My question is, what happens to existing DNS records when I configure this user account on the DHCP server? Are there any adverse effects if I make this change? If I take a look at some DNS A record, I see that the Owner of that record is SYSTEM. I suppose this is because the DHCP server exists on a Domain Controller instead of a dedicated server.

    Monday, January 20, 2014 10:34 AM

Answers

  • What is not Microsoft best practice? Using a DHCP Credential? That's actually recommended. But using the DnsUpdateProxy group, which is ALSO required to make this work, can be a security issue on a DC. For Windows 2008 R2 and 2012, there's a command we can run to circumvent that, but not on 2003.

    No adverse effect if you make the change, however, you still have more to configure, including scavenging. See my blog and links below.

    If there are any existing DNS host records, since DHCP does not own them, then DHCP will create a record which it does own, but it will be a duplicate because it cannot update any pre-existing records. You have to either manually delete them or allow Scavenging to do its job.

    *

    ===

    In summary:

    • Configure DHCP Credentials. The credentials only need to be a plain-Jane, non-administrator, user account. But give it a really strong password.
    • Set DHCP to update everything, whether the clients can or cannot.
    • Set the zone for Secure & Unsecure Updates. Do not leave it Unsecure Only.
    • Add the DHCP server(s) to the Active Directory, Built-In DnsUpdateProxy security group. Make sure ALL other non-DHCP servers are NOT in the DnsUpdateProxy group. For example, some believe that the DNS servers or other DCs not running DHCP should be in it. They must be removed or it won't work. Make sure that NO user accounts are in that group, either. (I hope that's crystal clear - you would be surprised how many will respond asking if the DHCP credentials should be in this group.)
    • On Windows 2008 R2 or newer, DISABLE Name Protection.
    • If DHCP is co-located on a Windows 2008 R2 or Windows 2012 DC, you can and must secure the DnsUpdateProxy group by running the following:
      dnscmd /config /OpenAclOnProxyUpdates 0
    • Configure Scavenging on ONLY one DNS server. What it scavenges will replicate to others anyway.
    • Set the scavenging NOREFRESH and REFRESH values combined to be equal or greater than the DHCP Lease length.

    *

    This blog covers the following:
    DHCP Service Configuration, Dynamic DNS Updates, Scavenging, Static Entries, Timestamps, DnsUpdateProxy Group, DHCP Credentials, prevent duplicate DNS records, DHCP has a "pen" icon, and more...
    Published by Ace Fekay, MCT, MVP DS on Aug 20, 2009 at 10:36 AM
    http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx

    *

    Good summary (use in blog)
    How Dynamic DNS behaves with multiple DHCP servers on the same Domain?
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e9d13327-ee75-4622-a3c7-459554319a27

    Another good Summary:
    Thread: "DNS problem" December 18, 2013
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/37b8b6b3-6cb1-496c-8492-09ded13bab18/dns-problem?forum=winserverNIS

    And another good discussion in which Microsoft Support concurred with my settings for a poster who called in to Support, which verified my settings are correct:
    DHCP Server Not Registering A Records for Windows Clients
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e4b285d6-5795-4045-83ff-3a3c793b2cfc/

    *

    ==================
    Why is the DnsUpdateProxy group needed in conjunction with credentials? The technical reason is twofold:
     
    DnsUpdateProxy:
     Objects created by members of the DNSUpdateProxy group have no security; therefore, any authenticated user can take ownership of the objects.
     
    DHCP Credentials:
     Forces ownership to the account used in the credentials, which the DnsUpdateProxy group allowed to take ownership other than the registering client.
     
    The default process is outlined below, and this applies to non-Microsoft operating systems, too, but please note that non-Microsoft operating systems can't use Kerberos to authenticate to dynamically update into a Secure Only zone; however, you can configure Windows DHCP to do that for you.

    Following discussed in:
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/6f5b82cf-48df-495e-b628-6b1a9a0876ba/regular-domain-user-uses-rsat-to-create-dns-records?forum=winserverNIS

    DNS Record Ownership and the DnsUpdateProxy Group
     http://technet.microsoft.com/en-us/library/dd334715(v=ws.10).aspx
     
    Secure Dynamic Update
     http://technet.microsoft.com/en-us/library/cc961412.aspx
    ==================

    *


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    • Marked as answer by weedee Wednesday, January 22, 2014 6:39 AM
    Tuesday, January 21, 2014 10:13 PM
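The checklist in the answer above, turned into an audit script. This is an added example, not code from the thread or from the author's blog; it assumes Windows Server 2012 or newer with the DhcpServer, DnsServer and ActiveDirectory PowerShell modules, run on the DC that hosts both DHCP and DNS (as in the original question), with a placeholder zone name in $Zone and an assumed registry location for the OpenAclOnProxyUpdates setting.

```powershell
# Added audit script, not from the thread. Assumes Windows Server 2012 or newer with the
# DhcpServer, DnsServer and ActiveDirectory modules, run on the DC that hosts DHCP and DNS.
param(
    [string]$Server = $env:COMPUTERNAME,
    [string]$Zone   = 'corp.example'   # placeholder: your AD-integrated forward zone
)
Import-Module DhcpServer, DnsServer, ActiveDirectory -ErrorAction Stop
$findings = New-Object System.Collections.Generic.List[string]

# 1. A dedicated, non-admin credential must be set so DHCP-created records have a fixed owner.
$cred = Get-DhcpServerDnsCredential -ComputerName $Server
if (-not $cred.UserName) { $findings.Add('No DHCP DNS credential configured') }

# 2. DHCP registers for every client, discards records on lease deletion, Name Protection off.
$d = Get-DhcpServerv4DnsSetting -ComputerName $Server
if ($d.DynamicUpdates -ne 'Always')       { $findings.Add("DynamicUpdates is $($d.DynamicUpdates), expected Always") }
if (-not $d.UpdateDnsRRForOlderClients)   { $findings.Add('UpdateDnsRRForOlderClients is off') }
if (-not $d.DeleteDnsRROnLeaseExpiry)     { $findings.Add('DeleteDnsRROnLeaseExpiry is off') }
if ($d.NameProtection)                    { $findings.Add('Name Protection is enabled') }

# 3. Zone takes Secure & Nonsecure updates (needed for non-Windows clients), never Nonsecure only.
$z = Get-DnsServerZone -ComputerName $Server -Name $Zone
if ($z.DynamicUpdate -ne 'NonsecureAndSecure') { $findings.Add("Zone $Zone DynamicUpdate is $($z.DynamicUpdate)") }

# 4. DnsUpdateProxy holds only the authorized DHCP servers' computer accounts: no users, no other DCs.
$authorized = (Get-DhcpServerInDC).DnsName | ForEach-Object { ($_ -split '\.')[0].ToLower() }
foreach ($m in Get-ADGroupMember -Identity 'DnsUpdateProxy') {
    if ($m.objectClass -ne 'computer') { $findings.Add("DnsUpdateProxy has non-computer member $($m.SamAccountName)"); continue }
    if ($authorized -notcontains $m.Name.ToLower()) { $findings.Add("DnsUpdateProxy member $($m.Name) is not an authorized DHCP server") }
}

# 5. OpenAclOnProxyUpdates must be 0 (assumed: dnscmd /config stores it under the DNS service Parameters key).
$p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' -Name OpenAclOnProxyUpdates -ErrorAction SilentlyContinue
if ($null -eq $p -or $p.OpenAclOnProxyUpdates -ne 0) { $findings.Add('OpenAclOnProxyUpdates is not 0') }

# 6. Aging on, and NoRefresh + Refresh at least as long as the longest DHCP lease in any scope.
$a = Get-DnsServerZoneAging -ComputerName $Server -Name $Zone
$window   = $a.NoRefreshInterval + $a.RefreshInterval
$maxLease = (Get-DhcpServerv4Scope -ComputerName $Server | Sort-Object LeaseDuration -Descending | Select-Object -First 1).LeaseDuration
if (-not $a.AgingEnabled)  { $findings.Add("Aging is not enabled on zone $Zone") }
if ($window -lt $maxLease) { $findings.Add("NoRefresh+Refresh ($window) is shorter than the longest lease ($maxLease)") }

if ($findings.Count -eq 0) { 'All checks passed' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Each FINDING line maps to one bullet of the summary; the script only reads settings and changes nothing, so it can be run repeatedly after each remediation step.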

All replies

  • Hi Ace,

    Thank you for detailed and clear answer. That was exactly the information I was looking for and you also addressed some questions I also had in mind.

    I wrote my first post in haste, but I tried to say that currently there's NO credentials configured on our DHCP servers to update DNS records.

    I'll make sure to read your blogs. Good day!

    Wednesday, January 22, 2014 6:39 AM
  • Glad to hear it was helpful!

    Cheers!


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Wednesday, January 22, 2014 9:34 AM