Danger of setting DNS Dynamic Updates to Secure Only?

  • Question

  • I'll try to be concise in explaining the reason for my question.  About a year ago, we accidentally changed the dynamic updates setting on our AD integrated domain DNS zone to "secure only" from "nonsecure and secure".  About 2 weeks later (after the 7 + 7 scavenging/aging period), multiple server DNS records (non-DHCP) went missing as the servers did not have rights to update their own records under "secure only".  At the time, we just set it back to "nonsecure and secure" and planned to address at a later time.

    Now, we have been following the blogs from Ace Fekay and working through DHCP/DNS settings and permissions along with the correct Lease/Aging/Scavenging. 

    Our concern now is whether we can change our DNS zone to "secure only" and the servers (non-DHCP) will be able to update their own records correctly.  I have read multiple articles, etc., and compared security settings against a vanilla test domain controller to see what permissions are missing on our DNS zone, but I can't seem to find anything amiss.

    Any recommendations or tools/scripts I can run against my records to see if the permissions are set correctly and there are no dangers/roadblocks to changing the zone back to "secure only"?

    Tuesday, June 25, 2019 8:24 PM

All replies

  • Hello,

    Thank you for posting in this forum.

    " multiple server DNS records (non-DHCP) "

    These machines are domain members, right? non-DHCP means that their IP addresses are statically configured instead of assigned by DHCP, right?

    If so, you can change the zone back to "secure only".

    Best Regards,

    Leon


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, June 26, 2019 9:37 AM
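    The original poster asked for a script to check, before switching the zone back to "secure only", whether each statically addressed domain member can still update its own record. The PowerShell below is an added example for that check; it is not code from the thread or from Microsoft. It assumes it runs on a domain controller (or a host with the DnsServer and ActiveDirectory RSAT modules), that the zone is AD-integrated and stored in the DomainDnsZones partition (adjust $ZoneDN if it lives in ForestDnsZones or the domain partition), and that each host name maps to a computer account named <host>$ in the same domain; the zone name is a placeholder. The underlying assumption, which matches the poster's symptom, is that under "secure only" a client can only refresh a dnsNode object on which its computer account holds write rights, so a timestamped record lacking that ACE will stop refreshing and be scavenged once the no-refresh plus refresh window has passed.

```powershell
# Added example (not from the thread). Assumptions: DnsServer + ActiveDirectory
# modules available, zone stored in DomainDnsZones, computer accounts named <host>$.
Import-Module DnsServer
Import-Module ActiveDirectory

$ZoneName = 'corp.example.com'                      # placeholder zone name
$Domain   = Get-ADDomain
$ZoneDN   = "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$($Domain.DistinguishedName)"
$NetBIOS  = $Domain.NetBIOSName

# 1. Show the zone's current update mode and its aging/scavenging windows
#    (the "7 + 7" in the question is NoRefreshInterval + RefreshInterval).
Get-DnsServerZone -Name $ZoneName |
    Select-Object ZoneName, DynamicUpdate, IsDsIntegrated, ReplicationScope
Get-DnsServerZoneAging -Name $ZoneName |
    Select-Object AgingEnabled, NoRefreshInterval, RefreshInterval

# 2. For every timestamped (dynamic) A record, read the ACL of the matching
#    dnsNode object and check that the host's own computer account is allowed
#    to write it. Static records (no timestamp) are skipped: they are never
#    scavenged and do not need to be refreshed by the host.
$results = foreach ($rr in Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A) {
    if (-not $rr.Timestamp -or $rr.HostName -eq '@') { continue }

    $nodeDN = "DC=$($rr.HostName),$ZoneDN"
    $acl    = Get-Acl -Path "AD:\$nodeDN" -ErrorAction SilentlyContinue
    if (-not $acl) { continue }                     # node not in this partition

    $account  = "$NetBIOS\$($rr.HostName.ToUpper())$"
    $canWrite = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $account -and
        ("$($_.ActiveDirectoryRights)" -match 'GenericAll|GenericWrite|WriteProperty')
    }

    [pscustomobject]@{
        Host          = $rr.HostName
        IPv4          = $rr.RecordData.IPv4Address.IPAddressToString
        Timestamp     = $rr.Timestamp
        Owner         = $acl.Owner
        CanSelfUpdate = [bool]$canWrite
    }
}

# Records with CanSelfUpdate = False are the ones that would stop refreshing
# under "secure only" and be removed by scavenging after NoRefresh + Refresh.
$results | Sort-Object CanSelfUpdate, Host | Format-Table -AutoSize
```

    Records flagged CanSelfUpdate = False are typically ones that were registered while the zone accepted nonsecure updates, so the client never became the owner of the dnsNode. The least surprising remediation is to delete such a record and have the host re-register it (ipconfig /registerdns on the host) while the zone is still in "nonsecure and secure" mode, then re-run the check before switching to "secure only"; granting the computer account write access on the existing node with Set-Acl is the alternative when the record cannot be briefly absent.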
  • Hi,

    Just checking the current situation of your problem.
    Please let us know if you would like further help.

    Best regards,
    Leon


    Friday, June 28, 2019 8:56 AM
  • Hi,
    Was your issue resolved?
    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.
    If you resolved it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.
    If not, please reply and tell us the current situation in order to provide further help.
    Best Regards,
    Leon


    Tuesday, July 2, 2019 7:16 AM