Re: Permissions Required For DHCP/DNS Dynamic Updates
From: Ulf B. Simon-Weidner [MVP] (nospam2-ulf_at_usw-consulting.com)
Date: 11/10/04
- Next message: jv: "dns request timed out----Please help"
- Previous message: Giftzwerg: "Root hints ... stopped working?"
- In reply to: Todd Lehmann: "Re: Permissions Required For DHCP/DNS Dynamic Updates"
- Next in thread: Todd Lehmann: "Re: Permissions Required For DHCP/DNS Dynamic Updates"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 10 Nov 2004 20:09:59 +0000
"Todd Lehmann" <ToddLehmann@discussions.microsoft.com> wrote in message
news:ToddLehmann@discussions.microsoft.com:
> This worked perfectly. Thanks so much for your help!
>
Hello Todd,
Are you sure? I disagree. You were setting the permissions to add and
change DNS entries underneath the OU where the service account is, and
this is not the place where DNS entries are stored. If it's working,
then you gave the account more rights via a group or something. The
DHCP server should not be able to create or overwrite records. However,
since you were putting it into the DnsUpdateProxy group, every
authenticated user was able to overwrite those settings. You will
probably have issues later assigning one IP to another computer and
rewriting the PTR record.
And do you have Windows 2000 or Windows Server 2003? In Windows Server
2003 you should not change the account under which the DHCP server
runs; you are able to configure the account separately in the
properties of the server (not the service). If you have 2000, then it's
OK.
Your command line should look like this.

If you use Windows Server 2003 and replicate the zone to all
DNS servers in the AD domain:

dsacls "DC=%ZONE NAME GOES HERE%,CN=MicrosoftDNS,DC=DomainDnsZones,DC=180solutions,DC=com" /G 180solutions\svc_dhcp:CCDC;dnsNode;
dsacls "DC=%ZONE NAME GOES HERE%,CN=MicrosoftDNS,DC=DomainDnsZones,DC=180solutions,DC=com" /G 180solutions\svc_dhcp:WP;;dnsNode /I:S

If you use Windows Server 2003 and replicate the zone to all
DNS servers in the AD forest:

dsacls "DC=%ZONE NAME GOES HERE%,CN=MicrosoftDNS,DC=ForestDnsZones,DC=180solutions,DC=com" /G 180solutions\svc_dhcp:CCDC;dnsNode;
dsacls "DC=%ZONE NAME GOES HERE%,CN=MicrosoftDNS,DC=ForestDnsZones,DC=180solutions,DC=com" /G 180solutions\svc_dhcp:WP;;dnsNode /I:S

If you use Windows 2000 or Windows Server 2003 and replicate the zone
to all DCs (the only option available in W2k), the zone lives in the
System container of the domain partition (CN=System, not DC=System):

dsacls "DC=%ZONE NAME GOES HERE%,CN=MicrosoftDNS,CN=System,DC=180solutions,DC=com" /G 180solutions\svc_dhcp:CCDC;dnsNode;
dsacls "DC=%ZONE NAME GOES HERE%,CN=MicrosoftDNS,CN=System,DC=180solutions,DC=com" /G 180solutions\svc_dhcp:WP;;dnsNode /I:S
I'm not 100% sure about the distinguished names - it's evening here and
I'm too lazy right now to fire up a DC to verify. Please make sure you
are using the right DN; the best way to verify your DN is navigating to
it using ADSIEdit.msc from the resource kit, verifying that this is the
zone where the appropriate DNS records are being written, then copying
the distinguished name.
By default the DHCP server is supposed to update the reverse lookup
entries only, so you only need to configure this zone (the in-addr.arpa
thing). If you use downlevel clients or have configured the DHCP server
to make other entries (A records), you'll have to configure those zones
as well.
Let me know if you have any issues (or need me to fire up one of my
Test-DCs).
--
Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
WebSite: http://www.windowsserverfaq.org
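The delegation described in the post, as an added example that is not part of the original message or of any Microsoft tool: it builds the zone DN for each of the three replication scopes, checks with ADSI that a dnsZone object actually exists there before touching its ACL (the verification step the post asks for), warns if the service account is in DnsUpdateProxy, applies the two dsacls grants from the post and reads the ACL back. The zone name '1.168.192.in-addr.arpa', the account 'CORP\svc_dhcp' and the domain 'DC=corp,DC=example,DC=com' are assumed placeholders; it needs dsacls.exe (Support Tools / RSAT), PowerShell 2.0 or later, and rights to modify the zone object's ACL.

```powershell
# Added example (not from the original post). Delegates a DHCP service
# account create/delete and write rights on dnsNode objects in one zone,
# after verifying the zone DN. All names below are assumed placeholders.
param(
    [string]$ZoneName = '1.168.192.in-addr.arpa',
    [string]$Account  = 'CORP\svc_dhcp',
    [string]$DomainDN = 'DC=corp,DC=example,DC=com',
    # Where the zone is stored: DomainDnsZones / ForestDnsZones partition,
    # or CN=System in the domain partition (the only option on Windows 2000).
    [ValidateSet('Domain', 'Forest', 'Legacy')]
    [string]$Scope    = 'Domain',
    [switch]$DryRun
)

$container = switch ($Scope) {
    'Domain' { "CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN" }
    'Forest' { "CN=MicrosoftDNS,DC=ForestDnsZones,$DomainDN" }
    'Legacy' { "CN=MicrosoftDNS,CN=System,$DomainDN" }
}
$zoneDN = "DC=$ZoneName,$container"

# 1. Confirm the DN is a real dnsZone object before touching its ACL, so a
#    wrong partition fails here instead of ACLing the wrong (or no) object.
try   { $classes = ([ADSI]"LDAP://$zoneDN").objectClass }
catch { $classes = @() }
if ($classes -notcontains 'dnsZone') {
    throw "No dnsZone object at '$zoneDN'; check the replication scope in ADSIEdit."
}

# 2. Warn if the account sits in DnsUpdateProxy: records it registers are
#    then writable by any authenticated user, which defeats the delegation.
$sam  = $Account.Split('\')[-1]
$acct = ([ADSISearcher]"(sAMAccountName=$sam)").FindOne()
$grp  = ([ADSISearcher]"(&(objectCategory=group)(cn=DnsUpdateProxy))").FindOne()
if ($acct -and $grp) {
    $acctDN = [string]$acct.Properties['distinguishedname'][0]
    if ($grp.Properties['member'] -contains $acctDN) {
        Write-Warning "$Account is a member of DnsUpdateProxy; remove it so its records get a proper owner ACL."
    }
}

# 3. The two grants from the post: create/delete dnsNode children on the
#    zone object itself, and write-property on dnsNode objects beneath it
#    (/I:S = inherit to sub-objects only).
$grants = @(
    @($zoneDN, '/G', "${Account}:CCDC;dnsNode;"),
    @($zoneDN, '/G', "${Account}:WP;;dnsNode", '/I:S')
)
foreach ($dsaclsArgs in $grants) {
    if ($DryRun) {
        Write-Host ("dsacls " + ($dsaclsArgs -join ' '))
        continue
    }
    & dsacls.exe @dsaclsArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE" }
}

# 4. Read the ACL back and show only the entries for the service account.
& dsacls.exe $zoneDN | Select-String -SimpleMatch $sam
```

Run it once with -DryRun to see the exact dsacls lines it would issue for the chosen -Scope; the reverse lookup zone is the one to start with, as the post notes, and any forward zones the DHCP server is configured to register need the same two grants.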