Re: DNS Server Refuses Updates from DHCP
- From: "Kevin D. Goodknecht Sr. [MVP]" <admin@xxxxxxxxxxxxxx>
- Date: Fri, 3 Nov 2006 20:45:01 -0600
Will wrote:
> "Kevin D. Goodknecht Sr. [MVP]" <admin@xxxxxxxxxxxxxx> wrote in
> message news:ep5Hi#0$GHA.4292@xxxxxxxxxxxxxxxxxxxxxxx
>> Will wrote:
>>> I really hate to run services as domain accounts, since Microsoft
>>> stores the passwords of such accounts in system memory as clear
>>> text, and it's a common hacker trick when doing a buffer overload
>>> on a service to grab those accounts and passwords and use them for
>>> further attacks. Would there be any way to run the DHCP service
>>> as one of the reserved accounts like Network Service?
>>
>> You do not need to run the DHCP service as a domain account. Right
>> click on the server in the DHCP console, select Properties, select
>> the Advanced tab, click the Credentials button, and enter a dedicated
>> user account's credentials. This user need not be a member of any
>> special group, but all DHCP servers must use the same credentials,
>> and I recommend a strong non-expiring password. This account is used
>> by DHCP to take ownership of records it registers, so it can update
>> the record when the IP changes and remove the records when the lease
>> expires.
>>
>> I also recommend adding Windows 2000 and Microsoft option 002, which
>> will release the lease when the client is shut down. Windows clients
>> do not normally release their IP lease on shutdown and will attempt
>> to use the IP again when they start.
>
> Thanks for this additional information. Can you help me understand
> what good is a local (non-domain) account for the DHCP server in
> helping to authenticate its privilege level to the domain controller?

Do not use a local non-domain account for the DHCP server to authenticate
with DNS; create a dedicated domain user account with no special
privileges.

> I was (maybe wrongly) assuming that the reason to require an account
> to run the DHCP server was so that the same account could be added to
> the special group DNSUpdateProxy that is authorized to update DNS
> records remotely. Up to now the only entity I had placed into that
> group was the DHCP server's machine object, in the hopes that it
> might be authenticated by the DC's DNS and authorized to update DNS
> directly.

If DNS is accepting only secure updates, the DnsUpdateProxy group cannot
make secure updates.

Thoroughly read the article Jorge posted. Especially, read the first
sentence of the paragraph under this heading: "Securing records when using
the DnsUpdateProxy group"

"DNS domain names that are registered by the DHCP server are not secure when
the DHCP server is a member of the DnsUpdateProxy group."

Why are you bucking all recommendations by many users and Microsoft
themselves to use a dedicated user account to update DNS?
--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
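The configuration Kevin describes above (a dedicated, unprivileged domain account for DHCP's dynamic DNS updates, the same account on every DHCP server, the DHCP server's computer object kept out of DnsUpdateProxy, and option 002 so clients release their lease at shutdown) can be applied and verified from PowerShell on current Windows Server releases. The script below is an added example for this thread, not code from the original post or from Microsoft; the 2006 thread describes the DHCP console, and the cmdlets here (DhcpServer, DnsServer and ActiveDirectory modules, Windows Server 2012 R2 or later) did not exist then. The domain CORP.EXAMPLE, the account CORP\svc-dhcpdns, the server names DHCP01 and DC01, and the zone name corp.example are assumptions for illustration.

```powershell
# Added example (not from the original thread). Run as a DHCP and AD administrator.
# Assumed names: domain CORP.EXAMPLE, DNS zone corp.example, DHCP server DHCP01,
# domain controller DC01, dedicated update account CORP\svc-dhcpdns.
Import-Module DhcpServer
Import-Module DnsServer
Import-Module ActiveDirectory

$dhcpServer = 'DHCP01.corp.example'   # assumed
$dnsServer  = 'DC01.corp.example'     # assumed
$zoneName   = 'corp.example'          # assumed
$svcSam     = 'svc-dhcpdns'           # assumed plain domain user, no extra groups

# 1. The "Credentials" button on the Advanced tab of the server properties:
#    the account DHCP uses to register, update and remove client records.
#    Every DHCP server must use the same account so each can modify records
#    the others registered (DHCP takes ownership of records it creates).
$cred = Get-Credential -UserName "CORP\$svcSam" -Message 'Password of the DHCP DNS-update account'
Set-DhcpServerDnsCredential -ComputerName $dhcpServer -Credential $cred
Get-DhcpServerDnsCredential -ComputerName $dhcpServer   # shows UserName/DomainName only

# 2. Check the account is really unprivileged and that its password does not expire,
#    since a DHCP server with an expired update password silently stops updating DNS.
$acct = Get-ADUser -Identity $svcSam -Properties MemberOf, PasswordNeverExpires
if ($acct.MemberOf.Count -gt 0) {
    Write-Warning "$svcSam has group memberships beyond Domain Users: $($acct.MemberOf -join ', ')"
}
if (-not $acct.PasswordNeverExpires) {
    Set-ADUser -Identity $acct -PasswordNeverExpires $true
}

# 3. The DHCP server's own computer object must NOT be in DnsUpdateProxy: records
#    registered by a member of that group carry no owner and are not secure, so
#    any client can overwrite them even in a secure-only zone.
$proxyMembers = Get-ADGroupMember -Identity 'DnsUpdateProxy' |
    Select-Object -ExpandProperty SamAccountName
$dhcpComputer = (Get-ADComputer -Identity 'DHCP01').SamAccountName   # 'DHCP01$'
if ($proxyMembers -contains $dhcpComputer) {
    Write-Warning "$dhcpComputer is in DnsUpdateProxy; records it registers will not be secure."
    # Remove-ADGroupMember -Identity 'DnsUpdateProxy' -Members $dhcpComputer -Confirm:$false
}

# 4. Confirm the zone only accepts secure dynamic updates; with "NonsecureAndSecure"
#    the credential configured above buys nothing, because unauthenticated updates
#    are accepted from anyone.
$zone = Get-DnsServerZone -ComputerName $dnsServer -Name $zoneName
if ($zone.DynamicUpdate -ne 'Secure') {
    Write-Warning "$zoneName accepts $($zone.DynamicUpdate) dynamic updates; set it to Secure."
    # Set-DnsServerPrimaryZone -ComputerName $dnsServer -Name $zoneName -DynamicUpdate Secure
}

# 5. "Microsoft Release DHCP Lease On Shutdown" is option 002 in both the
#    "Microsoft Windows 2000 Options" and "Microsoft Options" vendor classes.
#    Value 1 makes Windows clients release the lease at shutdown, so DHCP
#    can remove the DNS record instead of leaving it until the lease expires.
foreach ($vendorClass in 'Microsoft Windows 2000 Options', 'Microsoft Options') {
    Set-DhcpServerv4OptionValue -ComputerName $dhcpServer -VendorClass $vendorClass `
        -OptionId 2 -Value 1
}
```

Steps 1 and 5 set server-wide values; scope-level settings, if any, override them, so check `Get-DhcpServerv4OptionValue -ScopeId <scope> -VendorClass ...` on scopes that already have vendor options. The password is handed to the DHCP service, which stores it for its own use; rotating it means repeating step 1 on every DHCP server in the same change window, or the servers that still hold the old password lose the ability to update the records the others own.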