Microsoft Secure DNS and Authenticated Users group interdependencies
- From: "Daniel Shlyam" <danielsh@xxxxxxxxxxx>
- Date: Tue, 15 May 2007 12:34:50 -0400
Hi all,
This is a pretty long-winded post, but please bear with me. I would really appreciate it if anyone who considers themselves a DNS expert would take a good look at this post. If I can get a concise answer or suggestion it would be GREATLY appreciated.
I noticed a peculiarity while testing DNS in the lab. This looks like everything is working essentially as designed, but it's just VERY different from what I would expect. Check [1] for the actual steps performed.
What I'm seeing is that on AD integrated DNS running on w2k3 R2 SP1 (DNS.EXE v5.2.3790.1830), if I have Secure Updates Only enabled on the zone, I can only update the records if the Authenticated Users group has write access. The key here is the Authenticated Users group. If I add a computer to the DNS-Test group and give this group full control over that computer's A record, the dynamic update will not happen. Only if the Authenticated Users group has write access will the record update.
Another peculiarity is the importance of READ permission on Authenticated Users group.
If the A record is set with default permissions and Authenticated Users has the elevated permissions set in [2], after the client successfully updates the record, the client is added to the ACE with WRITE permissions and the Authenticated Users permissions get reset. While I don't see anything strange with adding the client to the ACE so it can modify the record, the automatic changing of explicitly assigned permissions by the system is interesting at least. If Authenticated Users has WRITE permissions but not READ permissions the record will be updated, but none of the permission changes described here will occur.
What is VERY peculiar in this example is that it seems that when Authenticated Users group has READ and WRITE permissions on a record, DNS server removes and recreates the record (or at least fully resets the permissions to default) and adds PC to record's ACE, essentially fully resetting the records as if it was just created. If, however, READ permissions are removed from Authenticated Users and only WRITE is set, the record will be dynamically updated by the PC but no reset of permissions will occur.
Also, as I have mentioned above, the PC's membership in any group with WRITE (or higher, or any) permissions on the record other than Authenticated Users will NOT allow dynamic update at all.
I am looking for an article or any information on how exactly this was meant to work, specifically the Authenticated Users group dependency to be able to dynamically update records. Also if someone could try this in their lab and let me know the results, I would appreciate it. Perhaps this can be found somewhere at MSDN, but I was unsuccessful in locating the description on how this should work.
[1]
To replicate this scenario I did the following:
1. Set DNS to AD integrated and Secure Updates Only
2. Dynamically register the DNS record for a PC. (ipconfig /registerdns)
3. Modify security setting for A record for the dynamically registered record from step 2. (Remove PC's ACE from the record)
4. Change the IP on the record to something different and verify that the PC is no longer able to modify its record. (Run ipconfig /registerdns from the PC)
5. Add PC to any group (DNS-Test) and give this group Full Control permissions on the PC's A record.
6. Run ipconfig /registerdns from the PC and verify that the PC still cannot update its record. (If this works differently for you, it means that my lab is bad somehow)
7. Modify the record's ACE to give Authenticated Users READ and WRITE access. (Or use the DSACL command. You can also add any number of other groups and users to the record's permissions just to see them disappear in the next step.)
8. Run ipconfig /registerdns from the PC again and notice the record being fully reset with the PC being added to the record's ACE.
[2]
For this to work I used the DSACL command to set the record to the following permissions (CCRCWSWP):
CC - Create Child Object
RC - Read security information
WS - Write to self object
WP - Write property
For the purposes of demonstrating this effect, clicking the READ and WRITE checkboxes in the GUI will do the same. (The DSACL example command was found on http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/03.aspx)
Best regards,
Daniel Shlyam | Infrastructure Architect
Avanade Inc
im: danielsh@xxxxxxxxxxx
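An added audit script for the behaviour described in the post above (it is not part of the original message and was not written by its author): it lists, for the zone and for every record in it, whether Authenticated Users holds the create-child / write ACE the post found necessary, and which machine accounts hold write ACEs of their own, so a failing registration can be compared against step 7 of the repro. It assumes the RSAT ActiveDirectory module and uses placeholder names (domain example.com, zone example.com stored in DomainDnsZones).

```powershell
# Added audit script, not from the original post. Needs the RSAT ActiveDirectory
# module and read access to the zone's objects. Placeholders (assumed):
# domain example.com, zone example.com stored in the DomainDnsZones partition.
Import-Module ActiveDirectory

$ZoneDn     = 'DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com'
$AuthUsers  = @('NT AUTHORITY\Authenticated Users', 'S-1-5-11')   # resolved name or raw SID
$ADRights   = [System.DirectoryServices.ActiveDirectoryRights]
$WriteMask  = $ADRights::WriteProperty -bor $ADRights::GenericWrite -bor $ADRights::GenericAll
$CreateMask = $ADRights::CreateChild -bor $ADRights::GenericAll

# True when $ace is an Allow ACE for one of $principals carrying any bit of $mask
function Test-Ace($ace, [string[]]$principals, $mask) {
    ($ace.AccessControlType -eq 'Allow') -and
    ($principals -contains $ace.IdentityReference.Value) -and
    ([int]($ace.ActiveDirectoryRights -band $mask) -ne 0)
}

# Zone level: secure dynamic update depends on Authenticated Users being able to
# create child (dnsNode) objects (the "CC" right from the post); report if missing.
$zoneAcl = Get-Acl -Path "AD:\$ZoneDn"
$zoneOk  = @($zoneAcl.Access | Where-Object { Test-Ace $_ $AuthUsers $CreateMask }).Count -gt 0
[pscustomobject]@{ Object = $ZoneDn; Check = 'Authenticated Users CreateChild'; Result = $zoneOk }

# Record level: for each dnsNode, does Authenticated Users hold a write ACE, and
# which machine accounts (names ending in $) hold write ACEs of their own?
Get-ADObject -SearchBase $ZoneDn -SearchScope OneLevel -LDAPFilter '(objectClass=dnsNode)' |
  ForEach-Object {
    $node = $_
    $acl  = Get-Acl -Path "AD:\$($node.DistinguishedName)"
    $authWrite = @($acl.Access | Where-Object { Test-Ace $_ $AuthUsers $WriteMask }).Count -gt 0
    $machines  = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -like '*$' -and
        ([int]($_.ActiveDirectoryRights -band $WriteMask) -ne 0)
    } | ForEach-Object { $_.IdentityReference.Value })
    # Per the behaviour observed in the post, a record without an Authenticated
    # Users write ACE is not updated dynamically even if the host's group has
    # Full Control on it.
    $note = if ($authWrite) { '' } else { 'dynamic update by host expected to fail' }
    [pscustomobject]@{
        Record                  = $node.Name
        AuthenticatedUsersWrite = $authWrite
        MachineWriteAces        = ($machines -join ';')
        Note                    = $note
    }
  } | Format-Table -AutoSize
```

Run it before and after step 7 of the repro to see the Authenticated Users ACE appear and the machine account get added to the record's ACE.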