DHCP, DNS and the DNSUpdateProxy-Group

re: Follow up discussion on the DNSUpdateProxy-Group

TrackBack — Sun, 31 Jul 2005 13:58:00 GMT

re: DHCP, DNS and the DNSUpdateProxy-Group

Ulf B. Simon-Weidner — Sun, 27 Mar 2005 04:35:00 GMT

Hi Bob,

I've answered your question in a new Blogentry:
http://msmvps.com/ulfbsimonweidner/archive/2005/03/26/39841.aspx

Thanks for the answer again, if you have comments they are always welcome and apprechiated.

Ulf

Follow up discussion on the DNSUpdateProxy-Group

TrackBack — Sat, 26 Mar 2005 19:29:00 GMT

Training, Speaking at CeBit, and getting a boost on Testing

TrackBack — Wed, 23 Mar 2005 21:18:00 GMT

re: DHCP, DNS and the DNSUpdateProxy-Group

Ulf B. Simon-Weidner — Sat, 12 Mar 2005 04:31:00 GMT

How does this solve the problem that the DNSUPDATEPROXY group was designed to fix, namely the prevention of stale records and the ability of upgrade clients (NT --> 2000) to refresh and update records created for them by the DHCP server?

re: DHCP, DNS and the DNSUpdateProxy-Group

Ulf B. Simon-Weidner — Wed, 16 Feb 2005 04:55:00 GMT

Hi Max,

sorry for answering so late - those Trainings and their preparation keep my busy right now.

You have a Offline DC? Then you need to be very carefull that you replicate them once in a while - latest every 60 days. There are other solutions to provide DHCP redundancy. If you have different subnets, you can put the DHCP-Servers on different subnets and split the scopes (the router needs to support BootP Forwarding / DHCP-Relaying). You'd also be able to configure the subnet on both DHCP-Servers, but activate it on just one. Enable conflict detection. Or cluster the DHCP-Server. Or install and configure DHCP on both servers, configure the same scopes, but put the DHCP-Server Service on one machine to deactivated and stop it.

Back to the reason of your question - do NOT use the DnsUpdateProxy-Group - configure both DHCP-Server Services to run under a specific Serviceaccount. As stated in the Blog DnsUpdateProxy is bad - it makes your dynamic updates as reliable as if they were "unsecure" - and this is paticulary bad if you are running DHCP on a DC. Create a Serviceaccount and configure the DHCP-Services to run under that account. That's much more secure.

re: DHCP, DNS and the DNSUpdateProxy-Group

Ulf B. Simon-Weidner — Thu, 03 Feb 2005 23:35:00 GMT

I have one dhcp online(DC) and one offline (DC) (backup)
The domain it's 2000 native mode one forest one domain
the dns zone is integrated in AD and allow only security update
i just wanna know if i need to start the backup dhcp server (stopping the another one) i need the dnsupdateproxy group and set with the netsh
command an account ?

thanks
Max