Follow up discussion on the DNSUpdateProxy-Group

2K3 - Register PTR nur unsicher m?glich - Seite 2 - MCSEboard.de MCSE Forum

2K3 - Register PTR nur unsicher m?glich - Seite 2 - MCSEboard.de MCSE Forum — Fri, 04 Apr 2008 22:09:33 GMT

Pingback from 2K3 - Register PTR nur unsicher m?glich - Seite 2 - MCSEboard.de MCSE Forum

re: Follow up discussion on the DNSUpdateProxy-Group

Ulf B. Simon-Weidner — Sun, 31 Jul 2005 22:58:00 GMT

Hello Michel-Vincent,

as I stated in http://msmvps.com/ulfbsimonweidner/archive/2004/11/15/19325.aspx you are able to define an account which is used for the registration of the DNS-Records under WS2k3 and W2k SP2. In WS2k3 you can specify the account directly in the DHCP-Server Properties, in W2k you can let the service run under that account.

So there's no need to put the DC in the DNSUpdateProxy-Group - just let DHCP register the records using a predefined account.

Ulf

re: Follow up discussion on the DNSUpdateProxy-Group

Ulf B. Simon-Weidner — Mon, 18 Jul 2005 16:07:00 GMT

Hello Simon

Your description of the DNSUpdateProxy issue is clear.
But is there a solution to the DHCP + DC issue?
I understand one should not install an AD-integrated DNS on a W2K(3) server and have that server account be a member of the DNSUpdateProxy group, as critical entries in the _mscdcs zone will be unsecure.

In other words, you cannot have the best of both worlds: if the DHCP/DC is a member of DNSUpdateProxy, it creates a security gap; if it is not, its computer account will become the sole owner of the clients record(s), and no one else will be able to update those records. Is this statement correct?

Any solution/workaround to this issue?