DNS record ownership and the DnsUpdateProxy group

I have a 2 x 2003 domain controller that have DNS and DHCP Services installed
I was thinking of configuring DHCP to use a service account to update DNS records.
If I set this, do the DHCP servers need to be members of the DNSUpdateProxy security group for the service account to work?

I have to agree with John here. I don't think it's reasonable to just say 'MS told us so'. We need a technical reason before an answer is given. I have multiple DHCP servers and I use a security account on them to register the records and never use the DNSUpdateProxy group, and I have no problems. My thinking is this:
Assume we are using AD-integrated secure zones:
Scenario 1:
Windows DHCP server is registering records on behalf of clients
Not a member of the DNSUpdateProxy group and not using a dedicated account
Records will have owner dhcpserver$ and only that account can update
This is a problem if that DHCP server fails
Also, a non-Windows DHCP server with no AD account cannot update
Scenario 2:
Windows DHCP server is registering records on behalf of clients
Member of the DNSUpdateProxy group and not using a dedicated account
Records will have owner SYSTEM and Authenticated Users can update, meaning any user or client in that domain
No problem if that DHCP server fails, as any other authorized DHCP server can update
Non-Windows DHCP servers can update if they have a domain machine account
Scenario 3:
Windows DHCP server is registering records on behalf of clients
Using a dedicated account
Records are added with the owner being this dedicated account
Another DHCP server that also uses this same account can update the records
A non-Windows DHCP server that can use this account can also update the records
Now, can someone from MS please clarify the technical reason they say that in Scenario 3, you must add the DHCP servers to the DNSUpdateProxy group?
http://technet.microsoft.com/en-us/library/cc780538(v=ws.10).aspx
I guess this link didn't help?
DNS Record Ownership and the DnsUpdateProxy Group
"... to protect against unsecured records or to permit members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you must create a dedicated user account and configure DHCP servers to perform DNS dynamic updates
with the credentials of this account (user name, password, and domain). Multiple DHCP servers can use the credentials of one dedicated user account."
http://technet.microsoft.com/en-us/library/dd334715(WS.10).aspx
Just to add:
Why is the DnsUpdateProxy group needed in conjunction with credentials?
The technical reason is twofold:
DnsUpdateProxy:
 Objects created by members of the DNSUpdateProxy group have no security; therefore, any authenticated user can take ownership of the objects.
DHCP Credentials:
 Forces ownership to the account used in the credentials, where the DnsUpdateProxy group alone would allow ownership to be taken by someone other than the registering client.
Otherwise, the default process is outlined below. This applies to non-Microsoft operating systems too, but please note that non-Microsoft operating systems can't use Kerberos to authenticate in order to dynamically update into a Secure Only zone; however, you can configure Windows DHCP to do that for you.
1. By default, Windows 2000 and newer statically configured machines will
register their own A record (hostname) and PTR (reverse entry) into DNS.
2. If set to DHCP, a Windows 2000, 2003 or XP machine, will request DHCP to allow
the machine itself to register its own A (forward entry) record, but DHCP will register its PTR
(reverse entry) record.
3. If Windows 2008/Vista, or newer, the DHCP server always registers and updates client information in DNS.
   Note: "This is a modified configuration supported for DHCP servers
         running Windows Server 2008 and DHCP clients. In this mode,
         the DHCP server always performs updates of the client's FQDN,
         leased IP address information, and both its host (A) and
         pointer (PTR) resource records, regardless of whether the
         client has requested to perform its own updates."
         Quoted from, and more info on this, see:
http://technet.microsoft.com/en-us/library/dd145315(v=WS.10).aspx
4. The entity that registers the record in DNS, owns the record.
   Note "With secure dynamic update, only the computers and users you specify
        in an ACL can create or modify dnsNode objects within the zone.
        By default, the ACL gives Create permission to all members of the
        Authenticated User group, the group of all authenticated computers
        and users in an Active Directory forest. This means that any
        authenticated user or computer can create a new object in the zone.
        Also by default, the creator owns the new object and is given full control of it."
        Quoted from, and more info on this:
http://technet.microsoft.com/en-us/library/cc961412.aspx
More on this discussed in:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/6f5b82cf-48df-495e-b628-6b1a9a0876ba/regular-domain-user-uses-rsat-to-create-dns-records?forum=winserverNIS
If that doesn't help, I highly suggest to contact Microsoft Support to get a definitive response. If you do, I would be highly curious what they say if it's any different than what I found out from the product group (mentioned earlier in this thread).
And of course, if you can update what you find out, it will surely benefit others reading this thread that have the same question!
Thank you!
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
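The three ownership scenarios above can be checked directly, because in an AD-integrated zone every record is a dnsNode object with its own security descriptor. This is an added example, not code from the thread: it lists the owner and the principals with write access for each record, and summarises how many records each principal owns. It assumes the RSAT ActiveDirectory module, a domain-joined session with read access to the zone, and a zone stored in the DomainDnsZones partition (change the container DN for ForestDnsZones or legacy zones); the zone name in the usage lines is a placeholder.

```powershell
# Added example (not from the thread). Reports who owns the dnsNode objects of an
# AD-integrated zone so you can tell which ownership scenario your records are in:
#   dhcpserver$      -> DHCP registered them with its own computer account (Scenario 1)
#   NT AUTHORITY\SYSTEM -> registered through the DnsUpdateProxy group (Scenario 2)
#   DOMAIN\dhcpsvc   -> registered with the dedicated DHCP credential (Scenario 3)
#   hostname$        -> the client registered the record itself
Import-Module ActiveDirectory

function Get-DnsNodeOwnership {
    param(
        [Parameter(Mandatory = $true)] [string] $ZoneName,
        # Distinguished name of the domain; discovered automatically when omitted
        [string] $DomainDN = (Get-ADDomain).DistinguishedName
    )

    # Assumption: the zone replicates to the domain partition (DomainDnsZones).
    $zoneDN = "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN"

    Get-ADObject -SearchBase $zoneDN -SearchScope OneLevel `
                 -LDAPFilter '(objectClass=dnsNode)' `
                 -Properties nTSecurityDescriptor, dNSTombstoned |
        ForEach-Object {
            $sd = $_.nTSecurityDescriptor

            # Principals that can modify the record: explicit Allow ACEs carrying
            # write rights. Owners get full control implicitly (see the quoted note
            # above), so the owner is reported separately.
            $writers = $sd.Access |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteProperty'
                } |
                ForEach-Object { $_.IdentityReference.Value } |
                Sort-Object -Unique

            [pscustomobject]@{
                Record     = $_.Name           # '@' is the zone apex
                Owner      = $sd.Owner         # e.g. 'NT AUTHORITY\SYSTEM'
                Writers    = ($writers -join '; ')
                Tombstoned = [bool]$_.dNSTombstoned   # already scavenged, awaiting cleanup
            }
        }
}

# One line per owner with a record count: a zone where most records are owned
# by hostname$ accounts is one where DHCP is not registering on the clients'
# behalf, whatever the DHCP console claims.
function Get-DnsNodeOwnerSummary {
    param([Parameter(Mandatory = $true)] [string] $ZoneName)

    Get-DnsNodeOwnership -ZoneName $ZoneName |
        Where-Object { -not $_.Tombstoned } |
        Group-Object Owner |
        Select-Object @{ n = 'Owner'; e = { $_.Name } }, Count |
        Sort-Object Count -Descending
}

# Usage (zone name is a placeholder):
# Get-DnsNodeOwnerSummary -ZoneName 'corp.example.com'
# Get-DnsNodeOwnership -ZoneName 'corp.example.com' |
#     Where-Object Owner -like '*SYSTEM' | Format-Table -AutoSize
```

Records owned by SYSTEM are the ones the quoted TechNet text calls "unsecured": any authenticated user can take ownership of them, which is why the dedicated credential is recommended alongside the group.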

Similar Messages

  • DNS record ownership for DHCP clients

    my configuration:
    dhcp/dns/dc installed on same system - Windows 2008 R2 SP1 in domain environment.
    all zones configured to secure updates only with aging and scavenging enabled
    dhcp servers are member of DNSupdateproxy group.
    dhcp are configured with standard domain user account (this user was made a member of dnsupdateproxy as well, DOES THAT MATTER?)
    dhcp scopes are configured with default DNS setup (force DNS update by DHCP)
    now...
    all DNS records for endpoint devices on dhcp lease (windows7, mac os X, ubuntu) are owned by SYSTEM
    in security tab for some DNS records i can see service account with write permission to record ( i believe this is desired state)
    in other records service account has no permission but timestamps are still updated by computer account (hostname$ has write permission). these records have pencil icon on computers in dhcp lease table.
    Problem with this (hostname$ has write permissions) is when user connect to network via VPN (obtains dhcp lease) it get's two records registered in DNS -> 1 record for ip distributed by dhcp server and 2nd record for his home private network.
    Have anyone seen this before?
    i've tried deleting DNS records / releasing ip on endpoint device (example win7). It would not register to DNS by DHCP. However if i do ipconfig /registerdns it will do it, but dhcp service account won't have permission no this record.

    Apparently DHCP may not be configured with credentials, the DHCP DNS settings are not configured to force DHCP to register ALL requests, and the DHCP server itself has not been added to the DnsUpdateProxy group. These are all prerequisites for DHCP to own all records; otherwise you will see the default behavior, which is:
    By default, Windows 2000 and newer statically configured machines will register their A record (hostname) and PTR (reverse entry) into DNS.
    If set to DHCP, a Windows 2000 or newer machine will request DHCP to allow the machine itself to register its own A record, but DHCP will register its PTR (reverse entry) record.
    The entity that registers the record in DNS, owns the record.
    In summary:
    Configure DHCP Credentials. The credentials only need to be a plain-Jane, non-administrator, user account. Give it a really strong password.
    Set DHCP properties, DNS tab, to update everything, whether the clients can or cannot.
    Add the DHCP server(s) to the Active Directory, Built-In DnsUpdateProxy security group.
    Make sure ALL other non-DHCP servers are NOT in the DnsUpdateProxy group. For example, some believe that the DNS servers or other DCs not running DHCP should be in it. They must be removed or it won't work.
    On Windows 2008 R2 or newer, DISABLE Name Protection.
    If DHCP is co-located on a Windows 2008 R2 or Windows 2012 DC, you can and must secure the DnsUpdateProxy group by running the following:
    dnscmd /config /OpenAclOnProxyUpdates 0
    Configure Scavenging on one DNS server. Set the NOREFRESH and REFRESH values combined to be equal to or greater than the DHCP lease length. What it scavenges will replicate to the others anyway.
    DHCP Service Configuration, Dynamic DNS Updates, Scavenging, Static Entries, Timestamps, DnsUpdateProxy Group, DHCP Credentials, prevent duplicate DNS records, DHCP has a "pen" icon, and more...
    Published by Ace Fekay, MCT, MVP DS on Aug 20, 2009 at 10:36 AM
    http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx 
    Good summary:
    How Dynamic DNS behaves with multiple DHCP servers on the same Domain?
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e9d13327-ee75-4622-a3c7-459554319a27
    DNS Record Ownership and the DnsUpdateProxy Group
     http://technet.microsoft.com/en-us/library/dd334715(v=ws.10).aspx
    DNS Record Ownership and the DnsUpdateProxy Group
    "... to protect against unsecured records or to permit members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you must create a dedicated (NON-ADMIN) user account and
    configure DHCP servers to perform DNS dynamic updates with the credentials of this account (user name, password, and domain). Multiple DHCP servers can use the credentials of one dedicated user account."
    http://technet.microsoft.com/en-us/library/dd334715(WS.10).aspx
    DNS record ownership and the DnsUpdateProxy group
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/b17c798c-c4b2-4624-926c-4d2676e68279/
    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
    This post is provided AS-IS with no warranties or guarantees and confers no rights.

  • Our Band purchased Logic Pro and it was loaded to one member's Macbook Pro. Unfortunately, he passed away with cancer in May. How can we transfer the ownership and the software (it was downloaded) to a new user's Macbook?

    Hi Kurt,
    The Mac IIci is not even powering on at all. Tried again with a tested power cable and no luck.
    I think it's best to take this issue to the Older Hardware Community. Not only did I see a fair number of replacement parts for the IIci available online, but there are also vintage external floppy drives as well. I'm not giving up.
    Thank you for your time and interest in helping.

  • How to take a value of the first record/occurrence and the last record?

    Hi experts
    Can anyone help me with this:
    How can I make IP take the value of the first record/occurrence and the last record in a CSV file?
    I need to take the first and the last to put the StartTime of the first record and the StopTime of the last record in the target file.
    This is my Original CSV File
    20110820,220DNE0220,140.13 ,0.000 ,E01,0
    20110820,240FGC4280,103.80 ,0.000 ,E01,0
    20110821,220DNE0220,142.58 ,0.000 ,E01,0
    20110821,240FGC4280,88.70 ,0.000 ,E01,0
    20110822,220DNE0220,151.92 ,0.000 ,E01,0
    20110822,240FGC4280,91.47 ,0.000 ,E01,0
    Where:
    The first field is the date.
    I require my target file to be:
    20110820,20110822,140.13 ,0.000 ,E01,0
    20110820,20110822,103.80 ,0.000 ,E01,0
    20110820,20110822,142.58 ,0.000 ,E01,0
    20110820,20110822,88.70 ,0.000 ,E01,0
    20110820,20110822,151.92 ,0.000 ,E01,0
    20110820,20110822,91.47 ,0.000 ,E01,0
    Thanks..

    Hi lizcam,
    A. Use FCC at sender side, it will convert CSV to XML like this
    Input XML
    <documentName>
    <recordset>
    <record>
      <Time>20110820</Time>
      <ID>220DNE0220</ID>
      <Quan>140.13</Quan>
      <Volume>0.000</Volume>
      <Auc>E01</Auc>
      <No>0</No>
    </record>
    </recordset>
    </documentName>
    Create a target DT like this
    Output XML
    <recordset>
    <record>
      <StartTime>20110820</StartTime>
      <EndTime>20110822</EndTime>
      <Quan>140.13</Quan>
      <Volume>0.000</Volume>
      <Auc>E01</Auc>
      <No>0</No>
    </record>
    </recordset>
    In MM,
    1.Time -> CopyValue[0] -> StartTime
    2.Time -> below UDF -> EndTime
    3.Quan -> Quan
    4.Volume -> Volume
    5.Auc -> Auc
    6.No -> No
    UDF - Execution type - All values of Queue
    public void getLastTimeValue(String[] inputEndTime, ResultList result, Container container) throws StreamTransformationException {
        // The queue holds every Time value; emit only the last one as EndTime
        result.addValue(inputEndTime[inputEndTime.length - 1]);
    }
    B. At the receiver use FCC again to convert XML to CSV.
    FYI. If you want to optimize more, you can use
    1. the globalContainer concept OR
    2. "Attributes and Methods", declared as String. Store the EndTime using one UDF and write another UDF to retrieve it.
    Regards,
    Raghu_Vamsee

  • DNS records changes and email setups?

    Hi
    Will changing my client's DNS records to point to the 3 x ns1.worldsecuresystems.com servers affect their email setup? Basically I need to point their domain to the BC web site, but we do not want to affect/change ANY email setting/address etc. Could someone please let me know what we need to do to the DNS records to achieve this?
    Thanks

    You just need to change the A record at the domain registrar to one of the following, depending on which data centre your site is on:
    United States data center - 54.236.190.114 or 54.236.189.64 or 54.236.189.61
    European Union data center - 54.246.209.120 or 54.246.209.119 or 54.246.209.93
    Australia data center - 54.252.148.183 or 54.252.148.191 or 54.252.148.134

  • How can i change the below fixed app line's and the app groups's background colour?!

    I now upgraded my iPhone 4S to iOS 7, and I hate this colour (between pink and "magenta"), but I don't know and can't find how I can change it?!

    With iOS 7, Apple has begun to emulate the aesthetics of the country in which its devices are manufactured.
    Beijing's watercube is eerily reminiscent of the new home screen on my iPhone.

  • What are the right DNS records to host more than one site on OSX Server (ML). My conf in Server.app looks right but one of my sites lands on the default server. Any suggestion?

    I started using OSX Server on Mountain Lion a few days ago and it looks promising.
    I do however measure my ignorance in DNS matters...
    I defined two websites in addition to the Default Server, so I have three names to deal with.
    For argument's sake
    - www.main.com is the default site
    - www.sitea.com is the first site
    - www.siteb.com is the second site
    I define a virtual host for www.sitea.com and another for www.siteb.com
    The resulting apache conf is what I would expect, I am pretty sure it is correct.
    So I modified my DNS entries (they were A records) to point to my new OSX Server.
    My result is:
    - www.main.com shows the default site
    - www.sitea.com shows the first site
    - www.siteb.com shows...the default site
    Any ideas?
    Cheers

    Thanks MrHoffman!
    My problem ended up being a name, but not in the DNS... in Apache.
    Your information allowed me to rule out possibilities and zoom in to the culprit faster.
    I just report here the conclusion hoping it can help someone else.
    When I installed OSX Server last week, I had in mind to principally run siteb.
    During the initial install, this is what I must have entered and then forgot about it.
    Then I defined my virtual hosts sitea and siteb and realised my machine was called siteb, and changed its name to main to avoid a name collision. At which time I remember OSX Server telling me that changing the name could have consequences... But it apparently went ok, and it did, except for one little thing.
    The consequence was this:
    in the main configuration file /Library/Server/Web/Config/apache2/http_server_app.conf the ServerName directive had remained siteb (instead of main). I manually updated it with TextEdit (could do vi from bash, it's the same) and replaced siteb with main.
    There is a way to detect it.
    In Server.app, there is a "logs" panel, which displays all sorts of logs for everything including the websites.
    Each website's logs are presented as "access" and "error" logs. The information was there, but I could not see it because the viewing window is remarkably small for so much information in raw text...
    Web logs are actually written to only two files in /var/log/apache2 (error.log and access.log).
    I opened two bash windows and ran tail -f on error.log in one and tail -f on access.log in the other.
    When I started the web service, apache threw a warning from mod_ssl saying that the certificate did not match the server name... The certificate was what I expected, so I checked http_server_app.conf and found the ServerName directive that was not changed when I renamed my server...
    Easily fixed once it's found, but it can take a while to find.
    BTW, I was using A DNS records and it works, but I find your method of using CNAME records documents the administrator's intent better than A records; I started to do the same. (A records are useful though, they can run a domain across multiple machines.)
    Cheers mate!

  • Server 2008R2 with AD DNS Panel not showing any records only shows the zone name

    Hi All, new to the forum. We have had this new domain controller running DNS for a few years now, and recently I went to edit some DNS records and found them missing in the DNS console. The zone names are there but nothing is under the zones, just one record for the server under our AD domain. If I do an nslookup against this server it still displays the records as it should. It is also set up to forward the zones to a secondary server which is only pulling info from this master 2008 R2 server. Any ideas where I can try to recover the records for my zones?
    Thanks

    Hi,
    According to your description, there are several possible reasons resulting in the DNS records disappearing.
    1. If aging and scavenging was configured on the DNS server, scavenging can cause records to disappear. Even Windows-based computers that have statically assigned servers register their records every 24 hours. Verify whether the No-refresh and Refresh intervals are too low. For example, if these values are both less than 24 hours, then we will lose DNS records. To view the settings, right-click the zone in the DC, click Properties, click Aging.
    2. Is there a DHCP server in your environment? Failed DNS Dynamic Update Protocol updates to existing records can also cause them to be deleted by the scavenging process as aged records.
    Also, event logs are helpful for isolating the issue. Are there any event logs on your computer?
    For more details about DNS records disappearing, please refer to the link below,
    DNS Records Disappearing and DNS Auditing
    http://msmvps.com/blogs/acefekay/archive/2010/12/09/dns-records-disappearing-and-dns-auditing.aspx
    Using AD Recycle Bin to restore deleted DNS zones and their contents in Windows Server 2008 R2
    http://blogs.technet.com/b/askds/archive/2010/08/12/using-ad-recycle-bin-to-restore-deleted-dns-zones-and-their-contents-in-windows-server-2008-r2.aspx
    Best Regards,
    Tina

  • Communication between the DNS/DHCP Manager and OES Server

    No communication between the DNS/DHCP Manager Console and OES server (status,start,stop)
    The screenshot shows the tab "DHCP (OES Linux)" in the DNS/DHCP Manager console; at the bottom of the image it shows the state of the DHCP servers.
    The dhcp service is started on all these servers.
    You can see that the status is known only for four servers.
    The button "start/stop DHCP service" works fine on these servers and
    the dhcp service can be stopped and also restarted.
    But the status of the "dhcp service" is not recognized for all the other DHCP servers,
    and so we cannot start or stop the dhcp service on these servers.
    All servers were installed at different times (over the last three years) with OES11 and
    are upgraded to OES11 SP2 with all patches.
    The server keto (DHCP_keto) is a new installation of OES11 SP2 from a few days ago.
    All OES servers were set up identically by me. LDAP, LUM, DMS, DHCP work fine.
    Which service on the OES server is responsible for
    communication (status indicator) between the DNS/DHCP Manager and the OES server?
    How is the status query performed by the DNS/DHCP Manager?
    How can I test the communication to the server from the client (console)?
    Which configuration files should I compare on the servers?
    Thanks in advance
    Gernot

    gernot,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://www.novell.com/support and search the knowledgebase and/or check all
    the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.novell.com)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.novell.com/faq.php
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Forums Team
    http://forums.novell.com

  • Security issue with the SGA and multiple installation group.

    Hi,
    The documentation IS WRONG:
    http://download.oracle.com/docs/cd/E11882_01/rac.112/e10743/preparing.htm#TDPRC131
    # useradd -u 1100 -g oinstall -G dba -d /home/oracle -r oracle
    http://download.oracle.com/docs/cd/E11882_01/install.112/e10816/typinstl.htm#CWSOL156
    # useradd -u 1100 -g oinstall -G dba oracle
    The "-g" and "-G" must be exchanged!
    In an advanced installation with multiple Oracle users, call them ( ora1, ..., orai, ..., oran ),
    with multiple OSdba groups defined, call them ( dba1, ..., dbai, ..., dban ),
    associate each oracle user to the dba group with the same number and to the install group as Oracle told you:
    User ora1 group dba1
    User orai group dbai
    User oran group dban
    Now make the software installations with the group OSinstall ( install ) as written in the documentation, in 3 Oracle homes.
    Call them oracle_home1, oracle_home2, oracle_home3.
    Now check semaphores, shared memory and files!
    ipcs -msa
    IPC status from <running system> as of Thu Apr 29 12:14:06 CEST 2010
    T ID KEY MODE OWNER GROUP CREATOR CGROUP NATTCH SEGSZ CPID LPID ATIME DTIME CTIME
    Shared Memory:
    m 16777246 0x6525858 rw-rw-- oracle2 install oracle2 install 36 5368725504 3479 4298 12:10:01 12:10:31 16:30:45
    T ID KEY MODE OWNER GROUP CREATOR CGROUP NSEMS OTIME CTIME
    Semaphores:
    s 50331701 0xb7892c1a ra-ra-- oracle2 install oracle2 install 202 16:30:47 16:30:45
    s 50331700 0xb7892c19 ra-ra-- oracle2 install oracle2 install 202 no-entry 16:30:45
    s 50331699 0xb7892c18 ra-ra-- oracle2 install oracle2 install 202 12:13:48 16:30:45
    ls -l $OSD/oradata/*/*/* | sed s/oracle/oracle2/
    -rw-r----- 1 oracle2 install 11600384 Apr 14 18:30 /app1/oracle/admin/ora11g/oradata/ORA11G/changetracking/o1_mf_5wcsdcfh_.chg
    -rw-r----- 1 oracle2 install 11600384 Apr 15 15:08 /app1/oracle/admin/ora11g/oradata/ORA11G/changetracking/o1_mf_5wf7787k_.chg
    -rw-r----- 1 oracle2 install 11600384 Apr 29 13:05 /app1/oracle/admin/ora11g/oradata/ORA11G/changetracking/o1_mf_5wg8jggf_.chg
    -rw-r----- 1 oracle2 install 16695296 Apr 29 13:05 /app1/oracle/admin/ora11g/oradata/ORA11G/controlfile/o1_mf_5wg4j9go_.ctl
    -rw-r----- 1 oracle2 install 524296192 Apr 29 03:05 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_aud__dol_5wg4mntr_.dbf
    -rw-r----- 1 oracle2 install 104865792 Apr 29 03:05 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_aud__dol_5wg4mp3v_.dbf
    -rw-r----- 1 oracle2 install 209723392 Apr 29 03:05 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_example_5wg4ml5z_.dbf
    -rw-r----- 1 oracle2 install 419438592 Apr 29 13:05 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_stat_dba_5wg4mmhg_.dbf
    -rw-r----- 1 oracle2 install 2097160192 Apr 29 13:05 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_sys_undo_5wg4kf8n_.dbf
    -rw-r----- 1 oracle2 install 2097160192 Apr 29 03:05 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_sys_undo_5wg4lss2_.dbf
    -rw-r----- 1 oracle2 install 1363156992 Apr 29 13:05 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_sysaux_5wg4k1xf_.dbf
    -rw-r----- 1 oracle2 install 1048584192 Apr 29 13:05 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_system_5wg4jp26_.dbf
    -rw-r----- 1 oracle2 install 209723392 Apr 28 22:01 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_temp0_5wg4l302_.tmp
    -rw-r----- 1 oracle2 install 209723392 Apr 15 16:06 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_temp1_5wg4lsod_.tmp
    -rw-r----- 1 oracle2 install 104865792 Apr 29 03:05 /app1/oracle/admin/ora11g/oradata/ORA11G/datafile/o1_mf_users_5wg4l33f_.dbf
    -rw-r----- 1 oracle2 install 104858112 Apr 29 13:05 /app1/oracle/admin/ora11g/oradata/ORA11G/onlinelog/o1_mf_1_5wg4jb44_.log
    -rw-r----- 1 oracle2 install 104858112 Apr 28 21:00 /app1/oracle/admin/ora11g/oradata/ORA11G/onlinelog/o1_mf_2_5wg4jdn6_.log
    -rw-r----- 1 oracle2 install 104858112 Apr 28 22:00 /app1/oracle/admin/ora11g/oradata/ORA11G/onlinelog/o1_mf_3_5wg4jgw8_.log
    -rw-r----- 1 oracle2 install 104858112 Apr 29 03:00 /app1/oracle/admin/ora11g/oradata/ORA11G/onlinelog/o1_mf_4_5wg4jk64_.log
    -rw-r----- 1 oracle2 install 104858112 Apr 29 13:01 /app1/oracle/admin/ora11g/oradata/ORA11G/onlinelog/o1_mf_5_5wg4jmcd_.log
    ls -l $OH/bin/oracle | sed s/oracle/oracle2/
    -rwsr-s--x 1 oracle2 install 256263032 Apr 14 13:54 /app1/oracle/product/11.2.0_64/db_1/bin/oracle*
    That is the evidence that the documentation provides you a wrong way to do it!
    François LANGE

    The right document syntax for this is:
    UNIX: Do I Need To Use The "oinstall" Group? (Doc ID 463052.1)
    François

  • Security Group Creation in Specific OU and Create Network Share For the Security Group

    Hi,
    We would really want to create a PowerShell script that creates a specific Security Group within a selected Organisation Unit.
    Brief Scenario;
    We have created several Organisation Units. Each Organisation Unit contains another Organisation Unit called users. 
    +OU=Netherlands
    ++OU=Company A
    +++OU=users
    ++OU=Company B
    +++OU=users
    And so forth.
    If we run the PowerShell script it should create a list of all the Companies in the container Netherlands. After the list is created it creates an output like 1. Company A; 2. Company B. (Foreach ..)
    The script asks for user input on where to create the Security Group. If the user selects option 2, a security group called "Company B" is created. All the users located in the Organisation Unit users within Company B are joined to that group. (Sets option 2 as a value like Security Group = "$Company B", creates Security Group "Universal, Global (option)", and gets all users from the container users and joins them.)
    Then, without user interaction, a share is created, granting Domain Administrators full access and the Security Group which has just been created.
    Is somebody able to help me with this kind of script?
    Thank you in advance,
    With kind regards,
    Danny Locorotondo

    Already gathered some information. Have this as a result. Now I need to figure out how to put the results into a list, so the user can select the group. As of now I am stuck.
    Import-Module ActiveDirectory

    Function SelectCollectionRelease {
        [CmdletBinding()]
        Param(
            [Parameter(Mandatory=$true,
                       Position=0,
                       HelpMessage='Enter the Release of the Collection. By example: Alfa, Beta or Charlie')]
            [string] $CollectionRelease
        )

        if (!$CollectionRelease) {
            Write-Host "`n You did not select a proper Collection Release" -ForegroundColor Red
            # Ask again: the mandatory parameter prompts for a new value
            SelectCollectionRelease
            return
        }

        [string] $OUPath = "OU=$CollectionRelease,OU=VDI,OU=carsystems,DC=carsysdev,DC=local"

        if (!([adsi]::Exists("LDAP://$OUPath"))) {
            Write-Host "`n Collection Release does not exist" -ForegroundColor Red
            SelectCollectionRelease
            return
        }

        Write-Host "`n Collection Release exists." -ForegroundColor Green
        Write-Host "`n Selected $OUPath ..." -ForegroundColor Yellow
        # List the security groups already present in the selected OU
        Get-ADGroup -SearchBase $OUPath -Filter { GroupCategory -eq "Security" } | Format-List -Property Name

        # Not working yet: the idea was to also collect the user objects of the OU
        # $SecurityGroup = Get-ADGroup -SearchBase $OUPath -Filter {GroupCategory -eq "Security"} -and (ObjectClass -eq "user")
    }

    SelectCollectionRelease

  • DNS records are not 100% correct

    For a while now we've been noticing that some DNS records are not correct. The records are pointing to incorrect IP addresses. One by one I open the record, update the IP, then replicate across all domain controllers.
    What would cause the hostname of one machine to point to another IP address?

    I believe what you're seeing is from DHCP-DNS registration. You may have duplicates, or incorrect data for records that can't be updated by DHCP service or the DHCP client due to permissions on the record. You may also not have scavenging in place.
    In summary:
    Configure DHCP Credentials. The credentials only need to be a plain-Jane, non-administrator, user account. But give it a really strong password.
    Set DHCP to update everything, whether the clients can or cannot.
    Set the zone for Secure & Unsecure Updates. Do not leave it Unsecure Only.
    Add the DHCP server(s) to the Active Directory, Built-In DnsUpdateProxy security group. Make sure ALL other non-DHCP servers are NOT in the DnsUpdateProxy group. For example, some believe that the DNS servers or other DCs not running DHCP should be in it. They must be removed or it won't work. Make sure that NO user accounts are in that group, either. (I hope that's crystal clear - you would be surprised how many will respond asking if the DHCP credentials should be in this group.)
    On Windows 2008 R2 or newer, DISABLE Name Protection.
    If DHCP is co-located on a Windows 2008 R2 or Windows 2012 DC, you can and must secure the DnsUpdateProxy group by running the following:
    dnscmd /config /OpenAclOnProxyUpdates 0
    Configure Scavenging on ONLY one DNS server. What it scavenges will replicate to others anyway. Set the scavenging NOREFRESH and REFRESH values combined to be equal or greater than the DHCP Lease length.
    For specifics and step by steps, and good discussions on what's going on in the background and what to expect:
    DHCP Service Configuration, Dynamic DNS Updates, Scavenging, Static Entries, Timestamps, DnsUpdateProxy Group, DHCP Credentials, prevent duplicate DNS records, DHCP has a "pen" icon, and more...
    http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx  
    Good summary
    How Dynamic DNS behaves with multiple DHCP servers on the same Domain?
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e9d13327-ee75-4622-a3c7-459554319a27
    Another good summary:
    Thread: "DNS problem" December 18, 2013
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/37b8b6b3-6cb1-496c-8492-09ded13bab18/dns-problem?forum=winserverNIS
    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
    This post is provided AS-IS with no warranties or guarantees and confers no rights.
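    Ace's checklist above, worked through as an added PowerShell example; it is not code from the thread or from Ace's blog. It assumes Windows Server 2012 or newer with the DhcpServer, DnsServer and ActiveDirectory modules, and the following placeholder names: service account CONTOSO\svc-dhcp-dns, DHCP servers DHCP01 and DHCP02 running on domain controllers, zone corp.contoso.com held in the DomainDnsZones partition, DNS01 as the single scavenging server, and client01 as a host DHCP has already registered. One deliberate departure from the post: the zone is set to Secure-only dynamic updates rather than "Secure & Unsecure"; once DHCP registers under credentials that is sufficient, and it refuses unauthenticated updates from anything on the network.

```powershell
# Added example (not from the thread): Ace's checklist on Windows Server 2012+ with the DhcpServer,
# DnsServer and ActiveDirectory modules. All names below are placeholders.
Import-Module DhcpServer, DnsServer, ActiveDirectory

$dhcpServers = 'DHCP01', 'DHCP02'            # DHCP role, here co-located on DCs
$zone        = 'corp.contoso.com'            # AD-integrated zone in the DomainDnsZones partition
$scavenger   = 'DNS01'                       # the ONE DNS server that scavenges
$cred        = Get-Credential -UserName 'CONTOSO\svc-dhcp-dns' -Message 'Plain domain user, strong password, no admin rights'

foreach ($s in $dhcpServers) {
    # 1. Register with the dedicated account instead of the server's machine account, so the records are
    #    owned by that account and every DHCP server holding it can update them (scenario 3 in the thread).
    Set-DhcpServerDnsCredential -ComputerName $s -Credential $cred

    # 2. Always update A and PTR, also for clients that cannot or do not ask, clean up at lease expiry,
    #    Name Protection off (as the post says). Scope-level DNS settings override these; check them too.
    Set-DhcpServerv4DnsSetting -ComputerName $s -DynamicUpdates Always -UpdateDnsRRForOlderClients $true `
        -DeleteDnsRROnLeaseExpiry $true -NameProtection $false

    # 3. DHCP on a DC: stop records created by DnsUpdateProxy members from getting the open ACL
    dnscmd $s /config /OpenAclOnProxyUpdates 0
}

# 4. DnsUpdateProxy holds the DHCP servers' computer accounts and nothing else
$dhcpComputers = $dhcpServers | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity DnsUpdateProxy -Members $dhcpComputers
Get-ADGroupMember -Identity DnsUpdateProxy |
    Where-Object { $_.objectClass -ne 'computer' -or $_.SamAccountName -notin $dhcpComputers.SamAccountName } |
    ForEach-Object { Write-Warning "Remove $($_.SamAccountName) ($($_.objectClass)) from DnsUpdateProxy" }

# 5. Zone: Secure-only dynamic updates. The post allows "Secure & Unsecure"; with DHCP doing the
#    registrations under credentials, Secure-only works and refuses unauthenticated updates.
Set-DnsServerPrimaryZone -ComputerName $scavenger -Name $zone -DynamicUpdate Secure

# 6. Aging on the zone, scavenging on exactly one server, and NoRefresh + Refresh >= longest DHCP lease
$longestLease = [TimeSpan]((Get-DhcpServerv4Scope -ComputerName $dhcpServers[0]).LeaseDuration |
                    Sort-Object -Descending | Select-Object -First 1)
$noRefresh = [TimeSpan]::FromDays(7); $refresh = [TimeSpan]::FromDays(7)
if (($noRefresh + $refresh) -lt $longestLease) {
    throw "NoRefresh + Refresh ($($noRefresh + $refresh)) is shorter than the longest lease ($longestLease); records could be scavenged while still leased"
}
Set-DnsServerZoneAging -ComputerName $scavenger -Name $zone -Aging $true -NoRefreshInterval $noRefresh -RefreshInterval $refresh
Set-DnsServerScavenging -ComputerName $scavenger -ScavengingState $true -ScavengingInterval ([TimeSpan]::FromDays(7))

# 7. Ownership check on a record DHCP registered: expect the service account, not DHCP01$ or SYSTEM
$node = 'client01'                           # assumed: a hostname DHCP is known to have registered
$dn   = "DC=$node,DC=$zone,CN=MicrosoftDNS,DC=DomainDnsZones,$((Get-ADDomain).DistinguishedName)"
(Get-Acl -Path "AD:\$dn").Owner
```

    Step 7 is the quick way to tell which of the three scenarios in the original thread you are actually in: an owner of DHCP01$ means the machine account is registering, SYSTEM points at DnsUpdateProxy without credentials, and the service account means the credentials are in effect. If the zone lives in ForestDnsZones or the domain partition instead, change the DN accordingly.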

  • Log DNS record creation / deletion events on DCs' security event viewer

    hi,
    I have configured the DNS record creation and deletion auditing as per the Microsoft blog below
    http://blogs.technet.com/b/networking/archive/2011/08/17/tracking-dns-record-deletion.aspx    on one of my DCs.
    All settings are done correctly and events for DNS creation and deletion are generated in the security event logs. BUT THESE EVENTS ARE ONLY GENERATED ON ONE DC. We have 3 other DCs; I checked the security events on the other 2 DCs but there are no event logs. Only one DC has those events.
    Is there any way so that whenever a DNS record is created / deleted the events ARE CREATED ON ALL DCs? This will save time, else I have to check all DCs' security events.
    Please suggest

    Greetings!
    It is by design. When you want to create a record on one of the DNS servers, you open the DNS console and connect to a server. Record creation/deletion is a single-server process, and after that it is replicated to all the DNS servers using zone transfers or AD-integrated zones. Since this is a single-server process, the audit is generated in that server's event viewer itself.
    So the best thing you can do is to collect all the events regarding "DNS Auditing" from your DNS servers and store them on a server. More information on:
    Configure Computers to Forward and Collect Events
    Regards.
    Mahdi Tehrani | www.mahditehrani.ir
    This posting is provided AS-IS with no warranties, and confers no rights.
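    The collection step the answer recommends, as an added PowerShell example that is not part of the thread: it pulls the DNS-related audit events from every DC into one list, because each event is written only on the DC that processed the change. It assumes auditing is configured as in the linked blog (the Directory Service Access and Directory Service Changes subcategories plus a SACL on the zone), that the account running it can read the Security log on each DC remotely, and that DNS node objects sit under CN=MicrosoftDNS in their partition, which is how AD-integrated zones are stored.

```powershell
# Added example, not from the thread: gather DNS record create/delete/modify audit events from all DCs.
# Assumes auditing is set up as in the linked blog and remote Security-log access is allowed.
Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-24)
$dcs   = (Get-ADDomainController -Filter *).HostName

# 4662 = object access (Directory Service Access); 5137 / 5141 / 5136 = object created / deleted /
# attribute modified (Directory Service Changes). DNS nodes live under CN=MicrosoftDNS in AD.
$filter = @{ LogName = 'Security'; Id = 4662, 5136, 5137, 5141; StartTime = $since }

$events = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop |
            Where-Object { $_.Message -match 'CN=MicrosoftDNS' } |
            ForEach-Object {
                # Pull the named EventData fields out of the event XML
                $d = @{}
                foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
                $target = if ($d.ObjectDN) { $d.ObjectDN } else { $d.ObjectName }   # 5136/5137/5141 vs 4662
                $op = switch ($_.Id) { 5137 { 'created' } 5141 { 'deleted' } 5136 { 'modified' } default { 'accessed' } }
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    DC      = $dc
                    Id      = $_.Id
                    Op      = $op
                    Subject = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    Record  = $target
                }
            }
    } catch {
        # Get-WinEvent reports "no matching events" as an error; anything else is worth seeing
        if ($_.Exception.Message -notmatch 'No events were found') { Write-Warning "${dc}: $($_.Exception.Message)" }
    }
}

$events | Sort-Object Time | Format-Table Time, DC, Op, Subject, Record -AutoSize
```

    Remote reads need the Remote Event Log Management firewall rules open on each DC. Polling like this is fine for an ad-hoc investigation; for continuous coverage, the event forwarding subscription the answer links to moves the same events to one collector as they happen, and the Record column (the object's DN) is what to key the subscription's XPath filter on.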

  • DNS Records Confused

    Hi everyone,
    I have done the transition from Exchange 2007 to Exchange 2013.
    My Exchange 2007 URLs were with mail.mydomain.com and the hostname of the Exchange 2007 server was mail.
    I came up with Exchange 2013 with hostname mail1
    mail  : 192.168.1.10 (Exchange 2007)
    mail1 : 192.168.1.15 (Exchange 2013) (all virtual directories I set to mail.mydomain.com)
    After decommissioning Exchange 2007 I changed the Exchange 2013 server to the old IP of Exchange 2007
    mail1 192.168.1.10
    I created
    A record mail pointing to 192.168.1.10 (mail.mydomain.com)? Is it right?
    Now I have two records mail and mail1 pointing to same IP 192.168.1.10
    Autodiscover record pointing to 192.168.1.10 (autodiscover.mydomain.com)? Is it right?
    Should my MX record be pointing to mail or mail1?
    Should I create an SRV record?
    Please do guide me, I am able to open Exchange admin center and OWA web pages but I am not able to login.
    For outlook or active sync, what should be the incoming and outgoing mail server(mail.mydomain.com or mail1.mydomain.com)
    I want to use mail as used earlier with exchange 2007

    The mail part of mail.mydomain.com for purposes of finding your mail server is not referring to the name of the server as in server1.mydomain.com, so the name of your server is not important.
    But your certificate should match whatever that is. So for example my mail server uses webmail.mydomain.org on the certificate, so this is what the internal and external DNS records are pointed to even though the server has a name completely unrelated to that. Also, my internal domain is mydomain.local so I created a separate DNS zone internally for webmail.mydomain.org and put the A record (with the internal IP) for my Exchange server in there.
    So from internally when you look for webmail.mydomain.org you find the internal IP address of the Exchange server, and when externally looking for the same thing, webmail.mydomain.org, you find the external IP address of the Exchange server.
    Since you have put the new server at the old server IP you should not have to change DNS records externally, and if you have DNS configured internally you should not have to change those either.
    You do not need SRV or MX records internally. An MX record would be an external record to help people find your mail server on the internet but, as I said, since you put the new server at the same IP, presumably you already have external DNS and firewall settings to allow access.
    What you need to do is set the virtual directory addresses and the Service Connection Point for the new server. 
    First verify your DNS by pinging mail.mydomain.com both internally and externally. 
    Internally it should resolve to 192.168.1.10.  Externally it should resolve to whatever public IP provides external access through your firewall to the server sitting at that internal IP.
    Set the SCP for the new server using EMS (this assumes that your internal ping results above worked correctly):
    Set-ClientAccessServer -Identity mail1 -AutoDiscoverServiceInternalURI https://mail.yourdomain.com/autodiscover/autodiscover.xml
    You said you already did this part below but you can verify or do it again.
    Configure virtual directories for mail1. 
    Go to ECP and navigate to Servers >> Virtual Directories
    Select mail1 then click the wrench
    Add mail1 at the top and then enter mail.yourdomain.com
    Back in the Servers >> Virtual Directories section of ECP click on the virtual directories one at a time and then click the edit pencil and copy and paste to make the internal URL match the external one. 
    Do this for OWA, ECP, ActiveSync, EWS and OAB.  Skip autodiscover and powershell!
    Once all of this is done your OWA would be accessed at
    https://mail.mydomain.com/owa and your ecp would be accessed at
    https://mail.mydomain.com/ecp from both inside and outside your organization.
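    The steps in the answer above, as an added Exchange Management Shell example (not from the thread), run on Exchange 2013. It uses the names from the question (server mail1, namespace mail.mydomain.com, internal IP 192.168.1.10) and adds two checks the answer only describes in words: that the name resolves to the right address before anything is changed, and that the certificate bound to IIS actually lists the namespace, since a mismatch there is the usual reason OWA loads but sign-in then fails with certificate errors.

```powershell
# Added example, not from the thread: verify DNS and the IIS certificate, then set the SCP and the
# virtual directory URLs to the namespace. Names are the ones used in the question.
$server   = 'mail1'
$fqdn     = 'mail.mydomain.com'
$internal = '192.168.1.10'

# 1. Inside the network the namespace must resolve to the server's (new) internal address
$a = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop
if ($a.IPAddress -notcontains $internal) {
    throw "$fqdn resolves to $($a.IPAddress -join ', '); expected $internal. Fix DNS before touching Exchange."
}

# 2. The certificate assigned to IIS has to carry the namespace, or OWA/Outlook get name-mismatch errors
$iisCert = Get-ExchangeCertificate -Server $server | Where-Object { $_.Services -match 'IIS' }
if (-not $iisCert -or ($iisCert.CertificateDomains -notcontains $fqdn)) {
    Write-Warning "No certificate assigned to IIS on $server lists $fqdn; clients will see certificate errors"
}

# 3. Autodiscover SCP: what domain-joined Outlook reads from AD before it tries autodiscover.mydomain.com
Set-ClientAccessServer -Identity $server -AutoDiscoverServiceInternalUri "https://$fqdn/autodiscover/autodiscover.xml"

# 4. Virtual directories: internal URL = external URL = the namespace (Autodiscover and PowerShell are skipped)
$vdirs = @(
    @{ Get = 'Get-OwaVirtualDirectory';         Set = 'Set-OwaVirtualDirectory';         Path = '/owa' }
    @{ Get = 'Get-EcpVirtualDirectory';         Set = 'Set-EcpVirtualDirectory';         Path = '/ecp' }
    @{ Get = 'Get-ActiveSyncVirtualDirectory';  Set = 'Set-ActiveSyncVirtualDirectory';  Path = '/Microsoft-Server-ActiveSync' }
    @{ Get = 'Get-WebServicesVirtualDirectory'; Set = 'Set-WebServicesVirtualDirectory'; Path = '/EWS/Exchange.asmx' }
    @{ Get = 'Get-OabVirtualDirectory';         Set = 'Set-OabVirtualDirectory';         Path = '/OAB' }
)
foreach ($v in $vdirs) {
    $url = "https://$fqdn$($v.Path)"
    & $v.Get -Server $server | & $v.Set -InternalUrl $url -ExternalUrl $url
}

# 5. Show the result: every URL should name mail.mydomain.com and none should still say mail1
foreach ($v in $vdirs) {
    & $v.Get -Server $server | Select-Object @{ n = 'VDir'; e = { $v.Path } }, InternalUrl, ExternalUrl
}
Get-ClientAccessServer -Identity $server | Select-Object Name, AutoDiscoverServiceInternalUri
```

    Setting InternalUrl and ExternalUrl to the same value is exactly what the answer's copy-and-paste step does in ECP; it only works because the question states that mail.mydomain.com is the name used both inside and outside. The certificate check is the one to trust over a browser test: a browser will still render the OWA page after a certificate warning, while Outlook and ActiveSync will not authenticate through one.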

  • DNS Records Questions - TXT Files

    Hello everyone,   I would like to preface this post with, this is my first time dealing with DNS records.  However, the instructions seem a little confusing, so I would like your professional feedback.
    Currently using Godaddy for hosting.  I'll start with the instructions, then my set up, my result and my questions.
    Instructions:
    You will be adding two separate TXT entries to your DNS record - note - be sure that you do not add any carriage returns when copying the key, below:
    First Entry (This is called the DKIM policy record):
    Name: _domainkey
    TXT: "t=y; o=~;"
    If your domain is 'foo.com', then the 'name' entry will look like this when it is displayed: "_domainkey.foo.com"
    Second Entry (This is called the 'selector record' and includes a public crypto key):
    Name: key1._domainkey
    TXT: "k=rsa\; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKQrQeUnNX/CQBIXWqeHc8lKl+EwhGKzPuDRbDjnN2Xzl8N4Fc2oQ6R+opnEM6U4x4p3NggEyNg8Mp2W6oUYpAECAwEAAQ=="
    If your domain is 'foo.com', then the 'name' entry for this will look like this when it is displayed: "key1._domainkey.foo.com"
    That's it!
    You can send a test message to a yahoo email address, then select Actions->View Full Headers in Yahoo when you view the email. If you have configured DKIM correctly, the header information for the email will include a line similar to:
    Authentication-Results: mta1084.mail.mud.yahoo.com  from=mypinpointe.com; domainkeys=pass (ok)
    First Entry:
    Hostname: @
    TXT Value: _domainkey.mydomain.com:   t=y; o=~;
    TTL: 1/2 hour
    Second Entry:
    Hostname: @
    TXT Value: key1._domainkey.mydomain.com: k=rsa; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKQrQeUnNX/CQBIXWqeHc8lKl+EwhGKzPuDRbDjnN2Xzl8N4Fc2oQ6R+opnEM6U4x4p3NggEyNg8Mp2W6oUYpAECAwEAAQ==
    TTL: 1/2 hour
    Results
    1. A really long string of code, but when you search for it here is the result. Doesn't say domainkeys=pass (ok):
          Authentication-Results: mta1466.mail.gq1.yahoo.com  from=giglinxusa.com; domainkeys=neutral (no sig);  from=crapemyrtle.mypinpointe.com; dkim=pass (ok)
    Questions
    1. Should the TXT value include "", like they have it in the instructions?
    2. In the first entry, should there be so many spaces after the .com:    t=y
    3. What are carriage returns? (assuming spaces)

    Hello,
    but I don't understand anything else than that you will use Godaddy.
    What is the aim of this? Connecting an email domain to your internal network or about web services? Please be more specific in your description what you are trying to achieve.
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
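    The record setup quoted in the question, worked through as an added PowerShell example (not from the thread or from the vendor's instructions). It takes host/value pairs the way a GoDaddy-style form collects them, builds the DNS names, and checks the selector record: the tag=value syntax, that p= decodes to an RSA SubjectPublicKeyInfo, and the key size. The domain mydomain.com and the host names come from the post; the assumption that the Hostname field is relative to the zone, with @ meaning the zone apex, is mine. Two things it makes visible: with Hostname @ and the record name typed into the value, as in the posted entries, nothing ends up at key1._domainkey.mydomain.com at all, which is the only name a verifier will query; and the key in the instructions is 512-bit RSA, which RFC 8301 tells verifiers not to accept (1024 bits minimum). On the other two questions: the quotes in the instructions are TXT presentation syntax and most DNS control panels want the bare value, and a carriage return is a line break, not a space.

```powershell
# Added example, not from the thread: turn GoDaddy-style (host, value) pairs into DKIM names and check
# the selector record. Assumption: the Hostname field is relative to the zone and '@' is the apex.
$zone = 'mydomain.com'

function ConvertTo-DkimFqdn {
    param([string]$HostName, [string]$Zone)
    if ($HostName -eq '@') { return $Zone }
    return "$HostName.$Zone"
}

function Read-DerHeader {
    # Tag, content length and content offset of the DER TLV at $Pos (short and long length forms)
    param([byte[]]$B, [int]$Pos)
    $tag = $B[$Pos]; $len = [int]($B[$Pos + 1]); $p = $Pos + 2
    if ($len -band 0x80) {
        $n = $len -band 0x7F; $len = 0
        for ($i = 0; $i -lt $n; $i++) { $len = ($len -shl 8) -bor $B[$p + $i] }
        $p += $n
    }
    [pscustomobject]@{ Tag = $tag; Length = $len; Start = $p }
}

function Get-RsaModulusBits {
    # Walk SubjectPublicKeyInfo = SEQ { SEQ { OID rsaEncryption, NULL }, BIT STRING { SEQ { INT n, INT e } } }
    param([byte[]]$Der)
    $rsaOid = [byte[]](0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01)   # 1.2.840.113549.1.1.1
    $spki = Read-DerHeader $Der 0
    $alg  = Read-DerHeader $Der $spki.Start
    if ($spki.Tag -ne 0x30 -or $alg.Tag -ne 0x30) { throw 'not a SubjectPublicKeyInfo SEQUENCE' }
    $oid = [byte[]]($Der[$alg.Start..($alg.Start + $rsaOid.Length - 1)])
    if ([BitConverter]::ToString($oid) -ne [BitConverter]::ToString($rsaOid)) { throw 'algorithm is not rsaEncryption' }
    $bits = Read-DerHeader $Der ($alg.Start + $alg.Length)
    if ($bits.Tag -ne 0x03) { throw 'BIT STRING missing' }
    $seq = Read-DerHeader $Der ($bits.Start + 1)            # +1 skips the unused-bits byte
    $n   = Read-DerHeader $Der $seq.Start
    if ($n.Tag -ne 0x02) { throw 'modulus INTEGER missing' }
    $len = $n.Length
    if ($Der[$n.Start] -eq 0) { $len-- }                    # leading 0x00 keeps the INTEGER positive
    return $len * 8
}

function Test-DkimSelectorRecord {
    param([string]$Txt)
    $tags = @{}
    foreach ($part in (($Txt -replace '\\;', ';') -split ';')) {     # '\;' is an escaped ';' in some UIs
        if ($part.Trim() -match '^([a-z]+)=(.*)$') { $tags[$matches[1]] = $matches[2].Trim() }
    }
    $problems = @()
    if (-not $tags.ContainsKey('p')) { $problems += 'no p= tag: the value is not a DKIM key record' }
    if ($tags['k'] -and $tags['k'] -ne 'rsa') { $problems += "k=$($tags['k']) is not rsa" }
    $keyBits = $null
    if ($tags.ContainsKey('p')) {
        try {
            $keyBits = Get-RsaModulusBits ([Convert]::FromBase64String($tags['p']))
            if ($keyBits -lt 1024) { $problems += "RSA key is $keyBits bits; RFC 8301 verifiers reject keys below 1024" }
        } catch { $problems += "p= does not decode to an RSA public key: $($_.Exception.Message)" }
    }
    [pscustomobject]@{ Tags = $tags; KeyBits = $keyBits; Problems = $problems }
}

function Get-DkimTxt {
    # Live lookup; long TXT values come back split into 255-byte strings that must be joined first
    param([string]$Fqdn)
    (Resolve-DnsName -Name $Fqdn -Type TXT -ErrorAction Stop).Strings -join ''
}

# Key text exactly as in the vendor instructions quoted in the question
$p = 'MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKQrQeUnNX/CQBIXWqeHc8lKl+EwhGKzPuDRbDjnN2Xzl8N4Fc2oQ6R+opnEM6U4x4p3NggEyNg8Mp2W6oUYpAECAwEAAQ=='

# What the instructions ask for, next to what was entered (host '@', record name pasted into the value)
$intended = @{ Host = 'key1._domainkey'; Value = "k=rsa; p=$p" }
$entered  = @{ Host = '@';               Value = "key1._domainkey.${zone}: k=rsa; p=$p" }

foreach ($e in $intended, $entered) {
    $fqdn = ConvertTo-DkimFqdn -HostName $e.Host -Zone $zone
    $r    = Test-DkimSelectorRecord -Txt $e.Value
    "{0,-32} key={1,4} bits  problems: {2}" -f $fqdn, $r.KeyBits, ($r.Problems -join ' | ')
}
```

    Once the records are published, Get-DkimTxt "key1._domainkey.$zone" fetches what resolvers actually see; pipe that into Test-DkimSelectorRecord rather than the value you typed, since control panels sometimes re-quote or split long strings. The k= tag is lost for the "entered" form because the pasted name precedes it, and the whole record sits at the apex, so the dkim=pass seen in the result header came from the sender's own domain signature, not from this record.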
