DNS record ownership for DHCP clients

My configuration:
DHCP/DNS/DC installed on the same system - Windows 2008 R2 SP1 in a domain environment.
All zones are configured for secure updates only, with aging and scavenging enabled.
DHCP servers are members of the DnsUpdateProxy group.
DHCP is configured with a standard domain user account (this user was made a member of DnsUpdateProxy as well, DOES THAT MATTER?)
DHCP scopes are configured with the default DNS setup (force DNS update by DHCP).
Now...
All DNS records for endpoint devices on DHCP lease (Windows 7, Mac OS X, Ubuntu) are owned by SYSTEM.
In the security tab for some DNS records I can see the service account with write permission to the record (I believe this is the desired state).
In other records the service account has no permission but timestamps are still updated by the computer account (hostname$ has write permission). These records have a pencil icon on computers in the DHCP lease table.
The problem with this (hostname$ has write permissions) is that when a user connects to the network via VPN (obtains a DHCP lease) it gets two records registered in DNS -> 1 record for the IP distributed by the DHCP server and a 2nd record for his home private network.
Has anyone seen this before?
I've tried deleting DNS records / releasing the IP on an endpoint device (example Win7). It would not register to DNS by DHCP. However if I do ipconfig /registerdns it will do it, but the DHCP service account won't have permission on this record.

Apparently it appears that DHCP may not be configured with credentials, DHCP DNS settings are not configured to force DHCP to register ALL requests, nor has the DHCP server itself been added to the DnsUpdateProxy group. These are all prerequisites for DHCP to own all records, otherwise you will see default behavior, which is:
By default, Windows 2000 and newer statically configured machines will register their A record (hostname) and PTR (reverse entry) into DNS.
If set to DHCP, a Windows 2000 or newer machine will request DHCP to allow the machine itself to register its own A record, but DHCP will register its PTR (reverse entry) record.
The entity that registers the record in DNS, owns the record.
In summary:
Configure DHCP Credentials. The credentials only need to be a plain-Jane, non-administrator, user account. Give it a really strong password.
Set DHCP properties, DNS tab, to update everything, whether the clients can or cannot.
Add the DHCP server(s) to the Active Directory, Built-In DnsUpdateProxy security group.
Make sure ALL other non-DHCP servers are NOT in the DnsUpdateProxy group. For example, some believe that the DNS servers or other DCs not running DHCP should be in it. They must be removed or it won't work.
On Windows 2008 R2 or newer, DISABLE Name Protection.
If DHCP is co-located on a Windows 2008 R2 or Windows 2012 DC, you can and must secure the DnsUpdateProxy group by running the following:
dnscmd /config /OpenAclOnProxyUpdates 0
Configure Scavenging on one DNS server. Set the NOREFRESH and REFRESH values combined to be equal or greater than the DHCP Lease length. What it scavenges will replicate to others anyway.
DHCP Service Configuration, Dynamic DNS Updates, Scavenging, Static Entries, Timestamps, DnsUpdateProxy Group, DHCP Credentials, prevent duplicate DNS records, DHCP has a "pen" icon, and more...
Published by Ace Fekay, MCT, MVP DS on Aug 20, 2009 at 10:36 AM
http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx 
Good summary:
How Dynamic DNS behaves with multiple DHCP servers on the same Domain?
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e9d13327-ee75-4622-a3c7-459554319a27
DNS Record Ownership and the DnsUpdateProxy Group
 http://technet.microsoft.com/en-us/library/dd334715(v=ws.10).aspx
DNS Record Ownership and the DnsUpdateProxy Group
"... to protect against unsecured records or to permit members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you must create a dedicated (NON-ADMIN) user account and configure DHCP servers to perform DNS dynamic updates with the credentials of this account (user name, password, and domain). Multiple DHCP servers can use the credentials of one dedicated user account."
http://technet.microsoft.com/en-us/library/dd334715(WS.10).aspx
DNS record ownership and the DnsUpdateProxy group
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/b17c798c-c4b2-4624-926c-4d2676e68279/
Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
This post is provided AS-IS with no warranties or guarantees and confers no rights.
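
A read-only audit of the prerequisites summarized in the answer above, as an added example that is not part of the original post. It assumes Windows Server 2012 or later with the DhcpServer, DnsServer and ActiveDirectory PowerShell modules and DHCP and DNS on the same server; `corp.example.com` is a placeholder zone name.

```powershell
# Added example: read-only audit of the DHCP/DNS prerequisites listed above.
# Assumptions: Windows Server 2012 or later, DhcpServer, DnsServer and
# ActiveDirectory modules available, DHCP and DNS co-located on this server.
Import-Module DhcpServer, DnsServer, ActiveDirectory

$ZoneName = 'corp.example.com'      # placeholder zone name
$Server   = $env:COMPUTERNAME       # DHCP and DNS on the same system, as in the question
$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. DHCP must hold dedicated, non-administrator credentials for dynamic updates.
$cred = Get-DhcpServerDnsCredential -ComputerName $Server -ErrorAction SilentlyContinue
if (-not $cred -or [string]::IsNullOrEmpty($cred.UserName)) {
    $findings.Add('DHCP has no DNS dynamic update credentials configured.')
} else {
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators'
    $groups = Get-ADPrincipalGroupMembership -Identity $cred.UserName |
        Select-Object -ExpandProperty Name
    foreach ($g in $groups) {
        if ($privileged -contains $g) {
            $findings.Add("DHCP credential account '$($cred.UserName)' is a member of '$g'.")
        }
    }
}

# 2. DNS tab: always update, also for clients that cannot; Name Protection off.
#    Scope-level settings can differ from the server level, so check both.
$scopes  = @(Get-DhcpServerv4Scope -ComputerName $Server)
$targets = @([pscustomobject]@{
    Label = 'server'
    Dns   = Get-DhcpServerv4DnsSetting -ComputerName $Server
})
foreach ($s in $scopes) {
    $targets += [pscustomobject]@{
        Label = "scope $($s.ScopeId)"
        Dns   = Get-DhcpServerv4DnsSetting -ComputerName $Server -ScopeId $s.ScopeId
    }
}
foreach ($t in $targets) {
    if ($t.Dns.DynamicUpdates -ne 'Always') {
        $findings.Add("$($t.Label): DynamicUpdates is '$($t.Dns.DynamicUpdates)', expected 'Always'.")
    }
    if (-not $t.Dns.UpdateDnsRRForOlderClients) {
        $findings.Add("$($t.Label): updates for clients that do not request them are off.")
    }
    if ($t.Dns.NameProtection) {
        $findings.Add("$($t.Label): Name Protection is enabled.")
    }
}

# 3. DnsUpdateProxy should contain the DHCP servers and nothing else.
$dhcpHosts = Get-DhcpServerInDC |
    ForEach-Object { ($_.DnsName -split '\.')[0].ToUpper() + '$' }
foreach ($m in Get-ADGroupMember -Identity 'DnsUpdateProxy') {
    if ($dhcpHosts -notcontains $m.SamAccountName.ToUpper()) {
        $findings.Add("DnsUpdateProxy member '$($m.SamAccountName)' is not an authorized DHCP server.")
    }
}

# 4. NoRefresh + Refresh must be equal to or greater than every lease length.
$aging = Get-DnsServerZoneAging -Name $ZoneName -ComputerName $Server
if (-not $aging.AgingEnabled) {
    $findings.Add("Aging is not enabled on zone $ZoneName.")
}
$window = $aging.NoRefreshInterval + $aging.RefreshInterval
foreach ($s in $scopes) {
    if ($window -lt $s.LeaseDuration) {
        $findings.Add("Scope $($s.ScopeId): lease $($s.LeaseDuration) exceeds NoRefresh+Refresh ($window).")
    }
}

# The OpenAclOnProxyUpdates setting from the post is changed with dnscmd and
# is not read here.
if ($findings.Count -eq 0) { 'All checked prerequisites are in place.' } else { $findings }
```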

Similar Messages

  • DNS record ownership and the DnsUpdateProxy group

    I have a 2 x 2003 domain controller that have DNS and DHCP Services installed
    I was thinking of configuring DHCP to use a service account to update DNS records.
    If I set this, do the DHCP Servers need to be members of the DNSUpdateProxy security group for the service account to work?

    I have to agree with John here. I don't think it's reasonable to just say 'ms told us so'. We need a technical before and answer is given. I have multiple DHCP servers and I use a security account on them to register the records and never use the DNSUpdateProxy Group and I have no problems. My thinking is this:
    Assume we are using Integrated Secure Zones in AD:
    Scenario 1:
    Windows DHCP server is registering records on behalf of clients
    Not a member of DNSUpdateProxy Group and not using dedicated account
    Records will have owner as dhcpserver$ and only that account can update
    This is a problem if that DHCP server fails
    Also, non Windows DHCP server with no AD account cannot update
    Scenario 2:
    Windows DHCP server is registering records on behalf of clients
    Member of DNSUpdateProxy Group and not using dedicated account
    Records will have owner as SYSTEM and authenticated users can update, meaning any user or client on that domain
    No problem if that DHCP server fails as any other authorized DHCP server can update
    Non Windows DHCP servers can update if they have a domain machine account
    Scenario 3:
    Windows DHCP server is registering records on behalf of clients
    Using a dedicated account
    Records added with owner same as this dedicated account
    Another DHCP server that also uses this same account can update the records
    A non Windows DHCP server that can use this account can also update the records
    Now, can someone from MS please clarify the technical reason they say that in Scenario 3, you must add the DHCP servers to the DNSUpdateProxy group?
    http://technet.microsoft.com/en-us/library/cc780538(v=ws.10).aspx
    I guess this link didn't help?
    DNS Record Ownership and the DnsUpdateProxy Group
    "... to protect against unsecured records or to permit members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you must create a dedicated user account and configure DHCP servers to perform DNS dynamic updates
    with the credentials of this account (user name, password, and domain). Multiple DHCP servers can use the credentials of one dedicated user account."
    http://technet.microsoft.com/en-us/library/dd334715(WS.10).aspx
    Just to add:
    Why is the DnsUpdateProxy group needed in conjunction with credentials?
    The technical reason is twofold:
    DnsUpdateProxy:
     Objects created by members of the DNSUpdateProxy group have no security; therefore, any authenticated user can take ownership of the objects.
    DHCP Credentials:
     Forces ownership to the account used in the credentials, which the DnsUpdateProxy group allowed to take ownership other than the registering client.
    Otherwise, the default process is outlined below, and this applies to non-Microsoft operating systems, too, but please note that non-Microsoft operating systems can't use Kerberos to authenticate to dynamically update into a Secure Only zone, however you can configure Windows DHCP to do that for you.
    1. By default, Windows 2000 and newer statically configured machines will
    register their own A record (hostname) and PTR (reverse entry) into DNS.
    2. If set to DHCP, a Windows 2000, 2003 or XP machine, will request DHCP to allow
    the machine itself to register its own A (forward entry) record, but DHCP will register its PTR
    (reverse entry) record.
    3. If Windows 2008/Vista, or newer, the DHCP server always registers and updates client information in DNS.
       Note: "This is a modified configuration supported for DHCP servers
             running Windows Server 2008 and DHCP clients. In this mode,
             the DHCP server always performs updates of the client's FQDN,
             leased IP address information, and both its host (A) and
             pointer (PTR) resource records, regardless of whether the
             client has requested to perform its own updates."
             Quoted from, and more info on this, see:
    http://technet.microsoft.com/en-us/library/dd145315(v=WS.10).aspx
    4. The entity that registers the record in DNS, owns the record.
       Note "With secure dynamic update, only the computers and users you specify
            in an ACL can create or modify dnsNode objects within the zone.
            By default, the ACL gives Create permission to all members of the
            Authenticated User group, the group of all authenticated computers
            and users in an Active Directory forest. This means that any
            authenticated user or computer can create a new object in the zone.
            Also by default, the creator owns the new object and is given full control of it."
            Quoted from, and more info on this:
    http://technet.microsoft.com/en-us/library/cc961412.aspx
    More on this discussed in:
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/6f5b82cf-48df-495e-b628-6b1a9a0876ba/regular-domain-user-uses-rsat-to-create-dns-records?forum=winserverNIS
    If that doesn't help, I highly suggest to contact Microsoft Support to get a definitive response. If you do, I would be highly curious what they say if it's any different than what I found out from the product group (mentioned earlier in this thread).
    And of course, if you can update what you find out, it will surely benefit others reading this thread that have the same question!
    Thank you!
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.
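
An ownership audit for the situation in the first thread (records owned by SYSTEM or by hostname$, two addresses registered for a VPN client) and the three scenarios in this one, as an added example that is not from either thread. It assumes Windows Server 2012 or later with the DnsServer and ActiveDirectory modules and an AD-integrated zone; the zone name and the `CORP\svc-dhcp-dns` account are placeholders.

```powershell
# Added example: classify dynamically registered A records by the owner of
# their dnsNode object and list names that hold more than one address.
Import-Module DnsServer, ActiveDirectory

$ZoneName    = 'corp.example.com'     # placeholder zone name
$DhcpAccount = 'CORP\svc-dhcp-dns'    # placeholder: account set as DHCP credentials
$WriteProp   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

function Get-OwnerCategory([string]$Owner) {
    if ($Owner -eq $DhcpAccount)          { return 'DHCP credential account' }
    if ($Owner -eq 'NT AUTHORITY\SYSTEM') { return 'SYSTEM' }
    if ($Owner.EndsWith('$'))             { return 'Computer account' }   # hostname$ or dhcpserver$
    return 'Other'
}

# Static records carry no timestamp; keep only dynamically registered ones.
$records = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
    Where-Object { $_.Timestamp }

# All A records for one name live in the same dnsNode object, so owner and
# ACL are read once per distinguished name, not once per address.
$report = $records | Group-Object DistinguishedName | ForEach-Object {
    $acl = Get-Acl -Path ('AD:\' + $_.Name)
    $writers = @($acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $WriteProp)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique)

    [pscustomobject]@{
        HostName      = $_.Group[0].HostName
        Addresses     = ($_.Group | ForEach-Object {
                            $_.RecordData.IPv4Address.IPAddressToString }) -join ', '
        RecordCount   = $_.Count
        Owner         = $acl.Owner
        OwnerCategory = Get-OwnerCategory $acl.Owner
        DhcpCanWrite  = ($acl.Owner -eq $DhcpAccount) -or ($writers -contains $DhcpAccount)
        Writers       = $writers -join '; '
    }
}

# How many names fall into each ownership category.
$report | Group-Object OwnerCategory | Select-Object Name, Count

# Names the DHCP credential account cannot update.
$report | Where-Object { -not $_.DhcpCanWrite } |
    Format-Table HostName, Owner, Writers -AutoSize

# Names with more than one dynamic A record, as in the VPN case.
$report | Where-Object { $_.RecordCount -gt 1 } |
    Format-Table HostName, Addresses, Owner -AutoSize
```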

  • Why doesn't my airport express router issue proper DNS server address to DHCP clients?

    I have an Airport express router (version 7.6.4).  It was configured to connect to internet via a cable modem, acting as a router with NAT. This means it obtains WAN address from cable modem, and in LAN it assumes IP address 10.0.1.1 as a gateway, and issues IP addresses to my 4-5 wireless clients (MBA, iPads, PCs) via DHCP.
    However I recently encountered an issue, that the router no longer issues DNS server address obtained from Cable Modem (206.x.x.x) but instead tells every DHCP client to use router IP address (10.0.1.1) as DNS server. I was pretty sure before Dec 2013 it was issuing (206.x.x.x) to all DHCP clients.
    Apparently now the Airport express is acting as a DNS server or as a DNS cache. This works sporadically and very often result in long DNS look up or DNS look up failure.
    Is this a bug or is it supposed to do so?  Any configuration can turn it off so Airport express will issue Cable modem obtained DNS server to DHCP clients?
    My network otherwise works fine. For some of the clients (e.g. one MBA) I configured DNS for it manually and its internet is working very smoothly.

    But this will be a problem for my ipad and iphone that uses wifi.
    These devices either allow full DHCP. If you need to manually enter DNS server, you will need to turn entire IP configuration to manual and that will be a problem for me.

  • Looking for best practices when creating DNS reverse zones for DHCP

    Hello,
    We are migrating from ISC DHCP to Microsoft DHCP. We would like the DHCP server to automatically update DNS A and PTR records for computers when they get an IP. The question is, what is the best practice for creating the reverse look up zones in DNS? Here
    is an example:
    10.0.1.0/23
    This would give out IPs from 10.0.1.1-10.0.2.254. So with this in mind, do we then create the following reverse DNS zones?:
    1.0.10.in-addr.arpa AND 2.0.10.in-addr.arpa
    OR do we only create:
    0.10.in-addr.arpa And both 10.0.1 and 10.0.2 addresses will get stuffed into those zones.
    Or is there an even better way that I haven't thought about? Thanks in advance.

    Hi,
    Based on your description, creating two reverse DNS zones 1.0.10.in-addr.arpa and 2.0.10.in-addr.arpa, or creating one reverse DNS zone 0.10.in-addr.arpa, both methods are all right.
    Best Regards,
    Tina

  • DNS permission denied for vpn clients?

    I have an x-serve setup to allow a client access remotely to a local network via VPN. I'm currently having an issue with the DNS server however, which is not allowing me to do lookups when connected via the VPN:
    client 10.0.0.130#59551: view com.apple.ServerAdmin.DNS.public: error sending response: permission denied
    The DNS server resolves perfectly fine for physical machines on the local network.

    Have you added the range of VPN-assigned addresses to the list of clients the DNS server will respond to?
    Server Admin -> (server) -> DNS -> Settings -> Accept recursive queries from the following networks
    This will have to include the VPN client address range in order for the DNS server to respond to their queries.

  • Iptables rule needed for DHCP client?

    For a long time I've had a rule in my iptables ruleset which explicitly allows replies from DHCP servers:
    -A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
    Now I'm wondering if I actually need this. I don't filter any outgoing packets and I do have the usual "accept related and established packets" rule before this one. DHCP is really odd and exposes some edge-cases in network setup. In this case, there will be times when I don't have an IP (fresh start for an interface), or when I ask to renew a lease from one DHCP server but get a reply from a totally different one (yeah, our network is weird). I wonder if netfilter is smart enough to see those replies as "established" or "related". Does anybody know for sure? Do you use DHCP and iptables, without such a rule?

    I took the time to test various DHCP scenarios and found that indeed, it doesn't look like I need this rule. I originally started using it because I did need such a rule with ipfw on OS X - it would block the replies since it didn't know how to deal well with situations where you have to transmit with a 0.0.0.0 source IP.

  • How to configure dhcp client identifier

    Hi Everybody,
    The DHCP client ID is an id that is unique for DHCP clients at least in the same subnet. Usually the client uses MAC-address as Client-Identifier in the DHCPDISCOVER message. The Client-Identifier may be different other than MAC-Address, for example a FQDN name, as per the RFC 2132 Ref, (code 61).
    Usually, we use the following to bind the ip address based on MAC-address
    pntadm -r SUNWfiles -p /var/dhcp -A 10.42.32.86 -i '0:3:ba:a5:a9:93' -a 10.42.32.80
    At server side, I am using the following for specifying the FQDN name.
    pntadm -r SUNWfiles -p /var/dhcp -A 10.42.32.86 -i 'one.atr.com' -a 10.42.32.80
    and at client side, I am inserting the following entry in the /etc/default/dhcpagent file
    CLIENT_ID='one.atr.com'
    But this is not working. What am I doing wrong?
    1. At the server side, then how to assign the ip addresses to the clients, if the Client-Identifier is FQDN name in the DHCPDISCOVER message other than MAC-Address.
    2. How to configure the client-identifier as FQDN name at client side.
    Please help me,
    Thanks in advance,
    Mummaneni.

    Sandman,
    Here is an example of a router acting as a DHCP server. Please remember that you have to exclude IP addresses that you don't want to lease out.
    ip dhcp pool example
    import all
    network 192.168.1.0 255.255.255.0
    dns-server 1.2.3.4
    default-router 192.168.1.1
    ip dhcp excluded-address 192.168.1.1 192.168.1.149
    ip dhcp excluded-address 192.168.1.200 192.168.1.254
    HTH,
    Mark

  • Exchange 2013 Split DNS, how to get WAN clients to use public Split DNS IP when inter-office link is DOWN?!

    Hello,
    I have an Exchange 2013 deployment and a LAN/WAN setup, we have many small remote WAN linked offices that can resolve to the Exchange Server's internal IP.
    Outlook clients in remote WAN offices work fine as long as the link is UP since the Split Brain DNS for Exchange will resolve the internal clients to the internal IP of the Exchange server, Outlook connects up without issues.
    However, in the event of loosing connection to our remote sites, they will no longer be able to resolve to the internal Exchange IP, but they still have a backup public internet that they can use. So should the inter-office connectivity fail we have it setup
    so clients in remote offices can still browse the internet, etc.
    However, their Outlook fails to connect because it has a cached DNS record for our Split Brain Exchange DNS setup and tries to resolve it to its internal IP, instead of refreshing the cache and grabbing the public IP of the Exchange server since now they
    would be resolving it over the public internet.
    Is there anything I can do with my existing configuration to allow the client to pick up the public IP of the Split DNS setup when our inter-office connection is down and the client is no longer able to use the internal IP they have cached for Exchange?
    I guess I could lower the TTL on the DNS record to something like 1 minute so it does not cache the DNS record / IP for long? Is this the best approach?

    http://public.wsu.edu/~brians/errors/lose.html
    I would suggest that the best approach is to either improve the reliability of the WAN link or to configure DNS to always use the Internet path.  You might want to work with your network guy, perhaps there's a way to have your gateways automatically
    switch to an Internet VPN backup when the WAN link is down or something like that.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

  • DHCP Client Service Procedure Not Found

    I have a W2008R2 Standard server (DC) holding both DHCP and DNS roles.  When the server was originally built the (migrated from 2003) DHCP did not load properly and per a Microsoft support incident we backed up the existing DHCP and rebuilt it. Everything
    was working fine however the DHCP Client Service does not run.  This was back in 2012 so I don't recall if it the service was started and quit or if we just didn't notice that the Client Service was not running.  It has not been a problem for me
    until now.  I need to run a new backup agent on this server and it requires the DHCP Client Service to be running.  I did notice upon a reboot that the service was "stopping" and will not restart.  It appears as though it does start
    on boot and then immediately stops as I would not have caught the "stopping" status had I not gone into the Services mmc right away.  The error that I get when trying to restart is 127:  The specified procedure could not be found.  This
    is the only info logged in the event viewer as well.  The service is configured to start using Network Service credentials and is set to automatic.  The dependencies are:  "depends on" Ancillary Function Driver for Winsock & TCP/IP
    Protocol Driver. The WinHTTP Web Proxy Auto-Discovery Service depends on the Client Service.  I have noticed on two other W2008R2 servers that the dependencies are different: The "depends on" are:  Ancillary Function Driver for Winsock,
    NetIO Legacy TDI Support Driver and Network Store Interface Service. The components depending on the Client Service are the same on all servers.  I'm not sure if these differences are due to the fact that this server is running DHCP server and the others
    are not? Or is this difference the reason for my issue?  I'm hesitant to change these parameters without some guidance for fear of trashing my entire box.  I did remove and completely rebuild/reinstall the DHCP server role last night, hoping that
    may fix the issue, but no luck.  I've run DNS tests & DCDiag with no issues found.  Anyone familiar with this problem?  What to do? Thanks!

    Updates:  There are no events being reported at all in the DHCP Service log.  Things I have tried thus far:  
    All Windows Updates installed
    Uninstall and re-install the DHCP Server
    Reset Winsock
    Made sure permissions are set to Full for both Network Service & Local Service accounts (I tried changing the logon account to Local Service also).
    I noticed on another (working)  W2008R2 server that the dependencies were different although this server did not hold the role of DHCP Server.  The problematic server only listed Ancillary Function Driver for Winsock & Tcpip.  The working
    server listed Ancillary Function Driver for Winsock, Network Store Interface Service and NetIO Legacy TDI Support Driver.  I then changed the dependencies to match that of the working server.  Verified that all of these were "started" in
    Device Manager.  The DHCP Client Service now fails with Error 1079:  The account specified for this service is different from the account specified for other services running the same process.  (I did find a Microsoft Fixit for this--didn't
    make any difference though).
    I noticed on the other working server that the logon account for DHCP Client Service is actually LocalServiceNetworkRestricted.  I had set it to LocalService.  After making this change, my error now has changed to: Windows could not start the DHCP
    Client service on Local Computer.  Error 1314:  A required privilege is not held by the client.
    I split my DHCP scope and set up a second DHCP server to determine what effect the DHCP Server role had on things. I don't know that I've noticed anything to be honest.  So moving on...  
    I mirrored the permissions in the registry to those of the new (additional) DHCP server for the following key:  HKLM\System\CurrentControlSet\Services\DHCP.  When I compare the permissions I notice that the problematic server is missing some
    entries.  The working server has:  SYSTEM, LOCAL SERVICE, NETWORK SERVICE, Administrator, Users, Network Configuration Operators & Dhcp.  The troubled server does not list Network Configuration Operators or Dhcp.  I was able to add
    the NW Configuration Operators ( a built-in security group), but do not see anything for Dhcp other than user groups for DHCP Admins & Users.  Based on what I see on the working server, I don't think that is the right thing to add.   
    I also noticed that some keys were missing for this reg entry vs. the same key on the second server.  Missing were (all under the HKLM entry above):  RequiredPrivileges (REG_MULTI_SZ) value:  SeChangeNotifyPrivilege SeCreateGlobalPrivilege  ServiceDll
    (REG_EXPAND_SZ) %SystemRoot%\system32\dhcpcore.dll (*I did verify this file does exist) and ServiceSidType (REG_DWORD) value:  1.  I added these reg keys. I also noticed that the troubled server has a subkey titled Enum.  There are 4 values
    listed:  Default (REG_SZ), no value.  0 (REG_SZ) Data value= Root\LEGACY_DHCP\0000, Count (REG_DWORD) Value: 1 and NextInstance (REG_DWORD) Value: 1.  The working server does not have this key. 
    In comparing the reg values on each server, the only significant difference that I've noticed other than what is listed above is HKLM\System\CurrentControlSet\Services\Dhcp\Parameters.  On the working server the ServiceDll is dhcpcore.dll.  On the
    server having the issue that value is defined as dhcpcsvc.dll.  I suspect that this could be a contributing factor, but have not made the change yet.
    I am still sitting with the error 1314:  A required privilege is not held by the client.
    So this is where I'm at...Any ideas would be appreciated as I'm really trying to avoid having to rebuild this entire server.  Thank you

  • Macs show up as "unknown" on my router's DHCP Client Table

    Both of my Macs, an Intel Mac Mini running Snow Leopard and a G4 iMac running Tiger show up as "unknown" in my router's DHCP client table.
    All of my Windows PCs all show up with their computer names.
    Is there a way to get my Macs' computer names to show up in the DHCP client table? The router is a Linksys RTP300.

    Open Network System Preferences, click on the service you are using to connect to the network (airport, ethernet, etc), click on Advanced and go to the TCP/IP tab. There is a field for DHCP client ID. This may pass a name to the router and it may use it. I don't know.
    Another option is the WINS tab. You can set the Netbios name (other than the default) and workgroup (and any WINS servers, if you know their addresses).

  • Creating a little GUI with adding DNS record functionality

    Hi all,
    Creating a DNS record (A record) is pretty straight forward in Powershell. I wonder if somebody knows how to create a little GUI with the powershell commands in the background to create DNS records.
    For example something like a HTML form in where u can enter the DNS name, the Zone and the IPv4 address. Click Add and Powershell will add it on the background. I cannot find any good information on this when i google on it.
    Thanks!

    Hi Bennekommer,
    I'm writing to check if the suggestions were helpful, if you have any questions, please feel free to let me know.
    If you have any feedback on our support, please click here.
    Best Regards,
    Anna
    TechNet Community Support

  • DHCP Name Protection & DNS Records

    How do DHCP Name Protection & DNS records correlate for domain PCs? We found a lot of old records from PCs in DNS, and I'm just wondering, does DNS (or DHCP) remove records about PCs which were removed from AD (not gracefully, just deleted computer account)?

    Hi,
    If you want the DHCP server to register the DNS records for the DHCP clients, you need to configure the DNS configuration and options settings on DHCP server. In addition, it seems that Windows DHCP clients cannot update their records with the DNS server themselves,
    but DHCP server can be configured to perform updates for both Windows DHCP clients and non-Windows DHCP clients. The links below may be helpful to you:
    [Forum FAQ] DNS Dynamic Update Troubleshooting Guide
    DHCP and DNS
    Best regards,
    Susie

  • How many DNS record need to create in Internal & external DNS server for exchange?

    Hi friends,
    I recently installed Exchange Server 2010 in my organization for testing purposes and I've registered a public IP too for the Exchange server on godaddy.com. How many internal & external DNS records are required to configure on the external & internal DNS servers so all my features like Auto-discover, ActiveSync & webmail start working perfectly?
    It's my first time configuring Exchange for an organization.
    Thanks & Regards,
    Pradeep Chaugule

    Hi,
    Just as what ManU Philip said, you need to create
    Autodiscovery.domain.com and mail.domain.com for external dns server.
    Generally, you configure your Exchange Servers as DNS clients of your internal DNS server.
    Refer from:
    http://technet.microsoft.com/en-us/library/aa996996(v=exchg.65).aspx
    Best Regards.

  • Propagating changes to DNS servers to DHCP clients

    I have a routed network with 8 subnets all served by a 3550 running a DHCP server.  I have 8 dhcp pools set up, one for each subnet.  Currently there are about 100 dhcp clients with leases across those subnets.   I had to change the DNS server list for each of the dhcp pools.  How do I ensure that the new DNS server info gets to all clients?   Will the clients get updated DNS info by virtue of the changes I made to the dhcp pools, or do I need to wait until the leases are renewed for the changes to propagate?  If so, short of having each client release/renew, is there a way to force the change?  I know that I can start/stop the dhcp server which I believe will clear all bindings which then in turn will force all clients to get a new lease.  Is there any other way to propagate the DNS change?

    It should change automatically when you modify the parameters. No need to stop/start dhcp for that.
    As an alternative, it will certainly be updated when the clients are rebooted.
    Best is to change it after office hours, systems will be updated when the users start their PC's in the morning.
    regards,
    Leo

  • DNS records to be created for Lync deployment (Internal and External)

    Hi There,
    If I want the Lync server environment to work Internal as well from External in all the aspects. (auto-discover, meetings, AV conferencing,web conferencing, voice integration, mobility etc), please answer to the below questions and also their purpose please.
    I'm not sure whether the answer varies for 2010 and 2013 version.
    1. What are the Internal and External(public) DNS records to be created for the reverse proxy(assume i'm using TMG servers), and their purpose?
    2. What are the Internal and External(public) DNS records to be created for Lync Edge server, and their purpose?

    I'll try to answer as well.
    1) For the reverse proxy, you'll need to publish the following:
    External:
    lyncdiscover.sipdomain.com (You'll need this record for every sip domain you have).  This is for client autodiscover.
    external web services FQDN (You'll need one of these per pool, you get to choose the name).  This is for address book downloads, web conferencing, etc.
    Meet.sipdomain.com (You can choose the name here, and have one per sip domain or one for the whole org).  This is for web conferencing.
    Dialin.sipdomain.com (You'll just need one here, it doesn't have to be dialin).  This is for changing your conferencing/phone pin, resetting conference info, and general conferencing info.
    For Lync 2013 only, you may want the Office Web Application server pool name as well for PowerPoint sharing.  Lync 2010 doesn't use this.  
    Internal:
    The external web services FQDN.  You'll need this available internally through the reverse proxy so you can redirect requests on port 443 to port 4443.  This will be used for mobile devices on WiFi.
    2) For the Edge server:
    Externally:
    sip.sipdomain.com (you'll need one per sip domain) this is an autodiscover/multi use FQDN and should point to your access edge IP.
    webedge.sipdomain.com (edge web conferencing, you can pick any name you like).
    avedge.sipdomain.com (av edge, you can pick any name you like).
    accessedge.sipdomain.com (you'll need a name for the access edge role, however you can just use sip.sipdomain.com and save a name in your certificate request).
    Internally:
    edgepool.sipdomain.com (you can pick any name you want, it's just the name assigned to the internal edge interface).
    If you choose to have a single ip for the external edge, you can get away with just an access edge name and/or sip.sipdomain.com
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications
    This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
