Clients can update records that have been registered and are owned by the DHCP server, why?


Ulrik

Yesterday:
Windows 2003 DNS (dynamic dns, only secure updates allowed)
Windows 2000 DHCP

Today:
Windows 2003 DNS (dynamic dns, unsecure and secure updates are allowed)
Cisco CNR DHCP

Yesterday we had a MS 2000 DHCP server that registered secure dynamic DNS
records for the clients (mostly Windows 2000 clients).

Today we have switched over to use a third-party DHCP (political decision),
Cisco CNR, and the clients will register themselves (if the client can do
that; if not, the DHCP server will register the client).

Before, the MS DHCP registered the records with secure updates in DNS.
(When looking at a client A record's security, the DHCP server was added to
the permission list and had the right to 'write'.)

The strange thing is that after switching over to Cisco DHCP, clients can
update their records even if the MS DHCP server is the owner (the server is
added to the permission list and has the right to 'write').
Ques1: How can this happen? The client should not be able to modify this
record, if I'm not totally wrong...

Also, the record created when the client makes a registration after getting an
IP from Cisco CNR is not a secure update and does not add the client
computer to the permission list (it registers with an unsecured DNS record).
Ques2: Why does the client not register with a secure record?

Regards
Ulrik
 

Roger Abell


Ques1:
This can happen if the machine running the prior MS
DHCP (and listed in the perms on the records) is in the
DnsProxyUpdate group. That is what this group is
defined to allow to happen.
Ques2:
Good question. Maybe things have changed, but I had
thought Windows machines attempt secured updates and
then unsecured if the first try fails.
 

Ulrik

How can you tell if a dynamic update is unsecured or secure?
Is the answer: when looking at a client record's properties, under security, the
client is added to the permission list and has the right to 'write'?
(At the records that I'm looking at the owner is SYSTEM, but the client
is added as described above.)

Thank you all for the answers

/Ulrik
 

Roger Abell

Seeing the client machine in the security settings lets you know
either that the client did the initial record or that DHCP did and
the client later claimed it in a refresh.

Seeing the record without the client info does not tell you that the
DNS update message was handled using a secured update. Since
we are talking about things stored in AD, we are talking about
things with security settings, no matter how they get there. If DNS
has accepted an unsecured update and carried it out on a zone that
is AD integrated you will see security but not the client in it.

You can track the behavior with perfmon, watching the DNS counters
for dynamic updates and for secure dynamic updates.
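The three checks discussed in this thread (membership of the proxy group Roger mentions, which Windows names DnsUpdateProxy; whether a client's computer account appears with write rights in the ACL of its record; and the DNS server's dynamic/secure update counters) can be scripted. The following is an added example and is not code from the thread or from either poster. It assumes the ActiveDirectory RSAT module and Get-Counter (Windows Server 2008 R2 / PowerShell 2.0 or later, so it is run from a newer admin host against the DNS server rather than on the 2003 box itself), that the zone is stored in the DomainDnsZones partition, and that the zone name example.com, host name client1 and DNS server name dns1 are placeholders to replace with your own.

```powershell
# Added example, not from the original thread. Assumed placeholders:
# zone example.com, client host client1, DNS server dns1.
# Requires the ActiveDirectory RSAT module and rights to read the
# DNS partition and remote performance counters.
Import-Module ActiveDirectory

$Zone      = 'example.com'   # assumed AD-integrated zone
$HostName  = 'client1'       # assumed client whose A record we inspect
$DnsServer = 'dns1'          # assumed Windows DNS server
$DomainDN  = (Get-ADDomain).DistinguishedName

# 1. Accounts in DnsUpdateProxy may overwrite records they did not create.
#    A former DHCP server left in this group explains the behaviour in Ques1.
'--- DnsUpdateProxy members ---'
Get-ADGroupMember -Identity 'DnsUpdateProxy' -Recursive |
    Select-Object name, objectClass, distinguishedName

# 2. Read the ACL of the dnsNode object for the host. Zones kept in the
#    DomainDnsZones partition live under CN=MicrosoftDNS,DC=DomainDnsZones.
$nodeDN = "DC=$HostName,DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN"
$acl    = Get-Acl -Path "AD:\$nodeDN"
"--- ACL for $nodeDN ---"
'Owner: ' + $acl.Owner
$acl.Access |
    Where-Object { $_.ActiveDirectoryRights -match 'Write|GenericAll' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType

# A secure update from the client itself adds DOMAIN\client1$ with write
# rights. An unsecured update accepted by a zone that allows both kinds
# still produces an object with an ACL, but the client is not in it.
$clientHasWrite = $acl.Access | Where-Object {
    $_.IdentityReference -like "*\$HostName`$" -and
    $_.ActiveDirectoryRights -match 'Write|GenericAll'
}
if ($clientHasWrite) {
    "$HostName appears in the ACL: it created or claimed the record securely"
} else {
    "$HostName absent from the ACL: created by DHCP or via an unsecured update"
}

# 3. Sample the DNS server counters Roger points to. Watching 'Dynamic Update
#    Received' rise while 'Secure Update Received' stays flat confirms that
#    clients are registering with unsecured updates (Ques2).
Get-Counter -ComputerName $DnsServer -Counter @(
    '\DNS\Dynamic Update Received',
    '\DNS\Secure Update Received',
    '\DNS\Secure Update Failure',
    '\DNS\Dynamic Update Rejected'
) | Select-Object -ExpandProperty CounterSamples |
    Select-Object Path, CookedValue
```

If the conclusion is that the zone should never have been opened up, it can be returned to secure-only updates with `dnscmd dns1 /Config example.com /AllowUpdate 2` (2 = secure only, 1 = nonsecure and secure), and the old MS DHCP server's account can be taken out of DnsUpdateProxy once it no longer registers records on behalf of clients. Both commands use the assumed names above.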
 
