Overwrite existing secure dns update with third part DHCP servers, is it possible?

U

Ulrik

Hi

Windows 2003 DNS
Cisco CNR DHCP

Is it possible for a third part DCHP product to use the DNSproxyUpdate group
to register/overwrite existing (secure) dynamic dns records?
Or is this only a Microsoft Windows (2000/2003) DHCP feature?

Can third part DHCP products like Ciscos CNR only update basic (unsecure dns
records)?

Best regards
Ulrik
 
S

sharad

Is there provision in the Router, to enter credentials
for writing scure records? (a username and password
having appropriate rights, is required for secure updates.)

Sharad
 
U

Ulrik

No, there are no opportunitys to enter credetials.

The DHCP server and the DNS is located on the same DC server.

/Ulrik
 
S

sharad

If the DHCP is miscrosoft.. then you can do that..
or if a DHCP server has a feature of using credentials
to do secure update, then also it should work.
If this feature is not there then you will have to
do unsecure updates.. set the zones to allow non secure
and secure updates..

Or set all cleints to register dynamic updates.

Sharad
 
U

Ulrik

We have configured the DNA server to allow non secure and secure updates.
And it works fine if the (a) record does not exist, but if the name already
exist (as a non secure or a secure dns record) a new a-record is created as
name-1.
My guess is that the DCHP server puts the '-1' after the name!?
(In the non secure record it schould overwrite the record, but it does not.)

/Ulrik
 
S

sharad

In win 2003 DNS, there is a problem for removing stale records.. and
scavenging works sometimes, sometimes doesn't.. May be because of the same..
DHCP is not able to remove
the old record.... am not sure.. but may be.
as for the scavenging.. there is no any real solution given by microsoft
yet.. looks like it will be there in SP1.

However, let's see if someone knows this issue and will post an appropriate
answer.

Sharad
 
R

Roger Abell

My guess is that you are correct, it is the DHCP server that
adds the -1 to the name.
Have you looked at the permissions on the records that do
not allow overwrite ??
You are misinterpreting the use of the DNSproxyUpdate group.
When used, this allows DHCP to register the record, but also
allows a later machine to claim ownership/permissions over
that record. Without this group being used DHCP will retain
control.
It may simply be that your DHCP tests for existence, and if that
precondiiton that it does not exist is not met, instead of attempting
to remove it it adds the -1. This might be a configuration option
in your DHCP. If your DHCP is running in the same system account
as would MS DHCP (you did not state if this is on W2k or W2k3,
there is a chance that things would get as far as DNS attempting to
negotiate a security context with the DHCP (where things would
probably fail) and if this did succeed then DNS would use the
creds for the LDAP update of the record, which would then work.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Clients can update records that has been registerd and are owned by DHCP server, why? 3
Windows DHCP and DDNS behavior 2
DHCP Security breach 3
Problems getting standalone DHCP server to update DNS 1
PTR Regististration issue for Non-Windows Devices in W2K3 DNS 3
DNS & DHCP on multiple Win2003 Servers 3
DNS Dynamic Update Doesn't 1
DNS and DHCP in different domains 1

Top