Problem with Secure DDNS

Sunny

Hi all,

I have searched all over the web for some clues on this one but I am
getting nowhere. Here is my problem:

I have an AD integrated DNS zone which permits secure dynamic updates
only. Our clients use DHCP but register their own A and PTR records.
We have started to notice that some clients are failing to update and
refresh their own records and then when looking at the permissions on
these records I see instead of <computername>$ with full control on the
ACL we just see an unresolved SID value with full control.

It looks like somehow computer account SIDs are getting changed and
this is causing them to lose their permissions to update their DNS A
and PTR records. I can confirm 100% that these PCs are not being
renamed or removed and rejoined to the domain.

Deleting the A and PTR records fixes the problem as the client is then
able to create fresh records.

Any clues as to why this might be happening would be gratefully
received.

Cheers,
S
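
One way to inventory the records showing the symptom described in this post, as an added example that is not part of the original thread: it lists every dnsNode in the zone whose explicit ACL carries a SID that no longer resolves to an account. The zone name and distinguished name are placeholders, and it assumes the zone is stored in the DomainDnsZones partition and that the ActiveDirectory PowerShell module (RSAT) is installed.

```powershell
# Added example, not from the thread. Read-only audit of DNS record ACLs.
Import-Module ActiveDirectory

# Placeholders (assumptions): replace with your own zone and domain.
$ZoneName = 'corp.example.com'
$ZoneDN   = "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example,DC=com"

function Test-SidResolves {
    # Returns $true when the SID maps to an account, $false when it is orphaned.
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try {
        [void]$Sid.Translate([System.Security.Principal.NTAccount])
        $true
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        $false
    }
}

# Each host record is a dnsNode object directly under the zone container.
$nodes = Get-ADObject -SearchBase $ZoneDN -SearchScope OneLevel `
    -LDAPFilter '(objectClass=dnsNode)' `
    -Properties nTSecurityDescriptor, whenChanged

$report = foreach ($node in $nodes) {
    # Explicit ACEs only: the registering computer's full-control ACE is explicit,
    # inherited zone-level ACEs are not relevant to record ownership.
    $rules = $node.nTSecurityDescriptor.GetAccessRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        if (-not (Test-SidResolves $ace.IdentityReference)) {
            [pscustomobject]@{
                Record      = $node.Name
                OrphanSid   = $ace.IdentityReference.Value
                Rights      = $ace.ActiveDirectoryRights
                WhenChanged = $node.whenChanged
            }
        }
    }
}

$report | Sort-Object Record | Format-Table -AutoSize
```

Comparing the domain portion of each orphaned SID with the current domain SID, and WhenChanged with the computer account's creation date, helps tell a recreated computer account from a record registered by an account that has since been deleted.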
 
Kevin D. Goodknecht Sr. [MVP]

Sunny said:
Hi all,

I have searched all over the web for some clues on this one but I am
getting nowhere. Here is my problem:

I have an AD integrated DNS zone which permits secure dynamic updates
only. Our clients use DHCP but register their own A and PTR records.
We have started to notice that some clients are failing to update and
refresh their own records and then when looking at the permissions on
these records I see instead of <computername>$ with full control on
the ACL we just see an unresolved SID value with full control.

It looks like somehow computer account SIDs are getting changed and
this is causing them to lose their permissions to update their DNS A
and PTR records. I can confirm 100% that these PCs are not being
renamed or removed and rejoined to the domain.

Deleting the A and PTR records fixes the problem as the client is then
able to create fresh records.

Any clues as to why this might be happening would be gratefully
received.


Is the Win2k3 DHCP, and was the account configured in DHCP to be used for
DNS updates deleted?
 
Sunny

Hi Kevin,

We have Win2K3 DHCP servers with settings on the DNS tab as follows

Enable DNS dynamic updates according to settings below: = Checked
- Dynamically update DNS A and PTR records only if requested by the
DHCP clients = Checked

Discard A and PTR records when lease is deleted.= Checked

On the Advanced Tab the DNS dynamic updates registration credentials
are blank?? This would suggest to me that DHCP is not doing any DNS
updating on behalf of clients?
 
Kevin D. Goodknecht Sr. [MVP]

Sunny said:
Hi Kevin,

We have Win2K3 DHCP servers with settings on the DNS tab as follows

Enable DNS dynamic updates according to settings below: = Checked
- Dynamically update DNS A and PTR records only if requested by the
DHCP clients = Checked

Discard A and PTR records when lease is deleted.= Checked

On the Advanced Tab the DNS dynamic updates registration credentials
are blank?? This would suggest to me that DHCP is not doing any DNS
updating on behalf of clients?

Assign a dedicated user account with a non-expiring password on the DHCP
server.
 
