secure updates with External NT 4 trusts

NAN

Currently, our AD zones are configured to "allow dynamic
updates". We are not using DHCP. We do have Win2K client
PCs that are in an NT 4 domain. They also point to the
Win2k DNS servers. If we change the setting to "secure
updates" will the PCs in the NT 4 domain be able to add
records to the DNS server? (There is an external trust
with the NT 4 domain.)
Thanks.
 
Ace Fekay [MVP]

Unfortunately, no. Secure updates is an AD based feature. NT4 doesn't have
the APIs for the secure communication, unless you use DHCP for them.
--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
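
What the two zone settings discussed in this thread come down to on the wire, as an added example that is not part of the thread or any poster's code: a secure dynamic update is an RFC 2136 UPDATE message signed with a TSIG record obtained through GSS-TSIG (RFC 3645), while a plain dynamic update carries no signature. The Python below classifies UPDATE messages by whether a TSIG record closes the additional section; the host names, key name and placeholder MAC are constructed, and the signature is only detected, not verified.

```python
import struct

OPCODE_UPDATE, TYPE_A, TYPE_SOA, TYPE_TSIG = 5, 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255

def encode_name(name):  # dotted name -> uncompressed DNS labels
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".") if p) + b"\x00"

def rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_update(zone, updates, additional=()):  # RFC 2136 message, for the samples
    header = struct.pack("!HHHHHH", 0x1234, OPCODE_UPDATE << 11, 1, 0,
                         len(updates), len(additional))
    zone_entry = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone_entry + b"".join(updates) + b"".join(additional)

def skip_name(msg, off):
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def classify_update(msg):
    """Return 'signed', 'unsigned', 'not-an-update' or 'malformed'."""
    try:
        _id, flags, zo, pr, up, ad = struct.unpack_from("!HHHHHH", msg, 0)
        if (flags >> 11) & 0xF != OPCODE_UPDATE:
            return "not-an-update"
        off, last_type = 12, None
        for _ in range(zo):
            off = skip_name(msg, off) + 4      # skip ZTYPE and ZCLASS
        for _ in range(pr + up + ad):
            off = skip_name(msg, off)
            last_type, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10 + rdlen
        if off > len(msg):
            raise IndexError("record runs past the end of the message")
    except (struct.error, IndexError):
        return "malformed"
    # A TSIG record, when present, is the last record in the additional section.
    return "signed" if ad and last_type == TYPE_TSIG else "unsigned"

# Constructed samples: the same A-record registration, unsigned and with TSIG.
A_RR = rr("pc01.corp.example", TYPE_A, CLASS_IN, 1200, bytes([10, 0, 0, 25]))
# TSIG rdata: algorithm, 48-bit time, fudge, MAC size, 4-byte placeholder MAC, id, error, other len
TSIG_RDATA = encode_name("gss-tsig") + struct.pack("!HIHHIHHH", 0, 0, 300, 4, 0, 0x1234, 0, 0)
TSIG_RR = rr("constructed-key.example", TYPE_TSIG, CLASS_ANY, 0, TSIG_RDATA)
UNSIGNED = build_update("corp.example", [A_RR])
SIGNED = build_update("corp.example", [A_RR], [TSIG_RR])
```

Run over UPDATE payloads exported from a capture taken at the DNS server, the "unsigned" results identify the registrations that a zone set to secure updates would refuse.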
 
NAN

Just so I am clear, the client PCs must be in a 2000 AD
domain to dynamically update the DNS server, correct? If
they are older PCs not using DHCP they can still resolve
names, they just cannot update the DNS server with their
host records?
Thanks.
 
Ace Fekay [MVP]

Sorry, after re-reading your post, W2k clients, as long as they have the
correct Primary DNS Suffix that matches the domain name zone in DNS,
*will* register. I read through it quickly and thought you were talking
about NT4 clients. Sorry.

Ace
 
NAN

Now you have confused me:) What I am trying to figure
out is - if I enable "secure updates" rather than "allow
dynamic updates" what will happen? Will the NT4, Win98,
etc. clients still be able to resolve names? Will their
host records be dynamically updated on the DNS server?
What are the advantages and disadvantages?
Thanks.
 
Ace Fekay [MVP]

Not trying to confuse you.

1. If you use DHCP, and tell it to force updates for clients that cannot
update themselves, (such as W98 or NT4), then it will register them into DNS
for you, whether secure or not.

2. Yes, ALL operating systems can resolve any name in DNS as long as you
ONLY specify your internal DNS server(s) in their IP properties, and
assuming thru DHCP, Option 006 should ONLY show your internal DNS server(s).
This means NO ISP DNS servers should show in ANY internal client. Use a
forwarder in your DNS to resolve external names.

3. If you do not use DHCP for legacy clients (such as Win98 or NT4), then
NO, they will not register into DNS. But they can resolve internal DNS names
from DNS as long as you follow step 2.

4. W2k and newer clients will register themselves into DNS. If secure
updates, then the W2k clients MUST BE joined to the domain FIRST.

5. The Primary DNS Suffix on a client machine will dictate what zone it will
register into.

Hope that clears it up.


--
Regards,
Ace

 
NAN

THANK YOU! I THINK I GOT IT NOW:)
 
Ace Fekay [MVP]

Awesome!
--
Regards,
Ace

 
