Thread: Security permissions for DHCP registration credentials

  1. #1
    Library Sysadmin Guest

    Security permissions for DHCP registration credentials

    Win2003 R2 x64 servers that serve as DCs, DNS, DHCP and WINS servers for
    domain. AD Integrated DNS set up, with Secure dynamic updates. DHCP
    configuration is set up to always dynamically update DNS A and PTR records,
    even for those clients that do not request it. We do this because we have
    WinCE thin clients that do not update DNS on their own.

    I've read through previous questions regarding DNSUpdateProxy group as well
    as the KB article 816592.

    If I've read the KB article correctly, in our situation we need to add the
    two servers (Computer objects) as members of the DNSUpdateProxy group, which
    I have done. However, this creates some form of security issue for which we
    also need to create a user whose credentials can be entered in DHCP setup for
    use when dynamically updating DNS. I have created a user and updated DHCP to
    use this user's name/password/domain credentials.

    However, dynamic DNS updates are still not occurring for our WinCE clients.
    DHCP logs only show an entry with code 31 - DNS Update failed.

    I see no mention in the KB article as to the Security permissions needed for
    this user. Is this user also supposed to be a member of the DNSUpdateProxy
    group?
    What other groups (Domain Users, Domain Admins, DHCP Administrators, DHCP
    Users, DnsAdmins)? What security permissions are needed by this user (Read,
    Write, Modify, Full Control), and over what?

    TIA
    Rick
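    The post above is working from DHCP audit-log entries with event code 31. The
    following script is an added example, not code from the thread or from
    Microsoft: it parses the comma-separated rows of a Windows DHCP server audit
    log (DhcpSrvLog-*.log) and summarises, per host, how many DNS-update requests
    (event 30), failures (31) and successes (32) were logged, so that the hosts
    whose updates never succeed can be singled out for a record-ownership check.
    The log lines embedded below are constructed sample data; host names, IPs and
    MAC addresses are placeholders.

```powershell
# Added example (not from the thread): summarise DNS-update results from a
# Windows DHCP server audit log. Event IDs 30 (DNS update request),
# 31 (DNS update failed) and 32 (DNS update successful) are the documented
# DHCP audit-log codes. The rows below are constructed sample data.
$sampleLog = @'
        Microsoft DHCP Service Activity Log

ID  Date,Time,Description,IP Address,Host Name,MAC Address
30,08/21/07,09:15:02,DNS Update Request,10.0.5.21,wince-01.corp.example.com,0004A3112233
31,08/21/07,09:15:03,DNS Update Failed,10.0.5.21,wince-01.corp.example.com,0004A3112233
30,08/21/07,09:15:10,DNS Update Request,10.0.5.22,wince-02.corp.example.com,0004A3445566
32,08/21/07,09:15:11,DNS Update Successful,10.0.5.22,wince-02.corp.example.com,0004A3445566
30,08/21/07,09:16:40,DNS Update Request,10.0.5.23,wince-03.corp.example.com,0004A3778899
31,08/21/07,09:16:41,DNS Update Failed,10.0.5.23,wince-03.corp.example.com,0004A3778899
10,08/21/07,09:16:42,Assign,10.0.5.23,wince-03.corp.example.com,0004A3778899
'@

function Get-DhcpDnsUpdateSummary {
    param([string[]]$Lines)

    $events = foreach ($line in $Lines) {
        # Data rows start with a numeric event ID; the banner and the
        # column-header line do not, so they are skipped.
        if ($line -notmatch '^\d+,') { continue }
        $f = $line -split ','
        [pscustomobject]@{
            Id          = [int]$f[0]
            Date        = $f[1]
            Time        = $f[2]
            Description = $f[3]
            IP          = $f[4]
            Host        = $f[5]
            Mac         = $f[6]
        }
    }

    # Only the three DNS-update codes matter here; lease events are ignored.
    $events | Where-Object { $_.Id -in 30, 31, 32 } |
        Group-Object Host | ForEach-Object {
            [pscustomobject]@{
                Host      = $_.Name
                Requests  = @($_.Group | Where-Object { $_.Id -eq 30 }).Count
                Failed    = @($_.Group | Where-Object { $_.Id -eq 31 }).Count
                Succeeded = @($_.Group | Where-Object { $_.Id -eq 32 }).Count
            }
        }
}

# Replace $sampleLog with Get-Content of the real log to run against a server.
$summary = Get-DhcpDnsUpdateSummary -Lines ($sampleLog -split "`r?`n")
$summary | Format-Table -AutoSize

# Hosts whose updates fail and never succeed are the candidates for the
# "record owned by another principal" problem discussed in this thread.
$summary | Where-Object { $_.Failed -gt 0 -and $_.Succeeded -eq 0 } |
    Select-Object -ExpandProperty Host
```

    With the sample data the last line lists wince-01 and wince-03; wince-02 is
    excluded because its update eventually succeeded. The `-in` operator and the
    `Group-Object` pattern need PowerShell 3.0 or later.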

  2. #2
    Kevin D. Goodknecht Sr. [MVP] Guest

    Re: Security permissions for DHCP registration credentials

    Read inline please.

    In news:5A89FD97-0309-4E00-9916-D14F256D3938@microsoft.com,
    Library Sysadmin <LibrarySysadmin@discussions.microsoft.com> typed:
    > Win2003 R2 x64 servers that serve as DCs, DNS, DHCP and WINS servers
    > for domain. AD Integrated DNS set up, with Secure dynamic updates.
    > DHCP configuration is set up to always dynamically update DNS A and
    > PTR records, even for those clients that do not request it. We do
    > this because we have WinCE thin clients that do not update DNS on
    > their own.
    >
    > I've read through previous questions regarding DNSUpdateProxy group
    > as well as the KB article 816592.
    >
    > If I've read the KB article correctly, in our situation we need to
    > add the two servers (Computer objects) as members of the
    > DNSUpdateProxy group, which I have done. However, this creates some
    > form of security issue for which we also need to create a user whose
    > credentials can be entered in DHCP setup for use when dynamically
    > updating DNS. I have created a user and updated DHCP to use this
    > user's name/password/domain credentials.
    >
    > However, dynamic DNS updates are still not occurring for our WinCE
    > clients. DHCP logs only show an entry with code 31 - DNS Update
    > failed.
    >
    > I see no mention in the KB article as to the Security permissions
    > needed for this user. Is this user also supposed to be a member of
    > the DNSUpdateProxy group?
    > What other groups (Domain Users, Domain Admins, DHCP Administrators,
    > DHCP Users, DnsAdmins) What security permissions are needed by this
    > user (Read, Write, Modify, Full Control) over what?


    You probably need to create a new dedicated user account with a non-expiring
    password, and assign those user credentials on the Advanced tab of all DHCP
    servers.
    This account need not have any special privileges or group memberships, but
    you should give it a long Complex password phrase, with numbers, spaces and
    upper and lower case letters, since it does not expire. Something in the 15
    to 18 character range should be good.



    --
    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Hope This Helps

    ===================================
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ===================================
    http://www.lonestaramerica.com/
    http://support.wftx.us/
    http://message.wftx.us/
    ===================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ===================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ===================================



  3. #3
    Library Sysadmin Guest

    Re: Security permissions for DHCP registration credentials

    Kevin,

    Thanks for the response.
    As stated in the original post, however, I added a dedicated user and set up
    DHCP to use this new user's credentials. However, dynamic DNS updates are
    not occurring.

    Rick

    "Kevin D. Goodknecht Sr. [MVP]" wrote:

    > Read inline please.
    >
    > In news:5A89FD97-0309-4E00-9916-D14F256D3938@microsoft.com,
    > Library Sysadmin <LibrarySysadmin@discussions.microsoft.com> typed:
    > > Win2003 R2 x64 servers that serve as DCs, DNS, DHCP and WINS servers
    > > for domain. AD Integrated DNS set up, with Secure dynamic updates.
    > > DHCP configuration is set up to always dynamically update DNS A and
    > > PTR records, even for those clients that do not request it. We do
    > > this because we have WinCE thin clients that do not update DNS on
    > > their own.
    > >
    > > I've read through previous questions regarding DNSUpdateProxy group
    > > as well as the KB article 816592.
    > >
    > > If I've read the KB article correctly, in our situation we need to
    > > add the two servers (Computer objects) as members of the
    > > DNSUpdateProxy group, which I have done. However, this creates some
    > > form of security issue for which we also need to create a user whose
    > > credentials can be entered in DHCP setup for use when dynamically
    > > updating DNS. I have created a user and updated DHCP to use this
    > > user's name/password/domain credentials.
    > >
    > > However, dynamic DNS updates are still not occurring for our WinCE
    > > clients. DHCP logs only show an entry with code 31 - DNS Update
    > > failed.
    > >
    > > I see no mention in the KB article as to the Security permissions
    > > needed for this user. Is this user also supposed to be a member of
    > > the DNSUpdateProxy group?
    > > What other groups (Domain Users, Domain Admins, DHCP Administrators,
    > > DHCP Users, DnsAdmins) What security permissions are needed by this
    > > user (Read, Write, Modify, Full Control) over what?

    >
    > You probably need to create a new dedicated user account with a non-expiring
    > password, and assign those user credentials on the Advanced tab of all DHCP
    > servers.
    > This account need not have any special privileges or group memberships, but
    > you should give it a long Complex password phrase, with numbers, spaces and
    > upper and lower case letters, since it does not expire. Something in the 15
    > to 18 character range should be good.


  4. #4
    Library Sysadmin Guest

    RE: Security permissions for DHCP registration credentials

    Update on this.

    I added the new user to the DNSUpdateProxy global security group. The DHCP
    logs now start showing some successful registrations, while some are still
    failures.

    What I think is going on at this point is that the registration is
    successful if there is no existing DNS record. The new DHCP credential user
    doesn't have rights to change an existing registration, since it wasn't the
    original owner. One note here, though, the successful registrations show up
    in AD, but aren't being seen in dnsmgmt.msc.

    So, I'm still back to my original question - what security permissions does
    this DHCP-credential user have to have? Should it be included in DNS Admins
    global Security Group, or any others?

    TIA
    Rick

  5. #5
    Kevin D. Goodknecht Sr. [MVP] Guest

    Re: Security permissions for DHCP registration credentials

    Read inline please.

    In news:523BC617-49B4-49BB-81D5-87CF53607382@microsoft.com,
    Library Sysadmin <LibrarySysadmin@discussions.microsoft.com> typed:
    > Update on this.
    >
    > I added the new user to the DNSUpdateProxy global security group.
    > The DHCP logs now start showing some successful registrations, while
    > some are still failures.
    >
    > What I think is going on at this point is that the registration is
    > successful if there is no existing DNS record. The new DHCP
    > credential user doesn't have rights to change an existing
    > registration, since it wasn't the original owner. One note here,
    > though, the successful registrations show up in AD, but aren't being
    > seen in dnsmgmt.msc.
    >
    > So, I'm still back to my original question - what security
    > permissions does this DHCP-credential user have to have? Should it
    > be included in DNS Admins global Security Group, or any others?


    As I said, the user needs no special group memberships, but it cannot update
    records it does not own. Neither the server nor the account need to be in
    the DNSUpdateProxy group. There are situations where I have made the user
    a member of the Domain Guests group only and updates worked just fine. It is an
    ownership issue; you may have to delete existing records and renew the IP
    address.



    --
    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Hope This Helps




  6. #6
    Quote Originally Posted by Kevin D. Goodknecht Sr. [MVP]:

    > As I said, the user needs no special group memberships, but it cannot update
    > records it does not own. Neither the server nor the account need to be in
    > the DNSUpdateProxy group. There are situations where I have made the user
    > a member of the Domain Guests group only and updates worked just fine. It is an
    > ownership issue; you may have to delete existing records and renew the IP
    > address.

    Is there another way than to delete these entries?
    I have the same issue and my supervisor doesn't want me to delete them.
    I have tried to give my DHCP user account the same rights on the zone as the client has that made the registration (with the allow inheritable permissions set to yes).
    Now my DHCP account is able to update some but not all.

    Thx
    Regards.
    Eastp.

  7. #7
    Kevin D. Goodknecht Sr. [MVP] Guest

    Re: Security permissions for DHCP registration credentials

    Read inline please.

    In news:eastp.2umtri@DoNotSpam.com,
    eastp <eastp.2umtri@DoNotSpam.com> typed:

    > Is there another way than to delete these entries?
    > I have the same issue and my supervisor doesn't want me to delete
    > them.
    > I have tried to give my DHCP user account the same rights on the zone
    > as the client has that made the registration (with the allow
    > inheritable permissions set to yes).
    > Now my DHCP account is able to update some but not all.


    Give ownership of the records that are not updating to the account used by
    DHCP to update DNS. You can do this on the Win2k3 DC only, right click the
    record, choose properties, on the Security tab, click the Advanced button,
    select the Owner tab, click the Other Users or Groups button, find and
    select the user account used by DHCP, Click OK back to the Owner tab, then
    select the user account in the "Change owner to" pane and click Apply, then
    OK two times.
    You did not need to give this account elevated privileges, but it should not
    be able to update records it did not create.



    --
    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Hope This Helps

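    The ownership point made in the reply above (and in post #5: the DHCP
    credential cannot overwrite a record another principal owns) can be audited
    and, where the administrator decides to, corrected without deleting records.
    The script below is an added example, not code from the thread or from
    Microsoft: it enumerates the dnsNode objects of an AD-integrated zone, reads
    the owner of each object's security descriptor, lists the records the DHCP
    credential does not own, and, only when run with -FixOwner, reassigns
    ownership to that account, which is the same change the GUI steps above make
    record by record. It assumes the ActiveDirectory PowerShell module (Windows
    Server 2008 R2 / RSAT or later; not available on the Windows 2003 servers in
    the original post), a zone stored in the DomainDnsZones partition, and an
    operator with the rights to assign ownership. The zone name, domain DN and
    account name are placeholders.

```powershell
# Added example (not from the thread): audit which principal owns each DNS
# record (dnsNode object) in an AD-integrated zone, and optionally reassign
# ownership to the DHCP update credential. Zone, domain DN and account are
# placeholders. Requires the ActiveDirectory module and rights to set owners.
param(
    [string]$ZoneName    = 'corp.example.com',          # placeholder zone
    [string]$DomainDn    = 'DC=corp,DC=example,DC=com', # placeholder domain DN
    [string]$DhcpAccount = 'CORP\dhcp-dnsupdate',       # placeholder DHCP credential
    [switch]$FixOwner                                    # report only unless given
)

Import-Module ActiveDirectory

# Zones replicated to all DNS servers in the domain live in DomainDnsZones;
# zones stored the legacy way sit under CN=MicrosoftDNS,CN=System,<domain DN>.
$zoneDn = "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDn"

# dNSTombstoned=TRUE marks records deleted but not yet scavenged; skip them.
$nodes = Get-ADObject -SearchBase $zoneDn -SearchScope OneLevel `
    -LDAPFilter '(&(objectClass=dnsNode)(!(dNSTombstoned=TRUE)))'

$report = foreach ($node in $nodes) {
    # The AD: drive exposes each object's security descriptor to Get-Acl.
    $acl = Get-Acl -Path "AD:\$($node.DistinguishedName)"
    [pscustomobject]@{
        Record            = $node.Name
        DistinguishedName = $node.DistinguishedName
        Owner             = $acl.Owner            # e.g. CORP\WINCE-01$ or CORP\dhcp-dnsupdate
        OwnedByDhcp       = ($acl.Owner -eq $DhcpAccount)
    }
}

# These are the records the DHCP credential cannot overwrite on its own.
$foreign = @($report | Where-Object { -not $_.OwnedByDhcp })
"$($foreign.Count) of $($report.Count) records are not owned by $DhcpAccount"
$foreign | Sort-Object Owner | Format-Table Record, Owner -AutoSize

if ($FixOwner) {
    $newOwner = [System.Security.Principal.NTAccount]$DhcpAccount
    foreach ($row in $foreign) {
        $path = "AD:\$($row.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        $acl.SetOwner($newOwner)          # same effect as the Owner tab in dnsmgmt.msc
        Set-Acl -Path $path -AclObject $acl
        "Owner of $($row.Record) changed from $($row.Owner) to $DhcpAccount"
    }
}
```

    Run it without -FixOwner first and review the owner column: records owned by
    computer accounts (names ending in `$`) are the ones clients registered
    themselves, and handing them to the DHCP credential lets the DHCP server
    refresh them while leaving the account with no group memberships beyond what
    the reply above recommends.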


