Microsoft Windows 2000 DNS Server User Manual


 
however, can be changed through the registry.
Controlling Update Access to Zones and Names
Active Directory controls access to secure DNS zones, and to the names in them, through ACLs. An ACL can be set on an entire zone or adjusted for specific names. By default, any authenticated user can create A or PTR RRs in any zone. Once an owner name has been created (regardless of the record type), however, only the users or groups that the ACL for that name grants write permission can modify the records under that name. This behaviour is desirable in most scenarios, but some special situations need to be considered separately.
DnsUpdateProxy Group
As described in the “Mixed Environment” section of this paper, a DHCP server may be configured to dynamically register A and PTR records on behalf of down-level clients. In this situation the default secure-update configuration can leave stale records. If a DHCP server performs a secure dynamic update on a name, the DHCP server becomes the owner of that name, and only that DHCP server can subsequently update it. This causes problems in a few circumstances. For example, suppose the DHCP server DHCP1 created an object for the name myname.mycompany.com. and then went down, and the backup DHCP server, DHCP2, tried to update the name. DHCP2 would not be able to update the name because it does not own it. Similarly, suppose DHCP1 added an object for the name myname.mycompany.com and the administrator then upgraded the myname.mycompany.com host to Windows 2000. Because the host does not own the name, it would not be able to update its own record.
The solution to this problem is a new group called DnsUpdateProxy. Any object created by a member of this group has no owner-specific security: the first user that is not a member of the DnsUpdateProxy group to touch the name becomes its owner. Thus, if every DHCP server that registers A records for down-level clients is a member of DnsUpdateProxy, the problem is eliminated. Membership of the DnsUpdateProxy group is managed through the Active Directory Users and Computers snap-in.
At the same time, this solution opens security holes, since every DNS name registered by the computer running the DHCP server is non-secure; the A resource record for the DHCP server computer itself is one example. The holes become more significant if a DHCP server that is a member of DnsUpdateProxy is installed on a domain controller: all SRV, A and CNAME records that netlogon registers for that DC are then non-secure, so the first other updater to touch them takes ownership of them. To minimize the problem, installing a DHCP server on a DC is not recommended. A further strong argument against running a DHCP server on a domain controller is that such a DHCP server has full control over all DNS objects stored in Active Directory, because the DHCP service runs under the computer account, which in this case is the domain controller's account.
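The two checks a practitioner would want after reading this section, written here as an added PowerShell audit script that is not part of the white paper (it relies on the later ActiveDirectory module and the AD: PSDrive, neither of which existed on Windows 2000): first, which members of DnsUpdateProxy are domain controllers, which is the configuration the text warns against; second, which dnsNode objects in an AD-integrated zone carry a DACL that grants write-class rights to a broad principal, which is what the "no security" records registered by DnsUpdateProxy members look like in the directory. The zone DN, the group name and the set of principals treated as "broad" are assumptions to adjust for the environment under review.

```powershell
# Added audit script, not from the white paper. Requires the ActiveDirectory
# module (RSAT) and read access to the DNS objects in Active Directory.
# Assumption: the zone is AD-integrated and stored under CN=MicrosoftDNS,CN=System,
# the Windows 2000 location. For a zone in the DomainDnsZones partition use
# 'DC=<zone>,CN=MicrosoftDNS,DC=DomainDnsZones,DC=<domain>,DC=<tld>' instead.
[CmdletBinding()]
param(
    [string]$ZoneDn     = 'DC=mycompany.com,CN=MicrosoftDNS,CN=System,DC=mycompany,DC=com',
    [string]$ProxyGroup = 'DnsUpdateProxy'
)

Import-Module ActiveDirectory

# --- Check 1: DnsUpdateProxy members that are domain controllers -------------
# Records that netlogon registers for such a DC (SRV, A, CNAME) are created
# without owner protection, and the DHCP service on it runs as the DC account.
$dcDns = (Get-ADDomainController -Filter *).ComputerObjectDN

Write-Host "Computers in $ProxyGroup (IsDomainController = True is the risky case):"
Get-ADGroupMember -Identity $ProxyGroup -Recursive |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object {
        [pscustomobject]@{
            Member             = $_.SamAccountName
            IsDomainController = ($dcDns -contains $_.distinguishedName)
        }
    } | Format-Table -AutoSize

# --- Check 2: dnsNode objects writable by a broad principal ------------------
# Assumption: these identities are what we treat as "anyone"; extend as needed.
$broadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users'
)

# Any of these rights lets the holder change or take over the record.
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteProperty, CreateChild, Delete, WriteDacl, WriteOwner'

Write-Host "Names under $ZoneDn whose own DACL grants write rights to a broad principal:"
Get-ADObject -SearchBase $ZoneDn -SearchScope OneLevel -LDAPFilter '(objectClass=dnsNode)' |
    ForEach-Object {
        $node = $_
        $acl  = Get-Acl -Path "AD:\$($node.DistinguishedName)"

        # Only explicit (non-inherited) Allow ACEs matter here: inherited ACEs
        # come from the zone container and apply to every name alike.
        $openAces = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            -not $_.IsInherited -and
            ($broadPrincipals -contains $_.IdentityReference.Value) -and
            (($_.ActiveDirectoryRights -band $writeMask) -ne 0)
        }

        if ($openAces) {
            [pscustomobject]@{
                Name   = $node.Name
                Owner  = $acl.Owner
                OpenTo = (($openAces.IdentityReference.Value | Sort-Object -Unique) -join ', ')
            }
        }
    } | Sort-Object Name | Format-Table -AutoSize
```

Run it from a host with RSAT as a user that can read the zone container. A name whose Owner column shows a DHCP server is one the white paper's DHCP1/DHCP2 scenario applies to; a name that appears in the second table is one the first non-proxy updater can take over, and if that name belongs to a domain controller the SRV records clients use to locate the DC are exposed in the same way.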
Windows 2000 White Paper
21