Overwrite existing secure dns update with third part DHCP servers, is it possible?

Thread starter: Ulrik

Ulrik

Hi

Windows 2003 DNS
Cisco CNR DHCP

Is it possible for a third-party DHCP product to use the DNSproxyUpdate group
to register/overwrite existing (secure) dynamic DNS records?
Or is this only a Microsoft Windows (2000/2003) DHCP feature?

Can third-party DHCP products like Cisco's CNR only update basic (unsecure) DNS
records?

Best regards
Ulrik
 
Is there provision in the router to enter credentials
for writing secure records? (A username and password
having appropriate rights is required for secure updates.)

Sharad
 
No, there are no opportunities to enter credentials.

The DHCP server and the DNS is located on the same DC server.

/Ulrik
 
If the DHCP is Microsoft, then you can do that,
or if a DHCP server has a feature of using credentials
to do secure updates, then it should also work.
If this feature is not there, then you will have to
do unsecure updates: set the zones to allow non-secure
and secure updates.

Or set all clients to register dynamic updates.

Sharad
 
We have configured the DNS server to allow non-secure and secure updates.
And it works fine if the (A) record does not exist, but if the name already
exists (as a non-secure or a secure DNS record) a new A record is created as
name-1.
My guess is that the DHCP server puts the '-1' after the name!?
(In the non-secure record it should overwrite the record, but it does not.)

/Ulrik
 
In Win 2003 DNS, there is a problem with removing stale records, and
scavenging works sometimes, sometimes doesn't. Maybe because of the same:
DHCP is not able to remove
the old record. I am not sure, but maybe.
As for the scavenging, there is no real solution given by Microsoft
yet; looks like it will be there in SP1.

However, let's see if someone knows this issue and will post an appropriate
answer.

Sharad
 
My guess is that you are correct: it is the DHCP server that
adds the -1 to the name.
Have you looked at the permissions on the records that do
not allow overwrite?
You are misinterpreting the use of the DNSproxyUpdate group.
When used, this allows DHCP to register the record, but also
allows a later machine to claim ownership/permissions over
that record. Without this group being used, DHCP will retain
control.
It may simply be that your DHCP tests for existence, and if that
precondition that it does not exist is not met, instead of attempting
to remove it, it adds the -1. This might be a configuration option
in your DHCP. If your DHCP is running in the same system account
as MS DHCP would (you did not state if this is on W2k or W2k3),
there is a chance that things would get as far as DNS attempting to
negotiate a security context with the DHCP (where things would
probably fail), and if this did succeed then DNS would use the
creds for the LDAP update of the record, which would then work.
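The reply above hinges on three mechanisms that are easy to confuse: the RFC 2136 "name is not in use" prerequisite (which makes the server answer YXDOMAIN rather than overwrite), the per-record ownership that a secure update leaves behind (which makes an unsigned overwrite fail even in a zone that allows both non-secure and secure updates), and the DnsUpdateProxy/DNSproxyUpdate group (whose members create records with no owner, so a later machine can claim them). The following is an added, constructed model written for this thread; it is not Windows DNS, Cisco CNR, or any real DNS library, and the `Zone`, `Principal` and `register_lease` names, the string response codes and the "append -1 on collision" retry policy are all assumptions made to illustrate the behaviour the thread describes. Real Windows DNS enforces ownership through LDAP ACLs on the dnsNode object; the model collapses that to a single owner field.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# RFC 2136 response codes, as strings. Constructed model only; this is not
# Windows DNS or Cisco CNR code.
NOERROR, NXDOMAIN, YXDOMAIN, REFUSED = "NOERROR", "NXDOMAIN", "YXDOMAIN", "REFUSED"


@dataclass
class Principal:
    """An authenticated (secure) updater. proxy_member models membership in the
    DnsUpdateProxy group: records such a member creates get no owner (assumption)."""
    name: str
    proxy_member: bool = False


@dataclass
class ARecord:
    name: str
    address: str
    owner: Optional[str]  # None = unsecured / unowned record


class Zone:
    """One A record per name; mode is 'secure' or 'nonsecure_and_secure'."""

    def __init__(self, mode: str = "nonsecure_and_secure") -> None:
        assert mode in ("secure", "nonsecure_and_secure")
        self.mode = mode
        self.records: Dict[str, ARecord] = {}

    def update(self, name: str, address: str, updater: Optional[Principal],
               prereq: Optional[str] = None) -> str:
        """Apply one dynamic update. updater=None is an unsigned (non-secure) update.
        prereq is None, 'name_not_in_use' or 'name_in_use' (RFC 2136 section 2.4)."""
        existing = self.records.get(name)
        # Prerequisites are evaluated before any authorization decision.
        if prereq == "name_not_in_use" and existing is not None:
            return YXDOMAIN
        if prereq == "name_in_use" and existing is None:
            return NXDOMAIN
        # A secure-only zone refuses unsigned updates outright.
        if updater is None and self.mode == "secure":
            return REFUSED
        # An owned (securely registered) record may only be changed by its owner,
        # even in a zone that also accepts non-secure updates.
        if existing is not None and existing.owner is not None:
            if updater is None or updater.name != existing.owner:
                return REFUSED
        # Unsigned updaters and proxy-group members leave the record unowned, so a
        # later machine can claim it; any other secure updater becomes the owner.
        owner = None if updater is None or updater.proxy_member else updater.name
        self.records[name] = ARecord(name, address, owner)
        return NOERROR


def register_lease(zone: Zone, hostname: str, address: str,
                   dhcp: Optional[Principal], max_suffix: int = 5) -> str:
    """Model of a DHCP server that requires the name to be free before adding it
    and, on YXDOMAIN, retries with a numeric suffix instead of replacing the
    record (the '-1' behaviour seen in the thread). Returns the name actually
    registered, or '' if an attempt was refused or the suffix budget ran out."""
    candidate = hostname
    for n in range(1, max_suffix + 2):
        rcode = zone.update(candidate, address, dhcp, prereq="name_not_in_use")
        if rcode == NOERROR:
            return candidate
        if rcode != YXDOMAIN:
            return ""
        candidate = f"{hostname}-{n}"
    return ""


if __name__ == "__main__":
    z = Zone("nonsecure_and_secure")
    # Constructed sample: two unsigned registrations of the same hostname.
    print(register_lease(z, "pc1", "10.0.0.11", None))  # pc1
    print(register_lease(z, "pc1", "10.0.0.12", None))  # pc1-1
    # Without the prerequisite, the unsecured record is simply overwritten.
    print(z.update("pc1", "10.0.0.12", None))           # NOERROR
```

Running the block reproduces the poster's symptom: the second unsigned registration lands as `pc1-1` because the server refuses to overwrite when the update carries a "name must not exist" prerequisite, while the same update without the prerequisite overwrites the unsecured record as expected. Adding a securely registered record to the model (a `Principal` that is not a proxy member) shows the other half of the picture: unsigned updates and updates from a different principal get REFUSED regardless of the zone's mixed mode, which is what the record permissions mentioned above enforce.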
 