Problem with Secure DDNS

  • Thread starter Thread starter Sunny
  • Start date Start date
S

Sunny

Hi all,

I have searched all over the web for some clues on this one but I am
getting nowhere. Here is my problem:

I have an AD integrated DNS zone which permits secure dynamic updates
only. Our clients use DHCP but register their own A and PTR records.
We have started to notice that some clients are failing to update and
refresh their own records and then when looking at the permissions on
these records I see instead of <computername>$ with full control on the
ACL we just see an unresolved SID value with full control.

It looks like somehow computer account SIDs are getting changed and
this is causing them to loose their permissions to update their DNS A
and PTR records. I can confirm 100% that these PCs are not being
renamed or removed and rejoined to the domain.

Deleting the A and PTR records fixes the problem as the client is then
able to create fresh records.

Any clues as to why this might be happening would be gratefully
received.

Cheers,
S
 
Sunny said:
Hi all,

I have searched all over the web for some clues on this one but I am
getting nowhere. Here is my problem:

I have an AD integrated DNS zone which permits secure dynamic updates
only. Our clients use DHCP but register their own A and PTR records.
We have started to notice that some clients are failing to update and
refresh their own records and then when looking at the permissions on
these records I see instead of <computername>$ with full control on
the ACL we just see an unresolved SID value with full control.

It looks like somehow computer account SIDs are getting changed and
this is causing them to loose their permissions to update their DNS A
and PTR records. I can confirm 100% that these PCs are not being
renamed or removed and rejoined to the domain.

Deleting the A and PTR records fixes the problem as the client is then
able to create fresh records.

Any clues as to why this might be happening would be gratefully
received.
Click to expand...


Is the Win2k3 DHCP, and was the account configured in DHCP to be used for
DNS updates deleted?
 
Hi Kevin,

We have Win2K3 DHCP servers with settings on the DNS tab as follows

Enable DNS dynamic updates according to settings below: = Checked
- Dynamically update DNS A and PTR records only if requested by the
DHCP clients = Checked

Discard A and PTR records when lease is deleted.= Checked

On the Advanced Tab the DNS dynamic updates registration credentials
are blank?? This would suggest to me that DHCP is not doing any DNS
updating on behalf of clients?
 
Sunny said:
Hi Kevin,

We have Win2K3 DHCP servers with settings on the DNS tab as follows

Enable DNS dynamic updates according to settings below: = Checked
- Dynamically update DNS A and PTR records only if requested by the
DHCP clients = Checked

Discard A and PTR records when lease is deleted.= Checked

On the Advanced Tab the DNS dynamic updates registration credentials
are blank?? This would suggest to me that DHCP is not doing any DNS
updating on behalf of clients?
Click to expand...

Assign a dedicated user account with a non-expiring password on the DHCP
server.
 
Back
Top