Microsoft Windows 2000 DNS: DnsUpdateProxy Group, Controlling Update Access to Zones and Names


however, can be changed through the registry.

Controlling Update Access to Zones and Names

Active Directory controls access to secure DNS zones, and to the names in them, through ACLs. An ACL can be set on an entire zone or modified for specific names. By default, any authenticated user can create A or PTR RRs in any zone. But once an owner name has been created (regardless of the record type), only the users or groups that the ACL for that name grants write permission can modify the records under that name. While this behaviour is desirable in most scenarios, some special situations need to be considered separately.

DnsUpdateProxy Group

As described in the “Mixed Environment” section of this paper, a DHCP server may be configured to dynamically register A and PTR records on behalf of down-level clients. In that situation the default secure-update configuration can leave stale records behind. The reason is that when a DHCP server performs a secure dynamic update on a name, the DHCP server becomes the owner of that name, and only that DHCP server can subsequently update it. This causes problems in a few circumstances. For example, suppose the DHCP server DHCP1 creates an object for the name myname.mycompany.com and then goes down, and the backup DHCP server, DHCP2, tries to update the name. DHCP2 cannot update the name because it does not own it. Similarly, suppose DHCP1 adds an object for the name myname.mycompany.com and the administrator then upgrades the myname.mycompany.com host to Windows 2000. Because the host does not own its own name, it cannot update it.

The solution to this problem is a new group, DnsUpdateProxy. Any object created by a member of this group is created with no security, and the first principal that is not a member of DnsUpdateProxy to touch the name becomes its owner. Thus, if every DHCP server that registers A records for down-level clients is a member of DnsUpdateProxy, the problem is eliminated. Membership of DnsUpdateProxy is configured through the Active Directory Users and Computers snap-in. At the same time, this solution opens a security hole: every DNS name registered by the computer running the DHCP server is non-secure, including the A record for the DHCP server's own name. The hole becomes more serious if a DHCP server that is a member of DnsUpdateProxy is installed on a domain controller, because all of the SRV, A and CNAME records that Netlogon registers for that DC are then non-secure. To avoid this, installing a DHCP server on a DC is not recommended. A further strong argument against running a DHCP server on a domain controller is that such a DHCP server has full control over all DNS objects stored in Active Directory, because the DHCP server runs under the computer account, which in this case is the domain controller's account.
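The two risks described above (a DNS node whose ACL leaves it writable by more principals than intended, and a domain controller sitting in DnsUpdateProxy or hosting DHCP) can be audited from a domain-joined workstation. The script below is an added example, not part of the white paper and not a Microsoft tool; it assumes the ActiveDirectory and DhcpServer PowerShell modules (RSAT on Windows Server 2008 R2 or later, not the Windows 2000 tooling the paper describes), and the zone name mycompany.com, host name myname and the DomainDnsZones partition path are placeholders you must adjust.

```powershell
# Added example (not from the white paper). Audits DnsUpdateProxy membership,
# DHCP-on-DC placement, and the ACL of one dnsNode object.
# Assumes RSAT ActiveDirectory module; DhcpServer module is optional.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$zone   = 'mycompany.com'   # placeholder zone name
$node   = 'myname'          # placeholder host name inside that zone

# 1. Every member of DnsUpdateProxy registers records with no security.
#    A domain controller in this group exposes its own Netlogon SRV/A/CNAME
#    records, which is exactly what the paper warns against.
'--- DnsUpdateProxy members ---'
foreach ($m in Get-ADGroupMember -Identity 'DnsUpdateProxy' -Recursive) {
    $flag = ''
    if ($m.objectClass -eq 'computer') {
        $c = Get-ADComputer -Identity $m.distinguishedName -Properties PrimaryGroupID
        # RID 516 = Domain Controllers primary group
        if ($c.PrimaryGroupID -eq 516) { $flag = '  <-- domain controller: not recommended' }
    }
    '{0,-30} {1}{2}' -f $m.SamAccountName, $m.objectClass, $flag
}

# 2. A DHCP server on a DC runs as the DC's computer account and so has full
#    control over every DNS object in AD. Requires the DhcpServer module.
if (Get-Command Get-DhcpServerInDC -ErrorAction SilentlyContinue) {
    '--- authorized DHCP servers that are domain controllers ---'
    $dcNames = (Get-ADDomainController -Filter *).HostName
    foreach ($s in Get-DhcpServerInDC) {
        if ($dcNames -contains $s.DnsName) {
            "DHCP on DC: $($s.DnsName) ($($s.IPAddress))"
        }
    }
}

# 3. Who owns, and who can write, one dnsNode object?
#    Path assumption: zone stored in the DomainDnsZones application partition
#    (Windows Server 2003+ default). Windows 2000 kept it under
#    CN=MicrosoftDNS,CN=System,<domain DN>; change $nodeDn accordingly.
$nodeDn = "DC=$node,DC=$zone,CN=MicrosoftDNS,DC=DomainDnsZones,$($domain.DistinguishedName)"
$acl    = Get-Acl -Path "AD:\$nodeDn"
"--- $node.$zone owner: $($acl.Owner) ---"
$write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ($_.ActiveDirectoryRights -band $write) } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
```

The WriteProperty bit test deliberately also matches GenericWrite and GenericAll, since both include that bit; an entry for Authenticated Users or Everyone in that list means the name is effectively unsecured, which is the state the DnsUpdateProxy mechanism produces for records a proxy member created and nobody else has touched yet.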

Windows 2000 White Paper

