Group: English: Windows Server » microsoft.public.windows.server.dns
Thread: Security permissions for DHCP registration credentials

Security permissions for DHCP registration credentials
Library Sysadmin 09.07.2007 20:28:03
Win2003 R2 x64 servers that serve as DCs, DNS, DHCP and WINS servers for the
domain. AD Integrated DNS set up, with Secure dynamic updates. DHCP
configuration is set up to always dynamically update DNS A and PTR records,
even for those clients that do not request it. We do this because we have
WinCE thin clients that do not update DNS on their own.

I've read through previous questions regarding DNSUpdateProxy group as well
as the KB article 816592.

If I've read the KB article correctly, in our situation we need to add the
two servers (Computer objects) as members of the DNSUpdateProxy group, which
I have done. However, this creates some form of security issue for which we
also need to create a user whose credentials can be entered in DHCP setup for
use when dynamically updating DNS. I have created a user and updated DHCP to
use this user's name/password/domain credentials.

However, dynamic DNS updates are still not occurring for our WinCE clients.
DHCP logs only show an entry with code 31 - DNS Update failed.

I see no mention in the KB article as to the Security permissions needed for
this user. Is this user also supposed to be a member of the DNSUpdateProxy
group?
What other groups (Domain Users, Domain Admins, DHCP Administrators, DHCP
Users, DnsAdmins)? What security permissions are needed by this user (Read,
Write, Modify, Full Control), and over what?

TIA
Rick
Re: Security permissions for DHCP registration credentials
"Kevin D. Goodknecht Sr. [MVP]" <admin[ at ]nospam.WFTX.US> 10.07.2007 16:27:06
Read inline please.


You probably need to create a new dedicated user account with a non-expiring
password, and assign those user credentials on the Advanced tab of all DHCP
servers.
This account need not have any special privileges or group memberships, but
you should give it a long, complex password phrase, with numbers, spaces and
upper- and lower-case letters, since it does not expire. Something in the 15
to 18 character range should be good.



--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================


Re: Security permissions for DHCP registration credentials
Library Sysadmin 10.07.2007 17:52:06
Kevin,

Thanks for the response.
As stated in the original post, however, I added a dedicated user and set up
DHCP to use this new user's credentials. However, dynamic DNS updates are
not occurring.

Rick

RE: Security permissions for DHCP registration credentials
Library Sysadmin 11.07.2007 20:06:04
Update on this.

I added the new user to the DNSUpdateProxy global security group. The DHCP
logs now start showing some successful registrations, while some are still
failures.

What I think is going on at this point is that the registration is
successful if there is no existing DNS record. The new DHCP credential user
doesn't have rights to change an existing registration, since it wasn't the
original owner. One note here, though, the successful registrations show up
in AD, but aren't being seen in dnsmgmt.msc.

So, I'm still back to my original question - what security permissions does
this DHCP-credential user have to have? Should it be included in DNS Admins
global Security Group, or any others?

TIA
Rick
Re: Security permissions for DHCP registration credentials
"Kevin D. Goodknecht Sr. [MVP]" <admin[ at ]nospam.WFTX.US> 12.07.2007 04:55:02
Read inline please.


As I said, the user needs no special group memberships, but it cannot update
records it does not own. Neither the server nor the account needs to be in
the DNSUpdateProxy group. There are situations where I have made the user a
member of the Domain Guests group only and updates worked just fine. It is an
ownership issue; you may have to delete existing records and renew the IP
address.





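An added diagnostic for the ownership problem Rick describes in his update and Kevin confirms above (example code written for this page, not from either poster or from Microsoft): it walks the dnsNode objects of an AD-integrated zone, reads each record's security descriptor owner, and reports the records the DHCP credential account can neither own nor write, which are the ones a forced DHCP update will fail on with event 31. It assumes the ActiveDirectory PowerShell module (AD: drive) and uses placeholder zone and account names; the write check is simplified to an explicit WriteProperty allow ACE.

```powershell
# Added example, not from the thread: find DNS records the DHCP credential
# account cannot update because another principal owns them.
Import-Module ActiveDirectory

$ZoneName = 'corp.example'          # placeholder: your AD-integrated forward zone
$DhcpUser = 'CORP\svc-dhcpdns'      # placeholder: account entered on the DHCP "Advanced" tab
$DomainDN = (Get-ADDomain).DistinguishedName

# An AD-integrated zone lives in one of these partitions, depending on its
# replication scope (assumption: domain and forest root share $DomainDN).
$Candidates = @(
    "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN",
    "DC=$ZoneName,CN=MicrosoftDNS,DC=ForestDnsZones,$DomainDN",
    "DC=$ZoneName,CN=MicrosoftDNS,CN=System,$DomainDN"
)
$ZoneDN = $Candidates | Where-Object { Test-Path "AD:\$_" } | Select-Object -First 1
if (-not $ZoneDN) { throw "Zone '$ZoneName' not found in any DNS partition" }

$WriteProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Each dnsNode is one host name. With secure dynamic update, the owner of the
# object is the principal that first registered it: the client's own computer
# account, or the DHCP credential account when the DHCP server registered it.
$Report = foreach ($node in Get-ADObject -SearchBase $ZoneDN `
                                         -LDAPFilter '(objectClass=dnsNode)' `
                                         -Properties dNSTombstoned) {
    if ($node.dNSTombstoned) { continue }   # skip records already deleted (tombstoned)

    $acl = Get-Acl -Path "AD:\$($node.DistinguishedName)"
    $explicitWrite = $acl.Access | Where-Object {
        $_.IdentityReference -eq $DhcpUser -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $WriteProp) -eq $WriteProp)
    }

    [pscustomobject]@{
        Host          = $node.Name
        Owner         = $acl.Owner
        DhcpCanUpdate = [bool]($acl.Owner -eq $DhcpUser -or $explicitWrite)
    }
}

# Records the DHCP account cannot touch: these are the hosts whose existing
# registration has to be removed (or re-owned) before "delete and renew" works.
$Report | Where-Object { -not $_.DhcpCanUpdate } | Sort-Object Host |
    Format-Table Host, Owner -AutoSize
```

Run it as an account that can read the zone's security descriptors (a DnsAdmins member is enough); the DHCP credential account itself needs no rights beyond what Kevin describes.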