> Hi all,
>
> This is a pretty long-winded post, but please bear with me. I would
> really appreciate it if anyone who considers themselves a DNS expert took a
> good look at this post. If I can get a concise answer or suggestion it
> would be GREATLY appreciated.
>
> I noticed a peculiarity while testing DNS in the lab. This looks like
> everything is working essentially as designed, but it's just VERY
> different from what I would expect. Check [1] for the actual steps
> performed.
>
> What I'm seeing is that on AD integrated DNS running on w2k3 R2 SP1
> (DNS.EXE v5.2.3790.1830), if I have Secure Updates Only enabled on the
> zone, I can only update the records if the Authenticated Users group has write
> access. The key here is the Authenticated Users group. If I add a computer
> to the DNS-Test group and give this group full control over that computer's A
> record, the dynamic update will not happen. Only if the Authenticated Users
> group has write access will the record update.
>
> Another peculiarity is the importance of the READ permission for the
> Authenticated Users group.
>
> If the A record is set with default permissions and Authenticated Users
> has elevated permissions set [2], after the client successfully updates
> the record, the client is added to the ACE with WRITE permissions and the
> Authenticated Users permissions get reset. While I don't see anything
> strange with adding the client to the ACE so it can modify the record,
> the automatic changing of explicitly assigned permissions by the system is
> interesting, at least. If Authenticated Users has WRITE permissions but not
> READ permissions, the record will be updated, but no permission changes
> described here will occur.
>
> What is VERY peculiar in this example is that it seems that when the
> Authenticated Users group has READ and WRITE permissions on a record, the DNS
> server removes and recreates the record (or at least fully resets the
> permissions to default) and adds the PC to the record's ACE, essentially fully
> resetting the record as if it was just created. If, however, READ
> permissions are removed from Authenticated Users and only WRITE is set,
> the record will be dynamically updated by the PC but no reset of
> permissions will occur.
>
> Also, as I have mentioned above, a PC's membership in any group with
> WRITE (or higher, or any) permissions on the record other than
> Authenticated Users will NOT allow dynamic update at all.
>
> I am looking for an article or any information on how exactly this was
> meant to work, specifically the Authenticated Users group dependency for being
> able to dynamically update records. Also, if someone could try this in
> their lab and let me know the results, I would appreciate it. Perhaps this
> can be found somewhere on MSDN, but I was unsuccessful in locating a
> description of how this should work.
>
> [1]
> To replicate this scenario I did the following:
> 1. Set DNS to AD integrated and Secure Updates Only.
> 2. Dynamically register a DNS record for a PC. (ipconfig /registerdns)
> 3. Modify the security settings of the A record dynamically registered in
> step 2. (Remove the PC's ACE from the record.)
> 4. Change the IP on the record to something different and verify that the PC is
> no longer able to modify its record. (Run ipconfig /registerdns from the PC.)
> 5. Add the PC to any group (DNS-Test) and give this group Full Control
> permissions on the PC's A record.
> 6. Run ipconfig /registerdns from the PC and verify that the PC still cannot
> update its record. (If this works differently for you, it means that my
> lab is bad somehow.)
> 7. Modify the record's ACE to give Authenticated Users READ and WRITE
> access. (Or use the DSACLS command. You can also add any number of other groups
> and users to the record's permissions just to see them disappear in the next
> step.)
> 8. Run ipconfig /registerdns from the PC again and notice the record
> being fully reset, with the PC being added to the record's ACE.
>
>
> [2]
> For this to work I used the DSACLS command to set the record to the
> following permissions (CCRCWSWP):
> CC - Create Child Object
> RC - Read security information
> WS - Write to self object
> WP - Write property
> For the purposes of demonstrating this effect, clicking the READ and WRITE
> checkboxes in the GUI will do the same. (The DSACLS example command was found
> at http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/03.aspx)
> Best regards,
>
> Daniel Shlyam | Infrastructure Architect
> Avanade Inc
> im: danielsh[ at ]avanade.com
>
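For anyone who wants to repeat the steps in [1] and compare results, the following PowerShell is an added example (not part of the original post, and not Microsoft's tooling): it reads the ACL of the dnsNode object behind an A record and reports whether Authenticated Users and the computer account hold read or write rights, so the "before" and "after" of each step can be diffed rather than eyeballed in the GUI. It assumes the zone is stored in the DomainDnsZones application partition, that it is run from a domain member with permission to read the dnsNode object, and that the host, zone, domain and NetBIOS names shown (pc01, lab.example.com, LAB) are hypothetical lab values you replace with your own.

```powershell
# Added example, not from the original post. Reads the ACL of an AD-integrated
# DNS record (dnsNode object) via ADSI so each step in [1] can be compared.
# Assumption: the zone is stored in the DomainDnsZones partition; for other
# replication scopes adjust the partition part of the DN.

function Get-DnsNodeAcl {
    param(
        [Parameter(Mandatory = $true)] [string]$HostName,   # e.g. "pc01" (hypothetical)
        [Parameter(Mandatory = $true)] [string]$ZoneName,   # e.g. "lab.example.com" (hypothetical)
        [Parameter(Mandatory = $true)] [string]$DomainDn    # e.g. "DC=lab,DC=example,DC=com" (hypothetical)
    )

    # dnsNode objects of a domain-replicated zone live under CN=MicrosoftDNS in DomainDnsZones.
    $dn   = "DC=$HostName,DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDn"
    $node = [ADSI]"LDAP://$dn"
    try { $null = $node.Guid }   # forces the bind so a missing object fails here, not later
    catch { throw "dnsNode not found or not readable: $dn" }

    # Explicit and inherited ACEs, with identities resolved to DOMAIN\name form.
    $node.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        ForEach-Object {
            [pscustomobject]@{
                Identity  = $_.IdentityReference.Value
                Type      = $_.AccessControlType
                Rights    = $_.ActiveDirectoryRights
                Inherited = $_.IsInherited
            }
        }
}

function Test-DynamicUpdateRights {
    param(
        [Parameter(Mandatory = $true)] [string]$HostName,
        [Parameter(Mandatory = $true)] [string]$ZoneName,
        [Parameter(Mandatory = $true)] [string]$DomainDn,
        [Parameter(Mandatory = $true)] [string]$NetbiosDomain   # e.g. "LAB" (hypothetical)
    )
    $acl = Get-DnsNodeAcl -HostName $HostName -ZoneName $ZoneName -DomainDn $DomainDn

    # Rights that allow modifying the record's attributes, and rights that allow reading them.
    $writeMask = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $readMask  = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
                 [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    $authUsers = $acl | Where-Object {
        $_.Identity -eq 'NT AUTHORITY\Authenticated Users' -and $_.Type -eq 'Allow'
    }
    # The computer account is DOMAIN\HOSTNAME$ (trailing dollar sign).
    $computer  = $acl | Where-Object {
        $_.Identity -eq "$NetbiosDomain\$HostName`$" -and $_.Type -eq 'Allow'
    }

    # True when any ACE in the set grants at least one bit of the mask.
    $has = { param($aces, $mask)
        [bool]($aces | Where-Object { ([int]($_.Rights -band $mask)) -ne 0 }) }

    [pscustomobject]@{
        Record                  = "$HostName.$ZoneName"
        AuthenticatedUsersRead  = & $has $authUsers $readMask
        AuthenticatedUsersWrite = & $has $authUsers $writeMask
        ComputerAccountWrite    = & $has $computer  $writeMask
        ExplicitAceCount        = @($acl | Where-Object { -not $_.Inherited }).Count
        Aces                    = $acl
    }
}

# Usage with hypothetical lab names: run this, run "ipconfig /registerdns" on pc01,
# then run it again and compare the two outputs (Aces lists every ACE in full).
Test-DynamicUpdateRights -HostName 'pc01' -ZoneName 'lab.example.com' `
    -DomainDn 'DC=lab,DC=example,DC=com' -NetbiosDomain 'LAB' | Format-List
```

The script only reports what is on the object; it makes no change and asserts nothing about how the server decides to accept an update. Capturing its output after steps 3, 5 and 7 of [1], and again after each ipconfig /registerdns, gives you the concrete ACE lists to attach if you post your own lab results.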