You shouldn't make the DHCP server a member of the DNSUPDATEPROXY group in
Windows Server 2003 because of a new feature available. In Windows Server
2003, the DHCP server can operate under the context of a dedicated user
account to update the DNS database. You configure this account within the
DHCP management console.
Description of How DHCP Integrates Dynamic DNS
http://support.microsoft.com/?kbid=191290
Q1) In DHCP If I have the box ticked "Always Dynamically Update A & PTR
Records", surely the A record will fail to register as it will not be the
owner of the A record, the XP client is. Is this correct?
In this modified-from-default scenario, the DHCP server should update both
records successfully on behalf of the client since it is a member of the
DNSUPDATEPROXY group. Why don't you test it?
Q2) If I also have "Discard A & PTR Records When Lease Is Deleted" ticked, will
the DHCP Server have authorization to remove the A record, as once again it
belongs to the XP client?
When the DHCP server is a member of the DnsUpdateProxy group, the PTR record
that it updated for the client has no security, which allows Authenticated
Users to write to (update) the record. The good part of this from an
engineering perspective is that it prevents any records the DHCP server updated on
behalf of clients from being locked if the DHCP server were to fail or if the
clients were upgraded from an older OS to Windows 2000 or above. This also
allows other DHCP servers, or the upgraded clients, to update their records.
I think most people misconstrue the bad part about this from a security
perspective, which is detailed under KB 816592.
--
Todd J Heron, MCSE
Windows Server 2003/2000/NT
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights
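The configuration the post recommends (a dedicated DNS update account instead of DnsUpdateProxy membership, with the "always update" and "discard on lease deletion" options from Q1 and Q2), as an added example that is not from the post. It assumes the DhcpServer and ActiveDirectory PowerShell modules on a current Windows Server (in Windows Server 2003 the same settings are made in the DHCP console, as the post says); DHCP01 and CONTOSO\svc-dhcp-dns are placeholder names.

```powershell
# Added example (not from the post). Assumes the DhcpServer and ActiveDirectory
# modules on a current Windows Server; DHCP01 and CONTOSO\svc-dhcp-dns are
# placeholders for your DHCP server and dedicated update account.
$DhcpServer = 'DHCP01'

# 1. Register DNS updates under a dedicated, low-privilege account rather than
#    the DHCP server's own computer account.
$Cred = Get-Credential -UserName 'CONTOSO\svc-dhcp-dns' -Message 'Dedicated DNS update account'
Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $Cred

# 2. Always update A and PTR records on behalf of clients and remove them when
#    the lease is deleted (the two options asked about in Q1 and Q2).
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer `
    -DynamicUpdates Always `
    -DeleteDnsRRonLeaseExpiry $true `
    -UpdateDnsRRForOlderClients $true

# 3. Verify the DHCP server's computer account is NOT in DnsUpdateProxy;
#    membership there is what leaves the records it registers unsecured and
#    writable by Authenticated Users (the security caveat the post raises).
$proxyMembers = Get-ADGroupMember -Identity 'DnsUpdateProxy' |
    Select-Object -ExpandProperty SamAccountName
if ($proxyMembers -contains "$DhcpServer`$") {
    Write-Warning "$DhcpServer is still a member of DnsUpdateProxy; remove it with:"
    Write-Warning "  Remove-ADGroupMember -Identity DnsUpdateProxy -Members '$DhcpServer`$'"
}

# 4. Show the resulting configuration for review.
Get-DhcpServerDnsCredential -ComputerName $DhcpServer
Get-DhcpServerv4DnsSetting  -ComputerName $DhcpServer
```

The dedicated account only needs the right to create and modify records in the relevant zones; records it registers are then owned by that account rather than being left open to all authenticated users.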