Windows Vista Tips


Restricting secure ddns to specific hosts

 
 
Bjarne

 
      06-27-2009

Windows 2003, AD environment, Windows 2003 DNS server.

In our AD environment, all servers and workstations which are authenticated
add themselves to DNS in the forward zones via secure DDNS, but we do not
want any of them to update the PTR records in the reverse zones.

On the other hand, we have a dns management tool on a specific server which
controls the AD DNS using ddns.

Is there any way to restrict secure DDNS updates to a few hosts/IP addresses
on a zone basis, so only our management station can use secure DDNS on our
reverse zones, and DDNS on the reverse zones from everybody else is
ignored?


Regards
Bjarne
 
 
 
 
 
Chris Dent

 
      06-27-2009

It should be possible to do that by removing the Authenticated Users
"create" right on the DNS zone.

If the management station updates based on specific credentials, or with
its computer account, you would have to add that back in.

Chris

"Bjarne" <> wrote in message
news:%...
> Windows 2003, AD environment, Windows 2003 DNS server.
>
> In our AD environment, all servers and workstations which are
> authenticated,
> add themselves to dns in the forward zones via secure ddns, but we do not
> want any of them to update the PTR records in the reverse zones.
>
> On the other hand, we have a dns management tool on a specific server
> which
> controls the AD DNS using ddns.
>
> Are there any way to restrict secure ddns update to a few hosts/ip
> addresses
> on a zonebasis, so only our management station can use secure ddns on our
> reverse zones, and ddns on the reverse zones from everybody else is
> ignored ?
>
>
> Regards
> Bjarne


 
 
Ace Fekay [Microsoft Certified Trainer]

 
      06-27-2009

"Chris Dent" <> wrote in message
news:062B61BE-0EBF-48CE-B4E2-...
> It should be possible to do that by removing the Authenticated Users
> "create" right on the DNS zone.
>
> If the management station updates based on specific credentials, or with
> its computer account you would have to add that back in.
>
> Chris


Good thought, Chris.

Or possibly simply disable dynamic updates and manually enter the required
PTR entries.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup/forum to benefit from collaboration among
responding engineers, as well as to help others benefit from your
resolution.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer

http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.



 
 
Chris Dent

 
      06-27-2009


If you do opt for the manual method and what needs to be added is in an
accessible place, it can be easily scripted.

Chris

"Ace Fekay [Microsoft Certified Trainer]" <>
wrote in message news:...
> "Chris Dent" <> wrote in message
> news:062B61BE-0EBF-48CE-B4E2-...
>> It should be possible to do that by removing the Authenticated Users
>> "create" right on the DNS zone.
>>
>> If the management station updates based on specific credentials, or with
>> its computer account you would have to add that back in.
>>
>> Chris

>
> Good thought, Chris.
>
> Or possibly simply disable dynamic updates and manually enter the required
> PTR entries.
>
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Please reply back to the newsgroup/forum to benefit from collaboration
> among responding engineers, as well as to help others benefit from your
> resolution.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
> Microsoft Certified Trainer
>
> http://twitter.com/acefekay
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
>
>


 
 
Ace Fekay [Microsoft Certified Trainer]

 
      06-28-2009

"Chris Dent" <> wrote in message
news:F13B76E5-0E03-4F87-A7FF-...
>
> If you do opt for the manual method and what needs to be added is in
> an accessible place, it can be easily scripted.
>
> Chris
>


Good point, such as using dnscmd. :-)

Ace

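The scripted approach Chris and Ace describe above, written out as an added example (this is not code from the thread or from either poster): a small PowerShell wrapper around dnscmd that keeps a reverse zone in step with a host inventory while dynamic updates stay disabled on that zone. The server name, zone, host names and addresses are constructed placeholders; in practice the `$hosts` rows would come from the management tool's export (for example `Import-Csv`).

```powershell
# Added example (not from the thread): bulk-maintain PTR records with dnscmd
# from a host list, so the reverse zone stays current with dynamic updates
# switched off. Server, zone and host names are constructed placeholders.

$DnsServer = 'dc1.corp.example'       # DNS server to administer (constructed)

# Inventory rows: read these from your management tool's export in real use
# (e.g. Import-Csv hosts.csv); embedded here as constructed sample data.
$hosts = @(
    New-Object PSObject -Property @{ Name = 'ws01.corp.example';  IP = '192.168.1.10' }
    New-Object PSObject -Property @{ Name = 'srv01.corp.example'; IP = '192.168.1.20' }
)

function ConvertTo-PtrNode {
    # 192.168.1.10 -> zone 1.168.192.in-addr.arpa, node 10 (/24 style reverse zones)
    param([string]$Ip)
    $o = $Ip.Split('.')
    if ($o.Count -ne 4) { throw "Not an IPv4 address: $Ip" }
    New-Object PSObject -Property @{
        Zone = "$($o[2]).$($o[1]).$($o[0]).in-addr.arpa"
        Node = $o[3]
    }
}

function Set-PtrRecord {
    param([string]$Server, [string]$Fqdn, [string]$Ip)
    $p      = ConvertTo-PtrNode $Ip
    $target = $Fqdn.TrimEnd('.') + '.'    # dnscmd expects an absolute name

    # Idempotent: inspect the node before touching it, so re-runs are safe.
    $current = & dnscmd $Server /EnumRecords $p.Zone $p.Node /Type PTR 2>&1 | Out-String
    if ($current -match "PTR\s+$([regex]::Escape($target))") {
        Write-Host "unchanged $Ip -> $target"
        return
    }
    if ($current -match 'PTR\s+') {
        # A pointer to some other name is stale: remove it before adding ours.
        & dnscmd $Server /RecordDelete $p.Zone $p.Node PTR /f | Out-Null
    }
    & dnscmd $Server /RecordAdd $p.Zone $p.Node PTR $target | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dnscmd /RecordAdd failed for $Ip (exit $LASTEXITCODE)" }
    Write-Host "added    $Ip -> $target"
}

foreach ($h in $hosts) { Set-PtrRecord -Server $DnsServer -Fqdn $h.Name -Ip $h.IP }
```

Because the zone no longer accepts dynamic updates, the inventory becomes the single source of truth for the reverse zone: anything a workstation could have registered on its own is simply refused, and only the account running this script (which needs administrative rights on the DNS server for dnscmd) can change PTRs.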
 
 
Bjarne

 
      06-28-2009

Chris Dent wrote:

> It should be possible to do that by removing the Authenticated Users
> "create" right on the DNS zone.
>
> If the management station updates based on specific credentials, or with
> its computer account you would have to add that back in.
>
> Chris
>
> "Bjarne" <> wrote in message
> news:%...
>> Windows 2003, AD environment, Windows 2003 DNS server.

>;snip


Hm, I actually already tried that, without success. According to documents
from TechNet, the security settings in Properties only cover who is
allowed to "manage" the zone and say nothing about dynamic updates.

thanks for your thoughts.

Regards,
Bjarne
 
 
Bjarne

 
      06-28-2009

Ace Fekay [Microsoft Certified Trainer] wrote:

> "Chris Dent" <> wrote in message
> news:062B61BE-0EBF-48CE-B4E2-...
>> It should be possible to do that by removing the Authenticated Users
>> "create" right on the DNS zone.
>>
>> If the management station updates based on specific credentials, or with
>> its computer account you would have to add that back in.
>>
>> Chris

>
> Good thought, Chris.
>
> Or possibly simply disable dynamic updates and manually enter the required
> PTR entries.
>
>

Yes, we have done it this way until now, but the point is that we want to
manage the reverse zone from our management station, which uses DDNS to
update the DNS, but we do not want any workstations/servers to overwrite
the reverse zones.

Regards,
Bjarne

 
 
Chris Dent

 
      06-28-2009


That's not true. The clients can only create records if they have permission
(provided only secure updates are permitted); the same applies for updating
records (depending on the source of the update).

There is a possibility that it would run into problems if (MS) DHCP were
updating on a client's behalf, and DHCP were running on a Domain Controller.
The update would be performed with the credentials of the DC (unless you
told it otherwise), which would be covered by the Enterprise Domain
Controllers' Full Control right on the zone.

And, of course, if the records already exist the right isn't required, the
system will have explicit rights over the already created record.

It works in my tests anyway. When attempting to update a zone which has
the Authenticated Users right removed, I get a message from DNSAPI (in the
event log) stating that the update was refused. Reinstate the right and
registration is permitted once more.

Chris


"Bjarne" <> wrote in message
news:...
> Chris Dent wrote:
>
>> It should be possible to do that by removing the Authenticated Users
>> "create" right on the DNS zone.
>>
>> If the management station updates based on specific credentials, or with
>> its computer account you would have to add that back in.
>>
>> Chris
>>
>> "Bjarne" <> wrote in message
>> news:%...
>>> Windows 2003, AD environment, Windows 2003 DNS server.

>>;snip

>
> Hm, I actually already tried that, without success. According to
> documents
> from technet, the security settings in properties only covers who are
> allowed to "manage" the zone and nothing about dynamic updates.
>
> thanks for your thoughts.
>
> Regards,
> Bjarne


 
 
Ace Fekay [Microsoft Certified Trainer]

 
      06-28-2009

"Bjarne" <> wrote in message
news:%...
>
> Yes, we have done it this way until now, but the point is that we want to
> manage the reverse zone from our management station, which uses DDNS to
> update the DNS, but we do not want any workstations/servers to overwrite
> the reverse zones.
>
> Regards,
> Bjarne



Well, workstations and servers won't overwrite anything in the zone, and
neither will DHCP (if configured correctly to update existing records), other
than their own records when their IP changes when they acquire a new IP
configuration.

Are you saying that something is overwriting existing records with incorrect
information? What kind of issue are you seeing that something is being
overwritten?

Ace



 
 
Bjarne

 
      06-28-2009

Chris Dent wrote:

>
> That's not true. The clients can only create records if they have
> permission (provided only secure updates are permitted), same applies for
> updating records (depending on the source of the update).
>
> There is a possibility that it would run into problems if (MS) DHCP were
> updating on a clients behalf, and DHCP were running on a Domain
> Controller. The update would be performed with the credentials of the DC
> (unless you told it otherwise) which would be covered by the Enterprise
> Domain Controllers; Full Control right on the zone.
>
> And, of course, if the records already exist the right isn't required, the
> system will have explicit rights over the already created record.
>
> It works in my tests anyway When attempting to update a zone which has
> the authenticated users right removed I get a message from DNSAPI (in the
> event log) stating that the update was refused. Reinstate the right and
> registration is permitted once more.
>
> Chris
>
>

OK, sounds good.
The DHCP servers do not update the DNS, but on second thought, the AD
consists of three servers and I only changed the zone permissions on one
DNS server. It sounds like I will have to do some more testing. If this
works, that would really be great.

Thanks a lot for your input.

Regards,
Bjarne

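Two things in the exchange above are worth checking with a script rather than by eye: Chris's point that removing the Authenticated Users "create" right only blocks new records (accounts that already registered a node keep explicit rights on it), and Bjarne's observation that he changed the permission on only one of three DNS servers. For an AD-integrated zone the ACL lives on the dnsZone object in the directory and reaches the other DCs only through AD replication, so each DC should be checked. The following PowerShell is an added example, not code from the thread or from any poster; it uses plain .NET DirectoryServices (no AD module), and the zone name, domain DN and partition (DomainDnsZones) are constructed assumptions to adjust for your environment.

```powershell
# Added example (not from the thread): audit the dynamic-update ACL of an
# AD-integrated reverse zone on every domain controller, then list who owns
# the existing records. Zone and domain names are constructed placeholders;
# the zone is assumed to replicate in the DomainDnsZones partition.

$Zone      = '1.168.192.in-addr.arpa'              # reverse zone under review (constructed)
$DomainDn  = 'DC=corp,DC=example'                   # AD domain DN (constructed)
$ZoneDn    = "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDn"
$Principal = 'NT AUTHORITY\Authenticated Users'

# Each DC keeps its own replica of the dnsZone object, so a permission change
# made on one DNS server applies elsewhere only after replication converges.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcs    = $domain.DomainControllers | ForEach-Object { $_.Name }

function Get-ZoneCreateRights {
    param([string]$Server, [string]$Dn)
    $zone  = [ADSI]"LDAP://$Server/$Dn"
    $rules = $zone.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.NTAccount])
    # "Create all child objects" on the dnsZone is what allows a caller to add
    # a brand-new dnsNode, i.e. to register a record that does not exist yet.
    $rules | Where-Object {
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -and
        $_.AccessControlType -eq 'Allow'
    } | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

foreach ($dc in $dcs) {
    Write-Host "== $dc : $Zone =="
    $create    = Get-ZoneCreateRights -Server $dc -Dn $ZoneDn
    $authUsers = $create | Where-Object { $_.IdentityReference.Value -eq $Principal }
    if ($authUsers) {
        Write-Host "  Authenticated Users can still CREATE records on this replica."
    } else {
        Write-Host "  Authenticated Users has no Create right here; new registrations from members will be refused."
    }
    $create | Format-Table -AutoSize
}

# Removing the Create right does not touch records that already exist: the
# account that registered a node owns it and keeps explicit rights on it.
# Listing owners shows which PTRs must be re-created under the management
# account before the old registrants lose interest in them.
$zoneObj = [ADSI]"LDAP://$ZoneDn"
$zoneObj.psbase.Children | ForEach-Object {
    $node  = $_
    $owner = $node.psbase.ObjectSecurity.GetOwner([System.Security.Principal.NTAccount])
    New-Object PSObject -Property @{
        Record = $node.psbase.Name
        Owner  = $owner.Value
    }
} | Sort-Object Owner | Format-Table -AutoSize
```

Run it once after editing the zone security and again after a replication interval: if the first loop reports the Create right still present on some DCs, that explains a client registration that "should" have been refused. The owner listing at the end is the part that matters for the original question: a PTR that a workstation registered before the change will still be updatable by that workstation until it is deleted and re-created by the management station.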
 