
DNS ACL Permissions

Question

Monday, April 8, 2019 4:51 PM

I have a question regarding DNS ACL permissions.

First off, I have followed the suggestions in Ace’s blog (among others) regarding AD integrated DNS zones with Secure Only updates.  I have a win 2012 and 2016 DNS/DHCP server environment.

  • DHCP credentials have been configured on each DHCP server
  • Added all DHCP servers to the “DnsUpdateProxy” security group
  • Secured the DCs that are running DHCP with command - dnscmd /config /OpenAclOnProxyUpdates 0
  • Configured scavenging – which is working well with the set lease durations

DNS A Records were originally owned by the computer account.  Since making the changes above, any new records are owned by the DHCPupdate account configured on each DHCP server – which is a plain AD user account.

My question is, what permissions should the DNS host A records have with this configuration? 

The new DNS records owned by the DHCPupdate account only give the account read/write permissions – not Full Control. 

Inheritance is enabled on the Records but some Forward lookup Zone permissions aren’t applied to the Host A records below:

  • System
  • Everyone
  • Domain admins

  1. Should the System account have permissions on the DNS A records?
  2. Should the account configured on the DHCP servers for Dynamic Update Registration (the current owner) have Full Control or just Read/Write permissions on the DNS A Records?

Any help here would be appreciated.
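To see exactly which records carry which security descriptor, the following added PowerShell audit (not code from the thread or from Microsoft's documentation) walks every dynamically registered A record in the zone and reports its owner, whether the SYSTEM and Everyone entries are present, and which ACEs are set explicitly on the record rather than inherited from the zone. It assumes the DnsServer and ActiveDirectory RSAT modules are installed, that the zone replicates to the DomainDnsZones partition (adjust $ZoneDn for ForestDnsZones or the legacy CN=System container), and that the zone and server names are placeholders to be replaced.

```powershell
# Added example: audit the security descriptor of each dynamic A record in an AD-integrated zone.
# Assumptions: RSAT DnsServer + ActiveDirectory modules; zone stored in the DomainDnsZones partition.
Import-Module DnsServer
Import-Module ActiveDirectory

$ZoneName  = 'corp.example.com'          # placeholder zone name
$DnsServer = 'dc01.corp.example.com'     # placeholder DNS server to query
$DomainDn  = (Get-ADDomain).DistinguishedName
# Container that holds the zone's dnsNode objects (DomainDnsZones replication scope is an assumption)
$ZoneDn    = "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDn"

# Dynamic records carry a timestamp; static records (Timestamp empty) and the zone root ('@') are skipped
$records = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType A |
    Where-Object { $_.HostName -ne '@' -and $_.Timestamp }

$report = foreach ($rr in $records) {
    $nodeDn = "DC=$($rr.HostName),$ZoneDn"
    try   { $acl = Get-Acl -Path "AD:\$nodeDn" }   # read the dnsNode security descriptor via the AD: drive
    catch { continue }                               # node not found or not readable: skip it

    $identities = $acl.Access | ForEach-Object { $_.IdentityReference.Value }
    [pscustomobject]@{
        Host         = $rr.HostName
        Owner        = $acl.Owner
        HasSystem    = $identities -contains 'NT AUTHORITY\SYSTEM'
        HasEveryone  = $identities -contains 'Everyone'
        # Explicit (non-inherited) ACEs are where per-record differences show up
        ExplicitAces = ($acl.Access | Where-Object { -not $_.IsInherited } |
            ForEach-Object { "$($_.IdentityReference)=$($_.ActiveDirectoryRights)" }) -join '; '
    }
}

# Records with HasSystem or HasEveryone = False, or an owner other than the DHCP credential account,
# are the ones whose descriptor predates the configuration change
$report | Sort-Object HasSystem, Owner | Format-Table -AutoSize
```

Run it from a host with RSAT against one DNS server per replication scope; the ACEs come from the directory object, so any domain controller returns the same answer. The Owner column is the quickest way to separate records created by the computer account from those created by the DHCP credential account.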

All replies (9)

Tuesday, April 9, 2019 9:42 AM

Hello YardFlex,

Thank you for posting in this forum.

In fact, I really don't know how to answer you.

The configuration you have made is correct. These permission settings are generated by default after these configurations are completed.

It is not recommended to modify it because these behaviors are by design.

Best Regards,

Leon

Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Tuesday, April 9, 2019 12:45 PM

Thanks for your reply.

I ask because any new computers that obtain a DHCP lease and are registered into DNS by the DHCPupdate account give Full Control to this account as well as to the System account.  The Everyone group is given Read access. 

Only DNS records that existed before I made the DHCP/DNS configuration changes give the DHCPUpdate account Read/Write (not Full control) and do not include the System or Everyone permissions.

Will these old DNS records get replaced/updated, or would I need to delete all DHCP leases and DNS records to get the permissions to be uniform for all?

Thanks,

Yard


Wednesday, April 10, 2019 3:07 AM

Hello Yard,

You don't need to do anything.

You have enabled dynamic update and aging/scavenging on the DNS server. If the DHCP server and the DNS server do not go wrong, then they will coordinate work, automatically update the records and delete stale records.

Best Regards,

Leon



Friday, April 12, 2019 9:17 AM

Hi,

Just checking in to see if the information provided was helpful. 
Please let us know if you would like further assistance.

Best Regards,
Leon



Friday, April 12, 2019 5:38 PM

Thanks again for your assistance.

The DNS A records that were existing prior to the DHCP/DNS config changes are still owned by the computer account and continue to be updated.  I assumed the existing DNS records would be updated to have the DHCPUser account as the owner not the computer account or be scavenged and new A records created with the account as the owner?

I also find that PTR records are not being registered in sites where the DHCP servers are not DCs.  These DNS servers are also Read Only.  Only in sites where the DHCP servers are also DCs are the PTR records registered.  Any idea why these are not registering?

Do I need to Secure the DHCP servers that are not DCs with command below as well as DCs?

dnscmd /config /OpenAclOnProxyUpdates 0

Thanks again,

Yard
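Because dnscmd /config acts on a DNS server, OpenAclOnProxyUpdates is a setting of each DNS server, not of the DHCP service, so the useful check is to read it from every DNS server and, separately, confirm each DHCP server's registration credential and DnsUpdateProxy membership. The following added PowerShell (not from the thread) does that for a list of placeholder server names; it assumes the DhcpServer, DnsServer and ActiveDirectory RSAT modules are installed and that Get-DnsServerSetting -All exposes the setting under the same name dnscmd uses.

```powershell
# Added example: audit the dynamic-update hardening described in the thread across DHCP and DNS servers.
# Assumptions: RSAT DhcpServer/DnsServer/ActiveDirectory modules; server names below are placeholders.
Import-Module DhcpServer
Import-Module DnsServer
Import-Module ActiveDirectory

$DhcpServers = 'dhcp01.corp.example.com', 'dc02.corp.example.com'   # placeholders
$DnsServers  = 'dc01.corp.example.com', 'dc02.corp.example.com'     # placeholders

# Computer accounts currently in DnsUpdateProxy (SamAccountName of a computer ends in '$')
$proxyMembers = (Get-ADGroupMember -Identity 'DnsUpdateProxy' -Recursive).SamAccountName

# 1. Per DHCP server: which account registers records, and is the server in DnsUpdateProxy?
$dhcpReport = foreach ($s in $DhcpServers) {
    $cred    = Get-DhcpServerDnsCredential -ComputerName $s
    $sam     = $s.Split('.')[0] + '$'            # derive the computer account name from the host name
    [pscustomobject]@{
        Server                = $s
        DnsCredential         = if ($cred.UserName) { "$($cred.DomainName)\$($cred.UserName)" } else { '(none)' }
        ComputerInUpdateProxy = $proxyMembers -contains $sam
    }
}

# 2. Per DNS server: is OpenAclOnProxyUpdates disabled (the dnscmd /config /OpenAclOnProxyUpdates 0 step)?
$dnsReport = foreach ($s in $DnsServers) {
    $setting = Get-DnsServerSetting -ComputerName $s -All
    [pscustomobject]@{
        Server                = $s
        OpenAclOnProxyUpdates = $setting.OpenAclOnProxyUpdates   # property name assumed to match dnscmd
        Hardened              = -not $setting.OpenAclOnProxyUpdates
    }
}

$dhcpReport | Format-Table -AutoSize
$dnsReport  | Format-Table -AutoSize
```

A DHCP server whose DnsCredential shows "(none)" registers records as its own computer account, and a DNS server whose Hardened column is False still creates open ACLs for records written by DnsUpdateProxy members; both are the conditions the steps in the original question are meant to remove.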


Monday, April 15, 2019 9:53 AM

Hello YardFlex,

I suggest you look at these two articles. The official documentation explains some features in more detail and is easy to understand.

How to configure DNS dynamic updates in Windows Server 2003

Updating DNS Resource Records

Best Regards,

Leon



Thursday, April 18, 2019 12:26 PM

Hi,

Just checking in to see if the information provided was helpful. 
Please let us know if you would like further assistance.

Best Regards,
Leon



Wednesday, April 24, 2019 6:41 AM

Hi Yard,

Was your issue resolved? 

If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

If you resolved it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

If not, please reply and tell us the current situation in order to provide further help.

Best Regards,

Leon



Thursday, May 16, 2019 7:51 PM

I found that the Read Only DNS servers had primary reverse zones configured.  After I re-created them as Secondary zones, they pulled the zone information from the master servers successfully.

With regards to the DNS A record ownership, I figure that instead of deleting all DHCP leases and corresponding DNS A records to get them to recreate with the correct ownership/permissions, I will let them eventually get updated in time as the scavenging period is 2 days.

I still do not know why the permissions vary for brand new computers vs existing computers even after being updated with the DHCP account as the registering account and owner.
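The misconfiguration found here, a file-backed primary reverse zone on a site DNS server that should only hold a secondary copy, is easy to spot in bulk. The following added PowerShell (not from the thread) lists every reverse lookup zone on each DNS server with its type, storage and master servers, and flags the combination the poster hit. It assumes the DnsServer RSAT module is installed; the server names are placeholders.

```powershell
# Added example: inventory reverse lookup zones across DNS servers and flag isolated primary copies.
# Assumptions: RSAT DnsServer module; server names are placeholders.
Import-Module DnsServer

$DnsServers = 'dc01.corp.example.com', 'rodc-site1.corp.example.com'   # placeholders

$zones = foreach ($s in $DnsServers) {
    Get-DnsServerZone -ComputerName $s |
        Where-Object { $_.IsReverseLookupZone -and -not $_.IsAutoCreated } |   # skip 0/127/255 auto zones
        ForEach-Object {
            [pscustomobject]@{
                Server        = $s
                Zone          = $_.ZoneName
                ZoneType      = $_.ZoneType
                DsIntegrated  = $_.IsDsIntegrated
                MasterServers = ($_.MasterServers -join ', ')
                # A file-backed Primary on a site server answers authoritatively from its own copy and
                # never receives the updates written to the AD-integrated zone elsewhere
                Suspect       = ($_.ZoneType -eq 'Primary' -and -not $_.IsDsIntegrated)
            }
        }
}

$zones | Sort-Object Suspect -Descending, Server | Format-Table -AutoSize
```

A row with Suspect = True on a read-only site server is the condition described above; converting that zone to a Secondary with the authoritative servers listed under MasterServers, as the poster did, lets the PTR records registered at the hub replicate to the site.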