#1
I have a situation where we have to use unauthenticated DDNS and from time to time, someone will inadvertently name a device the same name as a server. The short version of the story is that the server record ends up getting deleted and I'd like to prevent that from happening.

If it helps, the server record is manually created by an administrator. DHCP is also being used to create DDNS records.

Seems to me the best solution would be to prevent any device from being able to create the record with a matching name in the first place. I'm thinking along the lines of the DNS server would reject the change/addition since there is already a manually created record with the same name. That would prevent round robin from kicking in and serving up both IP addresses. It might even prevent the rename of said device from removing the manually created record. Is this possible?

Failing the ability to do that, I'd at least like to prevent it (dynamic part of DDNS) from deleting the manually created record. Can I do this with the security settings on the DNS record? Or is there some other way to "lock" a record so it can't be updated dynamically?

Using w2k3 for dns and w2k for dhcp.

Thanks!
#2
I believe there is a way to deny the security privilege to update host records, but I don't think it can be isolated to a single record. I don't think this would help in your situation.

However, there is a workaround that you can use. Create an A record with the IP address of your server, but use a different name for the A record that will not be duplicated by accident (something like server7341X).

Then, create a CNAME with the name that you want for your server and point it to this new A record. Since you can't create an A record if a CNAME already exists with the same name, then that record will not be overwritten.

I hope this helps.

--
Greg Lindsay [MSFT]

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.

"Jay" <nospam@no.where> wrote in message news:eltfHemNHHA.2468@TK2MSFTNGP06.phx.gbl...
> I have a situation where we have to use unauthenticated DDNS and from time to time, someone will inadvertently name a device the same name as a server. The short version of the story is that the server record ends up getting deleted and I'd like to prevent that from happening.
>
> If it helps, the server record is manually created by an administrator. DHCP is also being used to create DDNS records.
>
> Seems to me the best solution would be to prevent any device from being able to create the record with a matching name in the first place. I'm thinking along the lines of the DNS server would reject the change/addition since there is already a manually created record with the same name. That would prevent round robin from kicking in and serving up both IP addresses. It might even prevent the rename of said device from removing the manually created record. Is this possible?
>
> Failing the ability to do that, I'd at least like to prevent it (dynamic part of DDNS) from deleting the manually created record. Can I do this with the security settings on the DNS record? Or is there some other way to "lock" a record so it can't be updated dynamically?
>
> Using w2k3 for dns and w2k for dhcp.
>
> Thanks!
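
Why the CNAME workaround described above holds, as an added example that is not part of the original post: a simplified Python model of the RFC 2136 rule that a non-CNAME update is ignored at a name that owns a CNAME. The name `fileserver`, the addresses and the overwrite-then-delete update sequence are assumptions; this models the protocol rules, not Windows DNS Server itself.

```python
# Simplified model of the RFC 2136 section 3.4.2.2 update rules, with no
# prerequisites and no authentication (the unauthenticated-DDNS case).
# All names and addresses are constructed for illustration.

def apply_update(zone, op, name, rtype, rdata=None):
    """zone: {name: {rtype: set(rdata)}}. Returns 'applied' or 'ignored'."""
    rrsets = zone.setdefault(name, {})
    if op == "add":
        has_cname = "CNAME" in rrsets
        has_other = any(t != "CNAME" for t in rrsets)
        # A CNAME cannot share its name with other data, so an update RR
        # that would break this is silently ignored.
        if (has_cname and rtype != "CNAME") or (has_other and rtype == "CNAME"):
            return "ignored"
        if rtype == "CNAME":
            rrsets["CNAME"] = {rdata}
        else:
            rrsets.setdefault(rtype, set()).add(rdata)
        return "applied"
    if op == "delete":  # rdata=None deletes the whole RRset of this type
        current = rrsets.get(rtype, set())
        doomed = set(current) if rdata is None else current & {rdata}
        if not doomed:
            return "ignored"
        rrsets[rtype] = current - doomed
        if not rrsets[rtype]:
            del rrsets[rtype]
        return "applied"
    raise ValueError(f"unknown op: {op}")

def resolve(zone, name, depth=0):
    """Return the sorted A addresses for name, following CNAMEs."""
    rrsets = zone.get(name, {})
    if "CNAME" in rrsets and depth < 8:
        return resolve(zone, next(iter(rrsets["CNAME"])), depth + 1)
    return sorted(rrsets.get("A", ()))

def plain_zone():    # server published as a bare, manually created A record
    return {"fileserver": {"A": {"10.0.0.5"}}}

def aliased_zone():  # the workaround: CNAME -> uniquely named A record
    return {"fileserver": {"CNAME": {"server7341X"}},
            "server7341X": {"A": {"10.0.0.5"}}}

def name_collision(zone):
    """Assumed sequence: a device named 'fileserver' overwrites the A RRset
    with its own address, then removes that address when it is renamed."""
    results = [apply_update(zone, "delete", "fileserver", "A"),
               apply_update(zone, "add", "fileserver", "A", "10.0.0.99"),
               apply_update(zone, "delete", "fileserver", "A", "10.0.0.99")]
    return results, resolve(zone, "fileserver")
```

With `plain_zone()` all three updates apply and `fileserver` ends up resolving to nothing; with `aliased_zone()` all three are ignored and the name still resolves to 10.0.0.5. The model leaves out RFC 2136's "delete all RRsets from a name" operation and the per-record permissions discussed elsewhere in the thread.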
#3
Actually, I found that you can expressly deny security on a single record.

View the properties of the record. On the security tab, remove write permission from authenticated users and domain computers. Test it using ipconfig /registerdns on a client computer.

--
Greg Lindsay [MSFT]

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.

"Greg Lindsay" <greglin@microsoft.com> wrote in message news:%23NM%230ApNHHA.4992@TK2MSFTNGP04.phx.gbl...
> I believe there is a way to deny the security privilege to update host records, but I don't think it can be isolated to a single record. I don't think this would help in your situation.
>
> However, there is a workaround that you can use. Create an A record with the IP address of your server, but use a different name for the A record that will not be duplicated by accident (something like server7341X).
>
> Then, create a CNAME with the name that you want for your server and point it to this new A record. Since you can't create an A record if a CNAME already exists with the same name, then that record will not be overwritten.
>
> I hope this helps.
>
> --
> Greg Lindsay [MSFT]
>
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Jay" <nospam@no.where> wrote in message news:eltfHemNHHA.2468@TK2MSFTNGP06.phx.gbl...
>> I have a situation where we have to use unauthenticated DDNS and from time to time, someone will inadvertently name a device the same name as a server. The short version of the story is that the server record ends up getting deleted and I'd like to prevent that from happening.
>>
>> If it helps, the server record is manually created by an administrator. DHCP is also being used to create DDNS records.
>>
>> Seems to me the best solution would be to prevent any device from being able to create the record with a matching name in the first place. I'm thinking along the lines of the DNS server would reject the change/addition since there is already a manually created record with the same name. That would prevent round robin from kicking in and serving up both IP addresses. It might even prevent the rename of said device from removing the manually created record. Is this possible?
>>
>> Failing the ability to do that, I'd at least like to prevent it (dynamic part of DDNS) from deleting the manually created record. Can I do this with the security settings on the DNS record? Or is there some other way to "lock" a record so it can't be updated dynamically?
>>
>> Using w2k3 for dns and w2k for dhcp.
>>
>> Thanks!