#1
Hi Group

I run a test network with a 2K3 DC running the typical DNS, DHCP services. I am trying to configure the DHCP server to handle all client DNS registration requirements as per this MSKB.

How to configure DNS dynamic updates in Windows Server 2003
Article ID: 816592

The above article and this technet doc

http://technet2.microsoft.com/window....mspx?mfr=true

Both refer to an option 81 for the DHCP server, now I cannot find this option, under either scope or server options within the DHCP MMC. The options go from 001 to 076 then jump to 249. I have checked all the advanced options, i.e. vendor and user classes, but there is no option 81.

I understand from looking around the MMC that you can add (set predefined options) options but I cannot find the info to add such an option, I am sure I am missing something simple but I am still missing it!!

Any would be fantastic

Regards

S

--
Message posted via http://www.winserverkb.com

#2
Read inline please.

In news:7368d08218055@uwe,
si <u11670@uwe> typed:
> Hi Group
>
> I run a test network with a 2K3 DC running the typical DNS, DHCP
> services. I am trying to configure the DHCP server to handle all client DNS
> registration requirements as per this MSKB.
>
> How to configure DNS dynamic updates in Windows Server 2003
> Article ID: 816592
>
> The above article and this technet doc
>
> http://technet2.microsoft.com/window....mspx?mfr=true
>
> Both refer to an option 81 for the DHCP server, now I cannot find
> this option, under either scope or server options within the DHCP MMC.
> The options go from 001 to 076 then jump to 249. I have checked all the
> advanced options, i.e. vendor and user classes, but there is no option 81.
>
> I understand from looking around the MMC that you can add (set predefined
> options) options but I cannot find the info to add such an option, I am sure
> I am missing something simple but I am still missing it!!
>
> Any would be fantastic

The DNS tab is option 081.
I suggest you also create a dedicated user account with a strong non-expiring password for making secure updates. (DHCP server properties sheet, Advanced tab, credentials button).

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This s
===================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue, to respond directly to me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders with OEBackup:
http://www.oe.com/OEBackup/Default.aspx
===================================

#3
Kevin

Thanks for the reply, for some reason I just couldn't see that.....but it makes sense now, in the cold light of day, it's just with all/most of the other DHCP server options having little tick boxes in a big list I guess I just assumed..........:-)

Anyways... I have re-read the technet article and your advice and am wanting to create a dedicated user account for the DHCP server to update DNS records with, after adding it to the DNSupdateproxy group......have I got that right?

Now when the article refers to a dedicated user account, does it mean just a normal domain user account with, like you say, a non-expiring password of sufficient complexity? If so then I understand.

Thanks for the advice again Kevin

Cheers

S

Kevin D. Goodknecht Sr. [MVP] wrote:
>Read inline please.
>
> In news:7368d08218055@uwe,
>si <u11670@uwe> typed:
>> Hi Group
>>
>[quoted text clipped - 27 lines]
>>
>> Any would be fantastic
>
>The DNS tab is option 081.
>I suggest you also create a dedicated user account with a strong
>non-expiring password for making secure updates. (DHCP server properties
>sheet, Advanced tab, credentials button).
>

--
Message posted via WinServerKB.com
http://www.winserverkb.com/Uwe/Forum...r-dns/200706/1

#4
Read inline please.

In news:7372538be7523@uwe,
si via WinServerKB.com <u11670@uwe> typed:
> Kevin
>
> Thanks for the reply, for some reason I just couldn't see that.....but
> it makes sense now, in the cold light of day, it's just with all/most
> of the other DHCP server options having little tick boxes in a big
> list I guess I just assumed..........:-)
>
> Anyways... I have re-read the technet article and your advice and am
> wanting to create a dedicated user account for the DHCP server to
> update DNS records with, after adding it to the DNSupdateproxy
> group......have I got that right?

Do not add the Account to the DNSupdateproxy group, this account does not need any special group memberships or privileges. It is used only to Authenticate.

>
> Now when the article refers to a dedicated user account, does it mean
> just a normal domain user account with, like you say, a non-expiring
> password of sufficient complexity? If so then I understand.

Correct, the non-expiring password is not a requirement, but since this account is not used by any user, if the password expires in the future, updates will stop until the password is changed, but you won't be notified of the expiring password. Make the password as strong as possible to prevent someone from hijacking the account. Phrases with uppercase and lowercase letters, numbers and spaces at least 15 characters long make the best passwords. This basic rule gives you at least 10 to the 27th power password combinations.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This s

#5
Hi

Again thanks, I meant add the DHCP server to the DNSupdateproxy group, not the user account. Is this incorrect? I understand it is required so DNS records created by the server are updatable (i.e. ownership can change) by an appropriate client/other DHCP server request.

This is a test environment for learning purposes. An environment where multiple DHCP servers are used is reasonable to expect, I understand for these other servers to be able to update other DHCP server created DNS records the above scenario (along with a dedicated user account for authentication) is required for secure dynamic updates to operate correctly.

I think I am getting there...

Thanks for your advice

Cheers

S

Kevin D. Goodknecht Sr. [MVP] wrote:
>Read inline please.
>
> In news:7372538be7523@uwe,
>si via WinServerKB.com <u11670@uwe> typed:
>> Kevin
>>
>[quoted text clipped - 7 lines]
>> update DNS records with, after adding it to the DNSupdateproxy
>> group......have I got that right?
>Do not add the Account to the DNSupdateproxy group, this account does not
>need any special group memberships or privileges. It is used only to
>Authenticate.
>
>> Now when the article refers to a dedicated user account, does it mean
>> just a normal domain user account with, like you say, a non-expiring
>> password of sufficient complexity? If so then I understand.
>
>Correct, the non-expiring password is not a requirement, but since this
>account is not used by any user, if the password expires in the future,
>updates will stop until the password is changed, but you won't be notified
>of the expiring password. Make the password as strong as possible to prevent
>someone from hijacking the account. Phrases with uppercase and lowercase
>letters, numbers and spaces at least 15 characters long make the best
>passwords. This basic rule gives you at least 10 to the 27th power password
>combinations.
>

#6
Kevin

I have configured the DHCP as discussed, with it responsible for registering and updating all clients in DNS. I have made the server part of the DNSupdateproxy group and created a dedicated user account to authenticate for secure updates to work.

Now when a client obtains a DHCP lease, the server DOES register its Host and PTR records but the owner of said records is SYSTEM. I was expecting the user account I created for authentication to be the owner, is this incorrect? Otherwise how do I verify this configuration works?

Thanks for any assistance you can offer, you've been great so far

Regards

S

si wrote:
>Hi
>
>Again thanks, I meant add the DHCP server to the DNSupdateproxy group, not
>the user account. Is this incorrect? I understand it is required so DNS
>records created by the server are updatable (i.e. ownership can change) by an
>appropriate client/other DHCP server request.
>
>This is a test environment for learning purposes. An environment where
>multiple DHCP servers are used is reasonable to expect, I understand for these
>other servers to be able to update other DHCP server created DNS records the
>above scenario (along with a dedicated user account for authentication) is
>required for secure dynamic updates to operate correctly.
>
>I think I am getting there...
>
>Thanks for your advice
>
>Cheers
>
>S
>
>>Read inline please.
>>
>[quoted text clipped - 19 lines]
>>passwords. This basic rule gives you at least 10 to the 27th power password
>>combinations.
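
One way to check the settings discussed in this thread from PowerShell, as an added example that is not part of any poster's message. It assumes a newer Windows Server than the 2K3 system in the thread (2012 or later, with the DhcpServer, DnsServer and ActiveDirectory modules), an AD-integrated zone, and placeholder server, zone and client names.

```powershell
# Added example, not from the thread. All server/zone/client names are placeholders.
# Assumes the DhcpServer, DnsServer and ActiveDirectory modules (Server 2012+ or RSAT).
Import-Module DhcpServer, DnsServer, ActiveDirectory

function Test-DhcpDnsRegistration {
    param(
        [Parameter(Mandatory)] [string]$DhcpServer,  # DHCP server to inspect
        [Parameter(Mandatory)] [string]$DnsServer,   # DC hosting the AD-integrated zone
        [Parameter(Mandatory)] [string]$ZoneName,    # forward lookup zone
        [Parameter(Mandatory)] [string]$ClientName   # host label of a client with a fresh lease
    )

    # Account entered under DHCP server properties > Advanced > Credentials.
    $cred = Get-DhcpServerDnsCredential -ComputerName $DhcpServer

    # Server-level dynamic update settings (the DNS tab, i.e. option 081).
    $dnsTab = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer

    # Members of DnsUpdateProxy; computer accounts show a trailing '$'.
    $proxyMembers = @(Get-ADGroupMember -Identity 'DnsUpdateProxy' |
        Select-Object -ExpandProperty SamAccountName)

    # Owner of the client's A record, read from the AD object behind the record.
    $owners = @(Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
            -Name $ClientName -RRType A | ForEach-Object {
        (Get-Acl -Path ("AD:\" + $_.DistinguishedName)).Owner
    } | Sort-Object -Unique)

    [pscustomobject]@{
        CredentialAccount       = if ($cred.UserName) { "$($cred.DomainName)\$($cred.UserName)" } else { $null }
        # The advice in the thread is that this account needs no group membership.
        CredentialInUpdateProxy = [bool]($cred.UserName -and ($proxyMembers -contains $cred.UserName))
        DynamicUpdates          = $dnsTab.DynamicUpdates
        UpdateOlderClients      = $dnsTab.UpdateDnsRRForOlderClients
        DnsUpdateProxyMembers   = $proxyMembers
        RecordOwners            = $owners
        OwnerIsCredential       = [bool]($cred.UserName -and
            ($owners -match "\\$([regex]::Escape($cred.UserName))$"))
    }
}

# Example call (placeholder names):
Test-DhcpDnsRegistration -DhcpServer 'dhcp01.example.test' -DnsServer 'dc01.example.test' `
    -ZoneName 'example.test' -ClientName 'client1'
```

An empty `CredentialAccount` means no dedicated account is configured on the DHCP server, and `RecordOwners` shows which principal owns the record the server registered.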