Your instructor will demonstrate how to configure DNS dynamic update credentials, including:
Configuring DHCP server to use the account
Introduction
The Windows Server 2003 DNS Server service supports Dynamic DNS updates, which allow client systems to add DNS records directly into the database. Dynamic DNS servers can receive malicious or unauthorized updates from an attacker by means of a client that supports the Dynamic DNS (DDNS) protocol if the server is configured to accept unsecured updates. At a minimum, an attacker can add bogus entries to the DNS database; at worst, the attacker can overwrite or delete legitimate entries in the DNS database.
DNS domain names that are registered by the Dynamic Host Configuration Protocol (DHCP) server are not secure if the DHCP server is a member of the DnsUpdateProxy group. Because objects that are created by the members of the DnsUpdateProxy group are not secure, you cannot use this group effectively in an Active Directory-integrated zone that allows only secure dynamic updates unless you take additional steps to allow records that are created by members of the group to be secured.
To protect against nonsecure records or to allow members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you can create a dedicated user account and configure DHCP servers to perform DNS dynamic updates with the user account credentials (user name, password, and domain). The credentials of one dedicated user account can be used by multiple DHCP servers. A dedicated user account is a user account whose sole purpose is to supply DHCP servers with credentials for DNS dynamic update registrations.
When you create a dedicated user account and configure DHCP servers with the account credentials, each DHCP server supplies these credentials when it registers names on behalf of DHCP clients by using DNS dynamic update. The dedicated user account should be created in the forest where the primary DNS server for the zone to be updated resides.
Need to configure DNS dynamic update credentials
Procedure: Creating a user account
Procedure: Configuring DHCP server to use the account
Note The dedicated user account can also be located in another forest if the forest that the account resides in has a forest trust established with the forest that contains the primary DNS server for the zone to be updated.
To create a dedicated user account, perform the following steps on the DNS server:
1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Expand the domain, right-click the Users container, click New, and then click User.
3. In the New Object - User dialog box, enter the information from the following table.
   Full Name: Specify a name
   User Logon Name: Specify a logon name
4. Click Next.
5. Specify a password, such as @6abra8aCRA&u!eCab-A.
6. Clear the User must change password at next logon option, select the Password never expires option, click Next, and then click Finish.
To configure a DHCP server to use the dedicated user account, perform the following steps:
1. Click Start, point to Administrative Tools, and then click DHCP.
2. Right-click the server name and then click Properties.
3. In the server properties dialog box, click the Advanced tab, and then click Credentials.
4. On the DNS Dynamic Update Credentials page, enter the information from the following table.
   User Name: Specify a user name
   Domain: Specify a domain name
   Password: Specify a password
   Confirm Password: Specify a password
5. Click OK twice, and then close DHCP.
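The two procedures above, scripted end to end, as an added example that is not part of the course material and is not Microsoft's code. It uses the ActiveDirectory, DhcpServer and DnsServer PowerShell modules, which ship with Windows Server 2012 and later rather than with Windows Server 2003 (where the GUI steps above, or the netsh dhcp server set dnscredentials command, are used instead). The domain, OU, account name, DHCP server, DNS server and zone names are constructed placeholders. Besides creating the account and handing the credential to the DHCP server, it checks the result with Get-DhcpServerDnsCredential and verifies that the zone accepts only secure dynamic updates, since the dedicated account achieves nothing if the zone still takes nonsecure updates.

```powershell
# Added example, not course code. Requires the ActiveDirectory, DhcpServer and
# DnsServer modules (Windows Server 2012 or later). On Windows Server 2003 the
# equivalent of the DHCP step is:
#   netsh dhcp server set dnscredentials <UserName> <Domain> <Password>
# Every name below is an assumed placeholder; change it for your environment.

$domainNetbios = 'CONTOSO'                          # assumed NetBIOS domain name
$domainDns     = 'contoso.com'                      # assumed DNS domain name
$userName      = 'svc-dhcp-dnsupdate'               # assumed dedicated account name
$usersOU       = 'CN=Users,DC=contoso,DC=com'       # assumed container for the account
$dhcpServer    = 'dhcp01.contoso.com'               # assumed DHCP server
$dnsServer     = 'dns01.contoso.com'                # assumed primary DNS server for the zone
$zoneName      = 'contoso.com'                      # assumed zone that DHCP registers names in

Import-Module ActiveDirectory
Import-Module DhcpServer
Import-Module DnsServer

# Prompt for the password instead of embedding it in the script.
$password = Read-Host -Prompt "Password for $userName" -AsSecureString

# Procedure 1: create the dedicated account. It needs no group membership beyond
# Domain Users. "Password never expires" follows the course procedure, so keep the
# account in your credential-rotation inventory.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$userName'")) {
    New-ADUser -Name $userName `
               -SamAccountName $userName `
               -UserPrincipalName "$userName@$domainDns" `
               -Path $usersOU `
               -AccountPassword $password `
               -ChangePasswordAtLogon $false `
               -PasswordNeverExpires $true `
               -Enabled $true `
               -Description 'Dedicated account for DHCP DNS dynamic update registrations'
}

# Procedure 2: configure the DHCP server with the credential. The same credential
# can be set on every DHCP server that updates this zone.
$cred = New-Object System.Management.Automation.PSCredential ("$domainNetbios\$userName", $password)
Set-DhcpServerDnsCredential -Credential $cred -ComputerName $dhcpServer

# Verification: the DHCP server must now report the dedicated account. An empty
# credential on a domain controller means registrations are made with the DC's
# own authority over the zone.
$current = Get-DhcpServerDnsCredential -ComputerName $dhcpServer
if ($current.UserName -ne $userName) {
    throw "DHCP server $dhcpServer is not using the dedicated account"
}
"DHCP server {0} registers DNS names as {1}\{2}" -f $dhcpServer, $current.DomainName, $current.UserName

# Caveat from the introduction: the dedicated account only helps if the zone
# refuses nonsecure updates. Check the zone's dynamic update setting.
$zone = Get-DnsServerZone -Name $zoneName -ComputerName $dnsServer
if ($zone.DynamicUpdate -ne 'Secure') {
    Write-Warning "Zone $zoneName accepts '$($zone.DynamicUpdate)' dynamic updates; set it to Secure only"
}
```

Run it from an elevated PowerShell session on a machine with the RSAT modules installed, as an account that can create users and administer the DHCP and DNS servers. Remove-DhcpServerDnsCredential clears the setting again if the DHCP server is decommissioned.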
Important When you install the DHCP service on a domain controller, configure the DHCP server with the credentials of the dedicated user account to prevent the server from inheriting (and possibly misusing) the power of the domain controller. When installed on a domain controller, the DHCP service inherits the security permissions of the domain controller and has the authority to update or delete any DNS record that is registered in a secure Active Directory-integrated zone. (This authority also applies to records that were securely registered by other computers in the domain, including domain controllers.)