| Author | Messages | |
bwatson
Posts:0
 | | 11/17/2009 5:37 PM |
| Hello everyone,
Our company is currently running a Windows Server 2003 R2 domain with ADI DNS and DHCP handled by a Windows Server 2003 R2 server. While we primarily run Windows, we do have a large install base of various Linux machines that engineers use for development.
Today we had an issue in which an engineer built up a Linux host, gave it the same hostname as one of our servers, and DHCP assigned it an IP address and overwrote the static entry we had originally created for the server.
What are my options for preventing this from happening in the future? I realize in a full Windows environment, secure updates would be the best bet, but what solution would you recommend in an environment that also includes a large Linux install base?
Thanks,
Ben
| | | |
| deji
Posts:262
 | | 11/17/2009 6:00 PM |
| Looks like the DNSUpdateProxy option bit you. This is one of the common oops-factors associated with using this option. I prefer to let Windows clients handle their own IP registration/updates in a Windows DNS infra that supports dynamic update.
If you have a rather large non-Windows infra supported by Windows DNS, I THINK using a dedicated account for DNSProxyupdate may be a good option in your case. Otherwise, just manually register IPs for those non-Windows DNS clients.
| | | |
| bwatson
Posts:0
 | | 11/17/2009 6:08 PM |
| Yeah, we definitely do have a pretty sizable non-Windows install base. It would create an incredible workload to manually register those IPs.
| | | |
| andrew
Posts:77
 | | 11/17/2009 6:51 PM |
| So the real reason that the 5h1t hit the fan today was that the newly-built Linux box was given the same name as an existing Windows server.
This causes me to wonder about the naming convention in your organisation, because if it's possible that two servers with different OSs get the same name, then the policy isn't adequate for your environment.
So, two suggestions:
1. Design a better naming convention policy that everyone abides by. I hate to teach my grandmother to suck eggs, but this is a great article about best practices for naming computers: http://labmice.techtarget.com/articles/computernaming.htm
2. Keep a database / spreadsheet of existing computer names, which the policy states must be updated when a new machine is created.
This will prevent this from happening in future. A pain to implement and hard to get buy-in from lazy developers, but worth it for the peace of mind.
Enjoy!
Andrew
| | | |
| kbatkbslpcom
Posts:194
 | | 11/17/2009 7:25 PM |
| LOL - reminds me of a time years ago when someone decided to name their Windows machine "localhost" - and joined it to the domain...and then did a dynamic DNS registration.
This really, REALLY annoyed (read, BROKE) the unix systems - as they "expected" localhost to resolve to 127.0.0.1 - and it made many things stop working (they were configured to resolve DNS first, then FILES).
We ended up adding a static DNS entry in every zone called LOCALHOST at IP address 127.0.0.1 - which solved that particular problem.
One other option to consider would be to create a second zone for the non-Windows machines to register in - then the ADI zone for Windows can allow secure updates. Then you have the suffix search order to consider (which to list first).
| | | |
| Thomas Vuylsteke
Posts:207
 | | 11/17/2009 8:04 PM |
| If you have your "linux" machines' records registered by the Windows-based DHCP server, I suppose you (can) have secure updates on. Next to that, there are some things to consider:
· The usage of the DNSupdateproxy group is somewhat deprecated and not secure at all.
· If the DHCP service is running on a DC: use the "dns credentials" option on the IPv4 Advanced tab of your DHCP service configuration --> make sure the user is a regular domain user.
  o The point is, if it runs under local system on a DC, or as a domain admin user, it can "overwrite" all records, whether they are static, or registered by a server itself or ...
· If the DHCP service is running on a server: you can still decide to use the "dns credentials" option; I actually prefer this. It avoids having the "computer account" of the DHCP server having permissions on records.
A great article on all that: http://technet.microsoft.com/en-us/library/cc787034(WS.10).aspx
If you could give some more details about your setup, I think a clean answer could be provided. Does your DHCP run on a DC? Is your DHCP server a member of the "dnsupdateproxy" group? Is the alternate DNS credentials setting used in your DHCP configuration? What permissions does this user have? ...
Kind regards, Thomas
| | | |
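As an added example (not code from this thread, the list, or Microsoft), the following Python script turns Andrew's "keep an inventory of existing names" suggestion into a detection check over the Windows DHCP server audit log (columns ID,Date,Time,Description,IP Address,Host Name,MAC Address): it flags leases and DNS-update events whose client-supplied host name collides with a server that owns a static record, and more generally any host name claimed by more than one MAC address. The inventory, host names, addresses and log lines are constructed.

```python
"""Cross-check DHCP audit-log activity against an inventory of protected host names.

Constructed example. It reads the Windows DHCP server audit-log layout
(ID,Date,Time,Description,IP Address,Host Name,MAC Address) and reports:
  - "protected_name": a lease or DNS-update event for a host name that belongs
    to a server with a static DNS record (the thread's incident);
  - "duplicate_name": the same host name leased to two different MAC addresses.
"""
import csv
from dataclasses import dataclass
from typing import Iterable

# DHCP server audit-log event IDs (Windows DHCP audit logging).
ASSIGN = "10"              # new lease handed out
RENEW = "11"               # lease renewed
DNS_UPDATE_REQUEST = "30"  # DHCP server asked DNS to register the name
DNS_UPDATE_SUCCESS = "32"  # DNS accepted the update

# Constructed inventory of hosts that own static DNS records. In practice this
# is the spreadsheet/database of server names the thread recommends keeping.
PROTECTED_HOSTS = {"fileserv01", "buildsrv", "dc01"}

# Constructed sample audit log in the Windows DHCP audit-log column order.
SAMPLE_LOG = """ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,11/17/09,09:00:01,Started,,,
10,11/17/09,09:31:10,Assign,10.0.5.23,devbox-a.corp.example,0011223344AA
30,11/17/09,09:31:11,DNS Update Request,10.0.5.23,devbox-a.corp.example,
32,11/17/09,09:31:12,DNS Update Successful,10.0.5.23,devbox-a.corp.example,
10,11/17/09,09:35:40,Assign,10.0.5.77,BUILDSRV.corp.example,0011223344BB
30,11/17/09,09:35:41,DNS Update Request,10.0.5.77,BUILDSRV.corp.example,
32,11/17/09,09:35:42,DNS Update Successful,10.0.5.77,BUILDSRV.corp.example,
11,11/17/09,09:40:00,Renew,10.0.5.23,devbox-a.corp.example,0011223344AA
10,11/17/09,09:45:00,Assign,10.0.5.90,devbox-a.corp.example,0011223344CC
"""


@dataclass(frozen=True)
class Finding:
    kind: str       # "protected_name" or "duplicate_name"
    host: str       # normalized short host name
    ip: str
    mac: str
    event_id: str
    time: str


def short_name(host: str) -> str:
    """Normalize a client-supplied host name: lowercase, strip any domain suffix."""
    return host.strip().lower().split(".", 1)[0]


def parse_events(log_text: str) -> Iterable[dict]:
    """Yield audit-log rows as dicts, skipping the preamble and header lines."""
    for row in csv.reader(log_text.splitlines()):
        if len(row) < 7 or not row[0].strip().isdigit():
            continue
        yield {"id": row[0].strip(), "date": row[1], "time": row[2],
               "desc": row[3], "ip": row[4], "host": row[5],
               "mac": row[6].strip().upper()}


def analyze(log_text: str, protected: set) -> list:
    """Return findings in log order for the two collision conditions above."""
    findings = []
    protected_short = {short_name(h) for h in protected}
    macs_by_host = {}  # short host name -> set of MACs that have leased it
    for ev in parse_events(log_text):
        host = short_name(ev["host"])
        if not host:
            continue
        # Any lease or DNS-update activity on a protected name is a collision:
        # a dynamic client is about to (or did) register over a static record.
        if ev["id"] in (ASSIGN, RENEW, DNS_UPDATE_REQUEST, DNS_UPDATE_SUCCESS) \
                and host in protected_short:
            findings.append(Finding("protected_name", host, ev["ip"],
                                    ev["mac"], ev["id"], ev["time"]))
        # Two different MACs claiming one name is the general form of the problem.
        if ev["id"] in (ASSIGN, RENEW) and ev["mac"]:
            seen = macs_by_host.setdefault(host, set())
            if seen and ev["mac"] not in seen:
                findings.append(Finding("duplicate_name", host, ev["ip"],
                                        ev["mac"], ev["id"], ev["time"]))
            seen.add(ev["mac"])
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, PROTECTED_HOSTS):
        print(f"{f.time} {f.kind:15} host={f.host} ip={f.ip} "
              f"mac={f.mac or '-'} event={f.event_id}")
```

Point the script at the live DhcpSrvLog file and the real inventory to get a daily report; it does not change DNS or DHCP, it only reports.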
| bwatson
Posts:0
 | | 11/17/2009 9:06 PM |
| Hi Thomas (and everyone else that has responded),
Thanks to everyone for your advice. I'm taking all of it and evaluating the best solution to avoid this in the future.
Yeah, just to be more clear, we are using Active Directory Integrated DNS, and we use nothing but the DCs as primary DNS servers. We do NOT use our DCs for DHCP; a separate domain server handles DHCP. The DHCP server does belong to the DNSUpdateProxy group.
Hopefully that provides you the information you were looking for. If you need anything additional, I'd be more than happy to provide it.
Thanks, ~Ben
| | | |
| robertsingers
Posts:571
 | | 11/17/2009 10:43 PM |
| From my perspective you don't have a technology issue, you have a policy and process issue. Nothing wakes up developers like a public flogging for breaching policies.
| | | |
| Thomas Vuylsteke
Posts:207
 | | 11/18/2009 9:15 PM |
| Exactly, Rick.
However, I also agree with the others stating you should have proper naming conventions and so on. However, that's just to ease the operations. Suppose there is a "rogue" user naming their client on purpose after a server; naming conventions won't protect you there.
I'd like to know why the DHCP is acting as it did. However, I'm out of thoughts.
Kind regards,
Thomas Vuylsteke, System Engineer Server Technology, thomas.vuylsteke@realdolmen.com
Rick Sheikh wrote (Tuesday, November 17, 2009, 23:52, Re: [ActiveDir] DNS Static overwritten by DHCP):
> I am afraid I have to ask why did the DHCP overwrite the existing static entry if DNSUpdateProxy group is NOT being used for the DHCP (as assumed by the responders here)?
| | | |
| robertsingers
Posts:571
 | | 11/18/2009 11:17 PM |
| You would be foolish to think that proper policy and procedures exist only to ease operations. If you adopt that approach you will deserve every and all incidents that happen within your perimeter.
From: Thomas Vuylsteke. Sent: Thursday, 19 November 2009 10:11 a.m. Subject: RE: [ActiveDir] DNS Static overwritten by DHCP
Exactly, Rick.
However, I also agree with the others stating you should have proper naming conventions and so on. However, that's just to ease the operations. Suppose a "rogue" user names its client on purpose after a server; naming conventions won't protect you there.
I'd like to know why the DHCP is acting as it did. However, I'm out of thoughts.
Kind regards,
Thomas Vuylsteke, System Engineer Server Technology, thomas.vuylsteke@realdolmen.com, Direct +32 (0)2 362 55 55, http://www.realdolmen.com/
From: Rick Sheikh [ricksheikh@gmail.com]. Sent: Tuesday, November 17, 2009 23:52. Subject: Re: [ActiveDir] DNS Static overwritten by DHCP
I am afraid I have to ask: why did the DHCP overwrite the existing static entry if the DNSUpdateProxy group is NOT being used for the DHCP (as assumed by the responders here)?
On Tue, Nov 17, 2009 at 4:43 PM, Robert Singers <Robert.Singers@dbh.govt.nz> wrote:
From my perspective you don't have a technology issue, you have a policy and process issue. Nothing wakes up developers like a public flogging for breaching policies.
| | | |
| Thomas Vuylsteke
Posts:207
 | | 11/19/2009 8:22 AM |
| I might have been too harsh in my words. That's why mail sometimes is not as good as the spoken word. I do help my customers using naming conventions. Having a standardized environment lowers incidents of course and helps people understand the environment.
But to be honest, that's not the point of the discussion/question. Why does the DHCP overwrite the record?
| | | |
| andrew
Posts:77
 | | 11/19/2009 10:22 AM |
| To address the question: Why does the DHCP server overwrite the DNS record for the existing Windows server with the DNS record for the newly-created Linux host?
Because it has been configured to do so in the DHCP server properties: DHCP > right-click server > Properties > DNS tab > "Enable DNS dynamic updates according to the settings below". (Please see attached image).
You could deselect this feature, Ben, and it would prevent DHCP from overwriting the existing DNS record, but then DHCP also won't update the DNS records when IP addresses change, causing more work in the long-run.
I still think a naming convention policy and a hostname spreadsheet / database is a viable solution to this problem. In the case of 'rogue' host names, which presumably means deliberately and maliciously naming a host the same as an existing server, this could be classified in your policy as denial of service and therefore gross misconduct.
Kind regards,
Andrew
| | | |
| Thomas Vuylsteke
Posts:207
 | | 11/19/2009 10:37 AM |
| Andrew,
Agreed on the DHCP option; however, the DHCP service should only "overwrite" records it has permission on. Typically these are records which were registered by itself.
Kind regards,
| | | |
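Andrew's pointer to the DNS tab of the DHCP server properties and Thomas's point that DHCP should only be able to overwrite records it has permission on both come down to things you can read off the DNS and DHCP servers. The PowerShell below is an added example, not code from the thread or from Microsoft. It assumes Windows Server 2012 or later with the ActiveDirectory, DnsServer and DhcpServer modules (these cmdlets did not exist on the 2003 R2 servers in the original post, where the same settings live in the DHCP and DNS consoles); the server and zone names are placeholders. It reports what the responders were asking about: whether the DHCP server is in DnsUpdateProxy, whether it registers records as its own computer account or as a dedicated credential (deji's suggestion), whether the zone accepts nonsecure updates, and, for each static A record, who owns the underlying AD object and whether Authenticated Users can write it. It also flags one cause the thread does not name but that fits the original post, where AD-integrated DNS and DHCP sit on the same server: a DHCP service running on a domain controller registers records as the DC's computer account, which has write access to every record in the zone, so it can replace a static entry regardless of who created it. The commented-out name-protection setting at the end is a Windows Server 2008 R2 and later feature that the thread does not mention.

```powershell
#Requires -Modules ActiveDirectory, DnsServer, DhcpServer
# Added example: read-only audit of why a Windows DHCP server could replace a
# static A record in an AD-integrated zone. Names below are assumed placeholders.
param(
    [string]$DnsServer  = 'dc01.corp.example',    # assumed DNS server
    [string]$DhcpServer = 'dhcp01.corp.example',  # assumed DHCP server
    [string]$Zone       = 'corp.example'          # assumed forward zone
)

$dhcpAccount = Get-ADComputer -Identity $DhcpServer.Split('.')[0] -Properties PrimaryGroupID

# 1. DHCP on a domain controller registers as the DC's computer account,
#    which can write any record in the zone. 516 is the Domain Controllers RID.
$isDc = ($dhcpAccount.PrimaryGroupID -eq 516)

# 2. Records registered by a DnsUpdateProxy member carry no owner-specific ACE,
#    so any authenticated user can take them over later.
$inProxy = (Get-ADGroupMember -Identity 'DnsUpdateProxy' -Recursive).distinguishedName -contains $dhcpAccount.DistinguishedName

# 3. How the DHCP server updates DNS (the DNS tab) and as which identity.
$dns  = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer
$cred = Get-DhcpServerDnsCredential -ComputerName $DhcpServer
$registersAs = if ($cred.UserName) { "$($cred.DomainName)\$($cred.UserName)" } else { 'DHCP server computer account' }

# 4. A zone set to NonsecureAndSecure lets anyone overwrite anything; ownership
#    only matters when this is Secure.
$zoneUpdate = (Get-DnsServerZone -Name $Zone -ComputerName $DnsServer).DynamicUpdate

[pscustomobject]@{
    DhcpServerIsDC       = $isDc
    DhcpInDnsUpdateProxy = $inProxy
    DhcpDynamicUpdates   = $dns.DynamicUpdates
    DhcpNameProtection   = $dns.NameProtection
    DhcpRegistersAs      = $registersAs
    ZoneDynamicUpdate    = $zoneUpdate
} | Format-List

# 5. Static A records have no aging timestamp. Each is a dnsNode object in AD,
#    so its ACL is read through the AD: drive the ActiveDirectory module provides.
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -RRType A |
    Where-Object { $null -eq $_.Timestamp -and $_.HostName -ne '@' } |
    ForEach-Object {
        $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        [pscustomobject]@{
            Host  = $_.HostName
            IP    = $_.RecordData.IPv4Address.IPAddressToString
            Owner = $acl.Owner
            WritableByAuthUsers = [bool]($acl.Access | Where-Object {
                $_.IdentityReference -like '*Authenticated Users' -and
                $_.AccessControlType -eq 'Allow' -and
                $_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll' })
        }
    } | Format-Table -AutoSize

# Remediation, left commented so the script stays read-only. The first is the
# dedicated account deji suggested: records DHCP registers are then owned by
# that account instead of the DC or DnsUpdateProxy. The second, DHCP name
# protection (2008 R2+, not discussed in the thread), makes DHCP refuse to
# register a name another client already registered. Neither protects a record
# an administrator created by hand; that depends on the ACL reported above.
#   Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential (Get-Credential 'CORP\svc-dhcp-dns')
#   Set-DhcpServerv4DnsSetting  -ComputerName $DhcpServer -NameProtection $true
```

Read the output top to bottom: a DHCP server that is a DC, or that sits in DnsUpdateProxy, or a zone set to NonsecureAndSecure, each explains an overwritten static record on its own. If none applies, the per-record table shows who actually owns the static entry and whether the default Authenticated Users rights on the zone were inherited down to it.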
| RickSheikh
Posts:373
 | | 11/19/2009 3:44 PM |
| I too was of the opinion that static records are not candidates to be overwritten on behalf of DHCP, even when the discussed setting is on, which I think it is by default. IMHO, turning this setting (DNS Dynamic Updates) off would be equivalent to managing DNS manually for every single machine on your network and as such should not be the solution for this problem. I can't disagree with anything suggested here around policy/procedures for naming conventions; I am just after the technical explanation of this particular incident....
I > realize in a full Windows environment, secure updates would be the best bet, > but what solution would you recommend in an environment that also includes a > large Linux install base? > > > > Thanks, > > Ben > ------------------------------ > > This message has been scanned for viruses and is believed to be clean. > ------------------------------ > ------------------------------ > > This message has been scanned for viruses and is believed to be clean. > ------------------------------ > > > * > ------------------------------ > * > > *Please Note:** > The information contained in this email message and any attached files may > be confidential and subject to privilege. If you are not the intended > recipient of this message, privilege and confidentiality is not waived or > lost, and you are not entitled to use, disclose or copy it in any way. > Opinions expressed in this message are not necessarily those of the > Department of Building and Housing. The Department does not accept any > liability for any technical opinions offered. While we use standard virus > protection software, we do not accept responsibility for viruses or anything > similar in this email or its attachments, nor do we accept responsibility > for changes made to this email or to its attachments after it leaves our > system. If you have received this email in error, please notify us > immediately by reply email and delete the original and any attachment(s). > Thank you. * > * > ------------------------------ > * > > * > * > > > ------------------------------ > > This message has been scanned for viruses and is believed to be clean. > ------------------------------ > ------------------------------ > > This message has been scanned for viruses and is believed to be clean. > ------------------------------ > > > * > ------------------------------ > * > > *Please Note:** ** > The information contained in this email message and any attached files may > be confidential and subject to privilege. 
| | | |
| GuidoG
Posts:113
 | | 11/20/2009 12:18 AM |
| I'm a bit surprised that with all the discussion on this thread the object-level security wasn't discussed too much - even when using the DHCP in an ADI DDNS zone configured to only allow secure updates, the DHCP server should not be allowed to overwrite _correctly configured_ static records.
The problem is often the _correctly configured_ part - a static record is first of all one that won't be deleted after X amount of days via the DNS scavenging. I.e. one where the time stamp is not evaluated during the scavenging process. As soon as this criterion is met, the record is considered _static_. This however is not enough to protect the object from being overwritten by other machines (or users) which are granted the proper write permissions on the object. And here is the culprit: when you created a "static" DNS record in Windows 2000 (or with any Win2000 DNS UI), the default rights allowed any _authenticated user_ to overwrite the record. You had to manually remove those permissions for any statically created DNS record. This logic was changed in Win 2003 - along with the UI: you now have an option to explicitly "allow any authenticated user" to update the record. So unlike in Win2000, the static records are actually "protected" by default from being overwritten since Win2003.
I suspect that Ben's server record that was overwritten was an older record created with the Win2000 UI, which will thus still have had the 'old' default of allowing "authenticated users" to overwrite the record. This would obviously include the DHCP server.
Alternatively, the DNSUpdateProxy account that may (and should) have been configured on the DHCP servers to allow updating the records could have been added to the Domain Admins group (hopefully not), or some other group that grants permissions to overwrite any record (potentially some group that was delegated the necessary rights in the zone). This is obviously not how you'd want to configure that account. It should be a simple domain user - nothing else.
/Guido
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rick Sheikh Sent: Donnerstag, 19. November 2009 16:44 To: activedir@mail.activedir.org Subject: Re: [ActiveDir] DNS Static overwritten by DHCP
I too was of the opinion that static records are not candidates to be overwritten on behalf of DHCP even when the discussed setting is on, which I think is there by default. IMHO, turning this setting (DNS Dynamic Updates) off would be equivalent to managing DNS manually for every single machine on your network and as such should not be the solution for this problem. I can't disagree with anything suggested here around policy/procedures for naming conventions, I am just after the technical explanation of the particular incident....
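The two causes Guido names above (a static record whose ACL still lets Authenticated Users write to it, and an over-privileged dynamic-update account) can both be checked with a script. The following is an added audit example written for this thread, not something posted by Guido or shipped by Microsoft. It assumes RSAT with the ActiveDirectory and DnsServer PowerShell modules, a DNS server that answers the DnsServer cmdlets (Windows Server 2012 or later, so the modern equivalent of the 2003 environment discussed here), a zone stored in the DomainDnsZones partition, and placeholder names for the zone, the DNS server and the update account.

```powershell
# Added audit script (not from the thread). It checks the two failure modes Guido
# describes: (1) a "static" record whose ACL still grants Authenticated Users write
# access, so any domain member (the DHCP server included) can overwrite it, and
# (2) a DHCP dynamic-update credential that is more than a plain domain user.
# Assumptions: ActiveDirectory + DnsServer modules, zone stored in DomainDnsZones,
# and the placeholder names below replaced with your own.
Import-Module ActiveDirectory
Import-Module DnsServer

$ZoneName      = 'corp.example'          # placeholder: your AD-integrated forward zone
$DnsServer     = 'dns1.corp.example'     # placeholder: a DNS server hosting the zone
$UpdateAccount = 'svc-dhcp-dnsupdate'    # placeholder: credential configured on the DHCP servers

function Get-StaticRecordsWritableByAuthenticatedUsers {
    param([string]$Zone, [string]$Server)
    $domainDn = (Get-ADDomain).DistinguishedName
    # Each record set is a dnsNode object under the zone container in DomainDnsZones.
    $zoneDn   = "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
    # Any of these rights lets the grantee change, replace or remove the record set.
    $writeMask = [System.DirectoryServices.ActiveDirectoryRights]'GenericWrite, WriteProperty, GenericAll, Delete, WriteDacl, WriteOwner'

    # Static records carry no aging timestamp; dynamically registered ones do.
    Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone -RRType A |
        Where-Object { -not $_.Timestamp -and $_.HostName -ne '@' } |
        ForEach-Object {
            $record = $_
            $acl = Get-Acl -Path "AD:\DC=$($record.HostName),$zoneDn"
            # Compare by SID (S-1-5-11) so the check is independent of the display language.
            $open = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-5-11' -and
                ($_.ActiveDirectoryRights -band $writeMask) -ne 0
            }
            if ($open) {
                [pscustomobject]@{
                    Record = $record.HostName
                    IP     = $record.RecordData.IPv4Address.ToString()
                    Owner  = $acl.Owner
                    Rights = ($open | ForEach-Object { $_.ActiveDirectoryRights.ToString() }) -join '; '
                }
            }
        }
}

function Get-UpdateAccountPrivilegedMembership {
    param([string]$SamAccountName)
    # The credential DHCP uses for dynamic updates should be an ordinary domain user.
    # Any group returned here lets it overwrite records regardless of their own ACLs.
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'DnsAdmins',
                  'Account Operators', 'Server Operators'
    foreach ($group in $privileged) {
        try {
            $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
        } catch {
            continue   # group does not exist in this domain (e.g. Enterprise Admins outside the forest root)
        }
        if ($members | Where-Object { $_.SamAccountName -eq $SamAccountName }) { $group }
    }
}

function Get-DnsUpdateProxyMembers {
    # Records registered by DnsUpdateProxy members are left unsecured on purpose so the
    # real owner can claim them later; membership should therefore be limited to the DHCP servers.
    Get-ADGroupMember -Identity 'DnsUpdateProxy' | Select-Object Name, objectClass
}

# Usage: records in the first list are the ones an arbitrarily named host can still overwrite.
Get-StaticRecordsWritableByAuthenticatedUsers -Zone $ZoneName -Server $DnsServer | Format-Table -AutoSize
Get-UpdateAccountPrivilegedMembership -SamAccountName $UpdateAccount
Get-DnsUpdateProxyMembers
```

Records that show up in the first list are exactly the "old default" case Guido describes: the fix is to remove the Authenticated Users write ACE (or recreate the record with the 2003-style UI and leave the "allow any authenticated user" option unticked), not to turn dynamic updates off for the whole DHCP server. A zone kept in the domain partition or in ForestDnsZones needs the `$zoneDn` prefix adjusted accordingly.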
| | | |
| Thomas Vuylsteke
Posts:207
 | | 11/20/2009 10:12 AM |
| Guido,
This is what I was hoping for! Very interesting detailed answer. And now wait for some feedback from Ben.
Kind regards, Thomas
| | | |
| RickSheikh
Posts:373
 | | 11/20/2009 4:08 PM |
| Thanks Guido, I was unaware of this behavior in W2K DNS where the ACL on the static records is different. Let's hope we hear back from Ben on this.
On Fri, Nov 20, 2009 at 4:10 AM, Thomas Vuylsteke <Thomas.Vuylsteke@realdolmen.com> wrote:
> Guido,
> This is what I was hoping for! Very interesting detailed answer. And now wait for some feedback from Ben.
> Kind regards,
> Thomas
>
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Grillenmeier, Guido Sent: Friday, 20 November 2009 1:18 To: activedir@mail.activedir.org Subject: RE: [ActiveDir] DNS Static overwritten by DHCP
>
> I'm a bit surprised that with all the discussion on this thread the object-level security wasn't discussed too much - even when using the DHCP in an ADI DDNS zone configured to only allow secure updates, the DHCP server should not be allowed to overwrite _correctly configured_ static records.
>
> The problem is often the _correctly configured_ part - a static record is first of all one that won't be deleted after X amount of days via the DNS scavenging. I.e. one where the time stamp is not evaluated during the scavenging process. As soon as this criterion is met, the record is considered _static_.
>
> This however is not enough to protect the object from being overwritten by other machines (or users), which are granted the proper write permissions on the object. And here is the culprit: when you created a "static" DNS record in Windows 2000 (or with any Win2000 DNS UI), the default rights allowed any _authenticated user_ to overwrite the record. You had to manually remove those permissions for any statically created DNS record. This logic was changed in Win 2003 - along with the UI: you now have an option to explicitly "allow any authenticated user" to update the record. So unlike in Win2000, the static records are actually "protected" by default from being overwritten since Win2003.
>
> I suspect that Ben's server record that was overwritten was an older record created with the Win2000 UI, which will thus still have had the 'old' default of allowing "authenticated users" to overwrite the record. This would obviously include the DHCP server.
>
> Alternatively, the DNSUpdateProxy account that may (and should) have been configured on the DHCP servers to allow updating the records, could have been added to the Domain Admins group (hopefully not), or some other group that grants permissions to overwrite any record (potentially to some group that was delegated the necessary rights in the zone). This is obviously not how you'd want to configure that account. It should be a simple domain user - nothing else.
>
> /Guido
| | | |
| bwatson
Posts:0
 | | 11/20/2009 6:08 PM |
| Thank you so much Guido! THAT was the answer I was hoping to get somewhere along the line. While I appreciate the company policy style suggestions that were coming in, I was more interested in a technical solution to my problem. I'm not in a position to enforce or create company policy, and they are difficult to enact at my level. So it was a far more effective use of my time and energy to look into solutions that I CAN control.
Guido, I believe you hit the nail on the head in regards to the static entry being "old" and created when DNS was running in a Windows 2000 domain. Do you have any sort of suggestion on how to quickly run through and remove those ACLs on just the static entries so this doesn't happen in the future? Most of my work scripting out ACL changes revolves around file shares, so hitting DNS entries (and specifically static entries) is not something I'm familiar with doing.
I would imagine that I have a number of servers still in production using static entries created back in the Windows 2000 days of our domain.
Thank you so much again!
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Grillenmeier, Guido Sent: Thursday, November 19, 2009 4:18 PM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] DNS Static overwritten by DHCP
I'm a bit surprised that with all the discussion on this thread the object-level security wasn't discussed too much - even when using the DHCP in an ADI DDNS zone configured to only allow secure updates, the DHCP server should not be allowed to overwrite _correctly configured_ static records.
The problem is often the _correctly configured_ part - a static record is first of all one that won't be deleted after X amount of days via the DNS scavenging. I.e. one where the time stamp is not evaluated during the scavenging process. As soon as this criterion is met, the record is considered _static_.
This however is not enough to protect the object from being overwritten by other machines (or users), which are granted the proper write permissions on the object. And here is the culprit: when you created a "static" DNS record in Windows 2000 (or with any Win2000 DNS UI), the default rights allowed any _authenticated user_ to overwrite the record. You had to manually remove those permissions for any statically created DNS record. This logic was changed in Win 2003 - along with the UI: you now have an option to explicitly "allow any authenticated user" to update the record. So unlike in Win2000, the static records are actually "protected" by default from being overwritten since Win2003.
I suspect that Ben's server record that was overwritten was an older record created with the Win2000 UI, which will thus still have had the 'old' default of allowing "authenticated users" to overwrite the record. This would obviously include the DHCP server.
Alternatively, the DNSUpdateProxy account that may (and should) have been configured on the DHCP servers to allow updating the records, could have been added to the Domain Admins group (hopefully not), or some other group that grants permissions to overwrite any record (potentially to some group that was delegated the necessary rights in the zone). This is obviously not how you'd want to configure that account. It should be a simple domain user - nothing else.
/Guido
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rick Sheikh Sent: Thursday, 19 November 2009 16:44 To: activedir@mail.activedir.org Subject: Re: [ActiveDir] DNS Static overwritten by DHCP
I too was of the opinion that static records are not candidates to be overwritten on behalf of DHCP even when the discussed setting is on, which I think is there by default. IMHO, turning this setting (DNS Dynamic Updates) off would be equivalent to managing DNS manually for every single machine on your network and as such should not be the solution for this problem. I can't disagree with anything suggested here around policy/procedures for naming conventions, I am just after the technical explanation of the particular incident....
On Thu, Nov 19, 2009 at 4:36 AM, Thomas Vuylsteke <Thomas.Vuylsteke@realdolmen.com> wrote:
Andrew,
Agreed on the DHCP option, however the DHCP service should only "overwrite" records it has permissions on. Typically these are records which it registered itself.
Kind regards,
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Andrew Levicki Sent: Thursday, 19 November 2009 11:21 To: activedir@mail.activedir.org Subject: Re: [ActiveDir] DNS Static overwritten by DHCP
To address the question: Why does the DHCP server overwrite the DNS record for the existing Windows server with the DNS record for the newly-created Linux host?
Because it has been configured to do so in the DHCP server properties:
DHCP > right-click server > Properties > DNS tab > "Enable DNS dynamic updates according to the settings below". (Please see attached image).
You could deselect this feature, Ben, and it would prevent DHCP from overwriting the existing DNS record, but then DHCP also won't update the DNS records when IP addresses change, causing more work in the long-run.
I still think a naming convention policy and a hostname spreadsheet / database is a viable solution to this problem. In the case of 'rogue' host names, which presumably means deliberately and maliciously naming a host the same as an existing server, this could be classified in your policy as denial of service and therefore gross misconduct.
Kind regards,
Andrew
2009/11/19 Thomas Vuylsteke <Thomas.Vuylsteke@realdolmen.com>
I might have been too harsh in my words. That's why mail sometimes is not as good as the spoken word. I do help my customers using naming conventions. Having a standardized environment lowers incidents of course and helps people understand the environment.
But to be honest, that's not the point of the discussion/question. Why does the DHCP overwrite the record?
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Robert Singers Sent: Thursday, 19 November 2009 0:15 To: activedir@mail.activedir.org Subject: RE: [ActiveDir] DNS Static overwritten by DHCP
You would be foolish to think that proper policy and procedures exist only to ease operations. If you adopt that approach you will deserve every and all incidents that happen within your perimeter.
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Thomas Vuylsteke Sent: Thursday, 19 November 2009 10:11 a.m. To: activedir@mail.activedir.org Subject: RE: [ActiveDir] DNS Static overwritten by DHCP
exactly Rick,
However, I also agree with the others stating you should have proper naming conventions and so on. However that's just to ease the operations. Suppose a "rogue" user names their client on purpose after a server; naming conventions won't protect you there.
I'd like to know why the DHCP is acting as it did. However I'm out of thoughts.
Kind regards,
Thomas Vuylsteke, System Engineer Server Technology, thomas.vuylsteke@realdolmen.com
Direct +32 (0)2 362 55 55
From: activedir-owner@mail.activedir.org [activedir-owner@mail.activedir.org] On Behalf Of Rick Sheikh [ricksheikh@gmail.com] Sent: Tuesday, November 17, 2009 23:52 To: activedir@mail.activedir.org Subject: Re: [ActiveDir] DNS Static overwritten by DHCP
I am afraid I have to ask why did the DHCP overwrite the existing static entry if DNSUpdateProxy group is NOT being used for the DHCP (as assumed by the responders here) ?
On Tue, Nov 17, 2009 at 4:43 PM, Robert Singers <Robert.Singers@dbh.govt.nz> wrote:
From my perspective you don't have a technology issue you have a policy and process issue. Nothing wakes up developers like a public flogging for breaching policies.
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of WATSON, BEN Sent: Wednesday, 18 November 2009 6:36 a.m.
To: activedir@mail.activedir.org Subject: [ActiveDir] DNS Static overwritten by DHCP
Hello everyone,
Our company is currently running a Windows Server 2003 R2 domain with ADI DNS and DHCP handled by a Windows Server 2003 R2 server. While we primarily run Windows, we do have a large install base of various Linux machines that engineers use for development.
Today we had an issue in which an engineer built up a Linux host, gave it the same hostname as one of our servers, and DHCP assigned it an IP address and overwrote the static entry we had originally created for the server.
What are my options for preventing this from happening in the future? I realize in a full Windows environment, secure updates would be the best bet, but what solution would you recommend in an environment that also includes a large Linux install base?
Thanks,
Ben
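Guido's point, quoted above, that the DHCP server's DNS update account should be a simple domain user is easy to verify. The PowerShell below is an added example, not code posted by Guido or anyone else on the list: it resolves an account's effective (nested) group membership from the constructed tokenGroups attribute and flags the groups that hold full control of every record in a default AD-integrated zone ACL (Domain Admins, Enterprise Admins, BUILTIN\Administrators, DnsAdmins). The account name svc-dhcp-dns is a placeholder; use the one your DHCP servers are configured with (on a 2003 DHCP server, netsh dhcp server show dnscredentials displays it). It uses System.DirectoryServices only, so it runs from a domain-joined box without the ActiveDirectory module.

```powershell
# Added example for this thread (not from the list). Checks whether the account the
# DHCP server uses for dynamic DNS updates is the "simple domain user" Guido calls
# for, or whether it has (possibly nested) membership in a group that can rewrite
# any DNS record. Account name below is an assumption.

param([string]$AccountName = "svc-dhcp-dns")   # hypothetical service account name

# Groups that receive full control of every dnsNode through the default zone ACL.
# Domain Admins / Enterprise Admins / Administrators have fixed RIDs; DnsAdmins does
# not, so it is matched by name (English group name assumed).
$PrivilegedRids = @{
    512 = "Domain Admins"
    519 = "Enterprise Admins"
    544 = "Administrators (BUILTIN)"
}

function Get-EffectiveGroups {
    # Returns one object (Sid, Rid, Name) per security group the account is a member
    # of, including nested membership, as computed by the DC in tokenGroups.
    param([string]$SamAccountName)
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE")
    $domainDN = [string]$rootDse.Properties["defaultNamingContext"].Value
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domainDN")
    $filter   = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { throw "No account named $SamAccountName in $domainDN" }

    $user = $hit.GetDirectoryEntry()
    # tokenGroups is a constructed attribute; it must be requested explicitly.
    $user.RefreshCache([string[]]@("tokenGroups"))
    foreach ($sidBytes in $user.Properties["tokenGroups"]) {
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        $rid  = [int]$sid.Value.Substring($sid.Value.LastIndexOf("-") + 1)
        $name = $sid.Value
        # Translation fails for SIDs of deleted or foreign groups; keep the raw SID then.
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        New-Object PSObject -Property @{ Sid = $sid.Value; Rid = $rid; Name = $name }
    }
}

function Get-PrivilegedGroups {
    # Subset of Get-EffectiveGroups that would let the account overwrite any record.
    param([string]$SamAccountName)
    Get-EffectiveGroups $SamAccountName | Where-Object {
        $PrivilegedRids.ContainsKey($_.Rid) -or $_.Name -match 'DnsAdmins$'
    }
}

$flagged = @(Get-PrivilegedGroups $AccountName)
if ($flagged.Count -eq 0) {
    Write-Output "$AccountName holds no privileged group membership: suitable as DNS update account."
} else {
    Write-Output "$AccountName can overwrite arbitrary DNS records through these groups:"
    $flagged | ForEach-Object { Write-Output ("  {0}  ({1})" -f $_.Name, $_.Sid) }
}
```

Any group listed in the output should be removed from the account before trusting the DHCP server not to clobber records it does not own; if the account legitimately needs more than plain-user rights for some other task, give it a separate account for DNS updates instead.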
| | | |
| GuidoG
Posts:113
 | | 11/21/2009 12:33 PM |
| Yes, you'll likely have a few other "unprotected" static records, for which the same thing could happen again any time.
And even if you do implement a solid naming convention in your company that ensures that you don't generate duplicate names for servers, you still have to take the measures to protect existing records due to either human error (and stupidity) or a purposely malicious act. It doesn't take much for any user to create a new machine (physical or virtual), name it equal to an existing one that has an unprotected DNS record, put it on the network to get an IP address via DHCP and have your DHCP server overwrite the existing "unprotected" static record... Win 2000 DHCP servers were even "smart enough" to overwrite their own host record, if you named a client with the same name as the DHCP server. Not sure if that was fixed with an SP and I've also not tested it with 2003 or 2008, but in any case I still recommend statically and safely registering the DHCP server records to avoid such errors.
As for checking the permissions of the DNS records - this is a bit tricky and maybe others have some good ideas on how to do this more efficiently, but in the end your ADI DNS records are AD objects of type "dnsNode" - so you can check their ACLs by querying their security in the correct "dnsZone" container. In Win2000 days this used to be located in CN=MicrosoftDNS,CN=System,DC=<your domain>
But I hope by now you've moved your DNS zones into the appropriate App partitions, such as CN=MicrosoftDNS,DC=DomainDnsZones,DC=<your domain>
You can use a combination of DSQUERY and DSACLS, or use joe's ADFIND tool, which also allows you to filter for the Authenticated Users in those ACLs directly...
/Guido
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of WATSON, BEN Sent: Freitag, 20. November 2009 19:04 To: activedir@mail.activedir.org Subject: RE: [ActiveDir] DNS Static overwritten by DHCP
Thank you so much Guido! THAT was the answer I was hoping to get somewhere along the line. While I appreciate the company policy style suggestions that were coming in, I was more interested in a technical solution to my problem. I'm not in a position to enforce or create company policy, and they are difficult to enact at my level. So it was a far more effective use of my time and energy to look into solutions that I CAN control.
Guido, I believe you hit the nail on the head in regards to the static entry being "old" and created when DNS was running in a Windows 2000 domain. Do you have any sort of suggestion on how to quickly run through and remove those ACLs on just the static entries so this doesn't happen in the future? Most of my work scripting out ACL changes revolve around file shares, so hitting DNS entries (and specifically static entries) is not something I'm familiar with doing.
I would imagine that I have a number of servers still in production using static entries created back in the Windows 2000 days of our domain.
Thank you so much again!
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Grillenmeier, Guido Sent: Thursday, November 19, 2009 4:18 PM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] DNS Static overwritten by DHCP
I'm a bit surprised that with all the discussion on this thread the object-level security wasn't discussed too much - even when using the DHCP in an ADI DDNS zone configured to only allow secure updates, the DHCP server should not be allowed to overwrite _correctly configured_ static records.
The problem is often the _correctly configured_ part - a static record is first of all one that won't be deleted after X amount of days via the DNS scavenging. I.e. one where the time stamp is not evaluated during the scavenging process. As soon as this criteria is met, the record is considered _static_. This however is not enough to protect the object from being overwritten by other machines (or users), which are granted the proper write permissions on the object. And here is the culprit: when you created a "static" DNS record in Windows 2000 (or with any Win2000 DNS UI), the default right allow any _authenticated user_ to overwrite the record. You had to manually remove those permission for any statically created DNS record. This logic was changed in Win 2003 - along with the UI: you now have an option to explicitly "allow any authenticated user" to update the record. So unlike in Win2000, the static records are actually "protected" by default from being overwritten since Win2003.
I suspect that Ben's server record that was overwritten was an older record created with the Win2000 UI, which will thus still have had the 'old' default of allowing "authenticated users" to overwrite the record. This would obviously include the DHCP server.
Alternatively, the DNSUpdateProxy account that may (and should) have been configured on the DHCP servers to allow updating the records, could have been added to the Domain Admins group (hopefully not), or some other group that grant permissions to overwrite any record (potentially to some group that was delegated the necessary rights in the zone). This is obviously not how you'd want to configure that account. It should be a simple domain user - nothing else.
/Guido
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rick Sheikh Sent: Donnerstag, 19. November 2009 16:44 To: activedir@mail.activedir.org Subject: Re: [ActiveDir] DNS Static overwritten by DHCP
I was too of the opinion that static records are not candidates to be overwritten on behalf of DHCP even with the discussed setting is on, which I think is there by default. IMHO, turning this setting off (DNS Dynamic Updates) off would be equivalent to managing DNS manually for every single machine on your network and as such should be not solution for this problem. I can't disagree with anything suggested here around policy/procedures for naming conventions, I am just after the technical explanation of particular incident.... On Thu, Nov 19, 2009 at 4:36 AM, Thomas Vuylsteke <Thomas.Vuylsteke@realdolmen.com<mailto:Thomas.Vuylsteke@realdolmen.com>> wrote: Andrew,
Agreed on the DHCP option, however the DHCP service should only "overwrite" records it has permission onto. Typical this are records which were registered by himself.
Kind regards,
From: activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org> [mailto:activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org>] On Behalf Of Andrew Levicki Sent: donderdag 19 november 2009 11:21
To: activedir@mail.activedir.org<mailto:activedir@mail.activedir.org> Subject: Re: [ActiveDir] DNS Static overwritten by DHCP Sensitivity: Confidential
To address the question: Why does the DHCP server overwrite the DNS record for the existing Windows server with the DNS record for the newly-created Linux host?
Because it has been configured to do so in the DHCP server properties: DHCP > right-click server > Properties > DNS tab > "Enable DNS dynamic updates according to the settings below". (Please see attached image).
You could deselect this feature, Ben, and it would prevent DHCP from overwriting the existing DNS record, but then DHCP also won't update the DNS records when IP addresses change, causing more work in the long-run.
I still think a naming convention policy and a hostname spreadsheet / database is a viable solution to this problem. In the case of 'rogue' host names, which presumably means deliberately and maliciously naming a host the same as an existing server, this could be classified in your policy as denial of service and therefore gross misconduct.
Kind regards,
Andrew
2009/11/19 Thomas Vuylsteke <Thomas.Vuylsteke@realdolmen.com<mailto:Thomas.Vuylsteke@realdolmen.com>> I might have been to harsh in my words. That's why mail sometimes is not as good as the spoken word. I do help my customers using naming conventions. Having a standardized environment lowers incidents of course and helps people understand the environment.
But to be honest, that's not the point of the discussion/question. Why does the DHCP overwrite the record?
From: activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org> [mailto:activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org>] On Behalf Of Robert Singers Sent: donderdag 19 november 2009 0:15
To: activedir@mail.activedir.org<mailto:activedir@mail.activedir.org> Subject: RE: [ActiveDir] DNS Static overwritten by DHCP Sensitivity: Confidential
You would be foolish to think that proper policy and procedures exist only to ease operations. If you adopt that approach you will deserve every and all incidents that happen within your perimeter.
From: activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org> [mailto:activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org>] On Behalf Of Thomas Vuylsteke Sent: Thursday, 19 November 2009 10:11 a.m. To: activedir@mail.activedir.org<mailto:activedir@mail.activedir.org> Subject: RE: [ActiveDir] DNS Static overwritten by DHCP Sensitivity: Confidential
Exactly Rick,
However, I also agree with the others stating you should have proper naming conventions and so on. However that's just to ease the operations. Suppose a "rogue" user names its client on purpose after a server; naming conventions won't protect you there.
I'd like to know why the DHCP is acting as it did. However I'm out of thoughts.
Kind regards,
Thomas Vuylsteke, System Engineer Server Technology, thomas.vuylsteke@realdolmen.com
Direct +32 (0)2 362 55 55
From: activedir-owner@mail.activedir.org [activedir-owner@mail.activedir.org] On Behalf Of Rick Sheikh [ricksheikh@gmail.com]
Sent: Tuesday, November 17, 2009 23:52
To: activedir@mail.activedir.org
Subject: Re: [ActiveDir] DNS Static overwritten by DHCP
I am afraid I have to ask why the DHCP overwrote the existing static entry if the DNSUpdateProxy group is NOT being used for the DHCP (as assumed by the responders here)?
On Tue, Nov 17, 2009 at 4:43 PM, Robert Singers <Robert.Singers@dbh.govt.nz> wrote:
From my perspective you don't have a technology issue, you have a policy and process issue. Nothing wakes up developers like a public flogging for breaching policies.
| | | |
| RickSheikh
Posts:373
 | | 11/24/2009 7:34 PM |
| Do see this as well http://blogs.technet.com/networking/archive/2008/05/21/export-dns-records-to-excel-to-read-time-stamps-and-static-records.aspx
On Sat, Nov 21, 2009 at 6:31 AM, Grillenmeier, Guido <guido.grillenmeier@hp.com> wrote:
> Yes, you'll likely have a few other "unprotected" static records, for which the same thing could happen again any time.
>
> And even if you do implement a solid naming convention in your company that ensures that you don't generate duplicate names for servers, you still have to take the measures to protect existing records due to either human error (and stupidity) or a purposely malicious act.
>
> It doesn't take much for any user to create a new machine (physical or virtual), name it equal to an existing one that has an unprotected DNS record, put it on the network to get an IP address via DHCP and have your DHCP server overwrite the existing "unprotected" static record...
>
> Win 2000 DHCP was even "smart enough" to overwrite its own host record, if you named a client with the same name as the DHCP server. Not sure if that was fixed with an SP and I've also not tested it with 2003 or 2008, but in any case I still recommend to statically and safely register the DHCP server records to avoid such errors.
>
> As for checking the permissions of the DNS records – this is a bit tricky and maybe others have some good ideas on how to do this more efficiently, but in the end your ADI DNS records are AD objects of type "dnsNode" – so you can check their ACLs by querying their security in the correct "dnsZone" container. In Win2000 days this used to be located in
>
> CN=MicrosoftDNS,CN=System,DC=<your domain>
>
> But I hope by now you've moved your DNS zones into the appropriate App partitions, such as
>
> CN=MicrosoftDNS,DC=DomainDnsZones,DC=<your domain>
>
> You can use a combination of DSQUERY and DSACLS, or use joe's ADFIND tool, which also allows you to filter for the Authenticated Users in those ACLs directly...
>
> /Guido
>
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of WATSON, BEN
> Sent: Friday, 20 November 2009 19:04
> To: activedir@mail.activedir.org
> Subject: RE: [ActiveDir] DNS Static overwritten by DHCP
>
> Thank you so much Guido! THAT was the answer I was hoping to get somewhere along the line. While I appreciate the company policy style suggestions that were coming in, I was more interested in a technical solution to my problem. I'm not in a position to enforce or create company policy, and they are difficult to enact at my level. So it was a far more effective use of my time and energy to look into solutions that I CAN control.
>
> Guido, I believe you hit the nail on the head in regards to the static entry being "old" and created when DNS was running in a Windows 2000 domain. Do you have any sort of suggestion on how to quickly run through and remove those ACLs on just the static entries so this doesn't happen in the future? Most of my work scripting out ACL changes revolves around file shares, so hitting DNS entries (and specifically static entries) is not something I'm familiar with doing.
>
> I would imagine that I have a number of servers still in production using static entries created back in the Windows 2000 days of our domain.
>
> Thank you so much again!
>
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Grillenmeier, Guido
> Sent: Thursday, November 19, 2009 4:18 PM
> To: activedir@mail.activedir.org
> Subject: RE: [ActiveDir] DNS Static overwritten by DHCP
>
> I'm a bit surprised that with all the discussion on this thread the object-level security wasn't discussed too much – even when using the DHCP in an ADI DDNS zone configured to only allow secure updates, the DHCP server should not be allowed to overwrite *correctly configured* static records.
>
> The problem is often the *correctly configured* part – a static record is first of all one that won't be deleted after X amount of days via the DNS scavenging, i.e. one where the time stamp is not evaluated during the scavenging process. As soon as this criterion is met, the record is considered *static*.
>
> This however is not enough to protect the object from being overwritten by other machines (or users) which are granted the proper write permissions on the object. And here is the culprit: when you created a "static" DNS record in Windows 2000 (or with any Win2000 DNS UI), the default rights allowed any *authenticated user* to overwrite the record. You had to manually remove those permissions for any statically created DNS record. This logic was changed in Win 2003 – along with the UI: you now have an option to explicitly "allow any authenticated user" to update the record. So unlike in Win2000, the static records are actually "protected" by default from being overwritten since Win2003.
>
> I suspect that Ben's server record that was overwritten was an older record created with the Win2000 UI, which will thus still have had the 'old' default of allowing "authenticated users" to overwrite the record. This would obviously include the DHCP server.
>
> Alternatively, the DNSUpdateProxy account that may (and should) have been configured on the DHCP servers to allow updating the records could have been added to the Domain Admins group (hopefully not), or some other group that grants permissions to overwrite any record (potentially some group that was delegated the necessary rights in the zone). This is obviously not how you'd want to configure that account. It should be a simple domain user – nothing else.
>
> /Guido
>
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rick Sheikh
> Sent: Thursday, 19 November 2009 16:44
> To: activedir@mail.activedir.org
> Subject: Re: [ActiveDir] DNS Static overwritten by DHCP
>
> I too was of the opinion that static records are not candidates to be overwritten on behalf of DHCP even when the discussed setting is on, which I think is there by default. IMHO, turning this setting (DNS Dynamic Updates) off would be equivalent to managing DNS manually for every single machine on your network and as such should not be the solution for this problem. I can't disagree with anything suggested here around policy/procedures for naming conventions, I am just after the technical explanation of the particular incident....
>
> On Thu, Nov 19, 2009 at 4:36 AM, Thomas Vuylsteke <Thomas.Vuylsteke@realdolmen.com> wrote:
>
> Andrew,
>
> Agreed on the DHCP option, however the DHCP service should only "overwrite" records it has permission on. Typically these are records which were registered by itself.
>
> Kind regards,
>
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Andrew Levicki
> Sent: Thursday, 19 November 2009 11:21
> To: activedir@mail.activedir.org
> Subject: Re: [ActiveDir] DNS Static overwritten by DHCP
> Sensitivity: Confidential
>
> To address the question: Why does the DHCP server overwrite the DNS record for the existing Windows server with the DNS record for the newly-created Linux host?
>
> Because it has been configured to do so in the DHCP server properties:
>
> DHCP > right-click server > Properties > DNS tab > "Enable DNS dynamic updates according to the settings below". (Please see attached image).
>
> You could deselect this feature, Ben, and it would prevent DHCP from overwriting the existing DNS record, but then DHCP also won't update the DNS records when IP addresses change, causing more work in the long run.
| | | |
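As an added example (not code from the thread, from Microsoft or from any of the posters), a PowerShell script that does what Guido describes and Ben asks for: walk the dnsNode objects of one zone under CN=MicrosoftDNS,DC=DomainDnsZones, report the records whose ACL grants Authenticated Users a write right, and with -Remove strip that explicit ACE from static records only. It assumes RSAT's ActiveDirectory module and an account allowed to edit the ACLs; the -Zone and -Remove parameters and the dnsRecord byte-offset test for "static" are this example's own, not product options.

```powershell
<#
  Added example, not code from the thread, from Microsoft or from any poster:
  audit one ADI zone's dnsNode objects for the Win2000-era default Guido
  describes (an Allow ACE letting Authenticated Users write the record), and
  with -Remove strip that ACE from records that are static by the scavenging
  criterion. Assumes RSAT's ActiveDirectory module, a zone stored in the
  DomainDnsZones partition, and an account allowed to edit the ACLs.
  -Zone and -Remove are this script's own parameters, not product options.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$Zone,   # placeholder, e.g. corp.example.com
    [switch]$Remove                        # report only unless set
)

Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
# The container Guido names: CN=MicrosoftDNS,DC=DomainDnsZones,DC=<your domain>
$zoneDn   = "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"

$authUsers   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
$writeRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericWrite, WriteProperty, GenericAll'

# Each dnsRecord value begins with the DNS_RPC_RECORD header (MS-DNSP); the
# dwTimeStamp DWORD at byte offset 20 is 0 for a static record, i.e. one whose
# time stamp scavenging never evaluates, which is the "static" test in the thread.
function Test-StaticDnsRecord([byte[]]$Record) {
    if ($null -eq $Record -or $Record.Length -lt 24) { return $false }
    return ([BitConverter]::ToUInt32($Record, 20) -eq 0)
}

$nodes = Get-ADObject -SearchBase $zoneDn -LDAPFilter '(objectClass=dnsNode)' `
                      -Properties dnsRecord, dNSTombstoned

foreach ($node in $nodes) {
    if ($node.dNSTombstoned) { continue }                 # deleted (tombstoned) names
    $isStatic = @($node.dnsRecord | Where-Object { Test-StaticDnsRecord $_ }).Count -gt 0
    $acl      = Get-Acl -Path "AD:\$($node.DistinguishedName)"

    # Any Allow ACE granting Authenticated Users a write right lets a DHCP server
    # (or any domain member) replace the record, whatever the zone's update setting.
    $weakAces = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $writeRights) -ne 0 -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $authUsers
    })
    if ($weakAces.Count -eq 0) { continue }

    [pscustomobject]@{
        Name      = $node.Name
        Static    = $isStatic
        Explicit  = @($weakAces | Where-Object { -not $_.IsInherited }).Count
        Inherited = @($weakAces | Where-Object { $_.IsInherited }).Count  # fix these at the zone/container ACL
    }

    # Only explicit ACEs on static records are removed here: dynamic records stay
    # with their registering client, and inherited ACEs must be fixed upstream.
    if ($Remove -and $isStatic -and
        $PSCmdlet.ShouldProcess($node.DistinguishedName, 'Remove Authenticated Users write ACE')) {
        foreach ($ace in $weakAces | Where-Object { -not $_.IsInherited }) {
            [void]$acl.RemoveAccessRule($ace)
        }
        Set-Acl -Path "AD:\$($node.DistinguishedName)" -AclObject $acl
    }
}
```

Run it first without -Remove to get the report, then with -Remove -WhatIf to see which records would be changed before touching any ACL.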
|
|