dhcp question? (70-216 forum archive, October 2002)
cm2gj 2002-10-13, 12:24 am
Your network consists of three DHCP servers and three DNS servers. The TCP/IP configuration for your Windows 2000 Professional and NT Workstation clients is provided by the DHCP servers. All three DHCP servers are configured so that they have scopes for all the computers in the network, and always register and update client computer information on the DNS servers.
You configure the DNS zones on all DNS servers to only allow secure updates. After you complete the configuration, you notice the client computer information in the DNS zones is no longer updated correctly after IP changes. What should you do?
1- Configure a shorter time to live (TTL) interval resource record for the three DNS servers than the lease time used by the DHCP servers
2- Configure the four DHCP servers to enable updates for DNS client computers that do not support dynamic updates
3- Add the computer accounts of the three DHCP servers to the DnsUpdateProxy global security group.
4- Configure the DHCP client computers to NOT release the DHCP lease at shut down or log off
answer and explanation please!
Slinky 2002-10-13, 12:42 am
Answer 3. When a DHCP server updates DNS, it becomes the owner of that record and is the only one that can make changes to it. So let's say that you have 2 similar DHCP servers called DHCP1 and DHCP2. Client1 gets an address from DHCP1 and the server updates DNS because you told it to automatically update clients' records. You now take DHCP1 down for maintenance and the client needs to renew its address through DHCP2. DHCP2 tries to update the client's record but is unable to because DHCP1 owns it. The DNS Update Proxy group basically allows those computers to update records without regard to ownership.
quote: Originally posted by Slinky
Answer 3. When a DHCP server updates DNS, it becomes the owner of that record and is the only one that can make changes to it. So let's say that you have 2 similar DHCP servers called DHCP1 and DHCP2. Client1 gets an address from DHCP1 and the server updates DNS because you told it to automatically update clients' records. You now take DHCP1 down for maintenance and the client needs to renew its address through DHCP2. DHCP2 tries to update the client's record but is unable to because DHCP1 owns it. The DNS Update Proxy group basically allows those computers to update records without regard to ownership.
Excellent explanation.
Now I understand.
quote: Originally posted by Slinky
Answer 3. When a DHCP server updates DNS, it becomes the owner of that record and is the only one that can make changes to it. So let's say that you have 2 similar DHCP servers called DHCP1 and DHCP2. Client1 gets an address from DHCP1 and the server updates DNS because you told it to automatically update clients' records. You now take DHCP1 down for maintenance and the client needs to renew its address through DHCP2. DHCP2 tries to update the client's record but is unable to because DHCP1 owns it. The DNS Update Proxy group basically allows those computers to update records without regard to ownership.
If DHCP1 registers the record in DNS for client X and client X runs ipconfig /registerdns...... is the client able to update its registration, or can only DHCP1 do that?
jocampo 2002-10-13, 8:14 am
Greetings Alex....
I'm going to butt in and try to help you, because just yesterday I finished studying DNS, so this way I review and maybe I help you.
Your question came at just the right time, because it is explained very well in the Syngress 70-216 book. The key is the following:
Older clients, like NT4, cannot automatically register their records on W2K DNS servers, so the W2K DHCP Server takes care of doing it for them if you make them "DHCP clients". Now, W2K clients register the Host Record (A) only if they are configured to obtain their IP dynamically.
What DNS Update Proxy does is put the DHCP server in a group where no security is placed on the record (on the DNS server); that is, the DHCP server does not tag the record with the name of the author or owner (pepe, maria, juan, etc.). Since the records have no owners, anyone can later CLAIM AUTHORSHIP of them.
What is this for? OK... let's say you migrate the old NT clients to W2K and make them DHCP clients. Since they will now be able to register the Host Record themselves, there will be conflicts, because before it was the DHCP Server that did all the work (remember that old NT machines cannot register automatically; they depend on the DHCP Server). So ownership conflicts will arise. If, on the other hand, the DHCP server had been in the Update Proxy Group, NOBODY WOULD CLAIM AUTHORSHIP OF THE RECORDS, and no conflict would be generated.
Now... imagine the DHCP Server (which you have already placed in the Update Proxy Group) is on the same Domain Controller. Do you know what could happen? Why is it so dangerous? Because with the DC's record registered in the DNS database WITHOUT AN OWNERSHIP TAG, anyone.... anyone could claim ownership of it on the network, and then a hacker could pose as the DC; they only have to spoof an IP and know the A record.
ipconfig /registerdns renews all the records in the DNS database, so I understand your assertion is correct, but not in the strict order in which you state it. That is... if the client X you mention is W2K Pro, what the command will do is renew the Host record on the DNS Server, because remember that the PTR record IS NOT THE CLIENT'S, IT BELONGS TO THE DHCP Server. The IP registration will then continue to be done by the DHCP Server. If, on the contrary, the client is NT4 (I'm not sure the command has that switch on NT4), the ipconfig /registerdns, as I understand it, will do nothing, since the DHCP Server is still in charge of updating both records.... the A and the PTR.
Hey, which book did you study from?
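An audit script, added here and not part of the thread, that checks the points Slinky and jocampo raise: that every authorised DHCP server is a member of DnsUpdateProxy (so a record registered by one server does not block the others), that no domain controller is a member (jocampo's caveat), and, as a later mitigation the thread predates, that each DHCP server registers with a dedicated DNS update credential. It assumes a current domain with the RSAT ActiveDirectory and DhcpServer PowerShell modules (the credential cmdlet needs Windows Server 2012 or later); the group and cmdlet names are real, every host name is discovered at runtime.

```powershell
# Added audit example, not from the thread. Assumes the RSAT ActiveDirectory
# and DhcpServer modules and read access to AD and the DHCP servers.
Import-Module ActiveDirectory
Import-Module DhcpServer

function Test-DnsUpdateProxyConfig {
    $findings = @()

    # DHCP servers authorised in AD (by FQDN) and every DC (by computer DN).
    $dhcp = Get-DhcpServerInDC | ForEach-Object { $_.DnsName.ToLower() }
    $dcDN = Get-ADDomainController -Filter * | ForEach-Object { $_.ComputerObjectDN }

    # Records created by DnsUpdateProxy members carry no owner, so membership
    # should be limited to the DHCP servers themselves.
    $members = Get-ADGroupMember -Identity 'DnsUpdateProxy'
    foreach ($m in $members) {
        if ($m.objectClass -ne 'computer') {
            $findings += "Non-computer member of DnsUpdateProxy: $($m.SamAccountName)"
            continue
        }
        $fqdn = (Get-ADComputer -Identity $m.distinguishedName).DNSHostName.ToLower()
        # A DC in the group publishes its own records without an owner, so any
        # authenticated account could overwrite them (jocampo's warning).
        if ($dcDN -contains $m.distinguishedName) {
            $findings += "Domain controller $fqdn is a member of DnsUpdateProxy"
        }
        if ($dhcp -notcontains $fqdn) {
            $findings += "$fqdn is in DnsUpdateProxy but is not an authorised DHCP server"
        }
    }

    foreach ($s in $dhcp) {
        $acct = Get-ADComputer -Filter "DNSHostName -eq '$s'"
        # The scenario's fix (answer 3): each DHCP server belongs in the group,
        # otherwise a record owned by one server blocks updates from the others.
        if ($acct -and ($members.distinguishedName -notcontains $acct.DistinguishedName)) {
            $findings += "DHCP server $s is not a member of DnsUpdateProxy"
        }
        # A dedicated update credential makes every DHCP server register under
        # the same account instead of its own computer account.
        $cred = Get-DhcpServerDnsCredential -ComputerName $s
        if (-not $cred.UserName) {
            $findings += "DHCP server $s has no dedicated DNS update credential"
        }
    }
    return $findings
}

Test-DnsUpdateProxyConfig | ForEach-Object { Write-Output $_ }
```

An empty result means the group contains exactly the authorised DHCP servers, none of them a DC, and each registers with a dedicated account.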
quote: Originally posted by jocampo
Hey, which book did you study from?
I take all the MOC courses from Microsoft at Certified Technical Education Centers, use Exam Essentials, Transcenders, Microsoft Training Kits, the Forum, some free tests on passitNow.com, Troytec 70216, MOC, etc. etc. ...... and experience.... I never needed to add anything to the DnsUpdateProxy group in real life......
Thanks for the explanation!