But normally, the client should be able to register it's own records in the DNS, why do you need to force the DHCP to register on behalf of the client computer ?
And what is the issue you had with the aging / scavenging in domain A ?
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi everyone! It's a pleasure to write one more time, after many years.
We have come across a problem regarding DCHP & DNS Dynamic Update. I'm postig here, because we think the solution relies on Active Directory Group Nesting.
Here is the thing: Our Forest has 3 domains: A, B, C. Every Domain has a two-way trust relationship with the others. Domain A has DHCP A, Domain B has DHCP B and Domain C has DHCP C.
After solving some problems with DNS Aging and Scavenging in Domain A (our principal Site), we need DHCP B and C to have the requiered permissions to make Dynamic Updates in DNSs zones of Domain A. So we created a service account DomainB\dhcp_service and DomainC\dhcp_service & configured DNS Dynamic update to happen always from the DHCP Server, not the client. So we need the service accounts DomainC\dhcp_service and DomainB\dhcp_service to be members of DomainA\DnsUpdateProxy, but this group has a scope of Global.
I can't find the nesting strategy to have those users as member of this group. Not with Global Scope. Is it possible to change-it to Universal and then to Domain Local to be able to add users from another domain? I don't know if theese built-in things are made to be changeable. I don't want to have problems running further active directory updates or extensions or functional levels...
Maybe there are another way to solve this and we are trying to solve this in a dirty or wrong way. But i cannot think of another way...
Any help will be appreciated.
Regards,
A.
But normally, the client should be able to register it's own records in the DNS, why do you need to force the DHCP to register on behalf of the client computer ?
And what is the issue you had with the aging / scavenging in domain A ?
So we need the service accounts DomainC\dhcp_service and DomainB\dhcp_service to be members of DomainA\DnsUpdateProxy
Isn't the solution to use the same account on all DHCP servers? Then there are no permissions issues.
Hi @Pierre Audonnet - MSFT . No is not. Here is why:
If we configure DHCP B, to make dynamic updates as DomainA\dhcp_service, then we need to make DomainA\dhcp_service member of DomainB\DnsUpdateProxy in orden to update DomainB DNSs Zones. And this is the same problem. DomainB\DnsUpdateProxy is a Global Group and cannot have user accounts from other domains.
So... we need to solve the same problem again, but from DomainB perspective.
Regards,
A.
Hi @Andres Soncini ,
I don't a have an environment to confirm this but changing the scope of the group shouldn't impact the DNS update process, and as the group already exists in the domain, future updates are unlikely to be impacted, but as always, you can't 100% sure.
To confirm this, if you look at the permissions of a record that has been added by the DHCP service account, the account is probably the owner of the record and the DNSUpdateProxy group should also have been assigned permissions on the record. As the permissions are assigned based on the group SID, changing the group scope should not impact the permissions assigned.
Another option if you don't want to change the group scope, is change the delegated permissions on the DNS zones and add a domain local group that has permissions to add\delete and update DNS records and add the DHCP service accounts to that group. The only down side to this approach is that the group will have permissions to update all the records in the domain, including DC records.
Gary.
Hi @GaryReynolds-8098. Thanks for your answer. I think that one downside to this approach is also that i have multiple reverse zones in DNSs. So thoose manual delegated permissions needs to be maintained there too. I know that changing the group scope does not alter ACEs in ACLs, but i am not sure if doing this can lead to some error when upgrading functional levels, extending schemma or some other AD Operations. Hence the question.