From: Adrian Marsh on 17 Mar 2010 13:58

Hi All,

In my AD, I know that when a domain workstation connects and obtains a DHCP address, there's some authentication process using certificates that validates the PC, and then updates DNS accordingly.

In my setup, when a Linux PC does a DHCP Request, it's assigned an IP, but DNS isn't updated (I know that the DNS update can be opened up to allow any update, but that's not what I want at present).

I'd like to know more about that authentication mechanism. Can I add that into a Linux-based PC? Is that a standardised part of DHCP, or a Microsoft-specific thing?

Thanks,

Adrian

From: Phillip Windell on 17 Mar 2010 14:21

I believe it is an MS thing that is merged in with the Secure Channel that a Domain Member has with the Domain Controllers and goes along with the Machine Account (and its authentication) on the Domain.

But I could be wrong I suppose...

--
Phillip Windell

The views expressed are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------

"Adrian Marsh" <adrian.marsh(a)removemeubiquisys.com> wrote in message news:Oa15ytfxKHA.4240(a)TK2MSFTNGP06.phx.gbl...
> Hi All,
>
> In my AD, I know that when a domain workstation connects and obtains a
> DHCP address, there's some authentication process using certificates that
> validates the PC, and then updates DNS accordingly.
>
> In my setup, when a Linux PC does a DHCP Request, it's assigned an IP, but
> DNS isn't updated (I know that the DNS update can be opened up to allow
> any update, but that's not what I want at present).
>
> I'd like to know more about that authentication mechanism. Can I add that
> into a Linux-based PC? Is that a standardised part of DHCP, or a
> Microsoft-specific thing?
>
> Thanks,
>
> Adrian

From: DaveMills on 18 Mar 2010 02:28

On Wed, 17 Mar 2010 17:58:26 +0000, Adrian Marsh <adrian.marsh(a)removemeubiquisys.com> wrote:

>Hi All,
>
>In my AD, I know that when a domain workstation connects and obtains a
>DHCP address, there's some authentication process using certificates that
>validates the PC, and then updates DNS accordingly.

I don't think this is quite correct. The DHCP server hands out the IP address. There is no authentication involved. After it has an IP, the client PC will then contact the DNS server and register its IP and Name. This "may" require authentication but does not have to. It depends on the DNS zone settings.

>
>In my setup, when a Linux PC does a DHCP Request, it's assigned an IP,
>but DNS isn't updated (I know that the DNS update can be opened up to
>allow any update, but that's not what I want at present).
>
>I'd like to know more about that authentication mechanism. Can I add
>that into a Linux-based PC? Is that a standardised part of DHCP, or a
>Microsoft-specific thing?

MS

You could look into setting the DHCP server to do the DNS registration for the clients. Open the DHCP console and right-click the server, take Properties and look at the DNS tab.

>
>Thanks,
>
>Adrian

--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.

From: Jonathan de Boyne Pollard on 19 Mar 2010 10:07

> (I know that the DNS update can be opened up to allow any update, but
> that's not what I want at present).
> Can I add that into a Linux-based PC? Is that a standardised part of
> DHCP, or a Microsoft-specific thing?

Two companies were behind two Dynamic DNS Update security mechanisms. Both submitted IETF drafts. One company managed to get an RFC within months, the other did not despite repeated draft submissions and widespread deployment in practice. The security mechanisms are incompatible (http://homepage.ntlworld.com./jonathan.deboynepollard/FGA/dns-incompatible-secure-updates.html).

On the gripping hand, having the DHCP server (rather than the DHCP clients) perform the DNS database updates is the better course.
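
The thread separates the DHCP lease from the later DNS registration and notes that whether the registration needs authentication depends on the zone. As an added illustration (not code from any poster), this Python sketch builds the unsigned RFC 2136 UPDATE that such a registration amounts to and interprets the server's RCODE; nothing is sent on the network, and the zone `example.test`, host `linuxpc`, address `192.0.2.10` and the reply bytes are constructed sample values.

```python
import struct

OPCODE_UPDATE = 5                      # RFC 2136
TYPE_A, TYPE_SOA, CLASS_IN = 1, 6, 1   # RFC 1035
RCODE_MEANING = {
    0: ("NOERROR", "update accepted"),
    5: ("REFUSED", "zone policy rejected the update, e.g. unsigned request to a secure-only zone"),
    9: ("NOTAUTH", "server is not authoritative for the zone named in the update"),
}

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_update(zone, host, ipv4, ttl=1200, msg_id=0x1234):
    """Build an unsigned UPDATE that adds one A record for host in zone."""
    # Header counts: ZOCOUNT=1, PRCOUNT=0, UPCOUNT=1, ADCOUNT=0.
    # ADCOUNT=0 means no TSIG record is attached, so the request is unauthenticated.
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    record = (encode_name(host)
              + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata)
    return header + zone_section + record

def classify_response(message, expected_id=0x1234):
    """Return (rcode_name, explanation) for a server reply to an UPDATE."""
    msg_id, flags = struct.unpack("!HH", message[:4])
    is_response = bool(flags & 0x8000)
    opcode = (flags >> 11) & 0xF
    if msg_id != expected_id or not is_response or opcode != OPCODE_UPDATE:
        raise ValueError("not a response to our UPDATE")
    rcode = flags & 0xF
    return RCODE_MEANING.get(rcode, ("RCODE%d" % rcode, "see RFC 2136"))

if __name__ == "__main__":
    request = build_update("example.test", "linuxpc.example.test", "192.0.2.10")
    print(request.hex())
    # Constructed reply header: QR=1, opcode=UPDATE, RCODE=5 (REFUSED).
    refused = struct.pack("!HHHHHH", 0x1234, 0x8000 | (OPCODE_UPDATE << 11) | 5, 1, 0, 0, 0)
    print(classify_response(refused))
```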