Using DHCP server to perform name registration for clients






An alternative to allowing dynamic update registration through the firewall is to run a Dynamic Host Configuration Protocol (DHCP) server in the perimeter network and configure it to be able to perform registration of host (A) and pointer (PTR) resource records on behalf of client computers. If the DHCP role is combined with the RODC, it further reduces the number of servers that have to be allowed to pass DNS traffic through the firewall because it is assumed that the RODC is able to communicate directly with some subset of writeable domain controllers in its domain that reside in the internal network.

When you use this approach, we recommend that you:

· Configure the DHCP Server service to perform DNS updates with a specific service account. This ensures that records are registered in a way that prevents them from being updated insecurely.

Note

Do not add this service account to the DNSUpdateProxy group. For more information about the DNSUpdateProxy group, see article 816592 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkID=133266).

· Create a scope that contains only reservations for the specific media access control (MAC) addresses of the servers in the perimeter network. This reduces the risk of an arbitrary client computer being placed on the perimeter network and registering its records in DNS.

· If the first DHCP server in the domain is to be installed on an RODC, it is important that you manually create the DHCP-Admin-related groups before this role is installed. RODCs are not allowed to create groups in their local Active Directory database. The DHCP groups that you must create in advance include the following:

· DHCP Administrators (Domain Local)

· DHCP Users (Domain Local)
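
The recommendations above, carried out in order as an added PowerShell example (not part of the original guidance). It assumes Windows Server 2012 or later with the ActiveDirectory and DhcpServer modules; every host name, account name, IP address and MAC address is a constructed placeholder, and sizing the scope range to exactly the reserved addresses is one way to keep it reservation-only.

```powershell
Import-Module ActiveDirectory, DhcpServer

$WritableDc = 'dc01.corp.example'     # writable DC on the internal network (assumed)
$DhcpServer = 'rodc01.corp.example'   # RODC in the perimeter network hosting DHCP (assumed)
$DnsAccount = 'svc-dhcp-dns'          # dedicated DNS update account (assumed)
$ScopeId    = '192.0.2.0'             # constructed perimeter subnet

# 1. Before installing the DHCP role on the RODC, create the groups on a
#    writable DC: an RODC cannot create groups in its local AD database.
foreach ($name in 'DHCP Administrators', 'DHCP Users') {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'" -Server $WritableDc)) {
        New-ADGroup -Name $name -GroupScope DomainLocal `
            -GroupCategory Security -Server $WritableDc
    }
}

# 2. Stop if the service account is a member of DnsUpdateProxy.
$members = Get-ADGroupMember -Identity 'DnsUpdateProxy' -Server $WritableDc
if (@($members | ForEach-Object SamAccountName) -contains $DnsAccount) {
    throw "$DnsAccount is a member of DnsUpdateProxy; remove it first."
}

# 3. After the role is installed: perform DNS updates as that account.
$cred = Get-Credential -Credential "CORP\$DnsAccount"
Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $cred

# 4. Create a scope whose range is exactly the reserved addresses, so an
#    unknown machine plugged into the perimeter network gets no lease.
$servers = @(
    @{ Name = 'web01';  IP = '192.0.2.10'; Mac = '00-15-5D-00-00-0A' }
    @{ Name = 'web02';  IP = '192.0.2.11'; Mac = '00-15-5D-00-00-0B' }
    @{ Name = 'mail01'; IP = '192.0.2.12'; Mac = '00-15-5D-00-00-0C' }
)
Add-DhcpServerv4Scope -ComputerName $DhcpServer -Name 'Perimeter servers' `
    -StartRange $servers[0].IP -EndRange $servers[-1].IP `
    -SubnetMask 255.255.255.0 -State Active
foreach ($s in $servers) {
    Add-DhcpServerv4Reservation -ComputerName $DhcpServer -ScopeId $ScopeId `
        -IPAddress $s.IP -ClientId $s.Mac -Name $s.Name
}

# 5. Have the DHCP server register A and PTR records on behalf of clients.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $ScopeId `
    -DynamicUpdates Always -DeleteDnsRROnLeaseExpiry $true
```

Get-DhcpServerv4Reservation and Get-DhcpServerDnsCredential can be used afterwards to confirm the reservations and the account the server registers records with.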

For more information about using a DHCP server to perform name registration for client computers, see the following:

· DHCP Server Security (Part 1) (https://go.microsoft.com/fwlink/?LinkId=133263)

· DHCP Server Security (Part 2) (https://go.microsoft.com/fwlink/?LinkId=133264)

· Article 816592 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=133266)

