Solved

Change DNS zone to "secure only" dynamic update

Posted on 2014-03-17
Last Modified: 2014-03-24
Hi All

I have a forward lookup AD-integrated zone (the main one for my organization) which is currently set to "Non secure and secure" dynamic updates in DNS (Server 2008 R2). We have enabled "Name protection" in DHCP to prevent rogue devices taking over important server names, but this requires DNS to be set to Secure only dynamic updates.

My question is: can this be done without any disruptions? Will the existing records in DNS still be there? Will DHCP still be able to update DNS for domain computers? I can manually add the non-domain ones to DNS. Can someone confirm that my intended change will not get rid of the existing records and cause more headaches? Thanks
0
Question by:nassr101
4 Comments
 
LVL 37

Accepted Solution

by:
Mahesh earned 750 total points
ID: 39936942
Nothing will be impacted at all.

This is what needs to be done in the case of AD-integrated zones.

Also ensure that your DNS-DHCP integration is set perfectly according to the EE articles below:
http://www.experts-exchange.com/Networking/Protocols/DNS/Q_28379478.html
http://www.experts-
http://www.experts-exchange.com/Networking/Protocols/DNS/Q_28361151.html
http://www.experts-exchange.com/Networking/Protocols/DNS/Q_28376098.html

Please check my comments in the above articles.

Mahesh
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 39937169
My question is can this be done without any disruptions?
There shouldn't be any disruption if you're not deleting records that already exist.

Will the existing records in DNS still be there?
Yes, only manual deletion or the DNS scavenging task does any deletions from the DNS zone.

Will DHCP still be able to update DNS for domain computers?
Yes, but only if the DHCP server has permissions to update those records.
You need to remember (in AD2008) that when you enable AD-integration on DNS zones then the default is set to "enable secure updates." You also need to remember that the permissions on DNS records in AD integrated zones are like any other AD object. If the user or system has permissions to update a record then it will. If the user/system does not have any permissions then the record cannot be updated.

I can manually add the non-domain ones to DNS. Can someone confirm that my intended change will not get rid of the existing records and cause more headaches. Thanks

Some useful links about DHCP and DNS
http://technet.microsoft.com/en-us/library/cc771732.aspx
http://technet.microsoft.com/en-us/library/ee941150(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc732584.aspx
0
 
LVL 27

Expert Comment

by:Steve
ID: 39937249
Secure DNS updates just restrict who/what can make changes.
Domain-joined PCs and your existing AD-approved DHCP servers are included, so they shouldn't be affected.

Non-secure & secure updates is normally enabled if you have other devices on site that may need to make DNS changes but are not Windows domain-based machines (e.g. routers, printers etc.).

Most companies are fine on secure only. It makes no changes and doesn't stop anything working on your existing network. The only real issue occurs if you do have non-Windows systems that are trying to make DNS changes (e.g. DHCP on a router).
0
 

Author Closing Comment

by:nassr101
ID: 39952407
Thanks Mahesh. I changed the zone type yesterday and it went smoothly.
0
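The change discussed in this thread, as an added example that is not part of any poster's answer: a PowerShell wrapper around `dnscmd` that reads the zone's current dynamic update setting, exports the records as a backup, switches the zone to secure only, and verifies the result. The zone name and backup file name are placeholders, and the parsing assumes `dnscmd` prints the property as a `Dword:` line.

```powershell
# Added example: run in an elevated PowerShell session on a DNS server
# that hosts the AD-integrated zone. Zone and file names are placeholders.
$Zone   = 'corp.example.com'    # hypothetical zone name
$Backup = "$Zone.pre-secure-$(Get-Date -Format yyyyMMdd-HHmmss).bak"

# dnscmd AllowUpdate values: 0 = none, 1 = nonsecure and secure, 2 = secure only
$Names = @{ 0 = 'None'; 1 = 'Nonsecure and secure'; 2 = 'Secure only' }

function Get-AllowUpdate([string]$ZoneName) {
    # Assumption: dnscmd reports the property as "Dword:  <n> (<hex>)".
    $out = & dnscmd /ZoneInfo $ZoneName AllowUpdate 2>&1 | Out-String
    if ($LASTEXITCODE -eq 0 -and $out -match 'Dword:\s+(\d+)') {
        return [int]($Matches[1])
    }
    throw "Could not read AllowUpdate for ${ZoneName}:`n$out"
}

$before = Get-AllowUpdate $Zone
Write-Host "Current setting: $($Names[$before])"

if ($before -ne 2) {
    # Keep a text copy of every record first. The file is written to
    # %SystemRoot%\System32\dns and the export fails if it already exists.
    & dnscmd /ZoneExport $Zone $Backup
    if ($LASTEXITCODE -ne 0) { throw 'Zone export failed; setting left unchanged.' }

    # Changes only the update policy; existing records are not touched.
    & dnscmd /Config $Zone /AllowUpdate 2
    if ($LASTEXITCODE -ne 0) { throw 'dnscmd /Config failed.' }
}

$after = Get-AllowUpdate $Zone
if ($after -ne 2) { throw "Zone still reports: $($Names[$after])" }
Write-Host "Zone $Zone now accepts secure dynamic updates only."

# On the DHCP server, show which account it uses to register records:
#   netsh dhcp server show dnscredentials
```

After the change, refused updates from non-domain devices appear as failed registrations on those devices, so check the ones you planned to add manually.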
