Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

«
»

(2011-01-01) DHCP And Name Protection In Windows Server 2008 R2

Posted by Jorge on 2011-01-01


For a project at a customer I wanted to implement Name Protection through DHCP in W2K8R2. With regards to DHCP and related technologies the requirements were as follows:

  • One or more RODCs are the only computers that can have contact with one or more RWDCs;
  • A firewall separates RODCs and AD member clients from RWDCs;
  • AD member clients should not register ‘A’ DNS record and the ‘PTR’ DNS record;
  • Implement DHCP on an RODC to perform DNS record registration/updates on behalf of the AD member clients;
  • Implement Name Protection through DHCP;
  • AD member clients are Windows Server and non-Windows computers (e.g. Unix).

Based on these requirements I wanted to implement and configure DHCP as follows:

  • Use specific credentials to perform all DDNS registrations and updates;
  • DHCP always registers and updates both ‘A’ DNS records and ‘PTR’ DNS records for both Windows and non-Windows AD member clients;
  • DHCP Reservation for every AD member client;
  • DHCP distributes the following configuration to AD member clients:
    • IP Address and Subnet Mask;
    • Lease Period (Option 051 – ‘Standard’ Vendor)
    • Router IP Address (Option 003 – ‘Standard’ Vendor);
    • DNS IP Addresses (Option 006 – ‘Standard’ Vendor);
    • DNS Domain Name (Option 015 – ‘Standard’ Vendor);
    • NetBIOS State (Option 001 – ‘Microsoft Windows 2000 Options’ Vendor);

Based on these requirements I wanted to implement and configure AD member clients as follows:

  • Windows AD member clients request DHCP to register both the ‘A’ DNS record and the ‘PTR’ DNS record on behalf of the AD member client

Because I wanted to implement Name Protection for the first I decided to perform tests in a staged manner, just to see what happens and what the differences are between the different scenarios

One thing that’s certain, is the behavior of the Windows AD member client:

  • [‘A’] Windows AD member client with static IP address configured: AD member client registers/updates both the ‘A’ DNS record and the ‘PTR’ DNS record;
  • [‘B’] Windows AD member client with dynamic IP address (through DHCP) configured: AD member client registers/updates the ‘A’ DNS record and requests DHCP to register/update the ‘PTR’ DNS record on behalf of it;

REMARK: In lots of document I see the following: "The DHCP server updates both the ‘A’ DNS record and the ‘PTR’ DNS record if requested by clients using option 81". I have never found a way to configure a Windows AD member client to request the DHCP server to register/update BOTH the ‘A’ DNS record and the ‘PTR’ DNS record! In other words, the Windows AD member client already knows how to request DHCP to register/update the ‘PTR’ DNS record, but how the heck do you configure the Windows AD member client to also request DHCP to register/update the the ‘A’ DNS record? Anyone knows this? If you do, then please place a comment!
According to the information in RFC 4702, page 8 paragraph 3.3, such as request must be possible. However, I wonder if this has been implemented in the Microsoft’s DHCP.

REMARK: For more detailed information with regards to the DHCP protocol and especially in Windows, please see:

 

[‘Scenario 1’]

DHCP was configured as shown in the picture below. The Windows AD member client was configured as a DHCP client (dynamic IP address allocation) and in that case behavior [‘B’] will be experienced.

With this configuration the DHCP server will register a DNS record on behalf of the DHCP client only when that DHCP client actually requests it. In this case you will see that after the DDNS registration/update the ‘A’ DNS record is owned by the computer account of the AD member client and the ‘PTR’ DNS record is owned by the user account specified as DDNS credentials in DHCP.

image

image

image

image

image

image

In both the "DHCP Request" and the "DHCP Ack" messages you can see the DHCP client is registering the ‘A’ DNS record and the DHCP is NOT overriding it.

[‘Scenario 2’]

DHCP was configured as shown in the picture below. The Windows AD member client was configured as a DHCP client (dynamic IP address allocation) and in that case behavior [‘B’] will be experienced.

With this configuration the DHCP server will always register a DNS record on behalf of the DHCP client whether or not that DHCP client actually requests it. In this case you will see that after the DDNS registration/update both the ‘A’ DNS record and the ‘PTR’ DNS record are owned by the user account specified as DDNS credentials in DHCP.

image

image

image

image

image

image

In the "DHCP Request" message you can see the DHCP client is requesting to self-register the ‘A’ DNS record. Because of the DHCP server configuration, the DHCP server is overriding that request and is telling that to the DHCP client in the "DHCP Ack" message. The DHCP server is overriding the DHCP client’s request and the registration of the ‘A’ DNS record will be done by the DHCP server.

[‘Scenario 3’]

DHCP was configured as shown in the picture below. The Windows AD member client was configured as a DHCP client (dynamic IP address allocation) and in that case behavior [‘B’] will be experienced.

With this configuration Name Protection is enabled. As soon as Name Protection is enabled, the DHCP server is automatically configured to behave as specified in [‘scenario 1’]. The DHCP server will always register a DNS record on behalf of the DHCP client whether or not that DHCP client actually requests it. In this case you will see that after the DDNS registration/update both the ‘A’ DNS record and the ‘PTR’ DNS record are owned by the user account specified as DDNS credentials in DHCP.

image
image

image

image

image

image

image

In both the "DHCP Request" and the "DHCP Ack" messages you can see the DHCP client is registering the ‘A’ DNS record and the DHCP is NOT overriding it.

SUMMARIZED:

When Name Protection is enabled, I cannot fulfill the requirements I explained at the beginning of this post. So to fulfill my requirements I need to implement [‘scenario 2’] and NOT enable Name Protection.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

This entry was posted on 2011-01-01 at 20:30 and is filed under Core Networking Services, Windows Server. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

2 Responses to “(2011-01-01) DHCP And Name Protection In Windows Server 2008 R2”

  1. Alexander said

    2013-05-10 at 11:56

    The only way (to configure a windows DHCP client to request the DHCP server to register/update the ‘A’ DNS record) is disassembly and modification of “dhcpcore.dll” library because corresponding option 81 flag is hardcoded.

    One byte on DHCP client in library (source value of option 81 byte in network packet) must be modified to achieve desired result.

    I was able to successfully deploy modified library in test environment with windows 7 (with and without SP1, x86 and x64) and “Name Protection” was works as expected.

    Another way to achieve the same result is modification of client identifier (one string “Windows”) in “dhcpsvc.dll” on DHCP server OR “dhcpcore.dll” on DHCP client.
    As long as client identifier at DHCP Client and DHCP Server is different, DHCP server thinks that windows computers is non-windows computers and DCHP Server will register ‘A’ DNS record always (even if computer don’t request it) as expected for non-windows computers.

    A second way is more simple (you don’t need to disassemble all versions of “dhcpcore.dll” and deploy it on clients; only server’s library can be modified).
    But the second way can have unknown side affects.

    This is tested only in environment with windows 7 and windows server 2008 r2. Another Windows OS can have other behaviour.

    Like

    Reply

  2. Patrick said

    2015-02-17 at 09:15

    Hi, very well writte

    Perhaps I’m misinterpreting but you seem to contradict yourself in Scenario 3?

    Specifically,

    “The DHCP server will always register a DNS record on behalf of the DHCP client whether or not that DHCP client actually requests it. In this case you will see that after the DDNS registration/update both the ‘A’ DNS record
    and the ‘PTR’ DNS record are owned by the user account specified as DDNS credential”

    And

    “In both the “DHCP Request” and the “DHCP Ack” messages you can see the DHCP client is registering the ‘A’ DNS record and the DHCP is NOT overriding it.”

    If the DHCP client is registering the A record, then the credentials on the record cannot be that of the DHCP Server Credentials (as you state in the first quoted paragraph).

    So which was it?

    Also the behavior of DHCP with Name Protection enabled seems to be more like Scenario 2 than Scenario 1 going by your screenshot? ( looking at what options are enabled but greyed out)

    Like

    Reply

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

«
»