Cisco DHCP and Windows DNS without Nonsecure updates

Tags: cisco, domain-name-system

I recently upgraded from a 2003 to a 2008 R2 domain. My user workstations have been having problems with registering updated DNS names. I traced this down to our old domain controller having the nonsecure dynamic update box checked. When I disabled the DNS services and redirected to my new environment these updates stopped working.

What do I need to do to allow my clients to perform these updates without enabling these nonsecure updates? All the documentation I've seen has pointed to using the nonsecure option but several have stated it is possible to continue using secure updates.

The permissions on the DNS objects are basic – the owner is the SYSTEM account and there are no references anywhere in the security granting the named computers rights over their records.

Best Answer

It looks like you're seeing the default permissions that are applied to DNS objects when non-secure updates to an Active Directory-integrated zone are performed. Now that you've switched over to requiring secure updates the clients don't have permission to perform the updates.

At this point your options would be to:

  • Add the computer account with "Write All Properties", "Read Permissions", and "All Validated Writes" permission to each DNS record (ideally with a script but you can test by adding the permission "by hand" on a single record and performing an ipconfig /registerdns on the subject client computer).

  • Delete the old DNS records (either "by hand" or by way of "Aging and Scavenging") and allow the clients to register new records securely.

If you're at all able to just delete the old records and let the clients re-register themselves I think you'll find that course the easiest to manage.
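An added PowerShell example (not from the original answer) of the scripted form of the first option: it walks the dnsNode objects of an Active Directory-integrated zone and grants each host's own computer account the three rights the answer names on its record. It assumes the ActiveDirectory module (AD: drive), a zone stored in the DomainDnsZones partition, and a placeholder zone name; run it with -WhatIf first.

```powershell
# Added example; assumes the ActiveDirectory module and a zone in DomainDnsZones.
Import-Module ActiveDirectory

$Zone     = 'corp.example.com'   # placeholder zone name, replace with your own
$DomainDN = (Get-ADDomain).DistinguishedName
$ZoneDN   = "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN"

# The rights from the answer: Write All Properties = WriteProperty,
# Read Permissions = ReadControl, All Validated Writes = Self.
$Rights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
          [System.DirectoryServices.ActiveDirectoryRights]::ReadControl   -bor
          [System.DirectoryServices.ActiveDirectoryRights]::Self

function Grant-DnsRecordToOwner {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$RecordDN,   # DN of the dnsNode object
        [Parameter(Mandatory)][string]$HostName    # leaf label, e.g. 'pc01'
    )
    # Only a computer account that actually exists gets an ACE; anything else
    # (stale records, CNAMEs pointing elsewhere) is skipped and reported.
    $computer = Get-ADComputer -Filter "Name -eq '$HostName'" -ErrorAction SilentlyContinue
    if (-not $computer) {
        Write-Warning "No computer account named $HostName; leaving $RecordDN untouched"
        return $false
    }
    $acl = Get-Acl -Path "AD:\$RecordDN"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $computer.SID, $Rights, [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($ace)
    if ($PSCmdlet.ShouldProcess($RecordDN, "grant $HostName`$ write/read-perm/validated-write")) {
        Set-Acl -Path "AD:\$RecordDN" -AclObject $acl
    }
    return $true
}

# Every dnsNode under the zone; skip the zone root ('@') and service records ('_*').
Get-ADObject -SearchBase $ZoneDN -LDAPFilter '(objectClass=dnsNode)' -Properties Name |
    Where-Object { $_.Name -ne '@' -and $_.Name -notlike '_*' } |
    ForEach-Object {
        Grant-DnsRecordToOwner -RecordDN $_.DistinguishedName -HostName $_.Name -WhatIf
    }
```

After the ACE is in place, an ipconfig /registerdns on the client should succeed with secure updates only; records the script skipped are the ones to let scavenging remove.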