@OsborneProLLC it's been a while since you made content, just wanted to let you know how valuable and practical your videos are, just wish there were more.
Thanks for watching, I appreciate the support. I plan on putting out more videos at least by January.
Hey Rob, welcome back, it's been a while. Thank you for your awesome tutorials, really great stuff. I hope you do this more often going forward.
Thanks Hermon! Glad you like them, I plan on putting them out with more regularity.
@@OsbornePro that would be awesome, it would also be nice if you had courses, if time allows it for you. I really like your way of explaining. Looking forward. Much respect.
Thank you, I appreciate it. I was thinking of doing a PowerShell course at some point.
@@OsbornePro that would be great, maybe OS in general, security courses, you seem great at it. So starting with the concept of it and implementations.... But you know best. I am absolutely sure your channel is going to bomb anytime soon.
@@hermonkidane1503 I will probably do some videos like you are thinking. My plan was to see what kind of following I could build with RUclips and use that to put out a course of some kind. I will keep it in mind for sure.
We are using dynamic updates but without the DHCP updating DNS records. We have scavenging set up on one of our DNS servers and this is AD integrated. I am seeing an issue though where timestamps for DNS records are not updating. We are also noticing that for some reason (seems isolated to Win 11 clients) that if a client is moved to another subnet, the DNS record fails to update with the new IP. I get a DNS event error 8018 on these and this happens when I try and force registerdns. It's so bizarre. Probably a small amount of records for clients, both Win 11 and 10, are getting updated timestamps. I have no idea what the issue is. Do I still need an account entered in the credentials area in DHCP manager even if we are having clients update and create records? Secure updates are selected.
Thanks for watching! Event ID 8018 when I looked it up is a Zone Transfer failure. It sounds to me like the DNS records are not able to be updated in DNS because of Zone Transfer restrictions. Open the DNS configuration area. Right click and select Properties (on the DNS server if I remember correctly) and go to the Forwarders tab. Then you want to allow forwarding to your specific DNS servers. This prevents an attacker from having the ability to dump your DNS records.
You should not configure the DHCP Dynamic DNS credentials if you are allowing the clients to secure update themselves. This can create overlaps and permission issues and mismatched records. If you have the dynamic DNS account update a DNS entry, the device referenced by that DNS entry will not be able to update that record.
What if you have DHCP in another subnet and you have everything open between those 2 servers and still it does not work?
But when I put them in an isolated network on the same subnet it works well.
Does Windows have some sort of firewall rules that affect this...
@@filipfabicevic3077 thanks for watching! The DHCP server is registering the domain and IP resolution on behalf of the client, so as long as the client can get a DHCP address it should work. It sounds like you need to set an ip helper-address on the switch for that VLAN. Make sure the forward lookup zone exists on the DHCP server also. In the DNS server check your security settings to see if there are restrictions and what subnets allow updates.
Dumb question since I know this is for sure not best practice, but what if you have DHCP and DNS running on your server? Is the DnsUpdateProxy group even necessary at that point?
What about even worse yet, your DHCP server is also functioning as a DC (holding no FSMO roles) and DNS?
In the video, it was mentioned if your DHCP server is also a DC, you should run "dnscmd /config /OpenAclOnProxyUpdates 0" on the server to secure it.
What I got from the video was that I should do the following.
!--- DHCP ---!
1. Assign only DHCP servers to DnsUpdateProxy group for each domain
2. Create service account for dynamic DNS update from DHCP
3. Assign service account to only be a Domain Users member
4. Change DHCP advanced DNS dynamic update registration credentials to new service account on DHCP server
!--- DNS ---!
5. Change forward zone to Secure dynamic updates
Thanks!
Thanks for watching! I would still assign the server to the DnsUpdateProxy group. If there ever comes a time when the role is moved off the server, it can be seen that the current server is a member of that group, and it will make whoever looks at it take notice, possibly preventing or shortening a resolution. Twenty years from now some IT guy will say thank you Wyatt. This is not needed however when you issue that command. The link below is for reference, if that helps you decide whatever is best for you.
Your summary of actions looks complete to me and yes use "dnscmd /config /OpenAclOnProxyUpdates 0" since your DC is also a DHCP server. Here is a link to Microsoft's mention of this learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff631099(v=ws.10)#summary
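A read-only check of the five steps summarised above, added here as an example (not from the video or the OsbornePro script). It assumes the ActiveDirectory, DnsServer and DhcpServer RSAT modules; the three names at the top are placeholders for your own servers and zone.

```powershell
# Added example: audit the Dynamic DNS hardening steps. Placeholders, change for your environment:
$DnsServer  = "dns01.domain.com"    # DNS server hosting the AD-integrated forward zone
$DhcpServer = "dhcp01.domain.com"   # DHCP server that performs the dynamic updates
$ZoneName   = "domain.com"          # forward lookup zone

Function Test-DynamicDnsHardening {
    Param([String]$DnsServer, [String]$DhcpServer, [String]$ZoneName)
    $Findings = @()

    # Step 1: DnsUpdateProxy should contain only the computer accounts of authorized DHCP servers
    $Authorized = @((Get-DhcpServerInDC).DnsName)
    ForEach ($M in (Get-ADGroupMember -Identity "DnsUpdateProxy")) {
        If ($M.objectClass -ne "computer") {
            $Findings += "DnsUpdateProxy: '$($M.SamAccountName)' is not a computer account"
            Continue
        }
        $HostName = (Get-ADComputer -Identity $M.distinguishedName).DNSHostName
        If ($Authorized -notcontains $HostName) {
            $Findings += "DnsUpdateProxy: '$HostName' is not an authorized DHCP server"
        }
    }

    # Steps 2-4: the DHCP DNS credential should exist and be a plain Domain Users account
    $Cred = Get-DhcpServerDnsCredential -ComputerName $DhcpServer
    If ([String]::IsNullOrEmpty($Cred.UserName)) {
        $Findings += "DHCP: no dynamic DNS credential configured on $DhcpServer"
    } Else {
        $Groups = (Get-ADPrincipalGroupMembership -Identity $Cred.UserName).Name
        $Extra  = $Groups | Where-Object { $_ -ne "Domain Users" }
        If ($Extra) { $Findings += "DHCP: '$($Cred.UserName)' is also a member of: $($Extra -join ', ')" }
    }
    $DnsSetting = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer
    If ($DnsSetting.DynamicUpdates -eq "Never") {
        $Findings += "DHCP: dynamic DNS updates are disabled at the server level on $DhcpServer"
    }

    # Step 5: the forward zone should accept only secure dynamic updates
    $Zone = Get-DnsServerZone -ComputerName $DnsServer -Name $ZoneName
    If ($Zone.DynamicUpdate -ne "Secure") {
        $Findings += "DNS: zone $ZoneName allows '$($Zone.DynamicUpdate)' dynamic updates"
    }

    # Extra check from the thread: a DC that also runs DHCP needs OpenAclOnProxyUpdates = 0.
    # The DNS service treats a missing registry value as 1 (the default).
    $DCs = (Get-ADDomainController -Filter *).HostName
    If ($DCs -contains $DhcpServer) {
        $Acl = Invoke-Command -ComputerName $DhcpServer -ScriptBlock {
            (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters" `
                -Name OpenAclOnProxyUpdates -ErrorAction SilentlyContinue).OpenAclOnProxyUpdates
        }
        If ($Acl -ne 0) {
            $Findings += "DNS: $DhcpServer is a DC running DHCP but OpenAclOnProxyUpdates is not 0 (fix: dnscmd /config /OpenAclOnProxyUpdates 0)"
        }
    }
    Return $Findings
}

$Result = Test-DynamicDnsHardening -DnsServer $DnsServer -DhcpServer $DhcpServer -ZoneName $ZoneName
If ($Result.Count -eq 0) { Write-Output "[*] No findings" } Else { $Result | ForEach-Object { Write-Output "[!] $_" } }
```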
@OsbornePro awesome! Thank you! This was the first video of yours that I have seen and it was perfect. You explain everything so well. Will definitely recommend to others and watch more of your tutorials!
When DHCP creates the records, the dynamic DNS user is the owner of the record. What if a client also connects from VPN and does not contact the DHCP? Then it is not allowed to update the record. Do you know a solution for that?
Thanks for watching. That's a great situation to bring up. I don't think I have a good answer off the top of my head. I would picture the way to do it would be to add the firewall or whatever is assigning the DHCP addresses to the Dynamic DNS Proxy group in Active Directory and see if it can perform the DNS updates. Otherwise it may be that you would have to change the DHCP server to use the Windows one or add all VPN connection machines to the DynamicDNS proxy group. That would over-grant permissions, which may or may not be an acceptable risk to your environment. I'll have to look into it and let you know if I find anything. If you find a good solution I'd love it if you shared.
@@OsbornePro I have added a new DHCP server to take care of VPN client addresses. The server is domain joined and a dynamic DNS user is configured. Also I added the server to the DNS proxy group but it is not able to update DNS records. Don't know why..
It deploys leases to the VPN clients but does not update or create DNS records.
@@ZZREPLAY in the DHCP server settings, is the box checked to register PTR records whether or not the client attempts to register? If that is done, take a look at the DNS logs to see if any errors stand out.
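To see which records in an AD-integrated zone were registered through the DHCP account (and so cannot be overwritten by a client that arrives over VPN without a DHCP lease), the owner of each record's dnsNode object can be listed. This is an added example, not from the video or the OsbornePro script; it assumes the ActiveDirectory and DnsServer RSAT modules, and the server and zone names are placeholders.

```powershell
# Added example: list the owner of every A record in an AD-integrated zone. Placeholders:
$DnsServer = "dns01.domain.com"   # DNS server hosting the zone
$ZoneName  = "domain.com"         # forward lookup zone

Function Get-DnsRecordOwner {
    Param([String]$DnsServer, [String]$ZoneName)
    # Records of an AD-integrated zone are dnsNode objects under CN=MicrosoftDNS in the
    # partition selected by the zone's replication scope
    $Zone     = Get-DnsServerZone -ComputerName $DnsServer -Name $ZoneName
    $DomainDN = (Get-ADDomain).DistinguishedName
    $PartitionDN = Switch ($Zone.ReplicationScope) {
        "Domain" { "DC=DomainDnsZones,$DomainDN" }
        "Forest" { "DC=ForestDnsZones,$((Get-ADRootDSE).rootDomainNamingContext)" }
        "Legacy" { "CN=System,$DomainDN" }
        Default  { Throw "Replication scope '$($Zone.ReplicationScope)' uses a custom partition; set the DN by hand" }
    }
    $SearchBase = "DC=$ZoneName,CN=MicrosoftDNS,$PartitionDN"

    Get-ADObject -SearchBase $SearchBase -SearchScope OneLevel -LDAPFilter "(objectClass=dnsNode)" `
        -Properties nTSecurityDescriptor, dNSTombstoned |
        Where-Object { $_.Name -ne "@" -and $_.Name -notlike "_*" -and -not $_.dNSTombstoned } |
        ForEach-Object {
            $Owner = $_.nTSecurityDescriptor.Owner
            [PSCustomObject]@{
                Record = $_.Name
                Owner  = $Owner
                # Self-registered records are owned by the client's computer account (name ends in $);
                # records owned by the DHCP credential can only be updated through DHCP
                RegisteredBy = If ("$Owner" -like "*$") { "Client (computer account)" } Else { "DHCP or other account" }
            }
        }
}

# Records the "dyndns" account from the script above owns: a VPN client that skips DHCP will be
# refused when it tries to overwrite one of these under secure dynamic updates
Get-DnsRecordOwner -DnsServer $DnsServer -ZoneName $ZoneName |
    Where-Object { $_.Owner -like "*\dyndns" } | Format-Table -AutoSize
```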
Need step by step
Thanks for watching! In case this helps you set up what you would like, I have a PowerShell configuration script that you may find useful at github.com/OsbornePro/ConfigTemplates/blob/main/ConfigureDynamicDNS.ps1
Since remote management of servers can vary, it is not able to be executed in one go. I would recommend having the script open on your desktop or laptop. Remote into the DHCP server and remote into your DNS server. Then copy and paste in the sections I created. For existing environments you can use the below commands for your setup.
#======================================================
# EXECUTE BELOW COMMANDS ON ACTIVE DIRECTORY SERVER
#======================================================
# Create the Dynamic DNS user with normal user permissions
$DHCPServer = Read-Host -Prompt "What is the hostname of your DHCP server? EXAMPLE: dhcp01"
# Build the Users container DN from the domain itself so this works for any domain name, not only <USERDOMAIN>.com
$UsersContainer = "CN=Users,$((Get-ADDomain).DistinguishedName)"
New-ADUser -Name "Dynamic DNS" -GivenName "Dynamic" -Surname "DNS" -SamAccountName "dyndns" -AccountPassword (Read-Host -AsSecureString "Enter strong password for account. This password should be very long") -ChangePasswordAtLogon $False -Description "This account is used by the DHCP servers to register Dynamic DNS updates" -DisplayName "Dynamic DNS" -Enabled $True -Path $UsersContainer
Get-ADUser -Identity "dyndns" | Set-ADUser -PasswordNeverExpires:$True -CannotChangePassword:$True
# Create the required DHCP groups in Active Directory
New-ADGroup -Name "DHCP Administrators" -DisplayName "DHCP Administrators" -SamAccountName "DHCP Administrators" -GroupCategory Security -GroupScope Global -Path $UsersContainer -Description "Members of this group have DHCP administrative permissions"
New-ADGroup -Name "DHCP Users" -DisplayName "DHCP Users" -SamAccountName "DHCP Users" -GroupCategory Security -GroupScope Global -Path $UsersContainer -Description "Members of this group have limited DHCP permissions"
Write-Output "[*] Adding DHCP server to DnsUpdateProxy group which is required for Dynamic DNS"
# Computer account SAM names end with $, hence the trailing $ appended to the hostname
Add-ADGroupMember -Identity DnsUpdateProxy -Members "$($DHCPServer)$"
#==============================================================
# Execute these commands on the DHCP server (Configure Dynamic DNS)
#==============================================================
# Gather the values used by the rest of this section first; $FQDN and $DhcpIpAddress are needed to authorize the server
$Domain = Read-Host -Prompt "Enter the domain name to join EXAMPLE: domain.com "
$DnsServer = Read-Host -Prompt "Enter the IP Address of your primary DNS Server "
$NTPServer = Read-Host -Prompt "Enter the IP Address of your NTP Server (Typically your DC) "
$DhcpIpAddress = Read-Host -Prompt "Enter the DHCP servers IP Address "
$DefaultGateway = Read-Host -Prompt "Enter the default gateway Address for the DHCP scope "
$NewHostname = Read-Host -Prompt "Enter the hostname for your DHCP server "
$ScopeName = Read-Host -Prompt "Enter an identifying name for your new DHCP Scope EXAMPLE: Servers :"
$ScopeID = Read-Host -Prompt "Enter your Scope ID EXAMPLE: 192.168.137.0 :"
$StartRange = Read-Host -Prompt "Enter the starting range for DHCP scope EXAMPLE: 192.168.137.1 :"
$EndRange = Read-Host -Prompt "Enter the ending range for the DHCP scope EXAMPLE: 192.168.137.254 :"
$ExclusionStart = Read-Host -Prompt "Enter the start of the range to exclude from leases (reserved for static addresses) EXAMPLE: 192.168.137.1 :"
$ExclusionEnd = Read-Host -Prompt "Enter the end of the range to exclude from leases EXAMPLE: 192.168.137.20 :"
$FQDN = "$($NewHostname).$($Domain)"
# Authorize the DHCP server in Active Directory
Add-DhcpServerInDC -DnsName $FQDN -IPAddress $DhcpIpAddress
$CheckAuthorizedDhcpServer = Get-DhcpServerInDC
If ($CheckAuthorizedDhcpServer.DnsName -contains "$($env:COMPUTERNAME).$((Get-CimInstance -ClassName Win32_ComputerSystem).Domain)") {
    Write-Output "[*] Successfully authorized DHCP server $($env:COMPUTERNAME).$((Get-CimInstance -ClassName Win32_ComputerSystem).Domain) in Active Directory"
    Write-Output "[*] Notifying 'Server Manager' application of the update"
    Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12 -Name ConfigurationState -Value 2
} Else {
    Throw "Make sure you are a member of the 'Enterprise Admins' Security Group then try again. DHCP server is not authorized in Active Directory. "
} # End If Else
#===============================================================
# THE BELOW IS FOR CONFIGURING NEW DHCP SCOPES with Dynamic DNS
#===============================================================
Write-Output "[*] Setting the server level DNS Dynamic Update configuration settings"
Set-DhcpServerv4DnsSetting -ComputerName $FQDN -DynamicUpdates Always -NameProtection $True
Set-DhcpServerDnsCredential -Credential (Get-Credential -Message "Enter credentials for the normal user account used to update Dynamic DNS records through the DHCP server") -ComputerName $FQDN
Write-Output "[*] Enabling the ability to deny assigning IP addresses to MAC addresses"
Set-DhcpServerv4FilterList -ComputerName $FQDN -Allow $False -Deny $True
Write-Output "[*] Creating an initial scope on the DHCP server and setting options"
Add-DhcpServerv4Scope -ComputerName $FQDN -Name $ScopeName -StartRange $StartRange -EndRange $EndRange -Description "Default $ScopeName subnet" -SubnetMask 255.255.255.0 -State Active
# Exclude only the reserved block; excluding the whole $StartRange-$EndRange would leave the scope with no addresses to lease
Add-DhcpServerv4ExclusionRange -ScopeId $ScopeID -StartRange $ExclusionStart -EndRange $ExclusionEnd -ComputerName $FQDN
Set-DhcpServerv4OptionValue -ComputerName $FQDN -ScopeId $ScopeID -DnsServer $DnsServer -DnsDomain $Domain -Router $DefaultGateway -Force
Set-DhcpServerv4OptionValue -OptionId 42 -Value $NTPServer -ScopeId $ScopeID -ComputerName $FQDN
Write-Output "[*] Disabling NetBIOS over TCP/IP in DHCP assignments"
# Vendor option 001 "Microsoft Disable Netbios Option": value 1 enables NetBIOS over TCP/IP, value 2 disables it
Set-DhcpServerv4OptionValue -ComputerName $FQDN -VendorClass "Microsoft Options" -OptionId 1 -Value 2
Set-DhcpServerv4OptionValue -ComputerName $FQDN -VendorClass "Microsoft Windows 2000 Options" -OptionId 1 -Value 2