Changing Built-in group scope: DNSUpdateProxy

Andres Soncini 1 Reputation point

Hi everyone! It's a pleasure to write one more time, after many years.

We have come across a problem regarding DCHP & DNS Dynamic Update. I'm postig here, because we think the solution relies on Active Directory Group Nesting.

Here is the thing: Our Forest has 3 domains: A, B, C. Every Domain has a two-way trust relationship with the others. Domain A has DHCP A, Domain B has DHCP B and Domain C has DHCP C.

After solving some problems with DNS Aging and Scavenging in Domain A (our principal Site), we need DHCP B and C to have the requiered permissions to make Dynamic Updates in DNSs zones of Domain A. So we created a service account DomainB\dhcp_service and DomainC\dhcp_service & configured DNS Dynamic update to happen always from the DHCP Server, not the client. So we need the service accounts DomainC\dhcp_service and DomainB\dhcp_service to be members of DomainA\DnsUpdateProxy, but this group has a scope of Global.

I can't find the nesting strategy to have those users as member of this group. Not with Global Scope. Is it possible to change-it to Universal and then to Domain Local to be able to add users from another domain? I don't know if theese built-in things are made to be changeable. I don't want to have problems running further active directory updates or extensions or functional levels...

Maybe there are another way to solve this and we are trying to solve this in a dirty or wrong way. But i cannot think of another way...

Any help will be appreciated.


Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,233 questions
Windows DHCP
Windows DHCP
Windows: A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.DHCP: Dynamic Host Configuration Protocol (DHCP). A communications protocol that lets network administrators manage centrally and automate the assignment of Internet Protocol (IP) addresses in an organization's network.
1,035 questions
0 comments No comments
{count} votes

5 answers

Sort by: Most helpful
  1. cthivierge 4,056 Reputation points

    But normally, the client should be able to register it's own records in the DNS, why do you need to force the DHCP to register on behalf of the client computer ?

    And what is the issue you had with the aging / scavenging in domain A ?

    1 person found this answer helpful.

  2. Pierre Audonnet - MSFT 10,171 Reputation points Microsoft Employee

    So we need the service accounts DomainC\dhcp_service and DomainB\dhcp_service to be members of DomainA\DnsUpdateProxy

    Isn't the solution to use the same account on all DHCP servers? Then there are no permissions issues.

    0 comments No comments

  3. Andres Soncini 1 Reputation point

    Hi @Pierre Audonnet - MSFT . No is not. Here is why:

    If we configure DHCP B, to make dynamic updates as DomainA\dhcp_service, then we need to make DomainA\dhcp_service member of DomainB\DnsUpdateProxy in orden to update DomainB DNSs Zones. And this is the same problem. DomainB\DnsUpdateProxy is a Global Group and cannot have user accounts from other domains.

    So... we need to solve the same problem again, but from DomainB perspective.


  4. Gary Reynolds 9,406 Reputation points

    Hi @Andres Soncini ,

    I don't a have an environment to confirm this but changing the scope of the group shouldn't impact the DNS update process, and as the group already exists in the domain, future updates are unlikely to be impacted, but as always, you can't 100% sure.

    To confirm this, if you look at the permissions of a record that has been added by the DHCP service account, the account is probably the owner of the record and the DNSUpdateProxy group should also have been assigned permissions on the record. As the permissions are assigned based on the group SID, changing the group scope should not impact the permissions assigned.

    Another option if you don't want to change the group scope, is change the delegated permissions on the DNS zones and add a domain local group that has permissions to add\delete and update DNS records and add the DHCP service accounts to that group. The only down side to this approach is that the group will have permissions to update all the records in the domain, including DC records.


    0 comments No comments

  5. Andres Soncini 1 Reputation point

    Hi @GaryReynolds-8098. Thanks for your answer. I think that one downside to this approach is also that i have multiple reverse zones in DNSs. So thoose manual delegated permissions needs to be maintained there too. I know that changing the group scope does not alter ACEs in ACLs, but i am not sure if doing this can lead to some error when upgrading functional levels, extending schemma or some other AD Operations. Hence the question.

    0 comments No comments