We’ve had a couple of folks from the field ask this question, worried that the port number displayed in DNS as a result of automatically publishing the default management point was symptomatic of a configuration problem. Worse, was it a security issue?
Update June 27th 2008: Torsten Meringer (MVP) recently brought to my attention that when publishing the default management point in Windows Server 2008 DNS, the port number is displayed as blank in the record properties, and zero in the data field. This post has been updated to incorporate the different results for the two server platforms.
The documentation for manually publishing the default management point in DNS tells you to enter for the port number value “the port configured for Configuration Manager 2007 client requests, for example 80 for a mixed mode site and 443 for a native mode site.” During automatic publishing, the current client request port was supposed to be picked up and used when creating the DNS SRV record. As it turns out, Windows Server 2003 DNS always publishes port 79 – irrespective of the port number you are using and the site mode. It results in a record similar to the one below:
For those of you familiar with port numbers, you’ll know that port 79 is used for the finger protocol, which is usually prohibited on corporate networks for security reasons. However, the actual port number in the DNS SRV record is not used – it literally could be any number in there and make no difference to Configuration Manager clients.
So while this looks to be a bad bug, in fact it’s benign and safe to ignore. Because it does not impact product behavior, it’s unlikely to be fixed in the near future.
Although there’s a discrepancy between the port information documented for manually publishing the DNS SRV record and what is automatically published, I’ve decided not to revise the documentation. If the documentation said configure the record for port 79, I can see security-minded administrators scratching their head about this. If it said enter any number because it wasn’t used, I can see this confusing a lot of people who don’t want the worry of selecting a number themselves – they just want definitive instructions. And if I change it and they do fix this bug, I’ll then have to change the documentation again!
So, for the record:
· Automatically publishing the default management point in Windows Server 2003 DNS results in an SRV record with a port value of 79, and no port number in Windows Server 2008 DNS. This is a benign bug and is not indicative of a configuration or security issue.
· The port number in the DNS SRV record is never used by Configuration Manager clients.
· The documentation that tells you to enter the client request port number mirrors how automatic DNS publishing is supposed to work – and if you are manually publishing the management point you can either enter the current client request port number or any port number and not worry about whether it’s the right value.
· If you have security concerns about an SRV record with port 79 in DNS, do not use automatic DNS publishing and instead use manual publishing with a port number other than 79.
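As an added check that is not part of the original post or of the product, the following Python snippet audits a zone export, picks out the default management point SRV records, and explains the port field according to the behaviour described above. The `_mssms_mp_<sitecode>._tcp` record naming is the Configuration Manager 2007 convention; the site codes, hosts and domain in the sample are constructed.

```python
import re
from dataclasses import dataclass

# Zone-file style SRV line: name ttl IN SRV priority weight port target
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+(?P<priority>\d+)\s+(?P<weight>\d+)\s+"
    r"(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)

@dataclass
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str

def parse_srv(line: str) -> SrvRecord:
    m = SRV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SRV record: {line!r}")
    return SrvRecord(m["name"], int(m["priority"]), int(m["weight"]),
                     int(m["port"]), m["target"])

def explain_mp_port(rec: SrvRecord) -> str:
    """Explain the port field of a default management point SRV record.
    Clients only use the target host; the port value is never consulted."""
    if rec.port == 79:
        return "auto-published by Windows Server 2003 DNS (always 79); benign, ignored by clients"
    if rec.port == 0:
        return "auto-published by Windows Server 2008 DNS (blank/0); benign, ignored by clients"
    return f"port {rec.port} as entered by manual publishing; ignored by clients"

# Constructed sample zone export (site codes, hosts and domain are made up).
SAMPLE_ZONE = """\
_mssms_mp_ABC._tcp.contoso.test. 3600 IN SRV 0 100 79 mp01.contoso.test.
_mssms_mp_DEF._tcp.contoso.test. 3600 IN SRV 0 100 0 mp02.contoso.test.
_mssms_mp_GHI._tcp.contoso.test. 3600 IN SRV 0 100 443 mp03.contoso.test.
_ldap._tcp.contoso.test. 600 IN SRV 0 100 389 dc01.contoso.test.
"""

def audit_zone(zone_text: str) -> dict:
    """Map each management point SRV record name to an explanation of its port."""
    results = {}
    for line in filter(str.strip, zone_text.splitlines()):
        rec = parse_srv(line)
        if rec.name.lower().startswith("_mssms_mp_"):
            results[rec.name] = explain_mp_port(rec)
    return results
```

Feed it the output of a zone export from the DNS server; only the `_mssms_mp_` records are reported, and every outcome is informational because the port is never used.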
– Carol
This posting is provided AS IS with no warranties and confers no rights.