DNS Scavenging/Refresh 2008 r2

Should this be enabled on our DS servers, which are also DC/GCs?

Thanks
ASKER
To add, we have 4x DCs split over 2x sites. We also have remote connections over VPN into both of these sites, and would like to force an update of the DNS entries for the hosts.

I also have found one server to have forwarders set, whereas the other 3 do not.

Ideas?
SOLUTION
Mahesh
ASKER
Thanks.

Our remote connections get a 10.*.*.* IP directly from the firewall, then route to the 192.*.*.* or 172.*.*.* networks.

We also changed our DHCP lease from the default (7 days) to 1 hr, and I also see duplicates on our main LAN scope within DNS, e.g.:

172.19.1.1
172.19.1.2

both assigned to host1

both with 2x different timestamps, of today 9am and yesterday 9am.
ASKER CERTIFIED SOLUTION
ASKER
OK, changed the DNS settings in DHCP.
I have the same problem: the reverse lookup folder is showing the machine twice with 2x IPs. The domain.local folder is showing correct details...
Have you set credentials in the DHCP console as stated in my earlier comment?
This needs to be a standard domain user account with a non-expiring password, but it is required in order for dynamic update to work correctly.
Then restart the DHCP Server service once.
Also add your DHCP server to the DNSUpdateProxy group on the domain controller.

Also, if your DHCP server is running 2008 R2, then run the below command on the domain controller:
Dnscmd /Config /OpenACLOnProxyUpdates 0

https://www.experts-exchange.com/questions/28302450/What's-this-cmd-mean-dnscmd-config-OpenAclOnProxyUpdates-0.html

Mahesh
ASKER
My DHCP servers are DCs.
ASKER
In the properties of the DHCP server (IPv4 in the case of a 2008 DHCP server), on the DNS tab, if you have set "Always dynamically update DNS A and PTR records", then the DHCP server will always update host (A) and PTR records on behalf of clients, and you must set a domain service account in DHCP server properties (IPv4 in the case of 2008) \ Advanced \ Credentials tab in order for dynamic update to work correctly; otherwise it will fail.

- Should I be doing this on all scopes with IPv4 enabled on all my servers?
This is not on a per-scope basis; it is per server, and you need to set it up for every server.
Only one service account is enough for all DHCP servers.
Also do not forget to add those servers to the DNSUpdateProxy group on the domain controller, and also run the above dnscmd command on the DC if DHCP is running on a 2008 R2 server.
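An added check script for the prerequisites Mahesh lists (not from this thread or from Microsoft). It assumes the DhcpServer and ActiveDirectory PowerShell modules (the Server 2012+/RSAT equivalents of the 2008 R2 console steps), that `$DhcpServers` holds short computer names, and that `dnscmd /Config /OpenACLOnProxyUpdates 0` stores its value under the DNS service's `Parameters` registry key, which is an assumption.

```powershell
# Added example: audit each DHCP server against the four settings discussed above.
# Assumes DhcpServer + ActiveDirectory modules; server names below are placeholders.
param([string[]]$DhcpServers = @('dc1', 'dc2', 'dc3', 'dc4'))

# The actual AD group is named DnsUpdateProxy (case-insensitive in AD)
$proxyMembers = (Get-ADGroupMember -Identity 'DnsUpdateProxy').Name

foreach ($srv in $DhcpServers) {
    $dns      = Get-DhcpServerv4DnsSetting   -ComputerName $srv
    $cred     = Get-DhcpServerDnsCredential  -ComputerName $srv
    $findings = @()

    # 1. "Always dynamically update DNS A and PTR records" (server-level, not per scope)
    if ($dns.DynamicUpdates -ne 'Always') {
        $findings += "DynamicUpdates is '$($dns.DynamicUpdates)', not 'Always'"
    }

    # 2. A dedicated service account under Advanced \ Credentials
    if ([string]::IsNullOrEmpty($cred.UserName)) {
        $findings += 'No DNS dynamic update credential configured'
    }

    # 3. DHCP server computer account in the DnsUpdateProxy group
    if ($proxyMembers -notcontains $srv) {
        $findings += 'Computer account is not a member of DnsUpdateProxy'
    }

    # 4. OpenAclOnProxyUpdates = 0 so records registered via proxy members
    #    do not get an open ACL (registry location is an assumption)
    $val = Invoke-Command -ComputerName $srv -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' `
            -Name OpenAclOnProxyUpdates -ErrorAction SilentlyContinue).OpenAclOnProxyUpdates
    }
    if ($val -ne 0) {
        $findings += "OpenAclOnProxyUpdates is '$val' (expected 0)"
    }

    [pscustomobject]@{
        Server   = $srv
        Findings = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
}
```

Step 4 only applies where the DHCP server also runs the DNS role, which is the case for the DCs in this thread.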
ASKER
Well, I now have a Windows account that's locking itself and won't unlock; I assume after I have made these changes..?
What is your account lockout policy for the domain?
Is your account getting permanently locked?
By setting the account in DHCP, it should never get locked.
Do not use an existing account.
Please create a brand new service account which would be used only for this purpose.

Furthermore, keep the password of the account you enter in all DHCP servers the same,
because it will not throw any error while entering credentials.
You need to be careful while entering credentials;
otherwise the account keeps getting locked every time if wrong credentials are entered on multiple DHCP servers.

Mahesh
ASKER
It's the reverse lookup records which are not updating...
Have you set up "Always dynamically update DNS A and PTR records" in the DHCP advanced properties?

Also, if you have very old reverse lookup records, you need to clean them up with scavenging or manually once.

Check the below article again:
https://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx

Mahesh
ASKER
Yes, I have on all servers.
I have manually scavenged but they stay there.
ASKER
But the remote clients (10. range) aren't managed by DHCP...
ASKER
Sorry, aren't managed by the Windows DHCP server; the IPs are allocated by the firewall.
Those IPs which are not assigned by DHCP will not be updated by DHCP; they will be updated by the DNS clients that get an IP from the firewall, through the dynamic DNS update feature.

You need to ensure that dynamic update is enabled on the DNS zone properties, set to secure only.

Also, even if you trigger scavenging manually, it won't delete any records that are not eligible for scavenging.

The scavenging trigger will delete only those records which are older than (the total of refresh interval + no-refresh interval).
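An added script (not from this thread) that applies the eligibility rule Mahesh states to a reverse zone: a timestamped record is eligible only once it is older than NoRefreshInterval + RefreshInterval, and static records (no timestamp) are never scavenged. It assumes the DnsServer PowerShell module (Server 2012+/RSAT, not available against 2008 R2 itself) and uses a placeholder zone name derived from the 172.19.1.x addresses above.

```powershell
# Added example: classify every PTR record in a reverse zone by scavenging state.
# Assumes the DnsServer module; zone and server names are placeholders.
param(
    [string]$ZoneName  = '1.19.172.in-addr.arpa',   # placeholder for the 172.19.1.x zone
    [string]$DnsServer = $env:COMPUTERNAME
)

$aging = Get-DnsServerZoneAging -Name $ZoneName -ComputerName $DnsServer
if (-not $aging.AgingEnabled) {
    Write-Warning "Aging is not enabled on $ZoneName; manual scavenging will remove nothing here."
}
$noRefresh = $aging.NoRefreshInterval   # TimeSpan
$refresh   = $aging.RefreshInterval     # TimeSpan
$now       = Get-Date

$report = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType Ptr -ComputerName $DnsServer |
    ForEach-Object {
        $ts = $_.Timestamp              # $null for static (manually created) records
        if ($null -eq $ts) {
            $state = 'Static (never scavenged)'
        } elseif ($now -lt $ts + $noRefresh) {
            $state = 'No-refresh window'          # client refresh attempts are discarded
        } elseif ($now -lt $ts + $noRefresh + $refresh) {
            $state = 'Refresh window'             # client may refresh; not yet stale
        } else {
            $state = 'Eligible for scavenging'    # older than NoRefresh + Refresh
        }
        [pscustomobject]@{
            Name      = $_.HostName
            Target    = $_.RecordData.PtrDomainName
            Timestamp = $ts
            State     = $state
        }
    }

# Hosts that own more than one PTR, the "host1 with two IPs" situation in this thread
$report | Group-Object Target | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning ("{0} has {1} PTR records" -f $_.Name, $_.Count) }

$report | Sort-Object State, Timestamp | Format-Table -AutoSize
```

A record that shows as "Refresh window" or "No-refresh window" will survive a manual scavenge no matter how wrong its address is, which is why Mahesh suggests deleting stale entries by hand once.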
ASKER
Dynamic is enabled.

Ideas why these IPs aren't updating then?
Can you please check who has got ownership of those reverse records?

In the DNS console, go to the reverse lookup zone, open the properties of a PTR record that was created by a firewall-assigned client, and check the Security tab, then Advanced \ Owner.

You may need to enable advanced view in the DNS console on the View menu.
ASKER
Connected from 2x of my laptops to both sites (different networks), and both records are owned by the computer/host.

The PTR details on one record are showing 'Delete this record when it becomes stale', with a tick box and timestamp & TTL field.
The other record doesn't show this (not that I think this is the problem)...
Those records which don't show the above info are probably manually created PTR records.

Also, those records whose ownership is associated with computers \ hosts won't be updated by DHCP since you have set up "Always update Host (A) records and PTR records",
and those records are not updated because the respective computers may not be on the network.
Maybe those records were there before you changed the DHCP settings.

The best way to update these records is to manually delete them once (except manually created records) and then check if they update properly next time.

Also, have you added your DHCP server to the DNSUpdateProxy group on the domain controller?

Also, if your DHCP server is running 2008 R2, then run the below command on the domain controller:
Dnscmd /Config /OpenACLOnProxyUpdates 0

Then restart the DHCP Server service once.
ASKER
No, they were created earlier today when I connected over VPN.

I had manually deleted the records over the weekend, so no entries there until today.

Yes, added the DCs to the proxy group.

Have not run the command as yet...
Will restart them too..
ASKER
I think the problem isn't actually related to the scavenging side of things.

Looking through logs I see Netlogon event ID 5807: http://support.microsoft.com/kb/2668820
ASKER
Is it possible to update/scavenge the DNS records for my remote clients in the reverse lookup zone?
Currently, when the machines connect into the 2x sites over remote VPN and/or are physically attached to the 2x LANs, the DNS records are wrong and the clients cannot communicate with the remote sites correctly.
ASKER

So, to add to the resolution, I have set up scavenging on the 2x remote zones to hours, which is looking good.