CHI-LTD
asked on
DNS Scavenging/Refresh 2008 r2
Should this be enabled on our DS servers, which are also DC/GCs?
Thanks
ASKER
Thanks.
Our remote connections get a 10.*.*.* IP directly from the firewall. Then route to the 192.*.*.* or 172.*.*.* networks.
We also changed our DHCP lease from the default (7 days) to 1hr and I also see duplicates on our main LAN scope within DNS, e.g.:
172.19.1.1
172.19.1.2
both assigned to host1
both with 2x different timestamps: today 9am and yesterday 9am..
ASKER
OK, changed the DNS settings in DHCP.
I have the same problem: the reverse lookup folder is showing the machine twice with 2x IPs. The domain.local folder is showing correct details...
Have you set credentials in the DHCP console as stated in my earlier comment?
This needs to be a standard domain user account with a non-expiring password, but it is required in order for dynamic update to work correctly.
Then restart the DHCP Server service once.
Also add your DHCP server to the DNSUpdateProxy group on the Domain Controller.
Also, if your DHCP server is running 2008 R2 then run the command below on the Domain Controller:
Dnscmd /Config /OpenACLOnProxyUpdates 0
https://www.experts-exchange.com/questions/28302450/What's-this-cmd-mean-dnscmd-config-OpenAclOnProxyUpdates-0.html
Mahesh
ASKER
My DHCP servers are DCs.
ASKER
In the properties of the DHCP server (IPv4 in case of a 2008 DHCP server), on the DNS tab, if you have set "Always dynamically update DNS A and PTR records", then the DHCP server will always update host (A) and PTR records on behalf of clients and you must set a domain service account in DHCP server properties (IPv4 in case of 2008) \ Advanced \ Credentials tab in order for dynamic update to work correctly, otherwise it will fail.
- Should I be doing this on all scopes with IPv4 enabled on all my servers?
This is not on a per-scope basis but on a per-server basis, and you need to set it up for every server.
Only one service account is enough for all DHCP servers.
Also do not forget to add those servers to the DNSUpdateProxy group on the Domain Controller and also run the above dnscmd command on the DC if DHCP is running on a 2008 R2 server.
ASKER
Well, I now have a Windows account that's locking itself and won't unlock, I assume after I have made these changes..?
What is your account lockout policy for the domain?
Is your account getting permanently locked?
By setting the account in DHCP, it should never get locked.
Do not use an existing account.
Please create a brand new service account which would be used only for this purpose.
Furthermore, keep the password of the account you enter in all DHCP servers the same,
because it will not throw any error while entering credentials.
You need to be careful while entering credentials.
Otherwise the account keeps getting locked every time if wrong credentials are entered on multiple DHCP servers.
Mahesh
ASKER
It's the reverse lookup records which are not updating...
Have you set up "Always dynamically update DNS A and PTR records" in the DHCP advanced properties?
Also, if you have very old reverse lookup records, you need to clean them up with scavenging OR manually once.
Check the article below again:
https://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx
Mahesh
ASKER
Yes, I have on all servers.
I have manually scavenged but they stay there.
ASKER
But the remote clients (10. range) aren't managed by DHCP...
ASKER
Sorry, they aren't managed by the Windows DHCP server; the IPs are allocated by the firewall.
Those IPs which are not assigned by DHCP will not be updated by DHCP; they will be updated by the DNS clients that get their IP from the firewall, through the DNS dynamic update feature.
You need to ensure that dynamic update is enabled in the DNS zone properties, set to secure only.
Also, even if you trigger scavenging manually it won't delete any records that are not eligible for scavenging.
A scavenging trigger will delete only those records which are older than (the total of the refresh interval + no-refresh interval).
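The aging rule Mahesh describes (a record is deleted only once it is older than no-refresh + refresh, and a manual trigger before that does nothing) applied to the asker's duplicate-PTR case. This is an added model written for this page, not code from the thread or from Microsoft; the host name, addresses, times and the "renews hourly" behaviour are constructed, and the model ignores the server-level scavenging period and the zone's aging on/off switch.

```python
from datetime import datetime, timedelta

# Model of Windows DNS record aging (added example, not from the thread).
# A dynamic record carries a timestamp. A re-registration during the
# no-refresh window is accepted but leaves the timestamp alone; during the
# refresh window it resets the timestamp to "now". A scavenging pass deletes
# a record only once its age reaches no_refresh + refresh.
class AgingZone:
    def __init__(self, no_refresh, refresh):
        self.no_refresh, self.refresh = no_refresh, refresh
        self.records = {}  # (name, data) -> timestamp, or None for a static record

    def register(self, name, data, now):
        """Dynamic update from the client (or from DHCP on its behalf)."""
        key = (name, data)
        if key not in self.records:
            self.records[key] = now
            return "created"
        ts = self.records[key]
        if ts is None:
            return "static"        # manually created: never scavenged
        if now - ts < self.no_refresh:
            return "no-refresh"    # accepted, timestamp unchanged
        self.records[key] = now
        return "refreshed"

    def scavenge(self, now):
        """Delete and return every record whose age >= no_refresh + refresh."""
        stale = [k for k, ts in self.records.items()
                 if ts is not None and now - ts >= self.no_refresh + self.refresh]
        for k in stale:
            del self.records[k]
        return stale

def stale_ptr_lifetime_hours(no_refresh_hours, refresh_hours, horizon_hours=24 * 20):
    """Constructed scenario: host1 holds 172.19.1.1 from yesterday 09:00,
    re-registers on every 1-hour lease renewal, and moves to 172.19.1.2 at
    today 09:00. Returns how many hours the orphaned PTR for 172.19.1.1
    survives after the switch (None if it is never scavenged)."""
    zone = AgingZone(timedelta(hours=no_refresh_hours), timedelta(hours=refresh_hours))
    start = datetime(2014, 1, 1, 9, 0)
    switch_hour = 24
    for h in range(horizon_hours):
        now = start + timedelta(hours=h)
        ip = "172.19.1.1" if h < switch_hour else "172.19.1.2"
        zone.register("host1", ip, now)
        if ("host1", "172.19.1.1") in zone.scavenge(now):
            return h - switch_hour
    return None

if __name__ == "__main__":
    print("7d/7d defaults: stale PTR lives", stale_ptr_lifetime_hours(168, 168), "hours")
    print("4h/4h zone:     stale PTR lives", stale_ptr_lifetime_hours(4, 4), "hours")
```

With the 7-day defaults the orphaned PTR outlives the 1-hour lease by 13 days, which is why shortening the lease alone left the duplicates in place; the live record survives in both settings because its hourly renewals keep refreshing it.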
ASKER
Dynamic is enabled.
Ideas why these IPs aren't updating then?
Can you please check who has got ownership of those reverse records?
In the DNS console go to the reverse lookup zone, go to the properties of a PTR record that is created by the firewall, check the Security tab and check Advanced \ Owner.
Maybe you need to enable advanced view in the DNS console on the View menu.
ASKER
Connected from 2x of my laptops to both sites (different networks) and both records are owned by the computer/host.
The PTR details on one record show 'delete this record when it becomes stale', with a tick box and time stamp & TTL field.
The other record doesn't show this (not that I think this is the problem)...
Those records which don't show the above info are probably manually created PTR records.
Also, those records whose ownership is associated with computers \ hosts won't be updated by DHCP since you have set up "Always update Host (A) records and PTR records",
and those records are not updated because the respective computers may not be in the network.
Maybe those records were there before you changed the DHCP settings.
The best way to update these records is to manually delete them once (except manually created records) and then check if next time they are updating properly.
Also, have you added your DHCP server to the DNSUpdateProxy group on the Domain Controller?
Also, if your DHCP server is running 2008 R2 then run the command below on the Domain Controller:
Dnscmd /Config /OpenACLOnProxyUpdates 0
Then restart DHCP server service once.
ASKER
No, they were created earlier today when I connected over VPN.
I had manually deleted the records over the weekend, so no entries there until today.
Yes, added the DCs to the proxy group.
Not run the command as yet...
Will restart them too..
ASKER
I think the problem isn't actually related to the scavenging side of things.
Looking through the logs I see Netlogon ID 5807: http://support.microsoft.com/kb/2668820
ASKER
Is it possible to update/scavenge the DNS records for my remote clients in the reverse lookup zone?
As currently, when the machines connect into the 2x sites over remote VPN and/or physically attached to the 2x LANs, the DNS records are wrong and the clients cannot communicate with the remote sites correctly.
ASKER
So, to add to the resolution, I have set up scavenging on the 2x remote zones to hours, which is looking good.
ASKER
I also have found one server to have forwarders set, whereas the other 3 do not..
Ideas?