abrusko (United States) asked:
stale dns records from VPN clients

Hello,
We are seeing stale records within DNS coming from our VPN clients (both host (A) and PTR). All the clients are Windows XP. IPs are assigned through a VPN concentrator. The lease is only for the duration of the session. DNS zones are not integrated with our Active Directory (although they used to be; not sure why they aren't anymore). All internal PCs are set up with DHCP reservations; if they don't have a reservation, the lease is for 3 days. DHCP server settings for DNS updates are set to "Always dynamically update DNS A and PTR records" and also "Discard A and PTR records when lease is deleted". Scavenging is set at 7 days for both the "no-refresh" and "refresh" settings. Dynamic updates for the DNS zone are set to "secure and non-secure". So far I've tried using the "DnsUpdateProxy" group to see if this will help. It seems to be doing the job for the newer records that are created, but I don't think our scavenging settings are correct. I'm thinking of setting the scavenging to 2 days or less. Plus, I was also thinking about going back to integrated zones. I know this is a lot of info, but if anyone can give me a little advice it would be greatly appreciated! Thanks, Bob
Chris Dent (United Kingdom) replied:

Hi Bob,

I do recommend going back to AD Integrated Zones, just makes life easier.

Anyway, your problem is a common one, especially when DHCP is updating DNS on behalf of the clients. You may consider allowing clients to update their own records instead of relying on DHCP. All clients from Windows 2000 up are capable of performing Secure Dynamic Updates directly.

The two Aging intervals normally work best when set to match your DHCP lease duration (if you add the two together). Obviously that's a little tricky for leases lasting only the duration of a session. However, if the client can update directly, it should update the IP to reflect the current one rather than a record in DHCP (and rather than adding a duplicate entry).

The minimum you should really consider for Aging is a total of 2 days. The Service Records for the domain only refresh once every 24 hours; such a short Aging interval would mean those records would occasionally be scavenged.

Chris
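
As an added example (this is not Chris's code or anything from the original thread): a PowerShell script that applies the advice above on a current Windows DNS/DHCP server. It assumes the DnsServer and DhcpServer modules (Windows Server 2012 or later, so newer than the Windows XP-era servers in the question). The server name DC01, the zone corp.example and the reverse zone 0.168.192.in-addr.arpa are placeholders.

```powershell
# Added example, not from the original thread. Aligns DNS aging with the DHCP
# lease, reports records that have already aged out, and hands record
# registration back to the clients.
# Assumptions: DnsServer and DhcpServer modules (Windows Server 2012+); DC01,
# corp.example and 0.168.192.in-addr.arpa are placeholder names.
$DnsServer   = 'DC01'
$ForwardZone = 'corp.example'
$ReverseZone = '0.168.192.in-addr.arpa'
$LeaseDays   = 3          # DHCP lease for clients without a reservation

# Rule of thumb from the answer: NoRefresh + Refresh should equal the lease,
# but never total less than 2 days, because the domain's SRV records are only
# re-registered once every 24 hours and would otherwise get scavenged.
$TotalDays = [Math]::Max($LeaseDays, 2)
$NoRefresh = New-TimeSpan -Hours ([int](($TotalDays * 24) / 2))
$Refresh   = $NoRefresh

foreach ($zone in @($ForwardZone, $ReverseZone)) {
    Set-DnsServerZoneAging -ComputerName $DnsServer -Name $zone -Aging $true `
        -NoRefreshInterval $NoRefresh -RefreshInterval $Refresh
}

# Zone-level aging does nothing unless scavenging is enabled on the server;
# run the scavenging pass once per aging window.
Set-DnsServerScavenging -ComputerName $DnsServer -ScavengingState $true `
    -ScavengingInterval (New-TimeSpan -Days $TotalDays)

# Report dynamic A and PTR records whose timestamp is older than
# NoRefresh + Refresh: these are what the next scavenging pass will delete.
# Static records carry no timestamp and are skipped.
$cutoff = (Get-Date) - ($NoRefresh + $Refresh)
foreach ($zone in @($ForwardZone, $ReverseZone)) {
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone |
        Where-Object {
            $_.Timestamp -and ($_.Timestamp -lt $cutoff) -and
            ($_.RecordType -in @('A', 'PTR'))
        } |
        Select-Object @{ n = 'Zone'; e = { $zone } }, HostName, RecordType, Timestamp,
            @{ n = 'Data'; e = {
                if ($_.RecordType -eq 'A') { $_.RecordData.IPv4Address }
                else { $_.RecordData.PtrDomainName } } } |
        Format-Table -AutoSize
}

# Stop the DHCP server registering on behalf of clients (the "Enable DNS
# dynamic updates" checkbox in the scope/server DNS tab) so the clients
# perform secure dynamic updates themselves. Keep the lease-expiry cleanup
# for records the server registered previously.
Set-DhcpServerv4DnsSetting -ComputerName $DnsServer -DynamicUpdates Never `
    -DeleteDnsRRonLeaseExpiry $true
```

Run this from an elevated session on a host with the RSAT DNS and DHCP tools. The report section is read-only; the three Set-* calls change server configuration, so try them against one scope and zone first. Note that the DHCP setting only governs records the Windows DHCP server would have registered: if the VPN concentrator hands out addresses itself rather than relaying DHCP, those clients were never covered by it and rely entirely on the client-side registration described in the answer.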
abrusko (asker) replied:

Hi Chris,
If I want the clients to do it themselves, do I just uncheck the option called "Enable DNS dynamic updates according to the settings below"?

Can I do the above before or after I integrate the zone with AD?

The Aging - maybe I'll just set it at 3 days and see how it goes?
Bob
ASKER CERTIFIED SOLUTION
Chris Dent (United Kingdom)
[The accepted solution is members-only and its text is not included on this page.]
abrusko (asker) replied:

Thanks for the help, it is appreciated!