DNS and DHCP best practice for Windows Server 2008 domain

hi dear experts

I will need some help on a very uncomfortable problem I have on the network.
We use application distribution software that needs 100% correct DNS entries.
We have a Server 2008 domain with 6 locations around the world and we offer VPN access to laptop users.

Right now, usually about 10% of the domain's machines have incorrect DNS entries.
I've been searching all over the net to get some information about it, but a lot of people say that it is nearly impossible to get DNS to 100%, except by using reservations for IP addresses.

Well, we don't want to use reservations, so I would be very happy if someone could give me some nice hints on the configuration of DHCP lease times, DNS configuration etc., so that I will at least get the DNS entries from 80% to 99% - that would be good enough.

thanks in advance.

gilget (Author) commented:
Thanks for your links but I guess I didn't explain my problem clearly enough.

My DNS works basically fine, but as I said about 10% of the hosts have bad DNS entries for some reason.

Now what I would like to know is:

- is there any correlation between DNS registrations and the DHCP lease times of a host?
- what clean-up time do you configure for your DNS servers?
- possibilities to force an update of a DNS record from a host other than a login script (ipconfig /registerdns)?
- any other configuration hints to get my DNS more reliable?

In my network, hosts change their subnets very often (lots of remote users, but machines also often change locations in our buildings here)... which makes it all a bit more difficult.
Premkumar Yogeswaran (Analyst II - System Administrator) commented:
Dynamic DNS has a relation between the DNS and DHCP updates.

By default it is an 8-day process called Aging and Scavenging.

It will be forced at system startup.

If you are changing the subnet often, it is going to affect AD Sites and Services!
Check that too.

Chris Dent (PowerShell Developer) commented:

> - is there any correlation between DNS registrations and the DHCP lease times of a host?

If you have enabled Scavenging there certainly is.

It is easier to keep DNS accurate with longer lease times. Whether or not that is practical depends on your environment.

> - what clean-up time do you configure for your DNS servers?

DHCP Lease: 16 Days
No-Refresh: 4 Days
Refresh: 4 Days
Automatic Scavenging Interval: 1 Day

The total record age (8 days) is equal to the DHCP Renewal interval (8 days, 50% of lease).

> - possibilities to force an update of a dns record from a host except of
> loginscript (ipconfig /registerdns)?

Restart either DHCP Client service or DNS Client service (depending on version of Windows). But those amount to the same thing as running "ipconfig /registerdns".

In an environment with a large number of changes like this I would be quite inclined to let clients update their own records. That is, disable the update of records by DHCP.
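The relationship in the four settings above (renewal at 50% of the lease must not outrun the no-refresh + refresh record age) can be checked for any proposed combination. The following is an added example, not Chris Dent's code or anything from the original thread; it models the thread's assumptions (the host re-registers its A record only at the DHCP renewal point T1, an update inside the no-refresh window does not move the record timestamp, and a record is scavengeable once its timestamp is older than no-refresh + refresh). The `AgingConfig` type and the function names are the example's own.

```python
"""Check a DHCP lease / DNS aging combination for stale-record risk on a live host."""
from dataclasses import dataclass
from math import ceil

HOURS_PER_DAY = 24


@dataclass(frozen=True)
class AgingConfig:
    """DHCP lease plus DNS zone aging settings, all in days."""
    lease_days: float
    no_refresh_days: float
    refresh_days: float
    scavenging_interval_days: float

    @property
    def renewal_hours(self) -> int:
        # DHCP clients renew at T1, 50 % of the lease; the thread's model is that
        # the host re-registers its A record at that point.
        return int(self.lease_days * HOURS_PER_DAY / 2)

    @property
    def no_refresh_hours(self) -> int:
        return int(self.no_refresh_days * HOURS_PER_DAY)

    @property
    def stale_after_hours(self) -> int:
        # A record may be scavenged once its timestamp is older than
        # no-refresh + refresh ("total record age" in the thread).
        return int((self.no_refresh_days + self.refresh_days) * HOURS_PER_DAY)


def first_effective_refresh_hours(cfg: AgingConfig) -> int:
    """Hour of the first renewal that actually moves the record timestamp.

    Dynamic updates inside the no-refresh window are accepted but do not touch
    the timestamp, so the first renewal that counts is the first one at or
    after the no-refresh interval has elapsed.
    """
    return ceil(cfg.no_refresh_hours / cfg.renewal_hours) * cfg.renewal_hours


def is_safe(cfg: AgingConfig) -> bool:
    """True if a permanently online host's record can never become stale,
    regardless of when the scavenging run happens (the thread's rule: the
    renewal period must not exceed the total record age)."""
    return first_effective_refresh_hours(cfg) <= cfg.stale_after_hours


def simulate_live_host(cfg: AgingConfig, horizon_days: int = 90):
    """Hour-by-hour simulation of one always-on host.

    Returns the hour at which its A record is scavenged, or None if it survives
    the whole horizon.
    """
    timestamp = 0  # hour the record was last (re)registered
    scavenge_hours = int(cfg.scavenging_interval_days * HOURS_PER_DAY)
    for hour in range(1, horizon_days * HOURS_PER_DAY + 1):
        # Pessimistic ordering: if a scavenging run and a renewal fall in the
        # same hour, the scavenger looks at the record first.
        if hour % scavenge_hours == 0 and hour - timestamp > cfg.stale_after_hours:
            return hour
        if hour % cfg.renewal_hours == 0 and hour - timestamp >= cfg.no_refresh_hours:
            timestamp = hour
    return None


if __name__ == "__main__":
    # Constructed sample configurations: the one recommended in the thread,
    # a long lease left with 7/7-day aging, and a no-refresh window that is
    # longer than the renewal period.
    for label, cfg in [
        ("thread recommendation 16/4/4/1", AgingConfig(16, 4, 4, 1)),
        ("30-day lease with 7/7/1", AgingConfig(30, 7, 7, 1)),
        ("16-day lease with 10/4/1", AgingConfig(16, 10, 4, 1)),
    ]:
        print(f"{label}: safe={is_safe(cfg)} scavenged_at_hour={simulate_live_host(cfg)}")
```

The closed-form check is the conservative one: a scavenging interval that happens to be out of phase with the renewal period can let an unsafe combination survive in the simulation by luck, which is not something to rely on when the application depends on accurate records.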


gilget (Author) commented:
Hi Chris,

expert is what they call you, genius is what you are ;)-

Thanks for the great help.
It looks like most of the stuff here was installed and left on standard settings,
so I will go through the configuration and make sure I have the following setup:

- scavenging active and interval set to 1 Day
- DHCP Lease: 16 Days
- No-Refresh: 4 Days
- Refresh: 4 Days
- disable update of DNS records by DHCP (I don't fully understand why this is bad, though).

Thanks, and I will inform you if it helped later on.
Chris Dent (PowerShell Developer) commented:

No rush, it'll take quite a while for the impact of those settings to become apparent.

Chris Dent (PowerShell Developer) commented:

> - disable update of DNS records by DHCP (I don't fully understand why this is bad, though).

Sorry... should have qualified that one:

It's not bad at all if you have a consistent configuration for your DHCP servers, that is, all must use exactly the same credentials. It's vital that you do not have a mix of DHCP updating and clients updating directly if you want accuracy, one or the other is the order of the day.

In most large networks I've worked with the difficulty has been in making all DHCP servers update. There tends to be a mixture of MS DHCP servers, DHCP servers resident on network devices (routers / firewalls) and DHCP servers for inbound VPN connections. Some can, some can't. If any can't then none should.

I hope that makes more sense of that statement. By all means leave the setting enabled if you can make all behave in the same way.

gilget (Author) commented:
Well, I only have Windows DHCP servers, except for the one for the VPNs, but that one runs on a Cisco device and I can configure it to forward DHCP requests to our main DHCP server instead of acting as a DHCP server on its own.

So I'm probably going to leave it enabled, but will make sure it's the same on each of the 7 DHCP servers.
Chris Dent (PowerShell Developer) commented:

Sounds good to me :)

You may have issues updating records while the credentials kick in (if they're not already configured). The DHCP server will not be able to update existing records.

There are possibly ways around that if continuation of service is essential, probably something down the scripting path to update the existing rights.

Only necessary if credentials aren't configured at all though.

gilget (Author) commented:
Sorry, this might sound stupid, but what do you mean by the "credentials"? Do you mean the credentials of the user logging into his workstation? Sorry, I'm not sure, please enlighten me.
Chris Dent (PowerShell Developer) commented:

Head to the DHCP console, then open the properties for the server, select the Advanced Tab and you'll see a Credentials button (I hope). It allows you to specify a user account to use to perform dynamic updates. If an account is not set the server's computer account is used.

The account you use does not need to be anything more than a standard domain user; by default that will have rights to create new records in DNS.

It does lead to a problem. If an account has not already been set, changing it will mean that each DHCP server will no longer be able to maintain / update existing records. It is possible to work around this issue by rewriting the access control lists on each DNS record (something you'd need a script to do), or alternatively by waiting for old records to be scavenged.

gilget (Author) commented:
Hi Chris,

Thanks for your help, I will go after this and will let you know if I was successful.
However, I would like to keep this post open for a little more time, because I still might have another question.
You're going to get the points for sure, as soon as I close the subject.

Thanks again
Chris Dent (PowerShell Developer) commented:

No problem, no rush :)

Windows Server 2008