  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2128
  • Last Modified:

DNS and DHCP best practice for windows server 2008 domain

hi dear experts

I will need some help on a very uncomfortable problem I have on the network.
We use application distribution software that needs 100% correct DNS entries.
We have a Server 2008 domain with 6 locations around the world and we offer VPN access to laptop users.

Right now, usually about 10% of the domain's machines have incorrect DNS entries.
I've been searching all over the net to get some information about it, but a lot of people say that it is nearly impossible to get DNS to 100%, except by using reservations for IP addresses.

Well, we don't want to use reservations, so I would be very happy if someone could give me some nice hints on the configuration of DHCP lease times, DNS configuration etc., so that I will at least get the DNS entries from 80% to 99% - that would be good enough.

Thanks in advance.
0
gilget
Asked:
gilget
1 Solution
 
gilgetAuthor Commented:
hi
Thanks for your links, but I guess I didn't explain my problem clearly enough.

My DNS works basically fine, but as I said about 10% of the hosts have bad DNS entries for some reason.

Now what I would like to know is:

- is there any correlation between DNS registrations and the DHCP lease times of a host?
- what clean-up time do you configure for your DNS servers?
- possibilities to force an update of a DNS record from a host other than a login script (ipconfig /registerdns)?
- any other configuration hints to get my DNS more reliable?

In my network, hosts change their subnets very often (lots of remote users, but machines also often change locations in our buildings here)..... which makes it all a bit more difficult.
0
 
Premkumar YogeswaranAnalyst II - System AdministratorCommented:
Dynamic DNS has a relation between the DNS and DHCP updates.

By default it is an 8-day process called Aging and Scavenging.

It will be forced at system startup.

If you are changing the subnet often it is going to affect AD Sites and Services...!
Check that too..
0
 
Chris DentPowerShell DeveloperCommented:

Hey,

> - is there any correlation between DNS registrations and the DHCP lease times of a host?

If you have enabled Scavenging there certainly is.

It is easier to keep DNS accurate with longer lease times. Whether or not that is practical depends on your environment.

> - what clean-up time do you configure for your dns servers?

Personally...

DHCP Lease: 16 Days
No-Refresh: 4 Days
Refresh: 4 Days
Automatic Scavenging Interval: 1 Day

The total record age (8 days) is equal to the DHCP Renewal interval (8 days, 50% of lease).

> - possibilities to force an update of a DNS record from a host other than
> a login script (ipconfig /registerdns)?

Restart either DHCP Client service or DNS Client service (depending on version of Windows). But those amount to the same thing as running "ipconfig /registerdns".

In an environment with a large number of changes like this I would be quite inclined to let clients update their own records. That is, disable the update of records by DHCP.

Chris
0
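The relationship Chris describes (no-refresh + refresh window versus the DHCP renewal at 50% of the lease) is easy to get wrong when settings are left at defaults on different servers. The following audit script is an added example, not code from the thread or from Chris; it assumes the DnsServer and DhcpServer PowerShell modules (Server 2012 / RSAT or later; on Server 2008 the same values are read with `dnscmd /Info` and the DHCP console), and the server and zone names in it are placeholders.

```powershell
# Added example: check DNS aging/scavenging against the DHCP lease, using the
# rule of thumb from the thread: record age (no-refresh + refresh) should not be
# shorter than the DHCP renewal interval (50% of the lease), otherwise a record
# can become eligible for scavenging before the client refreshes it.
# Assumed names: replace with your own DNS server, DHCP server and zone.
$DnsServer  = 'dns01.corp.example'
$DhcpServer = 'dhcp01.corp.example'
$ZoneName   = 'corp.example'

# Server-wide scavenging: is it switched on, and how often does it run?
$scav  = Get-DnsServerScavenging -ComputerName $DnsServer
# Per-zone aging: scavenging never touches a zone that has aging disabled.
$aging = Get-DnsServerZoneAging -ComputerName $DnsServer -Name $ZoneName

# Shortest lease across all scopes on the DHCP server; clients renew at 50% (T1).
$scopes   = Get-DhcpServerv4Scope -ComputerName $DhcpServer
$minLease = ($scopes | Sort-Object LeaseDuration | Select-Object -First 1).LeaseDuration
$renewal  = New-TimeSpan -Seconds ($minLease.TotalSeconds / 2)

# Age at which a record becomes a scavenging candidate.
$recordAge = $aging.NoRefreshInterval + $aging.RefreshInterval

$problems = @()
if (-not $scav.ScavengingState) { $problems += "Scavenging is disabled on $DnsServer" }
if (-not $aging.AgingEnabled)   { $problems += "Aging is disabled on zone $ZoneName" }
if ($recordAge -lt $renewal) {
    $problems += "Record age $($recordAge.TotalDays) d is shorter than DHCP renewal $($renewal.TotalDays) d"
}
if ($scav.ScavengingInterval -gt $aging.RefreshInterval) {
    $problems += "Scavenging interval $($scav.ScavengingInterval.TotalDays) d exceeds the refresh window; stale records linger"
}

[pscustomobject]@{
    ShortestLeaseDays  = $minLease.TotalDays
    RenewalDays        = $renewal.TotalDays
    NoRefreshDays      = $aging.NoRefreshInterval.TotalDays
    RefreshDays        = $aging.RefreshInterval.TotalDays
    RecordAgeDays      = $recordAge.TotalDays
    ScavengeEveryDays  = $scav.ScavengingInterval.TotalDays
    Problems           = ($problems -join '; ')
} | Format-List

# The values from the thread (16 d lease, 4 d / 4 d, scavenge daily). Apply deliberately:
# remove -WhatIf once the audit above is understood.
Set-DhcpServerv4Scope -ComputerName $DhcpServer -ScopeId ($scopes[0].ScopeId) -LeaseDuration (New-TimeSpan -Days 16) -WhatIf
Set-DnsServerZoneAging -ComputerName $DnsServer -Name $ZoneName -Aging $true `
    -NoRefreshInterval (New-TimeSpan -Days 4) -RefreshInterval (New-TimeSpan -Days 4) -WhatIf
Set-DnsServerScavenging -ComputerName $DnsServer -ScavengingState $true -ScavengingInterval (New-TimeSpan -Days 1) -WhatIf
```

Run it once per DNS server that is allowed to scavenge; only the servers listed in the zone's scavenging servers setting actually delete records, so a zone can show correct intervals and still never be cleaned if scavenging is enabled on a server that is not in that list.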
 
gilgetAuthor Commented:
hi chris

expert is what they call you, genius is what you are ;)-

Thanks for the great help.
It looks like most of the stuff here was installed and left on standard settings.
So I will go through the configuration and make sure I have the following setup:

- scavenging active and interval set to 1 day
- DHCP lease: 16 days
- No-refresh: 4 days
- Refresh: 4 days
- disable update of DNS records by DHCP (I don't fully understand why this is bad though).

Thanks, and I will inform you if it helped later on.
0
 
Chris DentPowerShell DeveloperCommented:

No rush, it'll take quite a while for the impact of those settings to become apparent.

Chris
0
 
Chris DentPowerShell DeveloperCommented:

> - disable update of DNS records by DHCP (I don't fully understand why this is bad though).

Sorry... should have qualified that one:

It's not bad at all if you have a consistent configuration for your DHCP servers, that is, all must use exactly the same credentials. It's vital that you do not have a mix of DHCP updating and clients updating directly if you want accuracy, one or the other is the order of the day.

In most large networks I've worked with the difficulty has been in making all DHCP servers update. There tends to be a mixture of MS DHCP servers, DHCP servers resident on network devices (routers / firewalls) and DHCP servers for inbound VPN connections. Some can, some can't. If any can't then none should.

I hope that makes more sense of that statement. By all means leave the setting enabled if you can make all behave in the same way.

Chris
0
 
gilgetAuthor Commented:
Well, I only have Windows DHCP servers, except the one for the VPNs, but that one runs on a Cisco device and I can configure it to forward DHCP requests to our main DHCP server instead of acting as a DHCP server on its own.

So I'm probably going to leave it enabled, but will make sure it's the same on every one of the 7 DHCP servers....
0
 
Chris DentPowerShell DeveloperCommented:

Sounds good to me :)

You may have issues updating records while the credentials kick in (if they're not already configured). The DHCP server will not be able to update existing records.

There are possibly ways around that if continuation of service is essential, probably something down the scripting path to update the existing rights.

Only necessary if credentials aren't configured at all though.

Chris
0
 
gilgetAuthor Commented:
Sorry, this might sound stupid, but what do you mean by the "credentials"? Do you mean the credentials of the user logging in to his workstation? Sorry, I'm not sure, please enlighten me.
0
 
Chris DentPowerShell DeveloperCommented:

Head to the DHCP console, then open the properties for the server, select the Advanced Tab and you'll see a Credentials button (I hope). It allows you to specify a user account to use to perform dynamic updates. If an account is not set the server's computer account is used.

The account you use does not need to be anything more than a standard domain users, by default that will have rights to create new records in DNS.

It does lead to a problem. If an account has not already been set, changing it will mean that each DHCP server will no longer be able to maintain / update existing records. It is possible to work around this issue by rewriting the access control lists on each DNS record (something you'd need a script to do), or alternatively by waiting for old records to be scavenged.

Chris
0
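Chris's rule that all DHCP servers must behave the same way (same update mode, same update account) is a consistency property that can be checked across the seven servers rather than eyeballed in each console. The audit below is an added example, not code from the thread or from Chris; it assumes the DhcpServer PowerShell module (Server 2012 / RSAT or later; on Server 2008 the equivalent values are under server Properties, DNS tab and Advanced tab > Credentials in the DHCP console) and that every DHCP server is authorized in Active Directory.

```powershell
# Added example: enumerate every authorized DHCP server in the domain and compare
# the dynamic-DNS update settings and the DNS update identity each one uses.
# A mixture of modes, or some servers updating as their computer account while
# others use a dedicated user, is exactly the situation the thread warns about.
$servers = Get-DhcpServerInDC | Select-Object -ExpandProperty DnsName

$report = foreach ($s in $servers) {
    try {
        $dns  = Get-DhcpServerv4DnsSetting  -ComputerName $s   # server-level DNS update policy
        $cred = Get-DhcpServerDnsCredential -ComputerName $s   # account used for the updates
        # With no credential configured the cmdlet reports an empty UserName;
        # the server then updates DNS as its own computer account.
        $identity = if ($cred.UserName) { "$($cred.DomainName)\$($cred.UserName)" } else { '<computer account>' }
        [pscustomobject]@{
            Server             = $s
            Reachable          = $true
            DynamicUpdates     = $dns.DynamicUpdates              # Always / OnClientRequest / Never
            UpdateOlderClients = $dns.UpdateDnsRRForOlderClients  # clients that cannot register themselves
            DeleteOnExpiry     = $dns.DeleteDnsRROnLeaseExpiry    # remove A/PTR when the lease ends
            UpdateIdentity     = $identity
        }
    } catch {
        [pscustomobject]@{
            Server = $s; Reachable = $false; DynamicUpdates = $null
            UpdateOlderClients = $null; DeleteOnExpiry = $null; UpdateIdentity = $null
        }
    }
}

$report | Format-Table -AutoSize

# Consistency checks: one update model and one identity across the whole estate.
$live  = $report | Where-Object Reachable
$modes = @($live | Select-Object -ExpandProperty DynamicUpdates -Unique)
$ids   = @($live | Select-Object -ExpandProperty UpdateIdentity -Unique)

if ($modes.Count -gt 1) { Write-Warning "Mixed DynamicUpdates modes in use: $($modes -join ', ')" }
if ($ids.Count   -gt 1) { Write-Warning "DHCP servers update DNS as different identities: $($ids -join ', ')" }
if ($report | Where-Object { -not $_.Reachable }) {
    Write-Warning "Some servers could not be queried: $(($report | Where-Object { -not $_.Reachable }).Server -join ', ')"
}
```

The identity column is the part that matters for the problem Chris raises about existing records: each record created by DHCP is owned by whichever account created it, so switching a server from its computer account to a shared user account leaves it unable to touch records it created earlier until those are scavenged or their ACLs are rewritten. The same check also shows a server that was forwarded to by the Cisco relay but never had the credential set.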
 
gilgetAuthor Commented:
hi chris

Thanks for your help, I will go after this and will let you know if I was successful.
However, I would like to keep this post open for a little more time, because I still might have another question.
You're going to get the points for sure, as soon as I close the subject.

Thanks again
0
 
Chris DentPowerShell DeveloperCommented:

No problem, no rush :)

Chris
0
