Solved

DNS and DHCP best practice for Windows Server 2008 domain

Posted on 2010-01-11
13
Medium Priority
2,054 Views
Last Modified: 2012-05-08
Hi dear experts,

I need some help with a very uncomfortable problem I have on the network.
We use application distribution software that needs 100% correct DNS entries.
We have a Server 2008 domain with 6 locations around the world and we offer VPN access to laptop users.

Right now, usually about 10% of the domain's machines have incorrect DNS entries.
I've been searching all over the net to get some information about it, but a lot of people say that it is nearly impossible to get DNS to 100%, except by using reservations for IP addresses.

Well, we don't want to use reservations, so I would be very happy if someone could give me some nice hints on the configuration of DHCP lease times, DNS configuration etc., so that I will at least get the DNS entries from 80% to 99% - that would be good enough.

Thanks in advance.
0
Question by:gilget
13 Comments
 
LVL 4

Author Comment

by:gilget
ID: 26281848
Hi,
thanks for your links, but I guess I didn't explain my problem clearly enough.

My DNS basically works fine, but as I said, about 10% of the hosts have bad DNS entries for some reason.

Now what I would like to know is:

- Is there any correlation between DNS registrations and the DHCP lease times of a host?
- What clean-up time do you configure for your DNS servers?
- Possibilities to force an update of a DNS record from a host other than a login script (ipconfig /registerdns)?
- Any other configuration hints to get my DNS more reliable?

In my network, hosts change their subnets very often (lots of remote users, but machines also often change locations in our buildings here)... which makes it all a bit more difficult.
0
 
LVL 17

Expert Comment

by:Premkumar Yogeswaran
ID: 26281912
Dynamic DNS has the relation between the DNS and DHCP updates.

By default it is an 8-day process called Aging and Scavenging.

It will be forced at system startup.

If you are changing the subnet often, that means it is going to affect AD Sites and Services...!
Check that too.
0

 
LVL 71

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 26281926

Hey,

> - is there any co-relation between dns registers and the dhcp lease times of a host?

If you have enabled Scavenging there certainly is.

It is easier to keep DNS accurate with longer lease times. Whether or not that is practical depends on your environment.

> - what clean-up time do you configure for your dns servers?

Personally...

DHCP Lease: 16 Days
No-Refresh: 4 Days
Refresh: 4 Days
Automatic Scavenging Interval: 1 Day

The total record age (8 days) is equal to the DHCP Renewal interval (8 days, 50% of lease).

> - possibilities to force an update of a dns record from a host except of
> loginscript (ipconfig /registerdns)?

Restart either DHCP Client service or DNS Client service (depending on version of Windows). But those amount to the same thing as running "ipconfig /registerdns".

In an environment with a large number of changes like this I would be quite inclined to let clients update their own records. That is, disable the update of records by DHCP.

Chris
0
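An added example, not part of the original answer: a small Python model of DNS aging for a client that stays online and keeps its address, run against the lease and interval values listed above. It assumes the record is refreshed only at each DHCP renewal (50% of the lease) and that scavenging passes fall on multiples of the scavenging interval; `AgingPlan` and `simulate` are hypothetical names.

```python
from dataclasses import dataclass

DAY = 24  # the model works in whole hours


@dataclass
class AgingPlan:
    lease_days: int
    no_refresh_days: int
    refresh_days: int
    scavenge_every_days: int = 1

    @property
    def renewal_hours(self):
        # A DHCP client renews at 50% of its lease.
        return self.lease_days * DAY // 2


def simulate(plan, renewals=6):
    """Follow one live record through `renewals` lease renewals."""
    no_refresh = plan.no_refresh_days * DAY
    stale_after = no_refresh + plan.refresh_days * DAY
    every = plan.scavenge_every_days * DAY
    stamp = 0  # record timestamp, set when the record is first registered
    out = {"accepted": 0, "suppressed": 0, "stale_hours": 0, "passes_at_risk": 0}
    for n in range(1, renewals + 1):
        now = n * plan.renewal_hours
        if now - stamp < no_refresh:
            out["suppressed"] += 1  # inside No-Refresh: timestamp is not rewritten
            continue
        stale_from = stamp + stale_after
        if now > stale_from:
            # The live record sat past No-Refresh + Refresh before this renewal,
            # so every scavenging pass in that gap could have deleted it.
            out["stale_hours"] += now - stale_from
            out["passes_at_risk"] += (now - 1) // every - stale_from // every
        stamp = now
        out["accepted"] += 1
    return out


if __name__ == "__main__":
    for label, plan in [("values from the answer", AgingPlan(16, 4, 4)),
                        ("lease doubled (constructed)", AgingPlan(32, 4, 4)),
                        ("short refresh window (constructed)", AgingPlan(10, 7, 1))]:
        print(label, simulate(plan))
```

The third plan renews more often than the record ages out, yet the record still goes stale, because every other renewal falls inside the no-refresh interval and the next one arrives after the refresh window has closed.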
 
LVL 4

Author Comment

by:gilget
ID: 26281999
Hi Chris,

expert is what they call you, genius is what you are ;)-

Thanks for the great help.
It looks like most of the stuff here was installed and left on standard settings.
So I will go through the configuration and make sure I have the following setup:

- scavenging active and interval set to 1 Day
- DHCP Lease: 16 Days
- No-Refresh: 4 Days
- Refresh: 4 Days
- disable update of DNS records by DHCP (I don't fully understand why this is bad though).

Thanks, and I will inform you later on if it helped.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 26282002

No rush, it'll take quite a while for the impact of those settings to become apparent.

Chris
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 26282037

> - disable update of DNS records by DHCP (I don't fully understand why this is bad though).

Sorry... should have qualified that one:

It's not bad at all if you have a consistent configuration for your DHCP servers, that is, all must use exactly the same credentials. It's vital that you do not have a mix of DHCP updating and clients updating directly if you want accuracy, one or the other is the order of the day.

In most large networks I've worked with the difficulty has been in making all DHCP servers update. There tends to be a mixture of MS DHCP servers, DHCP servers resident on network devices (routers / firewalls) and DHCP servers for inbound VPN connections. Some can, some can't. If any can't then none should.

I hope that makes more sense of that statement. By all means leave the setting enabled if you can make all behave in the same way.

Chris
0
 
LVL 4

Author Comment

by:gilget
ID: 26282082
Well, I only have Windows DHCP servers, except for the one for the VPNs, but that one runs on a Cisco device and I can configure it to forward DHCP requests to our main DHCP server instead of acting as a DHCP server on its own.

So I'm probably going to leave it enabled, but will make sure it's the same on every one of the 7 DHCP servers....
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 26282091

Sounds good to me :)

You may have issues updating records while the credentials kick in (if they're not already configured). The DHCP server will not be able to update existing records.

There are possibly ways around that if continuation of service is essential, probably something down the scripting path to update the existing rights.

Only necessary if credentials aren't configured at all though.

Chris
0
 
LVL 4

Author Comment

by:gilget
ID: 26282392
Sorry, this might sound stupid, but what do you mean by the "credentials"? Do you mean the credentials of the user logging into his workstation? Sorry, I'm not sure, plz enlighten me.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 26282447

Head to the DHCP console, then open the properties for the server, select the Advanced Tab and you'll see a Credentials button (I hope). It allows you to specify a user account to use to perform dynamic updates. If an account is not set the server's computer account is used.

The account you use does not need to be anything more than a standard domain user; by default that will have rights to create new records in DNS.

It does lead to a problem. If an account has not already been set, changing it will mean that each DHCP server will no longer be able to maintain / update existing records. It is possible to work around this issue by rewriting the access control lists on each DNS record (something you'd need a script to do), or alternatively by waiting for old records to be scavenged.

Chris
0
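An added example, not part of the original thread: a simplified Python model of record ownership under secure dynamic updates, showing why per-server computer accounts, a credential switch, or mixed client and DHCP registration leave records that can no longer be updated. All account names, host names and addresses are constructed, and the one-owner-per-record rule is a simplification of the per-record access control lists mentioned above.

```python
SCAVENGED = None  # constructed marker: the record was removed by scavenging


def replay(events):
    """events: (updating_account, hostname, leased_ip) tuples in time order.

    Returns (dns, refused): the final name -> address view and the updates the
    zone rejected because the record belongs to a different account.
    """
    owner, dns, refused = {}, {}, []
    for account, host, ip in events:
        if account is SCAVENGED:
            owner.pop(host, None)  # record and its ACL are gone
            dns.pop(host, None)
            continue
        if owner.setdefault(host, account) != account:
            refused.append((account, host, ip))
            continue
        dns[host] = ip
    return dns, refused


def stale_hosts(events):
    """Hosts whose DNS record does not match their most recent lease."""
    dns, _ = replay(events)
    latest = {host: ip for who, host, ip in events if who is not SCAVENGED}
    return sorted(h for h, ip in latest.items() if dns.get(h) != ip)


# Constructed scenarios. "svc-dhcp-dns" is a hypothetical shared credential account.
PER_SERVER = [("DHCP-A$", "laptop01", "10.1.0.50"),      # registered at site A
              ("DHCP-B$", "laptop01", "10.2.0.77")]      # roams to site B
SHARED = [("svc-dhcp-dns", "laptop01", "10.1.0.50"),
          ("svc-dhcp-dns", "laptop01", "10.2.0.77")]
SWITCHED = [("DHCP-A$", "pc07", "10.1.0.20"),            # before credentials were set
            ("svc-dhcp-dns", "pc07", "10.1.0.31")]       # after
SWITCHED_THEN_SCAVENGED = [SWITCHED[0], (SCAVENGED, "pc07", None), SWITCHED[1]]
MIXED = [("laptop02$", "laptop02", "10.1.0.60"),         # client registered itself
         ("svc-dhcp-dns", "laptop02", "10.3.0.15")]      # DHCP tries later

if __name__ == "__main__":
    for name in ("PER_SERVER", "SHARED", "SWITCHED",
                 "SWITCHED_THEN_SCAVENGED", "MIXED"):
        print(f"{name:24} stale: {stale_hosts(globals()[name])}")
```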
 
LVL 4

Author Comment

by:gilget
ID: 26282569
Hi Chris,

thx for your help, I will go after this and will let you know if I was successful.
However, I would like to keep this post open for a little more time, because I still might have another question.
You're gonna get the points for sure, as soon as I close the subject.

Thanks again.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 26282576

No problem, no rush :)

Chris
0
