DNS Scavenging - Server 2003

Hey all,

I am looking for some help with DNS Scavenging. A little background:

1. We are Server 2003 with XP Professional laptops
2. Clients get an address from the DHCP servers
3. Servers have static IP's but do dynamically register (we have the "Register this connection with DNS" checkbox checked on each server)

Our issue is that we use our VPN to access other locations within the company (we are all laptops). As people hop from VPN to local network, we end up with multiple DNS entries for each user all with different IP's. We want to clean these on schedule, preferably a few times a day.

I tried this once before with a 4 hour scavenge and we lost a lot of server records. I know 4 hours is really short but since people bounce between networks all day we run into issues where they can't access resources, etc., correctly as DNS is using the wrong A record.

So my question is....given this environment...how can I best set up scavenging? I know servers only register once every 24 hours right? Which would explain why I lost entries the last time. If there is no way to change that time period, should I uncheck the "Register this connection's address in DNS" for each server and only go to static DNS entries for them?

Thanks all.


Whatever happens, do not set the Refresh Interval lower than 24 hours. Clients with static IP addresses only update once a day, if they don't have the opportunity their records will be marked as stale and removed from DNS.
exadmin2006Asked:

TimorosCommented:
The following links provide additional information on how it all works.

How to configure DNS dynamic updates in Windows Server 2003.
http://support.microsoft.com/kb/816592

Using DNS Aging and Scavenging
Aging and scavenging of stale resource records are features of Domain Name System (DNS) that are available when you deploy your server with primary zones.
http://technet.microsoft.com/en-us/l.../cc757041.aspx

Microsoft Enterprise Networking Team : Don't be afraid of DNS
2008 ... DNS Scavenging is a great answer to a problem that has been nagging
everyone since RFC 2136 came out way back in 1997.
http://blogs.technet.com/networking/...e-patient.aspx

Best Practices on Windows DNS Scavenging
http://www.gilham.org/Blog/Lists/Posts/Post.aspx?ID=211

0
exadmin2006Author Commented:
Thanks Timoros. I've read most of these already...my issue is really we are a special case and may need a 4 hour scavenge interval. I am not able to determine how to set this up even with the articles. That, and I want to know that if we do need a 4 hour scavenge if I need to change my servers over from dynamic registration to manual A records in DNS. Thanks!
0
Chris DentPowerShell DeveloperCommented:
Hmmm...

It would seem far more appropriate to let clients update DNS directly and stop DHCP doing it for them.

That way if they move between networks, and between DHCP servers, they'll still be able to update the existing record.

Implementing static records for all of your static clients is going to be a bit tricky otherwise. I'm not aware of any way to change the default 24 hour refresh short of restarting the DHCP Client service (or scheduling "ipconfig /registerdns").

Chris
0

exadmin2006Author Commented:
Chris,

Are you referring to letting DHCP own the entire record? I know by default the laptop owns and registers the A record and DHCP registers the PTR. I have read that it helped to use Credentials in the DHCP server so it completely owns both records. Do you recommend this? Not sure if that's what you meant.

As for the servers...if we want to keep scavenging <24 hours...I guess it makes sense to remove dynamic registration and just enter A records manually? I know this will fix the issue of the "Delete this record when it becomes stale" checkbox being checked on the A record (I can manually uncheck this now, but when the server registers again it resets the checkbox).

Thanks!
0
Chris DentPowerShell DeveloperCommented:

> Are you referring to letting DHCP own the entire record?

No, I mean prevent DHCP from updating the record entirely by disabling all associated options in DHCP. Is that what you have set at the moment?

You see, either you want all DHCP servers to update using the same credentials, so every server can modify records created by every other server. Or you want all clients to register their own records (anything from 2000 up is more than capable of this) in which case they'll update it as they move around.

> remove dynamic registration and just enter A records manually?

Yes, but you will have difficulty preventing systems from overwriting the record.

When you delete a record from DNS it stays in AD and gets a dNSTombstone attribute set. Since the record still exists so does the associated security. The end result is that if you add a static record the original client will still have permission to modify it.

If you really want to go down that road the safest method is for you to disable the DHCP Client service (that's the one that registers records, even if the client has a static IP).

Personally I would let clients update themselves, it's far less maintenance than trying to keep up with changes for static clients.

Chris
0
exadmin2006Author Commented:
Thanks Chris. I agree...I just don't know how we could do this with a 4 hour scavenge. Maybe I can script a .bat file to run on the servers hourly to do ipconfig /registerdns?

As for DHCP...so if I used Credentials on the DHCP server, this would have the same effect as allowing the clients to update all their own records? That is...an either/or?

How would I allow the client to register and own all their records without DHCP interfering?

Thanks!
0
Chris DentPowerShell DeveloperCommented:

> Maybe I can script a .bat file to run on the servers hourly to do ipconfig /registerdns?

It's possible, but the chance of something going wrong is much higher so I can't say I would personally favour it.

> That is...an either/or?

In effect yes. Both are valid solutions to the same problem, but there's no point in doing both.

All you're really after is consistency. You want a record to be updated with the same credentials no matter where it is updated from. Either you have DHCP do it, and make all DHCP servers use the same credentials. Or you have the client do it directly.

In both cases you'll get a bit of disruption while credentials are changed (either from DHCP to client, or from DHCP to specified credentials). After that everything should update cleanly.

> How would I allow the client to register and own all their records without DHCP interfering?

Simply disable the associated options in DHCP. That's it. It's just if they're set DHCP will actively prevent the client registering directly.

Chris
0
exadmin2006Author Commented:
Thanks. Would this disruption be eased if, say, I picked a path (DHCP or have the clients own the record) and then deleted all the DHCP and registered DNS entries for users...so in effect, forcing everyone to grab a new IP?

Sorry...which associated options are these? This sounds like an easier solution.
0
Chris DentPowerShell DeveloperCommented:

> deleted all the DHCP and registered DNS entries for users...so in effect, forcing everyone to grab a new IP?

That might just make it harder :)

I would set No-Refresh and Refresh down to 1 day each and let that take care of the cleanup. Bear in mind that clients won't change addresses so DNS won't contain any more invalid information than usual.

> Sorry...which associated options are these? This sounds like an easier solution.

See the attached image from the DHCP server properties :) If DHCP doesn't update for you, clients will do it themselves. The options in DHCP are for legacy support more than anything else.

Chris
DHCPSettings.png
0
exadmin2006Author Commented:
OK, thanks. So I would set the Refresh and No-Refresh to 1 day on the zone and the server...how often should I tell it to scavenge then? I assume since the servers need at least 24 hours I can't make it anything less?
0
Chris DentPowerShell DeveloperCommented:

> So I would set the Refresh and No-Refresh to 1 day on the zone and the server

Just the zone.

The server holds default values, so if you've set it on the zone you don't need to set it on the server as well.

> how often should I tell it to scavenge then?

Once a day will do.

The Refresh Interval is the important one, setting that less than 24 hours will cause problems with static records as you previously discovered.

Chris
0
exadmin2006Author Commented:
Thanks Chris. Huge help. Last questions...

Just the zone...I know you set the Refresh and No-Refresh Interval in two spots...if I tell it 1 day for just the zone, what do I set it at on the server level?

OK...so if I pick 1 day to run the job that will suffice for the servers? I wasn't sure if it had to be two days.

I hope this is easier in Server 2008! :)
0
exadmin2006Author Commented:
Oh...almost forgot...you mentioned before if I changed DHCP the way we discussed there could be some pain initially as people reregister? What were you referring to?
0
Chris DentPowerShell DeveloperCommented:
> what do I set it at on the server level?

It doesn't matter. The zone-level setting overrides the default value set on the server level.

You only need to set the Automatic Scavenging Interval on the server level.

> OK...so if I pick 1 day to run the job that will suffice for the servers?

Scavenging only removes records which are stale, so as long as Refresh allows clients time to refresh it will be fine.

> Oh...almost forgot...you mentioned before if I changed DHCP the way we discussed there could be some pain
> initially as people reregister? What were you referring to?

Clients will not have permission to update / change the existing record (which was created by DHCP) until that record gets Scavenged.

It shouldn't make your current issue worse, it just sees it continue until clients are able to update records.

> I hope this is easier in Server 2008! :)

It isn't, no changes there I'm afraid.

Chris
0
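The two answers above hinge on one rule: a record is only scavenged once its timestamp is older than No-Refresh plus Refresh, and a host that only re-registers once a day cannot keep up with a 4-hour Refresh. The following model is an added example, not code from the thread or from Windows; it encodes the aging rules the posts describe (refresh ignored inside the No-Refresh window, timestamp reset after it, scavenger deletes anything older than No-Refresh + Refresh) at whole-hour resolution and runs the questioner's 4-hour settings, Chris's 1-day settings, and the "hourly ipconfig /registerdns" idea against an invented fleet of one static file server and one laptop that changes address every 6 hours. The host names, the hop rate, and the choice to run the scavenger before same-hour registrations (the pessimistic order) are all assumptions of this example.

```python
"""Toy model of Windows DNS record aging and scavenging.

Constructed example, not code from the thread. It models the rules the
posts describe: a dynamically registered record carries a timestamp; a
refresh inside the No-Refresh window is ignored; a refresh after it resets
the timestamp; the scavenger deletes any record whose timestamp is older
than No-Refresh + Refresh. Times are whole hours. Host names and hop
rates are invented.
"""


def simulate(no_refresh_h, refresh_h, scavenge_h, clients, horizon_h=96):
    """Run the model for horizon_h hours and return summary counters.

    clients: list of (name, period_h, hop_h)
      period_h: hours between the host's own registration attempts
                (the DHCP Client service default is 24)
      hop_h:    hours between IP changes; 0 means a static address.
                Every new IP produces a separate A record, and the
                record for the old IP is never refreshed again.
    """
    records = {}          # (name, ip_index) -> hour of last accepted refresh
    live_lost = 0         # a host's *current* record was scavenged
    stale_removed = 0     # an abandoned (old IP) record was scavenged
    max_stale_age = 0     # longest a stale record survived before removal

    def current_ip(hop_h, hour):
        return hour // hop_h if hop_h else 0

    for hour in range(horizon_h):
        # Scavenging runs first, so a same-hour refresh cannot rescue a record
        # (pessimistic ordering; an assumption of this model).
        if scavenge_h and hour and hour % scavenge_h == 0:
            for (name, ip), stamp in list(records.items()):
                if hour - stamp >= no_refresh_h + refresh_h:
                    del records[(name, ip)]
                    is_current = any(n == name and current_ip(h, hour) == ip
                                     for n, _, h in clients)
                    if is_current:
                        live_lost += 1
                    else:
                        stale_removed += 1
                        max_stale_age = max(max_stale_age, hour - stamp)
        for name, period_h, hop_h in clients:
            hopped = hop_h and hour % hop_h == 0
            if hour % period_h == 0 or hopped:
                key = (name, current_ip(hop_h, hour))
                if key not in records:
                    records[key] = hour               # new registration
                elif hour - records[key] >= no_refresh_h:
                    records[key] = hour               # refresh accepted
                # else: still inside the No-Refresh window, refresh ignored
    return {"live_lost": live_lost, "stale_removed": stale_removed,
            "max_stale_age_h": max_stale_age, "records_at_end": len(records)}


FLEET = [("fileserver", 24, 0),   # static IP, registers itself once a day
         ("laptop", 24, 6)]       # DHCP laptop hopping VPN <-> LAN every 6 h

# The questioner's first attempt: everything at 4 hours.
FOUR_HOUR = simulate(no_refresh_h=4, refresh_h=4, scavenge_h=4, clients=FLEET)
# Chris's recommendation: No-Refresh and Refresh 1 day, scavenge once a day.
ONE_DAY = simulate(no_refresh_h=24, refresh_h=24, scavenge_h=24, clients=FLEET)
# 4-hour aging again, but the server re-registers hourly (scheduled ipconfig /registerdns).
HOURLY_REREG = simulate(4, 4, 4, [("fileserver", 1, 0), ("laptop", 24, 6)])

if __name__ == "__main__":
    for label, result in [("4h aging", FOUR_HOUR),
                          ("1-day aging", ONE_DAY),
                          ("4h aging + hourly re-registration", HOURLY_REREG)]:
        print(f"{label:35} {result}")
```

With the 4-hour settings the file server's record is deleted every day at hour 8 of its cycle and stays missing until the next daily registration, which is the loss the questioner saw; the laptop's abandoned records do disappear within about 10 hours, which is the cleanup they wanted. With 1 day/1 day the server record is never lost, at the cost of stale laptop records surviving up to two days. The third run shows why the hourly re-registration idea works in principle: most of the attempts fall inside the No-Refresh window and are ignored, but the one that lands just after it resets the timestamp in time. On Server 2003 the per-zone intervals and the server-level scavenging period are set with dnscmd /Config (per zone with /Aging, /RefreshInterval and /NoRefreshInterval in hours; server-wide with /ScavengingInterval); confirm the switch spellings against dnscmd's own help before scripting them.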
