
DHCP is not dynamically updating DNS

amerretz asked:
Hi,

I have a Windows Server 2008 R2 domain controller. Active directory integrated DNS is installed along with DHCP on the DC. I have configured the following on the dhcp server properties;

In the dhcp console if I right click on IPV4 and select properties > dns tab

- 'Enable DNS Dynamic updates according to the settings below' is ticked

- 'Always dynamically update DNS A and PTR records' is selected

- 'Discard A and PTR records when lease is deleted' is ticked

In the advanced tab > credentials button:

- I have entered in the credentials of a domain admin user account, this domain admin account is a member of the 'DnsUpdateProxy' security group in active directory.

On the DHCP scope > properties > dns tab:

- 'Enable DNS Dynamic updates according to the settings below' is ticked

- 'Always dynamically update DNS A and PTR records' is selected

- 'Discard A and PTR records when lease is deleted' is ticked

On the DNS server I have configured a reverse lookup zone for the subnet from which the DHCP scope issues IP addresses.

----------------------------------------------------------------------------------

When a client connects to the network an IP address is correctly issued and also appears as a lease on the DHCP server. If I look at the DNS console I do not have an entry appear in the forward zone for the host. There is no entry in the reverse zone for the IP address either.

I have checked the server event log and the log file for DHCP and cannot find any errors.

On the client, if I open a command prompt and type 'ipconfig /registerdns' I now have a DNS entry within the forward zone. However, I do not have an entry in the reverse lookup zone.

Can someone please help me troubleshoot why DHCP is not updating DNS correctly.

Thank you.

Are you by any chance running DNS on multiple Domain Controllers? Or is one domain controller acting as DHCP and DNS? ... Where I'm going with this is, maybe it's a replication issue?

Are your netdiag and dcdiag clean?

Author

Commented:
Hi,

I have two DCs in the one site. Each DC has DNS which is AD integrated and is a DHCP server. One is a Server 2003 and is issuing DHCP addresses for different subnets. This DC (Server 2008) is issuing DHCP addresses for a completely different subnet.

dcdiag fails on 'NCSecDesc' it says:

"error enterprise read only domain controllers doesn't have replicating directory changes access rights for the naming context."

Not sure what this means really as this is not a RODC.

When I type netdiag it does not recognise it as a command.

------------------------------------

Thanks.

Author

Commented:
I must add.

DNS is dynamically updated sometimes. But it is not consistent.

If I connect a computer and it receives a DHCP address, it may register in DNS. If I delete the DNS entry and lease and do this again, it may not register the entry. It never seems to register the PTR record in the reverse DNS zone whatever I try.


Additionally,  'Discard A and PTR records when lease is deleted' option also does not work.

I have experimented with these settings using a short DHCP lease time of 5 minutes. It may create the DNS record if I'm lucky. But if I disconnect the computer within the 5 minutes, it certainly won't delete the record when the lease is deleted at the end of the 5 minutes.
Well, the issue with NCSecDesc is not a problem if you're not, and not planning to run an RODC.

I have a feeling that your issue is either with your DNS setup, or your replication.
Netdiag should help you figure out your DNS problems if you have any. netdiag is part of the Windows Support tools, so you can get those and run it against your servers individually, and make sure you're not getting any DNS errors.

Another useful tool in this case, is replmon, which is also part of the support tools.
By the way, I'm assuming you did go through restarting netlogon? ... (that would be helpful in case your netdiag results have any problems), as it would re-register the _msdcs entries.

In any case, let's start with running some additional tests, and then we can go from there:
results of netdiag, and results of replmon (btw, replmon is a GUI utility).
Also, another thing that I recently learned, is related to scavenging of stale records in DNS. This is VERY crucial to be setup right, or you end up with DNS records that are completely out of whack, and behavior that is completely inexplicable.

To be completely honest, I had a call to Microsoft to straighten out my scavenging settings, as it is a bit confusing being available on the DNS server level and on the DNS zone level. Take a look at what you have there for now, and if you feel that this may even be an issue, I'll try to see if I can pull back up that ticket I had open for any notes I may have on scavenging.

Author

Commented:
I can't seem to find out how to install replmon and netdiag for Server 2008 R2. I found this article which mentions that these tools are no longer available in Server 2008.

http://social.technet.microsoft.com/Forums/en/windowsserver2008r2general/thread/a0bc113d-63f5-437a-96a6-da75d38b6ef2

I have run the commands on the Server 2003 DC.

Netdiag checks out clean. Everything Passed.

Dcdiag only fails on one item. frsevent. It says: There are warning or error events within the last 24 hours.....
When I check the event log it has one warning message from 8 hours ago saying:

----------------------------------------------------------------------

Event Type:      Warning
Event Source:      NtFrs
Event Category:      None
Event ID:      13562
Date:            14/06/2010
Time:            4:09:15 AM
User:            N/A

Description:
Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller s-syd-18-ad.internal.cdm.com.au for FRS replica set configuration information.

-----------------------------------

I loaded replmon and have added both the Server 2003 and 2008 DCs to the console. Not sure what to verify here. Need more guidance.

Thanks.

Author

Commented:
Scavenging is an issue which I am trying to fine tune. Our network users mostly use laptops, we have a few hundred of them. So fast scavenging of records is paramount when considering they travel interstate between branches and connect to a VPN solution that issues addresses from a different subnet.

I feel that a lot of my scavenging problems would be resolved if I could get the 'Discard A and PTR records when lease is deleted' option to work as suggested. It does not delete the records. I have tested it many times. As this option does not work, this only leaves scavenging to clean up the mess.

I would appreciate if you can look up that Microsoft ticket.
Well, I looked up in my records, and I actually found two quite detailed blog posts that I posted internally regarding that topic. Following is the piece that deals with the facts about scavenging:
 
In a nutshell, scavenging processes and DHCP lease time are directly interdependent. When a certain threshold is met which would cause an overlap between the two timeouts, scavenging will plain stop doing anything it's supposed to do. So without going into extreme detail, here's how scavenging should be set up.

Currently, the DHCP lease time is setup to 8 days, we will be changing this to 4 days, as we have mobile users, and it doesn’t make sense to keep the lease for long all the time

There are options for the refresh and no refresh interval in the DNS server settings, as well as on each zone. If not setup on the DNS server level, then each zone needs to be configured individually for the scavenging of stale records. This setting does not trigger any deletion, it is merely a method that DNS uses to check the time stamp of the records, to determine whether to mark them as stale or not. The values of the  refresh and the no-refresh interval, added together should be greater than the DHCP lease level.

In addition, there is a setting that will actually trigger the deletion of stale records, which were marked by the running process of scavenging for stale records. That process can be set for any time that is greater than 24 hours.


In addition, here are a couple of pointers that the Microsoft SE sent me from the opened ticket:
1. Make the scavenging period 1 day so that scavenging will try to delete stale records every 24 hours.

2. Also the no-refresh and refresh interval should be greater than the lease period, so as you said that you'll lower the lease period to 4 days, in this case the no-refresh and refresh interval should be 3 & 2, and also restart the DNS service after making this change.


And here are my notes about it:
We need to change the DHCP lease time to 4 days
The Refresh and No-refresh interval added values should be equal to or LONGER than the DHCP expiration.

The scavenging time can be set to 1 day, but it is not recommended for less than that.

Set the scavenging to be set on off hours, as it is lower priority process thread, and there is no way to actually schedule it.

Now regarding replmon, the one thing I would check in your case is to make sure that the replication is happening; you can check on the right pane to make sure that the last successful replication happened within a reasonable time.

Again, sometimes kicking your netlogon service on the DCs fixes any replication issues.
Regarding netdiag not existing on 2008, that's correct I believe; if it's not in RSAT, then I believe you would need to be using the w2k3 tools. But honestly, my environment is still on 2003 R2, so I can't speak as to what works for sure for 2008.

Author

Commented:

After reading all the info, what I would like to do as a test is setup my DNS scavenging and DHCP lease as follows.

DNS Server scavenging period = 1 Day
DNS Zone No-refresh interval = 1 Hour
DNS Zone Refresh Interval = 1 Hour
DHCP lease time = 10 Minutes

Do you see any problem with this configuration?

I still think 'Discard A and PTR records when lease is deleted' is a real issue and would like to know if you can confirm this is working on your system.

Thanks.
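To make the interplay between the timers discussed above concrete, here is an added example (my own, not code from the thread): a small model of how the no-refresh interval, refresh interval and scavenging period decide when a dynamic record is deleted, plus the "no-refresh + refresh must exceed the lease" rule. The timestamps and the 7 pm scavenging start are constructed values.

```python
# Added example, not from the thread: a small model of the Windows DNS
# scavenging timers discussed above (no-refresh, refresh, scavenging period)
# and the rule that their sum must exceed the DHCP lease.
from datetime import datetime, timedelta
from typing import Optional

def lease_rule_ok(no_refresh: timedelta, refresh: timedelta, lease: timedelta) -> bool:
    """Rule quoted from the Microsoft engineer: no-refresh + refresh must be
    longer than the DHCP lease, or a record with a live lease can go stale."""
    return no_refresh + refresh > lease

def stale_at(last_refresh: Optional[datetime], no_refresh: timedelta,
             refresh: timedelta) -> Optional[datetime]:
    """Moment a record becomes eligible for scavenging. A record with no
    timestamp (a static record) is never eligible."""
    if last_refresh is None:
        return None
    return last_refresh + no_refresh + refresh

def deleted_at(last_refresh: Optional[datetime], no_refresh: timedelta,
               refresh: timedelta, period: timedelta,
               scavenge_start: datetime) -> Optional[datetime]:
    """First scavenging run at or after the record turns stale. Runs repeat
    every `period`, anchored at `scavenge_start`, the time scavenging was
    switched on (which is what fixes the time of day it runs)."""
    stale = stale_at(last_refresh, no_refresh, refresh)
    if stale is None:
        return None
    elapsed = stale - scavenge_start
    # ceil(elapsed / period); a record already stale when scavenging starts
    # goes on the very first run
    runs = 0 if elapsed <= timedelta(0) else -(-elapsed // period)
    return scavenge_start + runs * period

if __name__ == "__main__":
    HOUR, DAY = timedelta(hours=1), timedelta(days=1)
    # Settings proposed in the thread: 1 h / 1 h, 1 day period, 10 min lease
    print(lease_rule_ok(HOUR, HOUR, timedelta(minutes=10)))          # True
    # Constructed times: scavenging enabled at 7 pm; a laptop last
    # registered at 8 pm the same day and then left the network.
    start = datetime(2010, 6, 14, 19, 0)
    laptop = datetime(2010, 6, 14, 20, 0)
    print(deleted_at(laptop, HOUR, HOUR, DAY, start))   # 2010-06-15 19:00:00
    print(deleted_at(None, HOUR, HOUR, DAY, start))     # None: static, never
```

With the 1 h / 1 h settings a laptop that is off the network for just over two hours is deleted on the next daily run, which is the trade-off the short intervals buy.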


Author

Commented:
Also in my DHCP log file (location c:\windows\system32\dhcp\%date%) I see the following table of event IDs.

Microsoft DHCP Service Activity Log

--------------------------------------------------------------

Event ID  Meaning
00      The log was started.
01      The log was stopped.
02      The log was temporarily paused due to low disk space.
10      A new IP address was leased to a client.
11      A lease was renewed by a client.
12      A lease was released by a client.
13      An IP address was found to be in use on the network.
14      A lease request could not be satisfied because the scope's address pool was exhausted.
15      A lease was denied.
16      A lease was deleted.
17      A lease was expired and DNS records for an expired leases have not been deleted.
18      A lease was expired and DNS records were deleted.
20      A BOOTP address was leased to a client.
21      A dynamic BOOTP address was leased to a client.
22      A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted.
23      A BOOTP IP address was deleted after checking to see it was not in use.
24      IP address cleanup operation has began.
25      IP address cleanup statistics.
30      DNS update request to the named DNS server.
31      DNS update failed.
32      DNS update successful.
33      Packet dropped due to NAP policy.
34      DNS update request failed.as the DNS update request queue limit exceeded.
35      DNS update request failed.
50+      Codes above 50 are used for Rogue Server Detection information.

QResult: 0: NoQuarantine, 1:Quarantine, 2:Drop Packet, 3:Probation,6:No Quarantine Information ProbationTime:Year-Month-Day Hour:Minute:Second:MilliSecond.


-----------------------------------------------------------


I don't seem to see entries in the log file for event IDs 17, 18, 30, 31, 34, 35.

I only see lease event IDs, i.e. lease create and lease deleted messages. Nothing which relates to DNS at all.
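As an added example (my own, not code from the thread), here is a parser that tallies a DHCP audit log by the event IDs in the table above and reports which DNS update IDs (30, 31, 32, 34, 35) never appear and which leased addresses never produced any DNS event, which is the check the observation above boils down to. The sample log lines, host names and addresses are constructed, not a real capture.

```python
# Added example, not from the thread: tally a DHCP audit log by the event
# IDs listed above and report which leased addresses never produced a DNS
# update event (30-35). Log lines below are constructed, not a real capture.
import csv
from collections import Counter
from io import StringIO

DNS_EVENTS = {30, 31, 32, 34, 35}   # DNS update request / failed / successful
LEASE_EVENTS = {10, 11}             # new lease / renewal: each should trigger a DNS update

SAMPLE_LOG = """\
Microsoft DHCP Service Activity Log

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID
00,06/14/10,04:00:00,Started,,,,,0,6,,
10,06/14/10,08:12:31,Assign,10.20.30.51,laptop01.example.internal,001122334455,,1001,0,,
30,06/14/10,08:12:31,DNS Update Request,10.20.30.51,laptop01.example.internal,,,0,6,,
32,06/14/10,08:12:32,DNS Update Successful,10.20.30.51,laptop01.example.internal,,,0,6,,
10,06/14/10,08:15:02,Assign,10.20.30.52,laptop02.example.internal,001122334466,,1002,0,,
11,06/14/10,08:20:02,Renew,10.20.30.52,laptop02.example.internal,001122334466,,1003,0,,
16,06/14/10,08:30:00,Deleted,10.20.30.52,laptop02.example.internal,001122334466,,0,6,,
"""

def parse_dhcp_log(text):
    """Yield (event_id, ip, host) for each data row. The banner, the blank
    line, the column header and the event-ID legend all fail the digit check."""
    for row in csv.reader(StringIO(text)):
        if len(row) < 6 or not row[0].strip().isdigit():
            continue
        yield int(row[0]), row[4].strip(), row[5].strip()

def dns_update_report(text):
    """Return (counts per event ID, DNS event IDs never logged,
    IPs that got a lease but never appear in any DNS event)."""
    counts = Counter()
    leased, dns_seen = set(), set()
    for event_id, ip, _host in parse_dhcp_log(text):
        counts[event_id] += 1
        if event_id in LEASE_EVENTS:
            leased.add(ip)
        elif event_id in DNS_EVENTS:
            dns_seen.add(ip)
    return counts, sorted(DNS_EVENTS - set(counts)), sorted(leased - dns_seen)

if __name__ == "__main__":
    counts, never_logged, no_dns = dns_update_report(SAMPLE_LOG)
    print(dict(counts))          # {0: 1, 10: 2, 30: 1, 32: 1, 11: 1, 16: 1}
    print(never_logged)          # [31, 34, 35]
    print(no_dns)                # ['10.20.30.52']
```

Run against a real log from c:\windows\system32\dhcp, an empty DNS tally with a non-empty lease tally means the server never attempted registration, which points at the DNS settings or credentials rather than at DNS itself.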
I think your config is fine; the only thing I would change is your no-refresh interval to 2 hours instead of 1. I think everything else seems to meet best practice values. I think the DHCP lease time is a bit too short, but if you have good reason to do this (you said you have a lot of roaming users), it may work.

Unfortunately, there's no way you can schedule DNS scavenging. So if you have a big AD environment with a lot of replication going on during business hours, I would schedule scavenging to kick off during off hours. I'm not sure if they changed the option in 2008, but in 2003, the only way to schedule it, is to actually SET it at the time you want it to trigger. I set it up on mine at 7:00pm, and that seems to work well.

Also, you gotta remember scavenging is a patience matter, so, set it, and sleep on it for a couple of days, and see if things clean up in your DNS. Honestly, this was one of my major mistakes when I was dealing with this, is that I wasn't patient enough.

Go ahead and make these changes, and let's see what happens.

Author

Commented:
You know what happened?

Well.... today was a !@#$% nightmare! That's what happened.

After setting my scavenging to the above mentioned settings, my DNS server proceeded to delete many so-called "static" server A records. Many people called with issues connecting to server applications and resources. Luckily I noticed in time and shut down the new Server 2008 DC before it got to delete all of them. I spent about 5 hours creating A records and rebooting client machines and servers to get things semi-working again.

For anyone else thinking of setting their scavenging to the above. DO NOT DO IT!!!

I actually called Microsoft and opened a case so that they could explain what went wrong.

Wait.. it deleted STATIC records??? that shouldn't happen! Scavenging should only touch dynamically created DNS entries...  
What did they recommend you do with your scavenging?

Author

Commented:
....

Commented:
Please read:  http://technet.microsoft.com/en-us/library/cc753014.aspx
 
The secure dynamic updates functionality can be compromised if the following conditions are true:
 - You run a DHCP server on a Windows Server 2008–based domain controller
 - The DHCP server is configured to perform registration of DNS records on behalf of its clients.
 
*** To avoid this issue, deploy DHCP servers and domain controllers on separate computers, or configure the DHCP server to use a dedicated user account for dynamic updates. ***

Commented:
Also see: Configure DNS dynamic update credentials
http://technet.microsoft.com/en-us/library/cc775839(WS.10).aspx