Solved

Windows 2008 DHCP/DNS Server Linux Clients get dhcp address but do not update DNS

Posted on 2010-08-23
Last Modified: 2013-12-05
We have two Windows 2008 servers; one runs DHCP and both have DNS running on them.

Our Windows clients work great: they get a DHCP address and it updates DNS.

The issue we are having is that our SUSE 10/11 clients get an address from DHCP but do not update DNS. The Linux clients are using dhcpcd.

Someone ran DNS scavenging and it removed all of the DHCP Linux clients, and none of them could update again.

Thanks
Question by:nstd-sts
Expert Comment

by:tomex07
ID: 33506339
Hello,
You can use a feature of Windows DNS to allow DHCP to update DNS records on behalf of clients that are not compatible with dynamic updates.
See http://support.microsoft.com/kb/816592/en-us

This part:
Use the DnsUpdateProxy security group
You can configure a Windows Server 2003-based DHCP server so that it dynamically registers host A and PTR resource records on behalf of DHCP clients. If you use secure dynamic updates in this configuration with Windows Server 2003-based DNS servers, resource records may become stale.

For example, consider the following scenario:
A Windows Server 2003 DHCP server (DHCP1) performs a secure dynamic update on behalf of one of its clients for a specific DNS domain name.
Because the DHCP server successfully created the name, it becomes the owner of the name.
After the DHCP server becomes the owner of the client name, only that DHCP server can update the name.
In some circumstances, this scenario may cause problems. For example, if DHCP1 fails and a second backup DHCP server comes online, the backup server cannot update the client name because the server is not the owner of the name.

In another example, assume that the DHCP server performs dynamic updates for legacy clients. If you upgrade those clients to Windows Server 2003, Windows 2000, or Windows XP, the upgraded client cannot take ownership or update its DNS records.

To solve this problem, a built-in security group named DnsUpdateProxy is provided. If all DHCP servers are added to the DnsUpdateProxy group, the records of one server can be updated by another server if the first server fails. Also, all the objects that are created by the members of the DnsUpdateProxy group are not secured. Therefore, the first user who is not a member of the DnsUpdateProxy group and that modifies the set of records that is associated with a DNS name becomes its owner. When legacy clients are upgraded, they can take ownership of their name records at the DNS server. If every DHCP server that registers resource records for legacy clients is a member of the DnsUpdateProxy group, many problems are eliminated.


Add members to the DnsUpdateProxy group
Use the Active Directory Users and Computers snap-in to configure the DnsUpdateProxy security group.

Note If you are using multiple DHCP servers for fault tolerance and secure dynamic updates, add each server to the DnsUpdateProxy global security group.


Security considerations when you use the DnsUpdateProxy group
DNS domain names that are registered by the DHCP server are not secure if the DHCP server is a member of the DnsUpdateProxy group. The host (A) resource record for the DHCP server itself is an example of such a record. Also, objects that are created by the members of the DnsUpdateProxy group are not secure. Therefore, you cannot use this group effectively in an Active Directory-integrated zone that enables only secure dynamic updates unless you take additional steps to enable records that are created by members of the group to be secured.

To help protect against nonsecure records or to enable members of the DnsUpdateProxy group to register records in zones that enable only secured dynamic updates, follow these steps:
1. Create a dedicated user account.
2. Configure DHCP servers to perform DNS dynamic updates with the user account credentials. (These credentials are the user name, the password, and the domain.)
The credentials of one dedicated user account can be used by multiple DHCP servers.

A dedicated user account is a user account whose sole purpose is to supply DHCP servers with credentials for DNS dynamic update registrations. Assume that you have created a dedicated user account and configured DHCP servers with the account credentials. Each DHCP server will supply these credentials when it registers names on behalf of DHCP clients that are using DNS dynamic update. The dedicated user account should be created in the forest where the primary DNS server for the zone to be updated resides. The dedicated user account can also be located in another forest. However, the forest that the account resides in must have a forest trust established with the forest that contains the primary DNS server for the zone to be updated.

When the DHCP Server service is installed on a domain controller, you can configure the DHCP server by using the credentials of the dedicated user account to prevent the server from inheriting, and possibly misusing, the power of the domain controller. When the DHCP Server service is installed on a domain controller, it inherits the security permissions of the domain controller. The service also has the authority to update or delete any DNS record that is registered in a secure Active Directory-integrated zone. (This includes records that were securely registered by other Windows 2000-based or Windows Server 2003-based computers, and by domain controllers.)
Author Comment

by:nstd-sts
ID: 33510042
I will give this a try; I will add the DHCP server to that group.

I need to schedule this since I probably need to restart some services.

I will let you know what happens.
Expert Comment

by:tomex07
ID: 33510313
Ok, good luck!
Author Comment

by:nstd-sts
ID: 33512828
Just got a chance and I restarted the services.

Still no luck with the SUSE 10/11 boxes showing up in DNS. They still do get an IP address from DHCP.

Expert Comment

by:tomex07
ID: 33513710
When you add a computer account into a group, I think that it is the same mechanism as for a user:
the Kerberos ticket has to be renewed in order for the new membership to be seen. So you have to wait for the maximum lifetime of the ticket or you have to reboot the DHCP server.
I am looking for the maximum lifetime of the ticket (10 hours for a user, I think).
Author Comment

by:nstd-sts
ID: 33531131
I was able to reboot the DHCP server and still no luck.

I was testing things and I added WINS to the server, and now Linux clients get added to DNS.

Is there any way around this?
Expert Comment

by:tomex07
ID: 33531348
I know that you can integrate WINS in DNS thanks to WINS forward lookup and WINS-R, but it has nothing to do with dynamic updates...
Have a look at the options you can modify for Dynamic DNS; it seems that you have to check the right options as in the screenshot.
To access this menu and configure DHCP for dynamic updates:
1. Click Start | Administrative Tools and select DHCP
2. Right-click on the DHCP scope you want to configure and click Properties
3. Click the DNS tab
4. Configure your settings
5. Click OK
(attachment: Dynamic-DNS.PNG)
Author Comment

by:nstd-sts
ID: 33533785
I do have those options already selected.
Expert Comment

by:tomex07
ID: 33534231
So with a WINS server added to the TCP/IP config of the DHCP server, it works?
Expert Comment

by:tomex07
ID: 33534274
Or with WINS Service added to the DHCP Server?
Author Comment

by:nstd-sts
ID: 33535594
I had to do both to get it working.
Expert Comment

by:tomex07
ID: 33535639
Strange!
Accepted Solution

by:jjoz
ID: 34193537
Yes, I also faced the same problem here with my non-Windows hosts, so I had to allow the following setting:

Dynamic Updates: Nonsecure and secure. That's it; leave it overnight to correct the DNS entries.
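The failure mode in this thread (leases handed out, forward and reverse records never written, then scavenging wiping what was left) is easy to catch with a periodic lease-versus-DNS reconciliation; the script below is an added example, not code from the thread, and its zone name, lease list and DNS answers are constructed sample values.

```python
import socket
from typing import Callable, Dict, List, Optional, Tuple

DOMAIN = "corp.example"   # hypothetical AD DNS zone name

# Constructed sample: (lease IP, client hostname) as read from the DHCP lease list.
LEASES: List[Tuple[str, str]] = [
    ("192.168.10.21", "suse10-build"),   # Linux: got a lease, never registered
    ("192.168.10.22", "suse11-web"),     # Linux: A record left over from an old lease
    ("192.168.10.30", "win7-desk01"),    # Windows: registers itself correctly
]

# Constructed sample of what the DNS servers answer right now.
SAMPLE_A: Dict[str, str] = {
    "win7-desk01.corp.example": "192.168.10.30",
    "suse11-web.corp.example": "192.168.10.99",
}
SAMPLE_PTR: Dict[str, str] = {"192.168.10.30": "win7-desk01.corp.example"}

Lookup = Callable[[str], Optional[str]]

def live_a(fqdn: str) -> Optional[str]:
    """Forward lookup against the real resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(fqdn)
    except OSError:
        return None

def live_ptr(ip: str) -> Optional[str]:
    """Reverse lookup against the real resolver; None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def audit_lease(ip: str, host: str, lookup_a: Lookup, lookup_ptr: Lookup) -> List[str]:
    """Compare one DHCP lease with DNS; return the findings (empty list = consistent)."""
    fqdn = f"{host}.{DOMAIN}".lower()
    findings: List[str] = []
    a = lookup_a(fqdn)
    if a is None:
        findings.append("no A record")
    elif a != ip:
        findings.append(f"A record points to {a} (stale)")
    ptr = lookup_ptr(ip)
    if ptr is None:
        findings.append("no PTR record")
    elif ptr.rstrip(".").lower() != fqdn:
        findings.append(f"PTR names {ptr} (mismatch)")
    return findings

def audit_leases(leases, lookup_a: Lookup = SAMPLE_A.get, lookup_ptr: Lookup = SAMPLE_PTR.get):
    """Audit every lease; defaults use the sample tables, pass live_a/live_ptr for real DNS."""
    return {f"{host} ({ip})": audit_lease(ip, host, lookup_a, lookup_ptr) for ip, host in leases}

if __name__ == "__main__":
    for client, findings in audit_leases(LEASES).items():
        print(client, "OK" if not findings else "; ".join(findings))
```

Running it after a scavenging cycle shows immediately which leased clients have no forward or reverse record, before users notice. Note that "Nonsecure and secure" lets any host on the network register or overwrite names, which is why the KB text quoted earlier in this thread recommends the DnsUpdateProxy group with a dedicated account as the alternative.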