Solved

Windows 2008 DHCP/DNS Server Linux Clients get dhcp address but do not update DNS

Posted on 2010-08-23
Last Modified: 2013-12-05
We have two Windows 2008 servers; one runs DHCP and both have DNS running on them.

Our Windows clients work great and get a DHCP address and it updates DNS.

The issue we are having is that our SUSE 10/11 clients get an address from DHCP but do not update DNS. The Linux clients are using dhcpcd.

Someone ran DNS scavenging and it removed all of the DHCP Linux clients, and none of them could update again.

Thanks
Question by:nstd-sts
13 Comments
 

Expert Comment

by:tomex07
ID: 33506339
Hello,
You can use a feature of Windows DNS to allow DHCP to update DNS records on behalf of the clients when they are not compatible with Dynamic Updates.
See http://support.microsoft.com/kb/816592/en-us

This part:
Use the DnsUpdateProxy security group
You can configure a Windows Server 2003-based DHCP server so that it dynamically registers host A and PTR resource records on behalf of DHCP clients. If you use secure dynamic updates in this configuration with Windows Server 2003-based DNS servers, resource records may become stale.

For example, consider the following scenario:
  • A Windows Server 2003 DHCP server (DHCP1) performs a secure dynamic update on behalf of one of its clients for a specific DNS domain name.
  • Because the DHCP server successfully created the name, it becomes the owner of the name.
  • After the DHCP server becomes the owner of the client name, only that DHCP server can update the name.
In some circumstances, this scenario may cause problems. For example, if DHCP1 fails and a second backup DHCP server comes online, the backup server cannot update the client name because the server is not the owner of the name.

In another example, assume that the DHCP server performs dynamic updates for legacy clients. If you upgrade those clients to Windows Server 2003, Windows 2000, or Windows XP, the upgraded client cannot take ownership or update its DNS records.

To solve this problem, a built-in security group named DnsUpdateProxy is provided. If all DHCP servers are added to the DnsUpdateProxy group, the records of one server can be updated by another server if the first server fails. Also, all the objects that are created by the members of the DnsUpdateProxy group are not secured. Therefore, the first user who is not a member of the DnsUpdateProxy group and that modifies the set of records that is associated with a DNS name becomes its owner. When legacy clients are upgraded, they can take ownership of their name records at the DNS server. If every DHCP server that registers resource records for legacy clients is a member of the DnsUpdateProxy group, many problems are eliminated.


Add members to the DnsUpdateProxy group
Use the Active Directory Users and Computers snap-in to configure the DnsUpdateProxy security group.

Note If you are using multiple DHCP servers for fault tolerance and secure dynamic updates, add each server to the DnsUpdateProxy global security group.


Security considerations when you use the DnsUpdateProxy group
DNS domain names that are registered by the DHCP server are not secure if the DHCP server is a member of the DnsUpdateProxy group. The host (A) resource record for the DHCP server itself is an example of such a record. Also, objects that are created by the members of the DnsUpdateProxy group are not secure. Therefore, you cannot use this group effectively in an Active Directory-integrated zone that enables only secure dynamic updates unless you take additional steps to enable records that are created by members of the group to be secured.

To help protect against nonsecure records or to enable members of the DnsUpdateProxy group to register records in zones that enable only secured dynamic updates, follow these steps:
  • Create a dedicated user account.
  • Configure DHCP servers to perform DNS dynamic updates with the user account credentials. (These credentials are the user name, the password, and the domain.)
  • The credentials of one dedicated user account can be used by multiple DHCP servers.

A dedicated user account is a user account whose sole purpose is to supply DHCP servers with credentials for DNS dynamic update registrations. Assume that you have created a dedicated user account and configured DHCP servers with the account credentials. Each DHCP server will supply these credentials when it registers names on behalf of DHCP clients that are using DNS dynamic update. The dedicated user account should be created in the forest where the primary DNS server for the zone to be updated resides. The dedicated user account can also be located in another forest. However, the forest that the account resides in must have a forest trust established with the forest that contains the primary DNS server for the zone to be updated.

When the DHCP Server service is installed on a domain controller, you can configure the DHCP server by using the credentials of the dedicated user account to prevent the server from inheriting, and possibly misusing, the power of the domain controller. When the DHCP Server service is installed on a domain controller, it inherits the security permissions of the domain controller. The service also has the authority to update or delete any DNS record that is registered in a secure Active Directory-integrated zone. (This includes records that were securely registered by other Windows 2000-based or Windows Server 2003-based computers, and by domain controllers.)

Author Comment

by:nstd-sts
ID: 33510042
I will give this a try; I will add the DHCP server to that group.

I need to schedule this since I probably need to restart some services.

I will let you know what happens.

Expert Comment

by:tomex07
ID: 33510313
Ok, good luck!

Author Comment

by:nstd-sts
ID: 33512828
Just got a chance and I restarted the services.

Still no luck with the SUSE 10/11 boxes showing up in DNS. They still do get an IP address from DHCP.


Expert Comment

by:tomex07
ID: 33513710
When you add a computer account into a group, I think that it is the same mechanism as for a user:
The Kerberos ticket has to be renewed in order for the new membership to be seen. So you have to wait for the maximum lifetime of the ticket or you have to reboot the DHCP server.
I am looking for the maximum lifetime of the ticket (10 hours for a user, I think).

Author Comment

by:nstd-sts
ID: 33531131
Was able to reboot the DHCP server and still no luck.

I was testing things and I added WINS to the server and now Linux clients get added to DNS.

Is there any way around this?

Expert Comment

by:tomex07
ID: 33531348
I know that you can integrate WINS in DNS thanks to WINS forward lookup and WINS-R, but it has nothing to do with dynamic updates...
Have a look at the options you can modify for Dynamic DNS; it seems that you have to check the right options, as in the screenshot.
To access this menu and configure DHCP for dynamic updates:
1. Click Start | Administrative Tools and select DHCP
2. Right-click on the DHCP scope you want to configure and click Properties
3. Click the DNS tab
4. Configure your settings
5. Click OK
(Attached screenshot: Dynamic-DNS.PNG)

Author Comment

by:nstd-sts
ID: 33533785
I do have those options already selected.

Expert Comment

by:tomex07
ID: 33534231
So with WINS added to the TCP/IP config of the DHCP server, it works?

Expert Comment

by:tomex07
ID: 33534274
Or with WINS Service added to the DHCP Server?

Author Comment

by:nstd-sts
ID: 33535594
I had to do both to get it working.

Expert Comment

by:tomex07
ID: 33535639
Strange!

Accepted Solution

by:jjoz
ID: 34193537
Yes, I also face the same problem here with my non-Windows host, so I must allow the following settings:

Dynamic Updates - Nonsecure and secure. That's it, and leave it overnight to correct the DNS entry.
0
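
Added example (not part of the thread and not any poster's code): a PowerShell audit of the settings this thread touches, namely the zone's dynamic-update mode changed in the accepted answer, DnsUpdateProxy membership, and the DHCP server's DNS credentials described in the quoted KB article. Zone, server and account names are placeholders, and with `$Apply` set it follows the KB's dedicated-account approach with a secure-only zone rather than the accepted answer's nonsecure setting.

```powershell
# Added example, not from the thread. All names below are placeholders (assumptions).
# Run from an elevated prompt on a host that has dnscmd, dsquery/dsget and netsh.
$Zone       = 'corp.example.com'
$DnsServer  = 'dns1.corp.example.com'
$DhcpServer = '\\dhcp1.corp.example.com'
$SvcUser    = 'svc-dhcp-dns'          # dedicated account with no other purpose
$SvcDomain  = 'CORP'
$Apply      = $false                  # set to $true to change settings

# 1. Zone update mode. dnscmd values: 0 = none, 1 = nonsecure and secure, 2 = secure only.
#    Assumes dnscmd reports the value on a "Dword:" line.
$info = dnscmd $DnsServer /ZoneInfo $Zone AllowUpdate | Out-String
if ($info -match 'Dword:\s*(\d+)') {
    switch ([int]$Matches[1]) {
        0 { Write-Host "$Zone : dynamic updates disabled" }
        1 { Write-Warning "$Zone : nonsecure updates accepted (no authentication on record changes)" }
        2 { Write-Host "$Zone : secure updates only" }
    }
} else {
    Write-Warning "Could not read AllowUpdate for $Zone :`n$info"
}

# 2. Records created by members of DnsUpdateProxy are not secured, so list the members.
Write-Host 'Members of DnsUpdateProxy:'
dsquery group -name DnsUpdateProxy | dsget group -members

# 3. Credentials the DHCP server currently uses for DNS dynamic updates.
netsh dhcp server $DhcpServer show dnscredentials

if ($Apply) {
    # netsh takes the password as an argument, so prompt for it instead of storing it here.
    $sec   = Read-Host "Password for $SvcDomain\$SvcUser" -AsSecureString
    $bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($sec)
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    netsh dhcp server $DhcpServer set dnscredentials $SvcUser $SvcDomain $plain
    dnscmd $DnsServer /Config $Zone /AllowUpdate 2   # secure only
}
```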
