Solved

DNS & DHCP configuration

Posted on 2010-09-05
24
1,800 Views
Last Modified: 2012-08-13
Hi,
I have 2 Server 2008 domain controllers with DHCP on one of them and DNS on each one.
I want to know what is best practice for configuring the DNS and DHCP.
I need a detailed configuration, like I'm starting from scratch.

thanks
Question by:ywainberg
24 Comments
 
LVL 9

Expert Comment

by:MinoDC
ID: 33609264
0
 
LVL 9

Expert Comment

by:Gianpiero Rossi
ID: 33609273
For the DNS configuration, it will configure itself when you start the new domain (dcpromo) and both DCs will have the DNS zone in sync from each other.

For the DHCP you will have to set up a scope for your LAN segment, e.g. 192.168.x.0
and remove from the pool the addresses that you have configured in a static way (e.g. the IPs of your servers)
then you have to configure
the option for the DNS (they should refer to your DCs)
the option for the Router (you should insert your LAN gateway, e.g. the IP of your router)
if you have started the WINS service you have to put it in also.

These are the basic settings that you have to put inside it
0
 
LVL 6

Expert Comment

by:Nuttycomputer
ID: 33609282
Both Servers need to have statically assigned values. For my purposes I'm going to choose a small network 192.168.1.0/24

I personally like to use 192.168.1.1-9 for my routers/switches but these are up to you.

SERVER1
IP: 192.168.1.10/24
DNS1 - 192.168.1.10
DNS2 - 192.168.1.11

SERVER2
IP: 192.168.1.11/24
DNS1 - 192.168.1.11
DNS2 - 192.168.1.10

For the DNS servers, since they are both domain controllers in what I assume is the same domain, you should make them Active Directory Integrated. You do this by right-clicking on the primary zone and making sure the Zone Type is set to Active Directory Integrated. Since I'm assuming they were domain controllers first, they are probably already set this way (they usually are by default).

For the DHCP server you're going to want to set up a scope of 192.168.1.0/24. Add an exclusion range of 192.168.1.1-20 (or however many addresses you'll need for servers and other equipment).
Set the DNS Server option for 192.168.1.10 and 192.168.1.11

Let me know if you need further help on design questions.
0
 
LVL 6

Expert Comment

by:Nuttycomputer
ID: 33609287
As gpiero74 stated, you're also going to want to set up the default gateway on both the DHCP server and in the static values for the domain controllers, if you have a default gateway. If this is a localized subnet with no escape, then leave this blank.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33609292
I would suggest using DNS on both DCs as Active Directory Integrated zones with "Secure only" updates.
DNS Best Practices: read this article
http://technet.microsoft.com/en-us/library/cc778439%28WS.10%29.aspx

For DHCP you can use on:

- 1 server (scope for all computers, 100% of addresses), then make a copy of %WINDIR%\SYSTEM32\DHCP in case of server failure. You would be able to restore the DHCP server on another machine very quickly.

- 2 servers:
* scope with 50% addresses on the first one and 50% addresses on the second one
* scope with 80% addresses on the first one and 20% addresses on the second one

DHCP Best Practices: read this article
http://technet.microsoft.com/en-us/library/cc780311%28WS.10%29.aspx
0
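The layout Nuttycomputer describes (static addressing on each DC, AD-integrated zones, one /24 scope with an exclusion and DNS/router options) together with Krzysztof Pytko's "Secure only" updates and 80/20 split, written out as an added PowerShell example. This is not code from the thread: it assumes the DhcpServer, DnsServer, NetTCPIP and DnsClient modules of Windows Server 2012 or later (on Server 2008 the same settings are made with netsh dhcp, dnscmd and the MMC consoles), and the domain name, server names and addresses are constructed placeholders.

```powershell
# Added example, not from the thread. Assumes Server 2012+ modules; all names
# and addresses below are constructed placeholders.
$Domain  = 'corp.example.com'   # assumed AD domain name
$Dc1     = '192.168.1.10'       # SERVER1: DC, DNS and DHCP
$Dc2     = '192.168.1.11'       # SERVER2: DC and DNS
$Gateway = '192.168.1.1'        # LAN router
$Nic     = 'Ethernet'           # adapter alias on the server this runs on

# 1. Static addressing on SERVER1. Each DC lists itself first, the other DC second.
New-NetIPAddress -InterfaceAlias $Nic -IPAddress $Dc1 -PrefixLength 24 -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $Dc1, $Dc2

# 2. DNS: AD-integrated forward zone replicated to all DCs in the domain, accepting
#    only secure (Kerberos-authenticated) dynamic updates, plus a reverse zone so
#    PTR registration has somewhere to land.
Set-DnsServerPrimaryZone -Name $Domain -ReplicationScope Domain -DynamicUpdate Secure
if (-not (Get-DnsServerZone -Name '1.168.192.in-addr.arpa' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId '192.168.1.0/24' -ReplicationScope Domain -DynamicUpdate Secure
}

# 3. DHCP on SERVER1: one /24 scope with a 6-day lease, .1-.20 excluded for servers
#    and network gear, and the options clients need (DNS servers, router, suffix).
Add-DhcpServerv4Scope -Name 'LAN' -StartRange 192.168.1.1 -EndRange 192.168.1.254 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 6) -State Active
Add-DhcpServerv4ExclusionRange -ScopeId 192.168.1.0 -StartRange 192.168.1.1 -EndRange 192.168.1.20
Set-DhcpServerv4OptionValue -ScopeId 192.168.1.0 -DnsServer $Dc1, $Dc2 -Router $Gateway -DnsDomain $Domain
# Authorize the server in AD; an unauthorized Windows DHCP server will not serve leases.
Add-DhcpServerInDC -DnsName "server1.$Domain" -IPAddress $Dc1

# 80/20 split across two DHCP servers (the second layout in Krzysztof Pytko's post):
# both servers define the same scope and options, and each excludes the other's
# share, so every address is handed out by exactly one server.
#   On SERVER1: Add-DhcpServerv4ExclusionRange -ScopeId 192.168.1.0 -StartRange 192.168.1.208 -EndRange 192.168.1.254
#   On SERVER2: Add-DhcpServerv4ExclusionRange -ScopeId 192.168.1.0 -StartRange 192.168.1.21  -EndRange 192.168.1.207

# 4. Verify what is actually in force before pointing clients at it.
Get-DnsServerZone -Name $Domain | Select-Object ZoneName, IsDsIntegrated, DynamicUpdate
Get-DhcpServerv4Scope | Select-Object ScopeId, StartRange, EndRange, LeaseDuration, State
Get-DhcpServerv4OptionValue -ScopeId 192.168.1.0 | Select-Object OptionId, Name, Value
```

The verification step matters more than the rest: DynamicUpdate should read Secure and IsDsIntegrated True on both DCs, and the option list should show exactly the two DCs as DNS servers, since a stray third entry is the usual cause of clients resolving against the wrong server.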
 
LVL 1

Expert Comment

by:snapfriend
ID: 33611175
You have to install a normal Server 2008 STD. or ENT. edition with the respective h/w.

Go to Roles
and add roles into it,
whichever you want for that:
DNS & DHCP.
Assign a primary zone in DNS when you install it & provide a forward lookup zone & reverse lookup zone.

Assign a scope for DHCP after installing the DHCP server.

You can assign reservations in DHCP also.
0
 
LVL 2

Author Comment

by:ywainberg
ID: 33611212
If I configure scavenging to be 90 days, does it matter that the DHCP lease is 6 days?
0
 
LVL 6

Expert Comment

by:Nuttycomputer
ID: 33611246
90-day scavenging is a little high. Scavenging specifically removes old A records. The timestamp is reset every time the record is updated, which is on startup on newer systems. On older systems (98 and before) the record is updated when the lease is renewed, which (if everything is functioning) is at half the lease duration.

I would recommend setting scavenging to 7 days with a 6-day lease.

Static records will never be removed via scavenging unless you manually set a timestamp.
0
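The 7-day scavenging setting Nuttycomputer recommends, as an added PowerShell example (not from the thread), using the DnsServer module of Server 2012 or later; on Server 2008 the same is done with dnscmd /Config and /ZoneResetScavengeServers. Windows implements "7 days" as two timers, No-refresh and Refresh, and a dynamic record only becomes eligible for deletion after both have elapsed, so the dry run below checks for records older than their sum. Zone name and DC address are constructed.

```powershell
# Added example, not from the thread. Assumes the Server 2012+ DnsServer module;
# zone name and scavenging DC address are constructed placeholders.
$Zone      = 'corp.example.com'
$Scavenger = '192.168.1.10'          # exactly one DC should run scavenging
$Interval  = New-TimeSpan -Days 7

# Enable aging on the zone: for 7 days after a refresh the timestamp is frozen
# (No-refresh), for the next 7 days clients may refresh it (Refresh). Only after
# 7 + 7 = 14 days without a refresh is the record stale, comfortably longer than
# a 6-day lease whose renewal is attempted at the 3-day mark.
Set-DnsServerZoneAging -Name $Zone -Aging $true `
    -NoRefreshInterval $Interval -RefreshInterval $Interval -ScavengeServers $Scavenger

# Turn on the scavenging engine on that DC; it runs a pass every $Interval.
Set-DnsServerScavenging -ComputerName $Scavenger -ScavengingState $true -ScavengingInterval $Interval

# Dry run before the first real pass: dynamic A records already older than
# No-refresh + Refresh are what the next pass would delete. Static records have
# no timestamp and are skipped, matching Nuttycomputer's note.
$Cutoff = (Get-Date).AddDays(-14)
Get-DnsServerResourceRecord -ZoneName $Zone -RRType A |
    Where-Object { $_.Timestamp -and $_.Timestamp -lt $Cutoff } |
    Select-Object HostName, Timestamp, @{ n = 'Address'; e = { $_.RecordData.IPv4Address } }
```

Review the dry-run list before enabling scavenging for the first time: anything on it that is still in use (printers, appliances, or machines that registered once and never refresh) should be converted to a static record, or it will be removed and its name will resolve to nothing until it re-registers. A laptop away for 60 days, as asked later in the thread, falls into this category and simply re-registers at its next logon.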
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33611255
Nope, scavenging is performed in DNS zone, so DHCP sends only DDNS updates. DHCP lease only reserves particular IP address for machine. Please, read this article, maybe it would clarify it a little bit more :)

http://technet.microsoft.com/en-us/library/cc776907%28WS.10%29.aspx
0
 
LVL 1

Expert Comment

by:snapfriend
ID: 33611312
Using DNS servers with DHCP
When installing the Windows Server 2003 DHCP service, you can configure the server to perform updates on behalf of its DHCP clients to any Domain Name System (DNS) servers that support dynamic updates.

How DHCP/DNS update interaction works
The DHCP server can be used to register and update the pointer (PTR) and host (A) resource records on behalf of its DHCP-enabled clients.

This process requires the use of an additional DHCP option, the Client FQDN option (option 81). This option permits the client to provide its fully qualified domain name (FQDN) as well as instructions to the DHCP server on how it would like the server to process DNS dynamic updates (if any) on its behalf.

When this option is issued by a qualified DHCP client, such as a DHCP-enabled computer running Windows 2000, Windows XP, or a Windows Server 2003 operating system, option 81 is processed and interpreted by a DHCP server running Windows Server 2003 to determine how the server initiates updates on behalf of the client. If the server is configured to perform DNS dynamic updates, it takes one of the following actions:

- The DHCP server updates both DNS A and PTR records if requested by clients using option 81.
- The DHCP server updates DNS A and PTR records regardless of whether the client requests this action or not.


In addition, the DHCP server can dynamically update DNS A and PTR records on behalf of legacy clients that are not capable of sending option 81 to the server. You can also configure the DHCP server to discard client A and PTR records when the client lease is deleted.

The DHCP server might be configured in one of the following ways:

- The DHCP server registers and updates client information with the authoritative DNS server of the zone in which the DHCP server is located according to the DHCP client request.

  This is the default configuration for DHCP servers running Windows Server 2003 and DHCP clients running Windows 2000, Windows XP, or a Windows Server 2003 operating system. In this mode, the DHCP client can request the way in which the DHCP server performs updates of its host (A) and pointer (PTR) resource records. If possible, the DHCP server accommodates the client request for handling updates to its name and IP address information in DNS.

  To modify this setting, select the Dynamically update DNS A and PTR records only if requested by the DHCP clients check box, which is located in Properties on the DNS tab on the applicable DHCP server or on one of its scopes.

- The DHCP server always registers and updates client information in DNS.

  This is a modified configuration supported for DHCP servers running Windows Server 2003 and DHCP clients running Windows 2000, Windows XP, or a Windows Server 2003 operating system. In this mode, the DHCP server always performs updates of the client's FQDN, leased IP address information, and both its host (A) and pointer (PTR) resource records, regardless of whether the client has requested to perform its own updates.

  To modify this setting, select the Enable DNS dynamic updates according to the settings below check box and click Always dynamically update DNS A and PTR records, which is located in Properties on the DNS tab on the applicable DHCP server or on one of its scopes.

- The DHCP server never registers and updates client information in DNS.

  To set this behavior, the DHCP server must be configured to disable performance of DHCP/DNS proxied updates. By disabling this feature, no client host (A) or pointer (PTR) resource records are updated in DNS for DHCP clients.

  If necessary, this change in setting can be made at DHCP servers running Windows Server 2003 by clearing the Enable DNS dynamic updates according to the settings below check box, which is located in Properties on the DNS tab on the applicable DHCP server or one of its scopes. By default, updates are always performed for newly installed DHCP servers running Windows Server 2003 and any new scopes created for them.
0
 
LVL 1

Expert Comment

by:snapfriend
ID: 33611316
Advanced DHCP/DNS server configuration options
In addition to these standard DHCP/DNS interactions, the DHCP server can be configured to perform these optional update tasks as follows:

- The server can selectively be configured to not send updates for discarding a client host (A) resource record when the client lease expires.

  When the DHCP server is enabled to perform DNS updates, it always sends updates to discard the client pointer (PTR) resource records when the lease expires. Whether the server also does this with client host (A) resource records when the lease of a client expires (by default, the server discards these) is a configurable option.

  To modify this at the applicable DHCP server, clear the Discard forward (name-to-address) lookups when leases expire check box in Properties on the DNS tab.

- The server can be selectively configured to not send updates for clients unable to use the Client FQDN option (option 81), to request the way that updates are handled.

  By default, the DHCP server does not send updates for clients that do not support option 81.

  To modify this setting, select the Dynamically update DNS A and PTR records for DHCP clients that do not request updates (for example, clients running Windows NT 4.0) check box, which is located in Properties on the DNS tab on the applicable DHCP server or one of its scopes.


Windows DHCP clients and DNS dynamic update protocol
DHCP clients running Windows 2000, Windows XP, or a Windows Server 2003 operating system interact differently than earlier versions of Windows when performing the DHCP/DNS interactions previously described. The following examples and graphics show how this process varies in different cases.

Example 1: DHCP/DNS update interaction for DHCP clients running Windows 2000, Windows XP , or a Windows Server 2003 operating system
DHCP clients running Windows 2000, Windows XP, or a Windows Server 2003 operating system interact with DNS dynamic update protocol as follows:

- The client initiates a DHCP request message (DHCPREQUEST) to the server and includes DHCP option 81. By default, the client requests that the DHCP server register the DNS PTR record, while the client registers its own DNS A record.
- The server returns a DHCP acknowledgment message (DHCPACK) to the client, granting an IP address lease and including DHCP option 81. If the DHCP server is configured with the default settings (dynamically update DNS A and PTR records only if requested by the DHCP clients), then option 81 instructs the client that the DHCP server will register the DNS PTR record and the client will register the DNS A record.
- Asynchronously, the client registers its DNS A record, and the DHCP server registers the DNS PTR record of the client.

Example 2: DHCP/DNS update interaction for earlier Windows DHCP clients (prior to Windows 2000)
Earlier versions of Windows DHCP clients do not support the DNS dynamic update process directly, and therefore, cannot directly interact with the DNS server. For these DHCP clients, updates are typically handled as follows:

- The client initiates a DHCP request message (DHCPREQUEST) to the server. The request does not include DHCP option 81.
- The server returns a DHCP acknowledgment message (DHCPACK) to the client, granting an IP address lease, without DHCP option 81.
- The server then sends updates to the DNS server for the forward lookup record of the client, which is a host (A) resource record. The server also sends updates for the reverse lookup record of the client, which is a pointer (PTR) resource record.

DNS record ownership and the DnsUpdateProxy group
As previously described, you can configure a DHCP server so that it dynamically registers host (A) and pointer (PTR) resource records on behalf of DHCP clients. In this configuration, the use of secure dynamic update with DNS servers might cause stale resource records.

For example, suppose the following sequence of events occurs:

- A DHCP server running Windows Server 2003 (DHCP1) performs a secure dynamic update on behalf of one of its clients for a specific DNS domain name.
- Because the DHCP server successfully created the name, it becomes the owner of the name.
- Once the DHCP server becomes the owner of the name, only that DHCP server can update the DNS records for that name.


In some circumstances, this can cause problems. For example, if DHCP1 fails and a second backup DHCP server comes online, the second server cannot update the client name because it is not the owner of the name.

In another example, if the DHCP server performs DNS dynamic updates for legacy DHCP clients (clients running a version of Windows earlier than Windows 2000), and those clients are later upgraded to Windows 2000, Windows XP, or a Windows Server 2003 operating system, the upgraded client cannot take ownership of or update its own DNS records.

To solve this problem, the built-in security group called DnsUpdateProxy is provided. If all DHCP servers are added as members of the DnsUpdateProxy group, then the records of one server can be updated by another server if the first server fails. Also, because all of the objects that are created by the members of the DnsUpdateProxy group are not secured, the first user (that is not a member of the DnsUpdateProxy group) to modify the set of records that is associated with a DNS name becomes its owner. When legacy clients are upgraded, they can therefore take ownership of their name records at the DNS server. If every DHCP server registering resource records for legacy clients is a member of the DnsUpdateProxy group, the problems discussed earlier are eliminated.

You can configure the DnsUpdateProxy security group through Active Directory Users and Computers. For more information, see Add a member to a group.

0
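The DHCP-side DNS update settings and the record-ownership problem described in the two TechNet excerpts above, as an added PowerShell example (not from the thread or from the quoted article). It assumes the DhcpServer and ActiveDirectory modules of Server 2012 or later (on Server 2008 these are the check boxes on the DNS tab of the server or scope properties); the server name is a constructed placeholder.

```powershell
# Added example, not from the thread. Assumes Server 2012+ DhcpServer and
# ActiveDirectory modules; $DhcpServer is a constructed placeholder.
$DhcpServer = 'server1'

# The three modes from the text map to -DynamicUpdates OnClientRequest (default,
# honours option 81), Always, or Never. The two optional tasks map to
# -DeleteDnsRROnLeaseExpiry (drop A/PTR when the lease goes) and
# -UpdateDnsRRForOlderClients (register for clients that cannot send option 81).
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer `
    -DynamicUpdates OnClientRequest `
    -DeleteDnsRROnLeaseExpiry $true `
    -UpdateDnsRRForOlderClients $true

# Ownership. With secure dynamic update, a record the DHCP server creates is
# owned by that server's computer account, which is the failover problem the
# text describes. Two ways to let every DHCP server update the same records:
#  - DnsUpdateProxy membership (the text's fix): records its members create are
#    unsecured, so any authenticated principal can later overwrite them.
#  - A dedicated low-privilege account used by all DHCP servers for updates:
#    every server then acts as the same owner and the records stay secured.
$UseSharedCredential = $true
if ($UseSharedCredential) {
    $Cred = Get-Credential -Message 'Account all DHCP servers use for DNS updates'
    Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $Cred
} else {
    Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members (Get-ADComputer $DhcpServer)
}

# Verify the effective update policy and which identity performs the updates.
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer
Get-DhcpServerDnsCredential -ComputerName $DhcpServer
```

If DnsUpdateProxy is used anyway, keep the DHCP servers themselves out of it as far as possible: a domain controller that is also a DHCP server and a DnsUpdateProxy member registers its own SRV and A records unsecured, which is exactly the kind of record an attacker on the LAN would want to overwrite.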
 
LVL 2

Author Comment

by:ywainberg
ID: 33611356
Sorry guys, I'm a bit confused.
If I changed the scavenging back to 7 days and an employee with a laptop didn't log on for 60 days,
will he have a problem logging in?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33611405
Nope, it doesn't remove them from the domain. It will clear only host records in DNS. They will re-register after the first logon.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33611423
0
 
LVL 6

Expert Comment

by:Nuttycomputer
ID: 33611469
iSiek is correct. Newer systems will reset the timestamp every time the system logs on to the domain. Older systems (98 and before, assuming you're having DHCP register for them) will update the record timestamp when the lease is requested.

A new lease starts to get requested when the lease period is half over. So if you have a lease period of 8 days systems will request new lease period starting at 4 days.
0
 
LVL 2

Author Comment

by:ywainberg
ID: 33611582
can you answer my question above?
thanks
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33611600
who and which one? :)
0
 
LVL 2

Author Comment

by:ywainberg
ID: 33611631
If I changed the scavenging back to 7 days and an employee with a laptop didn't log on for 60 days,
will he have a problem logging in?
0
 
LVL 6

Expert Comment

by:Nuttycomputer
ID: 33611640
"If I changed the scavenging back to 7 days and an employee with a laptop didn't log on for 60 days,
will he have a problem logging in?"

No. Scavenging only applies to OLD A records in DNS being associated with the computer. These records are updated at every login with newer systems, or when the DHCP server updates them for older systems at the time of issuing the lease.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33611647
That's right. Nuttycomputer explained it to you well :)
0
 
LVL 2

Author Comment

by:ywainberg
ID: 33611697
what could be the risk in applying scavenging ?
0
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 250 total points
ID: 33611738
Do you have any older clients than 2000 Pro? If not, then there is no risk at all.
0
 
LVL 6

Expert Comment

by:Nuttycomputer
ID: 33611968
To answer the opposite of that question: having old A records could cause confusion for people viewing the records and leads to an unnecessarily larger DNS file to be replicated.
0
 
LVL 6

Assisted Solution

by:Nuttycomputer
Nuttycomputer earned 250 total points
ID: 33611983
While we're tossing around links, you can find a great article on scavenging here: http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx
0
