Solved

DNS - Idiot Duplicates Issue

Posted on 2013-01-28
Last Modified: 2013-01-31
ISSUE

We seem to be having an issue with duplicate DNS records in our forward lookup zones.
Our reverse lookup zones do have a few duplicate machine names as well – no duplicate IPs thankfully.

This is a 2003 domain with a mix of XP and W7 clients.

The issue seems to be related, at least in part, to DNS and DHCP not communicating properly.

DHCP should be set up to keep DNS up to date by implementing the DnsUpdateProxy group per http://technet.microsoft.com/en-us/library/cc787034(v=ws.10).aspx.

And yet I have duplicates.

With the behavior above and the settings below, does anything stand out as a possible cause of the duplicate issue?


CONFIGURATION

DNS

Forward Zone settings:

Active Directory integrated
Dynamic updates: secure only
Aging (refresh / no-refresh interval): 7 days

Reverse Zone settings:

Active Directory integrated
Dynamic updates: secure only
Aging (refresh / no-refresh interval): 1 day

DHCP

Enable DNS dynamic updates
Always dynamically update DNS A and PTR record
Discard A and PTR records when lease is deleted
DNS dynamic updates registration credentials: setup and enabled
Lease duration: 1 day

WINS – not in use
Question by:acmi
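The two kinds of "duplicate" the question describes (one host name holding several A records, one address held by several host names, and one machine name behind several PTRs in the reverse zone) are easy to enumerate once the zone data is in hand. The script below is an added example, not code from this thread or from Microsoft; it works on plain objects so it can be tried offline on the constructed sample at the bottom, and the commented lines show how the same objects are produced from the DnsServer module (Windows Server 2012+ or RSAT; the server and zone names there are placeholders).

```powershell
# Added example (not code from the thread). Finds duplicate-name and
# duplicate-address A records, and duplicate machine names among PTR records.

function Find-DuplicateForwardRecords {
    param([Parameter(Mandatory)][object[]]$Records)   # objects with HostName, Address, Timestamp

    # Same name, more than one address: a new registration was added instead of
    # replacing the old record. With secure-only updates one common reason is
    # that a different account owns the existing record, so the update is refused.
    foreach ($g in ($Records | Group-Object HostName | Where-Object Count -gt 1)) {
        [pscustomobject]@{
            Kind   = 'NameWithMultipleAddresses'
            Key    = $g.Name
            Values = ($g.Group | Sort-Object Timestamp | ForEach-Object {
                          $stamp = if ($_.Timestamp) { $_.Timestamp.ToString('yyyy-MM-dd') } else { 'static' }
                          '{0} [{1}]' -f $_.Address, $stamp
                      }) -join ', '
        }
    }

    # Same address, more than one name: the lease moved to another client and
    # the previous owner's record has been neither updated nor scavenged.
    foreach ($g in ($Records | Group-Object Address | Where-Object Count -gt 1)) {
        [pscustomobject]@{
            Kind   = 'AddressWithMultipleNames'
            Key    = $g.Name
            Values = (($g.Group.HostName | Sort-Object) -join ', ')
        }
    }
}

function Find-DuplicatePtrRecords {
    param([Parameter(Mandatory)][object[]]$Records)   # objects with HostName (last octet), Target (FQDN)

    # One machine name pointed at by several PTR records is the reverse-zone
    # "duplicate machine name" the question mentions.
    foreach ($g in ($Records | Group-Object Target | Where-Object Count -gt 1)) {
        [pscustomobject]@{
            Kind   = 'NameWithMultiplePtrs'
            Key    = $g.Name
            Values = (($g.Group.HostName | Sort-Object) -join ', ')
        }
    }
}

# Live input (commented out; server and zone names are placeholders):
#   $fwd = Get-DnsServerResourceRecord -ComputerName dc1 -ZoneName corp.example -RRType A |
#          Select-Object HostName,
#                        @{ n = 'Address'; e = { $_.RecordData.IPv4Address.ToString() } },
#                        Timestamp
#   $rev = Get-DnsServerResourceRecord -ComputerName dc1 -ZoneName 2.1.10.in-addr.arpa -RRType Ptr |
#          Select-Object HostName, @{ n = 'Target'; e = { $_.RecordData.PtrDomainName } }

# Constructed sample: ws-101 re-registered under a new lease while its old
# record survived, and ws-205 later received the old address.
$fwdSample = @(
    [pscustomobject]@{ HostName = 'ws-101';   Address = '10.1.2.15'; Timestamp = [datetime]'2013-01-10' }
    [pscustomobject]@{ HostName = 'ws-101';   Address = '10.1.2.40'; Timestamp = [datetime]'2013-01-27' }
    [pscustomobject]@{ HostName = 'ws-205';   Address = '10.1.2.15'; Timestamp = [datetime]'2013-01-26' }
    [pscustomobject]@{ HostName = 'fileserv'; Address = '10.1.1.5';  Timestamp = $null }
)
$revSample = @(
    [pscustomobject]@{ HostName = '15'; Target = 'ws-101.corp.example.' }
    [pscustomobject]@{ HostName = '40'; Target = 'ws-101.corp.example.' }
    [pscustomobject]@{ HostName = '5';  Target = 'fileserv.corp.example.' }
)

Find-DuplicateForwardRecords -Records $fwdSample | Format-Table -AutoSize
Find-DuplicatePtrRecords     -Records $revSample | Format-Table -AutoSize
```

On the sample this reports ws-101 with two addresses (the older one stamped 2013-01-10), 10.1.2.15 claimed by both ws-101 and ws-205, and ws-101 behind two PTRs. The timestamp column is the useful part when triaging: a static (null-timestamp) duplicate will never be scavenged and has to be removed by hand, while a dynamic one with an old timestamp is exactly what aging is supposed to clear.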
15 Comments
 
LVL 16

Accepted Solution

by:
choward16980 earned 500 total points
ID: 38829001
 

Author Comment

by:acmi
ID: 38829055
Thanks Choward16980,

I'll give this a good read as soon as I can get free tomorrow.  Just out of curiosity, what did you search on to get this article?
 
LVL 12

Expert Comment

by:mlongoh
ID: 38829073
How many DHCP servers and how many DNS servers?  And if all of your DHCP clients are in the domain, then you don't need to bother with having DHCP perform DNS updates.

If you do need to have DNS updated by DHCP (because you need to access non-domain clients/devices by name), then my next question is whether or not your DHCP server is a domain member (I'm presuming that it is and is probably a DC)?

Author Comment

by:acmi
ID: 38829116
We have one DHCP server and two DNS servers.  
The DHCP server is a member server (DC) running AD and DNS as well.  
All clients are within the same domain.

The reason why we are bothering with having DHCP update DNS was due to our DNS duplicate issue.

According to MS, the way around that is to have DHCP updating DNS – just does not seem to be working.
 
LVL 12

Expert Comment

by:mlongoh
ID: 38829617
Doesn't make much sense to me. The way dynamic DNS works in an AD environment is that when the client comes up and the IP stack comes up, the workstation registers its address in DNS automatically. That registration process should update any existing record for the workstation instead of creating a new record. Have you tried setting the DHCP lease duration to be greater than the aging for the forward zone? I would set the aging to 1 day and the lease duration to 3 days. I believe that setting DHCP to update DNS only applies to devices that don't update dynamic DNS automatically, like an older OS such as Windows 95 or NT 4.
 
LVL 16

Expert Comment

by:choward16980
ID: 38831938
If you have DHCP doing this and you have your network adapter doing this, you will receive duplicates.  Please either remove the checkbox shown in the picture or disable on DHCP.
Untitled.png
 

Author Comment

by:acmi
ID: 38832384
Thanks Choward16980,

I’m taking a look at the screen shot but I am unsure of which checkmark you are referring to.

Remove from Append primary and connection specific DNS suffixes?

Or

Remove from "Register this connection's address in DNS"?

I’m also going through the article you sent yesterday as well as time allows today.
 

Author Comment

by:acmi
ID: 38832757
deleted comment (ignore)
 
LVL 16

Expert Comment

by:choward16980
ID: 38833058
"Register this connection's address in DNS"

That option is the same as the DHCP one.  Having both rules will create a duplicate lease.
 

Author Comment

by:acmi
ID: 38833155
Choward16980,

The pic in your attachment is from the network properties of a client computer.

In DHCP, I do not see the same setting, "Register this connection's address in DNS".

Specifically, what is the setting in DHCP that corresponds to "Register this connection's address in DNS"?
 
LVL 16

Expert Comment

by:choward16980
ID: 38835970
 
LVL 16

Expert Comment

by:choward16980
ID: 38836031
Oh wait, you're using 2003....  My bad.


http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx

I really think you need to reconfigure your scavenging then...
 

Author Comment

by:acmi
ID: 38836909
Just to give a quick update…

I’ve gone through the complete article:

http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx 

Most of what was mentioned  was already in place with a few exceptions:

The DNSUpdateProxy group not only had the DC as a member, it also had the user account that was created to configure the DHCP credentials.  Not sure if that mattered but this has been corrected.

The password for the user account that was created to configure the DHCP credentials was updated as well on the chance that it had been changed by another admin (both in AD and in DHCP obviously).

And the DHCP lease time has been changed from 1 day to 8 days due to the DNS scavenging being set to 7 days (scavenging needs to be 1 day less than the lease time).

So I believe I am now in a holding pattern and will have to monitor for duplicates to see if everything is correct and in place and working.

And with scavenging set to 7 days, it looks like it will take up to 4 weeks to see if everything is working as it should.

Rough formula to go by: NoRefresh + Refresh * 2 + the point in time during the 7-day scavenge period. If you choose the default 7-day setting, it may take up to 4 weeks + 1 day (29 days) for scavenging to take place.
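To make the waiting period in the update above concrete, here is an added example (mine, not from the thread or the linked article) that models when an unrefreshed record becomes eligible for scavenging and on which run it is actually removed. It assumes the standard aging behaviour: a dynamic update can move a record's timestamp only after the no-refresh interval has elapsed; a record is eligible once no-refresh plus refresh has passed without a new timestamp; eligible records are deleted by the next scavenging run, which recurs every scavenging period counted from the last run (or from when scavenging was turned on at the server). The 7/7/7-day values match this thread's configuration; the dates are constructed.

```powershell
# Added example (not code from the thread): scavenging timeline for one record.

function Get-ScavengeWindow {
    param(
        [Parameter(Mandatory)][datetime]$Timestamp,         # the record's aging timestamp
        [Parameter(Mandatory)][timespan]$NoRefresh,         # zone no-refresh interval
        [Parameter(Mandatory)][timespan]$Refresh,           # zone refresh interval
        [Parameter(Mandatory)][timespan]$ScavengingPeriod,  # server scavenging period
        [Parameter(Mandatory)][datetime]$ScheduleAnchor     # last scavenge run, or when scavenging was enabled
    )
    # A re-registration with unchanged data before this point leaves the timestamp alone.
    $refreshableFrom = $Timestamp + $NoRefresh
    # If nothing refreshes the record during the Refresh window, it is eligible here.
    $eligibleAt = $refreshableFrom + $Refresh

    # The server does not delete at the moment of eligibility; it waits for the
    # next scheduled run, which is one period after the anchor, then every period.
    $nextRun = $ScheduleAnchor + $ScavengingPeriod
    while ($nextRun -lt $eligibleAt) { $nextRun += $ScavengingPeriod }

    [pscustomobject]@{
        Timestamp       = $Timestamp
        RefreshableFrom = $refreshableFrom
        EligibleAt      = $eligibleAt
        RemovedOnRun    = $nextRun
        DaysUntilGone   = [math]::Round(($nextRun - $Timestamp).TotalDays, 1)
    }
}

$seven = [timespan]::FromDays(7)

# Constructed: two records on a zone with 7-day no-refresh and refresh, on a
# server where scavenging was enabled 2013-01-28 (so the first run is 02-04).
# ws-101's stale record was last stamped 2013-01-10; ws-301's on 2013-01-25.
[datetime]'2013-01-10', [datetime]'2013-01-25' | ForEach-Object {
    Get-ScavengeWindow -Timestamp $_ -NoRefresh $seven -Refresh $seven `
                       -ScavengingPeriod $seven -ScheduleAnchor ([datetime]'2013-01-28')
} | Format-Table -AutoSize

# Live use (commented out; zone name is a placeholder): list every dynamic
# record in a zone with the run on which it is due to disappear.
#   $aging = Get-DnsServerZoneAging -Name corp.example
#   $scav  = Get-DnsServerScavenging
#   Get-DnsServerResourceRecord -ZoneName corp.example -RRType A |
#       Where-Object Timestamp |
#       ForEach-Object { Get-ScavengeWindow -Timestamp $_.Timestamp `
#                            -NoRefresh $aging.NoRefreshInterval -Refresh $aging.RefreshInterval `
#                            -ScavengingPeriod $scav.ScavengingInterval -ScheduleAnchor $scav.LastScavengeTime }
```

For the two constructed records this gives: the 2013-01-10 record was already eligible on 2013-01-24 and is removed on the first run, 2013-02-04 (25 days after its timestamp); the 2013-01-25 record becomes eligible on 2013-02-08, misses the 02-04 run, and goes on 2013-02-11 (17 days). That gap between eligibility and the next run is why a freshly enabled scavenging setup looks like it is doing nothing for a while, and why watching for new duplicates is a better short-term signal than counting deleted records.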
 

Author Comment

by:acmi
ID: 38841364
We are not seeing duplicates in any zones since the changes above were made.  Unfortunately, it may take a few weeks before an issue arises if we are still having problems.  Rather than leaving this question open to wait for a future issue, I'm going to close this now and can revisit should further issues arise.
 

Author Closing Comment

by:acmi
ID: 38841385
Great article.