Solved

DNS - Idiot Duplicates Issue

Posted on 2013-01-28
1,101 Views
Last Modified: 2013-01-31
ISSUE

We seem to be having an issue with duplicate DNS records in our forward lookup zones.
Our reverse lookup zones do have a few duplicate machine names as well – no duplicate IPs thankfully.

This is a 2003 domain with a mix of XP and W7 clients.

The issue seems to be related, at least in part, to DNS and DHCP not communicating properly.

DHCP should be set up to keep DNS up to date by implementing the DnsUpdateProxy group per http://technet.microsoft.com/en-us/library/cc787034(v=ws.10).aspx.

And yet I have duplicates.

With the behavior above and the settings below, does anything stand out as a possible cause of the duplicate issue?


CONFIGURATION

DNS

Forward Zone settings:

Active Directory integrated
Dynamic updates: secure only
Aging (refresh / no-refresh interval): 7 days

Reverse Zone settings:

Active Directory integrated
Dynamic updates: secure only
Aging (refresh / no-refresh interval): 1 day

DHCP

Enable DNS dynamic updates
Always dynamically update DNS A and PTR records
Discard A and PTR records when lease is deleted
DNS dynamic updates registration credentials: setup and enabled
Lease duration: 1 day

WINS – not in use
Question by: acmi
15 Comments
 
LVL 16

Accepted Solution

by: choward16980 earned 500 total points
ID: 38829001
0
 

Author Comment

by:acmi
ID: 38829055
Thanks Choward16980,

I'll give this a good read as soon as I can get free tomorrow.  Just out of curiosity, what did you search on to get this article?
0
 
LVL 12

Expert Comment

by:mlongoh
ID: 38829073
How many DHCP servers and how many DNS servers?  And if all of your DHCP clients are in the domain, then you don't need to bother with having DHCP perform DNS updates.

If you do need to have DNS updated by DHCP (because you need to access non-domain clients/devices by name), then my next question is whether or not your DHCP server is a domain member (I'm presuming that it is and is probably a DC)?
0
 

Author Comment

by:acmi
ID: 38829116
We have one DHCP server and two DNS servers.  
The DHCP server is a member server (DC) running AD and DNS as well.  
All clients are within the same domain.

The reason why we are bothering with having DHCP update DNS was due to our DNS duplicate issue.

According to MS, the way around that is to have DHCP updating DNS – just does not seem to be working.
0
 
LVL 12

Expert Comment

by:mlongoh
ID: 38829617
Doesn't make much sense to me. The way dynamic DNS works in an AD environment is that when the client comes up and the IP stack comes up, the workstation registers its address in DNS automatically. That registration process should update any existing record for the workstation instead of creating a new record. Have you tried setting the DHCP lease duration to be greater than the aging for the forward zone? I would set the aging to 1 day and the lease duration to 3 days. I believe that setting DHCP to update DNS only applies to devices that don't update dynamic DNS automatically, like an older OS such as Windows 95 or NT 4.
0
 
LVL 16

Expert Comment

by:choward16980
ID: 38831938
If you have DHCP doing this and you have your network adapter doing this, you will receive duplicates.  Please either clear the checkbox shown in the picture or disable it in DHCP.
Untitled.png
0
 

Author Comment

by:acmi
ID: 38832384
Thanks Choward16980,

I'm taking a look at the screenshot, but I am unsure which checkmark you are referring to.

Remove "Append primary and connection specific DNS suffixes"?

Or

Remove "Register this connection's address in DNS"?

I’m also going through the article you sent yesterday as well as time allows today.
0
 

Author Comment

by:acmi
ID: 38832757
deleted comment (ignore)
0
 
LVL 16

Expert Comment

by:choward16980
ID: 38833058
"Register this connection's address in DNS"

That option is the same as the DHCP one.  Having both rules will create a duplicate lease.
0
 

Author Comment

by:acmi
ID: 38833155
Choward16980,

The pic in your attachment is from the network properties of a client computer.

In DHCP, I do not see the same setting, "Register this connection's address in DNS".

Specifically, what is the DHCP-side equivalent of the "Register this connection's address in DNS" setting?
0
 
LVL 16

Expert Comment

by:choward16980
ID: 38835970
0
 
LVL 16

Expert Comment

by:choward16980
ID: 38836031
Oh wait, you're using 2003....  My bad.


http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx

I really think you need to reconfigure your scavenging then...
0
 

Author Comment

by:acmi
ID: 38836909
Just to give a quick update…

I’ve gone through the complete article:

http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx 

Most of what was mentioned was already in place, with a few exceptions:

The DNSUpdateProxy group not only had the DC as a member, it also had the user account that was created to configure the DHCP credentials.  Not sure if that mattered but this has been corrected.

The password for the user account that was created to configure the DHCP credentials was updated as well on the chance that it had been changed by another admin (both in AD and in DHCP obviously).

And the DHCP lease time has been changed from 1 day to 8 days because the DNS scavenging is set to 7 days (scavenging needs to be 1 day less than the lease time).

So I believe I am now in a holding pattern and will have to monitor for duplicates to see if everything is correct and in place and working.

And with scavenging set to 7 days, it looks like it will take up to 4 weeks to see if everything is working as it should.

Rough formula to go by: NoRefresh + Refresh * 2 + the point in time during the 7-day scavenge period. If you choose the default 7-day setting, it may take up to 4 weeks + 1 day (29 days) for scavenging to take place.
0
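To make the timeline in this post concrete, here is an added Python model of how record timestamps, the no-refresh and refresh intervals, and the periodic scavenging pass interact. It is illustration code written for this thread, not code from the page, from Microsoft, or from any poster. It uses the values discussed above (7-day no-refresh, 7-day refresh, 7-day scavenging period, 1-day and 8-day leases) and assumes that a DHCP client renews, and re-registers in DNS, at half its lease time; the scavenging pass is assumed to run exactly every 7 days counted from day 0, whereas the real server starts that timer when scavenging is enabled. Under those assumptions a host that keeps renewing is never scavenged with either lease, a host that registers once on day 0 and disappears is removed on day 14, and a record whose last accepted refresh lands just after a scavenging pass is not removed until day 28, which is the "up to 4 weeks" mentioned above.

```python
"""Aging/scavenging timeline for Windows DNS records (added illustration, not page code).

Intervals are in days. Assumptions: a DHCP client re-registers at half its lease,
and the scavenging pass runs every `scavenge_period` days counted from day 0.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class AgingZone:
    no_refresh: float        # refresh attempts inside this window leave the timestamp alone
    refresh: float           # after no-refresh, a refresh is accepted for this many days
    scavenge_period: float   # interval between the server's scavenging passes
    records: Dict[str, float] = field(default_factory=dict)  # name -> timestamp (day)
    deleted: Dict[str, float] = field(default_factory=dict)  # name -> day it was removed

    def register(self, name: str, day: float) -> bool:
        """Dynamic update of `name` on `day`. True when the timestamp is written
        (new record, or refresh accepted); False when the refresh is suppressed."""
        ts = self.records.get(name)
        if ts is not None and day < ts + self.no_refresh:
            return False                      # inside the no-refresh interval
        self.records[name] = day
        return True

    def is_stale(self, name: str, day: float) -> bool:
        """Eligible for scavenging once no-refresh + refresh days have passed."""
        return day >= self.records[name] + self.no_refresh + self.refresh

    def scavenge(self, day: float) -> List[str]:
        """One scavenging pass: remove every stale record and return their names."""
        stale = [n for n in self.records if self.is_stale(n, day)]
        for n in stale:
            del self.records[n]
            self.deleted[n] = day
        return stale

    def run(self, events: List[Tuple[float, str]], until: float) -> None:
        """Replay (day, name) registrations up to `until`, interleaving scavenging passes."""
        pending = sorted(events)
        next_pass = self.scavenge_period
        while next_pass <= until:
            while pending and pending[0][0] < next_pass:
                day, name = pending.pop(0)
                self.register(name, day)
            self.scavenge(next_pass)
            next_pass += self.scavenge_period
        for day, name in pending:             # registrations after the final pass
            if day <= until:
                self.register(name, day)


def renewal_days(lease: float, last_day: float) -> List[float]:
    """Days on which a DHCP client renews (at half the lease) until it goes offline."""
    days, t = [], lease / 2
    while t <= last_day:
        days.append(t)
        t += lease
    return days


def removal_day(no_refresh: float, refresh: float, period: float,
                registrations: List[float], horizon: float = 60) -> Optional[float]:
    """Day on which a scavenging pass removes the host's record, or None if it survives
    through `horizon`. Host name "pc1" is a constructed sample value."""
    zone = AgingZone(no_refresh, refresh, period)
    zone.run([(d, "pc1") for d in registrations], horizon)
    return zone.deleted.get("pc1")


if __name__ == "__main__":
    # Thread values: 7-day no-refresh, 7-day refresh, 7-day scavenging period.
    print("1-day lease, host online 30 days:", removal_day(7, 7, 7, renewal_days(1, 30), 30))
    print("8-day lease, host online 30 days:", removal_day(7, 7, 7, renewal_days(8, 30), 30))
    print("registered day 0, then gone:     ", removal_day(7, 7, 7, [0.0]))
    print("last accepted refresh day 7.5:   ", removal_day(7, 7, 7, renewal_days(1, 7.5)))
```

The fourth case is the one that makes scavenging look broken while you wait: the refresh on day 7.5 is the first one accepted after the no-refresh window, so the record is not stale until day 21.5, and the pass on day 21 misses it; only the day-28 pass removes it.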
 

Author Comment

by:acmi
ID: 38841364
We are not seeing duplicates in any zones since the changes above were made.  Unfortunately, it may take a few weeks before an issue arises if we are still having problems.  Rather than leaving this question open to wait for a future issue, I'm going to close this now and can revisit should further issues arise.
0
 

Author Closing Comment

by:acmi
ID: 38841385
Great article.
0
