Solved

DNS - Idiot Duplicates Issue

Posted on 2013-01-28
Last Modified: 2013-01-31
ISSUE

We seem to be having an issue with duplicate DNS records in our forward lookup zones.
Our reverse lookup zones do have a few duplicate machine names as well – no duplicate IPs thankfully.

This is a 2003 domain with a mix of XP and W7 clients.

The issue seems to be related, at least in part, to DNS and DHCP not communicating properly.

DHCP should be set up to keep DNS up to date by implementing the DnsUpdateProxy group per http://technet.microsoft.com/en-us/library/cc787034(v=ws.10).aspx.

And yet I have duplicates.

With the behavior above and the settings below, does anything stand out as a possible cause of the duplicate issue?


CONFIGURATION

DNS

Forward Zone settings:

Active Directory integrated
Dynamic updates: secure only
Aging (refresh \ no-refresh interval): 7 days

Reverse Zone settings:

Active Directory integrated
Dynamic updates: secure only
Aging (refresh \ no-refresh interval): 1 day

DHCP

Enable DNS dynamic updates
Always dynamically update DNS A and PTR record
Discard A and PTR records when lease is deleted
DNS dynamic updates registration credentials: set up and enabled
Lease duration: 1 day

WINS – not in use
0
Comment
Question by:acmi
15 Comments
 
LVL 16

Accepted Solution

by:
choward16980 earned 500 total points
ID: 38829001
0
 

Author Comment

by:acmi
ID: 38829055
Thanks Choward16980,

I'll give this a good read as soon as I can get free tomorrow. Just out of curiosity, what did you search on to get this article?
0
 
LVL 12

Expert Comment

by:mlongoh
ID: 38829073
How many DHCP servers and how many DNS servers?  And if all of your DHCP clients are in the domain, then you don't need to bother with having DHCP perform DNS updates.

If you do need to have DNS updated by DHCP (because you need to access non-domain clients/devices by name), then my next question is whether or not your DHCP server is a domain member (I'm presuming that it is and is probably a DC)?
0
 

Author Comment

by:acmi
ID: 38829116
We have one DHCP server and two DNS servers.
The DHCP server is a member server (DC) running AD and DNS as well.
All clients are within the same domain.

The reason why we are bothering with having DHCP update DNS was due to our DNS duplicate issue.

According to MS, the way around that is to have DHCP updating DNS – just does not seem to be working.
0
 
LVL 12

Expert Comment

by:mlongoh
ID: 38829617
Doesn't make much sense to me. The way dynamic DNS works in an AD environment is that when the client comes up and the IP stack comes up, the workstation registers its address in DNS automatically. That registration process should update any existing record for the workstation instead of creating a new record. Have you tried setting the DHCP lease duration to be greater than the aging for the forward zone? I would set the aging to 1 day and the lease duration to 3 days. I believe that setting DHCP to update DNS only applies to devices that don't update dynamic DNS automatically, like an older OS such as Windows 95 or NT 4.
0
 
LVL 16

Expert Comment

by:choward16980
ID: 38831938
If you have DHCP doing this and you have your network adapter doing this, you will receive duplicates.  Please either remove the checkbox shown in the picture or disable on DHCP.
Untitled.png
0
 

Author Comment

by:acmi
ID: 38832384
Thanks Choward16980,

I’m taking a look at the screen shot but I am unsure of which checkmark you are referring to.

Remove from "Append primary and connection specific DNS suffixes"?

Or

Remove from "Register this connection's address in DNS"?

I’m also going through the article you sent yesterday as well as time allows today.
0
 

Author Comment

by:acmi
ID: 38832757
deleted comment (ignore)
0
 
LVL 16

Expert Comment

by:choward16980
ID: 38833058
"Register this connection's address in DNS"

That option is the same as the DHCP one.  Having both rules will create a duplicate lease.
0
 

Author Comment

by:acmi
ID: 38833155
Choward16980,

The pic in your attachment is from the network properties of a client computer.

In DHCP, I do not see the same setting, "Register this connection's address in DNS".

Specifically, what is the setting for the alternative to "Register this connection's address in DNS" within DHCP?
0
 
LVL 16

Expert Comment

by:choward16980
ID: 38835970
0
 
LVL 16

Expert Comment

by:choward16980
ID: 38836031
Oh wait, you're using 2003....  My bad.


http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx

I really think you need to reconfigure your scavenging then...
0
 

Author Comment

by:acmi
ID: 38836909
Just to give a quick update…

I’ve gone through the complete article:

http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx

Most of what was mentioned was already in place, with a few exceptions:

The DNSUpdateProxy group not only had the DC as a member, it also had the user account that was created to configure the DHCP credentials.  Not sure if that mattered but this has been corrected.

The password for the user account that was created to configure the DHCP credentials was updated as well on the chance that it had been changed by another admin (both in AD and in DHCP obviously).

And the DHCP lease time has been changed from 1 day to 8 days due to the DNS scavenging being set to 7 days (scavenging needs to be 1 day less than the lease time).

So I believe I am now in a holding pattern and will have to monitor for duplicates to see if everything is correct and in place and working.

And with scavenging set to 7 days, it looks like it will take up to 4 weeks to see if everything is working as it should.

Rough formula to go by: NoRefresh + Refresh * 2 + the point in time during the 7 day scavenge period. If you choose the default 7 day setting, it may take up to 4 weeks + 1 day (29 days) for scavenging to take place.
0
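While waiting out the scavenging cycle, it helps to check the zones for the two symptoms described in this thread (one host name owning several A records, and one name appearing under several PTR records) rather than eyeballing the console. The following is an added example, not code from the question or from either article linked above; the zone records are constructed sample data shaped like dnscmd /enumrecords output (owner, type, data), and the worst-case delay function encodes the rough formula stated in the comment above.

```python
"""Spot duplicate DNS records and estimate the worst-case scavenging delay."""
from collections import defaultdict
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]  # (owner name, record type, record data)

# Constructed sample forward zone: ws01 kept an old A record after a new lease.
FORWARD_ZONE: List[Record] = [
    ("ws01", "A", "10.0.0.11"),
    ("ws01", "A", "10.0.0.57"),   # stale entry from a previous lease
    ("ws02", "A", "10.0.0.12"),
    ("dc1", "A", "10.0.0.1"),
]

# Constructed sample reverse zone (owner is the last octet of 10.0.0.0/24).
REVERSE_ZONE: List[Record] = [
    ("11", "PTR", "ws01.corp.example."),
    ("57", "PTR", "ws01.corp.example."),  # same machine name under two IPs
    ("12", "PTR", "ws02.corp.example."),
    ("1", "PTR", "dc1.corp.example."),
]


def duplicate_a_records(records: List[Record]) -> Dict[str, List[str]]:
    """Return {hostname: [ip, ...]} for every host that owns more than one A record."""
    by_name: Dict[str, List[str]] = defaultdict(list)
    for owner, rtype, data in records:
        if rtype.upper() == "A":
            by_name[owner.lower()].append(data)
    return {name: ips for name, ips in by_name.items() if len(ips) > 1}


def duplicate_ptr_names(records: List[Record]) -> Dict[str, List[str]]:
    """Return {fqdn: [owner, ...]} for names that more than one PTR record points to."""
    by_target: Dict[str, List[str]] = defaultdict(list)
    for owner, rtype, data in records:
        if rtype.upper() == "PTR":
            by_target[data.lower()].append(owner)
    return {fqdn: owners for fqdn, owners in by_target.items() if len(owners) > 1}


def scavenge_worst_case_days(no_refresh: int, refresh: int, scavenge_period: int) -> int:
    """Worst-case days until a stale record is removed, using the thread's rough
    formula: NoRefresh + Refresh * 2 + up to one full scavenging period, plus
    one extra day of slack (7/7/7 gives 29 days)."""
    return no_refresh + 2 * refresh + scavenge_period + 1
```

Feed the functions the real zone contents (for example, records exported with dnscmd) in place of the constructed lists; any non-empty result is a record pair worth inspecting before the next scavenging pass.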
 

Author Comment

by:acmi
ID: 38841364
We are not seeing duplicates in any zones since the changes above were made. Unfortunately, it may take a few weeks before an issue arises if we are still having problems. Rather than leaving this question open to wait for a future issue, I'm going to close this now and can revisit should further issues arise.
0
 

Author Closing Comment

by:acmi
ID: 38841385
Great article.
0
