Solved

DNS - Idiot Duplicates Issue

Posted on 2013-01-28
Medium Priority
1,140 Views
Last Modified: 2013-01-31
ISSUE

We seem to be having an issue with duplicate DNS records in our forward lookup zones.
Our reverse lookup zones do have a few duplicate machine names as well – no duplicate IPs thankfully.

This is a 2003 domain with a mix of XP and W7 clients.

The issue seems to be related, at least in part, to DNS and DHCP not communicating properly.

DHCP should be set up to keep DNS up to date by implementing the DnsUpdateProxy group per http://technet.microsoft.com/en-us/library/cc787034(v=ws.10).aspx.

And yet I have duplicates.

With the behavior above and the settings below, does anything stand out as a possible cause of the duplicate issue?


CONFIGURATION

DNS

Forward Zone settings:

Active Directory integrated
Dynamic updates: secure only
Aging (refresh / no-refresh interval): 7 days

Reverse Zone settings:

Active Directory integrated
Dynamic updates: secure only
Aging (refresh / no-refresh interval): 1 day

DHCP

Enable DNS dynamic updates
Always dynamically update DNS A and PTR records
Discard A and PTR records when lease is deleted
DNS dynamic updates registration credentials: setup and enabled
Lease duration: 1 day

WINS – not in use
0
Question by:acmi
15 Comments
 
LVL 16

Accepted Solution

by:
choward16980 earned 2000 total points
ID: 38829001
0
 

Author Comment

by:acmi
ID: 38829055
Thanks Choward16980,

I'll give this a good read as soon as I can get free tomorrow.  Just out of curiosity, what did you search on to get this article?
0
 
LVL 12

Expert Comment

by:mlongoh
ID: 38829073
How many DHCP servers and how many DNS servers?  And if all of your DHCP clients are in the domain, then you don't need to bother with having DHCP perform DNS updates.

If you do need to have DNS updated by DHCP (because you need to access non-domain clients/devices by name), then my next question is whether or not your DHCP server is a domain member (I'm presuming that it is and is probably a DC)?
0

 

Author Comment

by:acmi
ID: 38829116
We have one DHCP server and two DNS servers.  
The DHCP server is a member server (DC) running AD and DNS as well.  
All clients are within the same domain.

The reason why we are bothering with having DHCP update DNS was due to our DNS duplicate issue.

According to MS, the way around that is to have DHCP updating DNS – just does not seem to be working.
0
 
LVL 12

Expert Comment

by:mlongoh
ID: 38829617
Doesn't make much sense to me. The way dynamic DNS works in an AD environment is that when the client comes up and the IP stack comes up, the workstation registers its address in DNS automatically. That registration process should update any existing record for the workstation instead of creating a new record. Have you tried setting the DHCP lease duration to be greater than the aging for the forward zone? I would set the aging to 1 day and the lease duration to 3 days. I believe that setting DHCP to update DNS only applies to devices that don't update dynamic DNS automatically, such as an older OS like Windows 95 or NT 4.
0
 
LVL 16

Expert Comment

by:choward16980
ID: 38831938
If you have DHCP doing this and you have your network adapter doing this, you will receive duplicates.  Please either remove the checkbox shown in the picture or disable on DHCP.
Untitled.png
0
 

Author Comment

by:acmi
ID: 38832384
Thanks Choward16980,

I’m taking a look at the screenshot but I am unsure of which checkmark you are referring to.

Remove from “Append primary and connection specific DNS suffixes”?

Or

Remove from “Register this connection's addresses in DNS”?

I’m also going through the article you sent yesterday as well as time allows today.
0
 

Author Comment

by:acmi
ID: 38832757
deleted comment (ignore)
0
 
LVL 16

Expert Comment

by:choward16980
ID: 38833058
Register this connection's addresses in DNS

That option is the same as the DHCP one.  Having both rules will create a duplicate lease.
0
 

Author Comment

by:acmi
ID: 38833155
Choward16980,

The pic in your attachment is from the network properties of a client computer.

In DHCP, I do not see the same setting, “Register this connection's addresses in DNS”.

Specifically, what is the setting for the alternative to “Register this connection's addresses in DNS” within DHCP?
0
 
LVL 16

Expert Comment

by:choward16980
ID: 38835970
0
 
LVL 16

Expert Comment

by:choward16980
ID: 38836031
Oh wait, you're using 2003....  My bad.


http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx

I really think you need to reconfigure your scavenging then...
0
 

Author Comment

by:acmi
ID: 38836909
Just to give a quick update…

I’ve gone through the complete article:

http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx 

Most of what was mentioned was already in place, with a few exceptions:

The DNSUpdateProxy group not only had the DC as a member, it also had the user account that was created to configure the DHCP credentials.  Not sure if that mattered but this has been corrected.

The password for the user account that was created to configure the DHCP credentials was updated as well on the chance that it had been changed by another admin (both in AD and in DHCP obviously).

And the DHCP lease time has been changed from 1 day to 8 days due to the DNS scavenging being set to 7 days (scavenging needs to be 1 day less than the lease time).

So I believe I am now in a holding pattern and will have to monitor for duplicates to see if everything is correct and in place and working.

And with scavenging set to 7 days, it looks like it will take up to 4 weeks to see if everything is working as it should.

Rough formula to go by: NoRefresh + Refresh * 2 + the point in time during the 7-day scavenge period. If you choose the default 7-day setting, it may take up to 4 weeks + 1 day (29 days) for scavenging to take place.
0
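For the monitoring the author describes above, the following is an added example, not code from the thread or from any of the linked articles: a Python script that parses a constructed dump in the style of `dnscmd /zoneprint` record lines, lists host names that own more than one A record (the duplicate symptom in the question), and flags dynamic records whose aging timestamp is older than NoRefresh + Refresh, i.e. what scavenging would be allowed to remove. The record-line layout, the zone name, all addresses, the aging values and the "now" date are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample in the style of "dnscmd /zoneprint" record lines:
# name, optional [Aging:<hours>] tag, TTL, type, data. Names, addresses
# and aging values are made up; a static record carries no Aging tag.
SAMPLE_ZONEPRINT = """\
; Zone: corp.example (constructed sample)
@ 600 NS dc1.corp.example.
dc1 3600 A 10.10.0.5
ws-0101 [Aging:3611900] 1200 A 10.10.1.40
ws-0101 [Aging:3612100] 1200 A 10.10.1.57
ws-0102 [Aging:3612110] 1200 A 10.10.1.41
ws-0103 [Aging:3611000] 1200 A 10.10.1.42
"""

RECORD_RE = re.compile(r"^(\S+)\s+(?:\[Aging:(\d+)\]\s+)?(\d+)\s+([A-Z]+)\s+(.+)$")
# DNS aging timestamps count hours since 1601-01-01 UTC.
AGING_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_zoneprint(text):
    """Return (name, type, data, timestamp-or-None) tuples; static records get None."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or dump comment
        match = RECORD_RE.match(line)
        if match:
            name, aging, _ttl, rtype, data = match.groups()
            stamp = AGING_EPOCH + timedelta(hours=int(aging)) if aging else None
            records.append((name.lower(), rtype, data.strip(), stamp))
    return records

def find_duplicate_a_records(records):
    """Host names that own more than one A record, mapped to their sorted IPs."""
    ips = defaultdict(set)
    for name, rtype, data, _stamp in records:
        if rtype == "A":
            ips[name].add(data)
    return {name: sorted(v) for name, v in ips.items() if len(v) > 1}

def find_stale_dynamic_records(records, now_iso, no_refresh_days, refresh_days):
    """Dynamic A records not refreshed within NoRefresh + Refresh: scavenging candidates."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=no_refresh_days + refresh_days)
    return sorted(n for n, t, _d, s in records if t == "A" and s is not None and s < cutoff)
```

Run against a real dump, the duplicate list is the thing to watch after the changes above; a name that stays in the stale list past the scavenging period means scavenging is not actually running on that zone.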
 

Author Comment

by:acmi
ID: 38841364
We are not seeing duplicates in any zones since the changes above were made.  Unfortunately, it may take a few weeks before an issue arises if we are still having problems.  Rather than leaving this question open to wait for a future issue, I’m going to close this now and can revisit should further issues arise.
0
 

Author Closing Comment

by:acmi
ID: 38841385
Great article.
0
