DNS - Idiot Duplicates Issue

Posted on 2013-01-28
Last Modified: 2013-01-31
ISSUE

We seem to be having an issue with duplicate DNS records in our forward lookup zones.
Our reverse lookup zones do have a few duplicate machine names as well – no duplicate IPs thankfully.

This is a 2003 domain with a mix of XP and W7 clients.

The issue seems to be related, at least in part, to DNS and DHCP not communicating properly.

DHCP should be set up to keep DNS up to date via implementing the DnsUpdateProxy group per http://technet.microsoft.com/en-us/library/cc787034(v=ws.10).aspx.

And yet I have duplicates.

With the behavior above and the settings below, does anything stand out as a possible cause of the duplicate issue?


CONFIGURATION

DNS

Forward Zone settings:

Active Directory integrated
Dynamic updates: secure only
Aging (refresh \ no-refresh interval) : 7 days

Reverse Zone settings:

Active Directory integrated
Dynamic updates: secure only
Aging (refresh \ no-refresh interval) : 1 day

DHCP

Enable DNS dynamic updates
Always dynamically update DNS A and PTR records
Discard A and PTR records when lease is deleted
DNS dynamic updates registration credentials: setup and enabled
Lease duration: 1 day

WINS – not in use
Question by:acmi
15 Comments

Accepted Solution

by:
choward16980 earned 500 total points
ID: 38829001

Author Comment

by:acmi
ID: 38829055
Thanks Choward16980,

I'll give this a good read as soon as I can get free tomorrow.  Just out of curiosity, what did you search on to get this article?

Expert Comment

by:mlongoh
ID: 38829073
How many DHCP servers and how many DNS servers?  And if all of your DHCP clients are in the domain, then you don't need to bother with having DHCP perform DNS updates.

If you do need to have DNS updated by DHCP (because you need to access non-domain clients/devices by name), then my next question is whether or not your DHCP server is a domain member (I'm presuming that it is and is probably a DC)?

Author Comment

by:acmi
ID: 38829116
We have one DHCP server and two DNS servers.
The DHCP server is a member server (DC) running AD and DNS as well.
All clients are within the same domain.

The reason why we are bothering with having DHCP update DNS was due to our DNS duplicate issue.

According to MS, the way around that is to have DHCP updating DNS – just does not seem to be working.

Expert Comment

by:mlongoh
ID: 38829617
Doesn't make much sense to me. The way dynamic DNS works in an AD environment is that when the client comes up and the IP stack comes up, the workstation registers its address in DNS automatically. That registration process should update any existing record for the workstation instead of creating a new record. Have you tried setting the DHCP lease duration to be greater than the aging for the forward zone? I would set the aging to 1 day and the lease duration to 3 days. I believe that setting DHCP to update DNS only applies to devices that don't update dynamic DNS automatically, like an older OS such as Windows 95 or NT 4.

Expert Comment

by:choward16980
ID: 38831938
If you have DHCP doing this and you have your network adapter doing this, you will receive duplicates.  Please either remove the checkbox shown in the picture or disable on DHCP.
[attached screenshot: Untitled.png]

Author Comment

by:acmi
ID: 38832384
Thanks Choward16980,

I’m taking a look at the screenshot but I am unsure of which checkmark you are referring to.

Remove from Append primary and connection specific DNS suffixes?

Or

Remove from "Register this connection's address in DNS"?

I’m also going through the article you sent yesterday as well as time allows today.

Author Comment

by:acmi
ID: 38832757
deleted comment (ignore)

Expert Comment

by:choward16980
ID: 38833058
"Register this connection's address in DNS"

That option is the same as the DHCP one.  Having both rules will create a duplicate lease.

Author Comment

by:acmi
ID: 38833155
Choward16980,

The pic in your attachment is from the network properties of a client computer.

In DHCP, I do not see the same setting, “Register this connection's address in DNS”.

Specifically, what is the setting for the alternative to “Register this connection's address in DNS” within DHCP?

Expert Comment

by:choward16980
ID: 38835970

Expert Comment

by:choward16980
ID: 38836031
Oh wait, you're using 2003....  My bad.


http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx

I really think you need to reconfigure your scavenging then...

Author Comment

by:acmi
ID: 38836909
Just to give a quick update…

I’ve gone through the complete article:

http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx

Most of what was mentioned was already in place with a few exceptions:

The DNSUpdateProxy group not only had the DC as a member, it also had the user account that was created to configure the DHCP credentials.  Not sure if that mattered but this has been corrected.

The password for the user account that was created to configure the DHCP credentials was updated as well on the chance that it had been changed by another admin (both in AD and in DHCP obviously).

And the DHCP lease time has been changed from 1 day to 8 days due to the DNS scavenging being set to 7 days (scavenging needs to be 1 day less than the lease time).

So I believe I am now in a holding pattern and will have to monitor for duplicates to see if everything is correct and in place and working.

And with scavenging set to 7 days, it looks like it will take up to 4 weeks to see if everything is working as it should.

Rough formula to go by: NoRefresh + Refresh * 2 + the point in time during the 7-day scavenge period. If you choose the default 7-day setting, it may take up to 4 weeks + 1 day (29 days) for scavenging to take place.
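The two things the thread keeps coming back to, the duplicate A/PTR records from the original question and the aging arithmetic in the comment above, can both be checked from a zone export instead of by eye. The script below is an added example written for this page; it is not code from the original post or from Microsoft. It reads the text that `dnscmd /ZoneExport <zone> <file>` writes (on Windows Server 2003 the file lands in the DNS server's dns directory), and assumes that dynamically registered records carry an `[AGE:n]` token where n is the record timestamp in hours since 1601-01-01 UTC, while static records carry no token; verify that against your own export before trusting the output. The zone names (corp.example, 0.0.10.in-addr.arpa), hostnames, addresses and AGE values in the sample are constructed for the example, and "now" is pinned to the question's date so the output is reproducible.

```python
"""Check a Windows DNS zone export for duplicate and scavenge-eligible records.

Added example for this thread, not code from the original post or from
Microsoft.  Assumed dnscmd /ZoneExport format: dynamic records carry an
[AGE:n] token (n = timestamp in hours since 1601-01-01 UTC); static records
have no token.  Check this against your own export before relying on it.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, NamedTuple, Optional

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
WEEK = timedelta(days=7)
NOW = datetime(2013, 1, 28, tzinfo=timezone.utc)  # pinned so output is reproducible

# Constructed sample exports, not real zones.  ws-old and ws-new share
# 10.0.0.50 (the forward-zone duplicate from the question); in the reverse zone
# ws-old is the PTR target of two addresses; printer is a static record.
SAMPLE_FORWARD = """\
;  Zone:      corp.example
;  Server:    dc1.corp.example
dc1               [AGE:3612000] 600  A   10.0.0.1
ws-old            [AGE:3611700] 1200 A   10.0.0.50
ws-new            [AGE:3612150] 1200 A   10.0.0.50
printer           3600 A   10.0.0.7
"""
SAMPLE_REVERSE = """\
;  Zone:      0.0.10.in-addr.arpa
50                [AGE:3612150] 1200 PTR ws-new.corp.example.
51                [AGE:3611700] 1200 PTR ws-old.corp.example.
52                [AGE:3611900] 1200 PTR ws-old.corp.example.
"""

# owner (blank = same as previous line), optional [AGE:n], TTL, optional IN, type, rdata
LINE_RE = re.compile(
    r"^(?P<owner>\S+)?\s+(?:\[AGE:(?P<age>\d+)\]\s+)?(?P<ttl>\d+)\s+"
    r"(?:IN\s+)?(?P<type>A|AAAA|PTR)\s+(?P<data>\S+)\s*$"
)


class Record(NamedTuple):
    name: str
    rtype: str
    data: str
    age_hours: Optional[int]  # None marks a static record


def parse_export(text: str, zone: str) -> List[Record]:
    """Parse A/AAAA/PTR lines of an export; other types are skipped."""
    records: List[Record] = []
    owner = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith((";", "$")):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        if m.group("owner"):
            owner = m.group("owner")
        if owner is None:
            continue
        name = zone if owner == "@" else f"{owner}.{zone}"
        age = m.group("age")
        records.append(Record(name, m.group("type"), m.group("data").rstrip("."),
                              int(age) if age is not None else None))
    return records


def record_timestamp(age_hours: int) -> datetime:
    return EPOCH_1601 + timedelta(hours=age_hours)


def duplicates_by_data(records: List[Record], rtype: str) -> Dict[str, List[str]]:
    """Owners sharing one rdata: two A records for one IP, or two PTRs naming the
    same host.  On a DC the zone apex and the DC's own A record legitimately
    share an IP, so review the list rather than deleting blindly."""
    by_data = defaultdict(set)
    for r in records:
        if r.rtype == rtype:
            by_data[r.data].add(r.name)
    return {d: sorted(n) for d, n in by_data.items() if len(n) > 1}


def scavenge_eligible(records: List[Record], now: datetime,
                      no_refresh: timedelta, refresh: timedelta) -> List[str]:
    """Dynamic records with timestamp + NoRefresh + Refresh already in the past;
    the server may delete them on its next scavenging pass.  Static records
    (no AGE token) are never scavenged."""
    cutoff = now - (no_refresh + refresh)
    return sorted(r.name for r in records
                  if r.age_hours is not None and record_timestamp(r.age_hours) <= cutoff)


def stale_duplicates(records: List[Record], now: datetime, no_refresh: timedelta,
                     refresh: timedelta, rtype: str = "A") -> Dict[str, List[str]]:
    """Duplicate groups with at least one scavengeable member: leftovers that
    scavenging should clear, as opposed to two live hosts on one address."""
    eligible = set(scavenge_eligible(records, now, no_refresh, refresh))
    return {d: names for d, names in duplicates_by_data(records, rtype).items()
            if any(n in eligible for n in names)}


def worst_case_removal(no_refresh: timedelta, refresh: timedelta,
                       scavenging_period: timedelta) -> timedelta:
    """Rule of thumb from the thread: NoRefresh + 2 * Refresh plus up to one
    scavenging period before the next pass."""
    return no_refresh + 2 * refresh + scavenging_period


if __name__ == "__main__":
    fwd = parse_export(SAMPLE_FORWARD, "corp.example")
    rev = parse_export(SAMPLE_REVERSE, "0.0.10.in-addr.arpa")
    print("A duplicates:  ", duplicates_by_data(fwd, "A"))
    print("PTR duplicates:", duplicates_by_data(rev, "PTR"))
    print("scavengeable:  ", scavenge_eligible(fwd + rev, NOW, WEEK, WEEK))
    print("stale A dups:  ", stale_duplicates(fwd, NOW, WEEK, WEEK))
    print("worst case:    ", worst_case_removal(WEEK, WEEK, WEEK))
```

Run it against a real export by replacing the two sample strings with the file contents and NOW with `datetime.now(timezone.utc)`. The useful distinction is between a duplicate group that contains a scavengeable member (a stale record that the 7-day intervals will eventually remove) and one whose members are all fresh, which means two live hosts are both registering the same address and no amount of scavenging will fix it.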

Author Comment

by:acmi
ID: 38841364
We are not seeing duplicates in any zones since the changes above were made.  Unfortunately, it may take a few weeks before an issue arises if we are still having problems.  Rather than leaving this question open to wait for a future issue, I’m going to close this now and can revisit should further issues arise.

Author Closing Comment

by:acmi
ID: 38841385
Great article.