Solved

dual redundant DCs no longer update reverse lookup zone info from secondary DHCP

Posted on 2013-05-10
4
326 Views
Last Modified: 2013-07-22
Configuration:
primary site:
- two (2)  DCs (2008 R2 domain controllers) configured for redundancy on 172.16.10 subnet
- DNS integrated with AD (Active Directory)
- SOA (Start of Authority) here for entire domain

two (2) remote sites:
- two (2) remote locations 172.16.20 & 172.16.30
- single 2008 R2 server at each site with mainly IP devices
- both remote locations have secondary DNS servers and local DHCP
- DHCP configured to point to primary site DCs as DNS

Functionality we had:
- when we had one (1) DC at primary site (172.16.10) - DHCP updates at secondary sites (172.16.20 & 172.16.30) would show up in "reverse lookup zones" in the DNS of the primary site (172.16.10)  ... this allowed primary site to know dynamic IP addresses of secondary sites remote devices

This functionality was lost when we added second (2) DC to the primary site.  Changes by remote secondary sites' DHCP (172.16.20 & 172.16.30) are no longer seen in primary site (172.16.10) DNS "reverse lookup zones"

How do we configure so we have the desired functionality with redundant primary DCs?

Thanks in advance for your help
0
Comment
Question by:wmhooper
  • 2
  • 2
4 Comments
 
LVL 39

Expert Comment

by:footech
ID: 39157703
Why not use AD-integrated zones at all sites, and point machines at remote sites to use the local DNS server?  Replication can handle getting all the information to all the DNS servers.

How are the reverse zones configured?  Are they AD-integrated?  If so, are they configured to allow only secure dynamic updates, or what?  For secure zones, since it is the DHCP server that registers the PTR records for dynamic clients, I would check the credentials that you are using.
0
 

Author Comment

by:wmhooper
ID: 39175031
The remote sites are warehouses, with RF devices and single servers - insecure sites from an IT perspective.

The company only wants domain controllers in the central location, plus the disaster recovery location (the reason for the two (2) primary DCs)

Further research on this problem seems to point to the need to have one DC as read / write and the second DC be ReadOnly and not have both DCs as read/write

We may try this option in few months if we can not get the current configuration working as required.
0
 

Author Comment

by:wmhooper
ID: 39175062
From footech:

Q1: How are the reverse zones configured?  Are they AD-integrated?  If so, are they configured to allow only secure dynamic updates, or what?  

A1:The two DCs with reverse zones are AD-integrated. They were configured for secure updates but we also tried to allow for un-secure updates as a test.

Q2: For secure zones, since it is the DHCP server that registers the PTR records for dynamic clients, I would check the credentials that you are using.

A2: The dynamic updates from remote DHCP to the reverse zones on the DCs worked when we only had a single DC.

The introduction of a second redundant DC (at disaster backup site) broke this functionality.
0
 
LVL 39

Accepted Solution

by:
footech earned 400 total points
ID: 39175986
At the most basic, there's no reason (that I can think of) that just adding another DC would impact DNS records registration.  In my experience, problems with records registration almost always stem from security configuration, resulting in records that cannot be updated due to the record's ownership.
The best recommendation I have is that you configure all DHCP servers to use the same domain account to perform DNS dynamic updates (under Advanced tab > Credentials), and to add all DHCP server accounts to the DNSUpdateProxy group in AD.

See this link for further details.
http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx
0

Featured Post

3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Manual DNS and blocking mapped drives 8 88
Problem with autodiscover SBS 2011 4 72
Why do I get "media disconnected" when I run ipconfig? 2 28
AD Account Lockout 22 31
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Trying to figure out group policy inheritance and which settings apply where can be a chore.  Here's a very simple summary I've written which might help.  Keep in mind, this is just a high-level conceptual overview where I try to avoid getting bogge…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now