molly22 asked:
DNS setting in DHCP scope

We are using Windows 2008 R2 servers.
In DHCP, what is the best practice for the DNS setting under the DNS tab of the scope properties?
I see a tab to enable DNS dynamic updates according to the setting below. Under this setting I see two options.
Option one: Dynamically update DNS A and PTR records only if requested by client.
Option two: Always update DNS A and PTR records.

There are also options to Discard A and PTR records when lease is deleted, or to Dynamically update DNS A and PTR records for DHCP clients that do not request updates.
I need to know what the best practice for this is on a large network. I have several subnets with their own DHCP and DNS servers.
ASKER CERTIFIED SOLUTION
Gareth Gudger
In the above comment:
For example, "Dynamically update DNS A and PTR records for DHCP clients that do not request updates" is more for legacy clients such as NT4 or clients that do not support registering their DNS through DHCP.

Dynamically update DNS A and PTR records for DHCP clients that do not request updates (for example, clients running Windows NT 4.0) - This option can be selected if you have down-level clients (95/98/NT) or a third-party OS that doesn't have DDNS (Dynamic DNS Update) functionality. If we uncheck it, the mentioned clients will be unable to register themselves with DNS.

"Always dynamically update DNS A and PTR records" - Which means we are asking DHCP to register DNS records on behalf of client machines. If you run DHCP on a DC, DHCP will not register records in DNS unless we set credentials (standard user credentials). You can create one user and use their credentials for DNS registration; you don't need to use Admin accounts. The credentials tab is found under IPv4 properties\Advanced tab.

Instead of the above option you can use another option, "Dynamically update A and PTR records only if requested by DHCP client machines". If we select this option, the client will register A records and DHCP will register PTR records. We need to set credentials for registering the PTR records.

Discard A and PTR records when lease is deleted
Please understand that discard does not mean the records are deleted by the DHCP server itself immediately; the system will clean these records only if the DNS aging/scavenging settings on the DNS server are set properly.

You must create a dedicated user account and configure the DHCP servers with its credentials under the following circumstances:
• The DHCP server is configured to perform DNS dynamic updates on behalf of DHCP clients.
• A domain controller is configured to function as a DHCP server. Without the dedicated user account, secure updates will not work.
• The DNS zones to be updated by the DHCP server are configured to allow only secure dynamic updates.


Check my comments in the post below on the same topic for more information regarding DNS scavenging:
https://www.experts-exchange.com/questions/28306544/Window-DNS-DHCP-setting.html

Since you are running Windows 2008 R2, also check my comment in the article below for more information regarding DNS proxy updates and DHCP name protection:
https://www.experts-exchange.com/questions/28302450/What's-this-cmd-mean-dnscmd-config-OpenAclOnProxyUpdates-0.html

Lastly, check the TechNet threads below:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/1515eca4-8716-4360-9d40-383145c528ff/dhcp-best-practices-and-dc?forum=winserverNIS
http://social.technet.microsoft.com/Forums/windowsserver/en-US/8d4b5f8e-3290-4a9b-8f9d-68fafdd895a2/dhcp-service-not-siscarding-a-and-ptr-records-in-dns-when-lease-is-deleted

Mahesh
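The configuration described in the reply above (dedicated non-admin DNS update account, scope-level dynamic update policy, and the aging/scavenging that actually removes discarded records), as an added PowerShell example that is not part of the original post. It assumes the DhcpServer and DnsServer modules (Windows Server 2012 or later RSAT; on a 2008 R2 server itself the same settings live in the DHCP MMC or netsh dhcp), and the server, scope, zone and interval values are placeholders.

```powershell
# Added example (not from the original post). Assumes the DhcpServer and
# DnsServer PowerShell modules (Windows Server 2012 or later RSAT); on a
# 2008 R2 server itself the same settings live in the DHCP MMC / netsh dhcp.
# Server names, scope, zone and intervals below are placeholders.
$DhcpServer = 'dhcp01.corp.example'
$DnsServer  = 'dc01.corp.example'
$ScopeId    = '10.10.20.0'
$Zone       = 'corp.example'

# 1. Dedicated, plain domain user that DHCP uses for DNS registrations.
#    Required when DHCP runs on a DC and/or the zone allows secure updates only;
#    no admin rights are needed for this account.
$cred = Get-Credential -Message 'Dedicated DHCP DNS update account (plain domain user)'
Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $cred
Get-DhcpServerDnsCredential -ComputerName $DhcpServer   # verify UserName / DomainName

# 2. Scope-level DNS dynamic update policy matching the reply above:
#    - OnClientRequest          : client registers its A record, DHCP registers PTR
#    - DeleteDnsRRonLeaseExpiry : "Discard A and PTR records when lease is deleted"
#    - UpdateDnsRRForOlderClients: DHCP registers on behalf of non-DDNS (down-level) clients
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $ScopeId `
    -DynamicUpdates OnClientRequest `
    -DeleteDnsRRonLeaseExpiry $true `
    -UpdateDnsRRForOlderClients $true

# 3. Discard only lets records age; zone aging plus server scavenging removes them.
#    Intervals are sample values sized for an assumed 8-day lease (NoRefresh + Refresh = lease).
Set-DnsServerZoneAging -ComputerName $DnsServer -Name $Zone -Aging $true `
    -NoRefreshInterval (New-TimeSpan -Days 4) -RefreshInterval (New-TimeSpan -Days 4)
Set-DnsServerScavenging -ComputerName $DnsServer -ScavengingState $true `
    -ScavengingInterval (New-TimeSpan -Days 7)

# 4. Read the scope setting back so the change can be audited against the policy.
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $ScopeId |
    Format-List DynamicUpdates, DeleteDnsRRonLeaseExpiry, UpdateDnsRRForOlderClients
```

Omitting -ScopeId applies the same policy at server level; a scope-level setting overrides it for that scope only.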
molly22 (ASKER):

Thanks, this answered all my questions.
Not sure on what basis you have accepted the 1st comment, since the comment is not perfect.

Anyways, Thanks

Mahesh
Isn't perfection relative? :)
Yes, basically some statements in your comment are not correct \ partially correct.

Your comment:
"Dynamically update DNS A and PTR records for DHCP clients that do not request updates" is more for legacy clients such as NT4 or clients that do not support registering their DNS through DHCP
My explanation:
In reality those legacy clients are not DDNS (DNS dynamic update) capable, hence the DHCP option needs to be selected so that DHCP will handle dynamic registration on behalf of those clients.

Discard can help clean up DNS so you don't have stale records on your network once a client changes IPs or moves to another subnet.
My explanation:
Discard does not mean the records are deleted by the DHCP server itself immediately; the system will clean these records only if you set the DNS aging/scavenging settings on the DNS server. This hidden fact must be reflected in the comment.

Of course, if you have no need to register DHCP clients in DNS, as they are most often client computers, you can disable these options
My explanation:
You should not disable these advanced DNS options on DHCP, as it is the only best way to deal with the DNS dynamic update and DHCP combination. If you deselect those options then you will lose sync between DNS and DHCP and create unnecessary stale records in DNS.
If you have static IP configurations, then you don't need DHCP or these advanced DNS options either.

In the original question, "Option one: Dynamically update DNS A and PTR records only if requested by client." was asked by the author.
Your comment doesn't talk about that option.


Finally, setting a dedicated DDNS account is mandatory if you want to work with the DHCP advanced DNS options; this hidden fact must be reflected in the comment.

My earlier comment is self-explanatory.

If the author of this question does not realize the difference between the two comments, then I cannot do anything. The author always reserves the right to accept any comment they want to.

Finally, we are both here to suggest the right solutions as far as possible.
It's not a matter of grabbing points and I don't want to fight for points.
I just wanted to point out corrections \ the right things, nothing else. Thanks.

Mahesh