Shaun Gorman asked:

Client computers in a domain won't dynamically update their A records

Hi,
In our domain DNS works fine in terms of going out and resolving sites on the internet, and for the servers. However, nearly all client computers have no A records in DNS. I have put a couple in there by going to the client computer, and going ipconfig/registerdns. When you look in DHCP, all the client computers are represented, showing the hostname and the allocated IP address. The only time anyone notices this issue is when users try to log in from home using our terminal server gateway. I guess it is the only time the clients' IP addresses need to be resolved. When they complain they can't log in remotely, I ping their computer name and notice it doesn't resolve internally. As soon as I go ipconfig/registerdns, their login from home works fine. At the moment that is the only way their A record appears in our zone.
I understand that the client computers are meant to dynamically update their own A records at startup, and when DHCP renews their IP address.
This isn't happening.  
I would rather not let the DHCP server register for them because of security concerns I have read about.
More details: Dynamic updates for this zone are set to "secure only", replication is set to "All DNS servers in the zone"; we run "Active Directory-Integrated" type zone and the status for the zone is "running".

Could anyone help with why the clients can't dynamically update their own A records?
Thanks,
Shaun
strivoli

Which OS hosts the DNS server? Windows 2003, 2003R2, 2008, 2008R2, ...?
Shaun Gorman (ASKER)

Hi strivoli,
2008
Shaun
"I would rather not let the DHCP server register for them because of security concerns I have read about"

This is the key point of the issue. You should set the DHCP server to register (please see the attached pic). I have never heard about security concerns and I kindly ask you to report back some links that talk about it because I manage several systems and all are set to allow DHCP server to register.
Thank you.
Untitled.png
ASKER CERTIFIED SOLUTION
Mahesh
This solution is only available to members.
Also, I have been in DNS, and on the zone for our network Dynamic updates is set to "Secure only", Aging is set to "Scavenge stale resource records", No-refresh interval is 2 days, and Refresh interval is set to 2 days.
Hi Strivoli and Mahesh,
I had a look, and in DHCP on the scope settings in the DNS tab "Enable DNS dynamic updates according to settings" was enabled, and "Always dynamically update DNS A and PTR records" and "discard A and PTR when lease is deleted" were enabled. As well as that, in DNS dynamic updates is set to "Secure only".
The only 3 A records in our zone in DNS are 3 DHCP enabled clients are ones I ran "Ipconfig/registerdns" against.
All the servers are there though that have static IPs.
This seems to be a problem that has occurred in the last 3 or 4 months and there wasn't a reason to change anything, so I am not sure what has changed.

Thanks heaps for your quick replies and good thoughts so far,
Shaun
Sorry if that last post was a bit confusing about the A records. What I meant to say was "The only 3 A records in our zone in DNS for DHCP enabled clients are 3 computers I ran "Ipconfig/registerdns" against. "
Thanks again for your quick replies,
Shaun
Move to the General tab (1st attached PIC) and make sure the "Enable DHCP audit logging" option is enabled. The log will help us understand what is going on.
Move to the Advanced tab (2nd attached PIC) and make sure the Credentials are set correctly. Use the "Credentials" button.
Thank you.
Untitled1.png
Untitled2.png
Thanks heaps Mahesh, it was the authentication for dynamic updates. It was set to use an administration account that is used for lots of things prior to me starting. Someone a long time ago changed the password for that account and dynamic updates haven't been working since. The reason it stayed like that so long is it only seemed to affect people logging in from home. Well done!
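
The DHCP audit log suggested earlier in the thread can show this kind of failure directly. The sketch below is an added example, not part of the original thread: it reads audit log lines and reports hosts whose DNS updates failed and never succeeded. The sample log lines, host names and the 0.8 threshold are constructed assumptions; event IDs 30, 31 and 32 are the DNS update request, failed and successful codes listed in the audit log header.

```python
import csv
from collections import defaultdict

# DHCP audit log event IDs for DNS dynamic updates (listed in the log header).
DNS_REQUEST, DNS_FAILED, DNS_OK = 30, 31, 32

# Constructed sample in the audit log's comma-separated layout:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,06/12/13,09:14:01,Assign,10.0.0.51,PC-ACCT01.corp.example,001122334455
30,06/12/13,09:14:02,DNS Update Request,10.0.0.51,PC-ACCT01.corp.example,,
31,06/12/13,09:14:03,DNS Update Failed,10.0.0.51,PC-ACCT01.corp.example,-1,
31,06/12/13,13:14:03,DNS Update Failed,10.0.0.51,PC-ACCT01.corp.example,-1,
30,06/12/13,09:20:10,DNS Update Request,10.0.0.52,PC-HR02.corp.example,,
31,06/12/13,09:20:11,DNS Update Failed,10.0.0.52,PC-HR02.corp.example,-1,
30,06/12/13,09:31:40,DNS Update Request,10.0.0.53,PC-DEV03.corp.example,,
31,06/12/13,09:31:41,DNS Update Failed,10.0.0.53,PC-DEV03.corp.example,-1,
"""

def summarize_dns_updates(log_text):
    """Return {hostname: {"failed": n, "ok": n}} for DNS update results."""
    stats = defaultdict(lambda: {"failed": 0, "ok": 0})
    for row in csv.reader(log_text.splitlines()):
        # Skip the header text and blank or short lines.
        if len(row) < 6 or not row[0].strip().isdigit():
            continue
        event_id, host = int(row[0]), row[5].strip().lower()
        if event_id == DNS_FAILED:
            stats[host]["failed"] += 1
        elif event_id == DNS_OK:
            stats[host]["ok"] += 1
    return dict(stats)

def hosts_never_registered(stats):
    """Hosts with at least one failed update and no successful one."""
    return sorted(h for h, s in stats.items() if s["failed"] and not s["ok"])

def looks_server_wide(stats, threshold=0.8):
    """True when most hosts never succeeded, which points at the DHCP
    server side (for example its update credentials), not one client."""
    if not stats:
        return False
    return len(hosts_never_registered(stats)) / len(stats) >= threshold

if __name__ == "__main__":
    result = summarize_dns_updates(SAMPLE_LOG)
    print(hosts_never_registered(result), looks_server_wide(result))
```
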