Solved

Client computers in a domain won't dynamically update their A records

Posted on 2014-03-03
Last Modified: 2014-03-05
Hi,
In our domain DNS works fine in terms of going out and resolving sites on the internet, and for the servers. However nearly all client computers have no A records in DNS. I have put a couple in there by going to the client computer and running ipconfig /registerdns. When you look in DHCP all the client computers are represented, showing the hostname and the allocated IP address. The only time anyone notices this issue is when users try to log in from home using our terminal server gateway. I guess it is the only time the clients' IP addresses need to be resolved. When they complain they can't log in remotely, I ping their computer name and notice it doesn't resolve internally. As soon as I run ipconfig /registerdns their login from home works fine. At the moment that is the only way their A record appears in our zone.
I understand that the client computers are meant to dynamically update their own A records at startup, and when DHCP renews their IP address.
This isn't happening.
I would rather not let the DHCP server register for them because of security concerns I have read about.
More details: Dynamic updates for this zone are set to "secure only", replication is set to "All DNS servers in the zone"; we run "Active Directory-Integrated" type zone and the status for the zone is "running".

Could anyone help with why the clients can't dynamically update their own A records?
Thanks,
Shaun
Question by:shaunwoy
LVL 19

Expert Comment

by:strivoli
ID: 39902446
Which OS hosts the DNS server? Windows 2003, 2003R2, 2008, 2008R2, ...?

Author Comment

by:shaunwoy
ID: 39902519
Hi strivoli,
2008
Shaun
LVL 19

Expert Comment

by:strivoli
ID: 39902543
"I would rather not let the DHCP server register for them because of security concerns I have read about"

This is the key point of the issue. You should set the DHCP server to register (please see the attached pic). I have never heard about security concerns and I kindly ask you to report back some links that talk about it because I manage several systems and all are set to allow DHCP server to register.
Thank you.
Untitled.png
LVL 35

Accepted Solution

by:Mahesh (earned 500 total points)
ID: 39902841
In the properties of the DHCP server (IPv4 in the case of a 2008 DHCP server), on the DNS tab, if you have set "Always dynamically update DNS A and PTR records", then the DHCP server will always update host (A) and PTR records on behalf of clients.
OR
In the properties of the DHCP server (IPv4 in the case of a 2008 DHCP server), on the DNS tab, if you have set "Dynamically update DNS A and PTR records only if requested by the DHCP clients":
In this case, if the IP lease has changed, then the client computers will dynamically update their DNS records and the DHCP server will update the PTR records.

Also you must set a domain service account in DHCP server properties (IPv4 in the case of 2008) \ Advanced \ Credentials tab in order for dynamic updates to work correctly, otherwise they will fail.
You can create a standard domain account with a non-expiring password for this purpose.

Also you must set "Discard A and PTR records when DHCP lease expires" in order to delete expired DHCP leases from the DHCP console automatically, otherwise you must delete expired DHCP leases from the DHCP console manually.
Note that this will not delete DNS records automatically unless you set up DNS scavenging properly.
http://social.technet.microsoft.com/Forums/windowsserver/en-US/8d4b5f8e-3290-4a9b-8f9d-68fafdd895a2/dhcp-service-not-siscarding-a-and-ptr-records-in-dns-when-lease-is-deleted
http://241931348f64b1d1.wordpress.com/2010/11/08/how-to-configure-dns-scavenging-stale-record/

On the affected computer please open Advanced TCP/IP settings and check the DNS tab.
In the DNS tab, check the settings below:
Ensure that the "Append primary and connection specific DNS suffixes" radio button is selected
Ensure that the "Append parent suffixes of the primary DNS suffix" checkbox is selected
Ensure that the "Register this connection's addresses in DNS" checkbox is selected
If there is any deviation in the above settings, you will probably face name resolution issues.

Mahesh
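As an added example (not code from the thread, from Mahesh, or from Microsoft), the PowerShell below walks the checks in the answer above on a defender's side: the DHCP server's DNS-tab setting, the account used for secure dynamic updates (a stale password on that account turned out to be the cause in the closing comment), and which active leases still have no A record in the zone. It assumes the DhcpServer, DnsServer and ActiveDirectory modules (Windows Server 2012+ / RSAT) and uses placeholder server and zone names.

```powershell
# Added example, not from the thread: audit a Windows DHCP server's DNS dynamic-update
# settings and list leased clients that have no A record in the zone. Requires the
# DhcpServer, DnsServer and ActiveDirectory modules; the names below are placeholders.
param(
    [string]$DhcpServer = 'dhcp01.corp.example',   # placeholder
    [string]$DnsServer  = 'dc01.corp.example',     # placeholder
    [string]$Zone       = 'corp.example'           # placeholder
)

# 1. Server-level DNS tab: DynamicUpdates is Always / OnClientRequest / Never, and
#    DeleteDnsRROnLeaseExpiry is the "Discard A and PTR records when lease is deleted" box.
$dns = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer
'DynamicUpdates={0}  DeleteDnsRROnLeaseExpiry={1}  UpdateDnsRRForOlderClients={2}' -f `
    $dns.DynamicUpdates, $dns.DeleteDnsRROnLeaseExpiry, $dns.UpdateDnsRRForOlderClients

# 2. Account used for secure dynamic updates (IPv4 > Advanced > Credentials). The cmdlet
#    reports only the account name; a changed password is invisible here, so also show
#    the account's state and PasswordLastSet in AD and compare with when updates stopped.
$cred = Get-DhcpServerDnsCredential -ComputerName $DhcpServer
if (-not $cred.UserName) {
    Write-Warning 'No DNS update credential is configured on the DHCP server.'
} else {
    'DNS update account: {0}\{1}' -f $cred.DomainName, $cred.UserName
    Get-ADUser -Identity $cred.UserName -Properties Enabled, PasswordLastSet |
        Select-Object SamAccountName, Enabled, PasswordLastSet
}

# 3. Every active lease should have a matching A record; report the ones that do not.
$aRecords = @{}   # PowerShell hashtable keys are case-insensitive, as DNS names are
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -RRType A |
    ForEach-Object { $aRecords[$_.HostName] = $true }

$missing = foreach ($scope in Get-DhcpServerv4Scope -ComputerName $DhcpServer) {
    Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $scope.ScopeId |
        Where-Object { $_.AddressState -like 'Active*' -and $_.HostName } |
        ForEach-Object {
            $name = ($_.HostName -split '\.')[0]        # lease names are usually FQDNs
            if (-not $aRecords.ContainsKey($name)) {
                [pscustomobject]@{ HostName = $name; IPAddress = $_.IPAddress; Scope = $scope.ScopeId }
            }
        }
}
'{0} active lease(s) without an A record in {1}' -f @($missing).Count, $Zone
$missing | Format-Table -AutoSize
```

If the credential account's PasswordLastSet is newer than the date the leases stopped registering, re-enter the password with Set-DhcpServerDnsCredential and re-run the lease comparison after the next renewals.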

Author Comment

by:shaunwoy
ID: 39905482
Also, I have been in DNS and on the zone for our network Dynamic updates is set to "Secure only", Aging is set to "Scavenge stale resource records" No refresh interval is 2 days, Refresh interval is set to 2 days.

Author Comment

by:shaunwoy
ID: 39905508
Hi Strivoli and Mahesh,
I had a look and in DHCP on the scope settings in the DNS tab "Enable DNS dynamic updates according to settings" was enabled, "Always dynamically update DNS A and PTR records", and "Discard A and PTR when lease is deleted" was enabled. As well as in DNS, dynamic updates is set to "Secure only".
The only 3 A records in our zone in DNS are 3 DHCP enabled clients are ones I ran "Ipconfig/registerdns" against.
All the servers are there though that have static IPs.
This seems to be a problem that has occurred in the last 3 or 4 months and there wasn't a reason to change anything, so I am not sure what has changed.

Thanks heaps for your quick replies and good thoughts so far,
Shaun

Author Comment

by:shaunwoy
ID: 39905509
Sorry if that last post was a bit confusing about the A records. What I meant to say was "The only 3 A records in our zone in DNS for DHCP enabled clients are 3 computers I ran "Ipconfig/registerdns" against. "
Thanks again for your quick replies,
Shaun
LVL 19

Expert Comment

by:strivoli
ID: 39905555
Move to the General tab (1st attached PIC) and make sure the "Enable DHCP audit logging" option is enabled. The log will help us understand what is going on.
Move to the Advanced tab (2nd attached PIC) and make sure the Credentials are set correctly. Use the "Credentials" button.
Thank you.
Untitled1.png
Untitled2.png

Author Closing Comment

by:shaunwoy
ID: 39907811
Thanks heaps Mahesh, it was the authentication for dynamic updates. It was set to use an administration account that is used for lots of things prior to me starting. Someone a long time ago changed the password for that account and dynamic updates hasn't been working since. The reason it stayed like that so long is it only seemed to affect people logging in from home. Well done!