
DNS Scavenging/Refresh 2008 r2

Posted on 2014-03-18
520 Views
Last Modified: 2014-05-29
Should this be enabled on our DS servers, which are also DC/GCs?

Thanks
Question by:CHI-LTD
25 Comments
LVL 1

Author Comment

by:CHI-LTD
ID: 39936486
To add, we have 4x DCs split over 2x sites. We also have remote connections over VPN into both of these sites, and would like to force an update of the DNS entries for the hosts.

I also have found one server to have forwarders set, whereas the other 3 do not..

Ideas?
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 39936523
Scavenging needs to be enabled on any one DNS server (Domain Controller) in a given domain.

Also, it must be set at both the server level and the zone level in order to work properly.

Also, your DNS zone must be enabled for secure dynamic update, otherwise it will not work.
http://241931348f64b1d1.wordpress.com/2010/11/08/how-to-configure-dns-scavenging-stale-record/
https://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx

Check below threads on EE for more information
http://www.experts-exchange.com/Networking/Protocols/DNS/Q_28361151.html

Mahesh
LVL 1

Author Comment

by:CHI-LTD
ID: 39936554
Thanks.

Our remote connections get a 10.*.*.* IP directly from the firewall.  Then route to the 192.*.*.* or 172.*.*.* networks.

We also changed our DHCP lease from the default (7 days) to 1 hr, and I also see duplicates on our main LAN scope within DNS, e.g.:

172.19.1.1
172.19.1.2

both assigned to host1

both with 2x different timestamps: today 9am and yesterday 9am.
LVL 35

Accepted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 39936596
In order for the DHCP lease and DNS dynamic update to work together, the following must be configured properly.

You have to set dynamic updates to "Secure only" in the DNS zone properties.

In the properties of the DHCP server (IPv4 in the case of a 2008 DHCP server), on the DNS tab, if you have set "Always dynamically update DNS A and PTR records", then the DHCP server will always update host (A) and PTR records on behalf of clients, and you must set a domain service account in DHCP server properties (IPv4 in the case of 2008) \ Advanced \ Credentials tab in order for dynamic update to work correctly, otherwise it will fail.

Also, you must set "Discard A and PTR records when DHCP lease expires" in order to delete expired DHCP leases from the DHCP console automatically, otherwise you must delete expired DHCP leases from the DHCP console manually.
Note that this will not delete DNS records automatically unless you set up DNS scavenging properly.
http://social.technet.microsoft.com/Forums/windowsserver/en-US/8d4b5f8e-3290-4a9b-8f9d-68fafdd895a2/dhcp-service-not-siscarding-a-and-ptr-records-in-dns-when-lease-is-deleted

You will find difficulties if you keep the DHCP lease at 1 hr,
because as a general rule scavenging must be equal to half of the DHCP lease.
In that case your DC SRV records may get deleted through scavenging.
http://www.experts-exchange.com/Networking/Protocols/DNS/Q_28376098.html
http://blogs.technet.com/b/askpfe/archive/2011/06/03/how-dns-scavenging-and-the-dhcp-lease-duration-relate.aspx

Mahesh
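The configuration the two answers above describe, carried through end to end as an added example (this is not the asker's or the answerer's code). It assumes the Windows Server 2012+ DnsServer, DhcpServer and ActiveDirectory PowerShell modules, run as a Domain Admin on one of the DCs; the 2008 R2 equivalents are the dnscmd commands noted in the comments. Zone, server, scope and account names are placeholders.

```powershell
# Added example: server-level scavenging, zone-level aging and secure updates, DHCP DNS
# registration with a dedicated credential, DnsUpdateProxy membership and the
# OpenACLOnProxyUpdates fix. All names below are placeholders (assumptions).
Import-Module DnsServer, DhcpServer, ActiveDirectory

$ForwardZone = 'domain.local'                # placeholder zone names
$ReverseZone = '19.172.in-addr.arpa'
$ScopeId     = '172.19.1.0'                  # placeholder scope on the main LAN
$DhcpServers = 'DC1', 'DC2', 'DC3', 'DC4'    # DHCP runs on the DCs, as in the question
$ScavengeDc  = 'DC1'                         # exactly one server should perform scavenging
$LeaseDays   = 7                             # keep the default lease; 1 hour is too short

# Aging intervals: each half of the lease, so NoRefresh + Refresh equals the lease and a
# record can only become stale after the lease that created it has expired.
$Half = [TimeSpan]::FromDays($LeaseDays / 2)
if (($Half + $Half).TotalHours -lt 24) {
    Write-Warning 'NoRefresh + Refresh under 24 h: DC SRV/A records can be scavenged between Netlogon re-registrations.'
}

# 1. Scope lease (per scope), then DHCP DNS behaviour on every DHCP server (per server,
#    not per scope): always register A and PTR, discard both when the lease expires.
Set-DhcpServerv4Scope -ComputerName $ScavengeDc -ScopeId $ScopeId -LeaseDuration (New-TimeSpan -Days $LeaseDays)

$svc = Get-Credential -Message 'Dedicated, non-expiring domain user for DHCP DNS updates (placeholder DOMAIN\svc-dhcpdns)'
foreach ($s in $DhcpServers) {
    Set-DhcpServerv4DnsSetting -ComputerName $s -DynamicUpdates Always `
        -DeleteDnsRRonLeaseExpiry $true -UpdateDnsRRForOlderClients $true
    Set-DhcpServerDnsCredential -ComputerName $s -Credential $svc
    # DnsUpdateProxy: records DHCP registers are not locked to the DHCP server's identity,
    # so the client (or another DHCP server) can take them over later.
    Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members (Get-ADComputer -Identity $s)
    Invoke-Command -ComputerName $s -ScriptBlock { Restart-Service -Name DHCPServer }
}

# 2. Because DHCP runs on DCs that are now in DnsUpdateProxy, stop the records those DCs
#    register (including their own) from getting an ACL any authenticated user can rewrite.
dnscmd /Config /OpenACLOnProxyUpdates 0

# 3. DNS server level: scavenging on the one nominated DC only.
Set-DnsServerScavenging -ComputerName $ScavengeDc -ScavengingState $true `
    -NoRefreshInterval $Half -RefreshInterval $Half -ScavengingInterval $Half
# 2008 R2 equivalent: dnscmd DC1 /Config /ScavengingInterval 84   (value in hours)

# 4. Zone level: secure dynamic update only, aging on, same intervals.
foreach ($z in $ForwardZone, $ReverseZone) {
    Set-DnsServerPrimaryZone -ComputerName $ScavengeDc -Name $z -DynamicUpdate Secure
    Set-DnsServerZoneAging -ComputerName $ScavengeDc -Name $z -Aging $true `
        -NoRefreshInterval $Half -RefreshInterval $Half
    # 2008 R2 equivalent: dnscmd /Config domain.local /Aging 1 /RefreshInterval 84 /NoRefreshInterval 84
}

# Verify what was applied.
Get-DnsServerScavenging -ComputerName $ScavengeDc
Get-DnsServerZoneAging -ComputerName $ScavengeDc -Name $ForwardZone, $ReverseZone
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServers[0]
```

Note the ordering: the credential and DnsUpdateProxy membership go in before scavenging is switched on, so that records re-registered from this point are owned by the service account rather than by a DC computer account, and the OpenACLOnProxyUpdates change is what keeps DnsUpdateProxy membership from turning the DCs' own records into world-writable ones.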
LVL 1

Author Comment

by:CHI-LTD
ID: 39936986
OK, changed the DNS settings in DHCP.
I have the same problem: the reverse lookup folder is showing the machine twice with 2x IPs. The domain.local folder is showing correct details...
LVL 35

Expert Comment

by:Mahesh
ID: 39937006
Have you set credentials in the DHCP console as stated in my earlier comment?
This needs to be a standard domain user account with a non-expiring password, but it is required in order for dynamic update to work correctly.
Then restart the DHCP Server service once.
Also add your DHCP server to the DNSUpdateProxy group on the Domain Controller.

Also, if your DHCP server is running 2008 R2, then run the below command on the Domain Controller:
Dnscmd /Config /OpenACLOnProxyUpdates 0

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28302450.html

Mahesh
LVL 1

Author Comment

by:CHI-LTD
ID: 39937105
My DHCP servers are DCs.
LVL 1

Author Comment

by:CHI-LTD
ID: 39937204
"In the properties of DHCP server (Ipv4 in case of 2008 DHCP server), on the DNS tab if have set Always dynamically update DNS A and PTR records, then DHCP server will always update host (A) and PTR records on behalf of clients and you must set domain service account in DHCP server properties (IPV4 in case of 2008) \ advanced \ credentials tab in order to dynamic update work correctly, otherwise it will fail."

- Should I be doing this on all scopes with IPv4 enabled on all my servers?
LVL 35

Expert Comment

by:Mahesh
ID: 39937550
This is not on a scope basis; it is on a per-server basis, and you need to set it up for every server.
Only one service account is enough for all DHCP servers.
Also do not forget to add those servers to the DNSUpdateProxy group on the Domain Controller, and also run the above dnscmd command on the DC if DHCP is running on a 2008 R2 server.
LVL 1

Author Comment

by:CHI-LTD
ID: 39939203
Well, I now have a Windows account that's locking itself and won't unlock; I assume after I have made these changes..?
LVL 35

Expert Comment

by:Mahesh
ID: 39939255
What is your account lockout policy for the domain?
Is your account getting permanently locked?
By setting the account in DHCP, it should never get locked.
Do not use an existing account.
Please create a brand new service account which would be used only for this purpose.

Furthermore, keep the password of the account you enter in all DHCP servers the same,
because it will not throw any error while entering credentials.
You need to be careful while entering credentials,
otherwise the account keeps getting locked every time if wrong credentials are entered on multiple DHCP servers.

Mahesh
LVL 1

Author Comment

by:CHI-LTD
ID: 39940013
It's the reverse lookup records which are not updating...
LVL 35

Expert Comment

by:Mahesh
ID: 39940078
Have you set up "Always dynamically update DNS A and PTR records" in the advanced DHCP properties?

Also, if you have very old reverse lookup records, you need to clean them up with scavenging or manually once.

Check the below article again:
https://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx

Mahesh
LVL 1

Author Comment

by:CHI-LTD
ID: 39940111
Yes, I have on all servers.
I have manually scavenged but they stay there.
LVL 1

Author Comment

by:CHI-LTD
ID: 39940121
But the remote clients (10. range) aren't managed by DHCP...
LVL 1

Author Comment

by:CHI-LTD
ID: 39940123
Sorry, aren't managed by the Windows DHCP server; the IPs are allocated by the firewall.
LVL 35

Expert Comment

by:Mahesh
ID: 39940143
Those IPs which are not assigned by DHCP will not be updated by DHCP; they will be updated by the DNS clients that get an IP from the firewall, through the DNS dynamic update feature.

You need to ensure that dynamic update is set to "Secure only" in the DNS zone properties.

Also, even if you trigger scavenging manually, it won't delete any records that are not eligible for scavenging.

A scavenging trigger will delete only those records which are older than (refresh interval + no-refresh interval).
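An added audit script (not from the thread) that applies the eligibility rule just stated, timestamp older than NoRefresh + Refresh, to a zone before you trigger a manual scavenge, and that also lists hosts with more than one A record, the duplicate the asker reported. It assumes the DnsServer module (Windows Server 2012+), placeholder zone and server names, and is read-only until the `-WhatIf` on the last command is removed.

```powershell
# Added example: which records would a scavenging pass delete right now, and which hosts
# currently hold duplicate A records. Zone and server names are placeholders (assumptions).
Import-Module DnsServer

function Get-ScavengeCandidate {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $aging = Get-DnsServerZoneAging -Name $ZoneName -ComputerName $ComputerName
    if (-not $aging.AgingEnabled) {
        Write-Warning "Aging is disabled on $ZoneName; a manual scavenge will delete nothing here."
        return
    }
    # A record is stale only once its timestamp predates NoRefresh + Refresh.
    $cutoff = (Get-Date) - $aging.NoRefreshInterval - $aging.RefreshInterval

    # Static (manually created) records carry no timestamp and are never scavenged.
    Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $ComputerName |
        Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
        ForEach-Object {
            $rec  = $_
            $data = switch ($rec.RecordType) {
                'A'     { $rec.RecordData.IPv4Address.IPAddressToString }
                'PTR'   { $rec.RecordData.PtrDomainName }
                default { $null }
            }
            [pscustomobject]@{
                HostName  = $rec.HostName
                Type      = $rec.RecordType
                Timestamp = $rec.Timestamp
                Data      = $data
            }
        }
}

function Get-DuplicateHostRecord {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # One host name with two A records and two timestamps: the symptom of a client
    # that re-registered under a new lease without the old record being removed.
    Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $ComputerName -RRType A |
        Group-Object HostName |
        Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{
                HostName   = $_.Name
                Addresses  = ($_.Group.RecordData.IPv4Address.IPAddressToString -join ', ')
                Timestamps = ($_.Group.Timestamp -join ', ')
            }
        }
}

# Usage (placeholder names)
Get-ScavengeCandidate  -ZoneName '19.172.in-addr.arpa' -ComputerName 'DC1' | Format-Table -AutoSize
Get-DuplicateHostRecord -ZoneName 'domain.local'        -ComputerName 'DC1' | Format-Table -AutoSize

# Force a pass on the server that owns scavenging; it removes only what the audit listed.
Start-DnsServerScavenging -ComputerName 'DC1' -Force

# Or delete the candidates yourself (drop -WhatIf to act).
Get-ScavengeCandidate -ZoneName '19.172.in-addr.arpa' -ComputerName 'DC1' | ForEach-Object {
    Remove-DnsServerResourceRecord -ComputerName 'DC1' -ZoneName '19.172.in-addr.arpa' `
        -Name $_.HostName -RRType $_.Type -RecordData $_.Data -WhatIf
}
```

If the audit returns nothing for a record you expected to go, compare its timestamp with the cutoff: a record that has been touched within NoRefresh + Refresh is, by the rule, not stale, and no number of manual scavenges will remove it until that window passes.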
LVL 1

Author Comment

by:CHI-LTD
ID: 39942609
Dynamic is enabled.

Ideas why these IPs aren't updating then?
LVL 35

Expert Comment

by:Mahesh
ID: 39943285
Can you please check who has got ownership of those reverse records?

In the DNS console go to the reverse lookup zone, go to the properties of a PTR record that was created by a firewall-assigned client, and check the Security tab, then Advanced \ Owner.

You may need to enable Advanced view in the DNS console on the View menu.
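The owner check above, done for a whole zone at once as an added example (not from the thread). It reads the dnsNode objects of an AD-integrated zone directly with the ActiveDirectory module, which shows the same owner the console's Security > Advanced tab does; the zone name and the assumption that the zone lives in the DomainDnsZones partition are placeholders.

```powershell
# Added example: owner of every node in an AD-integrated DNS zone. Assumes the
# ActiveDirectory module and a zone stored in DomainDnsZones; names are placeholders.
Import-Module ActiveDirectory

function Get-DnsNodeOwner {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        # Distinguished name of the partition holding the zone (assumption: DomainDnsZones).
        [string]$PartitionDn = "DC=DomainDnsZones,$((Get-ADDomain).DistinguishedName)"
    )
    $base = "DC=$ZoneName,CN=MicrosoftDNS,$PartitionDn"
    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=dnsNode)' -Properties ntSecurityDescriptor |
        ForEach-Object {
            [pscustomobject]@{
                Node  = $_.Name
                Owner = $_.ntSecurityDescriptor.Owner
            }
        }
}

# How to read the Owner column:
#   the host's own computer account (DOMAIN\HOST1$)  -> the client registered the record itself
#   the DHCP DNS-update service account              -> DHCP registered it on the client's behalf
#   a DC's computer account (DOMAIN\DC1$)            -> DHCP on that DC registered it with no
#       credential configured; the client cannot later refresh a record the DC owns, which is
#       why the thread insists on a dedicated credential plus DnsUpdateProxy membership.
Get-DnsNodeOwner -ZoneName '19.172.in-addr.arpa' |
    Sort-Object Owner |
    Format-Table -AutoSize
```

Group the output by owner before looking at individual records: a reverse zone in which most PTR nodes are owned by one DC's computer account rather than by the service account or the hosts themselves is the fingerprint of the missing-credential condition, and those are the records that will keep failing to refresh regardless of the scavenging settings.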
LVL 1

Author Comment

by:CHI-LTD
ID: 39949925
Connected from 2x of my laptops to both sites (different networks), and both records are owned by the computer/host.

The PTR details on one record show 'delete this record when it becomes stale', with a tick box and timestamp & TTL field.
The other record doesn't show this (not that I think this is the problem)...
LVL 35

Expert Comment

by:Mahesh
ID: 39949989
Those records which don't show the above info are probably manually created PTR records.

Also, those records whose ownership is associated with computers/hosts won't be updated by DHCP, since you have set up "Always update Host (A) records and PTR records",
and those records are not updated because the respective computers may not be on the network.
Maybe those records were there before you changed the DHCP settings.

The best way to update these records is to manually delete them once (except manually created records) and then check whether they update properly next time.

Also, have you added your DHCP server to the DNSUpdateProxy group on the Domain Controller?

Also, if your DHCP server is running 2008 R2, then run the below command on the Domain Controller:
Dnscmd /Config /OpenACLOnProxyUpdates 0

Then restart the DHCP Server service once.
LVL 1

Author Comment

by:CHI-LTD
ID: 39949998
No, they were created earlier today when I connected over VPN.

I had manually deleted the records over the weekend, so no entries there until today.

Yes, added the DCs to the proxy group.

Not run the command as yet...
Will restart them too..
LVL 1

Author Comment

by:CHI-LTD
ID: 39956190
I think the problem isn't actually related to the scavenging side of things.

Looking through logs I see Netlogon event ID 5807: http://support.microsoft.com/kb/2668820
LVL 1

Author Comment

by:CHI-LTD
ID: 40050525
Is it possible to update/scavenge the DNS records for my remote clients in the reverse lookup zone?
Currently, when the machines connect into the 2x sites over remote VPN and/or are physically attached to the 2x LANs, the DNS records are wrong and the clients cannot communicate with the remote sites correctly.
LVL 1

Author Closing Comment

by:CHI-LTD
ID: 40098276
So, to add to the resolution, I have set up scavenging on the 2x remote zones to hours, which is looking good.