Solved

AD 2008 DNS and DHCP not in sync

Posted on 2014-12-17
Last Modified: 2014-12-23
I have a Windows 2008 Active Directory environment with 2 domain controllers. Often the IP address which a machine has been given through DHCP is not updated in DNS. For example, I checked just now: in DHCP a particular machine has a new IP address, but in DNS it still shows the old IP address. Not sure which settings to look at to see why DNS is not getting updated.

My lease duration is set to 1 day on my DHCP

I have attached a screen shot of my DNS settings under the DHCP scope properties

Thanks,
Question by:swenger7
13 Comments
LVL 41

Expert Comment

by:footech
ID: 40506572
There's nothing attached to your post.

The problem is likely due to the ownership of the record not allowing it to be overwritten.  Also, do you have DNS scavenging enabled on the zone?  If so, what are the refresh and no-refresh intervals set to?
LVL 38

Accepted Solution

by:Mahesh (earned 2000 total points)
ID: 40506843
A number of things to check:
First, check if your AD-integrated domain DNS zone (domain.com) is set to secure dynamic update; if not, set it in the zone properties.

Then, in the DHCP advanced DNS properties, ensure that "Always dynamically update host (A) and PTR records" is selected.
Ensure that "Discard A and PTR records when lease is deleted" is selected.

Also, on the General tab, set credentials; this would be a standard domain account. This is required.
Also note that while entering the account credentials you must enter them correctly: DHCP will not throw any errors, but it will then refuse the dynamic DNS update.

Add the DHCP server to the DnsUpdateProxy group on the domain controller:
http://blogs.msmvps.com/acefekay/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group/

Set DNS scavenging as per the posts below, based on your DHCP lease duration. Ensure that scavenging is set up on any one DNS server at both the server and the zone level, otherwise it won't work.
Scavenging will help you to keep your DNS clean and healthy.
http://think-like-a-computer.com/2012/04/27/dns-scavenging/
http://blogs.technet.com/b/askpfe/archive/2011/06/03/how-dns-scavenging-and-the-dhcp-lease-duration-relate.aspx

Author Comment

by:swenger7
ID: 40506991
Sorry, here is the attachment I forgot.

Author Comment

by:swenger7
ID: 40506993

Author Comment

by:swenger7
ID: 40507136
1. Was already set to Secure.
2. Was set to the first option, "Dynamically update...only if requested by DHCP clients". Changed this to the second option, "Always....".
3. The scavenging properties were set except for "Enable automatic scavenging of stale records", which I have now checked. This was only on one of my DCs; the other one had it checked.

Now that I have made these changes, I will check the server for the next 7-10 days to see if it is working now as it should.
LVL 38

Expert Comment

by:Mahesh
ID: 40507186
Have you set credentials and added the DHCP server to the DnsUpdateProxy group on the DC?

Also check the earlier articles to figure out the scavenging period based on your DHCP scope lease duration.

Author Comment

by:swenger7
ID: 40507282
It seems that you want me to enable DHCP name protection as in the attached screenshot. Is that correct? Is there any downside to this?

Also, I always had 1 zone for my computers, which I split a couple of months ago into 2 zones. I had created a second zone in the forward lookup zones but not in the reverse. Should I add this second zone to the reverse as well?

Thanks,
Capture.JPG
LVL 38

Expert Comment

by:Mahesh
ID: 40507501
No.
There is a General tab beside the DNS tab.
There is one option called Credentials at the bottom.
There you need to set up a standard domain user account (service account) as the DHCP record registration account.
Then restart the DHCP Server service once to make it take effect.
Also add the DHCP server account in AD to the DnsUpdateProxy group on the domain controller.

What do you mean by split zone? Sorry, I don't understand.
Your computer accounts' host (A) records will be registered only in the main domain.com DNS zone; also, you have to have AD-integrated reverse lookup zones for all computer subnets so that DHCP can register PTR records there.
No need to split zones; at least, I am not aware of the zone split concept.

Author Comment

by:swenger7
ID: 40507510
Sorry for the confusion.

I set the credentials. The article also mentions that with 2008 R2 you can also set DHCP name protection, which I did. I was wondering if there was a downside to this.

What I meant by split zones was that I have 2 VLANs. One is 192.168.1.x and the other is 192.168.20.x, which I added recently. At the time of adding the VLAN to my network I added the zone for this to the forward zone in DNS but forgot to add the reverse for this zone, which I have now added.
LVL 38

Expert Comment

by:Mahesh
ID: 40507572
Not sure how you add a DNS zone pointing to subnets in the forward lookup zone.

The zone for subnets can only be added as a reverse lookup zone.

Your domain.com forward lookup zone can handle all subnets without any problems or extra configuration.
No need to create any extra forward lookup zones.

Author Comment

by:swenger7
ID: 40507588
Sorry. That is correct. I didn't add the zone to the forward lookup zones. I added the subnet as a scope in DHCP but didn't add the reverse zone to DNS, which I have now done.

Back to my other question: is there any downside to turning DHCP Name Protection on?
LVL 38

Expert Comment

by:Mahesh
ID: 40507922
You can enable name protection.
It is a mechanism to secure DNS records against duplication, meaning that once a record is registered successfully in DNS for one host, another host cannot register the same host record.

Name protection behavior:
http://blogs.technet.com/b/teamdhcp/archive/2009/01/29/what-is-name-protection.aspx

Author Comment

by:swenger7
ID: 40515482
So it doesn't seem like this is working.
In my forward zone, I have a computer name which has a timestamp of Dec 18 with IP 192.168.20.157.
There is another computer name which has a timestamp of Dec 22 with the same IP.

The reverse zone only has the first name, so if I ping the second name or use remote access tools with the second name, I end up getting the computer of the first name.

I have also enabled Name Protection, thinking it should have prevented this.

Not sure how to stop this from happening.
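The last post describes two A records sharing 192.168.20.157 with only the older name in the reverse zone, and the accepted solution ties scavenging to the lease duration. The Python below is an added example, not from this thread or from Microsoft, that audits a dnscmd /ZonePrint-style export for exactly that condition; it assumes the `name [Aging:hours] TTL TYPE DATA` line format, a 1-day no-refresh and refresh interval, and hypothetical host names (oldpc, newpc, fileserver), and all zone data in it is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Windows DNS aging timestamps are hours since 1601-01-01 UTC; one record per
# line in dnscmd /ZonePrint style looks like: name [Aging:N] TTL TYPE DATA
AGING_EPOCH = datetime(1601, 1, 1)
REC_RE = re.compile(r"^(\S+)\s+\[Aging:(\d+)\]\s+\d+\s+(A|PTR)\s+(\S+)", re.M)

def to_aging_hours(dt):
    return int((dt - AGING_EPOCH).total_seconds() // 3600)

def parse_zoneprint(text):
    """Return (name, timestamp, type, data) for every aging-stamped A or PTR line."""
    return [(n, AGING_EPOCH + timedelta(hours=int(h)), t, d)
            for n, h, t, d in REC_RE.findall(text)]

def ptr_ip(reverse_zone, label):
    """Rebuild the IPv4 address from a PTR label and its in-addr.arpa zone name."""
    octets = reverse_zone.replace(".in-addr.arpa", "").split(".")
    return ".".join(list(reversed(octets)) + [label])

def audit(forward_text, reverse_text, reverse_zone, now, no_refresh_h, refresh_h):
    """Flag IPs with more than one A record: which name the PTR resolves to, and
    which names are older than now - (no-refresh + refresh), i.e. scavengeable."""
    by_ip = defaultdict(list)
    for name, ts, rtype, data in parse_zoneprint(forward_text):
        if rtype == "A":
            by_ip[data].append((ts, name))
    ptr = {ptr_ip(reverse_zone, n): d.rstrip(".").split(".")[0]
           for n, _, t, d in parse_zoneprint(reverse_text) if t == "PTR"}
    limit = now - timedelta(hours=no_refresh_h + refresh_h)
    findings = {}
    for ip, entries in by_ip.items():
        if len(entries) > 1:
            entries.sort()  # oldest timestamp first
            findings[ip] = {"names": [n for _, n in entries],
                            "ptr": ptr.get(ip),
                            "scavengeable": [n for ts, n in entries if ts < limit]}
    return findings

def sample():
    """Constructed zone data (hypothetical names) mirroring the thread's last post."""
    old, new = to_aging_hours(datetime(2014, 12, 18)), to_aging_hours(datetime(2014, 12, 22))
    fwd = (f"oldpc [Aging:{old}] 1200 A 192.168.20.157\n"
           f"newpc [Aging:{new}] 1200 A 192.168.20.157\n"
           f"fileserver [Aging:{new}] 1200 A 192.168.1.10\n")
    rev = f"157 [Aging:{old}] 1200 PTR oldpc.domain.com.\n"
    # Assumed 1-day no-refresh and 1-day refresh interval, checked on 2014-12-23.
    return audit(fwd, rev, "20.168.192.in-addr.arpa", datetime(2014, 12, 23), 24, 24)
```

Run `sample()` to see the duplicate IP reported with the PTR still pointing at the older name and that name already past the scavenging threshold; feeding real `dnscmd /ZonePrint` output of the forward and reverse zones into `audit` gives the same report for a live zone.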