Solved

AD 2008 DNS and DHCP not in sync

Posted on 2014-12-17
13
182 Views
Last Modified: 2014-12-23
I have a Windows 2008 Active Directory environment. I have 2 domain controllers. Often the IP address which a machine has been given through DHCP is not updated in DNS. For example, I checked now in DHCP: a particular machine has a new IP address, but in DNS it still shows the old IP address. Not sure which settings to look at to see why the DNS is not getting updated.

My lease duration is set to 1 day on my DHCP

I have attached a screen shot of my DNS settings under the DHCP scope properties

Thanks,
0
13 Comments
 
LVL 39

Expert Comment

by:footech
ID: 40506572
There's nothing attached to your post.

The problem is likely due to the ownership of the record not allowing it to be overwritten.  Also, do you have DNS scavenging enabled on the zone?  If so, what are the refresh and no-refresh intervals set to?
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40506843
A number of things to check:
1st, check if your AD-integrated domain DNS zone (domain.com) is set to secure dynamic update; if not, set it in the zone properties.

Then in the DHCP advanced DNS properties ensure that "Always update host (A) and PTR records" is selected.
Ensure that "Discard A and PTR records when lease expires" is selected.

Also on the General tab set credentials; this would be a standard domain account. This is required.
Also note that while entering the account credentials you must enter them correctly; DHCP will not throw any errors, however it will then refuse dynamic DNS updates.

Add the DHCP server to the DNS Update Proxy group on the domain controller:
http://blogs.msmvps.com/acefekay/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group/

Set DNS scavenging as per the posts below, based on your DHCP lease duration. Ensure that scavenging is set up on any one DNS server at both the server and zone level, otherwise it won't work.
Scavenging will help you keep your DNS clean and healthy.
http://think-like-a-computer.com/2012/04/27/dns-scavenging/
http://blogs.technet.com/b/askpfe/archive/2011/06/03/how-dns-scavenging-and-the-dhcp-lease-duration-relate.aspx
0
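The checklist in the accepted answer, carried out as a PowerShell script. This is an added example, not code from the thread or from Microsoft; it assumes the DhcpServer, DnsServer and ActiveDirectory modules (Windows Server 2012 or later, or RSAT; on a 2008 box the same settings live in the DHCP and DNS consoles, netsh and dnscmd). The server names, the zone name `domain.com` and the 12-hour/12-hour split of the 1-day lease into no-refresh and refresh intervals are placeholders and assumptions; the linked articles are the place to pick the intervals for a real lease duration.

```powershell
# Added example, not from the thread. Assumes DhcpServer, DnsServer and ActiveDirectory
# modules are available (2012+/RSAT). Host and zone names below are placeholders.
Import-Module DhcpServer, DnsServer, ActiveDirectory

$Zone       = 'domain.com'   # AD-integrated forward zone (placeholder)
$DnsServer  = 'DC01'         # a domain controller running DNS (placeholder)
$DhcpServer = 'DHCP01'       # DHCP server host name (placeholder)
$LeaseDays  = 1              # matches the 1-day lease stated in the question

# 1. The zone must accept only secure dynamic updates.
$z = Get-DnsServerZone -ComputerName $DnsServer -Name $Zone
if ($z.DynamicUpdate -ne 'Secure') {
    Set-DnsServerZone -ComputerName $DnsServer -Name $Zone -DynamicUpdate Secure
}

# 2. DHCP DNS tab: always register A and PTR, discard them when the lease expires,
#    and enable name protection (the 2008 R2 option asked about later in the thread).
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -DynamicUpdates Always `
    -DeleteDnsRROnLeaseExpiry $true -NameProtection $true

# 3. General tab credentials: a plain domain user. A typo here produces no error and
#    silently breaks registration, so prompt for the password instead of hard-coding it.
$cred = Get-Credential -Message 'Standard domain account used by DHCP for DNS registration'
Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $cred
# The credential change takes effect after the DHCP Server service restarts.
Invoke-Command -ComputerName $DhcpServer -ScriptBlock { Restart-Service -Name DHCPServer }

# 4. Put the DHCP server's computer account in DnsUpdateProxy so records it creates
#    are not owned by the DHCP server and can be overwritten later.
$dhcpComputer = Get-ADComputer -Identity $DhcpServer
Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members $dhcpComputer

# 5. Scavenging at zone level AND server level on one DNS server. Assumption: split the
#    lease evenly between the no-refresh and refresh intervals (12 h + 12 h for a 1-day lease).
$half = New-TimeSpan -Hours (12 * $LeaseDays)
Set-DnsServerZoneAging -ComputerName $DnsServer -Name $Zone -Aging $true `
    -NoRefreshInterval $half -RefreshInterval $half
Set-DnsServerScavenging -ComputerName $DnsServer -ScavengingState $true `
    -ScavengingInterval (New-TimeSpan -Days $LeaseDays)

# Show the resulting settings so the change can be verified.
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer
Get-DnsServerZoneAging -ComputerName $DnsServer -Name $Zone
Get-DnsServerScavenging -ComputerName $DnsServer
```

Run it from an account that is both a DHCP and a DNS administrator. Step 5 is the one that is easy to get half right: zone-level aging without server-level scavenging (or the reverse) means stale records are timestamped but never removed, which is the symptom the original question describes.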
 

Author Comment

by:swenger7
ID: 40506991
Sorry here is the attachment I forgot
0
 

Author Comment

by:swenger7
ID: 40506993
0
 

Author Comment

by:swenger7
ID: 40507136
1. Was already set to Secure
2. Was set to first option "Dynamically update...only if requested by DHCP clients". Changed this to second option "Always...."
3. The scavenging properties were set except for the "Enable automatic scavenging of stale records" which I now checked. This was only on one of my DC. The other one had it checked.

Now that I made these changes I will check the server for the next 7-10 days to see if it is working now as it should
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40507186
Have you set the credentials and added the DHCP server to the DnsUpdateProxy group on the DC?

Also check the earlier articles to figure out the scavenging period based on your DHCP scope lease duration.
0

 

Author Comment

by:swenger7
ID: 40507282
It seems that you want me to enable DHCP name protection as in the attached screenshot. Is that correct? Is there any downside to this?

Also, I always had 1 zone for my computers, which I split a couple of months ago into 2 zones. I had created a second zone in the forward but not in the reverse. Should I add this second zone to the reverse as well?

Thanks,
Capture.JPG
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40507501
No.
There is a General tab beside the DNS tab.
There is an option called Credentials at the bottom.
There you need to set up a standard domain user account (service account) as the DHCP record registration account.
Then restart the DHCP Server service once to make it take effect.
Also add the DHCP server account in AD to the DnsUpdateProxy group on the domain controller.

What do you mean by split zone? Sorry, I don't understand.
Your computer accounts' host (A) records will be registered only in the main domain.com DNS zone. Also, you have to have AD-integrated reverse lookup zones for all computer subnets so that DHCP can register PTR records there.
No need to split zones; at least I am not aware of a zone split concept.
0
 

Author Comment

by:swenger7
ID: 40507510
Sorry for the confusion.

I set the credentials. The article also mentions that with 2008 R2 you can also set DHCP name protection, which I did. I was wondering if there was a downside to this.

What I meant by split zones was that I have 2 VLANs. One is 192.168.1.x and the other is 192.168.20.x, which I added recently. At the time of adding the VLAN on my network I added the zone for this to the forward zone in DNS but forgot to add the reverse for this zone, which I have now added.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40507572
Not sure how you add a DNS zone pointing to subnets in the forward lookup zone.

The zone for subnets can only be added into reverse lookup zones.

Your domain.com forward lookup zone can handle all subnets without any problems or configuration.
No need to create any extra forward lookup zones.
0
 

Author Comment

by:swenger7
ID: 40507588
Sorry. That is correct. I didn't add the zone to the forward. I added the zone as a scope to DHCP but didn't add the reverse zone to DNS, which I have now done.

Back to my other question: is there any downside to setting DHCP Name Protection on?
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40507922
You can enable name protection.
It is a mechanism to secure DNS records against duplication, meaning once a record is registered successfully in DNS for one host, another host cannot register the same host record.

Name protection behavior:
http://blogs.technet.com/b/teamdhcp/archive/2009/01/29/what-is-name-protection.aspx
0
 

Author Comment

by:swenger7
ID: 40515482
So it doesn't seem like this is working.
In my forward zone, I have a computer name which has a timestamp of Dec 18 with IP 192.168.20.157.
There is another computer name which has a timestamp of Dec 22 with the same IP.

The reverse zone only has the first name, so if I ping the second name or use remote access tools with the second name, I end up getting the computer of the first name.

I have also enabled Name Protection, thinking it should have prevented this.

Not sure how to stop this from happening.
0
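A way to audit the situation described in the last post: list every dynamic A record in the forward zone that shares its IPv4 address with another record, show their timestamps, and check which name the reverse zone's PTR for that address actually points at. This is an added example, not code from the thread; it assumes the DnsServer module (Windows Server 2012 or later, or RSAT), a forward zone named `domain.com` and a /24 reverse zone `20.168.192.in-addr.arpa` for the 192.168.20.x VLAN (both placeholders).

```powershell
# Added example, not from the thread. Assumes the DnsServer module (2012+/RSAT).
# Zone and server names are placeholders.
Import-Module DnsServer

$DnsServer   = 'DC01'                     # DNS server to query (placeholder)
$ForwardZone = 'domain.com'               # forward zone (placeholder)
$ReverseZone = '20.168.192.in-addr.arpa'  # reverse zone for 192.168.20.0/24 (placeholder)

# Dynamic A records grouped by address; static records carry no timestamp and are skipped.
function Get-DuplicateARecords {
    param([string]$Server, [string]$Zone)
    Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone -RRType A |
        Where-Object { $_.Timestamp } |
        Group-Object { $_.RecordData.IPv4Address.IPAddressToString } |
        Where-Object { $_.Count -gt 1 }
}

# In a /24 reverse zone the PTR record's name is the last octet of the address.
function Get-PtrTarget {
    param([string]$Server, [string]$Zone, [string]$Ip)
    $lastOctet = ($Ip -split '\.')[-1]
    $ptr = Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone `
        -RRType Ptr -Name $lastOctet -ErrorAction SilentlyContinue
    if ($ptr) { $ptr.RecordData.PtrDomainName } else { '<no PTR record>' }
}

foreach ($group in Get-DuplicateARecords -Server $DnsServer -Zone $ForwardZone) {
    $ip  = $group.Name
    $ptr = Get-PtrTarget -Server $DnsServer -Zone $ReverseZone -Ip $ip
    Write-Host "$ip has $($group.Count) A records; PTR points to: $ptr"
    # Oldest timestamp first: the older entry is the one scavenging should remove
    # once the no-refresh + refresh window has passed.
    $group.Group | Sort-Object Timestamp | ForEach-Object {
        Write-Host ("  {0,-30} timestamp {1}" -f $_.HostName, $_.Timestamp)
    }
}
```

Name protection only blocks a second host from registering an existing name; it does nothing about two different names that end up with the same address after a lease moves, so a record with an old timestamp next to a newer one for the same IP is exactly what this report surfaces. Comparing the oldest timestamp with the zone's no-refresh and refresh intervals tells you whether scavenging has simply not run yet or is not configured on the server that holds the zone.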