DNS is not updating some DHCP leases

We have a small (~100 users/~150 computers) Windows Server 2008 functional level domain with three DCs which are also DNS servers.  The Primary is also a DHCP server.

What's happening is I am getting both old DNS records that don't reflect the most recent DHCP leases, and some REALLY old records (months old). DHCP scope is 120 IPs and the leases are set for 1 day.  I don't have scavenging set because I'm basically afraid of it...  
No obvious events in the DNS event log.

Any suggestions?
mchad65 Asked:

FOX (Active Directory/Exchange Engineer) Commented:
Examine the output of dcdiag /v /c
For troubleshooting, use DNSLint and event logs of the server.
Run repadmin /replsummary to verify your DCs' replication is good
0
mchad65 (Author) Commented:
Here are the errors DCDIAG identified: (Masked some info)
To state the obvious:
PDC=Primary Domain Controller, BDC1=1st backup, BDC2=2nd backup

*****************************************************************************

Starting test: NCSecDesc

         * Security Permissions check for all NC's on DC PDC.
         The forest is not ready for RODC. Will skip checking ERODC ACEs.
         * Security Permissions Check for
           DC=DomainDnsZones,DC=DOMAIN,DC=com
            (NDNC,Version 3)
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=DOMAIN,DC=com
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=DOMAIN,DC=com
            (Schema,Version 3)
         * Security Permissions Check for
           CN=Configuration,DC=DOMAIN,DC=com
            (Configuration,Version 3)
         * Security Permissions Check for
           DC=DOMAIN,DC=com
            (Domain,Version 3)
         ......................... PDC failed test NCSecDesc

*******************************************************************************
      Starting test: VerifyEnterpriseReferences
         The following problems were found while verifying various important DN
         references.  Note, that  these problems can be reported because of
         latency in replication.  So follow up to resolve the following
         problems, only if the same problem is reported on all DCs for a given
         domain or if  the problem persists after replication has had
         reasonable time to replicate changes.
            [1] Problem: Missing Expected Value
             Base Object: CN=BDC1,OU=Domain Controllers,DC=DOMAIN,DC=com
             Base Object Description: "DC Account Object"
             Value Object Attribute Name: msDFSR-ComputerReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862

            [2] Problem: Missing Expected Value
             Base Object: CN=BDC2,OU=Domain Controllers,DC=DOMAIN,DC=com
             Base Object Description: "DC Account Object"
             Value Object Attribute Name: msDFSR-ComputerReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862

            [3] Problem: Missing Expected Value
             Base Object: CN=PDC,OU=Domain Controllers,DC=DOMAIN,DC=com
             Base Object Description: "DC Account Object"
             Value Object Attribute Name: msDFSR-ComputerReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862

            LDAP Error 0x5e (94) - No result present in message.
         ......................... PDC failed test VerifyEnterpriseReferences
**************************************************************************************
       Starting test: VerifyReplicas
         This NC (DC=ForestDnsZones,DC=DOMAIN,DC=com) is supposed to be
         replicated to this server, but has not been replicated yet. This could
         be because the replica set changes haven't replicated here yet.  If
         this problem persists, check replication of the Configuration
         Partition to this server.
         ......................... PDC failed test VerifyReplicas
**************************************************************************************
         Summary of test results for DNS servers used by the above domain
         controllers:

            DNS server: <IP MASKED> (PDC)
               All tests passed on this DNS server
               Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered

            DNS server: <IP MASKED> (BDC1)
               All tests passed on this DNS server
               Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered

            DNS server: <IP MASKED> (<name unavailable>)
               All tests passed on this DNS server

            DNS server: <IP MASKED> (<name unavailable>)
               All tests passed on this DNS server

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: DOMAIN.com
               PDC                          PASS PASS PASS PASS PASS PASS n/a

         ......................... DOMAIN.com passed test DNS
**************************************************************************************
Here is the repadmin result


Source DSA          largest delta    fails/total %%   error
 BDC1                      06m:01s    0 /   8    0
 BDC2                      06m:01s    0 /   8    0
 PDC                   02h:57m:51s    0 /  12    0


Destination DSA     largest delta    fails/total %%   error
 BDC1                      03m:20s    0 /   8    0
 BDC2                  02h:03m:23s    0 /  12    0
 PDC                       06m:02s    0 /   8    0

The delta seems excessively large, doesn't it?
0
footech Commented:
The delta does seem large.  All DCs are in the same site?  However, I don't think that's contributing to your DNS issue.

What settings do you have in DHCP in regards to DNS?
I suggest this as a good read for configuring settings.
http://blogs.msmvps.com/acefekay/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group/

A big factor in the problem is the ownership of a record (assuming you're only allowing secure dynamic updates).  A machine can't update a record if it's owned by someone else.  We start to work around that by having DHCP create all the records (for dynamic clients) so that it is the common owner.  But you also have the interplay of machines that try to refresh their record.

I think scavenging is necessary as I haven't seen any group of settings which will keep things perfectly up-to-date, and so you will end up with records that are invalid.  To help you get a handle on scavenging, read this.
http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx

If you have users that are switching between wired and wireless, I know of no way to have it "all good all the time".  But by adjusting settings as in the first link, and turning on scavenging you keep those bad records from always growing.
0
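A read-only audit script, added here as an example and not part of footech's answer or of any Microsoft documentation, that pulls the DHCP registration and zone aging settings the two links discuss and then lists the dynamic A records that disagree with the current leases (no lease and not refreshed, a different IP than the lease, or several A records for one host as happens with wired/wireless switching). It assumes the DnsServer and DhcpServer PowerShell modules (Windows Server 2012 or later, or RSAT) can manage the servers named in the parameters; 'PDC' and 'DOMAIN.com' are the masked names from the thread, and the 7-day threshold is an arbitrary assumption.

```powershell
# Added example: read-only audit of DHCP leases vs. dynamic DNS A records. Deletes nothing.
# Assumes the DnsServer and DhcpServer modules (Server 2012+/RSAT) can reach the hosts below.
param(
    [string]$DnsServer  = 'PDC',         # assumption: the DC hosting the zone
    [string]$DhcpServer = 'PDC',         # the question says the primary DC runs DHCP
    [string]$Zone       = 'DOMAIN.com',  # zone name as masked in the dcdiag output
    [int]   $StaleDays  = 7              # assumption: not refreshed in a week = suspect
)

# 1. DHCP-side DNS registration settings (what the first link in the thread covers).
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer |
    Format-List DynamicUpdates, DeleteDnsRRonLeaseExpiry, UpdateDnsRRForOlderClients, NameProtection

# 2. Zone aging: scavenging can never remove anything while AgingEnabled is False.
Get-DnsServerZoneAging -ComputerName $DnsServer -Name $Zone |
    Format-List AgingEnabled, NoRefreshInterval, RefreshInterval, ScavengeServers

# 3. Index active leases by short host name (DHCP stores the FQDN, DNS stores the label).
$leases = @{}
Get-DhcpServerv4Scope -ComputerName $DhcpServer |
    Get-DhcpServerv4Lease -ComputerName $DhcpServer |
    Where-Object { $_.AddressState -like 'Active*' -and $_.HostName } |
    ForEach-Object { $leases[($_.HostName -split '\.')[0].ToLower()] = $_ }

# 4. Walk the dynamic A records (static ones have no Timestamp) and report disagreements.
$cutoff = (Get-Date).AddDays(-$StaleDays)
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -RRType A |
    Where-Object { $_.HostName -ne '@' -and $_.Timestamp } |
    Group-Object -Property { $_.HostName.ToLower() } |
    ForEach-Object {
        $name  = $_.Name
        $count = $_.Count
        $lease = $leases[$name]
        foreach ($rr in $_.Group) {
            $ip = $rr.RecordData.IPv4Address.ToString()
            $problem = if ($count -gt 1) { 'multiple A records (wired+wireless?)' }
                       elseif (-not $lease -and $rr.Timestamp -lt $cutoff) { 'no lease and not refreshed' }
                       elseif ($lease -and $lease.IPAddress.ToString() -ne $ip) { 'IP differs from lease' }
            if ($problem) {
                [pscustomobject]@{
                    Host = $name; DnsIP = $ip; LeaseIP = $lease.IPAddress
                    DnsTimestamp = $rr.Timestamp; Problem = $problem
                }
            }
        }
    } | Sort-Object Problem, Host | Format-Table -AutoSize
```

Run it before and after changing the DHCP settings or enabling aging so you can see whether the count of mismatched records actually shrinks rather than guessing.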
