Solved

Windows 2012 R2 DHCP Policies

Posted on 2016-11-04
Last Modified: 2016-11-07
In Windows 2012 R2 DHCP services, is it possible to create a policy that would block an IP from attempting to be registered in DNS if the client DNS suffix does not match our domain name?

In case others are wondering: our scopes are set to hand out the DNS suffix name, but we are running into an issue with non-domain-joined vendor appliances that have a pre-set DNS suffix. When the devices get an IP from our DHCP server, the server is reaching out to the remote domain (I know this because I have a case open with MS support on this), and this causes the DHCP queue to fill up, blocking other clients from having their DNS records registered by the DHCP server.
Question by:compdigit44
10 Comments
 
LVL 35

Expert Comment

by:Mahesh
ID: 41875212
is it possible to create a policy that would block an IP from attempting to be registered in DNS if the client DNS suffix does not match our domain name?

Really unable to understand what you are trying to say

If the vendor devices have existing DNS suffixes, what does that have to do with your DHCP server? What do you mean by the server reaching out to the remote domain? Clients just need an IP address to communicate....
Are you saying that because of the vendor devices your scope is running out of IP addresses?
 
LVL 19

Author Comment

by:compdigit44
ID: 41875495
The vendor devices are getting DHCP leases from our server, and all scopes are set to register records for the clients. These devices do not have our DNS suffix, and the DHCP service tries to connect to the remote domain for registration, takes too long, and causes the DHCP queue to get backed up, which was confirmed with MS support.

Also, these vendor devices are locked devices and can only be changed by the vendor. I have never used DHCP policies and was wondering if a policy could be created that would block the DHCP server from trying to register an address if it did not match our domain name.
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 41875525
How about stopping the DHCP server from trying to register in DNS? Domain-joined Windows clients will register in DNS on their own anyway.
 
LVL 19

Author Comment

by:compdigit44
ID: 41875539
I have thought about that...
Usually the MS best practice is to have the DHCP server do the registration in DNS. What are the pros/cons of disabling this and having the clients update themselves?
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 41875852
If you turned off DNS registration by the DHCP servers, then non-Windows 2000 or better domain members wouldn't appear in DNS. Do you need non-Windows DHCP clients in DNS? For example, my IP phones are not in DNS. That's fine by me. If I need to look up the IP address of those devices, I look at my DHCP server.

I have never considered DNS registration by DHCP servers to be a best practice; certainly not a strong best practice.
 
LVL 35

Expert Comment

by:Mahesh
ID: 41876039
OK
Thanks for explanation

Ideally you could configure the DNS-DHCP advanced integration options like below:
"Dynamically register DNS records only if requested by DHCP clients" - select this setting. By default only the Authenticated Users group (computers, in your case) can register records in DNS; unauthenticated users (vendor devices) won't be able to force registration of host records.
Secondly, unselect "Dynamically update DNS records for clients that do not support dynamic updates".

These two options above should satisfy the request.

Alternatively, you can create a "guest.domain.com" AD-integrated DNS zone (it must be set for secure dynamic update) on the DNS server and force the external vendor devices to register in that specific DNS zone, to avoid searching of the remote domain suffixes. For that you need to create a DHCP policy and point the guest devices to the guest domain.
The steps are mentioned in the article below:
https://blogs.technet.microsoft.com/teamdhcp/2014/01/26/windows-server-2012-r2-enhancing-dhcp-policies-and-dns-registrations-in-dhcp-server/

The policy can be created for a specific scope or for the entire server (applicable to all scopes on that server).

Mahesh.
 
LVL 19

Author Comment

by:compdigit44
ID: 41876238
Thank you very much for your great feedback. Just to make sure I understand things correctly: right now my scopes are set to "Always update DNS...". When selecting "Update DNS only if client requests", this means that only domain-joined devices would be updated, correct? My zone is set for secure and non-secure updates.
 
LVL 35

Expert Comment

by:Mahesh
ID: 41876259
Yes, that's right.
A client can update its own Host (A) record in DNS only if it is authenticated; since workgroup / external devices can't authenticate with the domain, ideally they can't do registration.

You need to ensure that the zone is set for secure dynamic update only, so that DNS mandates that a client must be authenticated before it can attempt to update / register a Host (A) record in DNS.

Mahesh.
 
LVL 19

Author Comment

by:compdigit44
ID: 41876265
Great.. it sounds like this would be the ideal setting to have in place regardless. So a client that is not on the domain but is getting a DHCP lease would not register with the DNS server, even though it is listed in the DHCP lease information.

Also, what are the pros / cons of having the DHCP server handle DNS registration vs. the client? What are the risks of doing either one?
 
LVL 35

Accepted Solution

by: Mahesh (earned 500 total points)
ID: 41876379
Yes, that will work as long as you set the DNS-DHCP integration option as suggested in my earlier comment.

You can set up DNS dynamic update as you want as long as you configure the DNS zone for secure dynamic update and DNS scavenging.
You may skip DNS-DHCP integration, and domain-joined computers will continue to update their Host (A) and PTR records in DNS because of dynamic updates; this will resolve your problem quickly.

By default, when you install the DHCP server role, DNS integration is enabled for clients with the settings:
Dynamically register DNS records only if requested by DHCP clients - enabled
Dynamically update DNS records for clients that do not support dynamic updates - disabled
In addition to the above, you must set a standard AD service account as the DHCP credentials (DHCP Console\IPv4\Advanced\Credentials) and should add this account to the DnsUpdateProxy group on the domain controller.
This will also achieve what you are trying to do.
DNS-DHCP integration works well if it is configured correctly; otherwise you may face issues like clients not being able to update their records in DNS, etc.

One would use DNS-DHCP integration (the "Always dynamically register DNS records" setting enabled and the "Dynamically update DNS records for clients that do not support dynamic updates" setting enabled) when one wants non-domain-joined clients / other devices, such as non-Windows devices (Android) etc., to register their records in DNS regardless of an update request, in addition to standard domain-joined devices.

Mahesh
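As an added example (not part of this thread, and not Microsoft's own guidance), here is how the settings Mahesh describes in his two comments above, the DNS-DHCP integration options, the DHCP update credentials in the DnsUpdateProxy group, the secure-update-only zones and the optional guest-suffix DHCP policy, map onto the DhcpServer, DnsServer and ActiveDirectory PowerShell modules that ship with Windows Server 2012 R2 / RSAT. The server name, zone names, scope, service-account name and the MAC prefix used to match the vendor appliances are all assumed placeholders; replace them with your own values.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell session
# with the DhcpServer, DnsServer and ActiveDirectory modules available.
# All names below are assumptions / constructed placeholders.
$DhcpServer = 'dhcp01.corp.example'   # assumption: your DHCP server
$ZoneName   = 'corp.example'          # assumption: your AD-integrated zone
$GuestZone  = 'guest.corp.example'    # assumption: zone for vendor appliances
$ScopeId    = '10.20.0.0'             # assumption: scope serving the appliances
$SvcAccount = 'svc-dhcp-dns'          # assumption: low-privilege AD account

# 1. Server-wide DNS integration: register only when the client asks (domain
#    members do; an unauthenticated vendor box cannot update a secure zone), and
#    do not register on behalf of clients that lack dynamic-update support.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer `
    -DynamicUpdates OnClientRequest `
    -UpdateDnsRRForOlderClients $false `
    -DeleteDnsRROnLeaseExpiry $true

# Scope-level settings override the server-level ones, so apply the same to
# the scope that hands leases to the appliances ("Always update DNS" at scope
# level would otherwise keep the behaviour the question describes).
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $ScopeId `
    -DynamicUpdates OnClientRequest -UpdateDnsRRForOlderClients $false

# 2. DHCP update credentials: an ordinary AD account that is a member of
#    DnsUpdateProxy, so records the DHCP server does create are not owned by
#    the DHCP computer object and can later be taken over by the client.
Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members $SvcAccount
$cred = Get-Credential -UserName "CORP\$SvcAccount" `
    -Message 'Password for the DHCP dynamic-update service account'
Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $cred

# 3. Zones accept secure dynamic updates only (run against a DNS server /
#    domain controller). The guest zone is created once, AD-integrated.
Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure
Add-DnsServerPrimaryZone -Name $GuestZone -ReplicationScope Domain `
    -DynamicUpdate Secure

# 4. Optional: a scope-level DHCP policy that matches the appliances (here by
#    a constructed MAC prefix; the linked TechNet article also covers FQDN-based
#    conditions) and hands them the guest suffix, so the DHCP server never has
#    a reason to look up the vendor's remote domain for them.
Add-DhcpServerv4Policy -ComputerName $DhcpServer -ScopeId $ScopeId `
    -Name 'VendorAppliances' -Condition OR -MacAddress @('EQ', '001A2B*')
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $ScopeId `
    -PolicyName 'VendorAppliances' -DnsSuffix $GuestZone `
    -DynamicUpdates OnClientRequest -UpdateDnsRRForOlderClients $false

# 5. Verify what is actually in effect at server, scope and policy level, and
#    that both zones now refuse non-secure updates.
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $ScopeId
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $ScopeId `
    -PolicyName 'VendorAppliances'
foreach ($z in $ZoneName, $GuestZone) {
    Get-DnsServerZone -Name $z | Select-Object ZoneName, DynamicUpdate
}
```

The verification step matters more than it looks: the question's symptom (a backed-up DHCP DNS-update queue) can survive a server-level change if the affected scope still has its own "Always dynamically update" override, so check the scope and policy output, not just the server defaults.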