compdigit44 asked:
Windows 2012 R2 DHCP Policies

In Windows 2012 R2 DHCP services, is it possible to create a policy that would block an IP from attempting to be registered in DNS if the client DNS suffix does not match our domain name?

In case others are wondering, our scopes are set to hand out the DNS suffix name, but we are running into an issue with non-domain-joined vendor appliances that have a preset DNS suffix. When the devices get an IP from our DHCP server, the server is reaching out to the remote domain (I know this because I have a case open with MS support on this) and causes the DHCP queue to fill up, blocking other clients from having their DNS records updated by the DHCP server.
Mahesh:

> is it possible to create a policy that would block an IP from attempting to be registered in DNS if the client DNS suffix does not match our domain name?

Really unable to understand what you are trying to say.

If the vendor devices have existing DNS suffixes, what does that have to do with your DHCP server? What do you mean by "the server is reaching out to a remote domain"? Clients just need an IP address to communicate with....
Are you saying that because of the vendor devices, your scope is running out of IP addresses?
compdigit44 (asker):
The vendor devices are getting DHCP leases from our server, and all scopes are set to register records for the clients. These devices do not have our DNS suffix, and the DHCP service tries to connect to the remote domain for registration, takes too long, and causes the DHCP queue to get backed up, which was confirmed with MS support.

Also, these vendor devices are locked devices and can only be changed by the vendor. I have never used DHCP policies and was wondering if a policy could be created that would block the DHCP server from trying to register an address if it did not match our domain name.
How about stop having DHCP server trying to register in DNS? Domain joined Windows clients will register in DNS on their own anyway.
I have thought about that...
Usually the MS best practice is to have DHCP do the registration in DNS. What are the pros/cons of disabling this and having the clients update themselves?
If you turned off DNS registration by the DHCP servers, then domain members that are not Windows 2000 or later wouldn't appear in DNS. Do you need non-Windows DHCP clients in DNS? For example, my IP phones are not in DNS. That's fine by me. If I need to look up the IP address of those devices, I look at my DHCP server.

I have never considered DNS registration by DHCP servers to be a best practice; certainly not a strong best practice.
OK, thanks for the explanation.

Ideally you could configure the DNS-DHCP advanced integration options as below:
Dynamically update DNS records only if requested by the DHCP clients: select this setting. By default only the Authenticated Users group (computers, in your case) can register records in DNS, so unauthenticated users (vendor devices) won't force registration of host records.
Secondly, unselect "Dynamically update DNS records for clients that do not support dynamic updates".

These two options above should suffice for your request.

Alternatively, you can create a "guest.domain.com" AD-integrated DNS zone (it must be set for secure dynamic update) on the DNS server and force the external vendor devices to register in that specific DNS zone, to avoid searching of remote domain suffixes. For that you need to create a DHCP policy and point the guest devices to the guest domain.
The steps are mentioned in the article below:
https://blogs.technet.microsoft.com/teamdhcp/2014/01/26/windows-server-2012-r2-enhancing-dhcp-policies-and-dns-registrations-in-dhcp-server/

The policy can be created for a specific scope or for the entire server (applicable to all scopes on that server).

Mahesh.
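The two approaches above (scope-wide "update only on client request" and a per-policy setting for clients with a foreign DNS suffix) can be applied from the DhcpServer PowerShell module instead of the DHCP console. The script below is an added example written for this thread; it is not code from the thread, from Microsoft, or from the linked article. It assumes a Windows Server 2012 R2 DHCP server, an internal AD DNS suffix of corp.example.com, a scope of 10.10.10.0 and a guest zone of guest.example.com, all of which are placeholders. The "NE,*.suffix" form of the -Fqdn condition is the operator,value format the cmdlet documents for FQDN conditions; confirm it on your build with Get-Help Add-DhcpServerv4Policy -Parameter Fqdn before relying on it.

```powershell
# Added example for this thread (not the original poster's or Microsoft's code).
# Run from an elevated PowerShell session on the 2012 R2 DHCP server.
Import-Module DhcpServer

$Domain     = 'corp.example.com'   # placeholder: your AD DNS suffix
$GuestZone  = 'guest.example.com'  # placeholder: optional AD-integrated guest zone
$ScopeId    = '10.10.10.0'         # placeholder: the scope handing leases to the appliances
$PolicyName = 'NoDnsUpdateForForeignSuffix'

# 1. Audit first: which active leases report a host name outside our suffix?
#    These are the clients whose registration makes the server contact a foreign zone.
function Get-ForeignSuffixLease {
    param([string]$ScopeId, [string]$Domain)
    Get-DhcpServerv4Lease -ScopeId $ScopeId |
        Where-Object { $_.HostName -and $_.HostName -like '*.*' -and $_.HostName -notlike "*.$Domain" } |
        Select-Object IPAddress, HostName, ClientId, LeaseExpiryTime
}
Get-ForeignSuffixLease -ScopeId $ScopeId -Domain $Domain | Format-Table -AutoSize

# 2. Record the current scope-level DNS integration settings for rollback/comparison.
$before = Get-DhcpServerv4DnsSetting -ScopeId $ScopeId
$before | Format-List

# 3. Option A (first suggestion in the reply above): register only when the client
#    asks (option 81 / client FQDN request) and never on behalf of clients that do
#    not request updates. Equivalent to the two check boxes on the scope DNS tab.
Set-DhcpServerv4DnsSetting -ScopeId $ScopeId `
    -DynamicUpdates OnClientRequest `
    -UpdateDnsRRForOlderClients $false

# 4. Option B (the 2012 R2 policy feature from the linked article): match clients
#    whose FQDN is NOT under our suffix and switch DNS registration off for just
#    those leases, so the server never attempts an update against the foreign zone.
if (-not (Get-DhcpServerv4Policy -ScopeId $ScopeId -ErrorAction SilentlyContinue |
          Where-Object Name -eq $PolicyName)) {
    Add-DhcpServerv4Policy -Name $PolicyName -ScopeId $ScopeId `
        -Description 'Clients with a DNS suffix outside our domain' `
        -Condition OR -Fqdn "NE,*.$Domain"
}
Set-DhcpServerv4DnsSetting -ScopeId $ScopeId -PolicyName $PolicyName `
    -DynamicUpdates Never

# 5. Alternative to step 4 (the "guest zone" suggestion): keep registering those
#    clients but force them into an internal AD-integrated zone instead of their
#    own suffix. Uncomment to use instead of -DynamicUpdates Never.
# Set-DhcpServerv4DnsSetting -ScopeId $ScopeId -PolicyName $PolicyName `
#     -DynamicUpdates Always -DnsSuffix $GuestZone

# 6. Verify: scope-level settings, the policy, and the policy-level DNS settings.
Get-DhcpServerv4DnsSetting -ScopeId $ScopeId | Format-List
Get-DhcpServerv4Policy -ScopeId $ScopeId | Where-Object Name -eq $PolicyName | Format-List
Get-DhcpServerv4DnsSetting -ScopeId $ScopeId -PolicyName $PolicyName | Format-List
```

Step 4 is the direct answer to the original question: a policy whose FQDN condition does not match the internal suffix, with dynamic updates set to Never for that policy only, leaves domain-joined clients registering as before while the appliances stop generating update attempts against the remote zone. Keep the DNS zone itself on secure dynamic updates only, as the next reply notes, so that any update that does get through still requires an authenticated client.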
Thank you very much for your great feedback. Just to make sure I understand things correctly: right now my scopes are set to "Always update DNS...". When selecting "Update DNS only if client requests", this means that only domain-joined devices would be updated, correct? My zone is set for secure and non-secure updates.
Yes, that's right
A client can update its own Host (A) record in DNS only if it is authenticated. Since workgroup / external devices can't authenticate with the domain, ideally they can't do registration.

You need to ensure that the zone is set for secure dynamic updates only, so that DNS mandates that a client must be authenticated before it can attempt to update / register its Host (A) record in DNS.

Mahesh.
Great. It sounds like this would be the ideal setting to have in place regardless. So a client that is not on the domain but getting a DHCP lease would not register with the DNS server even though it is listed in the DHCP lease information.

Also, what are the pros / cons of having the DHCP server handle DNS registration vs. the client? What are the risks of doing either one?
ASKER CERTIFIED SOLUTION (Mahesh)