Are the DNS setting's in DHCP creating duplicates A and PTR records in my DNS?

rivkamak
Hi,

Could someone please explain the practical difference between these two dns settings in DHCP?
[image: DHCP-DNS-config.PNG]
I am currently set to "Dynamically update DNS records only if requested by DHCP" but I have read that best practice is to use "Always dynamically update DNS and PTR records"

Why should I do this? I do see many duplicate/old A records in my DNS. Will changing the setting to "always" stop these duplicate records?
[image: old-duplicate-dns-records.PNG]
Thank you very much
MaheshArchitect
Distinguished Expert 2018

Commented:
You have not enabled scavenging.

It is enabled by default on the default domain.com DNS zone, but until you enable it on any one DC server in the domain (PDC preferably), it won't delete stale records.

https://www.dell.com/support/article/in/en/indhs1/sln290798/windows-server-how-to-configure-dns-aging-and-scavenging?lang=en

You can keep any setting for DHCP / DNS integration as long as it is configured correctly.

You need to set one account as DHCP credentials and add this account to the DNSUPDATEPROXY group on the domain controller.
MaheshArchitect
Distinguished Expert 2018

Commented:
"Dynamically update DNS records only if requested by client" works perfectly as long as DHCP credentials are configured and the account is added to the DnsUpdateProxy group on the domain controller.

Configure it as per the post below and ensure you enable scavenging:
https://community.spiceworks.com/topic/366912-dnsupdateproxy-group-not-working-broken-in-server-2012
Top Expert 2014

Commented:
By default, (Windows) clients will create their own A records, while the DHCP server will create the PTR records.  When you select "Always dynamically update DNS and PTR records", the DHCP server will create both records.  For zones that only allow secure dynamic updates, this affects the owner and permissions of the created DNS record(s).

When a record is owned by a client, another client won't be able to change that record.  You will run into this more with the setting "Dynamically update DNS records only if requested by DHCP".

With the setting "Always dynamically update DNS and PTR records", the records are owned by the DHCP server, and there will be no problem with it updating records it owns.

That's the basic intro.  Now, this is a complex subject as there are many factors that can come into play, such as DnsUpdateProxy, clients refreshing their record after it's created, credentials used by DHCP for DNS, etc.  So it's not like, "configure this setting and all your stale DNS problems will be solved!"  Scavenging is really needed to help with stale records so that they don't hang around for a long time.  However, my experience is that if you have clients that switch back and forth between wired and wireless connections, you will never have a situation where your DNS records are all correct, all the time.  By the way, the link I always point to for scavenging (Microsoft recently changed their site, and I haven't found the new location, so all I can point to now is a cached copy) - https://webcache.googleusercontent.com/search?q=cache:LYE_y3KBKK8J:https://blogs.technet.microsoft.com/networking/2008/03/19/dont-be-afraid-of-dns-scavenging-just-be-patient/+&cd=1&hl=en&ct=clnk&gl=us
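As an added example (not from this thread or any of its posters), the following read-only PowerShell script looks for the two symptoms the question describes (one IP with several A records, one host with several A records) and checks whether zone aging and server scavenging are actually switched on. It assumes the DnsServer RSAT module; the zone and server names are placeholders.

```powershell
# Added example: audit a zone for duplicate/stale A records and report aging/scavenging state.
# Read-only. $Zone and $Dns are placeholders; replace with your own zone and DNS server.
Import-Module DnsServer
$Zone = 'corp.example'   # placeholder zone name
$Dns  = 'dc01'           # placeholder DNS server

$records = Get-DnsServerResourceRecord -ComputerName $Dns -ZoneName $Zone -RRType A |
    Where-Object { $_.HostName -notin '@', 'ForestDnsZones', 'DomainDnsZones' }

# Symptom 1: the same IP is claimed by more than one hostname (old record still points here)
"== IPs with more than one A record =="
$records | Group-Object { $_.RecordData.IPv4Address.IPAddressToString } |
    Where-Object Count -gt 1 |
    ForEach-Object {
        [pscustomobject]@{
            IPAddress = $_.Name
            Hosts     = ($_.Group | ForEach-Object HostName) -join ', '
            # dynamic records carry a timestamp; static records show no timestamp at all
            Oldest    = ($_.Group | ForEach-Object Timestamp | Where-Object { $_ } |
                         Sort-Object | Select-Object -First 1)
        }
    } | Format-Table -AutoSize

# Symptom 2: one host with several IPs, typical for clients moving between wired and wireless
"== Hosts with more than one A record =="
$records | Group-Object HostName | Where-Object Count -gt 1 |
    Select-Object @{n = 'HostName'; e = { $_.Name } },
                  @{n = 'IPs'; e = { ($_.Group | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }) -join ', ' } } |
    Format-Table -AutoSize

# Nothing is ever deleted unless aging is on for the zone AND scavenging is on for at least one server
$aging = Get-DnsServerZoneAging -ComputerName $Dns -Name $Zone
$scav  = Get-DnsServerScavenging -ComputerName $Dns
"== Aging / scavenging state =="
[pscustomobject]@{
    ZoneAgingEnabled   = $aging.AgingEnabled
    NoRefreshInterval  = $aging.NoRefreshInterval
    RefreshInterval    = $aging.RefreshInterval
    ServerScavenging   = $scav.ScavengingState
    ScavengingInterval = $scav.ScavengingInterval
    LastScavengeTime   = $scav.LastScavengeTime
} | Format-List
```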

Michelangelo, System Administrator / Postmaster

Commented:
I do not fully agree with the above.
"Always update..." means the DHCP server will update the related DNS records even if a non-Windows client has obtained the DHCP lease.

Reference: https://serverfault.com/questions/634684/is-there-a-downside-to-always-updating-dns-from-dhcp

To delete stale records, use scavenging. The Google webcache article cited in a previous answer is the best I've found on the subject.
Michelangelo, System Administrator / Postmaster

Commented:
Note: update does not mean delete. To actually delete records you have to enable scavenging.
MaheshArchitect
Distinguished Expert 2018

Commented:
No, it's not.

"Always dynamically update DNS and PTR records": if you select this option, the DHCP server will update the A and PTR records immediately when it assigns an IP address to a client, regardless of whether the client requests an update, and it becomes the owner of the record; hence the client can no longer update the record in DNS unless you set a static IP on the client or force DNS registration with ipconfig /registerdns.
I believe in that case, once the record is updated / created by DHCP during the lease, it will remain as is until DHCP refreshes the lease next time.

Non-Windows clients (clients that don't support dynamic update) are a totally separate point; regardless of what you select with the earlier options, it will work if selected.

Author

Commented:
Let me just explain my current settings. My DHCP server is on the domain controller. The DNS config is set to use secure and non-secure DNS dynamic updates. Also, my DNS dynamic update registration credentials in the DHCP settings are set to use a domain admin account. I do not have this account in my DnsUpdateProxy group.

As far as I understand, if my config is set to allow secure and non-secure dynamic updates, then the only reason to create a separate account for DHCP in the update proxy group is for DHCP server failover. No?

I do see this reason given by TechNet, but I do not understand it:
"Upgraded clients can update their own records: The first user who is not a member of the DnsUpdateProxy group to modify the set of records that is associated with a DNS name becomes its owner, so when earlier version clients are upgraded they can take ownership of their name records at the DNS server."
MaheshArchitect
Distinguished Expert 2018

Commented:
Set the zone for secure dynamic updates only.
The DHCP credentials should be a standard account, else it can elevate ownership.

Author

Commented:
I was told that the reason we had it set to secure and non-secure update was in order to allow non-domain clients, like phones/laptops, to obtain an IP address. Does this make sense?
MaheshArchitect
Distinguished Expert 2018

Commented:
No, this is not true.
In order to register DNS records in an AD-integrated zone, the device must be registered / joined to the domain.
Non-secure allows DNS records to be registered and updated by domain-joined clients that don't have the ability to update records securely, like NT4, domain-joined Mac or Linux boxes.
Workgroup clients cannot register records in an AD-integrated zone no matter what you do.
Top Expert 2014

Commented:
"I was told that the reason we had it set to secure and non-secure update was in order to allow non-domain clients, like phones/laptops, to obtain an IP address. Does this make sense?"
No.  Clients will be able to get an IP address regardless of any of the settings discussed.  Whether a DNS record gets created for them is another matter, which is affected by a combination of factors.

Having the DHCP server do all the dynamic registrations allows Mac and Linux clients to have records created for them, even on zones set to secure only.

Author

Commented:
Thank you both. My one concern about switching dynamic updates to secure only would be because of this TechNet article:

https://social.technet.microsoft.com/wiki/contents/articles/51810.windows-server-integration-between-dns-and-dhcp.aspx

"Since current dynamic update settings are: Allow Nonsecure and Secure update, there is no ACL associated with any of these dynamic records and all records have inherited ACL (permission) from the parent DNS zone.

The moment we will change the zone type from non-secure to secure, ACL will come into the picture and it will NOT allow updating any of these dynamic records because there will be no matching entry (ACE) found with appropriate permission to modify the record.

Changing the zone type may not cause an immediate outage, as all records will not be updated at the same time. However, over the time, as and when system will get new IP addresses and will try to update corresponding DNS records, those attempts would not be successful which will cause a big issue and would make the entire environment unstable."


He then gives some PowerShell commands. Is this necessary? Am I able to check myself manually if the above would really be a problem?
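The manual check asked about above can be done by reading the security descriptor of each record's dnsNode object in AD. The following is an added example, not the TechNet article's commands and not from any poster here; it lists the owner and the explicit (non-inherited) ACEs of every dynamic A record, so records that only carry inherited zone permissions stand out before the zone is switched to secure only. It assumes the ActiveDirectory and DnsServer modules and that the zone is stored in the DomainDnsZones partition; zone and domain names are placeholders.

```powershell
# Added example: who owns each dynamic A record, and does the record have its own ACEs?
# Read-only. $Zone and $DomainDN are placeholders.
Import-Module ActiveDirectory, DnsServer
$Zone     = 'corp.example'          # placeholder zone name
$DomainDN = 'DC=corp,DC=example'    # placeholder domain DN

# AD-integrated zones usually live in DomainDnsZones; zones stored in the domain partition
# sit under CN=MicrosoftDNS,CN=System,$DomainDN instead (assumption: adjust if yours differ)
$ZoneDN = "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN"

Get-DnsServerResourceRecord -ZoneName $Zone -RRType A |
    Where-Object { $_.Timestamp } |          # dynamic records only; static ones have no timestamp
    ForEach-Object {
        $nodePath = "AD:\DC=$($_.HostName),$ZoneDN"   # the dnsNode object for this name
        $acl      = Get-Acl -Path $nodePath
        # ACEs set directly on the node, as opposed to permissions inherited from the zone
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited } |
                      ForEach-Object { "$($_.IdentityReference): $($_.ActiveDirectoryRights)" })
        [pscustomobject]@{
            HostName         = $_.HostName
            IP               = $_.RecordData.IPv4Address.IPAddressToString
            Timestamp        = $_.Timestamp
            Owner            = $acl.Owner
            ExplicitACEs     = ($explicit -join '; ')
            # TRUE is the case the quoted article warns about: nothing but inherited zone permissions
            OnlyInheritedACL = ($explicit.Count -eq 0)
        }
    } | Sort-Object OnlyInheritedACL -Descending | Format-Table -AutoSize
```

Records whose Owner is the DHCP credential account (or the DHCP server's computer account) are the ones DHCP can keep updating after the change; records owned by individual client computer accounts will be updated only by those clients.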
MaheshArchitect
Distinguished Expert 2018

Commented:
Ok.

I did some testing on the TechNet blog you posted:

If the conditions below are true, you should not face any issues:
 - Configure DHCP - DNS integration as below:
[image: DNS-DHCP Integration]
   Basically, allow DHCP to update records all the time and also allow it to update records for clients who don't support dynamic update.
 - You configured a standard domain user account as DHCP credentials on all DHCP servers and added this account to the DNSUPDATEPROXY group in AD.
Now you can switch from non-secure to secure without any issues.
I have tested the behaviour for a domain-joined machine and a workgroup machine, and as soon as I changed dynamic update from "secure and non secure" to secure and restarted the machine, as long as the same IP lease is there, there is no change in the ACL.
However, if that lease / IP is not available (I put the already leased IP in an exclusion under the DHCP scope before reboot), DHCP overwrites the existing record with a new ACL (DHCP credential account) and updates the record with the new IP as well.

The Microsoft article is correct up to the stage that with "secure and non secure" dynamic updates the ACL is generic and does not contain the DHCP credential or Authenticated Users; however, what it states after that is not correct.

I tested this on a 2012 R2 DHCP server; most probably DNSUPDATEPROXY is making this possible.
So, in short, with DHCP as the top authority (always update) to update records for dynamic-update supported / non-supported clients, you should not face any issue, and DHCP will update the existing record for domain-joined \ workgroup-based \ Linux-based \ Mac-based clients if the existing IP is not available.

Test it yourself.
Top Expert 2014

Commented:
Something to note - if you have scavenging enabled, any issues with records will be limited in duration.
 - clients with static records - will not be affected by the dynamic updates setting (nor scavenging).
 - clients configured with a static IP, but which maintain their own record - if the ACL changes and they are not able to update their record, in time it will be scavenged and then the client will re-register the record on its own (but either way the record will point at the correct IP).
 - clients configured with a dynamic IP, registering their own record - may not be able to update their record after changing to "secure only" dynamic updates; the record could be correct or incorrect, but will be scavenged if incorrect and then it will get re-registered.
 - clients configured with a dynamic IP, DHCP registering the record - I haven't run through every variable, but often the DHCP will still be able to update the record after the change to "secure only".  For those records that can't be updated, again it will be limited in duration with scavenging.

Author

Commented:
Thank you Mahesh, I really appreciate your time. Thank you footech also.

I am understanding things better after your comments plus research. One thing I am still not understanding is what to put in the DnsUpdateProxy group.  My DHCP server is on my Server 2008 R2 DC. Some articles say that the DHCP server computer name be put into the group, which in my case is my domain controller computer object. If that is the case, they say to run dnscmd /config /OpenAclOnProxyUpdates 0 on the DC. Others say to not put the computer object in and just put the same domain user account that you configured DHCP with into the DnsUpdateProxy group. I know you (Mahesh) say to put the domain user account.

What are your opinions/experience with this?
MaheshArchitect
Distinguished Expert 2018
Commented:
I never added the DHCP server account to the DnsUpdateProxy group.

If DHCP is configured to update records always, then whatever IP it leases, it automatically updates those records in DNS and becomes the owner of the record. This sounds very good; however, it creates issues when you have multiple DHCP servers.
Now, if the original DHCP server having record ownership has gone down, the other DHCP server can't take that record ownership and cannot update that record when there is a change in IP. Hence Microsoft suggests adding DHCP servers to the DnsUpdateProxy group. This group is a special group which can elevate permissions and allow member DHCP servers to update and take ownership of records.
However, adding the DHCP credential account to the DnsUpdateProxy group will grant record update rights to that account and still solve your purpose; basically, record ownership goes to the DHCP credential account and it removes the DHCP server dependency.
The reason for avoiding the addition of DHCP servers to the DnsUpdateProxy group is that it may grant more elevated permissions to DHCP on entire DNS zones, especially when DHCP is deployed on domain controllers; it should be avoided by using DHCP credentials as the alternate method.
The article you posted, I believe, already explained all this.
Top Expert 2014

Commented:
Here's my recommendation.
Enter the credentials of a domain account without admin privileges in the DHCP setting "DNS dynamic update registration credentials".  Add the server account to the DnsUpdateProxy group.  And since your DHCP is located on your DC, use the setting you mentioned -
dnscmd /config /OpenAclOnProxyUpdates 0

Here's a good guide - https://blogs.msmvps.com/acefekay/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group/
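As an added example that is not from this thread or the linked guide, here is the recommendation above expressed as a PowerShell script for a DHCP server that is also a DC: DHCP registers A and PTR itself (also for clients that cannot request updates), the registration credential is a non-admin domain account, the server's computer object goes into DnsUpdateProxy, OpenAclOnProxyUpdates is switched off on the DC, and aging/scavenging is turned on so stale records age out. It assumes the DhcpServer, ActiveDirectory and DnsServer modules; server, zone and account names are placeholders, and the 7-day intervals are an assumed starting point.

```powershell
# Added example: apply the DHCP/DNS integration recommendation on a DC that runs DHCP.
# Run elevated. $DhcpServer, $Zone and the credential are placeholders.
Import-Module DhcpServer, ActiveDirectory, DnsServer
$DhcpServer = 'dc01'            # placeholder: the DC that runs DHCP
$Zone       = 'corp.example'    # placeholder zone name
# A plain domain user, not a domain admin (an admin account would leave elevated ownership on records)
$Cred = Get-Credential -Message 'Non-admin domain account for DHCP DNS registrations (placeholder: CORP\svc-dhcp-dns)'

# 1. DHCP always registers A and PTR, also for clients that cannot request updates,
#    and removes the records it created when the lease expires
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer `
    -DynamicUpdates Always `
    -UpdateDnsRRForOlderClients $true `
    -DeleteDnsRROnLeaseExpiry $true

# 2. Credential used for the registrations (the "DNS dynamic update registration credentials" setting)
Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $Cred

# 3. Server computer object into DnsUpdateProxy, as recommended above
Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members (Get-ADComputer -Identity $DhcpServer)

# 4. DHCP runs on a DC, so keep records registered through the proxy group from getting an open ACL
dnscmd $DhcpServer /Config /OpenAclOnProxyUpdates 0

# 5. Aging on the zone plus scavenging on this server; stale dynamic records then age out.
#    Assumed intervals: 7 days no-refresh, 7 days refresh, scavenge every 7 days.
$serverIPv4 = [System.Net.Dns]::GetHostAddresses($DhcpServer) |
              Where-Object { $_.AddressFamily -eq 'InterNetwork' }
Set-DnsServerZoneAging -ComputerName $DhcpServer -Name $Zone -Aging $true `
    -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00 -ScavengeServers $serverIPv4
Set-DnsServerScavenging -ComputerName $DhcpServer -ScavengingState $true -ScavengingInterval 7.00:00:00

# 6. Restart DHCP so the service picks up the new credential
Restart-Service -Name DHCPServer

# Show the resulting DHCP/DNS settings and credential for a quick sanity check
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer
Get-DhcpServerDnsCredential -ComputerName $DhcpServer
```

Records that clients registered themselves before the change keep their existing owners; as the posts above note, those are the ones that scavenging, not this configuration, eventually clears.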

Author

Commented:
When you say server account, do you mean the DC's computer object?
Top Expert 2014

Commented:
Yes, and that's why the dnscmd command should be run as well.

Author

Commented:
Thank you all.
