Dynamic and Secure DHCP DNS Registration Question

Krzysztof Kubiak
Hello Team.
I’m hoping some DNS and DHCP masters will help me understand a bit more how Secure dynamic DNS registration works and tell me if my solution is the best approach.

Problem Description
From time to time, when users connect to a different VLAN or VPN, the DHCP Server or the Client does not create either an A record or a PTR record.

Environment:

Users use either Windows 7 or Windows 10; we don’t have any older OS.
The DHCP and DNS roles are installed on Domain Controllers. DHCP is running on 3 Windows Server 2012 servers, and DNS is running on 3 Windows Server 2012 servers and 1 Windows Server 2016 server.

Troubleshooting:
This issue seems to have existed for a long time, as other IT departments were from time to time telling our team that DNS was not working properly. The problem is that by the time they told us, their issue had already been resolved, so we never got the opportunity to understand what the issue really was until recently, when I finally got an incident and hands on a laptop where the registration really wasn’t working. When I saw that, I started to dig into the issue in more detail.
First I checked whether the problem was with some VPN connection, but together with the Networks team we were quickly able to prove that VPN is not the issue, as two laptops had no issues at all getting an A and PTR record.
I started to look into the configuration of the DHCP scopes and DNS Forward Lookup zones and discovered the following:
The DHCP Server under the DNS setting has the following options set:
-      Always dynamically update DNS A and PTR records
-      Discard A and PTR records when lease is deleted
-      Dynamically update DNS records for DHCP clients that do not request updates
On the DNS Forward Lookup Zone I found out that Dynamic DNS Update is set to Secure Only.
I then read the following amazing article and started to understand where we probably have the gaps:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd145315(v=ws.10)

So after reading the article I checked and found that some of the DNS records are owned by one of the DHCP Servers, and most of them are owned by the DHCP Clients themselves. I think that because most of the records are owned by DHCP Clients, we don’t have as many issues as we should.

After that I checked the DnsUpdateProxy group and found out that this group is blank and doesn’t contain any Computer Object. The second thing I checked was the Credentials settings on the DHCP server, and I could see that the Username and Domain are blank, but the password contains some dots.

To be sure that there is no account assigned, I ran the PowerShell command Get-DhcpServerDnsCredential on one of the domain controllers and couldn’t see any username account.
So what I think is happening in our environment is that someone enabled Secure Only updates but didn’t configure it to the end, and whenever the owner of a DNS record is one of the DHCP servers, the other servers don’t have access to change that record.

To fix the issue globally, I think the only thing I need to do is to create a Domain User and set the Credentials on each DHCP Server, then maybe restart the service.
My questions are:

1.      Because no user account shows up when I run Get-DhcpServerDnsCredential, and I don’t see any username in the Credentials option, is that sufficient to say that there is no account set? I just don’t want to end up in a situation where an account was set up years ago when the DC was still a Server 2003 and it’s hidden somewhere in an attribute.
2.      Because the DHCP and DNS roles are on the DCs, do I still need to add the DHCP Servers to DnsUpdateProxy and secure the group?
3.      How come I don’t see more problems in my environment? The DHCP servers are set to Always Dynamically update DNS records, so I would expect more issues with the DHCP server registering DNS records. I know that on the DHCP Client under IPv4 you have the option “Register this connection’s addresses in DNS”; that’s how I understand a lot of the DNS records end up with the clients as owners of their own records. Does it mean that if the DHCP Server fails to update the records, it sends information to the DHCP Client saying that it failed to register, and the DHCP client does it itself?
4.      And the last question: are the steps for setting up Credentials the right way to go?


Any help will be much appreciated; it’s the first time I’m dealing with these properties.
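The checks walked through above (zone update policy, DnsUpdateProxy membership, per-server DHCP DNS settings and credential, and record ownership) can be scripted. The following is an added PowerShell example, not code from the original post; the server names, zone name and the DomainDnsZones partition are assumptions.

```powershell
# Added example (not from the original post): audit the DHCP/DNS dynamic-update settings
# described in the question. Requires the DhcpServer, DnsServer and ActiveDirectory RSAT modules.
# Server names and the zone name are constructed placeholders.
Import-Module DhcpServer, DnsServer, ActiveDirectory

$dhcpServers = @('dc01.corp.example', 'dc02.corp.example', 'dc03.corp.example')  # assumed
$dnsServer   = 'dc01.corp.example'                                               # assumed
$zoneName    = 'corp.example'                                                    # assumed

# 1. Zone policy: 'Secure' means a record can only be changed by its owner or an ACL'd principal.
$zone = Get-DnsServerZone -ComputerName $dnsServer -Name $zoneName
[pscustomobject]@{ Check = 'Zone DynamicUpdate'; Value = $zone.DynamicUpdate }

# 2. DnsUpdateProxy: if empty, a DHCP server registering without credentials owns the records it creates.
$proxyMembers = Get-ADGroupMember -Identity 'DnsUpdateProxy' | Select-Object -ExpandProperty Name
[pscustomobject]@{ Check = 'DnsUpdateProxy members'; Value = ($proxyMembers -join ', ') }

# 3. Per-server DHCP DNS settings and the credential (if any) used for registrations.
foreach ($srv in $dhcpServers) {
    $dns  = Get-DhcpServerv4DnsSetting -ComputerName $srv
    $cred = Get-DhcpServerDnsCredential -ComputerName $srv
    $credUser = if ($cred.UserName) { "$($cred.DomainName)\$($cred.UserName)" } else { '<none>' }
    [pscustomobject]@{
        Server           = $srv
        DynamicUpdates   = $dns.DynamicUpdates            # Always / OnClientRequest / Never
        DeleteOnExpiry   = $dns.DeleteDnsRRonLeaseExpiry
        UpdateOldClients = $dns.UpdateDnsRRForOlderClients
        CredentialUser   = $credUser
        InDnsUpdateProxy = ($proxyMembers -contains $srv.Split('.')[0])
    }
}

# 4. Who owns each record in the zone: records owned by a DHCP server's computer account are the
#    ones the other servers cannot update under 'Secure only'. Assumes an AD-integrated zone
#    stored in the DomainDnsZones partition (assumption; use ForestDnsZones if replicated forest-wide).
$zoneDn = "DC=$zoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$((Get-ADDomain).DistinguishedName)"
Get-ADObject -SearchBase $zoneDn -SearchScope OneLevel -Filter 'objectClass -eq "dnsNode"' |
    ForEach-Object {
        [pscustomobject]@{ Record = $_.Name; Owner = (Get-Acl -Path "AD:\$($_.DistinguishedName)").Owner }
    } |
    Group-Object Owner | Sort-Object Count -Descending | Select-Object Count, Name
```

The final table is the quickest way to see how many records sit under a DHCP server's computer account rather than under the clients themselves.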
Exec Consultant
Distinguished Expert 2018
Commented:
1. Yes, should be applicable. You can try netsh to show the dnscredentials, e.g. run “netsh dhcp server show dnscredentials” to find out whether any credentials are configured on the DHCP server.

https://support.microsoft.com/en-us/help/282001/event-id-1056-is-logged-after-installing-dhcp

2. Not necessary. The important thing is to have a new credential with user privilege, as mentioned in (1). If you are registering only Windows domain-joined clients, netlogon will register the client name and IP in DNS. The usual approach is to create a new user for DHCP-DNS updates and add the user to the zone.

That said, it has its advantages, e.g. secure DNS updates can work with multiple DHCP servers: if all DHCP servers are added as members of the DnsUpdateProxy group, then the records of a server that fails can be updated by another server.

Catch more below.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd334715(v=ws.10)

3. Valid concern, and more about the resiliency of the servers.

The client will likely still use whatever is in the existing IP addresses, which is undesirable and unpredictable. Connection issues will still exist. DHCP will still get the update from the DNS server pool if the former are not able to assign the IP addresses dynamically; there can be a delay in the response by DHCP to the client. Hence a direct IP address to DNS may be needed to prevent failing updates and delayed pending updates: specify DNS servers that support dynamic updates at the appropriate level. Applicable for 2008 and above. Catch this to understand more.

https://support.microsoft.com/en-sg/help/3069564/dhcp-dynamic-updates-of-dns-registrations-are-delayed-or-not-processed

It also states the following, which is good to know:
At least one administrator has reported successfully preventing a delay in DNS updates registration by selecting the Always dynamically update DNS A and PTR records option on the DHCP server. We do not consider this action to be a viable workaround, and we have not determined why it might be effective.

4. Yes. You can try the following:

From a command prompt, type netsh, and then press ENTER.

From the netsh prompt, type dhcp server ipaddress (where ipaddress is the IP address of the DHCP server that you want to configure), and then press ENTER.

Type set dnscredentials username domain password (where username domain password is the user account information for the account under which you want the DHCP Server to run), and then press ENTER. You can use any valid existing user account for this, such as a Domain User account. The account should not be set to expire or have any other restrictions.

Type quit, and then press ENTER to exit.
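The same configuration done with the DhcpServer cmdlets instead of netsh, repeated for every DHCP server and with the "account should not expire" requirement checked first. This is an added example, not code from the answer above; the server names and the account name are assumptions.

```powershell
# Added example (not from the answer above): the PowerShell equivalent of the netsh steps,
# run once for every DHCP server. Requires the DhcpServer and ActiveDirectory modules.
# Server names and the account name are constructed placeholders.
Import-Module DhcpServer, ActiveDirectory

$dhcpServers = @('dc01.corp.example', 'dc02.corp.example', 'dc03.corp.example')  # assumed
$svcAccount  = 'svc-dhcp-dns'                                                    # assumed

# Pre-flight: the account must be enabled, not locked out and not set to expire,
# otherwise every DHCP server stops registering records on the day it does.
$acct = Get-ADUser -Identity $svcAccount -Properties Enabled, LockedOut, PasswordNeverExpires, AccountExpirationDate
if (-not $acct.Enabled -or $acct.LockedOut) { throw "$svcAccount is disabled or locked out" }
if (-not $acct.PasswordNeverExpires -or $acct.AccountExpirationDate) {
    Write-Warning "$svcAccount has an expiring password or account; registrations will stop when it expires"
}

# Prompt once and reuse the same credential on every server.
$domain = (Get-ADDomain).NetBIOSName
$cred   = Get-Credential -UserName "$domain\$svcAccount" -Message 'DHCP DNS dynamic update account'

foreach ($srv in $dhcpServers) {
    # Equivalent of: netsh dhcp server <ipaddress> set dnscredentials <username> <domain> <password>
    Set-DhcpServerDnsCredential -ComputerName $srv -Credential $cred

    # Restart the DHCP Server service so the new credential takes effect.
    Invoke-Command -ComputerName $srv -ScriptBlock { Restart-Service -Name DHCPServer }

    # Equivalent of: netsh dhcp server show dnscredentials
    $now = Get-DhcpServerDnsCredential -ComputerName $srv
    [pscustomobject]@{ Server = $srv; RegistersAs = "$($now.DomainName)\$($now.UserName)" }
}
```

Records registered after this point are owned by the service account rather than by the individual DHCP server's computer account, which is what lets any of the servers update them under Secure Only.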
Krzysztof Kubiak, Senior Windows Server Intel Administrator
Author
Commented:
Thank you for the comments. I will start playing with the settings in a test environment first and will see if it all works fine.

Whatever option we choose to go with, I will post here.

Krzysztof Kubiak, Senior Windows Server Intel Administrator
Author
Commented:
Hello Experts

Two more questions regarding the DNS Credentials:
1. What will happen if for some reason the account I use for DNS dynamic updates gets locked? Will the machines still be able to register in DNS if no record is assigned?
2. Do you know if Managed Service Accounts work?
MaheshArchitect
Distinguished Expert 2018
Commented:
If the account gets locked, it will most probably stop registering or updating records; please test, I have not tested it myself.
However, if we enter a wrong password, the account did not work.

Managed service accounts will not work, that's for sure.
btan, Exec Consultant
Distinguished Expert 2018
Commented:
1. Back to the fallback plan, using whatever the client is having.
2. Not that I know of. A password change is not made known to the DDNS.
Krzysztof Kubiak, Senior Windows Server Intel Administrator
Author
Commented:
Thanks. I found out that one of the DHCP Servers used by VPN is a non-domain-joined server, so as part of my investigation I will try to find out if the Checkpoint VPN can use domain accounts to register DNS, or if it can use a Windows DHCP for address leases.

What partly fixed my issue at the moment is that I set Dynamically Update to update DNS whenever a DHCP Client requests it, so at least new records will always be owned by the Computer Object rather than a DHCP Server.

But I am already waiting for my account to be created so I can use DHCP Credentials for the PTR, and then I will switch back to Dynamically Updated records whenever I figure out how to include the Checkpoint DHCP server.

So far, thank you for all your help. It's getting a bit clearer for me how the integration works and where I need to be careful.
