I’m hoping some DNS/DHCP masters will help me understand a bit more how secure dynamic DNS registration works and tell me if my solution is the best approach.
From time to time, when users connect to a different VLAN or VPN, the DHCP server or the client does not create either an A record or a PTR record.
Users use either Windows 7 or Windows 10; we don’t have any older OS.
The DHCP and DNS roles are installed on domain controllers. DHCP is running on three Windows Server 2012 servers, and DNS is running on three Windows Server 2012 servers and one Windows Server 2016 server.
This issue seems to have existed for a long time, as other IT departments were from time to time telling our team that DNS was not working properly. The problem is that by the time they told us, their issue had already been resolved, so we never got the opportunity to understand what the issue really was until recently, when I finally got an incident and my hands on a laptop where the registration really wasn’t working. When I saw that, I started to dig into the issue in more detail.
First I checked whether the problem was with some VPN connection, but together with the Networks team we were quickly able to prove that VPN is not the issue, as two laptops had no issues at all getting an A and PTR record.
I started to look into the configuration of the DHCP scopes and DNS forward lookup zones and discovered the following:
The DHCP server, under the DNS settings, has the following options set:
- Always dynamically update DNS records
- Discard A and PTR records when lease is deleted
- Dynamically update DNS records for DHCP clients that do not request updates
On the DNS forward lookup zone I found out that Dynamic DNS Update is set to Secure Only.
After that I read the following amazing article and started to understand where we probably have the gaps:
So after reading the article I checked and found that some of the DNS records are owned by one of the DHCP servers, and most of them are owned by the DHCP clients themselves. I think that because most of the records are owned by DHCP clients, we don’t have as many issues as we should.
After that I checked the DnsUpdateProxy group and found out that this group is blank and doesn’t contain any computer object. The second thing I checked was the Credentials settings on the DHCP server, and I could see that the Username and Domain are blank, but the password contains some dots.
To be sure that there is no account assigned, I ran the PowerShell command Get-DhcpServerDnsCredential on one of the domain controllers and couldn’t see any username account.
So what I think is happening in our environment is that someone enabled Secure Only updates but didn’t configure it to the end, and whenever the owner of the DNS record is one of the DHCP servers, the other servers don’t have access to change those records.
To fix the issue globally, I think that the only thing I need to do is to create a domain user and set the credentials on each DHCP server, then maybe restart the service.
My questions are:
1. Because no user account shows up when I run Get-DhcpServerDnsCredential, and I don’t see any username in the Credentials option, is that sufficient to say that there is no account set? I just don’t want to end up in a situation where an account was set up years ago when the DC was still Server 2003 and it’s hidden somewhere in an attribute.
2. Because the DHCP and DNS roles are on the DCs, do I still need to add the DHCP servers to DnsUpdateProxy and secure the group?
3. How come I don’t see more problems in my environment? The DHCP servers are set to Always dynamically update DNS records, so I would expect more issues with the DHCP server registering DNS records. I know that on the DHCP client under IPv4 you have the option “Register this connection’s addresses in DNS”; that’s how I understand a lot of the clients end up being the owners of their own DNS records. Does it mean that if the DHCP server fails to update the records, it sends information to the DHCP client saying that it failed to register, and the DHCP client does it itself?
4. And the last question: are the steps of setting up credentials the right way to go?
Any help will be much appreciated; it’s the first time I’m dealing with these properties.
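As an added example (not code from the original post), the checks described above scripted with the DhcpServer, DnsServer and ActiveDirectory PowerShell modules, followed by the proposed fix of setting one dedicated update account on every DHCP server; the server names, zone name and account name are placeholders.

```powershell
# Added example: audit the DHCP/DNS dynamic-update configuration described in the post.
# Assumes the DhcpServer, DnsServer and ActiveDirectory modules are available and the
# session runs with rights to query the DCs. All names below are placeholders.
$DhcpServers = @('DC01', 'DC02', 'DC03')    # placeholder: the DHCP servers (on the DCs)
$DnsServer   = 'DC01'                       # placeholder: an authoritative DNS server
$Zone        = 'corp.example.com'           # placeholder: the forward lookup zone

# 1. Zone update mode: 'Secure' means only authenticated (GSS-TSIG) updates are accepted,
#    so the updater's identity decides who owns, and can later change, each record.
$zoneInfo = Get-DnsServerZone -Name $Zone -ComputerName $DnsServer
"{0,-25} DynamicUpdate = {1}" -f $Zone, $zoneInfo.DynamicUpdate

# 2. Per-server DHCP DNS settings and the credential used for registrations.
#    An empty UserName means the server registers records as its own computer account,
#    which the other DHCP servers cannot update under Secure Only.
foreach ($srv in $DhcpServers) {
    $dns  = Get-DhcpServerv4DnsSetting -ComputerName $srv
    $cred = Get-DhcpServerDnsCredential -ComputerName $srv
    $credUser = if ($cred.UserName) { "$($cred.DomainName)\$($cred.UserName)" } else { '<none>' }
    [pscustomobject]@{
        Server         = $srv
        DynamicUpdates = $dns.DynamicUpdates           # Always / OnClientRequest / Never
        DeleteOnExpiry = $dns.DeleteDnsRROnLeaseExpiry
        UpdateOlder    = $dns.UpdateDnsRRForOlderClients
        CredUser       = $credUser
    }
}

# 3. DnsUpdateProxy membership: an empty group means no DHCP server is a member.
$members = Get-ADGroupMember -Identity 'DnsUpdateProxy'
if (-not $members) { 'DnsUpdateProxy is empty' } else { $members | Select-Object Name, objectClass }

# 4. Proposed fix: one dedicated ordinary domain user set on every DHCP server, so all
#    servers register records under the same owner and can update each other's records.
$updateCred = Get-Credential -Message 'DHCP DNS update account (placeholder: CORP\svc-dhcp-dns)'
foreach ($srv in $DhcpServers) {
    Set-DhcpServerDnsCredential -Credential $updateCred -ComputerName $srv
    Invoke-Command -ComputerName $srv -ScriptBlock { Restart-Service -Name DHCPServer }
}
```

Re-run steps 2 and 3 after the change to confirm every server reports the same CredUser; records already owned by an individual DHCP server's computer account keep their old owner until they are re-registered or removed.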