Dynamic and Secure DHCP DNS Registraiton Question
Hello Team.
I’m hoping some DNS, DHCP masters will help to understand a bit more how Secure dynamic DNS registration works and tell me if my solution is the best approach.
Problem Description
From time to time when users are connecting to different VLAN or VPN, The DHCP Server or the Client is not creating either a A record or PTR record
Environment:
Users would use either Windows 7 or Windows 10. We don’t have any lower OS.
DHCP, DNS roles are installed on Domain Controllers. DHCP is running on 3 Windows Server 2012, and DNS is running on 3 Windows Servers 2012 and 1 Windows Server 2016.
Troubleshooting:
This issue seems to be since a long time as another IT departments from time to time where telling our team that DNS is not working proper. The problem is that when they were telling that their issue got already resolved, so we never got the opportunity to understand what the issue really was until recently where I finally got a incident and hands on a laptop where the Registration really wasn’t working. When I saw that I started to dig into that issue more details.
First I checked if the problem is not with some VPN connection but quickly with Networks team we were able to prove that VPN is not the issue as two laptops where having no issues at all getting a A and PTR record.
I started to look into the Configuration on the DHCP scopes and DNS Forward Lookup zones and discovered following:
The DHCP Server under the DNS setting has following option set:
- Always Dynamically update Discardords
- Discart A and PTR records when leased deleted
- Dynamically update DNS Records for DHCP clients that do not request updates
On the DNS Forward Lokoup Zone I found out that the Dynamic DNS Update is set to Secure Only.
I read after that following amazing article and started to understand where we probably have the gaps:
https://docs.microsoft.com
So after reading the article I checked that some of the DNS records are owned by one of the DHCP Servers, and most of them are owned by the DHCP Clients itself. I think because most of the records I owned by DHCP Clients we don’t have so many issue as we should.
After that I checked the DnsUpdateProxy Group and found out that this group is Blank and doesn’t contain any Computer Object. The second thing which I checked are the Credentials settings on the DHCP server and I could see that the Username and Domain are blank, but the password contains some dots.
To be sure if there is no account assigned I run the powershell command Get-DhcpServerDnsCredentia
So what I thing Is happening in our environment is that someone Enabled Secure Only update but didn’t configured it to the end, and whenever the owner of the DNS record is one of the DHCP server other servers don’t have access to change that records.
To fix the issue Globally I think that the only thing I need to do is to create a Domain User and set the Credentials on each DHCP Server, then maybe restart the service.
My questions are:
1. Because no user account is showing up when I run Get-DhcpServerDnsCredentia
2. Because DHCP, DNS roles are on the DC’s do I still need to add the DHCP Servers to the DnsUpdateProxy and secure the group?
3. How come I don’t see more problems in my Environment. The DHCP servers are set to Always Dynamically update DNS records so I would expect more issues where the DHCP can register a DNS. I know that on the DHCP Client under IPv4 you have the option “Register the connections address on DNS”, that’s how I understand a lot of the DNS records end up to be Owners of their own records. Does it mean that if the DHCP Servers fails to update the records it’s sending a information to the DHCP Client saying that he failed to register and the DHCP client is doing it itself.
4. And last question are the steps with setting up Credentials the right way to go.
Any help will be much appreciated it’s the first time I’m dealing with that Properties.
I’m hoping some DNS, DHCP masters will help to understand a bit more how Secure dynamic DNS registration works and tell me if my solution is the best approach.
Problem Description
From time to time when users are connecting to different VLAN or VPN, The DHCP Server or the Client is not creating either a A record or PTR record
Environment:
Users would use either Windows 7 or Windows 10. We don’t have any lower OS.
DHCP, DNS roles are installed on Domain Controllers. DHCP is running on 3 Windows Server 2012, and DNS is running on 3 Windows Servers 2012 and 1 Windows Server 2016.
Troubleshooting:
This issue seems to be since a long time as another IT departments from time to time where telling our team that DNS is not working proper. The problem is that when they were telling that their issue got already resolved, so we never got the opportunity to understand what the issue really was until recently where I finally got a incident and hands on a laptop where the Registration really wasn’t working. When I saw that I started to dig into that issue more details.
First I checked if the problem is not with some VPN connection but quickly with Networks team we were able to prove that VPN is not the issue as two laptops where having no issues at all getting a A and PTR record.
I started to look into the Configuration on the DHCP scopes and DNS Forward Lookup zones and discovered following:
The DHCP Server under the DNS setting has following option set:
- Always Dynamically update Discardords
- Discart A and PTR records when leased deleted
- Dynamically update DNS Records for DHCP clients that do not request updates
On the DNS Forward Lokoup Zone I found out that the Dynamic DNS Update is set to Secure Only.
I read after that following amazing article and started to understand where we probably have the gaps:
https://docs.microsoft.com
So after reading the article I checked that some of the DNS records are owned by one of the DHCP Servers, and most of them are owned by the DHCP Clients itself. I think because most of the records I owned by DHCP Clients we don’t have so many issue as we should.
After that I checked the DnsUpdateProxy Group and found out that this group is Blank and doesn’t contain any Computer Object. The second thing which I checked are the Credentials settings on the DHCP server and I could see that the Username and Domain are blank, but the password contains some dots.
To be sure if there is no account assigned I run the powershell command Get-DhcpServerDnsCredentia
So what I thing Is happening in our environment is that someone Enabled Secure Only update but didn’t configured it to the end, and whenever the owner of the DNS record is one of the DHCP server other servers don’t have access to change that records.
To fix the issue Globally I think that the only thing I need to do is to create a Domain User and set the Credentials on each DHCP Server, then maybe restart the service.
My questions are:
1. Because no user account is showing up when I run Get-DhcpServerDnsCredentia
2. Because DHCP, DNS roles are on the DC’s do I still need to add the DHCP Servers to the DnsUpdateProxy and secure the group?
3. How come I don’t see more problems in my Environment. The DHCP servers are set to Always Dynamically update DNS records so I would expect more issues where the DHCP can register a DNS. I know that on the DHCP Client under IPv4 you have the option “Register the connections address on DNS”, that’s how I understand a lot of the DNS records end up to be Owners of their own records. Does it mean that if the DHCP Servers fails to update the records it’s sending a information to the DHCP Client saying that he failed to register and the DHCP client is doing it itself.
4. And last question are the steps with setting up Credentials the right way to go.
Any help will be much appreciated it’s the first time I’m dealing with that Properties.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hello Experts
Two Questions regarding the DNS Credentials more:
1. What will happen if for some reason the account i use for DNS Dynamic update will get locked.
Will the machines still be able to register in DNS if no record is assigned?
2. Do you know if Manage Service Accounts work?
Two Questions regarding the DNS Credentials more:
1. What will happen if for some reason the account i use for DNS Dynamic update will get locked.
Will the machines still be able to register in DNS if no record is assigned?
2. Do you know if Manage Service Accounts work?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks. Found out that one of the DHCP Servers used by VPN is a non domain joined server so as part of my investigation I will try to find out if the checkpoint VPN can use a domain accounts to register DNS or it can use a Windows DHCP for address leases.
What partly fixed my issue at the moment is that I set Dynamically Update to Updated DNS whenever a DHCP Client request that so at least new records will be always owned by th Computer Object rather then a DHCP Server.
But I already waiting for my account to be creaser so I can use DHCP Credentials for the PTR and then I will switch back to Dynamically Updated records whenever I figure out how to include the Checkpoint DHCP server.
So far thank you for all your help. It's getting Abit more clear for me how the Integration work and where I need to be careful.
What partly fixed my issue at the moment is that I set Dynamically Update to Updated DNS whenever a DHCP Client request that so at least new records will be always owned by th Computer Object rather then a DHCP Server.
But I already waiting for my account to be creaser so I can use DHCP Credentials for the PTR and then I will switch back to Dynamically Updated records whenever I figure out how to include the Checkpoint DHCP server.
So far thank you for all your help. It's getting Abit more clear for me how the Integration work and where I need to be careful.
ASKER
Whatever option we choose to go I will post here.