jskfan asked:

DNS and DHCP Interaction

Recently we had to replace old computers with new ones, but we kept the same hostname; the new computers get a different IP address than the old ones from DHCP.

Example :

Old ComputerA replaced and named the same, ComputerA
Old ComputerA IP address: 10.10.10.10
New ComputerA IP address: 20.20.20.20

What I have noticed after replacement:
If I log in locally to the new ComputerA and run ipconfig, I see 20.20.20.20, which is correct.
If I remotely ping ComputerA by hostname, I get 10.10.10.10 with Destination Host Unreachable. [You can see it looks for the old IP address.]
If I remotely ping with reverse lookup (ping -a 20.20.20.20), it replies properly and shows ComputerA with IP 20.20.20.20.


So the problem seems to be that the DNS A record does not get updated quickly. I said quickly because after some time, if I go and ping by hostname, i.e. ping ComputerA, I get a proper reply with 20.20.20.20.

My question is, I do not understand why the reverse ping [ping -a <IP address>] replies quickly while ping by hostname did not reply until a later time.

Any clarification will be very much appreciated.

Thank you
masnrock:

Can we assume that you have a Windows server handling both DHCP and DNS?

What are the settings on your DNS server? Such as having scavenging turned on or the amount of time that DNS records are valid for. You could lower the TTL for DNS to a lower threshold. Scavenging should be turned on to get rid of stale records. However, remember that DNS is not inherently instantaneous. It takes time for actions to occur that would give proper cause to update records.

"My question is, I do not understand why the reverse ping [ping -a <IP address>] replies quickly while ping by hostname did not reply until a later time."
Because it's new. Updates of old records do take a bit of time. If you want to get through it all faster, you can also delete the DNS records when you're replacing the machines.
noci:

It can also be multicast DNS (mDNS); you need to change the name of the old computerA to computerAA, for example.
(mDNS uses port 5353 instead of port 53.)
Shaba:

Hello,
The first part is to check if the DNS zone is configured for "Secure Updates" specific to dynamic updates. If that's true, then I suspect the below is your issue.

DNS records for DHCP clients can be updated using two different methods.

1) Make the client responsible for updating the dynamic DNS records.
This option is commonly used, however it needs the below considerations.
* Client is responsible for creating/updating the DNS record
* Client computer object will have the rights to update the respective DNS record
* In the scenario of replacing a computer (new hardware, swapping) with the same name, the AD object is deleted and the new machine with the same computer name is added back to the domain, which will break the permission of the DNS record created by the old computer.

I suspect this as a potential issue in your scenario, but you need to validate if you did the same sequence as I mentioned.

2) Instead of the client being responsible for updating the DNS records, make DHCP responsible for updating the records.
* DHCP will be responsible for creating/updating the DNS record as and when a new IP is assigned to clients
* DNS record will be created by a service account configured in the DHCP Server configuration

If this were your configuration, this issue would never happen for you, because the DNS records are created by the service account, which in fact holds the update rights on the DNS record. So if you change the physical hardware of a client computer and re-use the same name, DHCP will still update the new IP address, as the DHCP service account still has the permission to update the record. In short, this approach decouples the individual computer AD object permission from the DNS record.

If your scenario is exactly as I described, either one of the below should happen for the new DNS record to get created with the correct IP address.

* Existing DNS records will get cleared off if scavenging is configured
OR
* Existing DNS records need an additional delegated right for the service account if you plan to set up a service account on the DHCP Server
OR
* An administrator needs to delete the DNS record

These are from my memory, based on an issue which I worked on in relation to Citrix VDIs 3 years back.
Refer to the TechNet wiki below to be doubly sure.

https://social.technet.microsoft.com/wiki/contents/articles/51810.windows-server-integration-between-dns-and-dhcp.aspx

Cheers !
Shaba
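An added diagnostic script, not part of this thread or of any Microsoft documentation, that checks one host for the symptom in the question (stale A record beside a correct PTR) and the three things Shaba's answer turns on: who owns the record, whether DHCP or the client registers it, and whether scavenging is on. It assumes the RSAT DnsServer, DhcpServer and ActiveDirectory modules, and every host, zone and server name in it is a placeholder.

```powershell
# Added example, not from this thread: inspects one host for the stale-A-record
# symptom and the settings Shaba lists. Assumes the DnsServer, DhcpServer and
# ActiveDirectory RSAT modules; all names below are placeholders.
param(
    [string]$HostName   = 'ComputerA',          # assumed host (as in the question)
    [string]$Zone       = 'corp.example',       # assumed AD-integrated forward zone
    [string]$DnsServer  = 'dns1.corp.example',  # assumed DNS server
    [string]$DhcpServer = 'dhcp1.corp.example', # assumed DHCP server
    [switch]$DeleteStaleA                       # Shaba's option 3: an admin deletes the record
)
Import-Module DnsServer, DhcpServer, ActiveDirectory -ErrorAction Stop

# 1) Forward vs reverse view: an A record whose IP does not reverse-resolve to
#    this host is the mismatch the question describes (ping by name vs ping -a).
$aRecords = @(Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone `
              -Name $HostName -RRType A -ErrorAction SilentlyContinue)
foreach ($rec in $aRecords) {
    $ip    = $rec.RecordData.IPv4Address.IPAddressToString
    $ptr   = (Resolve-DnsName -Name $ip -Type PTR -Server $DnsServer -ErrorAction SilentlyContinue).NameHost
    $stale = -not ($ptr -like "$HostName.*")
    [pscustomobject]@{ Host = $HostName; ARecordIP = $ip; PtrName = $ptr
                       Timestamp = $rec.Timestamp   # $null means a static record: scavenging never removes it
                       Stale = $stale } | Format-List
    if ($stale -and $DeleteStaleA) {
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone `
            -RRType A -Name $HostName -RecordData $ip -Force
    }
}

# 2) Who owns the record? In an AD-integrated zone it is a dnsNode object; an owner
#    equal to the OLD computer object explains why the rebuilt host cannot update it
#    (Shaba's point 1). Assumes the zone replicates to DomainDnsZones; adjust if not.
$domainDn = (Get-ADDomain).DistinguishedName
$nodeDn   = "DC=$HostName,DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
$acl = Get-Acl -Path "AD:\$nodeDn" -ErrorAction SilentlyContinue
"Record owner : $($acl.Owner)"
$acl.Access | Where-Object { $_.ActiveDirectoryRights -match 'Write|GenericAll' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType | Format-Table -AutoSize

# 3) Server-side settings that decide who registers records and when stale ones go away.
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer |
    Select-Object DynamicUpdates, NameProtection, DeleteDnsRRonLeaseExpiry   # Shaba's option 2
Get-DhcpServerDnsCredential -ComputerName $DhcpServer                        # service account, if one is set
Get-DnsServerZoneAging -ComputerName $DnsServer -Name $Zone |
    Select-Object AgingEnabled, NoRefreshInterval, RefreshInterval           # scavenging window
```

Run it without -DeleteStaleA first; only pass the switch once the ownership and PTR output confirm the A record really belongs to the replaced machine.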
jskfan (asker):

What I do not understand is why the issue was just with the A record and not the PTR record.
noci (asker certified solution):

jskfan (asker):

Thank you, guys.
Will come back to this topic another time.