jskfan
DNS and DHCP Interaction
Recently we had to replace old computers with new ones, but we kept the same hostname; the new computers get a different IP address than the old ones from DHCP.
Example:
Old ComputerA replaced and named the same, ComputerA
Old ComputerA IP address: 10.10.10.10
New ComputerA IP address: 20.20.20.20
What I have noticed after the replacement:
If I log in locally to the new ComputerA and run ipconfig, I see 20.20.20.20, which is correct.
If I remotely ping ComputerA by hostname, I get 10.10.10.10 with Destination Host Unreachable. [You can see it looks for the old IP address.]
If I remotely ping with reverse lookup (ping -a 20.20.20.20), it replies properly and shows ComputerA with IP 20.20.20.20.
So the problem seems to be that the DNS A record does not get updated quickly. I say quickly because after some time, if I go and ping by hostname, i.e. ping ComputerA, I get a proper reply with 20.20.20.20.
My question is: I do not understand why the reverse ping [ping -a <IP address>] replies quickly while ping by hostname did not reply until later....
Any clarification will be very much appreciated.
Thank you
It can also be multicast DNS (mDNS); you need to change the name of the old ComputerA to ComputerAA, for example.
(mDNS uses port 5353 instead of port 53.)
Hello,
The first part is to check if the DNS zone is configured for "Secure Updates" for dynamic updates. If that's true, then I suspect the below is your issue.
DNS records for DHCP clients can be updated using two different methods.
1) Make the client responsible for updating its own dynamic DNS records.
This option is commonly used; however, it needs the considerations below.
* The client is responsible for creating/updating the DNS record.
* The client computer object will have the rights to update the respective DNS record.
* In the scenario of replacing a computer (new hardware, swapping) with the same name, the AD object is deleted and the new machine with the same computer name is added back to the domain, which will break the permission on the DNS record created by the old computer.
I suspect this as a potential issue in your scenario, but you need to validate whether you did the same sequence as I mentioned.
2) Instead of the client being responsible for updating the DNS records, make DHCP responsible for updating the records.
* DHCP will be responsible for creating/updating the DNS record as and when a new IP is assigned to clients.
* The DNS record will be created by a service account configured in the DHCP server configuration.
If this was your configuration, this issue would never happen for you, because the DNS records are created by the service account, which in fact is delegated the update rights on the DNS record. So if you change the physical hardware of a client computer and re-use the same IP address, DHCP will still update the new IP address, as the DHCP service account still has the permission to update the record. In short, this approach decouples the individual computer AD object's permission from the DNS record.
If your scenario is exactly as I described, one of the below should happen for the new DNS record to get created with the correct IP address.
* Existing DNS records will get cleared off if scavenging is configured
OR
* Existing DNS records need an additional delegated right for the service account if you plan to set up a service account on the DHCP server
OR
* An administrator needs to delete the DNS record
These are from my memory, based on an issue I worked on in relation to Citrix VDIs 3 years back.
Refer to the TechNet wiki below to be doubly sure.
https://social.technet.microsoft.com/wiki/contents/articles/51810.windows-server-integration-between-dns-and-dhcp.aspx
Cheers!
Shaba
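The ownership problem Shaba describes can be checked directly on the servers. The following PowerShell is an added example for this thread; it is not Shaba's, the asker's, or the TechNet article's code. It assumes placeholder names (zone contoso.com, host ComputerA, DNS server DC01, DHCP server DHCP01) and an AD-integrated zone; it needs the DnsServer, DhcpServer and ActiveDirectory RSAT modules and an account allowed to read those settings. It reads the zone's dynamic-update mode, the stale A record and the ACL of its dnsNode object, the SID of the recreated computer account, and the DHCP server's own dynamic-update method and credential, which together show whether the scenario in the answer applies. It also explains the asker's follow-up about the PTR record: under secure dynamic updates the existing A record ComputerA is owned by the old computer account, so the new account (same name, new SID) is refused when it tries to overwrite it, while the PTR record for 20.20.20.20 had no existing owner and could simply be created.

```powershell
# Added example, not from the thread. All names below are placeholders; adjust them.
Import-Module DnsServer, DhcpServer, ActiveDirectory

$Zone       = 'contoso.com'
$HostName   = 'ComputerA'
$DnsServer  = 'DC01'
$DhcpServer = 'DHCP01'

# 1. Dynamic-update mode of the zone. With 'Secure', only the principal that owns a
#    record (or has write rights on it) may replace it, which is what breaks after
#    the computer object has been deleted and recreated.
$zoneInfo = Get-DnsServerZone -ComputerName $DnsServer -Name $Zone
"Zone {0}: DynamicUpdate = {1}; ReplicationScope = {2}" -f $Zone, $zoneInfo.DynamicUpdate, $zoneInfo.ReplicationScope

# 2. Current A record and the owner of its dnsNode object in AD.
$aRecord = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -Name $HostName -RRType A -ErrorAction SilentlyContinue
if ($aRecord) {
    "A record: {0} -> {1} (timestamp {2})" -f $HostName, $aRecord.RecordData.IPv4Address, $aRecord.Timestamp

    # Locate the partition the zone lives in; custom partitions need a manual DN.
    $domainDn = (Get-ADDomain).DistinguishedName
    $forestDn = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName
    $partition = switch ($zoneInfo.ReplicationScope) {
        'Domain' { "DC=DomainDnsZones,$domainDn" }
        'Forest' { "DC=ForestDnsZones,$forestDn" }
        'Legacy' { "CN=System,$domainDn" }
        default  { "DC=DomainDnsZones,$domainDn" }   # assumption for custom scopes
    }
    $nodeDn = "DC=$HostName,DC=$Zone,CN=MicrosoftDNS,$partition"
    $acl    = Get-Acl -Path "AD:\$nodeDn"
    "Record owner: {0}" -f $acl.Owner
    # Principals that may rewrite the record. The old ComputerA$ entry (by SID) is
    # the one a freshly joined machine with the same name does not match.
    $acl.Access |
        Where-Object { $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteProperty' } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
        Format-Table -AutoSize
} else {
    "No A record for $HostName in $Zone on $DnsServer"
}

# 3. The recreated computer object: same name, different SID from the one in the ACL.
$computer = Get-ADComputer -Identity $HostName -Properties whenCreated
"Computer object {0}: SID {1}, created {2}" -f $computer.Name, $computer.SID, $computer.whenCreated

# 4. Is DHCP (method 2 in the answer) doing the registrations, and with what account?
$dhcpDns = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer
"DHCP DynamicUpdates = {0}; NameProtection = {1}; DeleteDnsRRonLeaseExpiry = {2}" -f $dhcpDns.DynamicUpdates, $dhcpDns.NameProtection, $dhcpDns.DeleteDnsRRonLeaseExpiry
$cred = Get-DhcpServerDnsCredential -ComputerName $DhcpServer
if ($cred.UserName) { "DHCP registers records as {0}\{1}" -f $cred.DomainName, $cred.UserName }
else                { "DHCP has no DNS update credential configured (records owned per client)" }

# Third option from the answer, left commented: an administrator removes the stale
# record so the new machine's next registration creates a fresh one it owns.
# Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -Name $HostName -RRType A -Force
```

Run it from an administrative workstation against the servers named in the variables; the interesting lines to compare are the record owner (step 2) and the computer object's SID (step 3). If the owner is the old machine's account and DHCP has no credential configured, the new machine's secure update is rejected until scavenging, a delegated right, or a manual deletion clears the way, exactly the three outcomes Shaba lists.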
ASKER
What I do not understand is why the issue was just with the A record and not the PTR record.
ASKER
Thank you guys
Will come back to this topic another time
What are the settings on your DNS server, such as having scavenging turned on or the amount of time that DNS records are valid for? You could lower the DNS TTL to a lower threshold. Scavenging should be turned on to get rid of stale records. However, remember that DNS is not inherently instantaneous. It takes time for actions to occur that would give proper cause to update records.
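The scavenging and TTL settings mentioned in the answer above decide how long a stale A record can survive on its own. The PowerShell below is an added example for this thread (not the answerer's or the project's code), using the same placeholder names as before (zone contoso.com, host ComputerA, DNS server DC01) and the new address 20.20.20.20 from the question. It reads the server-wide scavenging state, the zone's aging windows and the record's timestamp and TTL, computes when the record becomes eligible for scavenging, and then asks the server directly for the forward and reverse answers so the asymmetry the asker saw can be reproduced on demand. It requires the DnsServer and DnsClient modules.

```powershell
# Added example, not from the thread. Placeholder names; change them for your environment.
Import-Module DnsServer, DnsClient

$Zone      = 'contoso.com'
$HostName  = 'ComputerA'
$DnsServer = 'DC01'
$NewIp     = '20.20.20.20'   # address the new machine got from DHCP (from the question)

# Server-wide scavenging. Aging on the zone alone removes nothing; the server must
# have scavenging enabled and actually run its periodic pass.
$srv = Get-DnsServerScavenging -ComputerName $DnsServer
"Server scavenging: {0}; runs every {1}; last run {2}" -f $srv.ScavengingState, $srv.ScavengingInterval, $srv.LastScavengeTime

# Zone-level aging: the no-refresh and refresh windows define when a dynamic record is stale.
$aging = Get-DnsServerZoneAging -ComputerName $DnsServer -Name $Zone
"Zone aging: {0}; NoRefresh {1}; Refresh {2}" -f $aging.AgingEnabled, $aging.NoRefreshInterval, $aging.RefreshInterval

$rec = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -Name $HostName -RRType A -ErrorAction SilentlyContinue
if ($rec) {
    # The TTL governs how long resolvers and clients cache the answer; it does not
    # make the zone itself forget the record.
    "A record {0} -> {1}, TTL {2}" -f $HostName, $rec.RecordData.IPv4Address, $rec.TimeToLive

    if ($rec.Timestamp) {
        # A dynamic record carries a timestamp. It can be scavenged once
        # timestamp + NoRefresh + Refresh lies in the past and the next pass runs.
        $staleAt = $rec.Timestamp + $aging.NoRefreshInterval + $aging.RefreshInterval
        "Timestamp {0}; scavengeable after {1}" -f $rec.Timestamp, $staleAt
        if ((Get-Date) -gt $staleAt) {
            "Already eligible: the next scavenging pass (interval {0}) will remove it." -f $srv.ScavengingInterval
        }
    } else {
        "No timestamp: this is a static record. Scavenging never touches it; it has to be deleted by hand."
    }
} else {
    "No A record for $HostName in $Zone on $DnsServer"
}

# Ask the server directly in both directions after clearing the local resolver cache,
# so a cached 10.10.10.10 on this workstation cannot mask what the zone currently holds.
Clear-DnsClientCache
Resolve-DnsName -Name "$HostName.$Zone" -Type A   -Server $DnsServer -DnsOnly | Select-Object Name, Type, TTL, IPAddress
Resolve-DnsName -Name $NewIp             -Type PTR -Server $DnsServer -DnsOnly | Select-Object Name, Type, TTL, NameHost
```

If the forward query still returns the old address while the PTR query for the new address already names ComputerA, the zone has two records that disagree; the computed eligibility time tells you whether waiting for scavenging is realistic or whether the stale A record should be removed by an administrator, as the next answer suggests.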
Because it's new. Updates of old records do take a bit of time. If you want to get through it all faster, you can also delete the DNS records when you're replacing the machines...