Need Help: DHCP DNS Registration Increase Time

    Question

  • Hi,
    
    we have the following scenario:
    
    2 DCs in the same site
    Both DCs are DHCP servers
    Both DCs are in the DnsUpdateProxy group
    On both DHCP servers we use credential delegation for dynamic update registration on the IPv4 tab.
    The account (sa-dhcp) is only a domain member
    Option 81 on the IPv4 node and on the scope itself is configured with DWORD value 23
    We have set OpenAclOnProxyUpdates to 0 on both DHCP servers
    On the DNS zone domain.local we have at the moment no scavenging enabled. The zone allows only secure updates
    We want the DHCP servers to make all the dynamic updates on the DNS zone for the clients and for non-Windows devices like printers etc.
    
    We have the problem that the DHCP leases appear immediately, but the dynamic DNS records are written very delayed on the DNS server. Is there a parameter to decrease the time in which the DHCP server updates or creates the dynamic DNS records?
    
    Thanks for any help.
    
    Regards Steven
    

    Thursday, November 14, 2013 7:49 AM

All replies

  • Hi,

    It seems the DNS refresh interval time value is too long; please adjust the default interval renew time and monitor again.

    The related KB:

    Adjust the refresh interval for a zone

    http://technet.microsoft.com/en-us/library/cc755646(v=ws.10).aspx

    Hope this helps.


    Monday, November 18, 2013 3:30 AM
  • Option 081 is not an option in the scope or server, rather it's the whole DNS tab under DHCP properties.

    Did you set that part to force updates for all devices whether they ask for DHCP to dynamically register or not to do it?

    Assuming that you have two DHCP servers with an 80/20 redundant solution, this would have to be set on both DHCP servers.

    Assuming 2008 or 2008 R2:

    -

    If Windows 2003:


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.

    Monday, November 18, 2013 6:03 PM
  • Hi Ace Fekay,

    thanks for your reply. I read your best practices guide on your blog and we configured all settings like your guidance. With option 81 and the DWORD value I mean the output of the netsh dhcp command. DWORD value 23 means exactly what your screenshot above or your post shows (DHCP scope set to force updates for all devices whether they ask DHCP to dynamically register or not). We have this configuration well in place on other domains. But on this domain (single-domain forest) with 2 DHCP servers in a 70/30 split-scope configuration, things are strange. First of all we found that the DNS records are created very delayed on the DNS server. The DNS records have the right owner on the security tab (equal to the DHCP credentials tab). But the checkbox for updating the PTR record is not checked. At the moment I am out of ideas what we can do or how we can monitor these things. I have enabled auditing on the forest-wide DNS AD zone to view the changes. But all that the logs show are normal entries.
    
    What can we do to force quicker updates of the DNS records for the dynamic DHCP entries? How can we change the scope so that the PTR record checkbox is also checked?
    
    Thanks for your answer
    
    Regards Steven.

    Monday, November 18, 2013 7:11 PM
  • How long of a delay are you talking about? Are you viewing the DNS console at the DNS server that's first in the list, or from some other DNS that's perhaps at a different AD site? If at a different DNS, there's always a time delay before you see it replicated.

    Note: The default DS (Active Directory) replication polling interval for just the DNS data is different than for other domain objects. It takes up to 3 minutes when it looks for changes in zone data for AD integrated zones in AD, and if there are changes, then it will take two intervals, 6 minutes for a DC that previously hosted the zone within another Naming Context (NC) to start reloading it from its new location (NC). This can be forced for an immediate polling by running dnscmd /zoneupdatefromds.

    -

    Are there any performance issues on the DNS server that's listed as the first entry in Option 006?

    -

    The PTR checkbox on a host record in DNS is unchecked by default, which DHCP will handle anyway with your current settings. This was actually discussed a few weeks ago in the following discussion:

    Update PTR record is not checked in DNS for DHCP client?


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.

    Monday, November 18, 2013 11:21 PM
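An added example, not from the thread, that turns Ace's first question ("how long of a delay?") into a measurement taken on the DHCP server itself rather than by watching the DNS console: it parses the DHCP audit log (the DhcpSrvLog-*.log CSV layout) and pairs each lease event with the server's own DNS-update result event, so a 20-40 minute gap or an outright failure shows up per host. The log lines are constructed, and the 300-second "slow" threshold is an assumption.

```python
# Added example (not from the thread): pair DHCP audit-log lease events with the
# DHCP server's own DNS-update events to measure how long DHCP-driven registration takes.
# Assumes the DhcpSrvLog CSV layout (ID,Date,Time,Description,IP Address,Host Name,MAC)
# and the audit IDs 10/11 (new lease/renew), 31 (DNS update failed), 32 (DNS update OK).
import csv
from datetime import datetime
from io import StringIO

LEASE_IDS = {"10", "11"}
DNS_OK, DNS_FAIL = "32", "31"

# Constructed sample log lines, not real customer data.
SAMPLE_LOG = """\
10,11/19/13,08:00:05,Assign,10.1.2.50,pc01.domain.local,001122334455,
32,11/19/13,08:00:07,DNS Update Successful,10.1.2.50,pc01.domain.local,,
11,11/19/13,08:00:09,Renew,10.1.2.51,printer7.domain.local,0011223344AA,
10,11/19/13,08:05:00,Assign,10.1.2.52,pc02.domain.local,001122334466,
31,11/19/13,08:27:41,DNS Update Failed,10.1.2.51,printer7.domain.local,,
32,11/19/13,08:31:12,DNS Update Successful,10.1.2.52,pc02.domain.local,,
"""

def parse_audit_log(text):
    """Yield (id, timestamp, ip, host) from DhcpSrvLog rows; skips the header/legend block."""
    for row in csv.reader(StringIO(text)):
        if len(row) < 6 or not row[0].isdigit():
            continue
        ts = datetime.strptime(f"{row[1]} {row[2]}", "%m/%d/%y %H:%M:%S")
        yield row[0], ts, row[4], row[5].lower()

def registration_delays(text, slow_after=300):
    """Return {host: {'delay': seconds or None, 'status': 'ok'|'slow'|'failed'|'pending'}}.

    A lease with no DNS-update event yet stays 'pending'; a delay above
    slow_after seconds (assumed threshold) is flagged 'slow'."""
    leases, result = {}, {}
    for ev_id, ts, ip, host in parse_audit_log(text):
        key = (ip, host)
        if ev_id in LEASE_IDS:
            leases[key] = ts
            result[host] = {"delay": None, "status": "pending"}
        elif ev_id in (DNS_OK, DNS_FAIL) and key in leases:
            delay = (ts - leases[key]).total_seconds()
            if ev_id == DNS_FAIL:
                status = "failed"
            else:
                status = "slow" if delay > slow_after else "ok"
            result[host] = {"delay": delay, "status": status}
    return result

if __name__ == "__main__":
    for host, r in registration_delays(SAMPLE_LOG).items():
        print(f"{host:25} {r['status']:8} {r['delay']}")
```

Run it against the live log directory on each DHCP server (both, since the 70/30 split means either may hold the lease); hosts that stay "pending" or come back "failed" point at the dynamic-update path, while "slow" ones point at DNS-side latency.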
  • Hi,

    The delay is from 20 min to 40 min. At this customer we have only 2 DCs in the same site. The DNS console was always bound to one of our DCs. The DNS zones are in the forest partition, not in the domain partition, but I think the interval is the same in a single-domain forest.
    
    Performance issues? I changed option 006 for testing to the second DC in the site. Is there a specific Perfmon counter to check whether the DNS server is under heavy load?

    Regards Steven

    Tuesday, November 19, 2013 7:40 AM
  • Hmm... 20 - 40 minutes before it shows up in the console, and they're in the same site?

    Are the DCs 2008 or 2008 R2? If yes, you can run the DNS BPA.

    Best Practices Analyzer for Domain Name System
    Jan 5, 2009 ... Topics in this section can help you bring DNS running on Windows Server® 2008 or Windows Server® 2008 R2 into compliance with best practices ...
    http://technet.microsoft.com/en-us/library/dd391963(WS.10).aspx

    -

    Here is a list of DNS perf counters you can watch. Look for the Dynamic update and Secure dynamic update counters, for measuring registration and update activity generated by dynamic clients, and some of the others such as memory, etc.

    Monitoring DNS server performance
    http://technet.microsoft.com/en-us/library/cc778608(v=WS.10).aspx

    -

    No event log errors on any of them? 


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.

    Tuesday, November 19, 2013 6:10 PM
  • Hi Ace,

    yes, 20...40 min is strange... I will run the BPA and show the perfmon counters on both DCs. I think I must open my search wider. The customer has a very restrictive network compartment that restricts all network access with firewalls. Maybe this can be the problem, but to prove that the network firewalls are in this game is very difficult. The DCs have both roles, DNS and DHCP, and I think no network traffic is on the wire when the DHCP creates a dynamic DNS record job. But maybe.
    
    If you have any ideas that I can test, please feel free to write them. :-)

    Regards Steven

    Wednesday, November 20, 2013 7:45 AM
  • Firewalls will cause problems. You can run PortQRY to determine if any necessary ports are blocked, including the ephemeral response ports.

    Run PortQry GUI choosing the "Domains & Trusts" option between each other (DCs). Run the test from a DC to a DC from both sides to each other, or you can also run it from a client to a DC. Post only errors with "NOTLISTENING," 0x00000001, and 0x00000002. You can ignore UDP 389 and UDP 88 messages. If you see TCP 42 errors, that just means WINS is not running on the target server.
    PortQryUI - GUI - Version 2.0 8/2/2004
    http://www.microsoft.com/download/en/details.aspx?id=24009


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.

    Friday, November 22, 2013 6:56 PM