DHCP Not Updating DNS Records

    Question

  • We are having a problem where DHCP is not updating DNS entries for Windows 7 clients that have been moved to a new subnet, unless we manually remove the existing DNS entry first. Once we have removed the existing entry and rebooted the client, the new address gets registered. We have AD-integrated DNS running on 2008 R2 servers, and our DHCP servers are a mix of 2003 and 2008 R2 DCs. Both our DNS and DHCP settings are correct to allow dynamic updates, all of the DHCP servers are members of the DNSUpdateProxy group, and we have a specific account configured for DNS registrations. IPv6 is disabled on the client NICs, and a group policy setting prevents the clients from doing their own DNS registrations. Any help would be appreciated.

    Thanks,

    Michelle


    Michelle Garrah

    Tuesday, October 08, 2013 12:53 PM

Answers

  • I posted this issue on the NIS forum and thanks to Brian Busse (Brian / ChevyNovaLN) have discovered the problem. The security on the A records for the affected PCs was different from our other A records. (I had already checked the zone security but not the specific A record security) The account used by DHCP to register DNS was not listed. Once I added the account to the specific record everything worked fine. There must be something about the Windows imaging process that sets the permissions differently.

    Michelle Garrah

    Wednesday, October 16, 2013 8:14 PM
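The accepted answer found that the fix was a missing ACE on the individual dnsNode object, not on the zone. The following PowerShell is an added example (not code from the thread or from Microsoft) that checks every A record in an AD-integrated zone for an Allow entry for the DHCP DNS-registration credential and can then grant that account Full Control on one record, which is what the poster did by hand. It assumes the RSAT ActiveDirectory module, a zone stored in the DomainDnsZones partition, and placeholder values for the zone name, the credential account and the partition DN; replace those with your own.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module and a
# zone stored in the DomainDnsZones partition; adjust $Partition for ForestDnsZones or
# the domain NC. All names below are placeholders for the poster's environment.
Import-Module ActiveDirectory

$ZoneName               = 'corp.example.com'                            # assumed zone
$DnsRegistrationAccount = 'CORP\svc-dhcp-dnsreg'                         # assumed DHCP DNS credential
$Partition              = 'DC=DomainDnsZones,DC=corp,DC=example,DC=com'  # assumed partition

# AD-integrated records are dnsNode objects: DC=<host>,DC=<zone>,CN=MicrosoftDNS,<partition>
$ZoneDn = "DC=$ZoneName,CN=MicrosoftDNS,$Partition"

function Test-DnsNodeAcl {
    param([Parameter(Mandatory = $true)][string]$Name)
    $acl = Get-Acl -Path "AD:\DC=$Name,$ZoneDn"
    # An explicit Allow ACE for the credential account that includes WriteProperty is
    # what lets the DHCP server overwrite the A record when the client renews.
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $DnsRegistrationAccount -and
        $_.AccessControlType -eq 'Allow' -and
        ([int]($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)) -ne 0
    }
    [pscustomobject]@{
        Record         = $Name
        Owner          = $acl.Owner
        HasDhcpAccount = [bool]$ace
    }
}

# Grant the credential account Full Control on one record: the repair the accepted
# answer applied by hand. Run as a DNS Admin / Domain Admin.
function Grant-DnsNodeToDhcpAccount {
    param([Parameter(Mandatory = $true)][string]$Name)
    $path = "AD:\DC=$Name,$ZoneDn"
    $acl  = Get-Acl -Path $path
    $nt   = New-Object System.Security.Principal.NTAccount($DnsRegistrationAccount)
    $sid  = $nt.Translate([System.Security.Principal.SecurityIdentifier])
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Compare every record in the zone with the known-good ones: records where the
# credential account is missing are the suspects (the re-imaged machines in the thread).
$suspects = Get-ADObject -SearchBase $ZoneDn -SearchScope OneLevel -LDAPFilter '(objectClass=dnsNode)' |
    Where-Object { $_.Name -ne '@' } |
    ForEach-Object { Test-DnsNodeAcl -Name $_.Name } |
    Where-Object { -not $_.HasDhcpAccount }

$suspects | Format-Table -AutoSize

# To repair a single record found above (placeholder host name):
# Grant-DnsNodeToDhcpAccount -Name 'WS-1234'
```

Two practical notes. The credential account configured on the DHCP server's DNS tab should be an ordinary domain user, not a member of DnsAdmins or Domain Admins; it only needs rights on the records it registers, so granting it per-record Full Control as above keeps the blast radius to the zone's records. And if a record's owner turns out to be the workstation's computer account rather than the DHCP credential, the DHCP server (even as a DNSUpdateProxy member) will not be able to modify it under secure-only updates unless it also holds an ACE on that object, which is exactly the symptom the thread describes.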

All replies

  • Hi,

    Run the following commands:

    ipconfig /flushdns

    ipconfig /registerdns (elevated command prompt)

    Hope this helps.

    Tuesday, October 08, 2013 1:34 PM
  • We have tried that. On the client PC that actually isn't possible because our group policy setting prevents them from registering DNS. I also just noticed that in DHCP one of the affected PCs is listed twice, with two IP addresses in separate subnets.

    Michelle Garrah

    Tuesday, October 08, 2013 2:48 PM
  • Hi,

    I recommend that you check the owner of the records.

    Make sure the records were created by the DHCP server that is trying to modify them,

    so that the DHCP server has rights to modify them.

    If that doesn't work, please provide your network topology.

    I want to know how you set up your DHCP servers.

    "I also just noticed that in DHCP one of the affected PCs is listed twice, with two IP addresses in separate subnets."

    DHCP entries will exist until they expire.

    Since the client has moved to another subnet, the two leases should not interact.

    Hope this helps.


    Wednesday, October 09, 2013 9:42 AM
  • Thanks for the input. I have already ruled out the record ownership issue by forcing the client to IP release and renew, and verifying that the group policy setting preventing the client from registering its own DNS is applying. Also, our DHCP servers are members of the DNSUpdateProxy group, so they should be able to update records owned by the client PC. After more testing I now see that DHCP is successfully updating DNS (based on the DHCP logs, which show the client's request for the new IP address, the assignment of the new IP address and the successful DNS update) but DNS is not showing the new record. I have also verified that the new record is not appearing on any of our DNS servers, so it doesn't seem to be a replication problem. The only way the new DNS entry will appear is if we manually delete the old record.

    Michelle Garrah

    Wednesday, October 09, 2013 1:06 PM
  • More testing on this shows that the PTR records are being created just not the A records. So, for the affected PC there are two PTR records and one invalid A record. Since this is happening on PCs that have just been re-imaged and re-joined to the domain, I tried resetting the computer account (normally we delete the computer account from AD before re-imaging it) and rejoined the domain, but the A record still does not update. I verified that the security on the zones is set correctly. Our DNS is AD integrated and allows for secure dynamic updates only.

    Michelle Garrah

    Wednesday, October 09, 2013 5:51 PM
  • Hi Michelle,

    As a method of last resort, you may wish to consider enabling directory service auditing on the DNS partition(s) for failures. That will at least clarify whether you're dealing with a permissions issue, as opposed to a configuration issue.

    As a reminder, directory service auditing involves enabling it via group policy as well as specifying the SACL on the directory partition itself.

    Cheers,
    Lain

    Thursday, October 10, 2013 1:46 AM
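Lain's suggestion has two halves (the audit policy and the SACL on the directory objects), and both have to be in place before a failed DNS update produces an event. The following is an added example, not code from the thread, showing how to do that from PowerShell on a domain controller: enable failure auditing for Directory Service Access, place an inherited failure-audit entry on the zone container so every dnsNode under it is covered, and then pull the resulting 4662 events. It assumes the RSAT ActiveDirectory module and placeholder zone and partition names.

```powershell
# Added example (not from the thread). Run elevated on a DC as a Domain Admin; requires the
# RSAT ActiveDirectory module. The zone DN below is a placeholder.

# 1. Failure auditing for the DS Access subcategory. The same setting can be pushed by GPO
#    under Advanced Audit Policy Configuration > DS Access > Audit Directory Service Access.
auditpol.exe /set /subcategory:"Directory Service Access" /failure:enable

# 2. A failure SACL on the zone container, inherited by every dnsNode (record) beneath it.
#    Auditing Everyone is deliberate: we want to see whichever principal the DHCP server
#    actually presents when the write is refused, not only the account we expect.
$ZoneDn   = 'DC=corp.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example,DC=com'
$path     = "AD:\$ZoneDn"
$acl      = Get-Acl -Path $path -Audit
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
            [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    $rights,
    [System.Security.AccessControl.AuditFlags]::Failure,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents)
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Reproduce the renew on the affected client, then read the failed directory-service
#    accesses (event 4662). The Subject is the account DHCP used; the Object Name is the
#    dnsNode DN, so a permissions problem shows up as a failure on one specific record.
function Get-DnsUpdateFailures {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } -MaxEvents $MaxEvents |
        Where-Object {
            $_.KeywordsDisplayNames -contains 'Audit Failure' -and
            $_.Message -match 'MicrosoftDNS'
        } |
        Select-Object TimeCreated, Message
}

Get-DnsUpdateFailures | Format-List
```

Scope the SACL to the zone rather than the whole partition and audit failures only; 4662 is one of the noisiest security events, and an unscoped success-and-failure SACL on DomainDnsZones will bury the one event you are looking for. Remove the audit rule again once the cause is found.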
    Hi,

    Can you install Wireshark / Netmon and run a trace from the client to the server, then do ipconfig /release and /renew to capture the traffic for analysis?

    Also, any event logs from the client and server would be helpful.

    Thursday, October 10, 2013 1:48 AM
  • Thank you for the suggestions. I ran a Wireshark capture on one of the affected PCs and did an IP release/renew, and didn't see any obvious errors related to it. There are also no errors related to this issue on either the workstation or the servers. The DHCP logs show that the new IP address was successfully updated in DNS. The PTR record's timestamp updated but the A record for this station remains unchanged, still showing the PC's original IP address from another subnet.

    Michelle Garrah

    Friday, October 11, 2013 4:34 PM
  • Hi

    Is the PC correctly joined to the domain? I would think it simply can't update the record. If you set the DNS zone to nonsecure updates for a short time, does it work?


    Regards, Philippe

    Saturday, October 12, 2013 2:32 AM
  • just a suggestion, but the NIS forum is where lots of DHCP/DNS MVPs hangout:
    http://social.technet.microsoft.com/Forums/en-US/home?forum=winserverNIS

    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Saturday, October 12, 2013 7:08 AM
  • Thank you all for your input. I have ruled out a problem with the PC not being correctly joined to the domain. Removing it/rejoining it to the domain did not help. At this point I will try the NIS forum you suggested and may open a support ticket with Microsoft. The problem seems to be limited to those PCs that were recently re-imaged, so it may be an issue with the WIM process itself.

    Michelle Garrah

    Tuesday, October 15, 2013 1:56 PM