Troubleshoot DNS Time Stamps

    Question

  • Hi,

    I work in an environment where we have multiple AD sites, each site has 2 DHCP servers. Most of our leases are 1 day leases. Our DHCP servers are set to update DNS A and PTR records “Dynamically update DNS A and PTR records only if requested by the DHCP clients”, most of our clients are Windows XP and Windows 7. We work in a Windows 2003 & 2008 server estate.

    I often find myself manually deleting valid host A entries from DNS where server time stamps are several months old and then doing an ipconfig /registerdns on the server to get the time stamp to update properly.

    I suspect the permissions on the DNS records for some of the servers are not correct, but I’m not certain – for example, some currently active servers have time stamps 2 months old; I’d do an “ipconfig /registerdns” on the server and the time stamp of the record would not update, but at the same time I don’t receive any errors or warnings in the event or DNS logs on the DNS client or server. Am I correct in thinking:

    1. If a Windows XP, 7, 2003 or 2008 computer has “register this connection in DNS” checked, the server will attempt to register/refresh its DNS entry on every reboot.
    2. These clients will also attempt to refresh their DNS time stamp at least once every 24 hours.
    3. A DHCP client will try to refresh its time stamp at half life (and, failing that, at ¾ life).

    I’m struggling to understand why servers configured with a static IP that have been on for several months have time stamps that are several months old (despite being rebooted). The security ownership of most of the DNS records points to “SYSTEM”.

    Currently the DHCP servers do not use a DHCP service account, but a domain admin account. The DHCP servers are not DCs, and neither the domain admin account nor the servers are part of the DnsUpdateProxy group (which I’m looking to add them to).

    Any advice is appreciated.

    Thanks

    Wednesday, November 20, 2013 10:40 PM
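    The following audit script is an added example, not part of the original question or any reply. It assumes the DnsServer PowerShell module (Windows Server 2012 or newer on the machine it runs from; the poster's 2003/2008 estate would need a newer management host) and uses placeholder names for the zone and DNS server. It reads the zone's aging window, then classifies every A record as static, fresh, or stale, and pings stale hosts so that the case the poster describes (a running server whose record never refreshes) stands out from ordinary scavenging candidates.

```powershell
# Added example (not from the thread). Assumes the DnsServer module (Windows Server 2012+);
# $Zone and $DnsServer are placeholders to replace with your own values.
$Zone      = 'corp.example.com'   # placeholder zone name
$DnsServer = 'dns01'              # placeholder DNS server hosting the zone

# Aging window for the zone: a record whose timestamp is older than
# NoRefresh + Refresh is eligible for scavenging.
$aging  = Get-DnsServerZoneAging -Name $Zone -ComputerName $DnsServer
$window = $aging.NoRefreshInterval + $aging.RefreshInterval
$cutoff = (Get-Date).Subtract($window)

Get-DnsServerResourceRecord -ZoneName $Zone -RRType A -ComputerName $DnsServer |
    Where-Object { $_.HostName -ne '@' } |           # skip the zone apex record
    ForEach-Object {
        $ip = $_.RecordData.IPv4Address.IPAddressToString
        if ($null -eq $_.Timestamp) {
            # Static records carry no timestamp and are never scavenged.
            $state = 'static'
        }
        elseif ($_.Timestamp -lt $cutoff) {
            # Stale record: distinguish a live host that is failing to refresh
            # (registration problem) from a dead host (scavenging candidate).
            $alive = Test-Connection -ComputerName $ip -Count 1 -Quiet
            $state = if ($alive) { 'STALE but host reachable: check registration/ACL' }
                     else        { 'stale and unreachable: scavenging candidate' }
        }
        else {
            $state = 'fresh'
        }
        [pscustomobject]@{
            Host      = $_.HostName
            IPv4      = $ip
            Timestamp = $_.Timestamp
            State     = $state
        }
    } |
    Sort-Object Timestamp |
    Format-Table -AutoSize
```

Records that come back as "STALE but host reachable" are the ones worth inspecting for ownership and write permission on the record, since a host that is up and rebooting but never moves its timestamp is the symptom described in the question.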

Answers

  • Sorry, I thought I made it clear that only the DHCP server computer object is in the DnsUpdateProxy group. No user accounts, group accounts, or anything else is in that group, or it will not work.

    Whatever account the service is running under is not related to the DHCP Credential account. The DHCP credentials account should only be a plain-Jane, Domain User account.

    If your DHCP server is a DC, and it's 2008 and newer, run the following (as I've indicated in my previous posts):

    If DHCP is co-located on a Windows 2008 R2 or Windows 2012 DC, you can and must secure the DnsUpdateProxy group by running the following:
    dnscmd /config /OpenAclOnProxyUpdates 0

    -

    I hope that clears things up and removes any ambiguity.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    • Marked as answer by EuroTechie2013 Tuesday, November 26, 2013 8:15 AM
    Monday, November 25, 2013 7:30 PM

All replies

  • I suggest changing it so DHCP updates everything whether the client asks or not, configure credentials, add the DHCP servers' computer objects to the DnsUpdateProxy group, and enable scavenging. This way DHCP owns the records and will update them as they change, and scavenge records that have met their timestamps; otherwise you will get dupes and old stuff lying around. To kick it off, you may have to manually delete the old stuff, unless you want to wait for the scavenging cycle to kick in.

    In summary:

    1. Configure DHCP Credentials. The credentials only need to be a plain-Jane, non-administrator user account. Give it a really strong password.
    2. Set DHCP to update everything, whether the clients can or cannot.
    3. Set the zone for Secure & Unsecure Updates. Do not leave it Unsecure Only.
    4. Add the DHCP server(s) to the Active Directory Built-In DnsUpdateProxy security group. Make sure ALL other non-DHCP servers are NOT in the DnsUpdateProxy group. For example, some believe that the DNS servers or other DCs not running DHCP should be in it. They must be removed or it won't work.
    5. On Windows 2008 R2 or newer, DISABLE Name Protection.
    6. If DHCP is co-located on a Windows 2008 R2 or Windows 2012 DC, you can and must secure the DnsUpdateProxy group by running the following:
       dnscmd /config /OpenAclOnProxyUpdates 0
    7. Configure Scavenging on ONLY one DNS server. What it scavenges will replicate to others anyway. Set the NOREFRESH and REFRESH values combined to be equal to or greater than the DHCP Lease length.

    -

    Specifics:

    DHCP Service Configuration, Dynamic DNS Updates, Scavenging, Static Entries, Timestamps, DnsUpdateProxy Group, DHCP Credentials, prevent duplicate DNS records, DHCP has a "pen" icon, and more...
    Published by Ace Fekay, MCT, MVP DS on Aug 20, 2009 at 10:36 AM
    http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx  

    Good summary
    How Dynamic DNS behaves with multiple DHCP servers on the same Domain?
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e9d13327-ee75-4622-a3c7-459554319a27


    Ace Fekay


    Friday, November 22, 2013 1:16 AM
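    The script below is an added example that applies the summary steps in Ace's reply with the DhcpServer, DnsServer and ActiveDirectory PowerShell modules; it is not Ace's own script and assumes Windows Server 2012 or newer management tooling. Server names, the zone name and the one-day lease length are placeholders. It configures the DHCP credential and update behaviour on each DHCP server, puts only the DHCP computer objects in DnsUpdateProxy and reports any other members, sets zone aging so NoRefresh + Refresh equals the lease length, and turns scavenging on for a single DNS server.

```powershell
# Added example (not from the thread). Assumes the DhcpServer, DnsServer and
# ActiveDirectory modules (Windows Server 2012+). Names below are placeholders.
$DhcpServers = 'dhcp01', 'dhcp02'      # placeholder DHCP server names
$DnsServer   = 'dns01'                 # placeholder DNS server that will scavenge
$Zone        = 'corp.example.com'      # placeholder AD-integrated zone
$LeaseLength = New-TimeSpan -Days 1    # matches the one-day leases in the question
$DhcpIsOnDc  = $false                  # set $true only if DHCP runs on a DC

# Step 1: DHCP credential, a plain Domain User (never a domain admin).
$dhcpCred = Get-Credential -Message 'DHCP DNS update account (plain Domain User)'

foreach ($srv in $DhcpServers) {
    Set-DhcpServerDnsCredential -Credential $dhcpCred -ComputerName $srv

    # Step 2 and 5: always register A and PTR regardless of what the client asks,
    # remove the records when the lease expires, and keep Name Protection off.
    Set-DhcpServerv4DnsSetting -ComputerName $srv `
        -DynamicUpdates Always `
        -DeleteDnsRROnLeaseExpiry $true `
        -UpdateDnsRRForOlderClients $true `
        -NameProtection $false

    # Step 4: only the DHCP server computer objects go into DnsUpdateProxy.
    Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members (Get-ADComputer -Identity $srv)
}

# Step 4 check: anything in DnsUpdateProxy that is not a DHCP server must be removed.
$extra = Get-ADGroupMember -Identity 'DnsUpdateProxy' |
         Where-Object { $_.name -notin $DhcpServers }
if ($extra) {
    Write-Warning ("Remove these non-DHCP members from DnsUpdateProxy: " + ($extra.name -join ', '))
}

# Step 3: zone update mode as the post recommends. 'Secure' is the stricter choice
# and still works here, because the DHCP credential account is an authenticated updater.
Set-DnsServerZone -Name $Zone -DynamicUpdate NonsecureAndSecure -ComputerName $DnsServer

# Step 6: when DHCP is co-located on a DC, lock down proxy-updated records
# (dnscmd syntax taken from the post; server name added).
if ($DhcpIsOnDc) {
    & dnscmd $DnsServer /config /OpenAclOnProxyUpdates 0
}

# Step 7: NoRefresh + Refresh >= lease length (here each is half the lease),
# and scavenging enabled on ONE server only.
$half = [TimeSpan]::FromTicks([long]($LeaseLength.Ticks / 2))
Set-DnsServerZoneAging -Name $Zone -Aging $true `
    -NoRefreshInterval $half -RefreshInterval $half -ComputerName $DnsServer
Set-DnsServerScavenging -ScavengingState $true `
    -ScavengingInterval (New-TimeSpan -Days 7) -ComputerName $DnsServer

# Read back the resulting settings for review.
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServers[0]
Get-DnsServerZoneAging -Name $Zone -ComputerName $DnsServer
```

Running the read-back cmdlets at the end on each DHCP server and on the scavenging DNS server confirms that DynamicUpdates is Always, NameProtection is off, and the zone's NoRefresh plus Refresh interval is at least the lease length before any old records are deleted by hand.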
  • Thanks for the reply Ace.

    Can you tell me if the user account which is used to register DHCP clients should be in the DnsUpdateProxy group?

    I have multiple servers in my environment, some DHCP servers are DCs, some are not (I'm gradually separating the roles...).

    Currently the domain admin account is used by the DHCP service, but I plan to change this to a standard user account.

    Monday, November 25, 2013 6:25 PM