DHCP/DNS issue with laptops constantly moving between multiple scopes

    Question

  • We are experiencing an issue with laptops which move between our wired and wireless networks, and between sites.  Each site has its own subnet/dhcp scope, and the sites with wireless have a separate scope for it (one wired and one wireless).  The dhcp server is a DC running Windows Server 2003, the server's machine account is in the DNSUpdateProxy security group, and credentials are configured for DNS updates.  DHCP lease times are the default 8 days, DNS refresh and norefresh intervals are both 7 days, and scavenging is enabled.

    Laptops that change networks get new dhcp addresses on their new subnet, as expected.  However, they can change between networks multiple times a day, and in the case of some of our execs who move around the country, can be in multiple offices within one week.  The DNS entries for these laptops are not being updated reliably, resulting in problems when our helpdesk has to support them, as they are unable to connect to them by DNS name.  We are also in the process of configuring SCCM 2012, and it is causing issues with this as well.  There are also multiple DHCP leases for these machines, one per scope they've been in during the last 8 days.  I can see from the DHCP logs that DHCP is sending DNS Update Requests for all of these leases, and getting DNS Update Failed.

    I've read http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx and a number of other articles and forum posts, but nothing seems to cover this scenario.  I've considered lowering the DHCP lease time to a day, and the NoRefresh interval to an hour, with the Refresh interval at 1 day, but I'm not sure what will happen due to the multiple leases.  Will these overwrite each other, until they expire?  What is the best configuration for this scenario?


    Nigel Benfell B.Sc. MCSA

    Wednesday, July 31, 2013 4:49 AM

All replies

  • Hi,

    A DHCP server can enable dynamic updates in the DNS namespace for any one of its clients that support these updates. Scope clients can use the DNS dynamic update protocol to update their host name-to-address mapping information whenever changes occur to their DHCP-assigned address. (This mapping information is stored in zones on the DNS server.) A DHCP server can perform updates on behalf of its DHCP clients to any DNS server, but it must first supply proper credentials.

    Quote from:
    DHCP: Credentials for DNS update should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server
    http://technet.microsoft.com/en-us/library/ee941181(v=ws.10).aspx

    Some related KB:
    Configure DNS dynamic update credentials
    http://technet.microsoft.com/en-us/library/cc775839(v=ws.10).aspx

    Hope this helps



    Alex Lv

    Monday, August 05, 2013 3:33 AM
    Moderator
  • Thanks for the effort Alex, but as I mentioned in my original post, the dhcp server is already configured with credentials for DNS updates.

    Nigel Benfell B.Sc. MCSA

    Monday, August 05, 2013 4:14 AM
  • Could you post some related DHCP and DNS debug logs from when the issue occurs?

    The related KB:

    Monitoring DNS

    http://technet.microsoft.com/en-us/library/cc786430(v=ws.10).aspx

    Thanks.


    Alex Lv

    Tuesday, August 06, 2013 2:16 AM
    Moderator
  • Laptops that change networks get new dhcp addresses on their new subnet, as expected

    Just want to ask, do you only have one DHCP and DNS server that controls multiple subnets?

    Can you give an example of your network config like:

    Just give dummy data.

    Like, Scenario 1:

    PC 1 - in subnet 1

    Please give IP Address, DNS IP Address, Gateway

    Scenario 2:

    PC1 - moves to subnet 2

    Please give IP Address, DNS IP Address, Gateway

    Scenario 3:

    PC1 - moves to subnet 3

    Please give IP Address, DNS IP Address, Gateway


    Every second counts..make use of it.


    • Edited by cguan Tuesday, August 06, 2013 9:12 AM
    Tuesday, August 06, 2013 9:11 AM
  • Just one DHCP server active (we have a standby DHCP server which isn't authorised, for quick failover should the existing one fail), multiple DNS servers which are all Domain Controllers.  The DHCP server is a DC also.  The routers on each site have ip helpers configured to forward DHCP requests to the DHCP server.

    PC1 - Office 1 - Wired.

    172.21.1.1, gw 172.21.1.254

    Moves to wireless in the same office

    172.21.2.1 gw 172.21.2.254

    Flies to another city, in another office.

    172.20.1.1, gw 172.20.1.254

    All of the DHCP scopes are configured with the same 4 DNS servers in the same order.

    172.20.5.1, 172.20.5.2, 172.20.6.1, 172.20.6.2

    All appropriate routes exist.

    Edit : Will gather logs today as time allows.


    Nigel Benfell B.Sc. MCSA


    Tuesday, August 06, 2013 8:52 PM
  • Have you tried putting the DNS servers in statically on a roaming laptop, like:

    172.20.5.1, 172.20.5.2, 172.20.6.1, 172.20.6.2 then add in 4.2.2.2


    Every second counts..make use of it.

    Tuesday, August 06, 2013 10:42 PM
  • Why?  This wouldn't change anything.  They have these DNS addresses already, and we don't want them having an external DNS server to fallback to (they wouldn't be able to talk to it anyway, due to the company firewall).


    Nigel Benfell B.Sc. MCSA

    Tuesday, August 06, 2013 11:42 PM
    • Edited by cguan Wednesday, August 07, 2013 6:45 AM
    Wednesday, August 07, 2013 6:12 AM
  • After a bunch of testing and changes yesterday, I seem to have found a partial solution, although not an answer to my questions.

    Deleting the existing DNS and PTR entries for my 2 test machines, and unselecting "Register this connection's address in DNS" in the Advanced TCP/IP Settings for both wired and wireless nics, so that DHCP will create the record, and only DHCP will update it, seems to fix the issue.  Multiple changes from wired to wireless and back were correctly updated in DNS.  I'm currently testing a GPO with the following settings:

    Computer Configuration\Policies\Administrative Templates\Network\DNS Client:

    Dynamic update - Disabled

    Register PTR records - Enabled - Do not register

    This should have the same effect as unticking the "Register this connection's address in DNS" on all adapters.


    Nigel Benfell B.Sc. MCSA

    • Proposed as answer by dubwize Thursday, August 22, 2013 8:29 AM
    • Unproposed as answer by dubwize Thursday, August 22, 2013 8:29 AM
    • Proposed as answer by Ace Fekay [MCT]MVP Friday, August 23, 2013 3:17 PM
    Thursday, August 08, 2013 3:47 AM
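The workaround above (let only the DHCP server create and update the record) turns on who owns the record under secure dynamic update. The following is an added example, not code from the thread, that models that ownership rule in a simplified way: the principal that created a record is the only one that may change it later. It uses hypothetical names (a credential account `CORP\svc-dhcp-dns`, a laptop `exec-laptop01`) and constructed addresses in the style of Nigel's three scopes, and shows why the DHCP log reports "DNS Update Failed" for a laptop that registers itself, while a record created by the DHCP server's single credential account follows the laptop through every scope.

```python
# Added example (not from the thread): a toy model of secure dynamic DNS update
# ownership. Simplification assumed here: under secure-only updates, the
# principal that created a record is the only one allowed to modify it later.

from dataclasses import dataclass


@dataclass
class Record:
    name: str
    ip: str
    owner: str          # principal that created the record


class SecureZone:
    """Forward lookup zone that accepts secure dynamic updates only."""

    def __init__(self):
        self.records = {}   # hostname -> Record
        self.log = []       # mimics the "DNS Update Request / Failed" lines in the DHCP log

    def update(self, requester, name, ip):
        rec = self.records.get(name)
        if rec is None:
            self.records[name] = Record(name, ip, requester)
            self.log.append(f"{requester}: created {name} -> {ip}")
            return True
        if rec.owner != requester:
            self.log.append(f"{requester}: DNS Update Failed for {name} (owned by {rec.owner})")
            return False
        rec.ip = ip
        self.log.append(f"{requester}: updated {name} -> {ip}")
        return True


# Hypothetical names. The DHCP server uses one credential account for every scope.
DHCP_CREDENTIAL = "CORP\\svc-dhcp-dns"
LAPTOP = "exec-laptop01"
# Constructed addresses: office 1 wired, office 1 wireless, another office.
MOVES = ["172.21.1.1", "172.21.2.1", "172.20.1.1"]


def roam(zone, host, client_registers, addresses=MOVES):
    """Take a lease in each scope in turn. Returns the outcome of the DHCP
    server's update after each move."""
    outcomes = []
    for ip in addresses:
        if client_registers:
            # "Register this connection's address in DNS" ticked: the laptop's
            # computer account registers first and therefore owns the record.
            zone.update(host + "$", host, ip)
        # The DHCP server then tries to update the record on the client's behalf.
        outcomes.append(zone.update(DHCP_CREDENTIAL, host, ip))
    return outcomes


def final_ip(zone, host):
    """Address the zone currently holds for the host."""
    return zone.records[host].ip


if __name__ == "__main__":
    for client_registers in (True, False):
        zone = SecureZone()
        print(f"client registers itself: {client_registers}")
        print("  DHCP update outcomes:", roam(zone, LAPTOP, client_registers))
        for line in zone.log:
            print("  ", line)
```

Run it and the first scenario prints a "DNS Update Failed" line for every move, which is the pattern Nigel saw in his DHCP log; the second scenario, where the record belongs to the DHCP credential account, succeeds on each move. The model deliberately leaves out the DnsUpdateProxy special case and Name Protection (DHCID) so that the ownership point stays visible.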
  • Hi we also have these issues with duplicate records and roaming clients. I have enabled DHCP Name Protection to cope with these duplicate records. Seems to solve the issue on our DNS. 

    http://technet.microsoft.com/en-us/library/dd759188.aspx

    Thursday, August 22, 2013 8:32 AM
  • Name Protection isn't an option for us as our DHCP server is Server 2003.  We will eventually move to a Server 2012 DHCP server, but this is still some months away.

    My above workaround has created another issue, in that I need some machines to register their own records, as machines connected via DirectAccess or our Citrix VPN don't talk to the DHCP server.  I've settled for removing the aforementioned GPO, reducing the lease time on our wireless subnets to 1 day, left the scavenging as it was, and (most importantly), found our primary forward lookup zone was set to allow non-secure updates, changed that to secure updates only.  Will still have the occasional issue with machines that switch between wired and wireless multiple times a day, but this seems to have resolved the problem for the majority of the network.  Some records have needed to be deleted, then recreated by the DHCP server, after which all has been well.  Am continuing to monitor this.


    Nigel Benfell B.Sc. MCSA

    Friday, August 23, 2013 12:42 AM
  • Interesting you had to configure it this way. What I would suggest is the following, if nothing else, just to make sure things are configured properly.

    • Make sure the credentials account, or anything else, is not part of the DnsUpdateProxy group. Only DHCP servers' objects should be there (you would be surprised how many get this wrong - and if there is anything in there other than just DHCP servers, it won't work).
    • The credentials should be a plain-Jane, Domain User account, with no admin privileges.
    • The NoREFRESH and REFRESH days added together should be equal to or less than the DHCP lease. Your settings are 7 days each, totaling 14. It should be ideally set to 4 days each. More info on this below.

    -

    The scavenging total time formula is: NoRefresh + Refresh * 2 + scavenge period.
    Example:
    - DHCP lease duration should match the "no-refresh + refresh" values = 6 Days
    - Zone is set to a 3 day Refresh and a 3 day No-Refresh interval
    - Server Scavenging period is set to 3 days
    - The total time is set to 3 day No-Refresh + 3 day Refresh + 3 day No-Refresh + 1 to Scavenging period (1 day to 3 day in this example) = Scavenging will occur anytime between Day 10 to Day 12
    Good discussion on it and an example by Rick Tan [MSFT]:
    Thread: "Enable DNS aging and scavenging "
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/d4ec8490-60cd-4466-951a-203a1ddbfaff/

    -

    DHCP Service Configuration, Dynamic DNS Updates, Scavenging, Static Entries, Timestamps, DnsUpdateProxy Group, DHCP Credentials, prevent duplicate DNS records, DHCP has a "pen" icon, and more...
    Published by Ace Fekay, MCT, MVP DS on Aug 20, 2009 at 10:36 AM
    http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Friday, August 23, 2013 3:24 PM
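As an added worked example (not part of Ace's post or of the thread), the timeline below applies the aging parameters discussed above: it computes, from the zone's NoRefresh and Refresh intervals and the server's scavenging period, when a record that has stopped being refreshed becomes stale and the window in which a scavenging pass removes it, and it checks the rule that NoRefresh + Refresh should not exceed the DHCP lease. Assumptions that are mine rather than the thread's: the client renews its lease halfway through the lease, the DHCP server sends a DNS refresh for the client at every renewal, a refresh with unchanged data only re-stamps the record once NoRefresh has elapsed, and the thread's scavenging period (not stated by Nigel) is the 7-day default.

```python
# Added example: toy timeline of DNS aging for one DHCP-registered record.
# Units are days. Assumptions (not from the thread): the client renews at half
# the lease duration, the DHCP server sends a dynamic update for the client at
# every renewal, and an update carrying unchanged data only re-stamps the
# record once the NoRefresh interval has elapsed.


def apply_refresh(timestamp, now, no_refresh):
    """Timestamp after a refresh attempt at 'now' (unchanged during NoRefresh)."""
    return now if now - timestamp >= no_refresh else timestamp


def stale_at(timestamp, no_refresh, refresh):
    """Day on which the record becomes eligible for scavenging."""
    return timestamp + no_refresh + refresh


def scavenge_window(timestamp, no_refresh, refresh, period):
    """Earliest and latest day the record is removed: it goes stale at
    NoRefresh + Refresh after its timestamp, and the next scavenging pass
    runs at most 'period' days later."""
    stale = stale_at(timestamp, no_refresh, refresh)
    return stale, stale + period


def settings_ok(lease, no_refresh, refresh):
    """Rule from the thread: NoRefresh + Refresh must not exceed the DHCP lease."""
    return no_refresh + refresh <= lease


def simulate(lease, no_refresh, refresh, period, days_connected):
    """Laptop stays in one scope for 'days_connected' days, then leaves without
    releasing its lease. Returns (last timestamp, scavenge window for the
    record it left behind)."""
    timestamp = 0.0
    t = 0.0
    while True:
        t += lease / 2          # next lease renewal
        if t > days_connected:
            break
        timestamp = apply_refresh(timestamp, t, no_refresh)
    return timestamp, scavenge_window(timestamp, no_refresh, refresh, period)


if __name__ == "__main__":
    # (lease, NoRefresh, Refresh, scavenging period) in days
    scenarios = {
        "thread's settings (8-day lease, 7/7 aging, assumed 7-day period)": (8, 7, 7, 7),
        "suggested settings (6-day lease, 3/3 aging, 3-day period)": (6, 3, 3, 3),
    }
    for label, (lease, nr, r, period) in scenarios.items():
        ts, (lo, hi) = simulate(lease, nr, r, period, days_connected=0)
        print(f"{label}: aging fits lease={settings_ok(lease, nr, r)}, "
              f"stale record removed between day {lo:g} and day {hi:g}")
```

With the thread's values a record abandoned on day 0 lingers until somewhere between day 14 and day 21, well past the 8-day lease; with the suggested 3/3 aging and a 3-day scavenging period it is gone between day 6 and day 9. Calling `simulate` with a larger `days_connected` shows the other side of the rule: a laptop that keeps renewing in one scope is re-stamped on the first renewal that falls outside NoRefresh, so its record never goes stale while it is in use.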