DHCP updates which DNS?

    Question

  • On Windows 2008, in the DHCP properties, DNS tab, there are options for updating DNS. Which DNS is updated?
    Is it the first DNS server in Scope Options?

    Also, what happens if I have 2 DNS servers in the DNS servers list, from 2 different domains? Will DHCP update only the DNS server that corresponds to the client's domain?

    Sunday, November 03, 2013 5:06 AM

Answers

  • This option is used to give the DHCP server permission to update DNS records on behalf of clients. Actually, this tab is Option 81 of the DHCP server. You can read more here: http://technet.microsoft.com/en-us/library/cc787034(v=ws.10).aspx. If the client gets option 81 from DHCP, then the client will send requests for updating DNS records to the DHCP server instead of DNS, and the DHCP server will update the records in the DNS zone. If the DHCP server's permissions allow it to update records in the zone, it will update them based on the client's DNS suffix.
    • Marked as answer by SAMATA Sunday, November 10, 2013 12:08 AM
    Sunday, November 03, 2013 1:10 PM
  • First, your computer's primary DNS suffix is determined. If the option to use the connection's DNS suffix for DNS registration is activated, then this suffix is used in the DNS registration query. Second, the computer sends a request to the DHCP server with the computer name and the DNS suffix. The DHCP server checks which server is authoritative for the zone matching your suffix and updates the record in it.

    I did some research with Wireshark and found that the DHCP server uses the first server in the option 006 (DNS Servers) list for registration; in my case I had two AD-integrated zones, both authoritative.


    • Edited by Ko4evneG Sunday, November 03, 2013 4:41 PM
    • Marked as answer by SAMATA Sunday, November 10, 2013 12:07 AM
    Sunday, November 03, 2013 4:38 PM
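Added example, written for this page and not code from Ko4evneG or anyone else in the thread: a decoder for the two options in play, 006 (DNS Servers) and 081 (Client FQDN, defined in RFC 4702), run over a constructed option list for the Win7.domainYY.com client from the question, followed by the responsibility split the thread describes as the Windows default (client registers its A record, DHCP server registers the PTR) and its two overrides (the client's S and N flags, and the server's "Always dynamically update" setting). The IP addresses and the FQDN are made up; picking the first option 006 entry as the update target reproduces the Wireshark observation above, not a documented rule.

```powershell
# Added example, not code from the thread: decode option 006 (DNS Servers) and option 081
# (Client FQDN, RFC 4702) from a constructed DHCP option list, then work out who registers
# the A and PTR records and which DNS server the DHCP server sends its update to.

function ConvertFrom-DhcpOptions {
    param([byte[]]$Bytes)
    # DHCP options are TLVs: code, length, value. Code 0 is a pad byte, 255 ends the list.
    $opts = @{}
    $i = 0
    while ($i -lt $Bytes.Length) {
        $code = [int]$Bytes[$i]
        if ($code -eq 0)   { $i++; continue }
        if ($code -eq 255) { break }
        $len = [int]$Bytes[$i + 1]
        $opts[$code] = if ($len -gt 0) { [byte[]]$Bytes[($i + 2)..($i + 1 + $len)] } else { [byte[]]@() }
        $i += 2 + $len
    }
    return $opts
}

function ConvertFrom-DhcpDnsServerOption {
    param([byte[]]$Data)
    # Option 006: 4-byte IPv4 addresses, in the order the server hands them out.
    $servers = @()
    for ($i = 0; $i -lt $Data.Length; $i += 4) {
        $servers += ($Data[$i..($i + 3)] -join '.')
    }
    return $servers
}

function ConvertFrom-DhcpClientFqdnOption {
    param([byte[]]$Data)
    # Option 081 (RFC 4702): flags, RCODE1, RCODE2 (both deprecated), then the domain name.
    $flags = [int]$Data[0]
    [byte[]]$name = $Data[3..($Data.Length - 1)]
    if ($flags -band 0x04) {
        # E=1: canonical wire format, length-prefixed labels ending in a zero byte.
        $labels = @(); $p = 0
        while ($p -lt $name.Length -and $name[$p] -ne 0) {
            $l = [int]$name[$p]
            $labels += [System.Text.Encoding]::ASCII.GetString([byte[]]$name[($p + 1)..($p + $l)])
            $p += 1 + $l
        }
        $fqdn = $labels -join '.'
    } else {
        # E=0: plain ASCII, which is what Windows clients send.
        $fqdn = [System.Text.Encoding]::ASCII.GetString($name)
    }
    [pscustomobject]@{
        S    = [bool]($flags -band 0x01)   # client asks the server to register the A record
        O    = [bool]($flags -band 0x02)   # set by the server in its reply when it overrode the client
        E    = [bool]($flags -band 0x04)   # name encoding, see above
        N    = [bool]($flags -band 0x08)   # client asks the server to do no DNS updates at all
        Fqdn = $fqdn
    }
}

function Get-DnsRegistrationPlan {
    param(
        [pscustomobject]$ClientFqdn,
        [string[]]$DnsServers,
        [ValidateSet('OnClientRequest', 'Always', 'Never')]
        [string]$ServerDynamicUpdates = 'OnClientRequest'   # the DHCP server's DNS tab setting
    )
    $server = @(); $client = @()
    switch ($ServerDynamicUpdates) {
        'Always' { $server = @('A', 'PTR') }   # "Always dynamically update": server owns both, replies O=1 S=1
        'Never'  { $client = @('A', 'PTR') }   # no option 81 in the reply: a Windows client registers both itself
        default  {
            if     ($ClientFqdn.N) { $client = @('A', 'PTR') }   # RFC 4702 N bit: server stays out entirely
            elseif ($ClientFqdn.S) { $server = @('A', 'PTR') }   # client asked the server to do its A record
            else   { $client = @('A'); $server = @('PTR') }      # Windows default: client A, DHCP server PTR
        }
    }
    [pscustomobject]@{
        Fqdn          = $ClientFqdn.Fqdn
        Zone          = ($ClientFqdn.Fqdn -split '\.', 2)[1]   # the suffix selects the zone that gets updated
        ClientUpdates = $client
        ServerUpdates = $server
        UpdateSentTo  = $DnsServers[0]   # first entry of option 006, as the thread observed with Wireshark
    }
}

# Constructed sample (made-up addresses and name): option 006 with two DNS servers and a
# Windows-style option 081 (flags 0x00 = client registers its own A record, ASCII name), then end.
$nameBytes = [System.Text.Encoding]::ASCII.GetBytes('win7.domainYY.com')
$sample = [byte[]](@(6, 8, 10, 0, 1, 53, 10, 0, 2, 53) +
                   @(81, (3 + $nameBytes.Length), 0, 255, 255) + $nameBytes +
                   @(255))

$opts = ConvertFrom-DhcpOptions -Bytes $sample
$dns  = ConvertFrom-DhcpDnsServerOption -Data $opts[6]      # 10.0.1.53, 10.0.2.53
$fqdn = ConvertFrom-DhcpClientFqdnOption -Data $opts[81]    # S=False N=False, win7.domainYY.com
Get-DnsRegistrationPlan -ClientFqdn $fqdn -DnsServers $dns                                 # client A, server PTR
Get-DnsRegistrationPlan -ClientFqdn $fqdn -DnsServers $dns -ServerDynamicUpdates Always    # server A and PTR
```

This runs in any PowerShell 5.1 or later session and touches nothing on the network. The E bit is the part worth keeping when you point this at real captures: non-Windows clients usually send the name in wire format, and a decoder that assumes ASCII misreads them.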
  • It will choose the first DNS in the Option 006 list. It will NOT touch the others unless the first one does not respond.

    As for DHCP properties, DNS tab, as pointed out, this is actually Option 081. This is used to control how DHCP will update clients. If you configure it to control forward and reverse, with some other config settings (below), you can eliminate duplicate entries in DNS. Dupes are common issues with laptops that are constantly in and out of an office.

    -

    Just an FYI, here is the default DNS Dynamic Update process for any computer to register into DNS; this applies to non-Microsoft operating systems, too, because it's based on an RFC (can't remember which):

    1. By default, Windows 2000 and newer statically configured machines will register their A record (hostname) and PTR (reverse entry) into DNS.
    2. If set to DHCP, a Windows 2000 or newer machine will request DHCP to allow the machine itself to register its own A (forward entry) record, but DHCP will register its PTR (reverse entry) record.
    3. The entity that registers the record in DNS owns the record.

    -

    If you want to configure DHCP to fully control the forward and reverse entries to eliminate dupes and keep DNS clean (this also applies to non-Microsoft DHCP clients and Windows clients not joined to the domain, because if the zone is set to Secure Only, it requires Kerberos to authenticate the registration request), here's a summary of what needs to be done. This configuration prevents duplicate host entries in DNS: if a machine gets a new IP, DHCP doesn't own the previous host record and therefore creates a duplicate. The following prevents this, too.

    1. Configure DHCP Credentials. The credentials only need to be a plain-Jane, non-administrator, user account. Give it a really strong password.
    2. Set DHCP to update everything, whether the clients can or cannot.
    3. Set the zone for Secure & Unsecure Updates. Do not leave it Unsecure Only.
    4. Add the DHCP server(s) to the Active Directory, Built-In DnsUpdateProxy security group. Make sure ALL other non-DHCP servers are NOT in the DnsUpdateProxy group. For example, some believe that the DNS servers or other DCs not running DHCP should be in it. They must be removed or it won't work.
    5. On Windows 2008 R2 or newer, DISABLE Name Protection.
    6. If DHCP is co-located on a Windows 2008 R2 or Windows 2012 DC, you can and must secure the DnsUpdateProxy group by running the following:
      dnscmd /config /OpenAclOnProxyUpdates 0
    7. Configure Scavenging on ONLY one DNS server. What it scavenges will replicate to others anyway.
    8. Set the NOREFRESH and REFRESH values combined to be equal or greater than the DHCP Lease length.

    -

    More specifics with step by step screen shots:

    This blog covers the following:
    DHCP Service Configuration, Dynamic DNS Updates, Scavenging, Static Entries, Timestamps, DnsUpdateProxy Group, DHCP Credentials, prevent duplicate DNS records, DHCP has a "pen" icon, and more...
    Published by Ace Fekay, MCT, MVP DS on Aug 20, 2009 at 10:36 AM
    http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx  

    Good summary
    How Dynamic DNS behaves with multiple DHCP servers on the same Domain?
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e9d13327-ee75-4622-a3c7-459554319a27


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    • Marked as answer by SAMATA Sunday, November 10, 2013 12:07 AM
    Thursday, November 07, 2013 4:50 AM
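The eight steps above as one PowerShell run, added here as an example and not taken from Ace's blog or the thread; it needs Windows Server 2012 or newer for the DhcpServer, DnsServer and ActiveDirectory modules, and the dnscmd call in step 6 is the one command from the post itself. The hostnames, zone names, service account and aging intervals are placeholders. Two caveats before running it: step 3 opens the zones to nonsecure updates, so any host on the network can then write records it does not already own, which is why steps 1, 4 and 6 matter; and step 5 turns off Name Protection, the DHCP-side check (via DHCID records) that stops one client from taking over a name another client already registered. The script also codes the step 8 rule as a hard check and verifies the DnsUpdateProxy membership at the end.

```powershell
# Added example, not Ace Fekay's own code: the eight steps as one PowerShell run for
# Windows Server 2012 or newer (DhcpServer, DnsServer and ActiveDirectory modules).
# Every hostname, zone name, account name and interval below is a placeholder to replace.
$DhcpServer   = 'dhcp01.corp.example.com'                 # assumption: the DHCP server being configured
$DhcpComputer = 'DHCP01'                                  # assumption: its AD computer account name
$DnsServer    = 'dc01.corp.example.com'                   # assumption: the one DNS server that will scavenge
$Zones        = 'corp.example.com', '1.0.10.in-addr.arpa' # assumption: forward and reverse zones

# 1. DHCP credentials: an ordinary domain user with a long password and no admin rights.
#    Records the DHCP server registers are then owned by this account, not by the server itself.
$cred = Get-Credential -UserName 'CORP\svc-dhcp-dns' -Message 'Password for the DHCP DNS update account'
Set-DhcpServerDnsCredential -Credential $cred -ComputerName $DhcpServer

# 2. and 5. Server-wide DNS tab: always update A and PTR, also for clients that never send
#    option 81, remove the records when the lease expires, and turn Name Protection off.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -DynamicUpdates Always `
    -UpdateDnsRRForOlderClients $true -DeleteDnsRRonLeaseExpiry $true -NameProtection $false

# 3. Zones accept secure and nonsecure updates. Caveat: nonsecure updates let any host on the
#    network register or overwrite records it does not own; steps 1, 4 and 6 are what keep the
#    DHCP-registered records from being writable by everyone.
foreach ($z in $Zones) {
    Set-DnsServerPrimaryZone -Name $z -DynamicUpdate NonsecureAndSecure -ComputerName $DnsServer
}

# 4. DnsUpdateProxy holds the DHCP server(s) and nothing else.
$members = Get-ADGroupMember -Identity 'DnsUpdateProxy'
if ($members.Name -notcontains $DhcpComputer) {
    Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members (Get-ADComputer $DhcpComputer)
}
$members | Where-Object { $_.Name -ne $DhcpComputer } |
    ForEach-Object { Remove-ADGroupMember -Identity 'DnsUpdateProxy' -Members $_ -Confirm:$false }

# 6. Close the open ACL that DnsUpdateProxy members would otherwise put on the records they create.
dnscmd $DnsServer /Config /OpenAclOnProxyUpdates 0

# 7. and 8. Aging on the zones, scavenging on exactly one server. NoRefresh + Refresh must be at
#    least the longest lease, otherwise records of live leases get scavenged.
$lease = (Get-DhcpServerv4Scope -ComputerName $DhcpServer |
          Sort-Object -Property LeaseDuration -Descending | Select-Object -First 1).LeaseDuration
$noRefresh = [TimeSpan]::FromDays(4)   # assumption: sized for the default 8-day lease
$refresh   = [TimeSpan]::FromDays(4)
if (($noRefresh + $refresh) -lt $lease) {
    throw "NoRefresh + Refresh ($($noRefresh + $refresh)) is shorter than the longest lease ($lease)"
}
foreach ($z in $Zones) {
    Set-DnsServerZoneAging -Name $z -Aging $true -NoRefreshInterval $noRefresh `
        -RefreshInterval $refresh -ComputerName $DnsServer
}
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval ([TimeSpan]::FromDays(7)) -ComputerName $DnsServer

# Check the result: credential in place, update mode, and who is left in DnsUpdateProxy.
Get-DhcpServerDnsCredential -ComputerName $DhcpServer
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer
Get-ADGroupMember -Identity 'DnsUpdateProxy' | Select-Object Name, objectClass
```

Run it from a host that has RSAT installed, as an account that is both a DHCP administrator and allowed to edit DnsUpdateProxy; the group cleanup removes every non-DHCP member, so review the membership listing before you run it in a domain where other servers were added to the group on purpose.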

All replies

  • When DHCP servers issue an IP to a client OS (no, only domain), the DHCP servers automatically add records in DNS.

    Sunday, November 03, 2013 6:01 AM
  • My question is which DNS server will be updated first?

    Is it the DNS servers configured in Scope Options? Is it the DNS server that has the lowest cost from DHCP, or the lowest cost from the client? This step is not clear.

    For example:

    In the DNS servers of Scope Options from DHCP I have: DNS1.domainXX.com, DNS3.domainYY.com

    On the client (Win7.domainYY.com), the DNS servers used show: DNS2.domainYY.com, DNS1.domainXX.com

    Thanks

    Sunday, November 03, 2013 3:01 PM
  • If DHCP updates the first DNS server in option 006, what happens afterwards to the other DNS servers? Will they be updated by AD replication?
    Monday, November 04, 2013 4:36 AM
  • It depends on your DNS configuration. You should read how DNS works, I think. In brief, if each of your DNS servers is a domain member and holds the zone for your domain, then yes, they will be updated using AD replication. In case some of your DNS servers are not domain members, DNS replication will take place. But I strongly recommend you read some DNS whitepapers to get a good understanding of DNS.
    Monday, November 04, 2013 7:26 AM
  • OK, there is also DNS replication. I thought there was just AD replication.
    Wednesday, November 06, 2013 6:07 AM
  • 1. If "Enable dynamic update" is not checked, what happens to the DNS and PTR records?
    Will both be updated by the client, or will just the DNS record be updated by the client?

    2. When you said:
    "If set to DHCP, a Windows 2000 or newer machine will request DHCP to allow
    the machine itself to register its own A (forward entry) record, but DHCP will register its PTR
    (reverse entry) record."

    Do you mean that even if we check "Enable dynamic update", the client will register its own DNS record? If yes, why do we need to check that option then?
    Thursday, November 07, 2013 6:31 AM
  • 1. If unchecked (altering default functionality), it will not register.

    2. By default it's checked. And if it's a DHCP client, it will ask DHCP to register but the client will register its own PTR.

    -

    The default settings on all machines work fine. There is no reason to alter that. So I am not totally sure what you're trying to do?

    Can you elaborate? Are the default settings not acceptable for your organization? What are you trying to achieve? 


    Ace Fekay

    Friday, November 08, 2013 3:09 PM
  • Hi Ace you said:

    "2. By default it's checked. And if it's a DHCP client, it will ask DHCP to register but the client will register its own PTR."

    You mean the client will register its own A record, not PTR, right?

    Friday, November 08, 2013 9:33 PM
  • Hi Ace you said:

    "2. By default it's checked. And if it's a DHCP client, it will ask DHCP to register but the client will register its own PTR."

    You mean the client will register its own A record, not PTR, right?

    Noooo...

    By default, the client will ASK DHCP to register its A (host) record.

    But DHCP register its own PTR.

    And that's default.

    -

    I'm not sure how to state that or express that any clearer.

    -


    Ace Fekay


    Saturday, November 09, 2013 5:19 AM
  • Sorry I'm confused because you said this before:

    If set to DHCP, a Windows 2000 or newer machine will request DHCP to allow
    the machine itself to register its own A (forward entry) record, but DHCP will register its PTR
    (reverse entry) record.


    • Edited by SAMATA Saturday, November 09, 2013 6:09 AM
    Saturday, November 09, 2013 6:08 AM
  • My original statement, in the first post I made, is correct.

    Ace Fekay

    Saturday, November 09, 2013 2:16 PM
  • Are you sure this time? :-) I'm joking... thanks for confirming.
    Sunday, November 10, 2013 12:07 AM
  • Thanks everybody for your help and explanations!
    Sunday, November 10, 2013 12:10 AM
  • Are you sure this time? :-) I'm joking... thanks for confirming.

    Yes! LOL!

    For more information, besides my blog, you can refer to the links below:

    How to configure DNS dynamic updates in Windows Server 2003.
    http://support.microsoft.com/kb/816592

    Using DNS servers with DHCP (Contains information on the DnsUpdateProxy group
    and its usage)
    http://technet.microsoft.com/en-us/library/cc787034(WS.10).aspx


    Ace Fekay

    Sunday, November 10, 2013 6:19 PM