Split Scope DHCP causing multiple DNS entries?

    Question

  • Have two domain controllers running DHCP/DNS on them, both 2008 R2.

    Having issues with multiple hostnames pointing to the same IP in DNS. Looking at the reverse arpa zones, there are multiple entries in there as well. This is causing some very odd things to happen, like Kaspersky thinking that AV is not installed, when it is, because it thinks it's another PC.

    As I was deploying AV to a machine today, it also injects its own network driver (NDIS) into the stack. When this happened, I lost connection to the machine, and when it came back up, it had a totally new IP address that it got from DHCP server #2. Looking at DHCP leases under server #1, it still had the old one listed. So now there's two leases. I think the same thing happens in DNS as well; it ends up with two entries with the same hostname pointing to different IPs. Same thing in the ARPA zone.

    How do I set this up properly? This should work, right?

    Thanks

    Tuesday, March 13, 2012 8:46 PM
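The two symptoms in the question (several host names registered on one IP, and one host name registered on several IPs) can be pulled out of a zone dump before anything is changed. The script below is an added example and not part of this thread; it works on objects shaped like the output of `Get-DnsServerResourceRecord -RRType A` (`HostName`, `Timestamp`, `RecordData.IPv4Address`), so it runs offline on the constructed sample records, and the live call at the end assumes the DnsServer module (Windows Server 2012 or later, or RSAT) plus placeholder names `dc1` and `corp.example.com`.

```powershell
# Added example, not from the thread. Flags the two symptoms described in the question:
# several host names on one IP, and one host name on several IPs.
# Input: objects shaped like Get-DnsServerResourceRecord -RRType A output
# (HostName, Timestamp, RecordData.IPv4Address). The sample below is constructed data.

function Find-DuplicateARecords {
    param([Parameter(Mandatory)] [object[]] $Records)

    $findings = [System.Collections.Generic.List[object]]::new()

    # Symptom 1: one IP, several host names (the previous holder's record was never removed)
    foreach ($g in ($Records | Group-Object { $_.RecordData.IPv4Address.IPAddressToString })) {
        if ($g.Count -gt 1) {
            $findings.Add([pscustomobject]@{
                Kind   = 'SharedIP'
                Key    = $g.Name
                Values = ($g.Group.HostName | Sort-Object -Unique) -join ','
                # Timestamp is $null on static records; the oldest dynamic record is the scavenging candidate
                Oldest = ($g.Group | Where-Object Timestamp | Sort-Object Timestamp | Select-Object -First 1).Timestamp
            })
        }
    }

    # Symptom 2: one host name, several IPs (a second DHCP server handed out a new lease)
    foreach ($g in ($Records | Group-Object HostName)) {
        if ($g.Count -gt 1) {
            $findings.Add([pscustomobject]@{
                Kind   = 'MultiIP'
                Key    = $g.Name
                Values = ($g.Group | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString } | Sort-Object) -join ','
                Oldest = ($g.Group | Where-Object Timestamp | Sort-Object Timestamp | Select-Object -First 1).Timestamp
            })
        }
    }
    return $findings
}

# Constructed sample zone contents (not real data), shaped like the cmdlet output
function New-SampleA([string]$Name, [string]$Ip, $Stamp) {
    [pscustomobject]@{
        HostName   = $Name
        Timestamp  = $Stamp
        RecordData = [pscustomobject]@{ IPv4Address = [ipaddress]$Ip }
    }
}
$sample = @(
    (New-SampleA 'ws01'  '10.0.0.21' ([datetime]'2012-03-01'))   # stale: ws01 has moved on
    (New-SampleA 'ws02'  '10.0.0.21' ([datetime]'2012-03-13'))   # ws02 now holds 10.0.0.21
    (New-SampleA 'ws03'  '10.0.0.50' ([datetime]'2012-03-12'))   # lease from DHCP server 1
    (New-SampleA 'ws03'  '10.0.0.77' ([datetime]'2012-03-13'))   # new lease from DHCP server 2
    (New-SampleA 'srv01' '10.0.0.5'  $null)                       # static record, never scavenged
)

Find-DuplicateARecords -Records $sample | Format-Table -AutoSize

# Live use against a forward zone (placeholder names):
# Find-DuplicateARecords -Records (Get-DnsServerResourceRecord -ComputerName dc1 -ZoneName corp.example.com -RRType A) |
#     Format-Table -AutoSize
```

On the sample it reports ws01 and ws02 sharing 10.0.0.21 (oldest record from March 1) and ws03 on two addresses. On a real zone the apex `@` records that each domain controller registers will show up under MultiIP and are expected; the same grouping works on a reverse zone by keying on `RecordData.PtrDomainName` instead of the address. The `Oldest` column is what aging and scavenging act on: records with no timestamp are static and are never scavenged.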

All replies

  • That is actually a common side effect when DHCP hasn't been configured to use Credentials to update into DNS. On top of that, you would configure DHCP under the DNS tab to force register all machines. This way it has control of all DHCP registered records for all clients. You would configure the same credentials on both DHCP servers, so no matter which one enters it, it will be able to update it when an IP change occurs.

    The following has more details. Note: There are two options, either using Credentials or putting the DHCP servers in the DnsUpdateProxy group. However, in a split scope scenario, or if DHCP is on a DC, we would rather use credentials. If a DC, this group is actually a security concern, so for all practical purposes, whenever I set up DHCP, whether split scope or not, or if on a DC or not, I always use credentials.

    Also - I would recommend enabling scavenging. It's in the following blog, too.

    .

    DHCP Service Configuration, Dynamic DNS Updates, Scavenging, Static Entries, Timestamps, DnsUpdateProxy Group, DHCP Credentials, prevent duplicate DNS records, DHCP has a "pen" icon, and more...
    Published by Ace Fekay, MCT, MVP DS on Aug 20, 2009 at 10:36 AM
    http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx  

    .


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.



    • Edited by Ace Fekay [MCT]MVP Wednesday, March 14, 2012 12:11 AM - spelling
    • Marked as answer by Tiger Li Monday, March 19, 2012 7:28 AM
    Wednesday, March 14, 2012 12:09 AM
  • Ace,

    thanks for the reply. Can you be a little more specific regarding that article? It's very long and I want to make sure I'm incorporating the right sections. For example, what about option 81? Do I want to do that as well?

    And in the article, it mentions for 2008 you right click on the SCOPE and go to properties>advanced>credentials, but you actually get there by going to properties on the "IPV4" option, from what I can tell. Didn't see advanced>credentials on the scope.

    Is there a way to do this unsecurely? Obviously not recommended but just curious.

    On the "DNS" tab of "IPV4" I have it set to "enable dns dynamic updates" with "always dynamically update dns a and ptr records" set, also "discard A and PTR records when lease is deleted" is checked. Are you saying I should enable Name Protection as well?

    Will keep reading your article, but those questions jumped out at me. Thanks! 

    Wednesday, March 14, 2012 12:24 AM
  • Option 081 is actually the DNS tab in DHCP properties. That's where you set up DHCP to force register everything.

    Thanks, I'll correct that in my blog. In the screenshots (if you looked at them), I do have it showing to go to IPv4 properties, but I may have mistyped that in the text portion.

    .

    Not sure what you mean by unsecurely. Can you clarify?

    .

    Yes, enable Name protection, too. Here's more info on it:

    DHCP Step-by-Step Guide: Demonstrate DHCP Name Protection
    "Name squatting occurs when a non-Windows-based computer registers in Domain Name System (DNS) with a name that is already registered to a computer running a Windows® operating system. The use of Name Protection in the Windows Server® 2008 R2 operating system prevents name squatting by non-Windows-based computers. "
    http://technet.microsoft.com/en-us/library/ee404786(v=ws.10).aspx

    Configuring Name Protection
    http://technet.microsoft.com/en-us/library/dd759188.aspx

    .

    Let me know if you have any other questions.

    .


    Ace Fekay

    Wednesday, March 14, 2012 12:43 AM
  • Regarding unsecure/secure: I saw on the DNS Manager, under properties of the domain/zone, on the General tab, there is "Dynamic Updates" with Secure, Nonsecure and Secure, and None options. Anything to mess with there? It's currently set to Secure.

    On 2008 R2 when I enabled Name Protection, it greyed out all of the Option 81 tab stuff. That ok?

    Also, is a Split Scope created by the wizard okay in your opinion or should I set it up differently? I also just enabled a 1000ms delay for DHCP Server #2, hoping to have server 1 handle everything unless there's a problem.

    Wednesday, March 14, 2012 1:03 AM
  • Leave it as Secure only. That means a client must authenticate using Kerberos to register. Non-Windows clients (phones, unbound *nix, etc.) won't be able to, but using DHCP Credentials, DHCP can for the client.

    .

    If using 2008 R2, yes, you can use Name Protection in lieu of setting up the DNS tab settings, since it does the same thing, but adds an extra feature to avoid a non-registering client taking ownership of a record that another client owns, such as when someone else names a computer with the same name that already has a lease and DNS registration. It will give the duplicate named client an IP, but it won't register it.

    .

    Yea, the wizard works!

    .


    Ace Fekay

    Wednesday, March 14, 2012 2:03 AM
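The settings discussed across this thread (the same dedicated update credential on both split-scope DHCP servers, force registration including clients that don't send option 81, discarding A/PTR on lease deletion, Name Protection, Secure-only dynamic updates on the zones, and aging plus scavenging) can be applied and verified in one pass. The script below is an added example and is not from the thread or from Ace's blog. It assumes Windows Server 2012 or later, where the DhcpServer and DnsServer PowerShell modules exist (on 2008 R2 the same options are set in the DHCP and DNS consoles as the thread describes, with `netsh dhcp server set dnscredentials` available for the credential), AD-integrated zones for Secure-only updates, and placeholder server, zone and account names.

```powershell
# Added example, not from the thread or Ace's blog. Applies the thread's recommendations on
# both halves of a split scope and on the zones. Requires the DhcpServer and DnsServer
# modules (Windows Server 2012+); server, zone and account names are placeholders.

$dhcpServers = 'dc1.corp.example.com', 'dc2.corp.example.com'   # both split-scope DHCP servers
$dnsServer   = $dhcpServers[0]                                    # any DC hosting the AD-integrated zones
$zones       = 'corp.example.com', '0.0.10.in-addr.arpa'         # forward and reverse zones
$lease       = New-TimeSpan -Days 8                               # lease duration configured on the scope

# A plain domain user with no DNS or admin rights. Records it creates are owned by this
# account on both servers, which is what lets either server update or delete them later and
# avoids putting a DC into DnsUpdateProxy.
$cred = Get-Credential -UserName 'CORP\svc-dhcp-dns' -Message 'DHCP dynamic DNS update account'

foreach ($s in $dhcpServers) {
    # Identical credentials on both servers (DHCP console: IPv4 > Properties > Advanced > Credentials)
    Set-DhcpServerDnsCredential -ComputerName $s -Credential $cred

    # Server-level (IPv4) DNS tab. Applies to every scope unless a scope overrides it;
    # add -ScopeId to change a single scope instead.
    $dnsSetting = @{
        ComputerName               = $s
        DynamicUpdates             = 'Always'   # always register A and PTR, not only on client request
        UpdateDnsRRForOlderClients = $true      # register on behalf of clients that send no option 81
        DeleteDnsRROnLeaseExpiry   = $true      # discard A and PTR when the lease is deleted
        NameProtection             = $true      # DHCID check: a second host cannot overwrite the name
    }
    Set-DhcpServerv4DnsSetting @dnsSetting
}

# Zones: Secure-only updates (Kerberos-authenticated; non-Windows clients are covered by the
# DHCP credential above), then aging so dynamic records carry timestamps that can expire.
# No-refresh + refresh should cover the lease duration so a live client re-registers before
# its record becomes eligible for deletion.
$noRefresh = New-TimeSpan -Days 7
$refresh   = New-TimeSpan -Days 7
if (($noRefresh + $refresh) -lt $lease) { throw 'Aging window is shorter than the lease duration' }

foreach ($z in $zones) {
    Set-DnsServerPrimaryZone -ComputerName $dnsServer -Name $z -DynamicUpdate Secure
    Set-DnsServerZoneAging   -ComputerName $dnsServer -Name $z -Aging $true `
        -NoRefreshInterval $noRefresh -RefreshInterval $refresh
}

# Scavenging is enabled on ONE DNS server only; it deletes dynamic records whose timestamp
# is older than no-refresh + refresh. Static records (no timestamp) are never touched.
Set-DnsServerScavenging -ComputerName $dnsServer -ScavengingState $true `
    -ScavengingInterval (New-TimeSpan -Days 7)

# Verify: credential present on both servers, identical DNS settings, zones Secure with aging on
foreach ($s in $dhcpServers) {
    Get-DhcpServerDnsCredential -ComputerName $s
    Get-DhcpServerv4DnsSetting  -ComputerName $s
}
Get-DnsServerZoneAging -ComputerName $dnsServer -Name $zones
```

Two design points carry the security weight here. The update account is deliberately an unprivileged user rather than a member of DnsUpdateProxy or DnsAdmins: DHCP only needs to own the records it creates, and on a DC the proxy group would let anyone with DHCP's identity overwrite records the DC itself registers. Secure-only updates plus Name Protection mean a machine can neither register an arbitrary name anonymously nor reuse a name another client currently owns, which closes the overwrite path the thread calls name squatting.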
  • Also, looking at my blog, you said that I stated to right click the server properties to configure credentials? I have two screenshots, one for 2003 that says right click the servername to set credentials, and one for 2008/2008 R2 which says right click IPv4, choose properties.

    .

    Or are you talking about some other place in the blog?


    Ace Fekay

    Wednesday, March 14, 2012 2:06 AM
  • To add about it being grayed out, for Name Protection to work, the feature automatically sets the "force" registration, so it can assign the DHCPID to each lease so it can tell whether a dupe name from a non-Windows machine is attempting an overwrite.

    And why you may ask just for non-Windows with a duplicate name and not a Windows machine? Well, you can get away with dupe names with non-Windows. :-)

    .


    Ace Fekay

    • Marked as answer by Tiger Li Monday, March 19, 2012 7:28 AM
    Wednesday, March 14, 2012 2:36 AM
  • Ace,

    it's this part where you mention selecting the scope properties. "In the DHCP Console, in Windows 2003, select the DHCP server properties or in Windows 2008 and 2008 R2, select Scope properties, select the Advanced tab, click the Credentials button, and provide the account's credentials."

    One last question, I hope. If I set the Name Protection etc. at the IPV4 level, do I have to set it on all the scopes that already exist manually too? I notice each scope has the Name Protection option in its DNS tab as well.

    Wednesday, March 14, 2012 8:22 PM
  • Ace,

    it's this part where you mention selecting the scope properties. "In the DHCP Console, in Windows 2003, select the DHCP server properties or in Windows 2008 and 2008 R2, select Scope properties, select the Advanced tab, click the Credentials button, and provide the account's credentials."

    One last question, I hope. If I set the Name Protection etc. at the IPV4 level, do I have to set it on all the scopes that already exist manually too? I notice each scope has the Name Protection option in its DNS tab as well.

    Thank you for pointing that out. I wish more folks did this. :-)

    I corrected it, and actually to make it a little clearer, I bulleted the selections. Take a look and let me know if it makes more sense now.

    .

    Yes, if you have multiple IPv4 scopes, once set at the IPv4 level, it will apply to all IPv4 scopes. If you don't want it to apply to all scopes, you can selectively disable the setting under each scope, or don't enable it at the IPv4 level, and selectively enable it on a per scope basis.

    You can optionally select it on IPv6, too. No harm done, whether you have scopes or not.

    I added the above info, and a screenshot, showing this in my blog.

    .


    Ace Fekay

    • Marked as answer by Tiger Li Monday, March 19, 2012 7:28 AM
    Wednesday, March 14, 2012 11:00 PM