Need help with DHCP, DNS and VPN Configuration

  • Question

  • I have inaccurate entries in DNS and need to determine the best way to approach.

    Some configuration background: My DHCP server scope (192.168.x) is set to Always dynamically update DNS records, Discard A and PTR records when lease is deleted, and Dynamically update DNS for DHCP clients that do not request updates.

    NIC cards on the workstations are configured to "Register this connection's addresses in DNS". In addition, BIOS settings to disable wireless when wired have been set where possible.

    Sophos UTM assigns IP addresses in a different subnet (10.242.x) to the VPN clients.

    What I am observing:
    Desktops - DHCP and DNS entries match up.

    Laptops - If the BIOS setting doesn't disable the wireless and both wired and wireless connections are active, DHCP has 2 IPs, DNS has one (sometimes it is the wired and sometimes the wireless, not sure how it is determined).
    VPN - If the computer is company owned, then it will register the 10.242.x address in DNS when connected to the VPN; however, it doesn't update as expected. Someone was connected to the VPN yesterday, so DNS has a 10.242 address for that person; they are in the office today, DHCP is correct, but DNS didn't update, even though the machine appears to own the DNS record. In addition, someone else has the same DNS entry since they have since connected to the VPN and were given that address.

    If I uncheck the option to "register this connection in DNS" on the NIC properties, it appears that DHCP handles the registration (my standard user account owns the DNS record), but then the VPN connections don't get registered because DHCP doesn't know anything about them.

    Problems arise when I am trying to send remote commands, push out software etc.

    Is it best to have DHCP register with DNS, rather than having the machines register? If so, is there a way to uncheck that setting via a group policy? 

    My DHCP lease is currently 3 days, and scavenging is 1 day no refresh, 1 day refresh. I do not see a way to set the DHCP lease on the UTM for the VPN clients. I liked having the separate subnets so I could easily identify how people were connected. In addition, some of the remote workers are never in the office so they will never have an IP issued by the DHCP server.
    I have been through many articles and understand each configuration is different, but am wondering if anyone has a solution that has worked for them that may be helpful. Currently, it seems I have to check the UTM, DHCP and DNS to try to determine the real IP address of one of the laptops.

    In DNS, for the 192.168 scope, the owner is the Standard User account set up as the DNSUpdateProxy, but for the VPN clients, the owner is the client machine. I feel like I either need to 

    1) not use the DNSUpdateProxy and let all the clients register themselves so that if they go from 192.168 (DHCP) to the VPN pool, they will still be allowed to update the DNS record (not sure how to undo this) or

    2) uncheck the Register this connection in DNS on the client NIC adapter properties. I believe DHCP would still register if they were in the 192.168 scope, but they would not get registered if they were in the VPN pool. This may still cause problems because DNS would still have a 192.168 address for them while they would be in the 10.242 pool.

    Tuesday, February 5, 2019 6:23 PM

All replies

  • Hi,

    Thanks for posting in the forum.

    We recommend users configure DNS dynamic updates so they do not have to deal with the records manually.

    You can disable the feature by policy Computer Configuration / Policies / Administrative Templates / Network / DNS Client / Dynamic Updates.

    If you are in an AD environment and your DHCP server is a member of the DnsUpdateProxy group, it will update the records every time a DHCP lease is obtained or renewed successfully. When a client running Windows 2000 or later registers its record in DNS with the command ipconfig /registerdns, it will be the owner of the record and is able to update it.

    By the way, you may run the ipconfig command to see the real IP address of your device.

    For your reference:

    DNS Record Ownership and the DnsUpdateProxy Group

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd334715(v=ws.10)

    Regards,

    Zoe


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Wednesday, February 6, 2019 9:04 AM
  • Currently, if a laptop is connected in the office and gets an IP from the DHCP server, the DNSUpdateProxy Group standard user owns the record in DNS as recommended.  However, when they connect via VPN, the machine itself owns the record in DNS, which is what is causing the issues. 

    Given this situation, am I better off just allowing the machine to register DNS all the time (disable the DNSUpdateProxy Group)?  If so, what is the best way to "undo" this configuration?

    Wednesday, February 6, 2019 2:11 PM
  • Hi,

    Given this situation, there is no need to disable the DNSUpdateProxy Group, since the machine can be the owner of its record when you run the ipconfig /registerdns command. With this command you may also update the record of your device manually.

    I suggest you set no-refresh interval to a smaller value so the record is able to be updated.

    Regards,

    Zoe




    Thursday, February 7, 2019 9:07 AM
  • If I want the machine to be the owner of the records, why would I not disable the DNSUpdateProxy Group?  I have to manually delete all the DNS entries, run the ipconfig /registerdns on each machine.  If I just disable the DNSUpdateProxy, won't the machines register themselves?  The machine can't override the existing DNS entry owned by my standard user (DNSUpdateProxy) which is causing the issue.

    I don't see the advantage of the DNSUpdateProxy group in this situation and it seems that is what is causing the inaccurate DNS entries when people move from in the office to the VPN client.

    Thursday, February 7, 2019 2:15 PM
  • Hi,

    Thanks for your information.

    If you would like to disable DDNS and want the machine to be the owner of the records, please right click on IPv4 on the DHCP console, click on DNS tab and uncheck the following option.

    Please also remember to set no-refresh interval to a smaller value to make sure that the record can be updated.

    Regards,

    Zoe



    Monday, February 11, 2019 6:03 AM
  • Hi,


    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.


    Best Regards,

    Zoe



    Wednesday, February 13, 2019 7:54 AM
  • In the DNS tab of DHCP server, I have unchecked the "Enable DNS dynamic updates according to the settings below:", under advanced, I removed the DNS dynamic update registration credentials, the DHCP server is still a member of the DNSUpdateProxy group, but the "standard user" has been removed.

    I still get inconsistent results.  Looking in DNS, some of the entries are owned by the workstation computer account and some are now owned by the DHCP server computer account.  None are the standard user account (which is as expected). 

    So if users switch from VPN to the local network, the DNS still won't update properly, because the machine owns the record if on VPN but the DHCP server is the owner if local, and they can't update each other's record.

    What am I missing?  We only have 40 workstations.  I am unable to push out software and people can't RDP into workstations because the records aren't accurate.

    Wednesday, February 13, 2019 1:53 PM
  • Hi,

    Thanks for the update.

    Did you manually delete the previous entries? I did a lab test and the machine became the owner of the record when I connected to local network.

    Regards,

    Zoe



    Thursday, February 14, 2019 9:52 AM
  • Hi,


    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.


    Best Regards,

    Zoe



    Monday, February 18, 2019 1:43 AM
  • I manually deleted the entries in DNS.  However, some machines are the owner of the new DNS record, but I still have several where the DHCP Server Machine account is the owner.

    I have modified settings so many times; here is how they currently are:

    DHCP - DNS tab - nothing checked, Advanced tab - credentials empty

    DNS - AD Integrated, Dynamic Updates are Secure Only

    DNSUpdateProxy - The DHCP server itself is listed as member, but not the "standard user" account created for this role initially.

    If I remove the DHCP server account from the DNSUpdateProxy group and manually remove the DNS entries, will this allow for the machine to reregister with DNS and become the owner?

    Tuesday, February 19, 2019 2:46 PM
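The recurring problem in this thread is that the DNS A record, the DHCP lease and the AD owner of the record disagree, and the poster has to check the UTM, DHCP and DNS by hand to find a laptop's real address. Below is an added PowerShell audit (not from the thread or from Microsoft) that joins the 192.168.x scope's leases to the zone's A records and reports each record's owner, so records still owned by the DHCP server computer account or the old DNSUpdateProxy service user stand out. The zone name, DHCP server name, scope ID and the zone's distinguished name are placeholders; the DnsServer, DhcpServer and ActiveDirectory RSAT modules are assumed to be installed.

```powershell
# Added audit example (not from the thread). Placeholders: adjust for your environment.
$Zone       = 'corp.example'          # forward lookup zone (placeholder)
$DhcpServer = 'dhcp01.corp.example'   # DHCP server (placeholder)
$ScopeId    = '192.168.1.0'           # the 192.168.x office scope from the thread
$VpnPrefix  = '10.242.'               # Sophos UTM VPN pool from the thread
# DN of the AD-integrated zone container (placeholder; use ForestDnsZones if the zone lives there)
$ZoneDn     = "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example"

Import-Module DnsServer, DhcpServer, ActiveDirectory

# 1. Current DHCP leases in the office scope, keyed by short hostname
$leases = @{}
Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $ScopeId |
    Where-Object { $_.HostName } |
    ForEach-Object {
        $short = ($_.HostName -split '\.')[0].ToLower()
        $leases[$short] = $_.IPAddress.IPAddressToString
    }

# 2. Every A record in the zone, with the owner of its dnsNode object in AD
$report = foreach ($rr in Get-DnsServerResourceRecord -ZoneName $Zone -RRType A) {
    $name = $rr.HostName.ToLower()
    if ($name -in '@', '_msdcs') { continue }            # skip zone apex and special names
    $ip    = $rr.RecordData.IPv4Address.IPAddressToString
    $lease = $leases[$name]
    # Owner of the record object; this is who may overwrite it with Secure Only updates
    $owner = try { (Get-Acl -Path "AD:\DC=$name,$ZoneDn").Owner } catch { 'n/a' }

    $state = if ($lease -and $ip.StartsWith($VpnPrefix)) { 'STALE-VPN' }   # on-site per DHCP, VPN per DNS
             elseif ($lease -and $lease -ne $ip)          { 'MISMATCH'  }   # DHCP and DNS disagree
             elseif (-not $lease -and -not $ip.StartsWith($VpnPrefix)) { 'NO-LEASE' }  # office IP, no lease
             else                                          { 'OK' }

    [pscustomobject]@{
        Host = $name; DnsIP = $ip; DhcpLease = $lease
        Owner = $owner; State = $state; Timestamp = $rr.Timestamp   # Timestamp drives scavenging
    }
}

$report | Sort-Object State, Host | Format-Table -AutoSize
```

Records whose Owner is the DHCP server computer account or the former DNSUpdateProxy service user are the ones a workstation cannot overwrite under Secure Only updates; after deleting those and letting the client run ipconfig /registerdns, the Owner column should show the workstation's own computer account.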