DHCP Dynamic DNS and Scavenging

  • Question

  • Hi There,

    We have 20 DHCP servers in our environment running on Windows 2012 R2 with Dynamic DNS update enabled. Currently clients initiate the registration of their DNS records based on their FQDN. I want to change this to DHCP, so DHCP servers will take the responsibility of managing and updating clients' A records with the DNS server in future. At present scavenging is set to 7 days (3 days non-refresh + 2 days refresh). We have the following DHCP scopes on each DHCP server.

    Scope 1 (Wired PCs) - Lease duration 8 days 

    Scope 2 (Wifi Managed Clients) - Lease duration 4 days

    Scope 3 (Wifi Guest devices) - Lease duration 8 Hours

    Question1:

    I want to add one more scope for Printers with lease duration of 180 days, and want the printer DNS A records to be managed by DHCP. 

    Considering the current scavenging period, and that all clients in scope 1, 2 and 4 register their A record in the same forward lookup zone, what happens to the printer DNS record when DNS scavenging runs on the 7th day? Does it delete the printer A record although I have a valid 170+ days left for the lease to expire in DHCP?

    Question 2:

    What are the changes that I need to make in a Windows 2012 R2 environment for DHCP to take care of client DNS A and PTR record registration?

    Question 3:

    What are the pros and cons of enabling DDNS update with DHCP in this scenario with multiple scopes with different lease durations?

    I request your answer and suggestion, kindly do not just paste a reference URL to a blog.

    Thanks

    Mahi



    • Edited by mahi Blr Wednesday, July 12, 2017 1:23 PM
    Wednesday, July 12, 2017 1:13 PM

All replies

  • Question 1:

    I want to add one more scope for Printers with lease duration of 180 days, and want the printer DNS A records to be managed by DHCP. 

    Considering the current scavenging period, and that all clients in scope 1, 2 and 4 register their A record in the same forward lookup zone, what happens to the printer DNS record when DNS scavenging runs on the 7th day? Does it delete the printer A record although I have a valid 170+ days left for the lease to expire in DHCP?

    Well, in your current environment, are the printers able to create their own DNS A record, or is it a static record?

    A static record means that DNS scavenging will never scavenge those records.
    Dynamic records mean that scavenging will remove obsolete records based on the aging / scavenging settings.

    Question 2:

    What are the changes that I need to make in a Windows 2012 R2 environment for DHCP to take care of client DNS A and PTR record registration?

    In the DHCP management console, in the properties of the IPv4 in the DNS tab, be sure to have these settings:

    - Enable DNS dynamic update DNS records only if requested by the DHCP clients (Check box)
    - Always dynamically update DNS records (radio button)
    - Discard A and PTR records when lease is deleted (check box)
    - Dynamically update DNS records for DHCP clients that do not request updates (radio button)

    Question 3:

    What are the pros and cons of enabling DDNS update with DHCP in this scenario with multiple scopes with different lease durations?

    I would say it depends on your environment. Let's say you have an office where lots of people travel to, but for 1 or 2 days max. In that case, you don't want to have an 8 or 16 day DHCP lease, otherwise you may run out of IP addresses for that site.

    In other cases, some network admins like to have different IP scopes for printers / Wi-Fi / servers and many other things. Printers and servers may not change their IP address frequently, but the Wi-Fi network may change each day or more than once per day.

    So i would say... it depends ;)

    hth


    This posting is provided AS IS without warranty of any kind

    Thursday, July 13, 2017 2:03 AM
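The four DNS-tab settings listed in the answer above can be applied and verified with the DhcpServer PowerShell module that ships with Windows Server 2012 R2. This is an added example, not code from the thread; the server name, scope ID, zone name and printer host-name pattern are assumptions.

```powershell
# Added example (not from the thread). Server name, scope ID, zone and
# host-name pattern are assumptions; substitute your own values.
$dhcpServer   = 'DHCP01'         # assumed DHCP server name
$printerScope = '10.50.0.0'      # assumed scope ID of the new printer scope
$zone         = 'corp.example'   # assumed AD-integrated forward lookup zone

# Server-wide (IPv4 properties > DNS tab). Mapping to the GUI wording:
#   -DynamicUpdates Always             "Always dynamically update DNS records"
#   -DeleteDnsRROnLeaseExpiry $true    "Discard A and PTR records when lease is deleted"
#   -UpdateDnsRRForOlderClients $true  "Dynamically update DNS records for DHCP
#                                       clients that do not request updates"
Set-DhcpServerv4DnsSetting -ComputerName $dhcpServer `
    -DynamicUpdates Always `
    -DeleteDnsRROnLeaseExpiry $true `
    -UpdateDnsRRForOlderClients $true

# Scope-level settings override the server-wide ones, so set the printer
# scope explicitly as well; otherwise a later change at server level could
# leave that scope with different behaviour than you expect.
Set-DhcpServerv4DnsSetting -ComputerName $dhcpServer -ScopeId $printerScope `
    -DynamicUpdates Always `
    -DeleteDnsRROnLeaseExpiry $true `
    -UpdateDnsRRForOlderClients $true

# Verify what is in effect at both levels.
Get-DhcpServerv4DnsSetting -ComputerName $dhcpServer
Get-DhcpServerv4DnsSetting -ComputerName $dhcpServer -ScopeId $printerScope

# Question 1 check: a dynamic record carries a Timestamp that DHCP refreshes
# on each renewal; a static record has no Timestamp and is never scavenged.
# List the printer records (assumed host-name prefix 'PRN') with their stamps.
Get-DnsServerResourceRecord -ZoneName $zone -RRType A |
    Where-Object { $_.HostName -like 'PRN*' } |
    Select-Object HostName, Timestamp,
        @{ Name = 'IP'; Expression = { $_.RecordData.IPv4Address } }
```

Run the DNS query on a DNS server (or with the DnsServer RSAT module); a printer record whose Timestamp is older than no-refresh + refresh is the one scavenging will remove.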
  • Thanks for your answers Cthivierge!

    Regarding the question, is it required to make all DHCP servers members of the 'Active Directory DNS proxy' group and have a service account with permission to create A records?


    Mahi

    Thursday, July 13, 2017 7:10 AM
  • This article gives you more information...

    https://technet.microsoft.com/en-us/library/dd334715(v=ws.10).aspx

    The DNS server can end up with stale resource records when a DHCP server is configured to dynamically register host (A) and pointer (PTR) resource records on behalf of DHCP clients using dynamic update. The following example sequence shows how this can happen:

        • A Windows Server 2008 DHCP server performs a dynamic update on behalf of a DHCP client.
        • The DHCP server creates the client’s DNS name and becomes the owner of that name.
        • Now only the DHCP server itself can update the DNS records for the client’s name.
        • The original server fails and a second backup DHCP server comes online; now the second server cannot update the client name because it is not the name’s owner.

    To solve this problem, you can use a built-in security group called DnsUpdateProxy. However, to protect against unsecured records or to permit members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you must create a dedicated user account and configure DHCP servers to perform DNS dynamic updates with the credentials of this account (user name, password, and domain). Multiple DHCP servers can use the credentials of one dedicated user account.

    You must create a dedicated user account and configure the DHCP servers with its credentials under the following circumstances:

    • The DHCP server is configured to perform DNS dynamic updates on behalf of DHCP clients.
    • A domain controller is configured to function as a DHCP server. Without the dedicated user account, secure updates will not work.
    • The DNS zones to be updated by the DHCP server are configured to allow only secure dynamic updates.

    Use of the DnsUpdateProxy group offers the following advantages and disadvantages:

    Advantages

    The advantages of using the DnsUpdateProxy group include:

    • Secure DNS updates can work with multiple DHCP servers: If all DHCP servers are added as members of the DnsUpdateProxy group, then the records of a server that fails can be updated by another server.
    • Upgraded clients can update their own records: The first user who is not a member of the DnsUpdateProxy group to modify the set of records that is associated with a DNS name becomes its owner, so when earlier version clients are upgraded they can take ownership of their name records at the DNS server.

    Disadvantages

    The disadvantage of using the DnsUpdateProxy group is that it requires a dedicated user account for security. DNS domain names that are registered by the DHCP server are not secure by default when the DHCP server is a member of the DnsUpdateProxy group. To use this group in an Active Directory-integrated zone that allows only secure dynamic updates, you should create a DNS dynamic updates registration user account. When you specify credentials on the DHCP server, DNS records will be secure.

    If the DHCP server is collocated on a domain controller, secure dynamic updates might fail if credentials are not configured.


    This posting is provided AS IS without warranty of any kind

    Thursday, July 13, 2017 6:52 PM
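The DnsUpdateProxy membership and dedicated update account described in the quoted article can be rolled out to all DHCP servers from one admin workstation. This is an added example, not code from the article or the thread; the server names and the service account name are assumptions.

```powershell
# Added example (not from the article or thread). Server names and the
# service account are assumptions; the account should be an ordinary
# domain user with no extra rights, as the article recommends.
Import-Module ActiveDirectory, DhcpServer

$dhcpServers   = 'DHCP01', 'DHCP02'   # assumed; extend to all 20 servers
$updateAccount = 'CORP\svc-dhcp-dns'  # assumed dedicated update account
$cred = Get-Credential -UserName $updateAccount `
                       -Message 'Password of the DHCP DNS update account'

# 1. Group membership. Get-ADComputer resolves each host to its computer
#    object so the right SAM account name (with trailing $) is added.
Add-ADGroupMember -Identity 'DnsUpdateProxy' `
    -Members ($dhcpServers | ForEach-Object { Get-ADComputer -Identity $_ })

# 2. Credentials. Setting the same account on every DHCP server means all
#    records it registers are owned by one principal, so a second server can
#    refresh or delete records a failed server created, and the records stay
#    secure in a zone that allows only secure dynamic updates.
foreach ($server in $dhcpServers) {
    Set-DhcpServerDnsCredential -ComputerName $server -Credential $cred
}

# 3. Audit: confirm membership and that every server has a credential set.
Get-ADGroupMember -Identity 'DnsUpdateProxy' |
    Select-Object Name, objectClass
foreach ($server in $dhcpServers) {
    $c = Get-DhcpServerDnsCredential -ComputerName $server
    if ($c.UserName) {
        '{0}: {1}\{2}' -f $server, $c.DomainName, $c.UserName
    } else {
        '{0}: NO CREDENTIAL SET' -f $server
    }
}
```

Restart the DHCP Server service on each host after step 2 so the new credential is used for subsequent registrations.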
  • Also, how do I make the DHCP server register DNS records in the respective domain's DNS servers when I have clients coming from 2 different domains?

    Mahi

    Monday, July 17, 2017 3:17 PM