Dynamic DNS Registration Issue

  • Question

  • I recently started having a problem with DNS on my Server 2008 R2 Active Directory domain. The situation is that users with laptops that roam between different offices are no longer updating their DNS A or PTR records. Their DNS records simply stay the same as obtained at our primary office, where the Windows DHCP and 2 DNS servers reside. We only have two domain controllers, which are also DNS servers, at the primary location. This was not my decision, as I adopted this setup. 

    When the roaming users go to a branch office their DNS entry does not update with the new address. The branch offices are set up using local DHCP servers running on the firewall at the site and point the DNS to the Windows DNS servers at the primary office. 

    Manually running "ipconfig /registerdns" will update the forward A record as expected. I waited until both DNS servers at the primary site replicated the new entry. However, an hour later I check back and the DNS record has reverted back to the entry from the primary location. I am puzzled as to why the DNS record changes back when the machine/host did not register it, as it's at a different location on a different subnet.

    We do have a 3rd DNS server set up on the branch offices just in case the link to the primary site were to go down, so these offices can still browse the internet using the 3rd public DNS server. Removing the 3rd DNS server from the DHCP settings did not help.

    I noticed that the machines at the branch offices are not creating PTR records; however, when the laptops are at the primary office they do create it.  

    Any suggestions at this point would be greatly appreciated. 


    Wednesday, October 24, 2018 5:45 PM

All replies

  • Hello,

    On your main office, who is responsible for creating/updating the DNS record (is it the DHCP server or the client)?

    On your branch office, who is responsible for creating/updating the DNS record (is it the local appliance or the client)?

    Do you have aging/scavenging configured on the zone where your clients register DNS?

    Best Regards,

    Thursday, October 25, 2018 8:08 AM
  • Hi,

    Thanks for your question.

    According to your description, you described that "However an hour late I check back and the DNS record has reverted back to the entry from the primary location."

    You can configure eventsentry to get the audit of DNS server changes.

    https://www.eventsentry.com/blog/2017/11/auditing-dns-server-changes-on-windows-20082008r22012-with-eventsentry.html

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Please configure this and tell us "who" deletes the DNS record.

    Please feel free to let me know if you need any help.

    Best Regards,

    Eric


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, October 25, 2018 8:33 AM
  • Main office > DHCP is configured to update the DNS when clients obtain an address.

    Branch office > the client would be required to update the DNS, as the Fortigate firewalls won't update the records.

    Yes, Aging/Scavenging is enabled on the zones with 7 and 7. 

    Thursday, October 25, 2018 1:48 PM
  • OK, so you have 2 issues:

    • Owner of the record

    Since DHCP is configured to update DNS records, this computer is the owner of your record, so in order to allow your clients to update their DNS records you should configure it to update DNS records only if requested by the DHCP client.

    • No-refresh / Refresh

    Since you have this configuration, basically what it is saying is that for 7 days you won't allow your clients to update their DNS records. Normally at half of the lease period the DHCP client will try to renew the lease and at the same time try to refresh its DNS record (Windows clients will by default try to update their DNS record every 24 hours).

    So depending on your lease period and how often your users roam, you should adjust the No-refresh/Refresh interval.

    If for example a user is in the main office in the morning and in the branch office in the afternoon, you can define a no-refresh of 2 hours and a refresh of 6 hours and adjust the lease period to 8 hours, in order to release the IP he had in the main office and allow him to update his record when he is in the branch office.

    Below are articles regarding aging and scavenging:

    https://blogs.technet.microsoft.com/networking/2008/03/19/dont-be-afraid-of-dns-scavenging-just-be-patient/

    https://blogs.technet.microsoft.com/askpfe/2011/06/03/how-dns-scavenging-and-the-dhcp-lease-duration-relate/

    Best Regards,

    Thursday, October 25, 2018 2:28 PM
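    The checks and changes this reply describes (record owner, No-refresh/Refresh, lease duration, and whether the servers actually scavenge), as an added PowerShell example that is not part of the thread and not Microsoft's or the poster's own script. It assumes the DnsServer, DhcpServer and ActiveDirectory modules (Windows Server 2012 or later, or RSAT on a management host); the 2008 R2 servers in the thread would need the equivalent dnscmd and netsh dhcp commands instead. The zone, server names, scope ID and record name are placeholders.

```powershell
# Added example, not from the thread. Placeholder names below; adjust to the environment.
$Zone       = 'corp.example.com'       # placeholder: AD-integrated forward zone
$DnsServer  = 'dc1.corp.example.com'   # placeholder: one of the two DC/DNS servers
$DhcpServer = 'dc1.corp.example.com'   # placeholder: main-office DHCP server
$ScopeId    = '10.0.0.0'               # placeholder: the main-office scope
$Laptop     = 'laptop01'               # placeholder: a roaming client's host name

# 1. Record owner. When DHCP is set to 'Always', it registers on behalf of the
#    client, so the DHCP server's account ends up owning the record and the
#    client cannot overwrite it later from the branch office.
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer

# Owner of the record object in the DomainDnsZones partition (assumes the zone
# is stored there; $DomainDN is the forest/domain DN in LDAP form).
Import-Module ActiveDirectory
$DomainDN  = 'DC=corp,DC=example,DC=com'   # placeholder
$RecordDN  = "DC=$Laptop,DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN"
(Get-Acl -Path "AD:\$RecordDN").Owner

# Let clients register their own A records; DHCP only updates when the client
# asks (option 81), and removes records when the lease expires.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer `
    -DynamicUpdates OnClientRequest -DeleteDnsRROnLeaseExpiry $true

# 2. No-refresh / Refresh. With 7 days of No-refresh the zone rejects a
#    timestamp-only re-registration for 7 days after the last one.
Get-DnsServerZoneAging -Name $Zone -ComputerName $DnsServer

# Values from the reply's example: 2 h no-refresh, 6 h refresh, 8 h lease.
Set-DnsServerZoneAging -Name $Zone -ComputerName $DnsServer -Aging $true `
    -NoRefreshInterval (New-TimeSpan -Hours 2) `
    -RefreshInterval   (New-TimeSpan -Hours 6)

Set-DhcpServerv4Scope -ComputerName $DhcpServer -ScopeId $ScopeId `
    -LeaseDuration (New-TimeSpan -Hours 8)

# 3. Zone aging only stamps records; a server must also be enabled to scavenge.
#    ScavengingState $false here matches "neither server was enabled to scavenge".
Get-DnsServerScavenging -ComputerName $DnsServer
```

    The ACL lookup is the direct way to confirm the first point: if the owner is the DHCP server's computer account rather than the laptop's, the client's own update is refused even though ipconfig /registerdns appears to succeed against the zone. Leave scavenging itself off until the static records are sorted out, as the later reply in this thread does.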
  • After reading the articles and examining my setup, I had my zones configured with Aging/Scavenging but neither server was enabled to actually scavenge. 

    I'm not ready to actually enable scavenging at this point because of my current setup. Our entire primary office exists in one subnet: servers/PCs/equipment. To make matters worse, whoever set up the environment did not consider the importance of DHCP scopes and created a scope for the entire subnet. The admin responsible decided to use reservations for static IP addresses instead of properly configuring the scopes. Because of this, more than half of my static servers have active timestamps for DNS rather than static. So until I clean up the DHCP and DNS records I'm not ready to proceed. 

    I am just perplexed as to why my situation simply started a few months ago and not an issue from day 1. 

    Thursday, October 25, 2018 4:00 PM
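    A way to find the records the poster describes (servers that are really static but carry an aging timestamp because they were handed out via DHCP reservations), as an added PowerShell example that is not from the thread or from Microsoft. It treats "has a DHCP reservation" as the definition of a static host, which is an assumption for this particular setup, and assumes the DnsServer and DhcpServer modules (Server 2012 or later, or RSAT); zone, server names and scope ID are placeholders.

```powershell
# Added example, not from the thread. Placeholder names below.
$Zone       = 'corp.example.com'       # placeholder
$DnsServer  = 'dc1.corp.example.com'   # placeholder
$DhcpServer = 'dc1.corp.example.com'   # placeholder
$ScopeId    = '10.0.0.0'               # placeholder: the single main-office scope
$Apply      = $false                   # set to $true only after reviewing the list

# Reserved IPs are the closest thing to a static inventory in this environment.
$reserved = Get-DhcpServerv4Reservation -ComputerName $DhcpServer -ScopeId $ScopeId |
    ForEach-Object { $_.IPAddress.IPAddressToString }

# Timestamp is empty for static records; dynamic (aging) records carry the
# time of their last refresh. Keep only aging A records that point at a reserved IP.
$aged = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -RRType A |
    Where-Object {
        $_.Timestamp -and
        ($reserved -contains $_.RecordData.IPv4Address.IPAddressToString)
    }

$aged |
    Select-Object HostName,
                  @{ Name = 'IPv4'; Expression = { $_.RecordData.IPv4Address } },
                  Timestamp |
    Sort-Object HostName |
    Format-Table -AutoSize

# Once reviewed, clear aging on those nodes so a future scavenging run leaves
# them alone; records without a timestamp are never scavenged.
if ($Apply) {
    foreach ($rec in $aged) {
        Set-DnsServerResourceRecordAging -ComputerName $DnsServer -ZoneName $Zone `
            -NodeName $rec.HostName -Aging $false -Force
    }
}
```

    Run it once with $Apply left at $false and check the list against what is actually a server; anything genuinely static should also get a proper static address outside the scope (or an exclusion range) so the same problem does not come back the next time the host renews.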
  • Maybe you had the issue before but it was not visible.

    Normally you start to see these issues when the Help Desk tries to connect to a computer but connects to the wrong one, or when you try to print and the printer does a reverse lookup and you don't get your printout, etc.

    Best Regards,

    Friday, October 26, 2018 6:23 AM
  • Hi,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Eric


    Friday, October 26, 2018 8:23 AM