DNS aging and DHCP lease

  • Question

  • Hi all,

I have an AD integrated DNS server. I need advice on how to set DNS aging/scavenging based on the DHCP lease time. I know how the process works. I found a couple of articles where it is written "DHCP lease duration should match the “no-refresh + refresh” interval."

Why should the DHCP lease be equal to the sum of the no-refresh and refresh intervals? From my point of view the DHCP lease time should be more than the DNS no-refresh interval (and less than no-refresh + refresh interval) so DNS clients are able to register a new DHCP assigned IP address in DNS within the refresh period, right?

Are there any "rules" that tell me the best setup of all these timers?

    Tomas

    Monday, February 16, 2015 10:22 AM

Answers

  • Hi all,

    Why should DHCP lease be equal to the sum of non-refresh and refresh interval? 

Because when the Non-refresh and Refresh intervals expire and the record is not updated it is considered inactive, as Ahmed said. My environment is based on (NonRef+Ref) = Lease and works correctly. Just do not try to scavenge records on AD Integrated zones if the DHCP lease is something like 2-3 days. You will end up in a confused state with a lot of false positives which are considered inactive but actually are not inactive!

Mahdi Tehrani | www.mahditehrani.ir
Please click on Propose As Answer or Vote as Helpful to mark this post as helpful for other people.
    This posting is provided AS-IS with no warranties, and confers no rights.

    • Proposed as answer by Susie Long Sunday, February 22, 2015 8:38 AM
    • Marked as answer by tomas.kukan Monday, February 23, 2015 8:50 AM
    Monday, February 16, 2015 2:30 PM

All replies

I believe that the recommendation comes from the fact that a DNS record is considered obsolete if the No Refresh and the Refresh periods were exceeded without updating the record. By making your DHCP lease period equal to the No Refresh and the Refresh periods, the DNS record is considered obsolete when its DHCP lease has expired without renewing its DNS registration.

    This is just a recommendation: I am managing an environment where DHCP leases are lower than the No-Refresh and Refresh periods with no problems. Of course, we have many DNS records that become obsolete after a long time while the client is no longer connected to the Network but this is not a problem for us.


This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK

    My Website Link

    My Linkedin Profile

    My MVP Profile

    • Proposed as answer by Mahdi Tehrani Monday, February 16, 2015 2:30 PM
    Monday, February 16, 2015 10:36 AM
I understand if the DHCP lease is lower than no-refresh + refresh interval. That makes sense.

    DHCP default lease time is 8 days and DNS default refresh and non-refresh interval is 7 days.

But if you need to change these intervals (for some reason), what's the best way? Is there any article from MS? Something like a best practice?

    Monday, February 16, 2015 10:50 AM
I understand if the DHCP lease is lower than no-refresh + refresh interval. That makes sense.

    DHCP default lease time is 8 days and DNS default refresh and non-refresh interval is 7 days.

But if you need to change these intervals (for some reason), what's the best way? Is there any article from MS? Something like a best practice?

    I do not see a best way. I tried multiple combinations but never had a problem. You just need to keep in mind what I already mentioned to avoid "confusions".

Ahmed MALEK

    Monday, February 16, 2015 10:51 AM
This recommendation helps to avoid registration of multiple client names with the same IP in DNS. When the DNS update is handled by the client, the DHCP server does not remove the client's DNS records when the lease expires. If the lease time is shorter than no-refresh + refresh period, then the lease may expire and a new client may receive the same IP before the old client's DNS records are removed by the scavenger. So you end up with two clients registered with the same IP address, which is OK for DNS, but may cause quite a few problems for other services (such as Kerberos).

    Basically, there are two ways to avoid this issue:

1. Adjust the lease time or record aging parameters and make sure that the lease does not expire before the record can be scavenged.

    2. Let DHCP server handle DNS updates on behalf of the client. This will grant DHCP server access to clients' DNS records and let it remove clients' records on lease expiration.


    Gleb.

    Monday, February 16, 2015 11:10 AM
This recommendation helps to avoid registration of multiple client names with the same IP in DNS. When the DNS update is handled by the client, the DHCP server does not remove the client's DNS records when the lease expires. If the lease time is shorter than no-refresh + refresh period, then the lease may expire and a new client may receive the same IP before the old client's DNS records are removed by the scavenger. So you end up with two clients registered with the same IP address, which is OK for DNS, but may cause quite a few problems for other services (such as Kerberos).

    Basically, there are two ways to avoid this issue:

1. Adjust the lease time or record aging parameters and make sure that the lease does not expire before the record can be scavenged.

    2. Let DHCP server handle DNS updates on behalf of the client. This will grant DHCP server access to clients' DNS records and let it remove clients' records on lease expiration.


    Gleb.

So the DHCP lease time should be greater than the sum of no-refresh + refresh interval?
    Monday, February 16, 2015 11:47 AM
Yes, the lease time should be greater than the sum of no-refresh + refresh interval in order to avoid multiple client registrations with the same IP. Personally I prefer the second option: configuring DHCP to update DNS.

In general, there is no single "best-practice value" for the refresh and no-refresh periods. The rule is that the client must be given enough time in the refresh period so that it can refresh the record before it becomes eligible for removal. Addresses are refreshed at startup and then once a day by default. DHCP clients start the renewal process at 50% of the lease time and refresh the record upon renewal.

Decide how long your DNS clients (static as well as dynamic IP) should be able to remain off-line (or off the corporate net) without losing their DNS records, then add a day or two: this is your refresh period. The no-refresh period is basically a filter that helps to avoid excessive replication caused by refreshes of DNS records (updates that do not change the IP). In the DHCP scenario, decreasing the no-refresh period will allow you to shorten the lease time, while giving both static and dynamic clients enough time to refresh the record.

    Gleb.


    • Edited by Gleb F.NG Monday, February 16, 2015 12:03 PM typo
    Monday, February 16, 2015 11:58 AM
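The two approaches Gleb describes (line the lease up with the aging timers, or let the DHCP server own the registrations and delete them at lease expiry) and the timer sanity checks from his last reply, as an added PowerShell example. This is not code from the original thread or from any of the posters. It assumes Windows Server 2012 R2 or later with the DnsServer and DhcpServer modules, an AD-integrated zone and an IPv4 scope; the zone name corp.example.com, the scope 10.10.0.0, the 8/4/4-day values and the credential are placeholders to replace.

```powershell
# Added example, not part of the original thread. Assumes the DnsServer and
# DhcpServer modules (Windows Server 2012 R2+); all names and values below are
# placeholders for your environment.
#Requires -Modules DnsServer, DhcpServer

$ZoneName  = 'corp.example.com'         # hypothetical AD-integrated zone
$ScopeId   = '10.10.0.0'                # hypothetical DHCP scope
$Lease     = New-TimeSpan -Days 8       # DHCP default
$NoRefresh = New-TimeSpan -Days 4       # chosen so NoRefresh + Refresh <= Lease
$Refresh   = New-TimeSpan -Days 4

function Test-AgingVsLease {
    # Check the rule from the thread: NoRefresh + Refresh must not exceed the
    # lease, otherwise an IP can be re-issued before the old record is
    # scavengeable. Clients refresh at boot and once a day, and renew the lease
    # at 50% of its duration, so the Refresh window must exceed one day.
    param([TimeSpan]$Lease, [TimeSpan]$NoRefresh, [TimeSpan]$Refresh)
    $sum = $NoRefresh + $Refresh
    [pscustomobject]@{
        Lease                    = $Lease
        NoRefreshPlusRefresh     = $sum
        LeaseCoversAging         = ($sum -le $Lease)
        RefreshAllowsDailyUpdate = ($Refresh -gt (New-TimeSpan -Days 1))
    }
}

function Set-AgingToMatchLease {
    # Option 1: set the scope lease and the zone aging intervals together and
    # refuse to apply a combination that violates the rule.
    param($ZoneName, $ScopeId, [TimeSpan]$Lease, [TimeSpan]$NoRefresh, [TimeSpan]$Refresh)
    $check = Test-AgingVsLease -Lease $Lease -NoRefresh $NoRefresh -Refresh $Refresh
    if (-not $check.LeaseCoversAging) {
        throw "NoRefresh+Refresh ($($check.NoRefreshPlusRefresh)) exceeds the lease ($Lease)"
    }
    if (-not $check.RefreshAllowsDailyUpdate) {
        throw "Refresh ($Refresh) is too short for clients that only refresh once a day"
    }
    Set-DhcpServerv4Scope -ScopeId $ScopeId -LeaseDuration $Lease
    # Aging is per zone; scavenging (the actual deletion) is enabled per server.
    Set-DnsServerZoneAging -Name $ZoneName -Aging $true `
        -NoRefreshInterval $NoRefresh -RefreshInterval $Refresh
    Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval (New-TimeSpan -Days 1)
}

function Enable-DhcpOwnedDnsUpdates {
    # Option 2: the DHCP server registers A/PTR records for every client under a
    # dedicated account and deletes them when the lease expires, so the record
    # never outlives the lease regardless of the aging timers.
    param($ScopeId, [pscredential]$DnsCredential)
    Set-DhcpServerDnsCredential -Credential $DnsCredential     # server-wide setting
    Set-DhcpServerv4DnsSetting -ScopeId $ScopeId -DynamicUpdates Always `
        -DeleteDnsRROnLeaseExpiry $true -UpdateDnsRRForOlderClients $true
}

function Get-ScavengeCandidate {
    # Dry run: dynamic A records whose timestamp is older than NoRefresh+Refresh
    # are what the next scavenging pass would delete. Static records carry no
    # timestamp and are skipped.
    param($ZoneName, [TimeSpan]$NoRefresh, [TimeSpan]$Refresh)
    $cutoff = (Get-Date).Subtract($NoRefresh + $Refresh)
    Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
        Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff }
}

function Find-DuplicateIpRecord {
    # The symptom Gleb warns about: several host names registered on one IP.
    param($ZoneName)
    Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
        Group-Object { $_.RecordData.IPv4Address.IPAddressToString } |
        Where-Object Count -gt 1 |
        ForEach-Object { [pscustomobject]@{ IP = $_.Name; Hosts = ($_.Group.HostName -join ', ') } }
}

# Usage: preview first, then apply option 1, or switch to option 2.
Test-AgingVsLease -Lease $Lease -NoRefresh $NoRefresh -Refresh $Refresh
Get-ScavengeCandidate -ZoneName $ZoneName -NoRefresh $NoRefresh -Refresh $Refresh
Find-DuplicateIpRecord -ZoneName $ZoneName
Set-AgingToMatchLease -ZoneName $ZoneName -ScopeId $ScopeId -Lease $Lease -NoRefresh $NoRefresh -Refresh $Refresh
# Enable-DhcpOwnedDnsUpdates -ScopeId $ScopeId -DnsCredential (Get-Credential 'CORP\svc-dhcp-dns')
```

Run Get-ScavengeCandidate and Find-DuplicateIpRecord before turning scavenging on; the first shows exactly which records the timers would remove (which is how you catch the false positives Mahdi mentions with short leases), the second shows whether the duplicate-IP condition already exists. For option 2, register the records under a dedicated low-privilege account given to Set-DhcpServerDnsCredential rather than relying on the DHCP server's computer account; with secure dynamic updates the account that creates a record owns it, and if the DHCP server runs on a domain controller the DnsUpdateProxy membership alone would let it overwrite records that belong to the DC.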
  • Now I'm confused. Take a look here. 

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/bb556cfb-3217-4dcf-af4f-460366faa1b8/best-practices-configuration-for-dns-server-on-windows-2008-r2-server-agingscavenging-etc?forum=winserverNIS

    Monday, February 16, 2015 12:04 PM
What's confusing there? It does state that "NoRefresh and Refresh combined should be equal to or less than the DHCP lease.", which means that the lease time should be equal to or greater than refresh+no-refresh. It's up to you what you choose to adjust - the lease time or the scavenging parameters.

    Gleb.

    Monday, February 16, 2015 12:09 PM
It also says "Make the No-refresh and Refresh each half the lease, so combined, they are equal or greater than the lease".

If the default values for the no-refresh and refresh intervals are 7 days and the default DHCP lease is 8 days, is this default configuration wrong? Refresh+no-refresh is 14 days and the DHCP lease is 8 days. This means refresh+no-refresh is greater than the DHCP lease.

    Maybe I missed something?

    Monday, February 16, 2015 1:10 PM