Replacement Machines - DNS Record not updating

  • Question

  • Hello Everyone,

    Consider the following situation:

    1. Machine named 'Desktop01' is going to be replaced
    2. Machine is imaged and called 'DesktopNew'
    3. Machine 'Desktop01' is removed from the network and deleted from Active Directory
    4. Machine 'DesktopNew' is put in its place and re-named 'Desktop01'
    5. Machine gets an IP and appears to function normally but the DNS record does not update.  After deleting the record, doing a FlushDNS and RegisterDNS, machine appears to be fine going forward

    I never had to do these steps in the past in other environments.  Anything I could be missing?

    Thanks!

    Tuesday, November 14, 2017 11:15 PM

Answers


  • Hi Petrucci914,

    >>Is the recommendation to add the DHCP Servers to 'DnsUpdateProxy?'

    It's a good idea to use DnsUpdateProxy security group. 

    When you have enabled dynamic updates, what that means in practice is the following:

    - The host will register its own A (host) record, which is logical because the host owns its name and should own its host record.
    - The DHCP server will register the PTR (reverse-lookup) record, which is logical because the DHCP server owns the IP address.

    This means the DHCP server computer account will own certain records in DNS, such as the PTR records and even some A records for older hosts. This can cause the following two problems:

    - If you have multiple DHCP servers—even in a cluster—and perhaps your primary DHCP server fails and you have to move the scope to a second DHCP server, that second DHCP server wouldn't have rights to change the DNS records created by the primary DHCP server, which is a problem.

    - If you did have NT 4.0 hosts that are now upgraded to a newer operating system, those newer operating systems wouldn't have permission to update the host records that were previously registered on their behalf by the DHCP server.

    For this reason, DHCP servers could be added to a group called DnsUpdateProxy. When a DHCP server is added to the DnsUpdateProxy group, its records aren't secured, meaning that other DHCP servers can update the records. In addition, hosts can change the records and then become the owner of the record. (The first update to a record that isn't a member of DnsUpdateProxy becomes the owner.) This is very dangerous if a DHCP server is also a domain controller because it means that all the Active Directory records for that domain controller are written with no security and can therefore be overwritten by other hosts.

    There's a better solution, however, which also solves the issue of DHCP running on a domain controller. This solution is to specify credentials for the DNS dynamic update, which is set on the Advanced tab's IPv4 properties.

    As Ace Fekay said, you still need to configure Credentials and add the server to the DnsUpdateProxy group.

    https://blogs.msmvps.com/acefekay/2016/08/13/dynamic-dns-updates-how-to-get-it-to-work-with-dhcp-scavenging-static-entries-their-timestamps-the-dnsupdateproxy-group-and-dhcp-name-protection/

    Best Regards,

    Candy



    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Petrucci914 Tuesday, November 21, 2017 1:18 PM
    Tuesday, November 21, 2017 2:44 AM
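    The ownership problem this answer describes can be checked rather than guessed at. The following PowerShell is an added example, not code from the thread or from the linked blog: it lists each DHCP server's dynamic update mode, the update credential it uses and whether its computer account is in DnsUpdateProxy, then reads the owner of every A record's dnsNode object and flags the records a DHCP server's computer account owns. Zone 'corp.example', DNS server 'DC01', DHCP servers 'DHCP01'/'DHCP02' and the DomainDnsZones partition are placeholder assumptions; it needs the ActiveDirectory, DnsServer and DhcpServer modules (RSAT).

```powershell
# Added example (not from the thread): audit how the DHCP servers register records and
# who owns the A records in a "Secure only" AD-integrated zone.
# Placeholders to adjust: zone/domain 'corp.example', DNS server 'DC01',
# DHCP servers 'DHCP01' and 'DHCP02', zone stored in the DomainDnsZones partition.
Import-Module ActiveDirectory, DnsServer, DhcpServer

$Zone        = 'corp.example'
$DnsServer   = 'DC01'
$DhcpServers = 'DHCP01', 'DHCP02'
$DomainDN    = (Get-ADDomain).DistinguishedName

# 1. Per-DHCP-server registration policy: update mode, credential used for updates,
#    and whether the server's computer account is a member of DnsUpdateProxy.
$proxyMembers = @(Get-ADGroupMember -Identity 'DnsUpdateProxy' -Recursive).SamAccountName
$dhcpReport = foreach ($s in $DhcpServers) {
    $dnsSetting = Get-DhcpServerv4DnsSetting -ComputerName $s
    $cred       = Get-DhcpServerDnsCredential -ComputerName $s
    [pscustomobject]@{
        DhcpServer       = $s
        DynamicUpdates   = $dnsSetting.DynamicUpdates        # Always / OnClientRequest / Never
        NameProtection   = $dnsSetting.NameProtection
        DeleteOnExpiry   = $dnsSetting.DeleteDnsRROnLeaseExpiry
        UpdateCredential = if ($cred.UserName) { "$($cred.DomainName)\$($cred.UserName)" } else { '<none>' }
        InDnsUpdateProxy = $proxyMembers -contains "$s`$"     # computer accounts end in $
    }
}
$dhcpReport | Format-Table -AutoSize

# 2. Owner of each A record. Under "Secure only" the owner (or an explicitly granted
#    principal) is the only one that can refresh the record, so a record owned by a DHCP
#    server's computer account cannot be updated by the host itself.
$ownerReport = foreach ($rr in Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -RRType A) {
    if ($rr.HostName -eq '@') { continue }                  # skip the zone apex
    $nodeDN = "DC=$($rr.HostName),DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN"
    $owner  = try {
        (Get-ADObject -Identity $nodeDN -Properties nTSecurityDescriptor).nTSecurityDescriptor.Owner
    } catch { '<dnsNode not found in DomainDnsZones>' }
    [pscustomobject]@{
        Host      = $rr.HostName
        IPv4      = $rr.RecordData.IPv4Address.IPAddressToString
        Owner     = $owner
        Timestamp = $rr.Timestamp                            # $null means a static record
    }
}

# Records a DHCP server's computer account owns: the host cannot refresh them, and a
# second DHCP server cannot take them over unless it shares the update credential or is
# in DnsUpdateProxy (which also means those records are written without security).
$dhcpAccounts = $DhcpServers | ForEach-Object { "$_`$" }
$ownerReport |
    Where-Object { $dhcpAccounts -contains ($_.Owner -split '\\')[-1] } |
    Format-Table -AutoSize
```

    Run it from a management host with RSAT as a user that can read the zone objects. If the second table is empty while the DHCP servers use a dedicated update credential, the records are owned by that credential's account and both DHCP servers can refresh them; if the second table lists hosts, those are exactly the machines whose own re-registration under "Secure only" will be refused until the record is deleted or re-owned, which is the symptom in the question.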

All replies

  • Hi,

    When you rename a computer that is a member of an Active Directory domain, the computer will attempt to re-register itself in DNS, and remove the old DNS entry.
    Are you using nslookup? If so, you might be seeing cached results.
    Does nslookup yourServer actually resolve? If so, you will find that ipconfig /flushdns (or a little patience) is all that you need to clear the old name from your DNS queries.

    If you didn't enable dynamic updates on your DNS server, you will need to update the DNS records manually by deleting the out-of-date DNS A record.

    Best Regards,

    Candy



    Wednesday, November 15, 2017 7:02 AM
  • Thanks!

    In this situation I would get the IP of the new re-named machine, verify it shows correctly in DHCP, and then look in DNS and that record does not match the IP.

    We do have Dynamic Updates enabled on that Forward Lookup Zone.  It is currently set to 'Secure Only'

    Let me know your thoughts.

    Thanks again.

    Wednesday, November 15, 2017 2:44 PM
  • Hi Petrucci914,

    If you choose "Dynamically update DNS records only if requested by the DHCP clients", they will automatically register in DNS and will update themselves on a regular basis.

    According to that blog post, "Windows clients will attempt to dynamically update DNS every 24 hours."

    https://blogs.technet.microsoft.com/networking/2008/03/19/dont-be-afraid-of-dns-scavenging-just-be-patient/


    If you choose “always dynamically update DNS records”, you still need to configure Credentials and add the server to the DnsUpdateProxy group.

    There is a checklist for you:

    1 You should ONLY use the internal DNS servers on all machines. Any ISP's addresses will cause it to fail
    2 If any of the DCs are multihomed (multiple NICs, multiple IPs, and/or RRAS installed), it will more than likely fail, as well as cause other significant problems
    3 The Primary DNS Suffix MUST match the zone name in DNS
    4 The zone in DNS MUST be allowed updates
    5 If the zone updates are set to Secure Only, the machines MUST be joined to work; otherwise, the DHCP server must be configured with Credentials or the DHCP server object must be added to the DnsProxyUpdate group
    6 The AD DNS zone name cannot be a single label name ("DOMAIN" = bad, "domain.com" = good)

    For your reference:

    https://blogs.msmvps.com/acefekay/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group/

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,

    Candy




    Thursday, November 16, 2017 9:04 AM
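    The checklist above can be verified mechanically. The PowerShell below is an added example, not code from the thread or from the linked blog: run on a domain-joined client with RSAT, it walks items 1 to 6 (resolvers all point at DCs, DCs have a single A record, primary DNS suffix equals the zone, zone accepts updates and in which mode, client is domain-joined, zone name is not single-label) and then queries the DC directly to compare the client's own A record with its local address, which is the symptom from the question. Zone 'corp.example' and DNS server 'DC01' are placeholder assumptions.

```powershell
# Added example (not from the thread): check the items in this checklist from a
# domain-joined client, plus the zone settings on the DNS server.
# Placeholders to adjust: zone/domain 'corp.example', DNS server 'DC01'.
Import-Module ActiveDirectory, DnsServer, DnsClient

$Zone      = 'corp.example'
$DnsServer = 'DC01'
$results   = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Item, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Item = $Item; Pass = $Pass; Detail = $Detail })
}

# 1. Only internal DNS servers: every resolver configured on any adapter must be a DC.
$dcs         = Get-ADDomainController -Filter *
$dcAddresses = $dcs.IPv4Address
$configured  = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | Select-Object -Unique
$external    = @($configured | Where-Object { $_ -notin $dcAddresses })
Add-Check 'Only internal DNS servers' ($external.Count -eq 0) "configured: $($configured -join ', '); external: $($external -join ', ')"

# 2. Multihomed DCs: more than one A record for a DC is the warning sign.
foreach ($dc in $dcs) {
    $a = @(Resolve-DnsName -Name $dc.HostName -Type A -Server $DnsServer -ErrorAction SilentlyContinue |
           Where-Object QueryType -eq 'A').IPAddress
    Add-Check "DC $($dc.HostName) single-homed" ($a.Count -le 1) "A records: $($a -join ', ')"
}

# 3. Primary DNS suffix must match the zone (this is the suffix the client registers under).
$suffix = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').Domain
Add-Check 'Primary DNS suffix matches zone' ($suffix -eq $Zone) "suffix: '$suffix'"

# 4. The zone must accept dynamic updates at all (None / NonsecureAndSecure / Secure).
$zoneInfo = Get-DnsServerZone -ComputerName $DnsServer -Name $Zone
Add-Check 'Zone accepts dynamic updates' ($zoneInfo.DynamicUpdate -ne 'None') "DynamicUpdate: $($zoneInfo.DynamicUpdate)"

# 5. Under "Secure" updates the client must be domain-joined to update its own record.
$cs = Get-CimInstance Win32_ComputerSystem
Add-Check 'Client is domain-joined' $cs.PartOfDomain "domain: $($cs.Domain); zone update mode: $($zoneInfo.DynamicUpdate)"

# 6. The zone name must not be single-label.
Add-Check 'Zone name is not single-label' ($Zone -match '\.') "zone: $Zone"

# The symptom from the question: does the record the DC holds for this host match the
# address the host actually has? Asking the DC directly avoids the local resolver cache.
$localIPs = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -ne '127.0.0.1' }).IPAddress
$recorded = @(Resolve-DnsName -Name "$env:COMPUTERNAME.$Zone" -Type A -Server $DnsServer -ErrorAction SilentlyContinue |
              Where-Object QueryType -eq 'A').IPAddress
$matches  = @($recorded | Where-Object { $_ -in $localIPs })
Add-Check 'Own A record matches a local address' ($matches.Count -gt 0) "record: $($recorded -join ', '); local: $($localIPs -join ', ')"

$results | Format-Table -AutoSize
```

    A failing last row with every other row passing is the pattern from the question: the environment is configured correctly, but this particular record is stale or owned by someone other than the host, so the host's "Secure only" update is refused rather than failing to be sent.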
  • Thanks.  I will look over those settings.  See the attached settings for what we currently have.  We are not using the DnsUpdateProxy but we are using the DHCP Credentials.

    I reached out to Microsoft as part of an older DFS case we had and they said we should un-join the machines from the Domain first instead of just deleting it from AD.  This didn't sound correct to me....


    Thursday, November 16, 2017 4:48 PM
  • Hi,

    Thanks for your update.

    When you choose "Dynamically update DNS records only if requested by the DHCP clients", they will automatically register in DNS and will update themselves on a regular basis.

    As I said before, when you rename a computer that is a member of an Active Directory domain, the computer will attempt to re-register itself in DNS, and remove the old DNS entry.

    You might be seeing cached results if you use nslookup at that time.

    It will take some time to clear the old name from your DNS queries. Did you wait for a period of time?

    >> After deleting the record, doing a FlushDNS and RegisterDNS, machine appears to be fine going forward

    If you did not wait for a period of time, you could manually register DNS record as you did.

    >>I reached out to Microsoft as part of an older DFS case we had and they said we should un-join the machines from the Domain first instead of just deleting it from AD.

    It seems not related to un-joining the machines from the domain, since there is no conflict in your environment.

    Best Regards,

    Candy



    Friday, November 17, 2017 2:44 AM
  • Hi Petrucci914,

    Just to check whether the above reply could be of help; if yes, you may mark the useful reply as answer. If you have other concerns, feel free to give feedback.

    Best Regards,

    Candy



    Monday, November 20, 2017 9:31 AM
  • Thanks.

    I did find out that 'Scavenging' wasn't even enabled - only Aging was.  So I configured that and will see going forward.

    Is the recommendation to add the DHCP Servers to 'DnsUpdateProxy?'

    Monday, November 20, 2017 4:25 PM

  • Hello,

    I did as I discussed above and today I had issues with several machines not processing Group Policy and accessing Network Resources without doing a reboot or two.  This seems to be in a specific area right now, but until I get to the bottom of it, I disabled 'Scavenging' just in case.  The follow-up question I would have is:

    If I'm allowing DHCP to already Register Dynamic DNS Records, I have Dynamic Update Registration Credentials entered, and I have our two stand-alone DHCP servers part of the 'DnsUpdateProxy' group, do I need to do ANYTHING regarding Aging/Scavenging?  Basically, is it one or the other?  If I fully configure Scavenging in this scenario, can there be adverse effects?

    Thanks!

    Tuesday, November 28, 2017 11:10 PM
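    Two posts above mention that aging was on while scavenging was not, and this one asks whether scavenging adds risk on top of DHCP registration. The PowerShell below is an added example, not code from the thread: it reads the per-zone aging settings and the per-server scavenging state side by side, computes which A records are already past NoRefresh + Refresh (the ones scavenging would delete once turned on), and cross-checks those against active DHCP leases so a record that looks stale for a host that still holds a lease stands out as a registration failure rather than a dead host. Zone 'corp.example', DNS server 'DC01', DHCP server 'DHCP01' and scope 10.0.1.0 are placeholder assumptions.

```powershell
# Added example (not from the thread): compare zone aging with server scavenging and
# preview which A records scavenging would remove, before enabling it.
# Placeholders to adjust: zone 'corp.example', DNS server 'DC01', DHCP server 'DHCP01',
# DHCP scope 10.0.1.0.
Import-Module DnsServer, DhcpServer

$Zone       = 'corp.example'
$DnsServer  = 'DC01'
$DhcpServer = 'DHCP01'
$ScopeId    = '10.0.1.0'

# Aging is a zone setting: it timestamps dynamic records and sets the no-refresh/refresh
# windows. Scavenging is a server setting: it is the job that actually deletes stale
# records, and it only touches zones whose ScavengeServers list includes this server.
$aging = Get-DnsServerZoneAging  -ComputerName $DnsServer -Name $Zone
$scav  = Get-DnsServerScavenging -ComputerName $DnsServer

[pscustomobject]@{
    ZoneAgingEnabled   = $aging.AgingEnabled
    NoRefreshInterval  = $aging.NoRefreshInterval
    RefreshInterval    = $aging.RefreshInterval
    ScavengeServers    = ($aging.ScavengeServers -join ', ')
    ServerScavenging   = $scav.ScavengingState
    ScavengingInterval = $scav.ScavengingInterval
    LastScavengeTime   = $scav.LastScavengeTime
} | Format-List

# A dynamic record is eligible for deletion once its timestamp is older than
# NoRefresh + Refresh. Static records carry no timestamp and are never scavenged.
$staleBefore = (Get-Date) - ($aging.NoRefreshInterval + $aging.RefreshInterval)
$candidates  = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -RRType A |
    Where-Object { $_.Timestamp -and $_.Timestamp -lt $staleBefore } |
    Select-Object HostName,
                  @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address.IPAddressToString } },
                  Timestamp

# Cross-check against live DHCP leases. A stale-looking record whose address still has an
# active lease for the same host is a host that is failing to refresh its record (the
# situation in this thread); a stale record with no lease is a genuinely gone host.
$leases = Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $ScopeId |
    Where-Object { $_.AddressState -like 'Active*' }

$candidates | ForEach-Object {
    $ip    = $_.IPv4
    $lease = $leases | Where-Object { $_.IPAddress.IPAddressToString -eq $ip }
    [pscustomobject]@{
        Host        = $_.HostName
        IPv4        = $ip
        Timestamp   = $_.Timestamp
        ActiveLease = [bool]$lease
        LeaseHost   = $lease.HostName
        Verdict     = if (-not $lease) { 'no lease: safe to scavenge' }
                      elseif ($lease.HostName -like "$($_.HostName)*") { 'lease held by same host: registration not refreshing' }
                      else { 'address reused by another host: record is wrong' }
    }
} | Format-Table -AutoSize
```

    Running this before turning scavenging on answers the "adverse effects" question for the zone at hand: every row marked "registration not refreshing" is a live machine whose record would be deleted, and after that deletion the machine's next update is a fresh registration rather than a refresh, so it must be able to create the record (domain-joined under "Secure only", or registered via the DHCP credential) or it will drop off DNS entirely.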
  • Hi,

    If you have a new question, I would suggest you post it in a new thread; it would make it easier for others to focus on one question in a single thread, and it will benefit other community members who are stuck with the same question.

    Many thanks for your post and all the efforts so far.

    Best Regards,

    Candy



    Wednesday, November 29, 2017 7:18 AM