(Domain Controllers) dynamic DNS updates configuration of time

  • Question

  • Hello,

    We are facing a specific issue in our AD environment:

    We have 14 DCs that update their records in two external (Linux BIND) DNS servers using dynamic DNS updates.

    What we found is that all the DCs update their DNS records at the exact same time, which sometimes leads to complete domain unavailability for a few minutes.

    Each day, the exact time of these updates seems to be 06:00, 12:00 and 18:00.

    I set up monitoring of this behavior using Nagios, regularly querying our DNS servers for how many DCs they have in their records.

    As you can see in the attached picture, it shows, for both DNS servers, how many DCs they have. Since we have 14 DCs, 28 is the max value.

    [Image: Nagios graph of the DC record count on both DNS servers]

    You can see the problem here: all DCs drop out of the DNS system at the same time...

    I am wondering how we can configure each DC to update its dynamic DNS record at a specific time, so we can avoid having all DCs out of DNS at 6:00, 12:00 and 18:00.

    Thanks for any help

    Tuesday, June 25, 2019 2:15 PM

All replies

  • Hi,

    Do you mean that all clients can't access the DCs at the same time?

    How did you configure the DNS servers on the clients?

    Best regards,

    Travis


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, June 26, 2019 9:31 AM
    Moderator
  • Hi,

    We were not aware of this behavior until last week, when we had many applications complaining about not being able to contact our domain.com.

    So we deployed monitoring (see graphs) to check, using the host command on domain.com against both our BIND DNS servers, for the presence of the A records of every DC.

    And we found out that all DCs unregister from DNS at the exact same time and register back at various times, from 15 min of unavailability to almost 1h.

    This happens every day at 06:00, 12:00 and 18:00. But not at 00:00.

    Clients are configured to reach both BIND DNS servers statically or via DHCP, but this is not relevant to the issue. The issue is about DCs disappearing from dynamic DNS.

    I tried disabling dynamic DNS on 2 DCs and adding them as static records, but they then disappeared from our domain.com resolution permanently.

    I can't find any technical data about this behavior, especially in our case with an external DNS server; I couldn't find any information about tuning the dynamic DNS registration behavior of AD DCs :(

    Where and how do you configure the dynamic registration of DCs into external DNS?

    Do you see the same behavior in your environment (with or without external DNS)?

    Thursday, June 27, 2019 7:04 AM
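The Nagios check the original poster describes above (query both BIND servers for the domain apex and count how many DC A records come back), as an added example that is not part of the thread. It parses the output of the `host` command mentioned in the last reply; the server names, the sample output and the expected count of 14 DCs are assumptions taken from the thread.

```python
"""Nagios-style check: how many DC A records does each DNS server return for the apex?

Added example, not from the thread. Assumes `host -t A <domain> <server>` output
of the form "domain.com has address 192.168.1.1" (one line per DC).
"""
import re
import subprocess
import sys

EXPECTED_DCS = 14                      # assumption: 14 DCs, as in the thread
OK, WARNING, CRITICAL = 0, 1, 2        # Nagios exit codes

# One `host` output line per IPv4 A record; IPv6 and other lines are ignored.
A_RECORD = re.compile(r"^(\S+) has address (\d{1,3}(?:\.\d{1,3}){3})$")

# Constructed sample output of `host -t A domain.com 10.0.0.53` with 3 DCs registered.
SAMPLE_OUTPUT = """Using domain server:
Name: 10.0.0.53
Address: 10.0.0.53#53
Aliases:

domain.com has address 192.168.1.1
domain.com has address 192.168.1.2
domain.com has address 192.168.1.3
"""

def dc_addresses(host_output: str) -> set:
    """Return the set of IPv4 addresses registered for the apex name."""
    return {m.group(2) for line in host_output.splitlines()
            if (m := A_RECORD.match(line.strip()))}

def evaluate(n_records: int, expected: int = EXPECTED_DCS):
    """Map a record count to a Nagios (exit_code, message) pair."""
    if n_records == 0:          # every DC gone: the symptom seen at 06:00/12:00/18:00
        return CRITICAL, f"CRITICAL - 0/{expected} DCs registered for apex"
    if n_records < expected:    # some DCs dropped out or not yet re-registered
        return WARNING, f"WARNING - {n_records}/{expected} DCs registered for apex"
    if n_records > expected:    # stale records left behind (e.g. scavenging off)
        return WARNING, f"WARNING - {n_records}/{expected} records, stale entries?"
    return OK, f"OK - {n_records}/{expected} DCs registered for apex"

def query_apex(domain: str, server: str) -> set:
    """Run `host` against one DNS server and parse its A records."""
    out = subprocess.run(["host", "-t", "A", domain, server],
                         capture_output=True, text=True, check=False)
    return dc_addresses(out.stdout)

def main(argv):
    domain, servers = argv[1], argv[2:]
    results = [evaluate(len(query_apex(domain, s))) for s in servers]
    print(" | ".join(f"{s}: {msg}" for s, (_, msg) in zip(servers, results)))
    return max(code for code, _ in results)   # worst server decides the state

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `check_dc_apex.py domain.com ns1.example ns2.example` from Nagios; a CRITICAL at 06:00, 12:00 or 18:00 on both servers is the pattern the thread describes.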
  • Hi,

    Thanks for your details.

    According to the information, the problem is the DNS dynamic update of the DCs on the BIND DNS servers.

    Unfortunately, I don't have much experience with BIND DNS.

    By default, statically configured clients and remote access clients that do not rely on the DHCP server for DNS registration will re-register their A & PTR records dynamically and periodically every 24 hours.

    For domain controllers, due to the importance of keeping up to date and accurate SRV and other records, the Netlogon service will attempt to update these records every 60 minutes.

    You can use the following registry subkey to modify the update interval:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DefaultRegistrationRefreshInterval

    The interval is set in seconds.

    Please Note: remember to back up the registry. Serious problems might occur if you modify the registry incorrectly.

    Best regards,

    Travis


    Thursday, June 27, 2019 9:14 AM
    Moderator
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.


    Best Regards,

    Travis



    Tuesday, July 2, 2019 7:15 AM
    Moderator
  • Do you have scavenging enabled in BIND, and what is the TTL of the records set to? The records should not be deleted, only updated...
    Tuesday, July 2, 2019 7:19 AM
  • Hello,

    I think the registry key you provided is for pre-2003 systems. Now it's handled by GPO if I'm correct, but the minimum value is 1800s (I believe it's the default value), so this setting can only increase the delay, not reduce it.

    Anyway, after a deeper look at the BIND DNS server, it appears that this behavior is caused by a synchronization script between the dynamic and static DNS views. We will dig into this and see what's wrong.

    Thanks for your help guys.

    Wednesday, July 3, 2019 2:05 PM
  • Hi,

    Thanks for sharing the current situation.

    If there is anything else we can do for you, please feel free to post in the forum. 

    Best regards,

    Travis


    Thursday, July 4, 2019 6:42 AM
    Moderator
  • Hello,

    Indeed, yes.

    I would need a workaround for this, as the team managing the DNS server doesn't know why this happens or how to fix it.

    I couldn't find any information on the web about this specific query:

    DCs, on a regular basis, unregister and re-register themselves on the dynamic DNS (our external BIND DNS server).

    That is how it should work.

    When the bug happens, DCs don't know they have been kicked out of our domain.com resolution and register back between 5 and 90 minutes later.

    I am looking for a way to manually trigger the registration of DCs into dynamic DNS.

    ipconfig /registerdns is not working for this; this command only registers the DC's name into the dynamic DNS, like DC01.domain.com -> 192.168.1.1

    What I need is to register DC01 192.168.1.1 into domain.com dynamic dns record.

    I'm sure I can do it somehow, because I already noticed that disabling dynamic DNS updates in the network card parameters removes the DC record from the domain.com DNS record.

    So this is a local parameter.

    But how do I manually trigger the registration of this DC's IP for the managed domain.com into DNS?

    Thursday, July 11, 2019 8:13 AM
  • Hi,

    Sorry, I don't have much experience with BIND DNS.

    I would suggest you post a new thread for more information.

    Best regards,

    Travis


    Friday, July 12, 2019 6:10 AM
    Moderator