DNS "Dynamic Updates" - Secure only vs Nonsecure and secure

  • Question

  • We have a 2003 AD DC. I see that most of our DNS zones are set for Nonsecure and secure. We have domain PCs, workgroup PCs, and wireless devices such as phones connecting to access points. We mainly use DHCP, but our servers are hard-coded. I just came on board with this company and I am wondering why it would be set up this way. Is it because of the workgroup machines and wireless devices?

    Monday, April 22, 2013 8:52 PM

Answers

  • Yes, if Secure DDNS were selected only domain members would have the ability to update their DNS records:

    Secure DDNS


    MCITP-EA | "You don't understand anything until you learn it more than one way" | Hope This Helps!

    Tuesday, April 23, 2013 1:57 AM
  • Don't forget to create and configure credentials.

    Yes, lower them to 4+4, because they total to 8, equal to or greater than 7. I just haven't updated it yet.

    More notes:

    Good article by Sean Ivey, MSFT:
    How DNS Scavenging and the DHCP Lease Duration Relate
    (Make the No-refresh and Refresh each half the lease, so combined, they are equal to or greater than the lease).
    http://blogs.technet.com/b/askpfe/archive/2011/06/03/how-dns-scavenging-and-the-dhcp-lease-duration-relate.aspx

    -

    The scavenging total time formula is: NoRefresh + Refresh * 2 + scavenge period.
    Example:
    - DHCP lease duration should match the “no-refresh + refresh" values = 6 Days
    - Zone is set to a 3 day Refresh and a 3 day No-Refresh interval
    - Server Scavenging period is set to 3 days
    - The total time is set to 3 day No-Refresh + 3 day Refresh + 3 day No-Refresh + 1 to Scavenging period (1 day to 3 day in this example) = Scavenging will occur anytime between Day 10 to Day 12
    Good discussion on it and an example by Rick Tan:
    Thread: "Enable DNS aging and scavenging "
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/d4ec8490-60cd-4466-951a-203a1ddbfaff/
     
    For any current old records that are not owned by DHCP, you need to manually delete them to kick off scavenging quicker than waiting for it to happen, which depending on your lease length, may take up to 30 days. For example, a 3 day lease will take up to 12 days to kick in.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Friday, April 26, 2013 3:14 AM
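The interval arithmetic from the answer above, worked through as an added PowerShell example; it is not part of the thread or of either linked article. It follows the documented eligibility rule (a record can be scavenged once the No-refresh and Refresh intervals have both elapsed since its timestamp, and is then removed on the next scavenging pass, which runs once per scavenging period), so for the 3/3/3 case it yields a day 6 to day 9 window rather than the answer's day 10 to 12, which counts the No-refresh interval a second time. The zone name `corp.example` is hypothetical, and the cmdlets at the end assume the DnsServer module of Windows Server 2012 or later, which the 2003 server in the question does not have; the calculation itself runs in any PowerShell.

```powershell
# Added example (not from the thread): model the aging/scavenging timeline for a
# record whose timestamp was written on day 0, then apply the chosen intervals.
function Get-ScavengeWindow {
    param(
        [Parameter(Mandatory)][int]$LeaseDays,
        [Parameter(Mandatory)][int]$NoRefreshDays,
        [Parameter(Mandatory)][int]$RefreshDays,
        [Parameter(Mandatory)][int]$ScavengingPeriodDays
    )
    # The timestamp cannot be refreshed during NoRefresh; the record becomes
    # eligible once NoRefresh + Refresh have passed; the server only sweeps
    # eligible records every ScavengingPeriod, so deletion lands in that window.
    $eligible = $NoRefreshDays + $RefreshDays
    [pscustomobject]@{
        LeaseDays         = $LeaseDays
        EligibleAfterDay  = $eligible
        EarliestDeleteDay = $eligible
        LatestDeleteDay   = $eligible + $ScavengingPeriodDays
        # The thread's rule of thumb: NoRefresh + Refresh must be >= the lease,
        # so a client that is merely between lease renewals is not swept.
        CoversLease       = ($eligible -ge $LeaseDays)
    }
}

# Sample values (constructed): the 3/3/3 case from the answer, the 7+7 defaults
# against the default 8-day lease, and the 4+4 the thread settles on.
Get-ScavengeWindow -LeaseDays 6 -NoRefreshDays 3 -RefreshDays 3 -ScavengingPeriodDays 3
Get-ScavengeWindow -LeaseDays 8 -NoRefreshDays 7 -RefreshDays 7 -ScavengingPeriodDays 7
Get-ScavengeWindow -LeaseDays 8 -NoRefreshDays 4 -RefreshDays 4 -ScavengingPeriodDays 4

# Apply 4+4 on a hypothetical zone and a 4-day server scavenging period
# (DnsServer module, Windows Server 2012+; run on or against the DNS server).
Set-DnsServerZoneAging -Name 'corp.example' -Aging $true `
    -NoRefreshInterval (New-TimeSpan -Days 4) -RefreshInterval (New-TimeSpan -Days 4)
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval (New-TimeSpan -Days 4)
```

Two caveats when reading the output: the first sweep of a zone waits until one Refresh interval has passed since aging was enabled on it, so freshly enabled zones lag the computed window, and statically created records carry no timestamp and are never scavenged, which is why the answer says old non-DHCP records have to be deleted by hand.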

All replies

  • I concur with Ryan.

    That's set up to allow non-domain-joined devices to register in your DNS zones. You can set it to Secure only, but if you set up DHCP with credentials, forcing it to update everything, etc., then they will register; in which case, to stop them, you can do all that but just set DHCP to allow clients to update themselves (default).

    It depends on what you want or what the company's requirements are.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Tuesday, April 23, 2013 4:48 AM
  • I do have DHCP setup with credentials and "Always dynamically update."  With these settings, is it better to set the zones now to Secure only or would it just be a wash since I am using credentials and "Always dynamically update?"

    Tuesday, April 23, 2013 2:42 PM
  • Absolutely. Also to make sure it works, the requirement is to add the DHCP server's computer account (not the DHCP credentials or any other account), into the DnsUpdateProxy group.

    More on it here:

    This link covers the following:
    DHCP Service Configuration, Dynamic DNS Updates, Scavenging, Static Entries, Timestamps, DnsUpdateProxy Group, DHCP Credentials, prevent duplicate DNS records, DHCP has a "pen" icon, and more...
    Published by Ace Fekay, MCT, MVP DS on Aug 20, 2009 at 10:36 AM
    http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx  

    Good summary
    How Dynamic DNS behaves with multiple DHCP servers on the same Domain?
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e9d13327-ee75-4622-a3c7-459554319a27


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Wednesday, April 24, 2013 2:54 AM
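The configuration the last two replies describe (zones on Secure only, DHCP registering on behalf of clients with a dedicated credential, and the DHCP server's computer account in DnsUpdateProxy), as an added PowerShell example that is neither the thread's nor Ace Fekay's code. It assumes the DnsServer, DhcpServer and ActiveDirectory modules of Windows Server 2012 or later run against a hypothetical server `DC01` that hosts both DNS and DHCP, as in the asker's environment; the 2003 server in the thread has none of these modules, and there the equivalents are the zone properties dialog (or `dnscmd /Config <zone> /AllowUpdate 2`), the DNS and Advanced tabs of the DHCP server properties, and Active Directory Users and Computers.

```powershell
# Added example (not from the thread): audit which zones still accept nonsecure
# updates, move the AD-integrated ones to Secure only, and wire up DHCP.
$DnsServer  = 'DC01'   # hypothetical host name
$DhcpServer = 'DC01'   # hypothetical; DHCP runs on the only DC in the thread

# 1. Forward primary zones that anyone on the network can write to.
$open = Get-DnsServerZone -ComputerName $DnsServer | Where-Object {
    $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and
    -not $_.IsReverseLookupZone -and $_.DynamicUpdate -ne 'Secure'
}
$open | Select-Object ZoneName, DynamicUpdate, IsDsIntegrated | Format-Table -AutoSize

# 2. Secure only needs an AD-integrated zone; file-backed zones are reported, not changed.
foreach ($zone in $open) {
    if ($zone.IsDsIntegrated) {
        Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $zone.ZoneName -DynamicUpdate Secure
    } else {
        Write-Warning "$($zone.ZoneName) is not AD-integrated; convert it before switching to Secure"
    }
}

# 3. DHCP registers A and PTR for every client ("Always dynamically update"),
#    removes them on lease expiry, and covers clients that cannot self-register.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -DynamicUpdates Always `
    -DeleteDnsRROnLeaseExpiry $true -UpdateDnsRRForOlderClients $true

# 4. A plain domain user as the DHCP DNS credential, so the records DHCP writes are
#    owned by that account rather than being created unprotected.
$cred = Get-Credential -Message 'DHCP dynamic-update account (ordinary domain user)'
Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $cred
Get-DhcpServerDnsCredential -ComputerName $DhcpServer

# 5. The DHCP server's computer account (not the credential account) in DnsUpdateProxy.
$dhcpComputer = Get-ADComputer -Identity $DhcpServer
$alreadyMember = Get-ADGroupMember -Identity 'DnsUpdateProxy' |
    Where-Object { $_.SID.Value -eq $dhcpComputer.SID.Value }
if (-not $alreadyMember) {
    Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members $dhcpComputer
}
```

Step 4 is the part that matters most when DHCP sits on a domain controller: membership of DnsUpdateProxy makes records the member registers writable by any authenticated user, which would include the DC's own records, and configuring a dedicated credential is what keeps the DHCP-written records owned and protected instead. After the change, watch for clients that stop registering: non-domain devices that were updating their own records directly will only appear in DNS through DHCP from then on.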
  • Nice blog. Thanks. DHCP is installed on our only DC, so I guess I have no option but to add it to the DnsUpdateProxy group. Another interesting point is the Scavenge settings. The blog mentions the default 7 & 7 works well with the default lease time of 8 days. I read several other articles that suggest lowering the 7 & 7 to 4 & 4 if using the default 8 day lease (lowering each one to half of what the default lease is). What are your thoughts on this?
    • Edited by MIS Admin Thursday, April 25, 2013 2:24 PM
    Thursday, April 25, 2013 1:31 PM