DNS record registration by Windows clients

  • Question

  • Hi everyone,

I have a Windows 2016 server with the DNS and DHCP role running. I've configured the DHCP to use a service account to update the DNS records securely. It seems to work for non-Windows-based clients, where the records are being registered by this service account.

    However, it does not seem to work for Windows clients (I've tested with 2012 and 2016). This leaves some stale records in the environment when these Windows clients are retired. The only way to force this seems to require going into each network interface on the Windows clients and uncheck the 'register dns' option.

    The problem with this method is that when the new machines are provisioned, they would automatically already have this option enabled and register it on the DNS. I've been trying to find some documents that would tell me exactly what ACLs are required in the DNS to allow only the service account and DNS administrators, or other authorized users to create this record.

    By any chance, does anyone know what this might be or if it is even possible?

    Thanks in advance.

    Regards,

    Shaun

    Wednesday, September 27, 2017 2:42 PM
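The setup the question describes, as an added PowerShell example that is not part of the original post: it points the DHCP server at the update account, then reads the zone's ACL and the owner of each existing host record so you can see which principals are actually allowed to create records and which account registered each one. Assumptions (not from the thread): both roles on the local server, an AD-integrated zone named corp.example.com stored in the DomainDnsZones partition, a service account CORP\svc-dhcp-dns, and the DhcpServer, DnsServer and ActiveDirectory modules installed.

```powershell
# Added example, not code from the original post. Assumed names: zone
# 'corp.example.com' (DomainDnsZones partition) and account 'CORP\svc-dhcp-dns'.
Import-Module DhcpServer, DnsServer, ActiveDirectory

$Zone    = 'corp.example.com'                 # assumed zone name
$Account = 'CORP\svc-dhcp-dns'                # assumed DHCP DNS update account

# 1. Make DHCP register A and PTR for every lease and remove them on expiry,
#    authenticating to DNS as the service account instead of the DHCP server's
#    own machine account.
$cred = Get-Credential -UserName $Account -Message 'DHCP DNS update account'
Set-DhcpServerDnsCredential -Credential $cred
Set-DhcpServerv4DnsSetting -DynamicUpdates Always -DeleteDnsRROnLeaseExpiry $true
Get-DhcpServerDnsCredential          # confirm which account DHCP now uses

# 2. List who may create records in the zone. An AD-integrated zone is an object
#    under CN=MicrosoftDNS; the 'CreateChild' right on it is what allows a
#    principal to add new records. A Windows client registering itself relies on
#    'Authenticated Users' holding that right here.
$domainDn = (Get-ADDomain).DistinguishedName
$zoneDn   = "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
(Get-Acl -Path "AD:\$zoneDn").Access |
    Where-Object { $_.ActiveDirectoryRights -match 'CreateChild|GenericAll' } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize

# 3. Show the owner and timestamp of each host record. Under secure dynamic
#    update the creating principal becomes the owner: the service account for
#    records DHCP registered, the client's computer account for records a
#    Windows client registered itself. A $null timestamp means a static record.
Get-DnsServerResourceRecord -ZoneName $Zone -RRType A |
    Where-Object { $_.HostName -ne '@' } |
    ForEach-Object {
        $rrDn = "DC=$($_.HostName),$zoneDn"
        [pscustomobject]@{
            Host      = $_.HostName
            IPv4      = $_.RecordData.IPv4Address
            Timestamp = $_.Timestamp
            Owner     = (Get-Acl -Path "AD:\$rrDn").Owner
        }
    } | Format-Table -AutoSize
```

If the zone replicates forest-wide or to the domain partition, change the DomainDnsZones part of $zoneDn accordingly; the Get-Acl calls fail with "cannot find path" when the DN is wrong, which is the first thing to check.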

All replies

  • Hi,

    >>The only way to force this seems to require going into each network interface on the Windows clients and uncheck the 'register dns' option.

It is not recommended that you disable the option. It works with dynamic update to change DNS records when your clients move.

    I suppose Aging and Scavenging is a solution for you to scavenge the stale records.

    There are some misconceptions prompting fears that Scavenging will remove everything in your zone, including servers. Please understand, the main thing that scavenging works on is the timestamp. If there is no timestamp, such as a manually created, static record, it will not get scavenged. Also, if all servers, including DCs, are automatically updating their own record, then there is no fear of losing their records, because for one, their records (timestamps) are current, therefore scavenging won't touch them, and two, Windows Servers by default will update their records every 24 hours, with the exception of domain controllers at every 60 minutes. Therefore, even if they were to scavenge these records, assuming the timestamp has ever been reached, the machines will refresh themselves anyway!

    For more information about Aging and Scavenging and DNS record ownership, please refer to the following articles:

    https://technet.microsoft.com/en-us/library/cc771677(v=ws.11).aspx

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/b17c798c-c4b2-4624-926c-4d2676e68279/dns-record-ownership-and-the-dnsupdateproxy-group?forum=winserverNIS

    Best Regards,

    Frank


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Thursday, September 28, 2017 3:14 AM
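The aging and scavenging behaviour the reply describes, as an added PowerShell example that is not part of the original reply: it enables aging on the zone and scavenging on the server, then previews which dynamic records have a timestamp older than the no-refresh plus refresh intervals, which is exactly the set a scavenging pass would delete. Static records carry no timestamp and are skipped, as the reply states. Assumptions (not from the thread): DnsServer module on the DNS server, zone corp.example.com, and 7-day intervals, which are comfortably longer than the 24-hour client refresh the reply mentions.

```powershell
# Added example, not code from the original reply. Assumed: zone 'corp.example.com'
# and 7-day NoRefresh / Refresh intervals.
Import-Module DnsServer

$Zone      = 'corp.example.com'                # assumed zone name
$NoRefresh = [TimeSpan]::FromDays(7)
$Refresh   = [TimeSpan]::FromDays(7)

# 1. Aging is a per-zone setting, scavenging a per-server setting; both are
#    needed. A record is eligible only once NoRefresh + Refresh has elapsed
#    since its timestamp, and only records that have a timestamp are considered.
Set-DnsServerZoneAging -Name $Zone -Aging $true `
    -NoRefreshInterval $NoRefresh -RefreshInterval $Refresh
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval ([TimeSpan]::FromDays(7))
Get-DnsServerZoneAging -Name $Zone          # confirm; also lists ScavengeServers

# 2. Preview what the next scavenging pass would remove. Records without a
#    timestamp (manually created, static) are excluded here for the same reason
#    the server excludes them.
$cutoff = (Get-Date) - ($NoRefresh + $Refresh)
$stale = Get-DnsServerResourceRecord -ZoneName $Zone |
    Where-Object {
        $_.RRType -in 'A','AAAA','PTR' -and
        $_.Timestamp -and
        $_.Timestamp -lt $cutoff
    } |
    Select-Object HostName, RRType, Timestamp, @{
        Name       = 'Data'
        Expression = {
            switch ($_.RRType) {
                'A'    { $_.RecordData.IPv4Address }
                'AAAA' { $_.RecordData.IPv6Address }
                'PTR'  { $_.RecordData.PtrDomainName }
            }
        }
    }

$stale | Sort-Object Timestamp | Format-Table -AutoSize
"{0} dynamic record(s) are past NoRefresh + Refresh and eligible for scavenging" -f @($stale).Count

# 3. Optionally trigger a pass now rather than waiting for ScavengingInterval.
# Start-DnsServerScavenging -Force
```

Run step 2 before step 3 on a zone where aging was just enabled: records that were dynamic but never aged carry no timestamp until their owner next refreshes them, so the preview shows what will actually be deleted rather than what looks old.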
  • Thanks for your reply Frank.

Yes, I am aware of the scavenging but as you mentioned, it might take some time before scavenging kicks in. I wanted to see if there was a way to just maintain the DNS cleanly through the DNS proxy updater method, forcing all clients, no matter whether it is Windows or Linux, to be updated only by the DHCP server or some other administrator for static addresses.

    I'll have a look at the links you sent.

    Thank you.

    Thursday, September 28, 2017 12:22 PM

  • Hi,
Based on the complexity and the specific situation, we need to do more research. If we have any updates or any thoughts about this issue, we will keep you posted as soon as possible. Your kind understanding is appreciated. If you have further information during this period, you could post it on the forum, which would help us understand and analyze this issue comprehensively.
    Sorry for the inconvenience and thank you for your understanding and patience.

    Best Regards,
    Frank


    Monday, October 2, 2017 8:59 AM