How Dynamic DNS behaves with multiple DHCP servers on the same Domain?

  • Question

  • I have a question that I can't find any documentation on or easily test in my environment.

    Here is the scenario:

    2 separate DHCP servers at 2 separate sites (DHCP Server A, DHCP Server B), each with their own scope but share the same DNS domain.

    Dynamic DNS is turned on and set to Always Dynamically update DNS A and PTR records, as well as Discard A and PTR records when lease is deleted.

    Dynamic DNS is also set to use a service account, and each DHCP server has its own service account.

    The question:

    Client A registers with DHCP Server A and gets a 7 day lease.  DHCP Server A registers the A and PTR records in DNS for Client A.  2 days later, Client A leaves the site and goes to the other site.  Client A now gets a DHCP lease from DHCP Server B. 

    Will DHCP Server A be notified that Client A just received a new DHCP address from DHCP Server B and thus delete the old (old because they were registered by DHCP Server A) A and PTR records from the DNS server, or will this result in multiple DNS entries (one registered by DHCP Server A and the other by DHCP Server B) for the same client?

    Side question: If DHCP Server A does not get notified and does not clean up the record, does using the same service account on both DHCP servers rectify that issue?  Is there a better way to approach Dynamic DNS in this scenario?

    Thursday, January 31, 2013 9:36 PM

All replies

  • Hi JJ,

    Since the registering DHCP Server is the Owner of the DDNS record in the DNS-Zone file it is technically the only one that can delete it.

    And "NO" it will not get notified by the other DHCP Server.

    However, there is a built-in group in AD DS that is designed exactly for this scenario: add both DHCP servers' computer accounts to the "DnsUpdateProxy" global security group and they should be able to delete the old client DDNS records that the other server made when they issue a new lease to a client.


    J. Philipp, MCT, MCITP, usw... http://www.archimatrix.com/jphilipp/indexDE.html

    Friday, February 1, 2013 1:41 AM
  • Thanks Unit-Y.

    The registering DHCP server is not the owner of the DDNS record in this case, the service account is the owner.  If both DHCP servers use the same service account, will they then be able to clean up after each other?

    I do not want to use the DNSUpdateProxy group because that will result in the DHCP servers that are members of that group creating DNS records that have no security on them. 

    It seems to me that if both servers were members of the DNSUpdateProxy group and could clean up after each other, the same would occur if both servers used the same service account. DNSUpdateProxy group would simply allow any DHCP server (and anything else on the domain) to delete an old DNS entry, so as long as one of the DHCP servers actually attempts to clean up the record, it should work because they would both have permissions to the record through acting as the same service account.  The only scenario I can see in which DNSUpdateProxy would work and using the service account not work is if it is actually the client that goes out and deletes its own old DDNS record.

    My goal is to set it up so that there are never any stale DNS records (because they get cleaned up immediately by DHCP when a lease expires and don't depend on scavenging) even after one machine moves to another site and gets a DHCP address from a different DHCP server.



    • Edited by jjharrison Friday, February 1, 2013 2:45 PM
    Friday, February 1, 2013 2:44 PM
  • Hi JJ,

    just to understand your setup a little better:

    • You have two DHCP Servers that currently use different alternate credentials (service accounts) to register DDNS records (A and PTR) on behalf of the clients
      (something like: "netsh.exe dhcp server \\servername set dnscredentials username domainname Password" for each DHCP Server)
    • The Clients are set-up to let DHCP register the DDNS and not to do it themselves
    • They are all writing to the same DNS-Zone (I assume it is an AD integrated zone set to 'only secure dynamic updates')

    You want to set the DHCP Servers to both use the same Service account to avoid stale records.

    Is that correct?


    J. Philipp, MCT, MCITP, usw... http://www.archimatrix.com/jphilipp/indexDE.html

    Friday, February 1, 2013 5:50 PM
  • Thanks again Unit-Y - I appreciate your helpful responses.

    • You have two DHCP Servers that currently use different alternate credentials (service accounts) to register DDNS records (A and PTR) on behalf of the clients
      (something like: "netsh.exe dhcp server \\servername set dnscredentials username domainname Password" for each DHCP Server)

    Yes - although I haven't configured the second service account just yet.

    • The Clients are set-up to let DHCP register the DDNS and not to do it themselves

    Yes, although I am not opposed to allowing the client to do the update (assuming the client still uses the service account assigned in the DHCP server settings)

    • They are all writing to the same DNS-Zone (I assume it is an AD integrated zone set to 'only secure dynamic updates')

    Yes, they are all writing to the same AD integrated zone, and dynamic updates are set to "secure only".

    If I understand the DHCP client processes correctly, the following should happen.

    1. Client A powers on at Site A and does a DHCP discover and gets a DHCP Offer from DHCP Server A 

    2. DHCP A responds with a DHCPOffer

    3. Client A accepts DHCP offer and responds with a DHCPRequest

    4. DHCP A responds with DHCPAck and a lease is granted.  DHCP A updates DNS A and PTR records on behalf of client

    5. Client A powers off and moves to Site B (Where DHCP Server B's scope resides)

    6. Client A powers on at Site B

    7. Client A attempts to renew lease by sending DHCPRequest to DHCP Server A

    8. DHCP Server A does not respond

    9. Client A attempts to ping the default gateway provided by DHCP Server A

    10. Gateway IP does not respond

    11. Client A sends out DHCP Discover packet

    12. DHCP Server B responds with a DHCP Offer

    13. Client A accepts DHCP offer

    14. DHCP Server B Grants lease to Client A.  DHCP Server B goes to add Client A's DNS record (DHCP Server B adds the new address to DNS, but will it clean up the stale DNS record in this step if it has permission?)

    Thanks again!


    • Edited by jjharrison Friday, February 1, 2013 9:30 PM
    Friday, February 1, 2013 9:24 PM
  • Any input from Microsoft technet team?

    Thanks in advance.

    Wednesday, February 6, 2013 7:11 PM
  • Either way, you must use the DnsUpdateProxy group, or it won't work.

    This link covers the following:
    DHCP Service Configuration, Dynamic DNS Updates, Scavenging, Static Entries, Timestamps, DnsUpdateProxy Group, DHCP Credentials, prevent duplicate DNS records, DHCP has a "pen" icon, and more...
    Published by Ace Fekay, MCT, MVP DS on Aug 20, 2009 at 10:36 AM
    http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx


    In a nutshell (a big nutshell!):

    ===
    Add the DHCP server(s) to the Active Directory, Built-In DnsUpdateProxy security group.
    Make sure ALL other servers are not in the DnsUpdateProxy group. For example, some believe that the DNS servers or other DCs should be in it. They must be removed or it won't work.
    Configure DHCP Credentials.
    DISABLE Name Protection.
    If DHCP is co-located on a Windows 2008 R2 DC, you can and must secure the DnsUpdateProxy group by running the following:
    dnscmd /config /OpenAclOnProxyUpdates 0
    Configure Scavenging on one DNS server. What it scavenges will replicate to others anyway.


    ===
    Orphaned scavenging DNS server in the infrastructure:

    If there is an old scavenging DNS server specified, which may not allow a new DNS server that scavenging has been set on to scavenge records, then running the following command will clear the old scavenging server's IP and allow the scavenging of the zone:

    To see if a DNS server has been specifically assigned to scavenge a zone:
    dnscmd /zoneinfo <zonename>   -- you will see something like "Scavenge Servers  Addr Count = 1   Server[0] => <IP>"
    dnscmd /zoneresetscavengeservers <zonename>   -- this will clear that IP from above, allowing any/all scavenging servers to scavenge this zone.

    Ref:
    Thread: "DNS scavenging zone, but leaving old non static records"
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/a18c5a85-c5a1-4c29-b4d5-4c320100c598/


    ======
    DNS Scavenging

    (From a thread post, but I don't have the thread link)

    The three following preconditions are necessary for scavenging to complete:
    • Scavenging is enabled for both the server and the zone.
    • The zone is started.
    • The resource records have a time stamp.
    So, if you don't enable scavenging on the other zone, scavenging will not happen, and you can use
    "dnscmd [<ServerName>] /startscavenging" to force scavenging of only the zones on which scavenging is enabled.
    http://technet.microsoft.com/en-us/library/cc772069(v=ws.10).aspx#BKMK_18

    ===
    Scavenging time and guidelines:

    If you have more than one DHCP server in different locations or sites, it's advised to make the lease lengths the same so these settings properly work, or you will see unexpected results.

    The scavenging total time formula is: NoRefresh + Refresh * 2 + scavenge period.
    Example:
    - Zone is set to a 3 day Refresh and a 3 day No-Refresh interval
    - Server Scavenging period is set to 3 days
    - The total time is set to 3 day No-Refresh + 3 day Refresh + 3 day No-Refresh + 1 to Scavenging period (1 day to 3 day in this example) = Scavenging will occur anytime between Day 10 to Day 12
    Good discussion on it and an example by Rick Tan:
    Thread: "Enable DNS aging and scavenging "
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/d4ec8490-60cd-4466-951a-203a1ddbfaff/
     
    For any current old records that are not owned by DHCP, you need to manually delete them to kick off scavenging quicker than waiting for it to happen, which depending on your lease length, may take up to 30 days. For example, a 3 day lease will take up to 12 days to kick in. Here's a chart showing a 3 day refresh/norefresh setting:


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Thursday, February 7, 2013 12:19 AM
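The checklist in the post above ("in a nutshell"), applied as one script. This is an added example and not code from the thread or from the poster; it uses the ActiveDirectory, DhcpServer and DnsServer PowerShell modules (Windows Server 2012 and later) where the thread itself uses netsh and dnscmd, and every server name, zone name and account name in it is a placeholder assumption. Step 4 decides "is this DHCP server also a DC" from the computer account's primary group (516, Domain Controllers), which is an assumption about how you would want that detected.

```powershell
#Requires -Modules ActiveDirectory, DhcpServer, DnsServer
# Added example, not from the thread: the "nutshell" checklist applied with the
# Windows Server 2012+ PowerShell modules. All names below are placeholder assumptions.
param(
    [string[]] $DhcpServers   = @('DHCP-A', 'DHCP-B'),   # assumption: your DHCP hosts
    [string]   $ZoneName      = 'corp.example',           # assumption: the shared AD-integrated zone
    [string]   $ScavengingDns = 'DNS-01',                 # assumption: the ONE server that scavenges
    [int]      $NoRefreshDays = 3,
    [int]      $RefreshDays   = 3,
    [int]      $ScavengeDays  = 3
)

# The DHCP credentials account; prompted for so that no password lives in the script.
$dhcpCred = Get-Credential -Message 'DHCP DNS-update service account (DOMAIN\svc_dhcpdns)'

# Step 1: DnsUpdateProxy holds the DHCP servers' computer accounts and nothing else.
$wanted  = @($DhcpServers | ForEach-Object { Get-ADComputer -Identity $_ })
$current = @(Get-ADGroupMember -Identity 'DnsUpdateProxy')
$extra   = @($current | Where-Object { $_.DistinguishedName -notin $wanted.DistinguishedName })
if ($extra.Count -gt 0) {
    Write-Warning ('Removing non-DHCP members from DnsUpdateProxy: ' + ($extra.SamAccountName -join ', '))
    Remove-ADGroupMember -Identity 'DnsUpdateProxy' -Members $extra -Confirm:$false
}
$missing = @($wanted | Where-Object { $_.DistinguishedName -notin $current.DistinguishedName })
if ($missing.Count -gt 0) {
    Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members $missing
}

foreach ($srv in $DhcpServers) {
    # Step 2: the same DHCP credentials on every server, so every dynamic record
    # ends up owned by one account no matter which server registered it.
    Set-DhcpServerDnsCredential -ComputerName $srv -Credential $dhcpCred

    # Step 3: always update A and PTR, discard them when the lease expires,
    # and keep Name Protection disabled as the checklist requires.
    Set-DhcpServerv4DnsSetting -ComputerName $srv -DynamicUpdates Always `
        -DeleteDnsRROnLeaseExpiry $true -NameProtection $false

    # Step 4: a DHCP server that is also a DC (primary group 516 = Domain Controllers)
    # must close the open ACL that DnsUpdateProxy membership would otherwise leave.
    $pgid = (Get-ADComputer -Identity $srv -Properties PrimaryGroupID).PrimaryGroupID
    if ($pgid -eq 516) {
        Invoke-Command -ComputerName $srv -ScriptBlock { dnscmd /config /OpenAclOnProxyUpdates 0 }
    }
}

# Step 5: aging on the zone (an AD-integrated zone replicates this setting),
# scavenging itself enabled on exactly one DNS server.
Set-DnsServerZoneAging -ComputerName $ScavengingDns -Name $ZoneName -Aging $true `
    -NoRefreshInterval (New-TimeSpan -Days $NoRefreshDays) `
    -RefreshInterval   (New-TimeSpan -Days $RefreshDays)
Set-DnsServerScavenging -ComputerName $ScavengingDns -ScavengingState $true `
    -ScavengingInterval (New-TimeSpan -Days $ScavengeDays)
```

Run it from a host that has the three modules installed and an account that can edit group membership and both DHCP servers; the group is trimmed before members are added so that a DNS server or DC that someone put in DnsUpdateProxy earlier (the case the post warns about) is removed in the same pass.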
  • Thanks Ace.

    Question - why exactly is it that I must use the DNSUpdateProxy group if I am using the service account?  That is the aspect that is most confusing to me.

    If both DHCP servers update records on behalf of the same service account that owns those records, what property of the DNSUpdateProxy group is facilitating the second DHCP server to update the record?  Isn't the problem of not being able to update the record caused by the fact that it doesn't own it solved by using the same service account on both DHCP servers?  I would think that the problem of not owning the record would be solved by simply by making both DHCP servers owners the record by way of acting as the service account that owns the record.

    I'm also confused because I read this other technet thread before posting:  http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/b17c798c-c4b2-4624-926c-4d2676e68279

    The knowledgeable MVP ( You in this case :) ) responded that if you used both the DNSUpdateProxy group and the service account, that it would default to using just the service account.  

    Thanks again for the info, I appreciate your responses.


    Thursday, February 7, 2013 10:16 PM
  • I forgot about that thread. I just updated it:
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/b17c798c-c4b2-4624-926c-4d2676e68279

    That was confirmed a few months back through our MVP private group by a Microsoft engineer. It was updated in a

    DHCP: The DNSupdateproxy group must be secured if Name Protection is enabled on any IPv4 scope
    http://technet.microsoft.com/en-us/library/ee941099(WS.10).aspx

    DHCP: Credentials for DNS update should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server
    http://technet.microsoft.com/en-us/library/ee941099(WS.10).aspx

    How to configure DNS dynamic updates in Windows Server 2003
    http://support.microsoft.com/kb/816592


    Basically, from my old notes:

    According to the BPA rules, a secure update will actually fail if DHCP is running on a DC. This could be caused by the failure to send option 81, which is something that the DHCP server has to include in order to update a DNS record on behalf of a client. The BPA rule doesn’t go into much detail about exactly why registrations fail, it just says they will fail. To prevent it from failing, DHCP credentials and adding the DHCP Server itself into the DnsUpdateProxy group will allow it. Of course, you still want to run dnscmd /config /OpenAclOnProxyUpdates 0 to protect the DC from unauthorized access by the DHCP Credentials used with weak passwords. Either way, you will want to run that command to protect it.

    http://technet.microsoft.com/en-us/library/ee941181(WS.10).aspx
    http://technet.microsoft.com/en-us/library/ee941099(WS.10).aspx


    Just to mention, I hope this wasn't clear as mud. However, you can test it by looking at the ownership on the A record. It should be the DHCP Credentials. I believe you'll find that if the DHCP server is not in the DnsUpdateGroup, you won't see the DHCP credential as the owner.



    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Friday, February 8, 2013 2:20 AM
  • Thanks again for the clarification Ace.

    The one DHCP server that I do have configured to use a service account is registering things properly as the service account without being in DNSUpdateProxy, but that could be because my DHCP server is not a domain controller and I am not using Name Protection (some DHCP servers and DCs are still not on 2008 R2 yet), which sounds like the cases in which it doesn't work.

    What exactly does the command dnscmd /config /openaclonproxyupdates 0 do for me in this scenario in which the DHCP servers are set to do all of the Dynamic updates?  According to documentation, it seems that setting it to 1 allows clients to update records created by the server and vice versa and setting it to 0 prevents the server from updating records created by clients and vice versa.  Is it just a precaution to make sure that clients don't have the power to overwrite entries created by servers in the event that you are using the DNSUpdateProxy group which would set DNS ACLs with no security?

    It sounds like I'll have to find a way to test this behavior in my specific scenario, but I would certainly welcome further input.

     

    Friday, February 8, 2013 3:50 PM
  • I couldn't have said it better.

    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Friday, February 8, 2013 7:08 PM
  • I wanted to add more info guidelines for scavenging settings that I forgot to earlier.

    The scavenging total time formula is: NoRefresh + Refresh * 2 + scavenge period.
    Example:
    - DHCP lease duration should match the "no-refresh + refresh" values = 6 Days
    - Zone is set to a 3 day Refresh and a 3 day No-Refresh interval
    - Server Scavenging period is set to 3 days
    - The total time is set to 3 day No-Refresh + 3 day Refresh + 3 day No-Refresh + 1 to Scavenging period (1 day to 3 day in this example) = Scavenging will occur anytime between Day 10 to Day 12
    Good discussion on it and an example by Rick Tan:
    Thread: "Enable DNS aging and scavenging "
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/d4ec8490-60cd-4466-951a-203a1ddbfaff/


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Saturday, February 9, 2013 2:34 AM
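The scavenging-window arithmetic from the two posts above, as an added example that is not part of the thread: `Get-ScavengingWindow` implements the poster's formula (NoRefresh + Refresh * 2 + scavenging period) and reports whether the DHCP lease matches "no-refresh + refresh" as the last post recommends; `Test-ScavengingAlignment` reads the live zone aging, server scavenging and scope lease values with the DnsServer and DhcpServer modules (Windows Server 2012 and later, an assumption about your environment) and runs the same arithmetic on them. Server, zone and scope names are placeholders.

```powershell
#Requires -Modules DnsServer, DhcpServer
# Added example, not from the thread: the scavenging-window formula as a function, plus a
# live check that zone aging, server scavenging period and DHCP lease length line up.

function Get-ScavengingWindow {
    param(
        [int] $NoRefreshDays,
        [int] $RefreshDays,
        [int] $ScavengingPeriodDays,
        [int] $LeaseDays
    )
    # The thread's formula: NoRefresh + Refresh*2 + scavenging period.
    # A record cannot be refreshed during NoRefresh, may be refreshed during Refresh,
    # and a refresh on the last possible day restarts both intervals; the scavenging
    # pass then lands anywhere from one day to one full period later.
    $base = $NoRefreshDays + 2 * $RefreshDays
    [pscustomobject]@{
        EarliestDay       = $base + 1
        LatestDay         = $base + $ScavengingPeriodDays
        LeaseMatchesAging = ($LeaseDays -eq ($NoRefreshDays + $RefreshDays))
    }
}

function Test-ScavengingAlignment {
    param(
        [string] $DnsServer,    # assumption: the one DNS server with scavenging enabled
        [string] $ZoneName,
        [string] $DhcpServer,
        [string] $ScopeId       # e.g. '192.168.28.0' (placeholder)
    )
    $aging = Get-DnsServerZoneAging -ComputerName $DnsServer -Name $ZoneName
    $scav  = Get-DnsServerScavenging -ComputerName $DnsServer
    $scope = Get-DhcpServerv4Scope -ComputerName $DhcpServer -ScopeId $ScopeId

    $window = Get-ScavengingWindow `
        -NoRefreshDays        ([int]$aging.NoRefreshInterval.TotalDays) `
        -RefreshDays          ([int]$aging.RefreshInterval.TotalDays) `
        -ScavengingPeriodDays ([int]$scav.ScavengingInterval.TotalDays) `
        -LeaseDays            ([int]$scope.LeaseDuration.TotalDays)

    [pscustomobject]@{
        Zone              = $ZoneName
        AgingEnabled      = $aging.AgingEnabled
        ScavengingEnabled = $scav.ScavengingState
        ScavengeServers   = $aging.ScavengeServers   # non-empty = a pinned scavenging server (see /zoneresetscavengeservers)
        LeaseDays         = [int]$scope.LeaseDuration.TotalDays
        EarliestDay       = $window.EarliestDay
        LatestDay         = $window.LatestDay
        LeaseMatchesAging = $window.LeaseMatchesAging
    }
}

# The thread's worked instance: 3-day NoRefresh, 3-day Refresh, 3-day period, 6-day lease.
Get-ScavengingWindow -NoRefreshDays 3 -RefreshDays 3 -ScavengingPeriodDays 3 -LeaseDays 6

# Live check against placeholder names (assumptions).
Test-ScavengingAlignment -DnsServer 'DNS-01' -ZoneName 'corp.example' -DhcpServer 'DHCP-A' -ScopeId '192.168.28.0'
```

With the thread's numbers the first call reproduces its "Day 10 to Day 12" window and reports the lease as matching; the second call is where a second site's scope with a different lease length would show up as `LeaseMatchesAging` false, which is the mismatch the poster says produces unexpected results.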
  • Man this is quite the confusing topic...

    Why is it that the DHCP computer accounts need to be members of the DHCPUpdateProxy group and use a Service account?  The latter makes sense because the record is created with the service account as the owner, and using the service account across all DHCP servers allows them all to update.  That makes sense.  But what is adding the servers to the DHCPUpdateProxy group bringing to the table?

    Reason I ask is because I have issues with some of my clients not updating their PTR records,  and I'm pretty sure it's an issue with security.  However all records are correctly set with the owner as the DHCP Service Account (I have not added the DHCP Servers to the DNSUpdateProxyGroup at this point) they are co-lo'd with ADDS and DNS.

    Thanks and sorry for dragging up such a long thread!

    Monday, March 18, 2013 5:30 PM
  • The group is called the DnsUpdateProxy group, NOT the DHCPUpdateProxy group.

    And it's based on the way the service was designed. If your DHCP servers are on 2008 R2 DCs, simply run dnscmd /config /OpenAclOnProxyUpdates 0 to secure it from anyone that may have the ability to add a user account to that group to gain access to the DCs. Otherwise, you can still add the DHCP server to the group, but it is better and recommended to upgrade the DCs.

    And if you think the PTR is not updating due to security, then something must have been changed from the defaults.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Monday, March 18, 2013 7:07 PM
  • Hi Ace,  sorry I did mean the DNSUpdateProxyGroup.

    I was just wondering what you thought the technical reason was for needing BOTH of these options set, as it kind of sounds like they are different ways of achieving the same outcome.  That is: making all DHCP Servers capable of updating records in all zones, by giving them a shared user account or group.

    When you use DHCP Credentials, that service account is made the owner of the record.  I am guessing if you don't use credentials and you add the DHCP servers to the DNSUpdateProxy group then the DNSUpdateProxyGroup is made owner of the records?

    In my own setup I have 'Always Dynamically update DNS A and PTR records' and I use a Service Account for DHCP Creds. I have not added servers to the DNSUpdateProxy group.

    After doing a bit of playing around with this this evening,  this does all seem to be working just fine.  My issue was the we were using a /22 DHCP scope but had a "flat" reverse lookup zone that did not carry across the whole range. i.e the DHCP Scope is 192.168.28.0 - 192.168.31.x.  But the reverse zone was only "28.168.192" So, clients getting IPs from 192.168.16.28.1-  192.168.28.254 were registering everything correctly, but 192.168.29.xx and above were not. 

    So, everything is all working fine now, without the use of the DNSUpdateProxyGroup.  If this is all working fine, can you explain why?  If you need to have both as you have said?  Not trying to be a smart guy, I am just curious,  like I said, confusing topic and seems to be a lot of misinformation about it.  I'm not saying you are emphatically wrong, just it is clearly incorrect to say you HAVE to have both options set for DDNS to work correctly.

    Cheers



    • Edited by MJT NZ Monday, March 18, 2013 7:50 PM
    Monday, March 18, 2013 7:40 PM
  • The technical reason is twofold:

    DnsUpdateProxy:
    Objects created by members of the DNSUpdateProxy group have no security; therefore, any authenticated user can take ownership of the objects.

    DHCP Credentials:
    Forces ownership to the account used in the credentials, which the DnsUpdateProxy group allowed to take ownership other than the registering client.

    Otherwise, the default process is:

    1. By default, Windows 2000 and newer statically configured machines will register their A record (hostname) and PTR (reverse entry) into DNS.
    2. If set to DHCP, a Windows 2000 or newer machine will request DHCP to allow the machine itself to register its own A record, but DHCP will register its PTR (reverse entry) record.
    3. The entity that registers the record in DNS owns the record.


    DNS Record Ownership and the DnsUpdateProxy Group
    http://technet.microsoft.com/en-us/library/dd334715(v=ws.10).aspx

    Secure Dynamic Update
    http://technet.microsoft.com/en-us/library/cc961412.aspx


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Monday, March 18, 2013 9:49 PM
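An audit for the two effects the post above describes, as an added example that is not part of the thread or the poster's material: for every dnsNode object in an AD-integrated zone it reports the owner (which, with DHCP credentials in place, should be the service account) and whether the object's ACL grants write or full control to a catch-all principal, which is the practical form of "no security" that DnsUpdateProxy membership leaves; a second function lists DnsUpdateProxy members that are not one of your DHCP servers. It uses only the ActiveDirectory module and its `AD:` drive. The zone partition DN, zone name, account name and server names are placeholder assumptions (zones can live in DomainDnsZones, ForestDnsZones or the domain partition), and the open-ACL test is a heuristic, not a Microsoft definition.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread: audit dnsNode ownership / ACLs and DnsUpdateProxy
# membership. Partition DN, zone, account and server names are placeholder assumptions.

function Get-DnsNodeOwnership {
    param(
        [string] $ZoneName,          # e.g. 'corp.example' (placeholder)
        [string] $ZonePartitionDn,   # e.g. 'DC=DomainDnsZones,DC=corp,DC=example' (assumption)
        [string] $ExpectedOwner      # e.g. 'CORP\svc_dhcpdns': the DHCP credentials account (placeholder)
    )
    $zoneDn = "DC=$ZoneName,CN=MicrosoftDNS,$ZonePartitionDn"
    Get-ADObject -SearchBase $zoneDn -SearchScope OneLevel -LDAPFilter '(objectClass=dnsNode)' |
        ForEach-Object {
            $acl = Get-Acl -Path ('AD:\' + $_.DistinguishedName)
            # Heuristic for "no security": an Allow ACE giving write/full control to
            # Authenticated Users (S-1-5-11) or Everyone (S-1-1-0).
            $open = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -match 'Authenticated Users|Everyone|S-1-5-11|S-1-1-0' -and
                ($_.ActiveDirectoryRights.ToString() -match 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner')
            }).Count -gt 0
            [pscustomobject]@{
                Record      = $_.Name
                Owner       = $acl.Owner
                OwnedByDhcp = ($acl.Owner -eq $ExpectedOwner)
                OpenAcl     = $open
            }
        }
}

function Get-DnsUpdateProxyAudit {
    param([string[]] $DhcpServers)   # the only computer accounts that belong in the group
    $wantedDns = @($DhcpServers | ForEach-Object { (Get-ADComputer -Identity $_).DistinguishedName })
    Get-ADGroupMember -Identity 'DnsUpdateProxy' | ForEach-Object {
        [pscustomobject]@{
            Member   = $_.SamAccountName
            Class    = $_.objectClass
            Expected = ($_.DistinguishedName -in $wantedDns)
        }
    }
}

# Usage with placeholder names: records not owned by the DHCP account, or carrying an
# open ACL, and any DnsUpdateProxy member that is not a DHCP server.
Get-DnsNodeOwnership -ZoneName 'corp.example' `
                     -ZonePartitionDn 'DC=DomainDnsZones,DC=corp,DC=example' `
                     -ExpectedOwner 'CORP\svc_dhcpdns' |
    Where-Object { -not $_.OwnedByDhcp -or $_.OpenAcl } | Format-Table -AutoSize

Get-DnsUpdateProxyAudit -DhcpServers 'DHCP-A', 'DHCP-B' |
    Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

Run it read-only first: a DC's own A record showing an open ACL, or a DC or DNS server listed as an unexpected DnsUpdateProxy member, is exactly the condition the quoted TechNet text and the earlier posts warn about, and the `dnscmd /config /OpenAclOnProxyUpdates 0` setting from the thread is the documented response on a co-located DC.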
    I'm guessing then that my setup works without issue without the need for the servers being in the DNSUpdateProxyGroup because my DHCP servers are also DNS and AD then?  Therefore I don't believe adding DHCP servers to this group is required if they are also DC/DNS?

    Edit:  just read the last KB you posted:

    "If you have installed the DHCP service on a domain controller, be absolutely certain not to make that server a member of the DNS Update Proxy group. Doing so would give any user or computer full control of the DNS records corresponding to the domain controllers, unless you manually modified the corresponding ACL. Moreover, if a DHCP server that is running on a domain controller is configured to perform dynamic updates on behalf of its clients, that DHCP server is able to take ownership of any record, even in the zones that are configured to allow only secure dynamic update. This is because a DHCP server runs under the computer account, so if it is installed on a domain controller it has full control over DNS objects stored in the Active Directory."

    Like I said, there's a lot of conflicting information, even within Microsoft's own KB articles...

    In my experience, you do not need to add a DHCP server that is also a DC to the DNSUpdateProxy.  But you should add a DHCP cred so that records can be updated by any DHCP server for your zone.

    Adding a DHCP server that is also a DC/DNS server just means you have to change more things for no benefit.

    • Edited by MJT NZ Monday, March 18, 2013 11:12 PM
    Monday, March 18, 2013 10:57 PM
  • I'm not going to dispute or argue that if one scenario works without any problems for an installation that's not set up based on the manufacturer's recommendations. If it works for your infrastructure, that is awesome.

    My normal recommendations to everyone are to follow the intended manufacturer's configurations based on their design of their product. After all, they designed it and should know.

    Some of the info conflicts, and I have not updated that article with that statement. Matter of fact, I can't update my blog because that server has been archived.

    The information I gave you is based on what I found from me speaking with the Microsoft group/owners that handles this whole process, it's supposed to be setup as I mentioned.

    I will republish my blog  on my new blog site with the current info and the KBs and Technet articles that have been updated due to my questions to the group, but I haven't got around to it.

    But it's up to you if you want to follow the recommendations or not.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Wednesday, March 20, 2013 6:17 AM