Re: DNS Scavenged all my Service records!
- From: Mike <Mike@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 9 Jun 2008 11:59:01 -0700
Kevin,
I made the changes to our DHCP scope as per your suggestions below, and I
tested a few clients but none have an A record in DNS. Any suggestions?
"Kevin D. Goodknecht Sr. [MVP]" wrote:
Read inline please.

In news:8219e176e0e6e@uwe,
fixitchris via WinServerKB.com <u28526@uwe> typed:
> I have 2 DCs (DC1 and DC2) which are also GCs, DHCP servers and DNS
> servers...
> I think it is set to 4 days, I turned off scavenging for now.

Good. In most cases I see DNS scavenging as an unnecessary process, if the
DHCP clients are properly configured.

> DHCP server is configured to dynamically update DNS....
> I have been tuning the DNS permissions lately. I still have a few MS
> whitepapers to read on the subject. I had a problem where clients in
> DHCP were awaiting DNS registration and that was because the existing
> record for a client included that COMPUTER$ principal to write to DNS
> and the new dynamic update user configured through DHCP was not.
> So this tells me that as of now any domain COMPUTER$ accounts are NOT
> permitted to update the DNS database.
> I have also removed DC1$ and DC2$ from updating DNS databases (I did
> this because I read that if the local server runs both DHCP and DNS
> then they should not be in the DnsUpdateProxy group.)

You need a dedicated user account that is used solely for making DNS
updates, and configure both DHCP servers with these credentials. I would
also recommend this account have an extremely complex, non-expiring password,
to reduce the chance of someone hijacking and misusing the account. Since
the account is dedicated, there will be nobody to tell you if there is a
problem; it may be too late before you discover it.

It is not necessary to reconfigure permissions, and you should be very
careful about how you use Deny permissions: you could end up denying
yourself access due to group memberships.

> So am I right in assuming that 'ipconfig /registerdns' causes the
> DHCP server to register with the DNS and not the client the command
> is executed on?

The command causes the DHCP Client service to register in DNS according to
the settings in your TCP/IP configuration.

> Are you saying that if I configure DHCP to register in DNS and not
> allow clients to do so then I can turn off scavenging?

All I can tell you is that in the 20 or so networks I manage, not one has
scavenging turned on, and none have a problem with stale records, because I
have DNS registrations turned off on all DHCP clients in a GPO (they are in
their own OU); only clients that have static addresses have DDNS enabled.
Most of the clients that are "static" are DHCP clients using reserved DHCP
IP addresses.

Here is an excerpt from a post I recently made:

In addition to using the DNSUpdateProxy group, you should create a new
dedicated user account with a non-expiring password and configure those
credentials on the Advanced tab of the DHCP server properties ***. This
account needs no special or elevated privileges; a normal user is fine.

How to configure DNS dynamic updates in Windows Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;en-us;816592

If you have DHCP properly configured, it will update DNS for all clients,
and allow the DHCP server to remove records for expired or deleted leases.
This is the only way to go for laptops, because those users rarely, if ever,
release their IP lease before disconnecting from the network. Then you end
up with a bunch of records left in DNS. PTRs are the worst, because of
ownership issues: one client cannot update or remove a PTR created by
another client. If you let DHCP register all the records, since it created
the records, it can remove them.

Here is a great article explaining how DHCP and DNS interact, and it tells
why you can disable DDNS on DHCP clients: you are basically making them act
like pre-Windows 2000 clients that cannot register in DNS.

Using DNS servers with DHCP:
http://technet2.microsoft.com/WindowsServer/en/library/d0e19b57-c368-46c2-b017-caf25ae150ec1033.mspx?mfr=true

On all networks I manage, I have cleared the "Register this connection's
addresses in DNS" check box on all DHCP addressed clients, and configured
DHCP to register for the clients.

Here are the recommended DHCP options I use.

In addition to options 003 (Router), 006 (DNS Server), 044 (WINS Servers),
046 (Node Type 0x8) and 015 (DNS Domain Name), I have these:
1. Microsoft Windows 2000 option 001 (0x0)
2. Microsoft Windows 2000 option 002 (0x1)

On the DNS tab of the DHCP server properties ***:
3. Enable DNS updates according to the settings below:
4. Always dynamically update DNS A and PTR records
5. Discard A and PTR records when lease is deleted.
6. Dynamically update DNS A and PTR records for DHCP clients that do not
request updates (for example, clients running Windows NT 4.0)

This final setting is what allows clients that have DNS registrations
disabled in TCP/IP on the DNS tab to be registered in DNS.

These settings even allow my son's Xbox and my DirecTV HR20 DVR, which runs
Linux, to be registered in DNS. (For whatever use it is, it just proves that
DHCP can register for Linux servers.)

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue; to respond directly to
me, remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
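The DHCP-side registration model Kevin lays out above (a dedicated low-privilege update account with a non-expiring password, the server-level DNS tab settings 3 to 6, client registration switched off, and a check that records actually appear) as an added PowerShell example. This is not code from the original thread or from either poster; it assumes Windows Server 2012 or later with the DhcpServer, DnsServer, ActiveDirectory and DnsClient modules available. DC1 and DC2 are the servers named in the thread; the domain name EXAMPLE, the account name svc-dhcpdns, the zone example.local and the interface alias Ethernet are assumptions for illustration.

```powershell
# Added example, not part of the original post. Assumes Windows Server 2012+
# and the DhcpServer / DnsServer / ActiveDirectory / DnsClient modules.
# DC1 and DC2 come from the thread; everything else below is an assumption.
$DhcpServers = 'DC1', 'DC2'
$Domain      = 'EXAMPLE'          # assumed NetBIOS domain name
$UpdateUser  = 'svc-dhcpdns'      # assumed name of the dedicated update account
$Zone        = 'example.local'    # assumed forward lookup zone

# 1. Dedicated, ordinary domain user with a non-expiring password (run once on a
#    DC). Read the password interactively so it never lands in a script file or
#    shell history. No group memberships or delegated rights are needed.
$Password = Read-Host -AsSecureString "Password for $Domain\$UpdateUser"
New-ADUser -Name $UpdateUser -SamAccountName $UpdateUser -AccountPassword $Password `
    -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'DHCP-to-DNS dynamic update account (DHCP server properties, Advanced tab)'
$Cred = New-Object System.Management.Automation.PSCredential("$Domain\$UpdateUser", $Password)

# Caveat: do NOT put DC1$/DC2$ in DnsUpdateProxy. Records registered by members
# of that group are created without an owner ACL, so any authenticated client
# could overwrite them, and a DC in the group registers its own SRV records the
# same way. The dedicated account above is the replacement for that group.

foreach ($Server in $DhcpServers) {
    # 2. Advanced tab: the credentials DHCP presents for every DNS update.
    Set-DhcpServerDnsCredential -ComputerName $Server -Credential $Cred

    # 3. DNS tab, server level (items 3-6 in the post):
    #    DynamicUpdates Always          -> always update A and PTR
    #    DeleteDnsRROnLeaseExpiry $true -> discard A and PTR when the lease is deleted
    #    UpdateDnsRRForOlderClients     -> register for clients that do not request it,
    #                                      i.e. clients with registration cleared
    Set-DhcpServerv4DnsSetting -ComputerName $Server `
        -DynamicUpdates Always `
        -DeleteDnsRROnLeaseExpiry $true `
        -UpdateDnsRRForOlderClients $true
}

# 4. Client side. The per-adapter equivalent of clearing "Register this
#    connection's addresses in DNS"; Kevin does this for a whole OU with the
#    GPO Computer Configuration > Administrative Templates > Network >
#    DNS Client > "Dynamic update" set to Disabled.
Set-DnsClient -InterfaceAlias 'Ethernet' -RegisterThisConnectionsAddress $false

# 5. Verify the server configuration and report drift on each DHCP server.
function Test-DhcpDnsRegistration {
    param([string]$ComputerName)
    $s = Get-DhcpServerv4DnsSetting -ComputerName $ComputerName
    $c = Get-DhcpServerDnsCredential -ComputerName $ComputerName
    [pscustomobject]@{
        Server         = $ComputerName
        DynamicUpdates = $s.DynamicUpdates
        DeleteOnExpiry = $s.DeleteDnsRROnLeaseExpiry
        OlderClients   = $s.UpdateDnsRRForOlderClients
        UpdateAccount  = "$($c.DomainName)\$($c.UserName)"
        Ok             = ($s.DynamicUpdates -eq 'Always' -and
                          $s.DeleteDnsRROnLeaseExpiry -and
                          $s.UpdateDnsRRForOlderClients -and
                          $c.UserName -eq $UpdateUser)
    }
}
$DhcpServers | ForEach-Object { Test-DhcpDnsRegistration $_ } | Format-Table -AutoSize

# 6. Mike's symptom check: after a client renews (ipconfig /renew on the client),
#    confirm the A record exists and that DHCP, not the client, owns it.
function Test-ClientRecord {
    param([string]$HostName, [string]$DnsServer = $DhcpServers[0])
    $rr = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone `
            -Name $HostName -RRType A -ErrorAction SilentlyContinue
    if (-not $rr) { return "$HostName.$Zone : no A record (DHCP did not register it)" }
    "$HostName.$Zone -> $($rr.RecordData.IPv4Address) (registered via DHCP on $DnsServer)"
}
Test-ClientRecord -HostName 'client01'   # assumed host name of a test client
```

Run steps 1 to 3 and 5 from a DHCP-administrator session; step 4 runs on the client (or is replaced by the GPO). If Test-DhcpDnsRegistration reports Ok = False for a server, the DNS tab or the credential was not applied, and clients with registration disabled will never get an A record no matter how often ipconfig /registerdns is run, because with registration cleared that command is a no-op on the client.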