Re: Duplicate HOST A record entries on the reverse lookup Zone
- From: "Ace Fekay [MCT]" <aceman@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 20 Aug 2009 10:19:17 -0400
"aMIT" <aMIT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:54F4D5CE-5FF9-4167-A610-EB7D9958814F@xxxxxxxxxxxxxxxx
HI,
As suggested, I did both the options:
1. Configured scavenging on the faulty DNS reverse lookup zones, not less
than 24, and did the manual start scavenging of the stale resource records,
but still the duplicate IPs and names are there.
2. Used the DHCP server to update DNS records, selecting the below options:
a) Select the "Dynamically update DNS A and PTR records only if requested by
the DHCP clients" check box, which is located in Properties on the DNS tab on
the applicable DHCP server or on one of its scopes.
b) Discard A and PTR records when the lease is deleted.
BUT STILL there are duplicate IPs and names.
You will need to delete any existing ones. Also you have to force DHCP to own the record it registers, otherwise it cannot update it, therefore it creates a dupe. Until you address that, the dupe issue will continue. Meinolf's second link explains this. Did you get a chance to read it?
For your convenience, the following is my blog on it. I hope it helps. I left the timestamps portion out of it. (Some of the links were already provided by Chris and Meinolf in the 'related links' section.)
==================================================================
DHCP, Dynamic DNS Updates, Scavenging, static entries & timestamps, and the DnsUpdateProxy Group
---
By Ace Fekay, MCT, MCTS Exchange 2007, MCSE & MCSA 2000/2003, MCSA Messaging
First compiled 4/2006
Updated 7/2009
---
Keep in mind, the entity that registers the record in DNS, owns the record.
By default, Windows 2000 and newer statically configured machines will
register their A record (hostname) and PTR (reverse entry) into DNS.
If set to DHCP, Windows 2000 and newer machines will request DHCP so that
the machine itself will register its own A record, but DHCP will register
its PTR record.
However, you can configure DHCP to update the record for the client, no
matter what the client asks. One problem with that, though: if the client
shuts down, and later on when it comes back up past the lease time, it may
get a different IP address. What happens here is a duplicate A record gets
created with the new IP. This happens even though DHCP registered the
record. This is because DHCP doesn't own the record, the client does, even
though DHCP registered it.
What we want to do to keep DNS clean without additional records
with the same name but different IP address in DNS, is to configure
DHCP to own the record, so it can keep it up to date.
The nice thing about DHCP owning the record is it will update it if DHCP
gives the machine a new IP. Otherwise you'll see multiples of the same in DNS
whether scavenging is enabled or not. I would force DHCP to own the record as
well as enable scavenging to keep it clean.
To force DHCP to own the record, you have two options: Option 1 is to add the
DHCP server to the DnsUpdateProxy group. However this is a security risk if
DHCP is on a DC. And Option 2, which is preferred, whether DHCP is on a DC or
not, is to create a user account for the sole purpose of using it as credentials
that DHCP will use to update records. This is a regular Domain User account, and
not an admin account.
Option 1:
1. Add the DHCP server to the DnsUpdateProxy Group.
2. Force DHCP to register all records, Forward and PTR, (whether a client
machine can do it or not) in the Option 081 tab (DHCP properties, DNS tab).
3. Set Option 015 to the AD domain name (such as example.com).
4. Set Option 006 to only the internal DNS servers.
5. If the zone is set for Secure Updates Only, then DHCP cannot update
non-Microsoft clients and Microsoft clients that are not joined to the
domain. In this case, you will need to create and configure a user account
for use as credentials for DHCP to register such clients.
Option 2:
(Steps 1 and 2 are for Windows 2003)
1. In AD, create and configure a dedicated Domain User account to use as
credentials in DHCP. The user account does not need any elevated rights, a normal
user account is fine, however I recommend using a Strong non-expiring password on
the account.
2. In the DHCP Console, DHCP server properties, select the Advanced tab, click
the Credentials button, and provide the account's credentials.
3. If using Windows 2000, it must be done with the Netsh command. Windows 2003
and newer can also be done with the Netsh command, if you desire.
Providing DHCP credentials, or using the DnsUpdateProxy group, will also allow
DHCP to register Win9x machines, as well as non-Windows machines, such as Linux,
OSx (BIND based), and other Unix flavors.
With regards to the DnsUpdateProxy Group, as said, this is one method, but normally, for
the most part, it is not advised to use it as it weakens security, including the
DC records if DHCP is on a DC. Preferably, configure DHCP with an account.
Once you've implemented scavenging, you will need to wait at least a week for it to
take effect. You can quicken it up by manually deleting the incorrect records to
give yourself a head start.
Configuring credentials or using the DnsUpdateProxy group will alleviate another
issue: if DHCP is on a DC, it will not overwrite the original host record for a
machine getting a new lease with an IP previously belonging to another host.
======
Scavenging
Scavenging is a feature that will remove expired records based on their Timestamps.
Scavenging is not enabled by default.
To set aging and scavenging properties for a DNS server using the DNS Console:
1. In the DNS console, right-click the DNS server name, and choose
"Set Aging/Scavenging for All Zones".
2. Select the Scavenge stale resource records check box.
3. You can now either choose to set Scavenging for all zones, or choose No, and
manually set each zone individually. I suggest setting it for all zones.
4. It's recommended to go with the defaults of 7 days. If you choose to change it,
it should reflect and stay in line with DHCP's lease times. Now I've never found
anything specific stating this, but keeping the scavenge setting to the lease minus
one day, ensures that records will be deleted one day before lease renewal so it
will be deleted if that record were actually not in use by a client, and has
expired. If still in use, it will go through the scavenging refresh period and
scavenge lifetime until the next expiration time.
The following related links provide additional information on how it all works.
How to configure DNS dynamic updates in Windows Server 2003.
http://support.microsoft.com/kb/816592
Using DNS Aging and Scavenging
Aging and scavenging of stale resource records are features of Domain Name System (DNS) that are available when you deploy your server with primary zones.
http://technet.microsoft.com/en-us/library/cc757041.aspx
Microsoft Enterprise Networking Team : Don't be afraid of DNS, Mar 19, 2008
DNS Scavenging is a great answer to a problem that has been nagging everyone since RFC 2136 came out in 1997.
http://blogs.technet.com/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx
DHCP, DNS and the DNSUpdateProxy-Group - Directory Services/Active ...
I had a discussion in the Newsgroups lately about DHCP and the DNSUpdateProxy-Group which is
used to write unsecured DNS-Entries to a DNS-Zone which only ...
http://msmvps.com/ulfbsimonweidner/archive/2004/11/15/19325.aspx
And from Kevin Goodnecht:
Setting up DHCP for DNS registrations
http://support.wftx.us/setting_up_dhcp_for_dns_registra.htm
317590 - HOW TO Configure DNS Dynamic Update in Windows 2000 and DNSUpdateProxy Group:
http://support.microsoft.com/kb=317590
816592 - How to configure DNS dynamic updates in Windows Server 2003:
http://support.microsoft.com/kb/816592
Follow up discussion on the DNSUpdateProxy-Group:
http://msmvps.com/ulfbsimonweidner/archive/2005/03/26/39841.aspx
==================================================================
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
Please reply back to the newsgroup or forum to benefit from collaboration among responding engineers, and to help others benefit from your resolution.
Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer
For urgent issues, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
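The following is an added example, not part of Ace's post or blog: it applies Option 2 (a dedicated domain user as DHCP's DNS update credential, DHCP always registering A and PTR and discarding them on lease deletion) and the server-wide aging and scavenging settings from the Scavenging section, using the netsh and dnscmd commands the post refers to. The server names DC01 (DNS) and DHCP01, the domain CONTOSO, the account svc-dhcpdns, the reverse zone 10.10.in-addr.arpa and the stale PTR record at the end are all constructed for illustration; run it elevated on the DHCP server and check the parameter names against `netsh dhcp server set dnsconfig /?` on your build.

```powershell
# Added example: Option 2 plus scavenging via netsh/dnscmd (Windows Server 2003 and later).
# All names below are assumptions for illustration, not values from the original post.
$DnsServer   = 'DC01'                # DNS server hosting the zones
$DnsDomain   = 'CONTOSO'             # NetBIOS domain of the DHCP update account
$DhcpAccount = 'svc-dhcpdns'         # plain Domain User, no elevated rights, non-expiring strong password
$ReverseZone = '10.10.in-addr.arpa'  # reverse zone for 10.10.0.0/16, the one showing duplicates

# netsh needs the password in clear text; prompt without echoing it to the console.
$Secure = Read-Host -AsSecureString "Password for $DnsDomain\$DhcpAccount"
$Bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
$Plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto($Bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)

# --- DHCP side: DHCP registers with its own credentials, so DHCP owns the records it creates.
netsh dhcp server set dnscredentials $DhcpAccount $DnsDomain $Plain
# Enable=1: DHCP performs dynamic updates; Update=2: always update A and PTR regardless of
# what the client requests; Delete=1: discard A/PTR when the lease is deleted;
# Dnsupdatedownlevel=1: also register clients that cannot request updates themselves.
netsh dhcp server set dnsconfig Enable=1 Update=2 Delete=1 Dnsupdatedownlevel=1
netsh dhcp server show dnscredentials      # check: prints the account and domain just set

# --- DNS side: aging on by default, 7-day no-refresh + 7-day refresh (the defaults Ace
# recommends), and a scavenging pass every 7 days. dnscmd intervals are in hours: 168 = 7 days.
dnscmd $DnsServer /Config /DefaultAgingState 1
dnscmd $DnsServer /Config /DefaultNoRefreshInterval 168
dnscmd $DnsServer /Config /DefaultRefreshInterval 168
dnscmd $DnsServer /Config /ScavengingInterval 168
# Defaults only apply to new zones; switch aging on explicitly for the faulty reverse zone.
dnscmd $DnsServer /Config $ReverseZone /Aging 1
dnscmd $DnsServer /ZoneInfo $ReverseZone /Aging  # check: expect "Aging = 1"

# Scavenging only removes records whose timestamp is older than NoRefresh + Refresh, so the
# duplicates already present are removed by hand for a head start. Constructed example: a
# stale PTR for host ws-017 at 10.10.4.23 (node name is the host octets reversed: 23.4).
dnscmd $DnsServer /RecordDelete $ReverseZone 23.4 PTR ws-017.contoso.com. /f
```

After a week (the first full no-refresh plus refresh period), records that no client or DHCP has refreshed are scavenged automatically; the timestamp on a record can be read with `dnscmd $DnsServer /EnumRecords $ReverseZone @ /Type PTR /Additional`.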