Discussion:
A/D Dynamic DNS Update Problems
Trevor
2009-02-11 16:43:06 UTC
Environment:
Server 2003 SP2 DCs
2003 Functional Domain/Forest Level
Server 2003 Member Servers

Issue:
I am investigating why dynamic DNS updates aren't working correctly on our
internal network so we can enable DNS scavenging. Scavenging IS NOT
currently enabled, so my understanding is that the timestamp attribute should
be updated whenever the ipconfig /registerdns command is run. However, the
timestamp attribute is not updating - in fact, some are showing the last
update as > 2 years ago. In looking at the ACL for the DNS A record, the
host server is not on the ACL for the A record - which seems incorrect.

In my personal test domain, I can see that all the clients' A records have
the client itself in the security ACL. My question is, why aren't our
production ACLs correct? Even by manually adding the correct ACL entry and
granting FULL ACCESS rights, the timestamp attribute doesn't update.

Suggestions and ideas welcome!
Jorge Silva
2009-02-11 19:05:29 UTC
Hi
Generally DNS records for clients are registered by the DHCP server that
uses a dedicated account to register those DNS records on behalf of the
clients; that account becomes the owner of those records. One common problem
is when the dedicated account used by the DHCP server has its password expire
or it's removed and invalidated. Is this your case?
--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
Trevor
2009-02-11 19:51:05 UTC
My understanding was that the DHCP server only registers those records if the
client requests it - and that by default XP clients don't request the DHCP
server to do that. Am I incorrect in that assumption?

Also, the initial machine I was troubleshooting was a Windows 2003 server
that has a statically assigned IP address, so the DHCP server would be out of
the picture.

As far as the client PCs that aren't updating their timestamps, it doesn't
appear that the DHCP server is owner of any of the records I've checked, so I
don't think that an account was specified for DNS updates.
Jorge Silva
2009-02-11 20:41:22 UTC
When I say DHCP clients, I do not refer to static IP clients. By default XP
clients request IPs from an available DHCP server, and the DHCP server takes
care of the rest.

Ok, if the machine was a static IP machine then DHCP is out of question.
Make sure that the servers in question are the owners of the record. When a
DNS record is created by a new client, the NoRefresh interval is in effect.
When the client dynamically updates its DNS information in this situation,
the client's DNS time stamp is not updated until the Refresh interval takes
effect. This behavior prevents the replication of lots of DNS objects in the
Active Directory directory service. During the Refresh interval, the
client's DNS time stamp is updated. During the Scavenging interval, old DNS
resource records are automatically deleted.

If you delete the record and run from cmd ipconfig /registerdns, what
happens?

Additionally check:
http://support.microsoft.com/kb/932464
--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
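
The aging windows described in the reply above, as an added example that is not part of the original thread: a small model that classifies a record by the age of its timestamp and shows when a re-registration would rewrite it. It assumes 7-day NoRefresh and Refresh intervals, timestamps counted in whole hours since 1601-01-01 UTC with 0 marking a static record, and that the update is permitted by the record's ACL; all function names and sample records are hypothetical.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumed zone aging settings (7 days each, the Windows DNS default).
NO_REFRESH = timedelta(days=7)
REFRESH = timedelta(days=7)

def to_dns_hours(when):
    """Encode a UTC datetime as whole hours since 1601-01-01."""
    return int((when - EPOCH_1601).total_seconds() // 3600)

def from_dns_hours(hours):
    """Decode a record timestamp; 0 marks a static record with no timestamp."""
    return None if hours == 0 else EPOCH_1601 + timedelta(hours=hours)

def aging_state(ts_hours, now, no_refresh=NO_REFRESH, refresh=REFRESH):
    """Classify a record by the age of its timestamp."""
    stamped = from_dns_hours(ts_hours)
    if stamped is None:
        return "static"          # never aged
    age = now - stamped
    if age < no_refresh:
        return "no-refresh"      # registrations accepted, timestamp kept
    if age < no_refresh + refresh:
        return "refresh"         # next registration rewrites the timestamp
    return "stale"               # past both windows: scavenging candidate

def timestamp_after_registration(ts_hours, now, **intervals):
    """Timestamp after the owner re-registers unchanged data.
    Assumes the record ACL lets the update through; static records are
    outside this model and are returned unchanged."""
    if aging_state(ts_hours, now, **intervals) in ("static", "no-refresh"):
        return ts_hours
    return to_dns_hours(now)

# Constructed sample data: host names and ages are invented for illustration.
NOW = datetime(2009, 2, 11, 17, 0, tzinfo=timezone.utc)
SAMPLE = {
    "new-client": to_dns_hours(NOW - timedelta(days=2)),
    "week-old": to_dns_hours(NOW - timedelta(days=10)),
    "two-years": to_dns_hours(NOW - timedelta(days=800)),
    "manual-entry": 0,
}

def audit(records, now):
    """Map each record name to its aging state."""
    return {name: aging_state(ts, now) for name, ts in records.items()}

if __name__ == "__main__":
    for name, state in audit(SAMPLE, NOW).items():
        print(f"{name:13} {state}")
```

In this model a timestamp more than two years old is already past the NoRefresh window, so the NoRefresh rule alone does not account for a timestamp that stays unchanged after a registration.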