Currently we are seeing duplicate DNS records for multiple DNS zones. This is specific to our VPN IP scopes, as other scopes do not appear to have this problem. In an effort to correct this issue, as it appears to be occurring from DHCP not being able to update/delete DNS records due to the client being the owner of the record, the below steps have been implemented.

DHCP lease time adjusted to 8 days from previously 1 day
DNS scavenging adjusted to "No Refresh + Refresh" = DHCP lease - 1 day
3 days (no-refresh) + 4 days (refresh) and 1 day scavenging

This is a smaller environment with approx 1200 endpoints, so the slightly more aggressive DNS intervals are not a concern. I also implemented Dynamic DNS Updates per the below MVP blog, but oddly the owner of all DNS records changed from SYSTEM as the owner to being self owned, rather than being owned by the DHCP server. The DNS duplicate issue is still occurring, which I'm assuming is due to the DHCP server not owning the DNS records and deleting them when their lease expires or updating when the IP is reassigned. Searched around quite a bit on this one and I'm stumped at this point. Anyone have any thoughts/suggestions to get DNS records to be properly owned by the DHCP?

Greg

It doesn't necessarily sound like a permissions issue to me, to be honest. Happy to be wrong but I'll explain why I say that.

Behind the DNS Server service, the records are stored in an Active Directory partition - which I'm sure you already know (typically, they'll be in the DC=DomainDnsZones. What you see as two (or more) records in the DNS management console (or PowerShell) is actually just a single object within that AD partition, so from a permissions perspective, if you're seeing any kind of change at all, be that adding a new record (what you're seeing), changing an existing one, or deleting a record, then permissions aren't the issue. Here's a quick visual example of what I'm talking about as seen via ldp.exe when looking at my DNS record, where you can see (in blue) that there's two entries held within the single AD object.

What that leads me to believe in your situation is that something is explicitly requesting the addition of the VPN-based IP address rather than the updating of any existing value, and that is something I've seen VPN products do before.

Looking at a different scenario to further explain permissions, when you have one client that's been issued the IP address that another client had previously but didn't de-register, that new client (this is assuming it's a Windows domain-joined client pointing at a writeable domain controller, in which case the default is to perform a dynamic update) cannot update the existing record, nor does it try to create a new one. While I'm probably making myself look silly by stating the obvious, this is because the new client does not have permissions to the backing AD object - which DNS honours and DHCP behaviour varies depending on configuration.

Are the VPN clients pointing to writeable domain controllers for DNS? If so, then I am at a bit of a loss for the time being since they should be updating their own records directly - assuming the VPN adapter isn't precluded from doing so - but if not, then what you're describing does make sense.

You should be able to check your VPN client adapter's DNS registration configuration by running:

Get-DnsClient | ft -AutoSize InterfaceAlias, RegisterThisConnectionsAddress, UseSuffixWhenRegistering, ConnectionSpecificSuffix

Again, this is only relevant if the VPN client is pointing at writeable domain controllers.

Won't pretend to be familiar with the AD partition on the backend or the ldp.exe tool :) However, when I do look at records in DNS Manager and each of these records is owned by itself, I would think they would have to be separate records. See the below image which shows two DNS records for different clients, both have the same IP registered and their permissions show them to be the Owner of their DNS records.

This is part of my confusion as the information in the below article clearly states DHCP must own the DNS records, which I've seen screenshots from other posts showing where the DNS record owner is listed as DHCPSERVER$

DHCP must own the record, not the client. This is done by configuring DHCP to register all DHCP clients, whether the client supports Dynamic Updates or not. As long as DHCP owns the record, can keep the records in the FLZ and RLZ up to date when the client renews its lease, same IP or different IP. Otherwise you'll see duplicate A and PTR records in DNS, whether scavenging is enabled or not.

Also - all of these clients are domain-joined and we do not have any RODC in our

Otherwise, I feel like this is going to be an issue with the VPN server, possibly in conjunction with how DNS registration has been configured on the DHCP server.

Edited: Spelling

righteo - that makes sense.
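As an added example (not code from this thread or from the MVP article it cites), the PowerShell audit below ties the two points of the discussion together: it finds IPs registered under more than one hostname in a zone, reads the owner of each record's backing dnsNode object in the AD partition the reply describes (client computer account versus DHCP server account), and then dumps the DHCP scope's DNS registration settings. The zone name, scope ID and DHCP server name are placeholders, and the zone is assumed to be AD-integrated and stored in DomainDnsZones.

```powershell
# Added audit script (not from the thread). Assumed placeholders: zone
# 'corp.example.com', VPN scope 10.50.0.0, DHCP server 'dhcp01'.
# Requires the DnsServer, DhcpServer and ActiveDirectory modules (RSAT).
Import-Module DnsServer, DhcpServer, ActiveDirectory -ErrorAction Stop

$Zone       = 'corp.example.com'
$DhcpServer = 'dhcp01'
$ScopeId    = '10.50.0.0'
$DomainDN   = (Get-ADDomain).DistinguishedName

# 1. Group A records by IP. More than one hostname on the same IP is the
#    duplicate condition from the original post: an old lease that was never
#    de-registered plus a new client that could not update the existing node.
$dupes = Get-DnsServerResourceRecord -ZoneName $Zone -RRType A |
    Group-Object { $_.RecordData.IPv4Address.IPAddressToString } |
    Where-Object Count -gt 1

foreach ($group in $dupes) {
    Write-Host "IP $($group.Name) is registered under $($group.Count) names:"
    foreach ($rr in $group.Group) {
        # Each record lives in a dnsNode object named after the host, under the
        # zone container in the DomainDnsZones partition (assumed location).
        # The object's owner shows who registered it: the client's own computer
        # account (HOST$) or the DHCP server (DHCPSERVER$ / its update account).
        $nodeDN = "DC=$($rr.HostName),DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN"
        try   { $owner = (Get-Acl -Path "AD:\$nodeDN").Owner }
        catch { $owner = 'n/a (node not found in DomainDnsZones, or no read access)' }
        # Timestamp is empty for static records, which scavenging never removes.
        Write-Host ("  {0,-28} timestamp={1,-20} owner={2}" -f $rr.HostName, $rr.Timestamp, $owner)
    }
}

# 2. DHCP-side view for the VPN scope. DHCP only becomes the record owner when
#    it performs the registration itself (DynamicUpdates = Always registers
#    every client, whether or not the client asked for a dynamic update), and
#    only a configured credential lets it clean up on lease expiry across DCs.
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $ScopeId |
    Select-Object DynamicUpdates, DeleteDnsRRonLeaseExpiry, UpdateDnsRRForOlderClients, NameProtection
Get-DhcpServerDnsCredential -ComputerName $DhcpServer
```

Run it on a domain-joined admin workstation with RSAT; records whose owner is a client computer account rather than the DHCP server are the ones DHCP cannot update or delete when the lease turns over.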