DNS update : DHCP or Client

Hi,
I would like to know in the case where a PC is configured to use dhcp but to
update it's A record in DNS (Register this connection's addresses in DNS)
and at the same time DHCP is configured to (Always dynamically update DNS A &
PTR record).
Which one of them (PC or dhcp) will actually update the A record ?
Note : DNS is AD integrated and Secure Only.

Thanks for assistance,
Luca

Hi Luca,

The DHCP Server updates the record in that instance. It takes precedence
over any client settings.

Only if you told the DHCP server not to update would the DHCP Client
service perform the update.

Chris

Luca wrote:
> Hi,
> I would like to know in the case where a PC is configured to use dhcp but to
> update it's A record in DNS (Register this connection's addresses in DNS)
> and at the same time DHCP is configured to (Always dynamically update DNS A &
> PTR record).
> Which one of them (PC or dhcp) will actually update the A record ?
> Note : DNS is AD integrated and Secure Only.
>
> Thanks for assistance,
> Luca

Thanks Chris,
May I ask another question ?
In our case I see in the dhcp logs regularly "DNS update failed" and see
that DNS is not updated consistently, that is: when workstations connect they
get an IP from dhcp and their DNS "A" & "PTR" record is created successfully,
but then if the workstations is moved to a new subnet (ie. laptops moving
between wireless and wired network) they register correctly with dhcp and get
an IP but their record is not updated in DNS. The PC functions correctly, but
if one looks for the PC by FQDN the DNS returns the old address instead of
the new one.

I am running out of ideas about how to address this issue, any hints would
be most welcome.

Luca

"Chris Dent" wrote:

>
> Hi Luca,
>
> The DHCP Server updates the record in that instance. It takes precedence
> over any client settings.
>
> Only if you told the DHCP server not to update would the DHCP Client
> service perform the update.
>
> Chris
>
> Luca wrote:
> > Hi,
> > I would like to know in the case where a PC is configured to use dhcp but to
> > update it's A record in DNS (Register this connection's addresses in DNS)
> > and at the same time DHCP is configured to (Always dynamically update DNS A &
> > PTR record).
> > Which one of them (PC or dhcp) will actually update the A record ?
> > Note : DNS is AD integrated and Secure Only.
> >
> > Thanks for assistance,
> > Luca
>

I thought I'd posted a response to this yesterday, sorry for the delay
getting back to you.

Typically, if you have 2 DHCP servers, and if they both run MS DHCP they
should be configured with fixed credentials for performing updates.

To set credentials you'll need to create a regular user account, then
open the DHCP console, select the server properties then Advanced. The
Add the username and password into the Credentials option.

If they don't both run MS DHCP then you choices are a bit more limited.
My preferred option would be to stop the current DHCP server updating
DNS. Once done the client will issue Refresh Requests via the DHCP
Client service (anything from Windows 2000 and up will be able to do this).

In both cases the change can take a while to kick in as the new
credentials will not have permission to update / refresh records created
before the credentials were set.

If you have Aging and Scavenging configured that just requires a bit of
patience.

The other options are DNSUpdateProxy or allowing non-secure dynamic
updates. I would avoid these unless clients updating is not an option or
impractical.

Chris


Luca wrote:
> Thanks Chris,
> May I ask another question ?
> In our case I see in the dhcp logs regularly "DNS update failed" and see
> that DNS is not updated consistently, that is: when workstations connect they
> get an IP from dhcp and their DNS "A" & "PTR" record is created successfully,
> but then if the workstations is moved to a new subnet (ie. laptops moving
> between wireless and wired network) they register correctly with dhcp and get
> an IP but their record is not updated in DNS. The PC functions correctly, but
> if one looks for the PC by FQDN the DNS returns the old address instead of
> the new one.
>
> I am running out of ideas about how to address this issue, any hints would
> be most welcome.
>
> Luca
>
> "Chris Dent" wrote:
>
>> Hi Luca,
>>
>> The DHCP Server updates the record in that instance. It takes precedence
>> over any client settings.
>>
>> Only if you told the DHCP server not to update would the DHCP Client
>> service perform the update.
>>
>> Chris
>>
>> Luca wrote:
>>> Hi,
>>> I would like to know in the case where a PC is configured to use dhcp but to
>>> update it's A record in DNS (Register this connection's addresses in DNS)
>>> and at the same time DHCP is configured to (Always dynamically update DNS A &
>>> PTR record).
>>> Which one of them (PC or dhcp) will actually update the A record ?
>>> Note : DNS is AD integrated and Secure Only.
>>>
>>> Thanks for assistance,
>>> Luca

"Chris Dent" <> wrote in message
news:%...
>
> I thought I'd posted a response to this yesterday, sorry for the delay
> getting back to you.
>
> Typically, if you have 2 DHCP servers, and if they both run MS DHCP they
> should be configured with fixed credentials for performing updates.
>
> To set credentials you'll need to create a regular user account, then open
> the DHCP console, select the server properties then Advanced. The Add the
> username and password into the Credentials option.
>
> If they don't both run MS DHCP then you choices are a bit more limited. My
> preferred option would be to stop the current DHCP server updating DNS.
> Once done the client will issue Refresh Requests via the DHCP Client
> service (anything from Windows 2000 and up will be able to do this).
>
> In both cases the change can take a while to kick in as the new
> credentials will not have permission to update / refresh records created
> before the credentials were set.
>
> If you have Aging and Scavenging configured that just requires a bit of
> patience.
>
> The other options are DNSUpdateProxy or allowing non-secure dynamic
> updates. I would avoid these unless clients updating is not an option or
> impractical.
>
> Chris

Chris, good point about previous records. Luca may choose to delete the
older records and allow the workstations to refresh their records, as well
as institute DNS Scavenging using the default 7 day values.

Ace

Hi Chris,
Sorry for the late response, busy days.
Actually both servers run MS dhcp and are set to use a specific account (the
same), the account is also a member of DnsUpdateProxy group and yet after the
first DNS registration the subsequent registrations fail.
Luca

"Chris Dent" wrote:

>
> I thought I'd posted a response to this yesterday, sorry for the delay
> getting back to you.
>
> Typically, if you have 2 DHCP servers, and if they both run MS DHCP they
> should be configured with fixed credentials for performing updates.
>
> To set credentials you'll need to create a regular user account, then
> open the DHCP console, select the server properties then Advanced. The
> Add the username and password into the Credentials option.
>
> If they don't both run MS DHCP then you choices are a bit more limited.
> My preferred option would be to stop the current DHCP server updating
> DNS. Once done the client will issue Refresh Requests via the DHCP
> Client service (anything from Windows 2000 and up will be able to do this).
>
> In both cases the change can take a while to kick in as the new
> credentials will not have permission to update / refresh records created
> before the credentials were set.
>
> If you have Aging and Scavenging configured that just requires a bit of
> patience.
>
> The other options are DNSUpdateProxy or allowing non-secure dynamic
> updates. I would avoid these unless clients updating is not an option or
> impractical.
>
> Chris
>
>
> Luca wrote:
> > Thanks Chris,
> > May I ask another question ?
> > In our case I see in the dhcp logs regularly "DNS update failed" and see
> > that DNS is not updated consistently, that is: when workstations connect they
> > get an IP from dhcp and their DNS "A" & "PTR" record is created successfully,
> > but then if the workstations is moved to a new subnet (ie. laptops moving
> > between wireless and wired network) they register correctly with dhcp and get
> > an IP but their record is not updated in DNS. The PC functions correctly, but
> > if one looks for the PC by FQDN the DNS returns the old address instead of
> > the new one.
> >
> > I am running out of ideas about how to address this issue, any hints would
> > be most welcome.
> >
> > Luca
> >
> > "Chris Dent" wrote:
> >
> >> Hi Luca,
> >>
> >> The DHCP Server updates the record in that instance. It takes precedence
> >> over any client settings.
> >>
> >> Only if you told the DHCP server not to update would the DHCP Client
> >> service perform the update.
> >>
> >> Chris
> >>
> >> Luca wrote:
> >>> Hi,
> >>> I would like to know in the case where a PC is configured to use dhcp but to
> >>> update it's A record in DNS (Register this connection's addresses in DNS)
> >>> and at the same time DHCP is configured to (Always dynamically update DNS A &
> >>> PTR record).
> >>> Which one of them (PC or dhcp) will actually update the A record ?
> >>> Note : DNS is AD integrated and Secure Only.
> >>>
> >>> Thanks for assistance,
> >>> Luca
>

"Luca" <> wrote in message news:BB7D60BC-6ED7-47C7-95BF-...
> Hi Chris,
> Sorry for the late response, busy days.
> Actually both servers run MS dhcp and are set to use a specific account (the
> same), the account is also a member of DnsUpdateProxy group and yet after the
> first DNS registration the subsequent registrations fail.
> Luca

Did you add credentials to both DHCP servers? Have you confirmed this took effect, and in fact the first registration attempt was actually owned by DHCP, and not the workstation? If it didn't take effect, then that means DHCP still doesn't own the record, therefore cannot update it.

Ace

Hi Ace,
Yes both servers have the same credentials. For testing purposes we actually
deleted all traces in dhcp and dns of a specific PC, and repeated the process
and can reproduce the error.

"Ace Fekay [MCT]" wrote:

> "Luca" <> wrote in message news:BB7D60BC-6ED7-47C7-95BF-...
> > Hi Chris,
> > Sorry for the late response, busy days.
> > Actually both servers run MS dhcp and are set to use a specific account (the
> > same), the account is also a member of DnsUpdateProxy group and yet after the
> > first DNS registration the subsequent registrations fail.
> > Luca
>
> Did you add credentials to both DHCP servers? Have you confirmed this took effect, and in fact the first registration attempt was actually owned by DHCP, and not the workstation? If it didn't take effect, then that means DHCP still doesn't own the record, therefore cannot update it.
>
> Ace
>
>
>

"Luca" <> wrote in message news:8A6D8FF6-8008-4284-BDDA-...
> Hi Ace,
> Yes both servers have the same credentials. For testing purposes we actually
> deleted all traces in dhcp and dns of a specific PC, and repeated the process
> and can reproduce the error.

If you add the DHCP servers themselves to the DnsUpdateProxy group, does it work?

Ace

Yes, we had the servers in there also but the result was the same.
Should we give any specific permission to DnsUpdateProxy group or is it
built-in?

A few notes about DNS config, Both DNS & DHCP are installed on the domain
controllers.
The AD domain is called let’s say “MyCo.Local� (single domain), in terms of
DNS locations are identified by a location id ex. NewYork would be “NY�
giving us the DNS suffix “ny.myco.local�.
PCs are joining the AD domain “MyCo.Local� but dhcp is providing
“ny.myco.local� as DNS suffix and registering them as “pcname.ny.myco.local�.
Could the problem be in the above ?


"Ace Fekay [MCT]" wrote:

> "Luca" <> wrote in message news:8A6D8FF6-8008-4284-BDDA-...
> > Hi Ace,
> > Yes both servers have the same credentials. For testing purposes we actually
> > deleted all traces in dhcp and dns of a specific PC, and repeated the process
> > and can reproduce the error.
>
> If you add the DHCP servers themselves to the DnsUpdateProxy group, does it work?
>
> Ace
>
>
>