PRT records being removed

We have 1 DHCP server for the clients on several different subnets. The
properties of the DHCP server are "checked" as follows...
-Enable DNS dynamic updates according to the settings below.
-Always dynamically update DNS A and PTR records.
-Discard A and PTR records when lease is deleted
-Dynamically update DNS A and PTR records for DHCP clients that do not
request...

We have an account in the "DNSPROXYUPDATE" group along with the DHCP Server
and have set the credentials on the advanced tab on the properties pages of
the DHCP server.

All reverse lookup zones/subnets are/have been created. Scavanging is set
to default (7 days) and DHCP leases are for 2 days.

We have a few PTR records in some subnets and none in others. There should
be at least 50 per records per subnet.

A few months ago they were populated and now there aren't any. Any ideas?

The forward records are fine.

Thanks,
Brian

"BrianB" <> wrote in message
news:C5C9F6D8-D06B-4595-8C5B-...
> We have 1 DHCP server for the clients on several different subnets. The
> properties of the DHCP server are "checked" as follows...
> -Enable DNS dynamic updates according to the settings below.
> -Always dynamically update DNS A and PTR records.
> -Discard A and PTR records when lease is deleted
> -Dynamically update DNS A and PTR records for DHCP clients that do not
> request...
>
> We have an account in the "DNSPROXYUPDATE" group along with the DHCP
> Server
> and have set the credentials on the advanced tab on the properties pages
> of
> the DHCP server.
>
> All reverse lookup zones/subnets are/have been created. Scavanging is set
> to default (7 days) and DHCP leases are for 2 days.
>
> We have a few PTR records in some subnets and none in others. There
> should
> be at least 50 per records per subnet.
>
> A few months ago they were populated and now there aren't any. Any ideas?
>
> The forward records are fine.
>
> Thanks,
> Brian
>
>

What may have changed between a few months ago and today?

Do you have more than one DHCP server? I ask because you stated you have
more than one subnet.

Do you have more than one reverse zone, or a single zone such as, 10.10.x.x,
and for example, 10.10.20.x records are registered under a "20" folder under
the 10.10.x.x zone?

I assume updates are allowed in the reverse zone(s).


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.

Hey Ace,

Prior to May 9th, 2009 there were no PTR records.
We then set the DNS updates for "secure and non-secure" and configured the
DNSUPDATEPROXY. Over time the PTR records were being populated. We just
checked recently to find that most are no longer there, hence the question.

Other than the changes on the 9th of May, nothing changed.

We use only 1 DHCP server.

We have multiple reverse lookup zones, but all the users fall under
20.20.x.x zone, such as 20.20.10.x and 20.20.11.x. Verified that we don't
have a zone and a subfolder for subnet.

Thanks,
Brian

"Ace Fekay [MCT]" wrote:

> "BrianB" <> wrote in message
> news:C5C9F6D8-D06B-4595-8C5B-...
> > We have 1 DHCP server for the clients on several different subnets. The
> > properties of the DHCP server are "checked" as follows...
> > -Enable DNS dynamic updates according to the settings below.
> > -Always dynamically update DNS A and PTR records.
> > -Discard A and PTR records when lease is deleted
> > -Dynamically update DNS A and PTR records for DHCP clients that do not
> > request...
> >
> > We have an account in the "DNSPROXYUPDATE" group along with the DHCP
> > Server
> > and have set the credentials on the advanced tab on the properties pages
> > of
> > the DHCP server.
> >
> > All reverse lookup zones/subnets are/have been created. Scavanging is set
> > to default (7 days) and DHCP leases are for 2 days.
> >
> > We have a few PTR records in some subnets and none in others. There
> > should
> > be at least 50 per records per subnet.
> >
> > A few months ago they were populated and now there aren't any. Any ideas?
> >
> > The forward records are fine.
> >
> > Thanks,
> > Brian
> >
> >
>
> What may have changed between a few months ago and today?
>
> Do you have more than one DHCP server? I ask because you stated you have
> more than one subnet.
>
> Do you have more than one reverse zone, or a single zone such as, 10.10.x.x,
> and for example, 10.10.20.x records are registered under a "20" folder under
> the 10.10.x.x zone?
>
> I assume updates are allowed in the reverse zone(s).
>
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Please reply back to the newsgroup or forum for collaboration benefit among
> responding engineers, and to help others benefit from your resolution.
>
> Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
> 2003/2000, MCSA Messaging 2003
> Microsoft Certified Trainer
>
> For urgent issues, please contact Microsoft PSS directly. Please check
> http://support.microsoft.com for regional support phone numbers.
>
>
> .
>

"BrianB" <> wrote in message
news:C4A40440-7702-4AB1-9274-...
> Hey Ace,
>
> Prior to May 9th, 2009 there were no PTR records.
> We then set the DNS updates for "secure and non-secure" and configured the
> DNSUPDATEPROXY. Over time the PTR records were being populated. We just
> checked recently to find that most are no longer there, hence the
> question.
>
> Other than the changes on the 9th of May, nothing changed.
>
> We use only 1 DHCP server.
>
> We have multiple reverse lookup zones, but all the users fall under
> 20.20.x.x zone, such as 20.20.10.x and 20.20.11.x. Verified that we don't
> have a zone and a subfolder for subnet.
>
> Thanks,
> Brian

Ok, let me see if I understand your reverse zone description. YOu have a
20.20.x.x reverse zone. YOu have clients that should be updating into the
20.20.x.x zone. Therefore, you should see subfolders under the 20.20.x.x
zone, at least one called "10" and another called "11."

If not, then something else is going on.

Regarding the DNSProxyUpdate group and setting credentials, the idea is to
do one or the other, not both. I've never tried or tested it, regarding if
any issues arise, to do both. You would either add the DHCP server to the
DnsUpdateProxy group (whichever DC it is and the DnsUpdateProxy group method
only applies to DCs that are DHCP servers, not member servers) , or create a
plain-Jane user account, provide a strong password, and set this account as
credentials (on either a DC or member server DHCP server).

More info here in my blog, here:

DHCP, Dynamic DNS Updates, Scavenging, static entries & timestamps, and the
DnsProxyUpdate Group (How to remove duplicate DNS host records)
http://msmvps.com/blogs/acefekay/arc...ate-group.aspx

It may also be helpful to post an ipconfig /all of a sample client that is
not updating, as well as from the DHCP server.

Regarding Johnathan's suggestions, if there are any Event log errors on the
DC/DNS servers or on the client side, they would be helpful as well.

Thanks,
Ace

What an insightful little rant that was. Thanks so much for the wonderful
enlightenment.

"J de Boyne Pollard" wrote:

> B> Other than the changes on the 9th of May, nothing changed.
>
> That's obviously false. If nothing changed, you wouldn't be here.
> Something changed.
>
> If I had to make an educated guess, based upon your posting NO LOG
> INFORMATION AT ALL from either your content DNS server or your DHCP
> server, whose log outputs will at least tell you why the softwares
> think that Dynamic DNS updates are failing, I'd say that what changed
> between then and now is that someone within your organization learned
> of RFC 2317 and thought what a brilliant wheeze it seemed to be. It
> isn't a brilliant wheeze. But the useful information, that will get
> you more than just educated guesses based upon very little, is in your
> logs. Read them and find out what the softwares think that they are
> doing.
>
> <URL:http://homepage.ntlworld.com./jonath...d/FGA/problem-
> report-standard-litany.html>
>
> If you want more than stabs in the dark from other people, tell the
> rest of the world what the error messages are, too.
> .
>

Followup information...

Reverse Lookup Zones
|-20.20.x.x
|-20.20.10.x
|-20.20.11.x

I have removed the credentials and left the DHCP server in the
DNSPRoxyUpdate group.

DHCP logs...
31,11/25/09,11:47:54,DNS Update
Failed,20.20.10.30,workstation.domain.domain.domai n,-1,
31,11/25/09,11:47:54,DNS Update
Failed,20.20.1031,workstation.domain.domain.domain ,-1,
31,11/25/09,11:47:54,DNS Update
Failed,20.20.11.32,workstation.domain.domain.domai n,-1,

Per company policy, I cannot post the IPconfig /all output, but can report
no issues.

DNS server logs report no errors.

Thanks,
Brian

"Ace Fekay [MCT]" wrote:

> "BrianB" <> wrote in message
> news:C4A40440-7702-4AB1-9274-...
> > Hey Ace,
> >
> > Prior to May 9th, 2009 there were no PTR records.
> > We then set the DNS updates for "secure and non-secure" and configured the
> > DNSUPDATEPROXY. Over time the PTR records were being populated. We just
> > checked recently to find that most are no longer there, hence the
> > question.
> >
> > Other than the changes on the 9th of May, nothing changed.
> >
> > We use only 1 DHCP server.
> >
> > We have multiple reverse lookup zones, but all the users fall under
> > 20.20.x.x zone, such as 20.20.10.x and 20.20.11.x. Verified that we don't
> > have a zone and a subfolder for subnet.
> >
> > Thanks,
> > Brian
>
> Ok, let me see if I understand your reverse zone description. YOu have a
> 20.20.x.x reverse zone. YOu have clients that should be updating into the
> 20.20.x.x zone. Therefore, you should see subfolders under the 20.20.x.x
> zone, at least one called "10" and another called "11."
>
> If not, then something else is going on.
>
> Regarding the DNSProxyUpdate group and setting credentials, the idea is to
> do one or the other, not both. I've never tried or tested it, regarding if
> any issues arise, to do both. You would either add the DHCP server to the
> DnsUpdateProxy group (whichever DC it is and the DnsUpdateProxy group method
> only applies to DCs that are DHCP servers, not member servers) , or create a
> plain-Jane user account, provide a strong password, and set this account as
> credentials (on either a DC or member server DHCP server).
>
> More info here in my blog, here:
>
> DHCP, Dynamic DNS Updates, Scavenging, static entries & timestamps, and the
> DnsProxyUpdate Group (How to remove duplicate DNS host records)
> http://msmvps.com/blogs/acefekay/arc...ate-group.aspx
>
> It may also be helpful to post an ipconfig /all of a sample client that is
> not updating, as well as from the DHCP server.
>
> Regarding Johnathan's suggestions, if there are any Event log errors on the
> DC/DNS servers or on the client side, they would be helpful as well.
>
> Thanks,
> Ace
>
>
>
>
>
>
> .
>

"BrianB" <> wrote in message
news:2D44397C-A964-4845-B0FC-...
> Followup information...
>
> Reverse Lookup Zones
> |-20.20.x.x
> |-20.20.10.x
> |-20.20.11.x
>
> I have removed the credentials and left the DHCP server in the
> DNSPRoxyUpdate group.
>
> DHCP logs...
> 31,11/25/09,11:47:54,DNS Update
> Failed,20.20.10.30,workstation.domain.domain.domai n,-1,
> 31,11/25/09,11:47:54,DNS Update
> Failed,20.20.1031,workstation.domain.domain.domain ,-1,
> 31,11/25/09,11:47:54,DNS Update
> Failed,20.20.11.32,workstation.domain.domain.domai n,-1,
>
> Per company policy, I cannot post the IPconfig /all output, but can report
> no issues.
>
> DNS server logs report no errors.
>
> Thanks,
> Brian
>

I can understand not being able to post the actual one. You can change the
domain names, etc. What we look for is Prim DNS Suffix, if routing is
enabled, multihoming, single label name, disjointed namespace, and ifusing
an external DNS. Yes, the ipconfg gives us all that info.

I assumed you've restarted the DHCP server after removing the credentials.

Otherwise, from what you posted, it is definitely difficult to tell where
the problem lies, especially when this usually just works by default.
Apparently something else is amiss, such as the credentials and
DnsUpdateProxy config, and not sure what else was configured (either
correctly or incorrectly) but I can't determine that at this point.

If security it a concern posting any info, which I fully understand, if I
may suggest, it may be better placing a call with Microsoft PSS to assist
you. They will keep your info confidential.

Ace