DHCP

Discussion in 'Server Networking' started by Clayton, Jun 14, 2009.

  1. Clayton

    Clayton Guest

    Hi,
    I have several XP machines logging on to a domain (Server 2003) using the
    same username (to keep things simple) and all has been going ok for several
    months until Saturday morning when no machines could logon or from what I
    hear from the users took ages to logon, then the server had been restarted,
    then today Monday, same thing happened, had to restart the server before the
    workstations could logon.
    I have gone into the Event Viewer and found the following error:

    Event Type: Warning
    Event Source: DhcpServer
    Event Category: None
    Event ID: 1056
    Date: 13/06/2009
    Time: 9:02:06 a.m.
    User: N/A
    Computer: CCSBS001
    Description:
    The DHCP service has detected that it is running on a DC and has no
    credentials configured for use with Dynamic DNS registrations initiated by
    the DHCP service. This is not a recommended security configuration.
    Credentials for Dynamic DNS registrations may be configured using the
    command line "netsh dhcp server set dnscredentials" or via the DHCP
    Administrative tool.

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.

    I have no idea where to start

    Thanks
     
    Clayton, Jun 14, 2009
    #1


  2. Create a non-admin user account. Add the account to the DnsUpdateProxy
    group. Go into DHCP console, right click the server name, properties, last
    tab to the right, select the credentials tab, and enter the user account you
    created and its password. This way the DHCP server can register machines
    into DNS as well as update the registrations when machines get a new or
    different IP than the last one they had, else DHCP cannot update any
    records, and will simply create a new record with the same name but with a
    different IP.

    Configure DNS dynamic update credentials: Dynamic Host ...Jan 21, 2005 ...
    To configure DNS dynamic update credentials. Open DHCP. In the console tree,
    click the applicable DHCP server. Where? DHCP/applicable DHCP ...
    http://technet.microsoft.com/en-us/library/cc775839(WS.10).aspx

    I would also suggest to implement Scavenging in DNS.

    How to configure DNS dynamic updates in Windows Server 2003.
    http://support.microsoft.com/kb/816592

    Using DNS Aging and Scavenging: Aging and scavenging of stale resource records
    are features of Domain Name System (DNS) that are available when you deploy
    your server with primary zones.
    http://technet.microsoft.com/en-us/library/cc757041.aspx

    Microsoft Enterprise Networking Team : Don't be afraid of DNS ...Mar 19,
    2008 ... DNS Scavenging is a great answer to a problem that has been nagging
    everyone since RFC 2136 came out way back in 1997.
    http://blogs.technet.com/networking...afraid-of-dns-scavenging-just-be-patient.aspx

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
    Microsoft Certified Trainer


    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    "Efficiency is doing things right; effectiveness is doing the right
    things." - Peter F. Drucker
    http://twitter.com/acefekay
     
    Ace Fekay [Microsoft Certified Trainer], Jun 15, 2009
    #2

  3. Clayton

    Clayton Guest

    How about if I disable DNS and DHCP on the server and allocate each
    computer its IP address and DNS addresses from the ISP?
     
    Clayton, Jun 15, 2009
    #3
  4. Bill Grant

    Bill Grant Guest

    No, that won't do. If you are using Active Directory, the clients must use
    the local DNS server, not a DNS server at your ISP.
    Domain members use DNS to find domain resources (including the logon
    server). The DNS server at your ISP cannot do the job for you.
     
    Bill Grant, Jun 15, 2009
    #4
  5. Clayton

    Clayton Guest

    How about if I disable only the DHCP and allocate IP addresses to the other
    computers?


     
    Clayton, Jun 16, 2009
    #5
  6. Alister

    Alister Guest

    Nope, that won't work either, because the DNS still won't update correctly.

    I think you are missing the point. In an Active Directory domain, the DHCP
    and DNS /should/ be working together,
    such that when a new DHCP lease is assigned, the DNS records are
    automatically updated.

    This appears not to be happening on your domain, and is one cause of slow or
    non-working logons. The other problem, if I understand you correctly, is
    that your client machines' primary DNS should be pointed at your DC's IP
    address (Ideally this should be set in the DHCP scope) whereas you currently
    have them pointed at an external DNS server. As Bill said, the client
    machines on the domain need to use the LOCAL DNS in order to correctly find
    and talk to the logon server and other resources on your network.

    What I suggest you do is remove the DHCP and DNS server roles from your DC
    and then start again, making sure that the DNS zone is created as an Active
    Directory Integrated Zone.

    Make sure you install DNS before DHCP, and DHCP should be able to configure
    itself to update the DNS.

    Alister
     
    Alister, Jun 16, 2009
    #6
  7. Clayton

    Clayton Guest

    Hi All,
    All the client machines' primary DNS is pointing to the DC's IP which is
    192.168.0.2
    The slow logons happen once in a while

    I haven't tried what you guys suggested as I am trying to figure out how it
    is done, Ace suggested I create a non-admin user account and have found the
    credentials tab but not sure what user account and password to use, I have
    added 10 users on the server as I was only using 2 accounts, do I need to
    add every user in the credentials tab in DHCP console?
     
    Clayton, Jun 16, 2009
    #7
  8. Clayton

    Clayton Guest

    Also why can't everyone logon using the same username and password? Can
    there be a problem with the same multiple users?
     
    Clayton, Jun 16, 2009
    #8
  9. Hi Clayton,

    I think you may have missed the point for the purpose of the account. The
    links I supplied should have explained it. No, you simply create ONE
    non-admin account, and supply only that user account for DHCP credentials.
    The credentials are to allow DHCP to own the records in DNS so it can update
    the records if their IP addresses change. It is not for users to log on
    to. It's for keeping DNS records updated.

    Please re-read this article to get a better understanding of how the DHCP
    and DNS updates work. Scroll down and look for the term "DnsUpdateProxy."

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Jun 16, 2009
    #9
  10. Sorry, I meant to re-post that link for you to read. Here it is:

    How to configure DNS dynamic updates in Windows Server 2003.
    http://support.microsoft.com/kb/816592

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Jun 16, 2009
    #10
  11. Clayton

    Clayton Guest

    ok, I will create a non-admin account, once done what permissions do I give
    that account? i.e. domain admin, domain users, Administrators etc?
     
    Clayton, Jun 17, 2009
    #11
  12. Just create the account and leave it default, eg, part of the Domain Users
    group.

    As far as everyone logging on as the same username, that really isn't
    advised. Security-wise, and best practice wise. Why wouldn't you want a
    specific user name for everyone in your office? It reminds me of that old TV
    show, Bob Newhart, where the guy has two brothers with the same name, named
    Larry. Well, that may be not exactly a good analogy, but with individual
    accounts, you create accountability, they can be monitored, etc, and not
    sure if you do or even think about going that far, but if you are using
    Exchange email, then everyone will be the same email address.

    It's just not best practice. I've run across it once with a customer years
    ago. I sat and explained the differences to them, and they wound up agreeing
    it wasn't a good practice.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Jun 17, 2009
    #12
  13. Clayton

    Clayton Guest

    Yeh, we have that effect on customers don't we?

    The security is not a major issue in this business, they are all family
     
    Clayton, Jun 17, 2009
    #13
  14. Family? Hmm... I don't know the arrangements, but that could be a good thing
    or a bad thing! :)

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Jun 17, 2009
    #14
  15. Clayton

    Clayton Guest

    When I create the non-admin account and enter it into the credentials tab do
    I use the full domain name including the .local in the domain box?
     
    Clayton, Jun 19, 2009
    #15
  16. In the user box, type in the user account's username.
    In the domain box, just type in the NetBIOS domain name (not the FQDN AD DNS
    domain name).
    In the password box, type in the password.
    In the confirm password box, retype the password.

    I hope that helps.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Jun 19, 2009
    #16
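
Added example, not part of any post in the thread: the steps from replies #2, #12 and #16 done from a command prompt on the DHCP server, using the netsh command named in the Event ID 1056 text. The account name dhcp-dnsreg and the NetBIOS domain EXAMPLE are constructed placeholders; run it as a domain administrator.

```bat
@echo off
setlocal
rem Constructed placeholder values; replace them with your own.
set "SVC_USER=dhcp-dnsreg"
rem NetBIOS domain name, not the AD DNS name ending in .local (reply #16).
set "NB_DOMAIN=EXAMPLE"

rem set /p echoes what is typed, so run this from a private console session.
set /p "SVC_PASS=Password for %SVC_USER% (echoed to the console): "

rem 1. Create ONE dedicated account and leave it a plain Domain Users member
rem    (replies #9 and #12). It is not an account that people log on with.
net user %SVC_USER% "%SVC_PASS%" /add /domain /comment:"DHCP dynamic DNS registration"
if errorlevel 1 goto fail

rem 2. Group membership as given in reply #2. DNS records created by members
rem    of DnsUpdateProxy carry no owner security, so read KB 816592 (linked in
rem    the thread) before deciding to keep this step.
net group DnsUpdateProxy %SVC_USER% /add /domain
if errorlevel 1 goto fail

rem 3. Hand the credentials to the DHCP service: user, NetBIOS domain, password.
netsh dhcp server set dnscredentials %SVC_USER% %NB_DOMAIN% "%SVC_PASS%"
if errorlevel 1 goto fail

rem 4. Show which account and domain the DHCP service now uses for DNS updates.
netsh dhcp server show dnscredentials

rem endlocal discards SVC_PASS along with the other variables set above.
endlocal
exit /b 0

:fail
echo A step failed; check the message printed above it.
endlocal
exit /b 1
```
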