DHCP

Hi,
I have several XP machines logging on to a domain (Server 2003) using the
same username (to keep things simple) and all has been going ok for several
months until Saturday morning when no machines could logon or from what I
hear from the users took ages to logon, then the server had been restarted,
then today Monday, same thing happened, had to restart the server before the
workstations could logon.
I have gone into the Event Viewer and found the follow error

Event Type: Warning
Event Source: DhcpServer
Event Category: None
Event ID: 1056
Date: 13/06/2009
Time: 9:02:06 a.m.
User: N/A
Computer: CCSBS001
Description:
The DHCP service has detected that it is running on a DC and has no
credentials configured for use with Dynamic DNS registrations initiated by
the DHCP service. This is not a recommended security configuration.
Credentials for Dynamic DNS registrations may be configured using the
command line "netsh dhcp server set dnscredentials" or via the DHCP
Administrative tool.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

I have no idea where to start

Thanks

 

Create a non-admin user account. Add the account to the DnsUpdateProxy
group. Go into DHCP console, right click the server name, properties, last
tab to the right, select the credentials tab, and enter the user account you
created and it's password. This way the DHCP server can register machines
into DNS as well as update the registrations when machines get a new or
different IP than the last one they had, else DHCP cannot update any
records, and will simply create a new record with the same name but with a
different IP.

Configure DNS dynamic update credentials: Dynamic Host ...Jan 21, 2005 ...
To configure DNS dynamic update credentials. Open DHCP. In the console tree,
click the applicable DHCP server. Where? DHCP/applicable DHCP ...
http://technet.microsoft.com/en-us/library/cc775839(WS.10).aspx

I would also suggest to implement Scavenging in DNS.

How to configure DNS dynamic updates in Windows Server 2003.
http://support.microsoft.com/kb/816592

Using DNS Aging and ScavengingAging and scavenging of stale resource records
are features of Domain Name System (DNS) that are available when you deploy
your server with primary zones.
http://technet.microsoft.com/en-us/library/cc757041.aspx

Microsoft Enterprise Networking Team : Don't be afraid of DNS ...Mar 19,
2008 ... DNS Scavenging is a great answer to a problem that has been nagging
everyone since RFC 2136 came out way back in 1997.
http://blogs.technet.com/networking...afraid-of-dns-scavenging-just-be-patient.aspx

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer


For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right
things." - Peter F. Drucker
http://twitter.com/acefekay

 

How about if I disable DNS and DHCP on there server and allocate each
computer it's IP address and DNS address's from the ISP?

 

No, that won't do. If you are using Active Directory, the clients must use
the local DNS server, not a DNS server at your ISP.
Domain members use DNS to find domain resources (including the logon
server). The DNS server at your ISP cannot do the job for you.

 

How about if I disable only the DHCP and allocate IP addresses to the other
computers?

 

Nope, that won't work either, because the DNS still won't update correctly.

I think you are missing the point. In an Active Directory domain, the DHCP
and DNS /should/ be working together,
such that when a new DHCP lease is assigned, the DNS records are
automatically updated.

This appears not to be happening on your domain, and is one cause of slow or
non-working logons. The other problem, if I understand you correctly, is
that your client machines' primary DNS should be pointed at your DC's IP
address (Ideally this should be set in the DHCP scope) whereas you currently
have them pointed at an external DNS server. As Bill said, the client
machines on the domain need to use the LOCAL DNS in order to correctly find
and talk to the logon server and other resources on your network.

What I suggest you do is remove the DHCP and DNS server roles from your DC
and then start again, making sure that the DNS zone is created as an Active
Directory Integrated Zone.

Make sure you install DNS before DHCP, and DHCP should be able to configure
itself to update the DNS.

Alister

 

Hi All,
All the client machines primary DNS is pointing to the DC's IP which is
192.168.0.2
The slow logon's happens once in awhile

I haven't tried what you guys suggested as I am trying to figure out how it
is done, Ace suggested I create a non-admin user account and have found the
credentials tab but not sure what user account and password to use, I have
added 10 users on the server as I was only using 2 accounts, do I need to
add every user in the credentials tab in DHCP console?

 

Also why can't everyone logon using the same username and password? can
their be a problem with the same multiple users?

 

Hi Clayton,

I think you may have missed the point for the purpose of the account. The
links I supplied should have explained it. No, you simply create ONE
non-admin account, and supply only that user account for DHCP credentials.
The credentials are to allow DHCP to own the records in DNS so it can update
the records if their IP addresses change. It is not for users to logon on
to. It's for keeping DNS records updated.

Please re-read this article to get a better understanding of how the DHCP
and DNS updates work. Scroll down and look for the term "DnsUpdateProxy."

Ace

Ace

 

Sorry, I meant to re-post that link for you to read. Here it is:

How to configure DNS dynamic updates in Windows Server 2003.
http://support.microsoft.com/kb/816592

Ace

 

ok, I will create a non-admin account, once done what permissions do I give
that account? i.e domain admin, domain users, Administrators etc?

 

Just create the account and leave it default, eg, part of the Domain Users
group.

As far as everyone logging on as the same username, that really isn't
advised. Security-wise, and best practice wise. Why wouldn't you want a
specific user name for everyone in your office? It reminds me of that old TV
show, Bob Newhart, where the guy has two brothers wtih the same name, named
Larry. Well, that may be not exactly a good analogy, but with individual
accounts, you create accountability, they can be monitored, etc, and not
sure if you do or even think about going that far, but if you are using
Exchange email, then everyone will be the same email address.

It's just not best practice. I've run across it once with a customer years
ago. I sat and explained the differences to them, and they wound up agreeing
it wasn't a good practice.

Ace

 

Yeh, we have that effect on customers don't we?

The security is not a major issues in this business, they are all family

 

Family? Hmm... I don't know the arrangements, but that could be a good thing
or a bad thing!

Ace

 

When I create the non-admin account and enter it into the credentials tab do
I use the full domain name including the .local in the domain box?

 

In the user box, type in the user account's username.
In the domain box, just type in the NetBIOS domain name (not the FQDN AD DNS
domain name).
In the pasword box, type in the password.
In the confirm password box, retype the password.

I hope that helps.

Ace