Duplicate HOST A record entries on the reverse lookup Zone

Discussion in 'DNS Server' started by aMIT, Aug 20, 2009.

  1. aMIT

    aMIT Guest

    Hi,

    I am having an issue with a reverse lookup zone. I am seeing a lot of duplicate
    IP addresses for different machines, and duplicate names as well with different
    IP addresses, so what setting do I have to change to get rid of this?

    Currently there is a Windows 2003 DC on which I am observing these things:
    duplicate IP addresses and names. Apart from that, "Allow dynamic updates" is
    enabled and set to "Only secure updates", and no, the scavenging option is not
    checked, but it shows the no-refresh interval and refresh interval set to 7
    days.
     
    aMIT, Aug 20, 2009
    #1
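Before changing any settings it helps to see exactly which records are duplicated and which copy is stale. The following PowerShell script is an added example, not part of the thread; it uses the DnsServer module (Windows Server 2012 and later, or RSAT), so it would not run on the Windows 2003 server in the question. The server name and the two zone names are placeholders.

```powershell
# Added example (not from the thread): list duplicate PTR and A records with
# their timestamps so the stale copies can be identified before deleting them.
# Assumes the DnsServer PowerShell module (Windows Server 2012+ / RSAT) and a
# DNS server you can administer. Server and zone names are placeholders.
#Requires -Modules DnsServer

param(
    [string]$DnsServer   = 'dc01.example.com',        # assumption: DNS server to query
    [string]$ForwardZone = 'example.com',             # assumption: forward zone
    [string]$ReverseZone = '1.168.192.in-addr.arpa'   # assumption: reverse zone
)

# Turn a PTR owner name plus its zone into a dotted IPv4 address, e.g.
# HostName "15" in zone "1.168.192.in-addr.arpa" -> 192.168.1.15
function ConvertTo-IPv4FromPtr {
    param([string]$HostName, [string]$Zone)
    $zoneOctets = ($Zone -replace '\.in-addr\.arpa$', '') -split '\.'
    $hostOctets = $HostName -split '\.'
    # Reverse-zone labels are written least-significant octet first
    $all = @($hostOctets + $zoneOctets)
    [array]::Reverse($all)
    return ($all -join '.')
}

# A record without a timestamp is static and is never aged; anything else is
# a dynamic record whose timestamp shows when it was last refreshed.
function Format-Stamp {
    param($Record)
    if (-not $Record.Timestamp -or $Record.Timestamp -eq [datetime]::MinValue) { return 'static' }
    return $Record.Timestamp.ToString('yyyy-MM-dd HH:mm')
}

# --- Duplicate IPs in the reverse zone: one PTR owner, several host names ---
$ptr = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ReverseZone -RRType Ptr |
       Where-Object { $_.HostName -ne '@' }

$ptr | Group-Object HostName | Where-Object Count -gt 1 | ForEach-Object {
    $ip = ConvertTo-IPv4FromPtr -HostName $_.Name -Zone $ReverseZone
    Write-Host "Duplicate PTR for $ip ($($_.Count) names):"
    $_.Group | Sort-Object Timestamp | ForEach-Object {
        Write-Host ("   {0,-40} {1}" -f $_.RecordData.PtrDomainName, (Format-Stamp $_))
    }
}

# --- Duplicate names in the forward zone: one host name, several A records ---
$a = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ForwardZone -RRType A |
     Where-Object { $_.HostName -ne '@' }

$a | Group-Object HostName | Where-Object Count -gt 1 | ForEach-Object {
    Write-Host "Duplicate A records for $($_.Name) ($($_.Count) addresses):"
    $_.Group | Sort-Object Timestamp | ForEach-Object {
        Write-Host ("   {0,-16} {1}" -f $_.RecordData.IPv4Address, (Format-Stamp $_))
    }
}
```

Within each group the oldest timestamp is normally the stale copy. Once you have confirmed that, the extra record can be removed with `Remove-DnsServerResourceRecord -ZoneName <zone> -RRType A -Name <host> -RecordData <ip> -Force` (or `-RRType Ptr` with the host name as the record data); entries reported as `static` were created by hand or by a tool that did not set a timestamp, and scavenging will never touch them.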

  2. Meinolf Weber [MVP-DS], Aug 20, 2009
    #2

  3. aMIT

    aMIT Guest

    Hi,

    As suggested, I did both of the options:

    1. Configured scavenging on the faulty DNS reverse lookup zones, not less
    than 24, and did the manual "Scavenge Stale Resource Records", but still the
    duplicate IPs and names are there.

    2. Used the DHCP server to update DNS records, selecting the options below:

    a) Select the "Dynamically update DNS A and PTR records only if requested by
    the DHCP clients" check box, which is located in Properties on the DNS tab of
    the applicable DHCP server or on one of its scopes.

    b) Discard A and PTR records when the lease is deleted.

    BUT STILL there are duplicate IPs and names.
     
    aMIT, Aug 20, 2009
    #3
  4. Chris Dent

    Chris Dent Guest

    When you first configure aging on a zone a lock is placed preventing
    Scavenging from operating until a full Refresh Interval has passed.

    You can see the value for that if you select View then Advanced and open
    the Aging properties again. It will show you when Scavenging is next
    able to operate against the zone.

    Worth reading this one to get a decent overview of how it all works:

    http://blogs.technet.com/networking...afraid-of-dns-scavenging-just-be-patient.aspx
    More than one DHCP server?

    If you do, do they all update using the same credentials?

    Chris
     
    Chris Dent, Aug 20, 2009
    #4
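The two things Chris asks about, the post-enable scavenging lock and whether every DHCP server registers with the same credentials, can both be checked from a script. This is an added example, not part of the thread; it assumes the DnsServer and DhcpServer PowerShell modules (Windows Server 2012 and later, or RSAT), and the server names are placeholders.

```powershell
# Added example (not from the thread): for every reverse lookup zone on a DNS
# server, show whether aging is on and when scavenging is next permitted (the
# lock Chris describes above), then compare the DNS-update credentials on each
# DHCP server. Assumes the DnsServer and DhcpServer PowerShell modules
# (Windows Server 2012+ / RSAT); server names are placeholders.
#Requires -Modules DnsServer, DhcpServer

param(
    [string]$DnsServer     = 'dc01.example.com',                              # assumption
    [string[]]$DhcpServers = @('dhcp01.example.com', 'dhcp02.example.com')    # assumption
)

# Server-wide scavenging must be on, and this server must be allowed to scavenge
# the zone (ScavengeServers empty or containing it), before any zone is cleaned.
$srv = Get-DnsServerScavenging -ComputerName $DnsServer
Write-Host ("Server scavenging enabled: {0}; interval {1}; last run {2}" -f
    $srv.ScavengingState, $srv.ScavengingInterval, $srv.LastScavengeTime)

function Get-ReverseZoneAgingReport {
    param([string]$Server)
    $now = Get-Date
    Get-DnsServerZone -ComputerName $Server |
        Where-Object { $_.IsReverseLookupZone -and -not $_.IsAutoCreated } |
        ForEach-Object {
            $aging = Get-DnsServerZoneAging -ComputerName $Server -Name $_.ZoneName
            [pscustomobject]@{
                Zone            = $_.ZoneName
                AgingEnabled    = $aging.AgingEnabled
                NoRefresh       = $aging.NoRefreshInterval
                Refresh         = $aging.RefreshInterval
                NextScavengeAt  = $aging.AvailForScavengeTime
                # A future AvailForScavengeTime means the zone is still locked
                StillLocked     = ($null -ne $aging.AvailForScavengeTime -and
                                   $aging.AvailForScavengeTime -gt $now)
                ScavengeServers = ($aging.ScavengeServers -join ',')
            }
        }
}

Get-ReverseZoneAgingReport -Server $DnsServer | Format-Table -AutoSize

# Second question: with more than one DHCP server, all of them must register
# with the same account. A DHCP server with no credentials registers under its
# own computer account, which the other servers cannot overwrite, so a client
# that moves between servers ends up with a second record instead of an update.
$creds = foreach ($s in $DhcpServers) {
    $c = Get-DhcpServerDnsCredential -ComputerName $s
    [pscustomobject]@{
        DhcpServer = $s
        Account    = if ($c.UserName) { "$($c.DomainName)\$($c.UserName)" }
                     else { '(none: registers as its own computer account)' }
    }
}
$creds | Format-Table -AutoSize
if (@($creds.Account | Sort-Object -Unique).Count -gt 1) {
    Write-Warning 'DHCP servers register DNS records with different accounts; records created by one cannot be updated by another.'
}
```

If `StillLocked` is true for a zone, running "Scavenge Stale Resource Records" by hand does nothing for that zone until `NextScavengeAt` has passed; that is the waiting period the linked article describes.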
  5. Hello aMIT,

    This will not remove the existing ones. Mark the server name in the DNS management
    console, right-click and choose "Scavenge Stale Resource Records". This should
    clean up the old ones.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Aug 20, 2009
    #5

  6. You will need to delete any existing ones. Also you have to force DHCP to
    own the record it registers, otherwise it cannot update it, therefore it
    creates a dupe. Until you address that, the dupe issue will continue.
    Meinolf's second link explains this. Did you get a chance to read it?

    For your convenience, the following is my blog on it. I hope it helps. I
    left the timestamps portion out of it. (Some of the links were already
    provided by Chris and Meinolf in the 'related links' section.)

    ==================================================================
    DHCP, Dynamic DNS Updates, Scavenging, static entries & timestamps, and the
    DnsUpdateProxy Group
    ---
    By Ace Fekay, MCT, MCTS Exchange 2007, MCSE & MCSA 2000/2003, MCSA Messaging
    First compiled 4/2006
    Updated 7/2009
    ---

    Keep in mind, the entity that registers the record in DNS owns the record.
    By default, Windows 2000 and newer statically configured machines will
    register their A record (hostname) and PTR record (reverse entry) in DNS.

    If set to DHCP, Windows 2000 and newer machines will request DHCP so that
    the machine itself will register its own A record, but DHCP will register
    its PTR record.

    However, you can configure DHCP to update the record for the client, no
    matter what the client asks. One problem with that: if the client shuts
    down, and later on when it comes back up past the lease time, it may get a
    different IP address. What happens here is that a duplicate A record gets
    created with the new IP. This happens even though DHCP registered the
    record, because DHCP doesn't own the record; the client does, even though
    DHCP registered it.

    What we want to do to keep DNS clean, without additional records with the
    same name but different IP addresses in DNS, is to configure DHCP to own
    the record, so it can keep it up to date.

    The nice thing about DHCP owning the record is that it will update it if
    DHCP gives the machine a new IP. Otherwise you'll see multiples of the same
    in DNS whether scavenging is enabled or not. I would force DHCP to own the
    record as well as enable scavenging to keep it clean.

    To force DHCP to own the record, you have two options. Option 1 is to add
    the DHCP server to the DnsUpdateProxy group. However, this is a security
    risk if DHCP is on a DC. Option 2, which is preferred whether DHCP is on a
    DC or not, is to create a user account for the sole purpose of using it as
    the credentials that DHCP will use to update records. This is a regular
    Domain User account, not an admin account.

    Option 1:

    1. Add the DHCP server to the DnsUpdateProxy Group.
    2. Force DHCP to register all records, Forward and PTR, (whether a client
    machine can do it or not) in the Option 081 tab (DHCP properties, DNS tab).
    3. Set Option 015 to the AD domain name (such as example.com).
    4. Set Option 006 to only the internal DNS servers.
    5. If the zone is set for Secure Updates Only, then DHCP cannot update
    non-Microsoft clients and Microsoft clients that are not joined to the
    domain. In this case, you will need to create and configure a user account
    for use as credentials for DHCP to register such clients.

    Option 2:

    (Steps 1 and 2 are for Windows 2003)

    1. In AD, create and configure a dedicated Domain User account to use as
    credentials in DHCP. The user account does not need any elevated rights; a
    normal user account is fine. However, I recommend using a strong,
    non-expiring password on the account.
    2. In the DHCP console, DHCP server properties, select the Advanced tab,
    click the Credentials button, and provide the account's credentials.
    3. If using Windows 2000, it must be done with the Netsh command. Windows
    2003 and newer can also be done with the Netsh command, if you desire.

    Providing DHCP credentials, or using the DnsUpdateProxy group, will also
    allow DHCP to register Win9x machines, as well as non-Windows machines, such
    as Linux, OS X (BIND based), and other Unix flavors.

    With regards to the DnsUpdateProxy group, as said, this is one method, but
    normally, for the most part, it is not advised to use it, as it weakens
    security, including the DC records if DHCP is on a DC. Preferably configure
    DHCP with an account.

    Once you've implemented scavenging, you will need to wait at least a week
    for it to take effect. You can quicken it up by manually deleting the
    incorrect records to give yourself a head start.

    Configuring credentials or using the DnsUpdateProxy group will alleviate
    another issue: if DHCP is on a DC, it will not overwrite the original host
    record for a machine getting a new lease with an IP previously belonging to
    another host.


    ======
    Scavenging

    Scavenging is a feature that will remove expired records based on their
    timestamps. Scavenging is not enabled by default.

    To set aging and scavenging properties for a DNS server using the DNS
    console:

    1. In the DNS console, right-click the DNS server name, and choose
    "Set Aging/Scavenging for All Zones".

    2. Select the "Scavenge stale resource records" check box.

    3. You can now either choose to set scavenging for all zones, or choose No
    and manually set each zone individually. I suggest setting it for all zones.

    4. It's recommended to go with the defaults of 7 days. If you choose to
    change it, it should reflect and stay in line with DHCP's lease times. Now,
    I've never found anything specific stating this, but keeping the scavenge
    setting to the lease minus one day ensures that records will be deleted one
    day before lease renewal, so a record will be deleted if it is actually not
    in use by a client and has expired. If still in use, it will go through the
    scavenging refresh period and scavenge lifetime until the next expiration
    time.

    The following related links provide additional information on how it all
    works.

    How to configure DNS dynamic updates in Windows Server 2003.
    http://support.microsoft.com/kb/816592

    Using DNS Aging and Scavenging: Aging and scavenging of stale resource records
    are features of Domain Name System (DNS) that are available when you deploy
    your server with primary zones.
    http://technet.microsoft.com/en-us/library/cc757041.aspx

    Microsoft Enterprise Networking Team : Don't be afraid of DNS, Mar 19, 2008
    DNS Scavenging is a great answer to a problem that has been nagging everyone
    since RFC 2136 came out in 1997.
    http://blogs.technet.com/networking...afraid-of-dns-scavenging-just-be-patient.aspx

    DHCP, DNS and the DNSUpdateProxy-Group - Directory Services/Active ...I had
    a discussion in the Newsgroups lately about DHCP and the
    DNSUpdateProxy-Group which is
    used to write unsecured DNS-Entries to a DNS-Zone which only ...
    http://msmvps.com/ulfbsimonweidner/archive/2004/11/15/19325.aspx

    And from Kevin Goodnecht:
    Setting up DHCP for DNS registrations
    http://support.wftx.us/setting_up_dhcp_for_dns_registra.htm

    317590 - HOW TO Configure DNS Dynamic Update in Windows 2000 and
    DNSUpdateProxy Group:
    http://support.microsoft.com/kb=317590

    816592 - How to configure DNS dynamic updates in Windows Server 2003:
    http://support.microsoft.com/kb/816592

    Follow up discussion on the DNSUpdateProxy-Group:
    http://msmvps.com/ulfbsimonweidner/archive/2005/03/26/39841.aspx
    ==================================================================

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum to benefit from collaboration
    among responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
    Microsoft Certified Trainer

    For urgent issues, please contact Microsoft PSS directly. Please check
    http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [MCT], Aug 20, 2009
    #6
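Ace's "Option 2" (a dedicated, unprivileged account for DHCP), the DNS-tab and option settings, and the scavenging steps can all be applied in one script on a current Windows Server. The script below is an added example and is not Ace's or Microsoft's code; it uses the DhcpServer and DnsServer PowerShell modules (Windows Server 2012 and later, or RSAT) instead of the 2003-era console and netsh, and the account, server, zone and address values are placeholders.

```powershell
# Added example (not from the thread): apply "Option 2" from the post above,
# then enable aging/scavenging, using the DhcpServer and DnsServer PowerShell
# modules (Windows Server 2012+ / RSAT). All names and addresses are
# placeholders (assumptions).
#Requires -Modules DnsServer, DhcpServer

param(
    [string]$DhcpServer = 'dhcp01.example.com',                        # assumption
    [string]$DnsServer  = 'dc01.example.com',                          # assumption
    [string]$DnsDomain  = 'example.com',                               # assumption (option 015)
    [string[]]$DnsIps   = @('192.168.1.10', '192.168.1.11'),           # assumption (option 006)
    [string[]]$Zones    = @('example.com', '1.168.192.in-addr.arpa'),  # assumption
    [string]$UpdateUser = 'EXAMPLE\svc-dhcp-dnsupdate',                # assumption: plain domain user
    [TimeSpan]$Interval = (New-TimeSpan -Days 7)                       # the 7-day default from the post
)

# 1. Credentials: a plain Domain User with a strong, non-expiring password.
#    Not an admin, and not the DnsUpdateProxy group. Records DHCP registers
#    under this account are owned by it, so it can update or delete them later.
$cred = Get-Credential -UserName $UpdateUser -Message 'Password for the DHCP DNS-update account'
Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $cred

# 2. Option 081 / DNS tab: DHCP registers BOTH A and PTR for every client,
#    whether or not the client asks, and discards them when the lease is
#    deleted. UpdateDnsRRForOlderClients covers clients that cannot request
#    updates themselves (the Win9x / non-Windows case in the post).
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer `
    -DynamicUpdates Always `
    -DeleteDnsRRonLeaseExpiry $true `
    -UpdateDnsRRForOlderClients $true

# 3. and 4. Options 015 and 006: the AD domain name and only the internal DNS servers.
Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -DnsDomain $DnsDomain -DnsServer $DnsIps

# Scavenging: enable aging on each zone with matching no-refresh and refresh
# intervals, then turn on the server-side scavenger. Nothing is removed until a
# full refresh interval has passed since aging was enabled on the zone.
foreach ($z in $Zones) {
    Set-DnsServerZoneAging -ComputerName $DnsServer -Name $z -Aging $true `
        -NoRefreshInterval $Interval -RefreshInterval $Interval
}
Set-DnsServerScavenging -ComputerName $DnsServer -ScavengingState $true -ScavengingInterval $Interval

# Show what was applied so it can be checked against the post's checklist.
Get-DhcpServerDnsCredential -ComputerName $DhcpServer
Get-DhcpServerv4DnsSetting  -ComputerName $DhcpServer
Get-DnsServerZoneAging      -ComputerName $DnsServer -Name $Zones |
    Format-Table ZoneName, AgingEnabled, NoRefreshInterval, RefreshInterval, AvailForScavengeTime -AutoSize
```

Why the account rather than the group: records created by a member of DnsUpdateProxy are written without an owner-restricted ACL so that any later registrant can take them over, and if the DHCP server is a domain controller that includes the DC's own records, which is the weakening Ace warns about. With a dedicated user the records are owned by that one unprivileged account, every DHCP server configured with it can update them, and the account has no rights beyond what dynamic update already grants.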
