Need help understanding Windows DNS, DHCP and dynamic PTRs

Here's an article from Microsoft that describes the dynamic DNS process with their DHCP server: http://technet.microsoft.com/en-us/library/cc787034(WS.10).aspx

The stock behaviour of W2K and up is for the client to request the DHCP server register the PTR record on behalf of the client, and the client registers the A record itself. The DHCP server can be made to register the A record and the PTR record (including for pre-Windows 2000 clients that can't make DDNS registrations themselves).

There is an optional setting to have the DHCP server delete the A and PTR records when a lease is discarded. If the lease hasn't timed out, though, the records won't be deleted.

You absolutely should be aging and scavenging your DDNS zones. If you're aging and scavenging, this will eventually "purge". If you're not, it won't.

This Microsoft support article explains how to set the TTL value for DNS resource records registered by DHCP servers (originally in a hotfix, now just built-in to the OS): http://support.microsoft.com/kb/322989

To alter the behaviour of client computers in DNS registrations, have a look in Group Policy in the DNS Client node under the Network subnode of the Administrative Templates node of the Computer Configuration. In there, you'll find that you can force the clients to register their PTR records, rather than having it done by the DHCP server (if you so desire), and you can set the TTL on records registered by clients.


I'm not sure why this would suddenly start occurring. Some configuration had to change, but I'm at a loss as to tell you where. Start talking to your co-admins about any changes they might've made in the DHCP server configuration or in the group policy settings for clients' dynamic DNS behaviour.

I can't say I've seen the behaviour of multiple clients registering the same PTR record. That's odd. I'll have to defer to someone else on that. I will say that all of my reverse-zones are always AD integrated and require secure updates, but I don't know that that would have an effect on this.

In my experience, just having aging and scavenging turned on makes a world of difference in eliminating stale records. The default 7 day interval has worked well for me.


A quick and dirty way of cleaning this up - while you're in the process of doing it right by implementing scavenging - is to just delete all the records in your Windows reverse zone(s). The DNS server will automatically recreate them correctly for you as each client contacts it next time.

It's not a recommended thing to do as a general practice, and if you're doing this kinda thing regularly you'll need to revise how you manage your DNS, but it is good for cleaning up a messy reverse zone (worked for me).

If you're wary about this approach (and I'd advise that you should be) try deleting one or two and see how things behave.
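
A read-only audit of the reverse zone shows whether aging and scavenging are actually in effect, which addresses carry more than one PTR record, and which dynamic records are already past the aging window. This is an added example, not part of the original answers; the server and zone names are placeholders, and it assumes the DnsServer PowerShell module (RSAT or a DNS server) is available.

```powershell
# Read-only audit of a Windows reverse lookup zone. Makes no changes.
# Assumptions: the DnsServer module is installed; $DnsServer and
# $ReverseZone are placeholders to replace with your own values.
Import-Module DnsServer

$DnsServer   = 'dns01.example.test'        # placeholder server name
$ReverseZone = '10.168.192.in-addr.arpa'   # placeholder reverse zone

# 1. Scavenging must be enabled on the server AND aging on the zone;
#    either one alone never purges anything.
Get-DnsServerScavenging -ComputerName $DnsServer |
    Format-List ScavengingState, ScavengingInterval, LastScavengeTime

$aging = Get-DnsServerZoneAging -Name $ReverseZone -ComputerName $DnsServer
$aging | Format-List ZoneName, AgingEnabled, NoRefreshInterval, RefreshInterval

# 2. Pull every PTR record in the zone once.
$ptr = Get-DnsServerResourceRecord -ZoneName $ReverseZone -RRType Ptr `
           -ComputerName $DnsServer

# 3. Owner names (addresses) that carry more than one PTR record.
$ptr | Group-Object HostName | Where-Object Count -gt 1 | ForEach-Object {
    [pscustomobject]@{
        Owner   = $_.Name
        Count   = $_.Count
        Targets = ($_.Group.RecordData.PtrDomainName -join ', ')
    }
} | Format-Table -AutoSize

# 4. Dynamic records older than NoRefresh + Refresh, i.e. eligible for
#    scavenging. Static records have no timestamp and are skipped.
$cutoff = (Get-Date) - $aging.NoRefreshInterval - $aging.RefreshInterval
$ptr | Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
    Sort-Object Timestamp |
    Select-Object HostName,
                  @{ Name = 'Target'; Expression = { $_.RecordData.PtrDomainName } },
                  Timestamp |
    Format-Table -AutoSize
```

Records listed in step 4 while step 1 shows scavenging or aging disabled will stay in the zone until one of those settings changes or the records are removed by hand.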