DHCP not actually updating DNS even though logs indicate otherwise

domain-name-system dhcp dynamic windows-server-2003

This question is sort of a follow-up to this previous question: DHCP failing to update DNS

We have a Windows Server 2003 SP2 machine that is a domain controller, DNS server, and DHCP server. Our DHCP audit logs were filled with Event ID error code 31: "DNS Update Failed". The issue was resolved by creating a reverse DNS zone. Afterwards, we get code 32 in the DHCP audit log. For instance:

32,07/06/09,08:24:40,DNS Update Successful,10.0.1.55,COMPUTER01.ssx.local,,

However, if I take a look at the DNS, the entry for "COMPUTER01.ssx.local" is not 10.0.1.55 but some other IP address.

I've been reviewing the DHCP audit logs again as well as the Event Logs for DNS and other system logs. There are no errors to indicate why the DNS is not actually updating. I am not sure why the DHCP logs would indicate a DNS update success, when the actual DNS does not update.

Any ideas on what is happening here?


Solution 1:

By default, only the "PTR" record is updated by the DHCP server for Windows 2000+ client computers. Here's an article from Microsoft that describes the dynamic DNS process with their DHCP server: http://technet.microsoft.com/en-us/library/cc787034(WS.10).aspx

The stock behaviour of W2K and up is for the client to request the DHCP server register the PTR record on behalf of the client, and the client registers the A record itself. The DHCP server can be made to register the A record and the PTR record (including for pre-Windows 2000 clients that can't make DDNS registrations themselves).

To alter the behaviour of client computers in DNS registrations, have a look in Group Policy in the DNS Client node under the Network subnode of the Administrative Templates node of the Computer Configuration. In there, you'll find that you can force the clients to register their PTR records, rather than having it done by the DHCP server (if you so desire), and you can set the TTL on records registered by clients.

To alter the behaviour of the DHCP server computer to cause it to register the "A" record, you can change the settings on the "DNS" tab of the "Properties" of the DHCP server or on the DHCP scope. If you've already done this and set it to, for example, "Always dynamically update DNS A and PTR records", then the DHCP Server should be modifying the "A" record and "PTR" record.

So, unless you've used that setting to change the behaviour of the client computers or the DHCP Server, the client computers should be doing the updates on their "A" records. (Which is what it looks like you're examining in your question-- the "A" record for COMPUTER01.ssx.local.)

If the clients are supposed to be doing their own updates, have a look at the Application Event Log of one of the clients that's not updating properly after you run an "ipconfig /registerdns" on the client.

My gut tells me that since you're using an "Active-Directory Integrated" DNS zone w/ secure dynamic updates turned on the clients might be running into permission issues updating their "A" records. (You can look at the ACL on each "A" record by looking at the "Properties" of the record in the DNS Management MMC snap-in.) The event log on the client will tell you more.

Related

How can I re-install live production server with minimal downtime?
Ubuntu 10.10 Maverick Server makes system locks up at random intervals (i7 930; 12GB RAM)
How do I do IP Failover for my Public IP address with Linux HA
Amazon SES and Amavis
What is the command to enable 3rd party SFP+ transceivers on Arista switch?
Open Source or lower-cost alternatives to Barracuda Spam Filter [closed]
What's your suggested mail server configuration for a FreeBSD server?
How to configure SELinux to allow apache to run git
Loopback Device Not Configured On Boot
Is it possible to restrict download by MIME type/content type in nginx?
FTP/SSL in passive mode with portrange, which ports has to be open on the firewall?
How Can I prevent a specific application from being run on a specific machine using Group Policy?