
Windows 2000 DNS is not dynamically updating


numb3rs1x (IS-IT--Management), Feb 14, 2008
I am running a Windows 2000 DC using AD and the Windows DNS service. DHCP is provided by an OpenBSD server. My problem is this: my DNS forward and reverse zones not only do not match, but there are hardly any entries that are even accurate. There are two entries for almost everyone; about 10 percent of them are right. It seems to me by looking at it that DNS is not being dynamically updated when a computer joins the domain. I've done some looking, and as far as I can tell, the DNS server is set up to update dynamically and clean itself out every once in a while. I'm a little stuck at the moment because I don't know what to start checking. I've tried to get an idea as to how this is all working, but I don't know what to do on my machine to verify that it is working properly. Anyone have any suggestions?

Thanks,

Jon
 
I can't speak to the OpenBSD DHCP... but I can speak from an MS DHCP perspective.

Let's hit on the basics for DHCP scope configuration:

1. Is the DNS domain option set, and is it set to your AD domain name? (domain.com for example)
2. Are you specifying a DNS suffix search list (I never recommend this unless absolutely necessary)? If so, is the top listed domain your AD domain name, and if there is a parent domain, is it second, before all other dns suffixes?
3. Are clients pointing to the DC for DNS (I assume yes but playing it safe)?
4. What other options are you setting?

Let's go over the DNS basic config questions:

1. Are secure and insecure dynamic updates enabled?
2. Are your client systems NATed in any way?
3. Is the zone set to allow everyone group to update the records on the zone?


My DNS forward and reverse zones not only do not match, but there are hardly any entries that are even accurate.
Q: What do you mean by "not only do not match"? Are you speaking of different IPs appearing for the host records?


There are two entries for almost everyone about 10 percent of them are right.
Q: Do they have different IP addresses? Is this what you mean by 10 percent are right?
Q: How many network segments are the clients residing in?


It seems to me by looking at it that DNS is not being dynamically updated when a computer joins the domain.
A: DNS records *should* be updated at computer startup (or reboot), and every 1.5 hrs or so, give or take. They should also be registered when the DHCP Client service is restarted, or when running ipconfig /registerdns :)




Basics of how MS DHCP works with client DNS registration:

1. DHCP server registers on behalf of client, therefore, it owns the record (this can be disabled via the reg)
2. DHCP maintains ownership of records, and performs periodic updates of DNS records (the client never registers itself, despite pointing to the DC for DNS)
3. DHCP removes the DHCP records when a lease for a system expires

It's late, but that's pretty much the nuts and bolts off the top of my head.


What I think is happening (theoretical right now of course):

You are running secure and insecure dynamic updates on the zone. OpenBSD is unable to "own" the DNS records due to not being a domain member/AD authorized DHCP server. It can, however, do the initial update of the client systems as they boot up. Since it does not take ownership, about 1.5 hrs after bootup the client recognizes it needs to register a record under its ownership, as it does not recognize the original registering entity, or the IP address is incorrect. Now there are two records for the same system (which is a major problem for Kerberos auth to work properly).



Here's what I'd like to see tested:

1. Choose a client system you have seen the dup DNS records for
2. Check its assigned IP and IP info (subnet mask, gateway, etc.), then set this info statically OR choose an IP that has not been assigned by the DHCP server (I suggest reserving the IP for testing; skip step 3 if doing this)
3. If possible, terminate the lease of the IP of that client in the DHCP scope, then reserve that IP for the client for testing
4. Once client system is set statically, power it off completely OR disable and stop the DHCP client service temporarily
5. Delete all DNS records for the client system from the DNS zone; also ensure no duplicate IPs exist in the zone for the IP you are using for testing.
6. Power on the system, or reset the dhcp client service back to automatic and start it
7. Look at the DNS management console at your zone FROM THE DC ITSELF and refresh repeatedly until you see the record appear (depending on the client OS, this could take 5-10 minutes); ensure the record is accurate
8. Delete the DNS record once more
9. Restart the DHCP client service on the client system
10. Repeat step 7

If your record is correct after steps 7 and 10, then your problem is likely not with the zone itself at all, but rather, the use of a 3rd party DHCP server.

-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+
Manager - Global AD Operations
ACS, Inc.
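A consistency check for the two symptoms Jon describes (hosts with two A records, reverse lookups that disagree with the forward zone) and for the duplicate-record theory in the post above, as an added example that is not part of this thread. It assumes a simplified, constructed "name type data" zone dump and the constructed domain hq.example.com.

```python
"""Audit a DNS forward zone against its reverse zone for the two symptoms in the
thread: hosts with more than one A record, and A records whose PTR does not
point back. Added example, not code from the thread; the zone dumps are
constructed, simplified 'name type data' lines (a real dnscmd export needs its
own parser)."""
from collections import defaultdict

DOMAIN = "hq.example.com"  # constructed AD DNS domain name

# Constructed forward zone: ws01 has two A records, ws03 has a stale PTR.
FORWARD_ZONE = """\
ws01 A 192.168.1.21
ws01 A 192.168.1.37
ws02 A 192.168.1.22
ws03 A 192.168.1.40
dc1 A 192.168.1.10
"""

# Constructed reverse zone for 192.168.1.0/24.
REVERSE_ZONE = """\
21.1.168.192.in-addr.arpa PTR ws01.hq.example.com.
22.1.168.192.in-addr.arpa PTR ws02.hq.example.com.
40.1.168.192.in-addr.arpa PTR ws07.hq.example.com.
10.1.168.192.in-addr.arpa PTR dc1.hq.example.com.
"""

def parse_records(text):
    """Yield (name, rtype, data) from 'name type data' lines; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0].lower(), parts[1].upper(), parts[2]

def duplicate_hosts(forward=FORWARD_ZONE):
    """Return {host: [ip, ...]} for hosts that have more than one A record."""
    by_host = defaultdict(list)
    for name, rtype, data in parse_records(forward):
        if rtype == "A":
            by_host[name].append(data)
    return {host: ips for host, ips in by_host.items() if len(ips) > 1}

def ptr_mismatches(forward=FORWARD_ZONE, reverse=REVERSE_ZONE, domain=DOMAIN):
    """Return [(host, ip, ptr_target)] for A records the reverse zone does not confirm.
    ptr_target is None when the IP has no PTR at all."""
    ptr = {}  # dotted IPv4 -> FQDN the reverse zone claims for it
    for name, rtype, data in parse_records(reverse):
        if rtype == "PTR" and name.endswith(".in-addr.arpa"):
            octets = name[: -len(".in-addr.arpa")].split(".")
            ptr[".".join(reversed(octets))] = data.rstrip(".").lower()
    return [(host, ip, ptr.get(ip)) for host, rtype, ip in parse_records(forward)
            if rtype == "A" and ptr.get(ip) != f"{host}.{domain}".lower()]

if __name__ == "__main__":
    print("duplicates:", duplicate_hosts())
    print("ptr mismatches:", ptr_mismatches())
```

A host that shows up in both lists with its second IP is the "initial registration, then never updated" pattern described in the thread; a PTR of None means the reverse zone never got the record at all.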
 
Make sure you have set up record scavenging on the DNS server itself. You want to scavenge old records on a regular basis to clean out old DNS information that piles up on your DNS server.

Good luck,
 


1. Is the DNS domain option set, and is it set to your AD domain name? (domain.com for example)

Not sure what you mean by option. You will have to excuse my ignorance. There is an entry for the domain name we are using in the forward lookup zones, there it has a list of hosts. Like I was saying, most of them are wrong.

2. Are you specifying a DNS suffix search list (I never recommend this unless absolutely necessary)? If so, is the top listed domain your AD domain name, and if there is a parent domain, is it second, before all other dns suffixes?

We don't use this.

3. Are clients pointing to the DC for DNS (I assume yes but playing it safe)?

Yes.


4. What other options are you setting?

I have the DNS server set to scavenge and also to dynamically update secure. I had it on both, but then I read somewhere to set it to secure. Either way it doesn't work.


1. Are secure and insecure dynamic updates enabled?

Secure.


2. Are your client systems NATed in any way?

They are on the same subnet as the DHCP and DNS server.


3. Is the zone set to allow everyone group to update the records on the zone?

I think so. The everyone group is included under the security tab in the properties of the domain in question.


Q: What do you mean by "not only do not match"? Are you speaking of different IPs appearing for the host records?

Yes. I can do a reverse lookup on an IP, and most of the time I will get an erroneous entry. DNS gives the info it has, but it's the wrong info. There are also multiple entries for some of the hosts.

Q: Do they have different IP addresses? Is this what you mean by 10 percent are right?

Yes, I can look at my IP and then when I go to the zone and look at the entry, it will be different. It's like it registers initially, and then it never updates.

Q: How many network segments are the clients residing in?

If I understand this question correctly, everyone is on the same subnet. It's about 50 users.


A: DNS records *should* be updated at computer startup (or reboot), and every 1.5 hrs or so, give or take. They should also be registered when the DHCP Client service is restarted, or when running ipconfig /registerdns :)

Right, I've looked into these things, and they are not happening.




What I think is happening (theoretical right now of course):

You are running secure and insecure dynamic updates on the zone. OpenBSD is unable to "own" the DNS records due to not being a domain member/AD authorized DHCP server.

Is there a way to authorize it?



It can, however, do the initial update of the client systems as they boot up. Since it does not take ownership, about 1.5 hrs after bootup the client recognizes it needs to register a record under its ownership, as it does not recognize the original registering entity, or the IP address is incorrect. Now there are two records for the same system (which is a major problem for Kerberos auth to work properly).


Hmmmm. Maybe you have something there, but if that were the case, wouldn't there be more than just two or three (at the most) entries for every user? I would say in an eight hour day there would be at least four, and then since it doesn't seem like anything is being cleaned out, there would be several.

I will go through the steps you mentioned and post that separately.

Thanks for all the help.


I wanted to mention also that I read somewhere else that the reason DNS might not be updating is because this server is an upgrade from NT? Is there any weight in that?



 
Scavenging is actually not such a great idea due to the dynamic update nature of the zones. It's OK to use, but increments smaller than 1 week can cause problems for DCs.

1. Is the DNS domain option set, and is it set to your AD domain name? (domain.com for example)

Not sure what you mean by option. You will have to excuse my ignorance. There is an entry for the domain name we are using in the forward lookup zones, there it has a list of hosts. Like I was saying, most of them are wrong.

A: The DNS domain name option is a scope option on your DHCP server. It's multi-vendor, so it should be there...




Grab a dcdiag /v and a netdiag /v.



Is there a way to authorize it?

A: Yes, switch to MS DNS (but shouldn't run it on DC)



I wanted to mention also that I read somewhere else that the reason DNS might not be updating is because this server is an upgrade from NT? Is there any weight in that?

A: No weight in that that I know of unless you upgraded to Win2000 RTM or SP1... my assumption is, since those haven't been supportable for years, that's not the case here... and potentially if running in NT4 mixed mode with the pdc e set with the PDCEmulator reg value... then maybe :) I've worked on and headed up literally hundreds of domain upgrades and migrations, and have never had a problem like that... with one exception, single label domain names (DOMAIN instead of DOMAIN.com), and even that's fixable.

Hmmmm. Maybe you have something there, but if that were the case, wouldn't there be more than just two or three (at the most) entries for every user? I would say in an eight hour day there would be at least four, and then since it doesn't seem like anything is being cleaned out, there would be several.

A: Not necessarily... with MS DHCP, the records will be removed only AFTER the lease has expired, unless you have set the option in the DHCP server properties to always update DNS even if the client doesn't request an update.

-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+
Manager - Global AD Operations
ACS, Inc.
 
Doing primary tests

Testing server: Default-First-Site-Name\****
Starting test: Replications
* Replications Check
......................... **** passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=**,DC=*****,DC=com
* Security Permissions Check for
CN=Configuration,DC=**,DC=*********,DC=com
* Security Permissions Check for
DC=**,DC=********,DC=com
......................... **** passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
......................... **** passed test NetLogons
Starting test: Advertising
The DC **** is advertising itself as a DC and having a DS.
The DC **** is advertising as an LDAP server
The DC **** is advertising as having a writeable directory
The DC **** is advertising as a Key Distribution Center
The DC **** is advertising as a time server
The DS **** is advertising as a GC.
......................... **** passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=****,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=**,DC=*******,DC=com
Role Domain Owner = CN=NTDS Settings,CN=****,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=**,DC=*******,DC=com
Role PDC Owner = CN=NTDS Settings,CN=****,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=**,DC=*********,DC=com
Role Rid Owner = CN=NTDS Settings,CN=****,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=**,DC=*********,DC=com
Role Infrastructure Update Owner = CN=NTDS Settings,CN=****,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=**,DC=*******,DC=com
......................... **** passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 2102 to 1073741823
* ****.**.*******.com is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1102 to 1601
* rIDNextRID: 1313
* rIDPreviousAllocationPool is 1102 to 1601
......................... **** passed test RidManager
Starting test: MachineAccount
* SPN found :LDAP/****.**.*******.com/**********.com
* SPN found :LDAP/****.**.********.com
* SPN found :LDAP/****
* SPN found :LDAP/****.**.********.com/HQ
* SPN found :LDAP/1j9i5870-4u46-4j29-78ca-ef8649bc3459._msdcs.**.**********.com
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/1a9a547g-4ss6-4e99-ca-dfsssssss3459/**.*********.com
* SPN found :HOST/****.**.*******.com/**.*******.com
* SPN found :HOST/****.**.******.com
* SPN found :HOST/****
* SPN found :HOST/****.**.*******.com/**
* SPN found :GC/****.**.*******.***/**.*******.com
......................... **** passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: RPCLOCATOR
* Checking Service: w32time
* Checking Service: TrkWks
* Checking Service: TrkSvr
* Checking Service: NETLOGON
* Checking Service: Dnscache
Could not open IISADMIN Service on [****]:failed with 1060: The specified service does not exist as an installed service.
* Checking Service: NtFrs
Could not open SMTPSVC Service on [****]:failed with 1060: The specified service does not exist as an installed service.
......................... **** failed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
**** is in domain DC=**,DC=***********,DC=com
Checking for CN=****,OU=Domain Controllers,DC=**,DC=*******,DC=com in domain DC=hq,DC=*******,DC=com on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=****,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=**,DC=*******,DC=com in domain CN=Configuration,DC=**,DC=*********,DC=com on 1 servers
Object is up-to-date on all servers.
......................... **** passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service Event log test
The SYSVOL has been shared, and the AD is no longer prevented from starting by the File Replication Service.
......................... **** passed test frssysvol
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15 minutes.
......................... **** passed test kccevent
Starting test: systemlog
* The System Event log test
Found no errors in System Event log in the last 60 minutes.
......................... **** passed test systemlog

Running enterprise tests on : **.*********.com
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments provided.
......................... **.*******.com passed test Intersite
Starting test: FsmoCheck
GC Name: \\****.**.******.com
Locator Flags: 0xe0fc
PDC Name: \\****.**.********.com
Locator Flags: 0xe00001fd
Time Server Name: \\****.**.*******.com
Locator Flags: 0xe00001fc
Preferred Time Server Name: \\****.**.*******.com
Locator Flags: 0xe00001fc
KDC Name: \\****.**.******.com
Locator Flags: 0xe00001fc
......................... **.********.com passed test FsmoCheck
 
Typo on my part earlier...


Is there a way to authorize it?

A: Yes, switch to MS DHCP (but shouldn't run it on DC)



dcdiag looks good... what about netdiag /v?

Also, this just popped into my head... ensure the DHCP Client service is set to auto and started on all clients... this service performs DNS record registration.
Despite its name (DHCP Client), it is actually responsible for a majority of the dynamic updating Windows performs in various operations (DHCP IP allocation and DNS registration being the most major).



-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+
Manager - Global AD Operations
ACS, Inc.
 
Your best bet: set a service GPO for DHCP Client at the domain level (Default Domain Policy). Set the security on the service to Administrators: FC (local admins, just type Administrators with no domain selection), Server Operators: start, stop, SYSTEM: FC.

After that... reboot workstations, and bam, everyone's good all the time unless the policy is overwritten at a lower level (yes, you could set the No Override option, but this is a BAD idea for domain level policies as we are talking here).

Spot check a few through MMC that you've noticed the problem with to see if DHCP Client is started, for a checker, but either way I'd do the policy... if you wanna do Kerberos, you need to register, and that requires the DHCP Client service. That should get it through even the hardest of change control boards :)

-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+
Manager - Global AD Operations
ACS, Inc.
 