Sunday, December 20, 2015

domain name system - Dynamic DNS client records not being updated correctly

Our network is running Windows and macOS clients all of which are joined to Active Directory. The Macs are all running Windows via Bootcamp. We were having issues which were being caused by our macOS clients because they were not registering PTR records. We were also having issues with stale records. I spent a lot of time researching DNS and DHCP configuration to try to resolve these problems and ended up thinking I had solved it with the following configuration. But I have now realised that we still have problems which I will explain after the configuration.



Servers

  • 2 x Windows Server 2016 VMs
  • Both Domain Controllers
  • Both running DNS
  • Both running DHCP



DHCP Config

  • Failover mode: Load balance
  • Enable DNS dynamic updates: Always dynamically update DNS records
  • Discard A and PTR records when lease is deleted: Enabled
  • Dynamically update DNS records for DHCP clients that do not request updates: Enabled
  • Disable dynamic updates for DNS PTR Records: Disabled
  • DHCP name protection: Disabled
  • Lease duration: 2 days
  • Dynamic DNS credentials are configured. Account is only a Domain User



DNS Config

  • Active Directory Integrated Zones
  • Dynamic updates: Secure only
  • Replication: All domain controllers in this domain
  • No-refresh interval: 1 days
  • Refresh interval: 1 days
  • Scavenging period: 3 days




Group Policy

  • Computer\Administrative Templates\Network\DNS Client\Dynamic update: Set to Disabled



Current Problems

My aim was to get the DHCP servers to handle all DNS registration to solve the problem of macOS not registering PTR records. The PTR records are now being created, but it looks like the Macs are still creating their own A records, as the permissions list the client instead of the DNS registration user.




The Macs obviously use the same Ethernet or wireless card in macOS and Windows, so the MAC address won't change. I assume when each OS requests an IP it will be given the same IP due to the MAC address, and the DHCP server will update the client name. I'm not sure about DNS though: will the DHCP server create a new A record because the client name is different, resulting in duplicate records for a single IP? Or will the DHCP server try to change the client name on the A record with the matching IP, in which case it will fail if the Mac has already registered its own record? I don't know if/how I can tell the Mac to let the DHCP server register the records for it (our Mac technician decided to pursue a different career path, leaving us Windows techs scratching our heads :P ).



The second problem I'm having is that, for some reason, even the Windows clients aren't always registering correctly. I have a Windows-only device which has received an IP from DHCP but has no A or PTR records. This device is affected by the Group Policy mentioned above, so it would be relying on the DHCP server to register the records for it. But I can't see anything in the DHCP-Server or DNS-Server logs in Event Viewer on our servers which relates to this client name.



The third problem, albeit minor, is that any clients with statically assigned IPs don't register in DNS due to the setting in Group Policy. There are only a handful of these, and we occasionally assign IPs temporarily for various tasks (as DHCP clients require a proxy for Internet access).



If I have missed any important information please ask. Any help would be greatly appreciated.
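The questions above (who actually created each A record, whether a lease has a matching A and PTR record, and whether a record name no longer matches the lease holder) can be answered from the servers themselves rather than by inspecting records one at a time. The following PowerShell script is an added diagnostic example, not code from the original post. It assumes the DhcpServer, DnsServer and ActiveDirectory modules are present on a domain controller, that the zone is stored in the DomainDnsZones partition (which matches the "All domain controllers in this domain" replication scope listed above), and that the placeholder values for the zone names, the DHCP scope and the DHCP dynamic-update account are replaced with your own.

```powershell
# Added diagnostic example (not from the original post). Placeholder values below
# are assumptions and must be replaced with the real zone, scope and account names.
$Zone        = 'corp.example.com'          # forward lookup zone (placeholder)
$ReverseZone = '1.168.192.in-addr.arpa'    # reverse lookup zone for the scope (placeholder)
$ScopeId     = '192.168.1.0'               # DHCP scope to audit (placeholder)
$DhcpAccount = 'CORP\svc-dhcpdns'          # account configured as DHCP dynamic DNS credential (placeholder)
$DnsServer   = $env:COMPUTERNAME

Import-Module DhcpServer, DnsServer, ActiveDirectory
$DomainDn = (Get-ADDomain).DistinguishedName

# 1. Print the server-wide DHCP DNS settings and the zone aging/scavenging settings
#    so they can be compared with the values listed in the post.
Get-DhcpServerv4DnsSetting |
    Format-List DynamicUpdates, DeleteDnsRRonLeaseExpiry, UpdateDnsRRForOlderClients,
                DisableDnsPtrRRUpdate, NameProtection
Get-DnsServerZoneAging -Name $Zone | Format-List AgingEnabled, NoRefreshInterval, RefreshInterval
Get-DnsServerScavenging | Format-List ScavengingState, ScavengingInterval

# Owner of the dnsNode object behind an A record in the AD-integrated zone.
# A secure dynamic update leaves the updating principal as owner, so this shows
# whether the client's computer account or the DHCP credential registered the name.
function Get-DnsRecordOwner {
    param([string]$HostName)
    $dn = "DC=$HostName,DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDn"
    try {
        (Get-ADObject -Identity $dn -Properties nTSecurityDescriptor).nTSecurityDescriptor.Owner.Value
    } catch {
        $null   # node not found in this partition (record may be missing or stored elsewhere)
    }
}

# 2. Cross-check every active lease against the forward and reverse zones.
$aRecords   = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -RRType A
$ptrRecords = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ReverseZone -RRType Ptr

$report = foreach ($lease in Get-DhcpServerv4Lease -ScopeId $ScopeId |
                             Where-Object { $_.AddressState -like 'Active*' }) {
    $ip        = $lease.IPAddress.IPAddressToString
    $leaseName = ($lease.HostName -split '\.')[0]
    $forward   = @($aRecords | Where-Object { $_.RecordData.IPv4Address.IPAddressToString -eq $ip })
    # In a /24 reverse zone the PTR record's name is the last octet of the address.
    $reverse   = $ptrRecords | Where-Object { $_.HostName -eq ($ip -split '\.')[3] }

    if     ($forward.Count -eq 0)                    { $issue = 'NO A RECORD' }
    elseif ($forward.Count -gt 1)                    { $issue = 'DUPLICATE A RECORDS FOR IP' }
    elseif ($forward[0].HostName -ne $leaseName)     { $issue = 'A RECORD NAME DIFFERS FROM LEASE (stale?)' }
    else                                             { $issue = 'ok' }

    $owner = if ($forward.Count -ge 1) { Get-DnsRecordOwner -HostName $forward[0].HostName } else { $null }
    # Flag names that the client registered itself instead of the DHCP server.
    $registeredBy = if ($owner -and $owner -ne $DhcpAccount) { "client ($owner)" }
                    elseif ($owner) { 'DHCP server' } else { 'unknown' }

    [pscustomobject]@{
        IP           = $ip
        LeaseHost    = $leaseName
        ARecord      = ($forward | ForEach-Object HostName) -join ','
        RegisteredBy = $registeredBy
        HasPtr       = [bool]$reverse
        Issue        = $issue
    }
}

$report | Sort-Object Issue, IP | Format-Table -AutoSize
```

Run it on one of the domain controllers as an account that can read the zone objects. Rows marked "NO A RECORD" with HasPtr false are the Windows-only case described in the post (lease present, nothing registered); rows whose RegisteredBy column names a computer account rather than the DHCP credential are the Macs that registered their own A record; and "DUPLICATE A RECORDS FOR IP" or a name mismatch shows whether the same MAC address booting into the other OS produced a second record rather than an update of the first.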
