Dynamics Updates -- Do They Work?

Guest

I have spent several days reading and re-reading online Help, O'Reilly books, and so forth and performing various trials trying to figure out what the trick is to get dynamic updates to work. Specifically, I want an IP address allocated by DHCP to appear as a new Resource Record or an updated Resource Record in DNS. I have ensured that dynamic updates are enabled in DNS. The DNS database is integrated within Active Directory. I have ensured the ACR is not restrictive. For the exercise, I put a currently allocated IP address into the "do not allocate" range of the only zone there is. Then I type "IPCONFIG /RELEASE" and "IPCONFIG /RENEW" followed by a check to see what address DHCP has allocated. For good measure I type "IPCONFIG /REGISTERDNS". Sometimes I check the box "Allow Any Unauthenticated User..." in the New Host dialog. No matter what I do, DNS never updates or creates the (A) RR when DHCP allocates a new IP. I gave in to the idea that maybe it takes a few minutes for the change to sink in and become evident. Waiting an hour was not enough. There are all these different periods of time that can be fiddled with to confuse the issue (TTL and all that).

Windows 2003 Server is on all five computers of the subnet. Every client of DHCP should be responsible for informing DNS when a potential change occurs. DHCP and DNS are co-located in the same computer.

This shouldn't be rocket science. How about a completely worked out S*I*M*P*L*E example that demonstrates in a laboratory setting what the administrator must do and what the administrator expects to see. I'm none too fond of the helpless feeling I get after reading Help. Thanks in advance for actual help directed my way.
 
Herb Martin

> I have spent several days reading and re-reading online Help, O'Reilly
> books, and so forth and performing various trials trying to figure out what
> the trick is to get dynamic updates to work.

Turn them on for a ZONE on the Primary (or AD Integrated Set).

Use machines that are "dynamic update aware", which means
Win2000+.

If you cannot, then use the Win2000+ DHCP server to set and
register for older clients.

IF you use "secure updates only" then use machines that are in
the domain (and can authenticate.)

Make sure all machines have the DOMAIN NAME set in the
system control panel (and no override for registration in the NIC
properties.)

That's it.

> Specifically, I want an IP address allocated by DHCP to appear
> as a new Resource Record or an updated Resource Record in DNS.

Then set the DHCP server that way.

> I have ensured that dynamic updates are enabled in DNS.

Good. Same zone/domain as DHCP, right?

> The DNS database is integrated within Active Directory.
> I have ensured the ACR is not restrictive.

ACR?

Are the clients set to USE THIS zone/domain name in system
properties and DHCP server in the scope?

> Windows 2003 Server is on all five computers of the subnet.
> Every client of DHCP should be responsible for informing DNS
> when a potential change occurs.

Clients don't do that. They lease, release, or renew.

My guess is you don't have these machines set to the ZONE --
remember a DNS zone is set to be "dynamic" so unless the DHCP
or the client registers IN THAT ZONE (and not some other) then
it isn't going to work.

Also check your DNS/DHCP server for its CLIENT NIC DNS
settings -- there have been a lot of people putting TWO DNS servers,
one from the external world, in there; or even using just the external
ISP DNS.

INTERNAL machines, including servers, need to use an INTERNAL
DNS server (only.)
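The client-side prerequisites Herb lists above (domain name set in the system control panel, NIC pointing only at internal DNS, no registration override on the NIC) can be checked from the client rather than by guessing. The following script is an added example written for this thread, not code from the thread or from Microsoft. It assumes Windows 8 / Server 2012 or later (for Get-CimInstance and Resolve-DnsName), and the parameters $ZoneName and $InternalDnsServers are placeholders you supply for your own zone. The last check matters most for the original poster's symptom: it asks the internal DNS server for the host's A record and compares it with the addresses actually on the adapters, so a stale or missing record is reported instead of being inferred from timers. The "foreign DNS server" check is the one with a security angle: a client pointed at an ISP resolver will send its dynamic-update attempts, and with them internal host names, to a server outside the domain.

```powershell
# Added example, not from the thread: checks a Windows client against the
# prerequisites for DNS dynamic update and then verifies the A record exists.
# Assumes Windows 8 / Server 2012 or later. $ZoneName and $InternalDnsServers
# are placeholders for your own zone and internal DNS server addresses.
function Test-DnsDynamicUpdateClient {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $ZoneName,           # e.g. 'corp.example' (placeholder)
        [Parameter(Mandatory)] [string[]] $InternalDnsServers  # e.g. '192.168.1.10' (placeholder)
    )

    $results = @()

    # 1. Primary DNS suffix: the domain-name portion of the full computer name
    #    from the System control panel, stored under Tcpip\Parameters.
    $tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $suffix = (Get-ItemProperty -Path $tcpip -Name 'Domain' -ErrorAction SilentlyContinue).Domain
    $results += [pscustomobject]@{
        Check  = 'Primary DNS suffix matches zone'
        Pass   = ($suffix -eq $ZoneName)
        Detail = "suffix='$suffix' zone='$ZoneName'"
    }

    # 2-3. Per adapter: only internal DNS servers, and no registration override.
    $adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($nic in $adapters) {
        $servers = @($nic.DNSServerSearchOrder | Where-Object { $_ })
        $foreign = @($servers | Where-Object { $_ -notin $InternalDnsServers })
        $results += [pscustomobject]@{
            Check  = "DNS servers internal only ($($nic.Description))"
            Pass   = ($servers.Count -gt 0 -and $foreign.Count -eq 0)
            Detail = "servers=$($servers -join ',') foreign=$($foreign -join ',')"
        }
        # A connection-specific suffix on the NIC can send registration to a
        # different zone; an empty value means the primary suffix is used.
        $results += [pscustomobject]@{
            Check  = "NIC registration not overridden ($($nic.Description))"
            Pass   = ($nic.FullDNSRegistrationEnabled -and
                      ([string]::IsNullOrEmpty($nic.DNSDomain) -or $nic.DNSDomain -eq $ZoneName))
            Detail = "register=$($nic.FullDNSRegistrationEnabled) nicSuffix='$($nic.DNSDomain)'"
        }
    }

    # 4. Outcome check: does the zone hold an A record for this host that
    #    matches an IPv4 address configured on one of the adapters?
    $fqdn  = "$env:COMPUTERNAME.$ZoneName"
    $local = @($adapters | ForEach-Object { $_.IPAddress } |
              Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
    try {
        $records = @(Resolve-DnsName -Name $fqdn -Type A -Server $InternalDnsServers[0] -DnsOnly -ErrorAction Stop |
                     Where-Object { $_.Type -eq 'A' })
        $registered = @($records | Where-Object { $_.IPAddress -in $local })
        $detail = "A=$($records.IPAddress -join ',') local=$($local -join ',')"
    } catch {
        $registered = @()
        $detail = $_.Exception.Message
    }
    $results += [pscustomobject]@{
        Check  = "A record for $fqdn matches a local address"
        Pass   = ($registered.Count -gt 0)
        Detail = $detail
    }

    return $results
}

# Usage (values are placeholders for your own environment):
# Test-DnsDynamicUpdateClient -ZoneName 'corp.example' -InternalDnsServers '192.168.1.10' |
#     Format-Table -AutoSize
```

Run it on the client after IPCONFIG /RENEW and IPCONFIG /REGISTERDNS; every row should read Pass = True. A failing "DNS servers internal only" row is the case Herb describes of an external ISP server in the NIC properties, and a failing suffix row is the "not set to the ZONE" case.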
 
Herb Martin

Nice list but I think we can improve/simplify it a bit, and I have
a question or two also....

"Ace Fekay [MVP]"
> Here's the SIMPLE rules for Dynamic Updates (assuming either an AD
> environment or not):
>
> 1. Primary DNS Suffix of the machine MUST be the zone name of AD or the zone
> name you want to update to.

The word "Primary" above is extraneous and confusing since many people
confuse this term with Primary DNS servers -- we mean the "System Control
Panel DNS domain name portion of the FULL Computer name."

> 2. Point ONLY to the DNS server hosting this zone (no other servers
> whatsoever unless they host a copy of this zone also for fault tolerance). If
> you use your ISP's in your properties, it probably will not work and it may
> try to update to their servers and you'll get errors stating so.
> 3. Enable Updates on the zone (set it to at least YES).
> 4. If AD, make sure the Primary DNS Suffix and the zone name in DNS are
> spelled EXACTLY the same.
> 5. If not AD, make sure the Primary DNS Suffix is spelled EXACTLY as the
> zone name in DNS.

4 and 5 are the same and can be collapsed if we make no (artificial)
distinction here for AD-integrated/Primary -- in either case the name must
match exactly.

> 6. If a reverse zone, make sure the reverse zone is created EXACTLY to
> reflect the actual subnet your machine is on.

Is this true? I haven't tested it but I would expect any 192.168.x.0
machine to register properly in 168.192.in-addr.arpa even if using a /24 mask.

I doubt that DNS/DHCP/machines care, but if they do it is a (small) bug.

> 7. If using DHCP, specify Option 006 to be ONLY the internal DNS servers
> that host a copy of this zone.
> 8. If using DHCP, specify option 015 the Primary DNS Suffix.
> 9. If using DHCP and you have legacy clients, specify Option 081 to force
> registration for clients that cannot (that's in DHCP properties, DNS tab,
> check off the box).

Last three are excellent to have listed all together.
 
Ace Fekay [MVP]

Here's the SIMPLE rules for Dynamic Updates (assuming either an AD
environment or not):

1. Primary DNS Suffix of the machine MUST be the zone name of AD or the zone
name you want to update to.
2. Point ONLY to the DNS server hosting this zone (no other servers
whatsoever unless they host a copy of this zone also for fault tolerance). If
you use your ISP's in your properties, it probably will not work and it may
try to update to their servers and you'll get errors stating so.
3. Enable Updates on the zone (set it to at least YES).
4. If AD, make sure the Primary DNS Suffix and the zone name in DNS are
spelled EXACTLY the same.
5. If not AD, make sure the Primary DNS Suffix is spelled EXACTLY as the
zone name in DNS.
6. If a reverse zone, make sure the reverse zone is created EXACTLY to
reflect the actual subnet your machine is on.
7. If using DHCP, specify Option 006 to be ONLY the internal DNS servers
that host a copy of this zone.
8. If using DHCP, specify option 015 the Primary DNS Suffix.
9. If using DHCP and you have legacy clients, specify Option 081 to force
registration for clients that cannot (that's in DHCP properties, DNS tab,
check off the box).

Netlogon uses the Primary DNS Suffix to register that same name zone into
DNS.

Recommendation if you want efficient Internet resolution, configure a
forwarder.

Hope that helps.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--
=================================

mark rockman said:
> I have spent several days reading and re-reading online Help, O'Reilly
> books, and so forth and performing various trials trying to figure out what
> the trick is to get dynamic updates to work. Specifically, I want an IP
> address allocated by DHCP to appear as a new Resource Record or an updated
> Resource Record in DNS. I have ensured that dynamic updates are enabled in
> DNS. The DNS database is integrated within Active Directory. I have
> ensured the ACR is not restrictive. For the exercise, I put a currently
> allocated IP address into the "do not allocate" range of the only zone there
> is. Then I type "IPCONFIG /RELEASE" and "IPCONFIG /RENEW" followed by a
> check to see what address DHCP has allocated. For good measure I type
> "IPCONFIG /REGISTERDNS". Sometimes I check the box "Allow Any
> Unauthenticated User..." in the New Host dialog. No matter what I do, DNS
> never updates or creates the (A) RR when DHCP allocates a new IP. I gave
> in to the idea that maybe it takes a few minutes for the change to sink in
> and become evident. Waiting an hour was not enough. There are all these
> different periods of time that can be fiddled with to confuse the issue (TTL
> and all that).
>
> Windows 2003 Server is on all five computers of the subnet. Every client
> of DHCP should be responsible for informing DNS when a potential change
> occurs. DHCP and DNS are co-located in the same computer.
>
> This shouldn't be rocket science. How about a completely worked out
> S*I*M*P*L*E example that demonstrates in a laboratory setting what the
> administrator must do and what the administrator expects to see. I'm none
> too fond of the helpless feeling I get after reading Help. Thanks in
> advance for actual help directed my way.
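The server-side rules in Ace's list (3, 6, 7, 8 and 9) can be audited on the DHCP/DNS server itself. The script below is an added example for this thread, not code from the thread or from Microsoft. It assumes the DhcpServer and DnsServer PowerShell modules (Windows Server 2012 or later) on a host where DHCP and DNS are co-located, as in the original poster's setup; $ZoneName, $InternalDnsServers and $ScopeId are placeholders you supply. Rule 6 is handled the way Herb and Ace discuss it: an octet-aligned mask (/8, /16, /24) gets the classful in-addr.arpa name, and a subnetted mask is reported as needing the classless layout from KB 174419 rather than guessed. Rule 9 maps to the scope's DNS settings, which is where the DHCP console's DNS tab (option 081 handling) is stored.

```powershell
# Added example, not from the thread: audits one DHCP scope against the
# server-side dynamic update rules. Assumes DhcpServer and DnsServer modules
# on a co-located DHCP/DNS host. All parameter values are placeholders.

# Classful reverse zone name for an octet-aligned mask; $null for a subnetted
# mask, which needs a classless reverse zone (KB 174419) instead.
function Get-ClassfulReverseZoneName {
    param([string] $ScopeId, [string] $SubnetMask)
    $mask = $SubnetMask.Split('.')
    if ($mask | Where-Object { $_ -ne '255' -and $_ -ne '0' }) { return $null }
    $octets = @($mask | Where-Object { $_ -eq '255' }).Count
    if ($octets -lt 1 -or $octets -gt 3) { return $null }
    $net = @($ScopeId.Split('.')[0..($octets - 1)])
    [array]::Reverse($net)
    return ($net -join '.') + '.in-addr.arpa'
}

function Test-DhcpDynamicUpdateScope {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $ZoneName,            # e.g. 'corp.example' (placeholder)
        [Parameter(Mandatory)] [string[]] $InternalDnsServers,  # e.g. '192.168.1.10' (placeholder)
        [Parameter(Mandatory)] [string]   $ScopeId              # e.g. '192.168.1.0' (placeholder)
    )
    $results = @()

    # Scope-level option value, falling back to the server-level value.
    $getOption = {
        param([int] $Id)
        $v = Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId $Id -ErrorAction SilentlyContinue
        if (-not $v) { $v = Get-DhcpServerv4OptionValue -OptionId $Id -ErrorAction SilentlyContinue }
        if ($v) { @($v.Value) } else { @() }
    }

    # Rule 3: the forward zone accepts dynamic updates (None / NonsecureAndSecure / Secure).
    $zone = Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = "Zone $ZoneName allows dynamic updates"
        Pass   = ($null -ne $zone -and $zone.DynamicUpdate -ne 'None')
        Detail = "DynamicUpdate=$($zone.DynamicUpdate)"
    }

    # Rule 6: a reverse zone that reflects the scope's actual subnet exists.
    $scope   = Get-DhcpServerv4Scope -ScopeId $ScopeId
    $rev     = Get-ClassfulReverseZoneName -ScopeId $ScopeId -SubnetMask $scope.SubnetMask.ToString()
    $revZone = if ($rev) { Get-DnsServerZone -Name $rev -ErrorAction SilentlyContinue }
    $results += [pscustomobject]@{
        Check  = "Reverse zone for $ScopeId/$($scope.SubnetMask) exists"
        Pass   = ($null -ne $revZone)
        Detail = if ($rev) { "expected $rev" } else { 'subnetted mask: build a classless reverse zone per KB 174419' }
    }

    # Rule 7: option 006 lists only internal DNS servers hosting the zone.
    $opt6    = & $getOption 6
    $foreign = @($opt6 | Where-Object { $_ -notin $InternalDnsServers })
    $results += [pscustomobject]@{
        Check  = 'Option 006 is internal DNS servers only'
        Pass   = ($opt6.Count -gt 0 -and $foreign.Count -eq 0)
        Detail = "option6=$($opt6 -join ',') foreign=$($foreign -join ',')"
    }

    # Rule 8: option 015 hands clients the same name as the zone.
    $opt15 = & $getOption 15
    $results += [pscustomobject]@{
        Check  = 'Option 015 equals zone name'
        Pass   = ($opt15.Count -eq 1 -and $opt15[0] -eq $ZoneName)
        Detail = "option15='$($opt15 -join ',')'"
    }

    # Rule 9 (DNS tab / option 081 handling): server updates DNS, including
    # on behalf of clients that cannot register themselves.
    $dns = Get-DhcpServerv4DnsSetting -ScopeId $ScopeId
    $results += [pscustomobject]@{
        Check  = 'DHCP server registers records for clients'
        Pass   = ($dns.DynamicUpdates -ne 'Never' -and $dns.UpdateDnsRRForOlderClients)
        Detail = "DynamicUpdates=$($dns.DynamicUpdates) UpdateForOlderClients=$($dns.UpdateDnsRRForOlderClients)"
    }

    return $results
}

# Usage (values are placeholders for your own environment):
# Test-DhcpDynamicUpdateScope -ZoneName 'corp.example' -InternalDnsServers '192.168.1.10' `
#     -ScopeId '192.168.1.0' | Format-Table -AutoSize
```

Option 006 is the row worth watching from a security standpoint: if it lists an ISP resolver, every DHCP client on the scope will direct its registration attempts (internal host names and addresses) at that external server, which is exactly the failure mode Herb and Ace both warn about.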
 
Herb Martin

>> Last three are excellent to have listed all together.
>
> I like to CLARIFY these points so there is NO question of what I'm talking
> about to the poster. This will eliminate re-posts to clarify, as I've seen
> in the past.

Didn't mean the last three should be changed but only meant that it is
nice to SEE them all here together in one place (in your list.)

--
Herb Martin
 
Ace Fekay [MVP]

Herb Martin said:
> Nice list but I think we can improve/simplify it a bit, and I have
> a question or two also....
>
> "Ace Fekay [MVP]"
>
> The word "Primary" above is extraneous and confusing since many people
> confuse this term with Primary DNS servers -- we mean the "System Control
> Panel DNS domain name portion of the FULL Computer name."

If you like to refer to it that way, that is fine, and that's the place that
it gets changed, if it is NOT a domain controller. If it is a domain
controller, it can be changed via the registry or by the use of a script I
have possession of, that will change it to whatever the AD DNS domain name
is set to, which is the domain name as it shows when you open the ADUC
console.

This value *clearly* shows up when one does an ipconfig /all.

> 4 and 5 are the same and can be collapsed if we make no (artificial)
> distinction here for AD-integrated/Primary -- in either case the name must
> match exactly.

True.
I separated it so there is NO question of what I am referring to, as has been
shown in the past by folks that have re-posted asking for clarity.

> Is this true? I haven't tested it but I would expect any 192.168.x.0
> machine to register properly in 168.192.in-addr.arpa even if using a /24 mask.

Yes, in your scenario, this will work. The "X" octet will show up as a
subfolder. This may or may not be what the customer desired to see, but it will
work. In other scenarios, it may not, depending on the subnet. Hence, why I
clearly state that for all practical purposes, it *should* be properly
created so there is NO question of whether the zone is correct or not.

If it's a subnetted range, we can follow this article:
174419 - HOWTO Configure a Subnetted Reverse Lookup Zone on Windows NT, 2000
or 2003 [Talks about classless reverse zones too]:
http://support.microsoft.com/?id=174419

> I doubt that DNS/DHCP/machines care, but if they do it is a (small) bug.

Well, as I mentioned above, it depends on whether it's subnetted or not.

> Last three are excellent to have listed all together.

I like to CLARIFY these points so there is NO question of what I'm talking
about to the poster. This will eliminate re-posts to clarify, as I've seen
in the past.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Ace Fekay [MVP]

Herb Martin said:
> Didn't mean the last three should be changed but only meant that it is
> nice to SEE them all here together in one place (in your list.)

I see. No prob. Sometimes in an explanation, no matter how easy it sounds,
there will be questions. I understand what you're saying and I agree
with you.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 