I was encountering an issue at a customer's site where the DNS records of their client PCs often would be behind or out of sync with the records in DHCP. Usually the IP address would be older in DNS and this was causing issues with scripts executing and network tools correctly resolving client PC hostnames to their correct IP addresses.
I realised I needed to make some changes to their dynamic DNS updating configuration. After a lot of reading through Microsoft's documentation and various online forums, this is what I ended up configuring. Hopefully this may help someone, some day:
- Make the DHCP server a member of the "DnsUpdateProxy" group
-
Create a new user account, in the "Users" OU, called "dnsdynamicupdates"
- This new user only needs to be a member of the "Domain Users" group - no special privileges
- Make the password strong and set it to never expire
- Set this new user as the credentials used by the DCHP server in IPv4 Properties | Advanced | Credentials
- Secure the DnsUpdateProxy group by running the following command with Admin privileges:
- dnscmd /config /OpenAclOnProxyUpdates 0
- Set the DHCP server's DNS settings to "Always dynamically update DNS records" in IPv4 Properties | DNS
- Configure DNS Aging values on the DNS server (combined these should be less than the DHCP lease time):
- NoRefresh: 3 days
- Refresh: 3 days
- Set the scavenging period on the DNS server to 4 days (often recommended to be less than the DHCP lease time)
- Set the DHCP lease time to 7 days (as appropriate for your network)
Some good Resources:
- DNS Dynamic Updates: https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-dns-dynamic-updates-windows-server-2003
- DNS Scavenging: https://lazyadmin.nl/it/dns-scavenging/
https://chrisbrown.au/techblog/how-dns-aging-and-scavenging-actually-work/
https://techit-services.com/best-practices-for-windows-dns-scavenging/#:~:text=In%20general%2C%20the%20total%20duration,is%20a%20well%2Drecognized%20practice.
Comments