Question
Monday, April 22, 2013 8:52 PM
We have a 2003 AD DC. I see that most of our DNS zones are set for Nonsecure and secure. We have domain PCs, workgroup PCs, and wireless devices such as phones connecting to access points. We mainly use DHCP but our servers are hard-coded. I just came on-board with this company and I am wondering why it would be set up this way. Is it because of the workgroup machines and wireless devices?
All replies (6)
Tuesday, April 23, 2013 1:57 AM ✅Answered | 1 vote
Yes, if Secure DDNS were selected only domain members would have the ability to update their DNS records:
MCITP-EA | "You don't understand anything until you learn it more than one way" | Hope This Helps!
Friday, April 26, 2013 3:14 AM ✅Answered
Don't forget to create and configure credentials.
Yes, lower them to 4+4, because they total to 8, equal to or greater than 7. I just haven't updated it yet.
More notes:
Good article by Sean Ivey, MSFT:
How DNS Scavenging and the DHCP Lease Duration Relate
(Make the No-refresh and Refresh each half the lease, so combined, they are equal to or greater than the lease).
http://blogs.technet.com/b/askpfe/archive/2011/06/03/how-dns-scavenging-and-the-dhcp-lease-duration-relate.aspx
The scavenging total time formula is: NoRefresh + Refresh * 2 + scavenge period.
Example:
- DHCP lease duration should match the "no-refresh + refresh" values = 6 Days
- Zone is set to a 3 day Refresh and a 3 day No-Refresh interval
- Server Scavenging period is set to 3 days
- The total time is set to 3 day No-Refresh + 3 day Refresh + 3 day No-Refresh + 1 to Scavenging period (1 day to 3 day in this example) = Scavenging will occur anytime between Day 10 to Day 12
Good discussion on it and an example by Rick Tan:
Thread: "Enable DNS aging and scavenging "
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/d4ec8490-60cd-4466-951a-203a1ddbfaff/
For any current old records that are not owned by DHCP, you need to manually delete them to kick off scavenging quicker than waiting for it to happen, which depending on your lease length, may take up to 30 days. For example, a 3 day lease will take up to 12 days to kick in.
Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
This post is provided AS-IS with no warranties or guarantees and confers no rights.
Tuesday, April 23, 2013 4:48 AM
I concur with Ryan.
That's to allow non-domain joined devices to register into your DNS zones. You can set it to Secure only, but if you set up DHCP with credentials, forcing it to update everything, etc., then they will register, in which case to stop them, you can do all that, but just set DHCP to allow clients to update themselves (default).
It depends on what you want or what the company's requirements are.
Ace Fekay
Tuesday, April 23, 2013 2:42 PM
I do have DHCP set up with credentials and "Always dynamically update." With these settings, is it better to set the zones now to Secure only or would it just be a wash since I am using credentials and "Always dynamically update"?
Wednesday, April 24, 2013 2:54 AM
Absolutely. Also to make sure it works, the requirement is to add the DHCP server's computer account (not the DHCP credentials or any other account), into the DnsUpdateProxy group.
More on it here:
This link covers the following:
DHCP Service Configuration, Dynamic DNS Updates, Scavenging, Static Entries, Timestamps, DnsUpdateProxy Group, DHCP Credentials, prevent duplicate DNS records, DHCP has a "pen" icon, and more...
Published by Ace Fekay, MCT, MVP DS on Aug 20, 2009 at 10:36 AM
http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx
Good summary
How Dynamic DNS behaves with multiple DHCP servers on the same Domain?
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e9d13327-ee75-4622-a3c7-459554319a27
Ace Fekay
Thursday, April 25, 2013 1:31 PM
Nice blog. Thanks. DHCP is installed on our only DC so I guess I have no option but to add it to the DnsUpdateProxy group. Another interesting point is the Scavenge settings. The blog mentions the default 7 & 7 works well with the default lease time of 8 days. I read several other articles that suggest lowering the 7 & 7 to 4 & 4 if using the default 8 day lease (lowering each one to half of what the default lease is). What are your thoughts on this?
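The zone and scavenging settings discussed in this thread, applied from the command line with dnscmd on the DNS server. This is an added example, not part of the original posts; the zone name example.local and the 72-hour scavenging interval are assumptions, and the 96-hour values are the 4 + 4 day intervals mentioned above.

```batch
@echo off
rem Added example, not from the thread. ZONE is a placeholder zone name.
rem Run in an elevated prompt on the DNS server (dnscmd ships with the
rem Windows Server 2003 Support Tools).
set ZONE=example.local

rem Record the current settings (update mode, aging, intervals) before changing anything.
dnscmd /ZoneInfo %ZONE%

rem Dynamic update mode: 0 = none, 1 = nonsecure and secure, 2 = secure only.
rem Secure only requires the zone to be Active Directory-integrated.
dnscmd /Config %ZONE% /AllowUpdate 2

rem Enable aging on the zone and set No-refresh and Refresh to 4 days each.
rem dnscmd takes these intervals in hours (4 days = 96 hours).
dnscmd /Config %ZONE% /Aging 1
dnscmd /Config %ZONE% /NoRefreshInterval 96
dnscmd /Config %ZONE% /RefreshInterval 96

rem Server-level scavenging period in hours (72 = 3 days, an assumed value).
dnscmd /Config /ScavengingInterval 72

rem Confirm the zone now reports the new update mode and aging intervals.
dnscmd /ZoneInfo %ZONE%

rem Confirm that the DHCP server has DNS dynamic update credentials configured.
netsh dhcp server show dnscredentials
```

After switching a zone to secure only, workgroup PCs and other non-domain devices can no longer register their own records, so check that DHCP is registering on their behalf before relying on those names.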