Question
Thursday, May 16, 2013 10:34 AM
I have a DC with the DNS and DHCP services enabled;
DNS holds one Active Directory-integrated primary zone for my domain, using dynamic update set to secure only;
DHCP has "Dynamically update DNS A and PTR records only if requested by the DHCP clients" selected on the DNS tab;
The DC computer account is a member of the DnsUpdateProxy security group.
All of the clients are DHCP clients;
I find most of the DNS records are owned by the "system" account (SYSTEM) and a few are owned by their computer account (computername$);
The "system" account owns the DNS record even when I manually set an IP address on the client.
I think this is not by-design behaviour.
How can I remediate it?
All replies (9)
Friday, May 17, 2013 8:33 AM ✅Answered
The root cause for this is the client settings. The records owned by computer$ are probably:
- clients not using DHCP
- clients configured to set/update their own address (DNS tab in advanced TCP/IP properties) that registered the record before DHCP could do so.
This is exactly why you will need DNS admin permissions for the service account; by default only the owner and DNS admins are allowed to update or delete the records.
I would suggest you check the privileges on the service account used. You will probably need a domain account that is a member of the DnsAdmins group.
Also refer to this article: DNS Record Ownership and the DnsUpdateProxy Group
MCP/MCSA/MCTS/MCITP
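The question and the answer above both turn on who owns each record. The following PowerShell is an added example, not part of either post, that reads the owner from the security descriptor of every dnsNode object in an AD-integrated zone and groups the records by owning principal, so you can see at a glance how many were registered by the DHCP credentials account, how many by the clients themselves (COMPUTERNAME$), and how many as SYSTEM. The domain contoso.com, the DomainDnsZones partition, and the account name CONTOSO\svc-dhcp-dns are assumptions; zones replicated to the ForestDnsZones partition or to the domain NC need a different -Partition value.

```powershell
# Added example: audit ownership of dnsNode objects in an AD-integrated zone.
# Run on a DC or on a box with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DnsNodeOwner {
    param(
        [Parameter(Mandatory)][string]$ZoneName,                      # e.g. contoso.com
        [string]$Partition = 'DC=DomainDnsZones,DC=contoso,DC=com'     # assumed zone storage location
    )
    # Zone container: DC=<zone>,CN=MicrosoftDNS,<partition>; each record name is a dnsNode child.
    $searchBase = "DC=$ZoneName,CN=MicrosoftDNS,$Partition"

    # Skip tombstoned nodes (deleted but not yet purged); read the security descriptor for the owner.
    Get-ADObject -SearchBase $searchBase -SearchScope OneLevel `
        -LDAPFilter '(&(objectClass=dnsNode)(!(dNSTombstoned=TRUE)))' `
        -Properties nTSecurityDescriptor |
      ForEach-Object {
        [pscustomobject]@{
            Record = $_.Name                             # '@' is the zone apex
            Owner  = $_.nTSecurityDescriptor.Owner       # e.g. CONTOSO\svc-dhcp-dns, CONTOSO\PC01$, NT AUTHORITY\SYSTEM
        }
      }
}

$dhcpAccount = 'CONTOSO\svc-dhcp-dns'                    # assumed DHCP credentials account
$owners = Get-DnsNodeOwner -ZoneName 'contoso.com'

# How many records does each principal own?
$owners | Group-Object Owner | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# Records the DHCP credentials account does not own and therefore cannot update or delete
# in a secure-only zone (it is neither owner nor DnsAdmin).
$owners | Where-Object { $_.Owner -ne $dhcpAccount -and $_.Record -ne '@' } | Format-Table -AutoSize
```

Run it before and after changing the DHCP server settings: once DHCP registers every client with its own credentials, new and re-registered records should show the credentials account as owner, and the remaining SYSTEM and computer$ owners are the stale records the later replies talk about.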
Friday, May 17, 2013 3:35 PM ✅Answered | 1 vote
A little background on the DNS registration process:
- By default, Windows 2000 and newer statically configured machines will register their A record (hostname) and PTR (reverse entry) into DNS.
- If set to DHCP, a Windows 2000 or newer machine will request DHCP to allow the machine itself to register its own A record, but DHCP will register its PTR (reverse entry) record.
- The entity that registers the record in DNS owns the record.

If you want the DHCP Credentials to own ALL records, then you must configure DHCP to ALWAYS update all clients whether they ask or not; otherwise, DHCP will register it for them, and you will see SYSTEM as the owner. If you configured credentials but haven't added the DHCP Server computer object to the DnsUpdateProxy group, then it won't work.

In summary:
- Configure DHCP Credentials. The credentials only need to be a plain-Jane, non-administrator user account. Give it a really strong password.
- Set DHCP to update everything, whether the clients can or cannot.
- Add the DHCP server(s) to the Active Directory Built-In DnsUpdateProxy security group. Make sure that ALL other non-DHCP servers are NOT in the DnsUpdateProxy group. For example, some believe that the DNS servers or other DCs not running DHCP should be in it. They must be removed or it won't work.
- On Windows 2008 R2 or newer, DISABLE Name Protection.
- If DHCP is co-located on a Windows 2008 R2 DC, you can and must secure the DnsUpdateProxy group by running the following:
  dnscmd /config /OpenAclOnProxyUpdates 0
- Configure Scavenging on one DNS server. What it scavenges will replicate to others anyway.

More specifics with screenshot step-by-steps:
DHCP Service Configuration, Dynamic DNS Updates, Scavenging, Static Entries, Timestamps, DnsUpdateProxy Group, DHCP Credentials, prevent duplicate DNS records, DHCP has a "pen" icon, and more...
http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx
Good summary:
How Dynamic DNS behaves with multiple DHCP servers on the same Domain?
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e9d13327-ee75-4622-a3c7-459554319a27
Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
This post is provided AS-IS with no warranties or guarantees and confers no rights.
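The summary list above is a procedure; the following PowerShell is an added example (not from the post or from Microsoft) that applies the non-scavenging steps on a DHCP server that is also a DC, using the DhcpServer and ActiveDirectory modules shipped with Windows Server 2012 and later. The host name DC01, the domain CONTOSO and the dedicated account CONTOSO\svc-dhcp-dns are assumptions; the cmdlets, parameters and the dnscmd property are real.

```powershell
# Added example: configure DHCP-driven secure dynamic DNS updates on a DC that runs DHCP.
Import-Module DhcpServer, ActiveDirectory

$dhcpServer = 'DC01'                          # assumed DHCP server / DC name
$proxyGroup = 'DnsUpdateProxy'

# 1. DHCP credentials: an ordinary Domain User, NOT in DnsAdmins or any other admin group.
#    Prompt for the password instead of embedding it in the script.
$cred = Get-Credential -UserName 'CONTOSO\svc-dhcp-dns' -Message 'Account DHCP uses for DNS updates'
Set-DhcpServerDnsCredential -Credential $cred -ComputerName $dhcpServer

# 2. Register A and PTR for every client whether or not it asks, delete them when the lease
#    expires, cover pre-Windows 2000 clients too, and turn Name Protection off.
Set-DhcpServerv4DnsSetting -ComputerName $dhcpServer `
    -DynamicUpdates Always `
    -DeleteDnsRROnLeaseExpiry $true `
    -UpdateDnsRRForOlderClients $true `
    -NameProtection $false

# 3. Only DHCP servers belong in DnsUpdateProxy. Add this one, then flag anything else in there.
Add-ADGroupMember -Identity $proxyGroup -Members (Get-ADComputer $dhcpServer)
$extra = Get-ADGroupMember -Identity $proxyGroup | Where-Object { $_.Name -ne $dhcpServer }
if ($extra) {
    Write-Warning "Not DHCP servers, remove from ${proxyGroup}: $($extra.Name -join ', ')"
}

# 4. DHCP co-located on a DC: make the DNS server apply its normal security to records created
#    through DnsUpdateProxy members instead of leaving them with an open ACL.
dnscmd $dhcpServer /Config /OpenAclOnProxyUpdates 0

# Verify what the server will actually do.
Get-DhcpServerDnsCredential -ComputerName $dhcpServer
Get-DhcpServerv4DnsSetting  -ComputerName $dhcpServer
```

The credentials account needs nothing beyond Domain Users: in a secure-only zone any authenticated principal can create a record, and the creator becomes the owner with rights to update and delete it afterwards. Keep the account's password long and rotate it through Set-DhcpServerDnsCredential rather than granting it DnsAdmins to paper over stale records.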
Thursday, May 16, 2013 9:26 PM
Did you configure the service account to be used to do the DNS updates? Does this service account have enough privileges to update DNS and to delete DNS records?
Please be aware that who will place and update the DNS records will depend on the client configuration too.
For example, if you configure a static IP address, the client will never request an IP from DHCP and thus the DHCP server cannot update/set the corresponding record. If you configure DHCP on the client, a radio button lets you configure the dynamic DNS update behaviour for the client. Additionally, not all versions of Windows OS behave the same in this respect (Microsoft tries to improve with each release...)
Please refer to these technet articles on how to configure this properly:
DHCP: Credentials for DNS update should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server
and
Integrating DHCP with DNS
and on top an older article that has a nice explanation on how it really works, including some comprehensive pictures:
Using DNS servers with DHCP
MCP/MCSA/MCTS/MCITP
Friday, May 17, 2013 3:07 AM
I know that whether the client is a DHCP client or not, it will use the DHCP Client service to register its A record by itself.
But a few A records are owned by computer$.
I checked the DHCP Client service account and it is using the Local Service account.
What is the cause?
Tuesday, May 21, 2013 1:22 PM | 1 vote
Hi SenneVL,
I would like to point out that the DHCP credentials account does not need to be in the DNS Administrators group. A regular, plain-Jane user account in the Domain Users group is sufficient. Any domain user can authenticate using Kerberos to update into a Secure Updates Only zone.
Cheers!
Ace Fekay
Tuesday, May 21, 2013 1:48 PM
Yes, if the DHCP server is the only one updating the record, that is correct. The service account then becomes owner of the records and has all required privileges to update/delete the record.
However, my personal experience showed me there are a lot of setups possible where DHCP is not the only one that adds the records (albeit by non-conforming configuration of the server or the clients).
Clients often do not unregister their records properly, thus leaving stale records. To cope with such an issue, the service account should be able to delete and update records upon lease expiry. As far as I know, only DNS admins are allowed to do so, although this article explains the use of the DnsUpdateProxy group for more or less the same purpose. http://technet.microsoft.com/en-us/library/dd334715(v=ws.10).aspx
If this is incorrect in your opinion, could you please share with me your knowledge on how the service account gets the privileges required to do the secure update (delete or change) for records owned by, for example, "computer$"?
MCP/MCSA/MCTS/MCITP
Tuesday, May 21, 2013 2:24 PM | 1 vote
If the DHCP server is set to update all DHCP clients whether they ask or not, then DHCP will update all DHCP clients, whether or not there is some sort of non-conformity in their configuration such as "update this record in DNS" not being checked. DHCP will update it anyway, since the DHCP server settings trump the client. And I assume that is what you meant by non-conformity. Otherwise, please elaborate.
As for the credentials, it's just a plain Domain User account, with a really complex and long password. That, in conjunction with the DHCP server(s)' computer account in DnsUpdateProxy and DHCP set to update everything whether they ask or not, is all it needs. This was confirmed through multiple emails between myself and the Microsoft engineers/owners responsible for this product group.
As for deleting existing records that were registered prior to configuring credentials, making the DHCP service changes, adding to the DnsUpdateProxy group and disabling Name Protection: you will see duplicates, one for the old existing record and one for the new one, because yes, the Domain User credentials do not have permissions to delete the old ones.
In this case, for security reasons, we do not recommend placing the account used for credentials in any administrative group. Rather, we recommend configuring scavenging on only one DNS server (the scavenged deletions will replicate to others), and just being patient and waiting for it to happen. Otherwise, if impatient, we can manually delete the previous records in the DNS console.
Although your suggestion to place it in some sort of administrative group, whether it be DNS Admins, Domain Admins, or any other group, will probably work, it's something we don't recommend.
I hope that helps!
Maybe this will provide additional info:
Good discussion that Microsoft support concurred with my settings for a poster that called in to Support:
DHCP Server Not Registering A Records for Windows Clients
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e4b285d6-5795-4045-83ff-3a3c793b2cfc/
Ace Fekay
Tuesday, May 21, 2013 2:55 PM
Yes, I meant situations where clients attempt to register their own records in conjunction with the DHCP server.
OK, my conclusion from your explanation: it is better practice to use DNS scavenging instead of assigning elaborate privileges to the DHCP service account to cope with stale records. Thanks for your time and clarification!
This still leaves me with some thinking to do about the relation between the scavenging interval and the DHCP lease time, and the different client configuration and behavior scenarios, ... but I'll leave that for another time ;)
again many thanks!
MCP/MCSA/MCTS/MCITP
Tuesday, May 21, 2013 3:13 PM
Yes, you don't want to provide additional rights on that account.
As for Scavenging, you want to set the NOREFRESH + REFRESH values so that when you add them up, they are approximately equal to the Lease value.
The scavenging total time formula is: NoRefresh + Refresh * 2 + scavenge period.
Example:
- DHCP lease duration should match the "no-refresh + refresh" values = 6 days
- Zone is set to a 3-day Refresh and a 3-day No-Refresh interval
- Server Scavenging period is set to 3 days
- The total time is 3-day No-Refresh + 3-day Refresh + 3-day No-Refresh + 1 to 3 days of Scavenging period (1 day to 3 days in this example) = scavenging will occur anytime between Day 10 and Day 12
Good discussion on it and an example by Rick Tan:
Thread: "Enable DNS aging and scavenging "
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/d4ec8490-60cd-4466-951a-203a1ddbfaff/
For any current old records that are not owned by DHCP, you need to manually delete them to kick off scavenging quicker than waiting for it to happen, which, depending on your lease length, may take up to 30 days. For example, a 3-day lease will take up to 12 days to kick in. Here's a chart showing a 3-day refresh/no-refresh setting:
Ace Fekay
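The aging and scavenging values discussed in this last exchange map onto a handful of DnsServer and DhcpServer cmdlets. The following PowerShell is an added example, not from the thread, that sets the 3-day No-refresh, 3-day Refresh and 3-day scavenging period from the post, matches the DHCP lease to No-refresh + Refresh, enables scavenging on a single server, and then lists the dynamic records whose timestamp is already older than No-refresh + Refresh, i.e. the stale records the next scavenging pass will remove. The server name DC01, zone contoso.com and scope 10.0.0.0 are assumptions.

```powershell
# Added example: align DNS aging/scavenging with the DHCP lease and list records due to be scavenged.
Import-Module DnsServer, DhcpServer

$server    = 'DC01'              # assumed DNS + DHCP server (DC)
$zone      = 'contoso.com'       # assumed AD-integrated zone
$noRefresh = New-TimeSpan -Days 3
$refresh   = New-TimeSpan -Days 3
$scavenge  = New-TimeSpan -Days 3

# Zone-level aging. The intervals are stored with the AD-integrated zone, so every DNS server sees them.
Set-DnsServerZoneAging -ComputerName $server -Name $zone -Aging $true `
    -NoRefreshInterval $noRefresh -RefreshInterval $refresh

# Server-level scavenging: enable on ONE server only; the deletions replicate through AD.
Set-DnsServerScavenging -ComputerName $server -ScavengingState $true -ScavengingInterval $scavenge

# DHCP lease duration matched to No-refresh + Refresh (6 days here).
Set-DhcpServerv4Scope -ComputerName $server -ScopeId 10.0.0.0 -LeaseDuration ($noRefresh + $refresh)

function Get-StaleDynamicRecord {
    # Dynamic A records whose timestamp is older than $Age. Static records have no timestamp
    # (Timestamp is null) and are never scavenged, so they are excluded.
    param([string]$Server, [string]$Zone, [timespan]$Age)
    $cutoff = (Get-Date) - $Age
    Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone -RRType A |
        Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
        Select-Object HostName, Timestamp, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } }
}

# What the next scavenging pass is going to delete.
Get-StaleDynamicRecord -Server $server -Zone $zone -Age ($noRefresh + $refresh) | Format-Table -AutoSize

# Current settings, for the change record.
Get-DnsServerZoneAging -ComputerName $server -Name $zone
Get-DnsServerScavenging -ComputerName $server
```

Running Get-StaleDynamicRecord right after enabling aging returns nothing useful, because records created before aging was turned on carry no timestamp until they are next refreshed; that is the "be patient" part of the advice above, and the reason the older SYSTEM and computer$ owned records may have to be deleted by hand.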