While you are on this screen, make sure you set the Conflict Detection Attempts to at least 2. Microsoft recommends setting this option so that DHCP sends a ping to an address before handing it out. This is useful in preventing IP address conflicts when someone manually assigns an address within a DHCP range. I prefer to set it to 2 since I have seen some environments where a switch might not have an entry in the ARP table for that MAC address, so it drops the first ping but then finds the host. By setting it to 2, you ensure that you have given your switch time to update its ARP table and aren't relying on a single ping before handing out the address. If you're concerned about slowing down the process, I wouldn't worry about it. Having made this change in dozens of environments, I never ran into anyone who was able to notice the difference in client boot times.
Not enabling scavenging in DNS
I will go into more detail in another post about DNS, but I do want to mention that scavenging should be enabled and the Refresh/No Refresh interval should equal the length of your DHCP scope. If you are scared to enable scavenging, good. You should have a healthy fear of screwing up your environment. I highly recommend exporting your list of DNS records prior to enabling scavenging. However, don't let the fear of issues prevent you from configuring your servers properly. DNS Scavenging can be configured to work properly. Let me repeat: DNS Scavenging can be configured to work properly!
Forgetting to remove or update legacy Authorized DHCP Servers
While it usually isn't the end of the world, it is possible to put yourself in a pickle by leaving legacy addresses in DHCP as authorized servers. It is not likely, but while you are in and cleaning things up, this is a good place to look. Right-click DHCP, then select Manage Authorized Servers. Make sure you only remove the old IP addresses. If you authorized a DHCP server, then later replaced it with a server that has the same IP address but a different name, make sure you unauthorize the old one with the wrong name and then authorize the new one. I've seen situations where an old authorization works because the IP address is the same, but then someone deletes that authorized server later because the name is different. Then everyone stops getting DHCP addresses until someone realizes they need to add that DHCP server back into the authorized list.
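As an added PowerShell example (not code from the original post), the script below audits the three items above on a Windows DHCP and DNS server: it raises Conflict Detection Attempts to 2, exports the DNS zones before turning on scavenging with intervals matched to the DHCP lease, and flags authorized DHCP servers whose name no longer resolves to their registered IP. The server names are placeholders, the DhcpServer and DnsServer RSAT modules and an elevated session are assumed, and "length of your DHCP scope" is taken to mean the scope's lease duration.

```powershell
# Audit of the three DHCP/DNS settings discussed above (added example).
# Placeholders: replace with your own server names.
param(
    [string]$DhcpServer = 'dhcp01.example.local',
    [string]$DnsServer  = 'dc01.example.local'
)

# 1. Conflict detection: ping a candidate address twice before leasing it.
$setting = Get-DhcpServerSetting -ComputerName $DhcpServer
if ($setting.ConflictDetectionAttempts -lt 2) {
    Set-DhcpServerSetting -ComputerName $DhcpServer -ConflictDetectionAttempts 2
    Write-Host "Conflict detection raised from $($setting.ConflictDetectionAttempts) to 2"
}

# 2. Scavenging: back up the zones first, then align refresh/no-refresh
#    with the longest lease so records outlive their DHCP lease.
$lease = (Get-DhcpServerv4Scope -ComputerName $DhcpServer |
          Sort-Object -Property LeaseDuration -Descending |
          Select-Object -First 1).LeaseDuration

# Export-DnsServerZone writes the file into the DNS server's System32\dns folder.
Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
    ForEach-Object {
        $file = "$($_.ZoneName)-pre-scavenging-$(Get-Date -Format yyyyMMdd).bak"
        Export-DnsServerZone -ComputerName $DnsServer -Name $_.ZoneName -FileName $file
    }

Set-DnsServerScavenging -ComputerName $DnsServer -ScavengingState $true `
    -RefreshInterval $lease -NoRefreshInterval $lease -ApplyOnAllZones
Write-Host "Scavenging enabled; refresh and no-refresh set to $lease"

# 3. Authorized servers: report entries whose DNS name no longer resolves to
#    the authorized IP (the "same IP, different name" trap). Review before
#    removing; the fix is Remove-DhcpServerInDC for the stale entry followed
#    by Add-DhcpServerInDC for the current name and IP.
foreach ($entry in Get-DhcpServerInDC) {
    $resolved = Resolve-DnsName -Name $entry.DnsName -Type A -ErrorAction SilentlyContinue |
                Where-Object { $_.IPAddress } |
                Select-Object -ExpandProperty IPAddress
    if ($resolved -notcontains $entry.IPAddress.IPAddressToString) {
        Write-Warning "Possibly stale authorization: $($entry.DnsName) -> $($entry.IPAddress)"
    }
}
```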
Which DNS servers does the DHCP server dynamically update? Its own? The one(s) given out to the client? Scope level? Server level? Is there a way to tell in DNS if a record has been registered by a client or by a DHCP server?
The DNS servers to be updated will be whatever is configured for the client. That can be at the scope or server level. The client will try, and if it's not able, and the DHCP server is configured to do so, it will then attempt to update the DNS server itself. If I recall (not 100% on this one), you can look at the security settings of the record on the DNS server, and look at the owner. If the server is doing the work and you've configured it with a service account, then you should see the service account as the owner (I believe). Otherwise I think you'll often see System as the owner of the record.