Tuesday, December 16, 2014

Common mistakes with Windows DHCP Configurations

Changing DNS settings to "Always dynamically update DNS records"

There is a very common misunderstanding about this setting. Common sense would indicate you should select this option to make sure DNS records are always updated. However, we're not supposed to use common sense here. What this setting doesn't mention is that with the default option, "Dynamically update DNS records only if requested by the DHCP clients", the DHCP client updates its own record and only asks the DHCP server to do so if it is unable. One example of a client being unable to update its record is when the record already exists and the computer account doesn't have permissions to it. Unless you know for certain you have a case for changing this, leave it at the default. If you are having issues with records updating, then most likely you have a DNS Scavenging issue, not a DHCP issue. If the second option, Always dynamically update, is selected, then the DHCP server tells the client not to update the record and that the DHCP server will handle it. What's the problem then, Wes? Well, most people forget to configure credentials for the DHCP server. Without credentials the DHCP service registers records under its own computer account, which means if you have installed DHCP onto a DC, you are in an extremely vulnerable configuration, or you are simply unable to update the DNS records. What I've seen most frequently is that DNS isn't being updated because DNS Scavenging is not enabled. Someone then sets this to Always dynamically update, doesn't configure credentials, and the DNS records never get updated. So if you are selecting the Always dynamically update option, don't forget to enter credentials. http://technet.microsoft.com/en-us/library/dd145315%28v=ws.10%29.aspx


Conflict Detection Attempts set to 0
While we are on this screen, make sure you set Conflict Detection Attempts to at least 2. Microsoft recommends setting this option so that DHCP pings an address before handing it out. This is useful in preventing IP address conflicts when someone manually assigns an address within a DHCP range. I prefer to set it to 2 because I have seen environments where a switch doesn't yet have an ARP table entry for that MAC address, drops the first ping, and only then finds it. By setting it to 2, you give the switch time to update its ARP table and aren't relying on a single ping before handing out the address. If you're concerned about slowing down the process, I wouldn't worry about it. Having made this change in dozens of environments, I never ran into anyone who was able to notice the difference in client boot times.
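An added audit script (not from the original post) that checks the two settings discussed above on a DHCP server: the dynamic-update mode together with whether update credentials are configured, and the conflict detection count. It assumes the DhcpServer PowerShell module (Windows Server 2012 or later) and read rights on the server; the server name is a placeholder, and the remediation commands are left commented out.

```powershell
# Added audit example, not part of the original post.
# Assumes the DhcpServer module; $Server is a placeholder name.
Import-Module DhcpServer

$Server = 'dhcp01.example.local'   # placeholder

# Server-level DNS dynamic update mode: OnClientRequest (default), Always, or Never
$dns  = Get-DhcpServerv4DnsSetting -ComputerName $Server
# Account the DHCP server uses when it registers records on the client's behalf
$cred = Get-DhcpServerDnsCredential -ComputerName $Server
# Server-wide settings, including ConflictDetectionAttempts
$set  = Get-DhcpServerSetting      -ComputerName $Server

$hasCred = [bool]$cred.UserName
"DynamicUpdates            : $($dns.DynamicUpdates)"
"Credential configured     : $hasCred $(if ($hasCred) { "($($cred.DomainName)\$($cred.UserName))" })"
"ConflictDetectionAttempts : $($set.ConflictDetectionAttempts)"

# Mistake 1 from the post: 'Always' with no credential means the server
# registers records as its own computer account (a DC account if DHCP runs
# on a domain controller) or fails to register them at all.
if ($dns.DynamicUpdates -eq 'Always' -and -not $hasCred) {
    Write-Warning "DynamicUpdates is 'Always' but no DNS update credential is set on $Server."
    # Fix option A: go back to the default, letting clients register themselves.
    #   Set-DhcpServerv4DnsSetting -ComputerName $Server -DynamicUpdates OnClientRequest
    # Fix option B: keep 'Always' but supply a dedicated low-privilege account.
    #   Set-DhcpServerDnsCredential -ComputerName $Server -Credential (Get-Credential)
}

# Mistake 2 from the post: no ping before an address is offered.
if ($set.ConflictDetectionAttempts -lt 2) {
    Write-Warning "ConflictDetectionAttempts is $($set.ConflictDetectionAttempts); the post recommends at least 2."
    #   Set-DhcpServerSetting -ComputerName $Server -ConflictDetectionAttempts 2
}
```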

Not enabling scavenging in DNS
I will go into more detail in another post about DNS, but I do want to mention that scavenging should be enabled and the Refresh and No-Refresh intervals should equal the lease length of your DHCP scope. If you are scared to enable scavenging, good. You should have a healthy fear of screwing up your environment. I highly recommend exporting your DNS records prior to enabling scavenging. However, don't let the fear of issues prevent you from configuring your servers properly. DNS Scavenging can be configured to work properly. Let me repeat. DNS Scavenging can be configured to work properly!
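An added example (not from the original post) that reports the DNS server's scavenging settings next to each DHCP scope's lease duration, flags scopes that do not follow the post's rule that the Refresh and No-Refresh intervals match the lease length, and exports the zone's records first as the post recommends. It assumes the DnsServer and DhcpServer modules; the server and zone names are placeholders.

```powershell
# Added example, not part of the original post.
# Assumes the DnsServer and DhcpServer modules; names below are placeholders.
Import-Module DnsServer, DhcpServer

$DnsServer  = 'dc01.example.local'     # placeholder
$DhcpServer = 'dhcp01.example.local'   # placeholder
$ZoneName   = 'example.local'          # placeholder

$scav = Get-DnsServerScavenging -ComputerName $DnsServer
"ScavengingState    : $($scav.ScavengingState)"
"NoRefreshInterval  : $($scav.NoRefreshInterval)"
"RefreshInterval    : $($scav.RefreshInterval)"
"ScavengingInterval : $($scav.ScavengingInterval)"

if (-not $scav.ScavengingState) {
    Write-Warning "Scavenging is disabled on $DnsServer; stale records are never removed."
}

# The post's rule: both intervals should equal the scope's lease duration.
# LeaseDuration and the interval properties are all TimeSpans, so they compare directly.
foreach ($scope in Get-DhcpServerv4Scope -ComputerName $DhcpServer) {
    $lease = $scope.LeaseDuration
    $ok = ($scav.RefreshInterval -eq $lease) -and ($scav.NoRefreshInterval -eq $lease)
    "{0,-16} {1,-24} lease={2,-12} {3}" -f $scope.ScopeId, $scope.Name, $lease,
        $(if ($ok) { 'OK' } else { 'MISMATCH' })
}

# Safety net from the post: keep a copy of the zone's records before scavenging
# is turned on, so anything removed by mistake can be identified and recreated.
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName |
    Export-Clixml -Path ".\$ZoneName-records-$(Get-Date -Format yyyyMMdd).xml"

# Once the intervals line up with the lease, enable scavenging. The 8-day values
# are illustrative only; use your own scope's lease length.
#   Set-DnsServerScavenging -ComputerName $DnsServer -ScavengingState $true `
#       -NoRefreshInterval 8.00:00:00 -RefreshInterval 8.00:00:00 `
#       -ScavengingInterval 1.00:00:00 -ApplyOnAllZones
```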

Forgetting to remove or update legacy Authorized DHCP Servers
While it usually isn't the end of the world, it is possible to put yourself in a pickle by leaving legacy addresses in DHCP as authorized servers. Not likely, but while you are in and cleaning things up, this is a good place to look. Right-click DHCP, then select Manage Authorized Servers. Make sure you only remove the old IP addresses. If you authorized a DHCP server, then later replaced it with a server that has the same IP address but a different name, you will want to make sure you unauthorize the old one with the wrong name, then authorize the new one. I've seen situations where an old authorization works because the IP address is the same, but then someone deletes that authorized server later because the name is different. Then everyone stops getting DHCP addresses until someone realizes they need to add that DHCP server back into the authorized list.
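An added example (not from the original post) that lists every DHCP server authorized in Active Directory and flags the case described above: an entry whose name no longer resolves to the authorized IP address. It assumes the DhcpServer module and rights to read the authorizations; it only reports, and the clean-up commands with placeholder names and addresses are left commented out.

```powershell
# Added example, not part of the original post. Assumes the DhcpServer module
# (Get-DhcpServerInDC) and the built-in Resolve-DnsName cmdlet. Report only.
Import-Module DhcpServer

"{0,-35} {1,-16} {2}" -f 'Authorized name', 'Authorized IP', 'Status'
foreach ($entry in Get-DhcpServerInDC) {
    $name = $entry.DnsName
    $ip   = [string]$entry.IPAddress

    # Current A records for the authorized name; CNAME rows carry no IPAddress and are skipped.
    $resolved = @(Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
                  Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })

    $status = if ($resolved.Count -eq 0) {
        'STALE: name does not resolve'                       # old server name left behind
    } elseif ($resolved -notcontains $ip) {
        "MISMATCH: name now resolves to $($resolved -join ', ')"
    } else {
        'OK'
    }
    "{0,-35} {1,-16} {2}" -f $name, $ip, $status
}

# Clean-up pattern from the post when a server was replaced under the same IP:
# unauthorize the stale name/IP pair first, then authorize the new name.
# Placeholder values; run only after confirming which entry is the stale one.
#   Remove-DhcpServerInDC -DnsName 'olddhcp.example.local' -IPAddress 192.0.2.10
#   Add-DhcpServerInDC    -DnsName 'newdhcp.example.local' -IPAddress 192.0.2.10
```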

2 comments:

  1. Which DNS servers does the DHCP server dynamically update? Its own? The one(s) given out to the client? Scope level? Server level? Is there a way to tell in DNS if a record has been registered by a client or by a DHCP server?

  2. The DNS servers to be updated will be whatever is configured for the client. That can be at the scope or server level. The client will try, and if it's not able, and the DHCP server is configured to do so, it will then attempt to update the DNS server itself. If I recall (not 100% on this one), you can look at the security settings of the record on the DNS server, and look at the owner. If the server is doing the work and you've configured it with a service account, then you should see the service account as the owner (I believe). Otherwise I think you'll often see System as the owner of the record.
