question

LankyDoodle-7423 asked SunnyQi-MSFT commented

DHCP Dynamic Updates not working consistently

Hi,

I have an issue that I'm struggling to solve fully. Basically DHCP is not consistently keeping DNS in order so we have multiple hostnames with the same IP. We have LOTS of scopes, with different lease times. Sometimes it works and sometimes it doesn't. We have DHCP Server set to this, and there is presently a single DHCP Server.

Enable dynamic updates: On
-> Always dynamically update A and PTR
Discard A and PTR: On
Dynamically update for clients that do not request updates: On
Name protection: Off
Custom domain user account for doing the updates
DHCP Server is NOT in the DnsUpdateProxy group

The above settings are historic and so I have no knowledge around the original decisions - I have inherited this issue just this week!

DHCP Server is 2008 R2, and is NOT running AD DS or DNS role
DNS Servers are all now 2016 - this upgrade work happened very recently and some believe this problem started after decommissioning the last 2008 R2 DNS Server. However, I have also been told "stale" DNS has happened for a very long time.
Some A records have the custom user account as the owner and some have the actual computer object itself (I know by default only the owner can make some changes to the DNS records)

DHCP Server Log sample:

Microsoft DHCP Service Activity Log

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcid.

24,04/19/21,00:00:31,Database Cleanup Begin,,,,,0,6,,,

31,04/19/21,00:00:31,DNS Update Failed,172.16.127.142,<redacted-device-1>,,,0,6,,,
30,04/19/21,00:00:31,DNS Update Request,172.16.127.142,<redacted-device-1>,,,0,6,,,
34,04/19/21,00:44:02,DNS update request failed as the DNS update requests queue limit exceeded,172.16.127.142,<redacted-device-1>,,,0,6,,,

31,04/19/21,00:14:06,DNS Update Failed,192.168.69.152,<redacted-device-2>,,,0,6,,,
30,04/19/21,00:14:06,DNS Update Request,192.168.69.152,<redacted-device-2>,,,0,6,,,
11,04/19/21,00:14:06,Renew,192.168.69.152,<redacted-device-2>,14ABC52E274B,,1512827778,0,,,
31,04/19/21,00:14:06,DNS Update Failed,192.168.69.152,<redacted-device-2>,,,0,6,,,
30,04/19/21,00:14:06,DNS Update Request,192.168.69.152,<redacted-device-2>,,,0,6,,,
11,04/19/21,00:14:06,Renew,192.168.69.152,<redacted-device-2>,14ABC52E274B,,1512827778,0,,,

30,04/19/21,00:14:09,DNS Update Request,10.161.134.147,<redacted-device-3>,,,0,6,,,
11,04/19/21,00:14:09,Renew,10.161.134.147,<redacted-device-3>,001AE87FF5D6,,3195220243,0,,,

10,04/19/21,00:40:29,Assign,192.168.68.23,<redacted-device-4>,6C19C0D08A63,,391714430,0,,,
31,04/19/21,00:40:29,DNS Update Failed,192.168.68.23,<redacted-device-4>,,,0,6,,,
30,04/19/21,00:40:29,DNS Update Request,192.168.68.23,<redacted-device-4>,,,0,6,,,
11,04/19/21,00:40:29,Renew,192.168.68.23,<redacted-device-4>,6C19C0D08A63,,391714430,0,,,

02,04/19/21,07:44:51,Audit Log Paused,,,,,0,6,,,
02,04/19/21,17:51:07,Audit Log Paused,,,,,0,6,,,
02,04/19/21,17:54:10,Audit Log Paused,,,,,0,6,,,
02,04/19/21,18:41:15,Audit Log Paused,,,,,0,6,,,
02,04/19/21,19:08:28,Audit Log Paused,,,,,0,6,,,

Since yesterday, I have changed the DNS Queue length in the registry and restarted DHCP. Today, we haven't seen any queue limit exceeded events, but things are still failing. The logs are reaching their max 10MB size daily. I haven't yet tried adding the DHCP Server to the DNSUpdateProxy group.

Where else can I start looking to help diagnose this issue?

Thanks

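The activity log above is the quickest place to see which hosts never get their records written. The following added example (not part of this thread) parses the Microsoft DHCP Service Activity Log layout shown in the question, counts event IDs 30/31/32/34 per host, lists hosts whose DNS updates never succeeded, and flags IPs that were leased to more than one host name, which is exactly the combination that leaves several A records on one address. The log content, host names and addresses are constructed.

```python
import csv
import io
from collections import defaultdict
# Constructed sample in the Microsoft DHCP Service Activity Log layout (title, blank line, CSV
# header, rows); hostnames and addresses are made up, the " TransactionID" spacing is real.
SAMPLE_LOG = """Microsoft DHCP Service Activity Log

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcid.
24,04/19/21,00:00:31,Database Cleanup Begin,,,,,0,6,,,
31,04/19/21,00:00:31,DNS Update Failed,172.16.127.142,device-1,,,0,6,,,
30,04/19/21,00:00:31,DNS Update Request,172.16.127.142,device-1,,,0,6,,,
34,04/19/21,00:44:02,DNS update request failed as the DNS update requests queue limit exceeded,172.16.127.142,device-1,,,0,6,,,
30,04/19/21,00:14:09,DNS Update Request,10.161.134.147,device-3,,,0,6,,,
32,04/19/21,00:14:09,DNS Update Successful,10.161.134.147,device-3,,,0,6,,,
10,04/19/21,00:40:29,Assign,172.16.127.142,device-4,6C19C0D08A63,,391714430,0,,,
31,04/19/21,00:40:29,DNS Update Failed,172.16.127.142,device-4,,,0,6,,,
"""

# Event IDs from the log's own legend: 30 request, 31 failed, 32 successful, 34 queue limit hit.
DNS_REQUEST, DNS_FAILED, DNS_OK, DNS_QUEUE_FULL = "30", "31", "32", "34"
COUNTERS = {DNS_REQUEST: "requests", DNS_FAILED: "failed", DNS_OK: "ok", DNS_QUEUE_FULL: "queue_full"}

def parse_dhcp_log(text):
    """Return the CSV rows as dicts, skipping the preamble before the 'ID,' header line."""
    lines = text.splitlines()
    start = next(i for i, line in enumerate(lines) if line.startswith("ID,"))
    return list(csv.DictReader(io.StringIO("\n".join(lines[start:])), skipinitialspace=True))

def summarize_dns_updates(rows):
    """Per host name: DNS update requests, failures, successes, queue drops and IPs seen."""
    stats = defaultdict(lambda: {"requests": 0, "failed": 0, "ok": 0, "queue_full": 0, "ips": set()})
    for row in rows:
        if not row["Host Name"]:
            continue  # housekeeping events (02, 24, ...) carry no host
        stats[row["Host Name"]]["ips"].add(row["IP Address"])
        if row["ID"] in COUNTERS:
            stats[row["Host Name"]][COUNTERS[row["ID"]]] += 1
    return dict(stats)

def hosts_never_registered(stats):
    """Hosts that tried to update DNS but never succeeded: where stale records will accumulate."""
    return sorted(h for h, s in stats.items() if (s["requests"] or s["failed"]) and not s["ok"])

def ips_shared_by_hosts(rows):
    """IPs leased to more than one host name; with failed updates these end up as duplicate A records."""
    seen = defaultdict(set)
    for row in rows:
        if row["Host Name"] and row["IP Address"]:
            seen[row["IP Address"]].add(row["Host Name"])
    return {ip: sorted(hosts) for ip, hosts in seen.items() if len(hosts) > 1}
```

Point it at a real DhcpSrvLog-*.log and compare the "never registered" list against the stale A records in DNS; if they match, the failures are in the DHCP-to-DNS update path rather than in scavenging.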

SunnyQi-MSFT answered LankyDoodle-7423 commented

Hi,

Thanks for posting in the Q&A platform.

Please try to add the DHCP server to the DNSUpdateProxy group to see if the issue can be resolved.

Meanwhile, I'm currently performing tests in my environment, and if there are any updates I will get back to you as soon as possible. I appreciate your patience.

If you have any updates during this process, please feel free to let me know.

Thanks and Regards,
Sunny


Thanks for the reply.

If we make this change, will it retrospectively tidy up all of the stale records, or will we have to do a manual clean up as well?

SunnyQi-MSFT answered SunnyQi-MSFT commented

Hi,

Thanks for your update.

I have performed some tests in my lab and am attaching the following test results for your reference.

DNS and DHCP are in two separate Windows servers.

With Always dynamically update A and PTR configured and a credential account added on the DHCP server, the host record is updated by the DHCP server successfully.

With Always dynamically update A and PTR configured and the DHCP server added to the DNSUpdateProxy group, the host record is updated by the DHCP server successfully.

Note: please restart the DNS or DHCP server after you make any changes on them.

Regarding the stale records, have you enabled Aging and Scavenging on the DNS server? If this feature is enabled, those stale records will be scavenged automatically after NoRefresh interval + Refresh interval + Scavenge period. Otherwise, you need to clean up these stale records manually. To make the change take effect, I would suggest you delete the specific records manually.

For more details regarding Aging and Scavenging, please refer to the following article and thread:

How DNS Aging and Scavenging Works

DNS Aging and Scavenging

Best Regards,
Sunny


We have it set exactly like you show above but we are not seeing that behaviour:

- When set with DHCP Credentials AND Always update, we are getting absolutely no A record created in DNS (or PTR for that matter).
- When set with DHCP Credentials AND only update if the client requests it, we get an A record but no PTR (however the client owns the A record, not the user set in DHCP Credentials).

This is our testing pattern:

1. ipconfig /release on the client: removes the lease AND deletes the A record
2. wait...
3. change something in DHCP and ALWAYS restart the service
4. wait...
5. reboot the client
6. wait...

When rebooting the client after ipconfig /release, DHCP always registers a new lease, so that's the only thing working 100% as I expect!

We have tried a brand new user in DHCP Credentials.
Nothing is appearing in the DHCP Event Viewer logs to suggest the DHCP Credentials are failing because of write permissions to DNS.

What can I look at next?

Thanks again for your help.

Also, the DHCP Server account is in the DnsUpdateProxy group. However, I have seen contradictory info on this:

"A service account will need to be setup to run the DHCP service, OR all the DHCP servers will need to be joined to the DNSUpdateProxy group (less secure) adding complexity."

That is from an MS doc, which suggests you use EITHER the Credentials OR put the computer account in the group, but not both. However, I have seen other MS docs say to do both!

Thank you very much for your update and sorry for my late response, since I was on vacation. Based on the provided information, I understand that our DHCP server can lease IP addresses successfully but doesn't have the permission to register host records or PTR records in our DNS server. If we have added a credential account on the DHCP server and added the DHCP server to the DNSUpdateProxy group already but the issue still exists, I would suggest you contact Microsoft Technical Support, where a more in-depth investigation can be done so that you get a more satisfying explanation and solution to this issue.

Also, in this way, they can have a clear picture about your issue and your environment by phone communication and live share session.

You may find the phone number for your region from the link below:
https://support.microsoft.com/en-us/gp/customer-service-phone-numbers

Best Regards,
Sunny