It is important to understand how clients update their DNS records dynamically to prevent issues where the process fails due to poor management of your DNS zones and records. Many DNS administrators find that the Dynamic DNS update process and aging/scavenging processes may be difficult to understand and manage correctly.
Hopefully, the information in this article will help you understand the relationship between DNS security and record updates to prevent issues such as clients NOT being able to update their DNS records, or DNS records being scavenged for legitimate domain computers.
When a DNS record is created by a new client, the NoRefresh interval is in effect, which is 7 days by default. When the client dynamically updates its DNS information in this situation, the client’s DNS timestamp is not updated until the Refresh interval takes effect. This behavior controls and manages DNS and Active Directory replication (for AD Integrated Zones).
During the Refresh interval, which is 7 days by default, the client’s DNS timestamp is updated. During the Scavenging interval, old DNS resource records are automatically deleted. This process works very well when the correct security permissions are in place for DNS client records.
When a DNS client or a DHCP server performs a dynamic update, the DNS record adds the Client_Computer_Name$ account to the permissions for the DNS record. Therefore, only the computer that registered the DNS record can update the DNS record. If the computer account in the domain is DELETED and then recreated for the same computer, the DNS record is not updated with the new SID for the computer account.
Recall that computer accounts are also security principles and therefore deleting the object and recreating the object results in a new object with a different SID. In other scenarios, when a change is made on the DHCP server such as configuring the DHCP service to update DNS records on behalf of the client, the DHCP server may not update a DNS record when the client registers a DNS record.
This behavior occurs if the Client_Computer_Name$ account already exists for the DNS record. The DHCP server does not have permissions to the records in DNS.
When the DNS client is configured to use a static IP address, the DNS client registers both host (A) resource records and pointer (PTR) resource records on the DNS server. Then, the DNS client adds the Client_Computer_Name$ account together with Full Control permissions for the DNS record.
In the case of using the DHCP service to register client’s DNS records, you need to add the DHCP server’s computer account to the DNSUpdateProxy Security group and set the appropriate settings on the DHCP server’s properties.
- Enable DNS Dynamic updates according to the settings below.
- Dynamically update DNS A and PTR records only if requested by the DHCP clients.
In this case, the DNS client registers the host (A) resource record. Then, the DNS client adds the Client_Computer_Name$ account together with Full Control permissions for the DNS record on the DNS servers.
Next, the DHCP server registers the pointer (PTR) resource record. Finally, the DHCP server adds the DHCP_Computer_Name$ account together with Full Control permissions for the DNS record.
- Enable DNS Dynamic updates according to the settings below
- Always dynamically update DNS A and PTR records
In this case, the DHCP server registers both the host (A) resource record and the pointer (PTR) resource record. Then, the DHCP server adds the DHCP_Computer_Name$ account together with Full Control permissions for the DNS record.
With the proper configuration and management of your DNS records, the updating and aging/scavenging process should work flawlessly in your environment
