DNS Reverse Zone updates

  • Last Post 02 March 2016
nicolaferrari posted this 01 March 2016

Hi everybody.

We're running a Windows 2008 R2 DC with DNS, AD and DHCP roles on it.
DNS Forward zone is working fine (when a new client is added to the
domain, it registers itself into DNS also).

But the client PTR record in its reverse zone isn't created.
Our network is a class-C segmented network. I manually added a reverse
zone for each subnet as primary reverse ipv4 zone (eg.
26.168.192.in-addr.arpa for 192.168.26.0/24 subnet).
Anyway, reverse zones are not populated automatically: I can see only NS
and SOA records.
Zones are integrated in AD, clients are joined to the domain and get IP
address from DHCP.
At the moment, reverse name resolutions don't work (checked using
nslookup and ping -a commands).

Any suggestion?

Tnx,
Nick
Forum info: http://www.activedir.org
Problems unsubscribing? Email admin@xxxxxxxxxxxxxxxx

gkirkpatrick posted this 01 March 2016

My memory sucks but this sounds like a permissions problem. Check to make sure that the DHCP server is configured to populate the reverse lookup zone, and make sure that the DHCP service has the permissions in AD to do so.

There is some scenario where the client actually does the update, in which case the client machine account needs the permissions. It might be only in the case of non-Windows DHCP, I forget.

-gil


robertsingers posted this 01 March 2016

I have a vague recollection of having to create a service account with
proper permission on it to get this to work for a couple of quite
locked down forests. I don't think I found it documented anywhere, I
think I just noticed there was a dialog that allowed you to specify
the account to use either on the DHCP or DNS side and I just gave it a
go and it solved all problems.


webster posted this 01 March 2016

DHCP Server > Protocol > Properties > Advanced > DNS dynamic update credentials

Is probably what you are thinking about.


Webster


robertsingers posted this 02 March 2016

Yup!


Tony.Massa posted this 02 March 2016

A service account added to the DNSUpdateProxy AD group is required if you're using secure dynamic updates. https://technet.microsoft.com/en-us/library/dd334715(v=ws.10).aspx
> Date: Wed, 2 Mar 2016 14:40:28 +1300
> Subject: Re: [ActiveDir] DNS Reverse Zone updates
> From: rsmsingers@gmail.com
> To: ActiveDir@mail.activedir.org
>
> Yup!
>


jeremyts posted this 02 March 2016

I think you’ll find that it’s more related to the client side settings.

Ensure the following settings are enabled:

“Register this connection’s addresses in DNS”

“Use this connection’s DNS suffix in DNS registration”

There’s a thread here including a screen shot:

http://serverfault.com/questions/639398/reverse-dns-records-not-registered-when-using-dhcp

This is what I typically set for every deployment I do and never have any issues for reverse registrations. Often I’m using 3rd party DHCP services like InfoBlox, or non-Domain DHCP servers, so the DNSUpdateProxy is not an option.

Also, for Win 7 and 2008R2 you should have KB2520155 deployed so that you can change DNS servers without issue:

https://support.microsoft.com/en-us/kb/2520155

Clearly your mileage may vary because every environment is different, but try this before setting up the DNSUpdateProxy.

Cheers,

Jeremy

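The client-side check Jeremy describes, as an added example that is not from the thread: it reads the two adapter settings, sets them when either is off, re-registers, and confirms the PTR. It assumes the DnsClient module (Windows 8 / Server 2012 or later; the original poster's Windows 7 clients need the GPO route instead), and the adapter alias and DNS server address are placeholders.

```powershell
# Added example (not from the thread). Placeholders: adapter alias and the
# address of the AD DC that hosts the reverse zones.
$Adapter   = 'Ethernet'
$DnsServer = '192.168.26.1'

$client = Get-DnsClient -InterfaceAlias $Adapter
'{0}: RegisterThisConnectionsAddress={1}  UseSuffixWhenRegistering={2}' -f `
    $client.InterfaceAlias,
    $client.RegisterThisConnectionsAddress,   # "Register this connection's addresses in DNS"
    $client.UseSuffixWhenRegistering          # "Use this connection's DNS suffix in DNS registration"

# Both boxes must be ticked; the original poster had only the first one set.
if (-not ($client.RegisterThisConnectionsAddress -and $client.UseSuffixWhenRegistering)) {
    Set-DnsClient -InterfaceAlias $Adapter `
                  -RegisterThisConnectionsAddress $true `
                  -UseSuffixWhenRegistering $true
    # Same effect as "ipconfig /registerdns": the client sends its A and PTR updates now.
    Register-DnsClient
}
# For fleet-wide enforcement (and for Windows 7, where Set-DnsClient does not exist)
# the policy equivalent is Computer Configuration > Administrative Templates >
# Network > DNS Client > "Register DNS records with connection-specific DNS suffix".

# Verify against the DC directly (bypassing the local resolver cache):
# the adapter's IPv4 address should come back as the host's FQDN.
$ip = Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 |
      Select-Object -First 1 -ExpandProperty IPAddress
Resolve-DnsName -Name $ip -Type PTR -Server $DnsServer -DnsOnly |
    Select-Object Name, NameHost
```

If the PTR is still missing after a re-registration, the problem is on the server side (zone permissions or DHCP update credentials) rather than these two settings.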

nicolaferrari posted this 02 March 2016

Hi Jeremy,

You drove me into the right way.
I just had to enable BOTH the options:
- Register this connection’s addresses in DNS
- Use this connection’s DNS suffix in DNS registration
(the first one was already activated, but the second one was not).

Now both registrations in forward and reverse zones are working fine.

I found on the net this GPO to force that setting:
https://social.technet.microsoft.com/Forums/sharepoint/en-US/d654af96-8c52-431f-b547-676234fd82c1/which-gpo-setting-affects-use-this-connections-dns-suffix-in-dns-registration?forum=winserverGP


Thanks to everybody.
Nick


On 02/03/2016 04:45, Jeremy Saunders wrote:
> Ensure the following settings are enabled:
>
> “Register this connection’s addresses in DNS”
>
> “Use this connection’s DNS suffix in DNS registration”
>


--
| Linux User #554252 |

jeremyts posted this 02 March 2016

Yep, I forgot to mention the GPO thing.

Glad it's working for you.

One thing though. Make sure Scavenging is enabled on your reverse zones, otherwise you'll end up with multiple reverse records for the same hosts, which defeats the purpose.

Cheers,
Jeremy


a-ko posted this 02 March 2016

I would strongly recommend using DHCP and "Name Protection" for your zones
if there are any chances of devices other than Windows sitting on those
subnets.

There are multiple ways to update DNS for a client. If you're running DHCP
off of Windows, this is easy. If you're running it off of some other
appliance but running DNS off of Windows you may need to work with the
appliance vendor to configure their DHCP to register names.

-Mike Cramer

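The server-side pieces raised across the replies (Webster's DHCP dynamic update credentials, Tony's DnsUpdateProxy membership, Jeremy's scavenging on the reverse zones and Mike's Name Protection), as one added example that is not from the thread. It assumes the DhcpServer, DnsServer and ActiveDirectory modules on a Windows Server 2012 or later DC (the original poster's 2008 R2 box exposes the same settings only in the MMC consoles); the service account name, subnets and intervals are placeholders.

```powershell
# Added example (not from the thread). Run on the DC hosting DNS and DHCP.
$DhcpAccount = 'CONTOSO\svc_dhcpdns'        # placeholder service account
$Subnets     = '192.168.26.0', '192.168.27.0' # placeholder /24 subnets

# 1. DHCP > IPv4 > Properties > Advanced > "DNS dynamic update credentials":
#    the account DHCP uses to write A/PTR records on behalf of clients.
$cred = Get-Credential -UserName $DhcpAccount -Message 'DHCP DNS update account'
Set-DhcpServerDnsCredential -Credential $cred
# Membership of DnsUpdateProxy lets that account create records that a
# later client (or another DHCP server) can still take over.
Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members $DhcpAccount.Split('\')[1]

# 2. Name Protection: DHCP always registers A and PTR for the lease and
#    refuses to overwrite a name already owned by a different host, which
#    matters on subnets shared with non-Windows devices.
Set-DhcpServerv4DnsSetting -DynamicUpdates Always `
                           -NameProtection $true `
                           -DeleteDnsRROnLeaseExpiry $true

# 3. Aging on every reverse zone, so a host that changes address does not
#    leave a second PTR behind. Derive the zone name from the subnet the
#    same way the poster did: 192.168.26.0 -> 26.168.192.in-addr.arpa.
foreach ($net in $Subnets) {
    $o    = $net.Split('.')
    $zone = '{0}.{1}.{2}.in-addr.arpa' -f $o[2], $o[1], $o[0]
    Set-DnsServerZoneAging -Name $zone -Aging $true `
                           -NoRefreshInterval 7.00:00:00 `
                           -RefreshInterval   7.00:00:00
    Get-DnsServerZoneAging -Name $zone |
        Select-Object ZoneName, AgingEnabled, NoRefreshInterval, RefreshInterval
}
# Zone aging only marks records; the server-level scavenger must run too.
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00
```

Keep NoRefresh plus Refresh comfortably longer than the DHCP lease, otherwise the scavenger can delete PTRs for hosts that are still on the wire.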
