Duplicate DNS entry

pawan posted this 3 weeks ago

Hi experts,
I need your advice on dealing with multiple duplicate records that exist in DNS.
Scenario:
1.) Two forests with a single domain each: Forest A/Domain A and Forest B/Domain B.
2.) User machines are in Domain A, and DHCP servers (2003) in Domain B lease IPs for the Domain A machines.
The DHCP servers are configured with default settings to update client A and PTR records and dynamically update them.
Issue:
1.) Same IP has different Hostnames and is owned by Machines itself in forward zone.
2.) Same IP has multiple PTR records in reverse zone and owned by DHCP server.
Thanks in Advance!
Regards, PWN

amulnick posted this 3 weeks ago

What have you done to allow the DHCP server to update records in Forest A? 
PTR records are best effort by definition.  Nothing to worry too much about there - monitoring apps typically care about those and should have provision for other more reliable methods.  
What are your settings for finding duplicates in the DHCP server? 
Al


pawan posted this 2 weeks ago

Hi Al,
Sorry, but I didn't find anything special configured for the DHCP server in Forest B.
They have only installed DHCP servers in Forest B to provide IPs in Forest A.
On Nov 6, 2017 10:44 PM, "Al Mulnick" <amulnick@xxxxxxxxxxxxxxxx> wrote:
What have you done to allow the DHCP server to update records in Forest A? 
PTR records are best effort by definition.  Nothing to worry too much about there - monitoring apps typically care about those and should have provision for other more reliable methods.  
What are your settings for finding duplicates in the DHCP server? 
Al


crossme posted this 2 weeks ago

Remove me.
Stop.
I tried disabling all emails from the site. no luck.


pawan posted this 2 weeks ago

Hi,
Does anyone have a cross-forest DHCP server setup configured?
Rgds, Pawan
On Nov 8, 2017 1:27 AM, "Bill Cross" <crossme@xxxxxxxxxxxxxxxx> wrote:
Remove me.
Stop.
I tried disabling all emails from the site. no luck.


davyp posted this 2 weeks ago

Hi Pawan,

By default, workstations register their own A records in forward DNS zones. Because they do this in their own security context (computer account), the A record is secured on creation and only the workstation itself can modify the IP when it receives another IP from DHCP.

If "the same IP has multiple hostnames" in the forward zone, this is perfectly normal. The forward zone just reflects the last known IP that a hostname had, and if you keep introducing new workstations but you don't enable scavenging in DNS, it is normal that you would end up with a lot of old A records, many of which list the same IP as their last known IP.

On the other hand, if a workstation registered its own reverse (PTR) record and secured it in the same way that it does its A record, other workstations getting that IP from the DHCP server later on would be unable to change the data (hostname) in the PTR record for that IP, which would "lock" that PTR record in an incorrect state until it was scavenged. That is why, by default, the DHCP server creates (and secures) the PTR records, because it is the only one who knows which workstation actually has a specific IP.

I am not sure what's the deal with the duplicates in the reverse zone, but if it is a reverse zone for an IP range managed by DHCP, I would expect that you enable scavenging on that zone with quite a short interval anyway, because the DHCP server will create / update the records with every lease or lease renew anyway, so the correct records will always stay.

With regards to the cross-forest security, by default, secured DNS zones allow "Authenticated Users" to "create new records". As long as there is an Active Directory trust between Domain A and Domain B, computer accounts of workstations will be considered "Authenticated Users" and so will the DHCP server. This means they will always be able to create new records, and through the same mechanism update records they created earlier.

I hope this clarifies things a bit.
Best regards, Davy Pierson

pawan posted this 1 week ago

Hi Davy,
Thanks for such a wonderful explanation. I have noticed that a machine going offline creates the duplicate A records issue.
But I am still confused why duplicate PTR records exist in the reverse zone while the owner of the records shows the DHCP server (which exists in a different forest than the workstation).
What we have identified to resolve the issue:
1.) Create a service account in the user's forest with DNS admin rights and configure it on all DHCP servers.
2.) Set the scavenging time as short as the DHCP scope lease time. But that is not possible as some of the wifi scopes have 2-3 hr leases, so we cannot set scavenging to 2-3 hrs.
3.) Increase the DHCP lease time to the DNS scavenging time (in our case it is set to the default 7/7, 14 days), which is also not possible as it requires lots of free IPs in the infrastructure.
4.) Configure a simple service account for all DHCP servers with the option to update A & PTR records on behalf of the client, and set a GPO to deny workstations from creating/updating A records.
Need your suggestions on the best option to adopt.
Thanks, PWN
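To make the mechanics discussed in Davy's explanation and in the four options above concrete, here is an added Python example (not code from Davy, Pawan, or any Microsoft tool). It models the Windows DNS aging rule (a dynamic record is eligible for scavenging once its timestamp is older than the no-refresh plus refresh interval), detects IPs that carry more than one A or PTR record, and computes how long records of an expired lease can outlive that lease under a given scavenging configuration. The zone contents, hostnames, IPs, timestamps and owner principals are constructed for the example; the `Record` structure is an assumption standing in for whatever a zone export actually provides, and the model ignores details such as the hourly granularity of real timestamps.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Record:
    """Hypothetical flattened zone record, an assumption for this example."""
    name: str       # owner name (host label in the forward zone, PTR owner in reverse)
    rtype: str      # "A" or "PTR"
    data: str       # IPv4 address for A, FQDN for PTR
    timestamp: str  # last dynamic update, "YYYY-MM-DD HH:MM" (aging timestamp)
    owner: str      # security principal that created and therefore owns the record


# Constructed sample data: an old workstation went offline, its A record stayed,
# and its IP was later leased to a new workstation by a DHCP server in the other forest.
FORWARD_ZONE = [
    Record("ws-old-01", "A", "10.1.2.50", "2017-10-01 08:00", "WS-OLD-01$"),
    Record("ws-new-07", "A", "10.1.2.50", "2017-11-10 09:30", "WS-NEW-07$"),
    Record("ws-lab-03", "A", "10.1.2.51", "2017-11-11 07:15", "WS-LAB-03$"),
]
REVERSE_ZONE = [
    Record("50.2.1.10.in-addr.arpa", "PTR", "ws-old-01.domaina.example.", "2017-10-01 08:00", "DHCP-B-01$"),
    Record("50.2.1.10.in-addr.arpa", "PTR", "ws-new-07.domaina.example.", "2017-11-10 09:30", "DHCP-B-01$"),
    Record("51.2.1.10.in-addr.arpa", "PTR", "ws-lab-03.domaina.example.", "2017-11-11 07:15", "DHCP-B-01$"),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def ptr_owner_to_ip(owner_name):
    """Turn a reverse-zone owner name like '50.2.1.10.in-addr.arpa' into '10.1.2.50'."""
    suffix = ".in-addr.arpa"
    if not owner_name.endswith(suffix):
        raise ValueError(f"not an IPv4 reverse owner name: {owner_name}")
    return ".".join(reversed(owner_name[:-len(suffix)].split(".")))


def records_by_ip(forward, reverse):
    """Index A records by their address and PTR records by the address they describe."""
    by_ip = defaultdict(lambda: {"A": [], "PTR": []})
    for r in forward:
        if r.rtype == "A":
            by_ip[r.data]["A"].append(r)
    for r in reverse:
        if r.rtype == "PTR":
            by_ip[ptr_owner_to_ip(r.name)]["PTR"].append(r)
    return by_ip


def find_duplicates(forward, reverse):
    """IPs that carry more than one A record or more than one PTR record."""
    dups = {}
    for ip, recs in records_by_ip(forward, reverse).items():
        if len(recs["A"]) > 1 or len(recs["PTR"]) > 1:
            dups[ip] = {"A": sorted(r.name for r in recs["A"]),
                        "PTR": sorted(r.data for r in recs["PTR"])}
    return dups


def is_scavengeable(record, now, no_refresh, refresh):
    """Aging rule: eligible once timestamp + no-refresh + refresh interval has passed."""
    return parse_ts(record.timestamp) + no_refresh + refresh <= now


def scavenge_candidates(records, now, no_refresh_days=7, refresh_days=7):
    """Records that scavenging would remove at 'now' under the given intervals (default 7/7)."""
    nr, rf = timedelta(days=no_refresh_days), timedelta(days=refresh_days)
    return sorted(f"{r.name} {r.data}" for r in records if is_scavengeable(r, now, nr, rf))


def stale_window_hours(lease_hours, no_refresh_days=7, refresh_days=7):
    """Hours an expired lease's records can outlive the lease before scavenging may remove
    them; a positive value is the window in which the reissued IP will show duplicates."""
    return (no_refresh_days + refresh_days) * 24 - lease_hours


def report(now=parse_ts("2017-11-12 10:00")):
    return {
        "duplicates": find_duplicates(FORWARD_ZONE, REVERSE_ZONE),
        "scavenge_A": scavenge_candidates(FORWARD_ZONE, now),
        "scavenge_PTR": scavenge_candidates(REVERSE_ZONE, now),
        "wifi_stale_hours": stale_window_hours(3),  # 3 hr wifi lease against 7/7 aging
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

With the constructed data the report shows one IP carrying two A and two PTR records, only the old workstation's records being eligible for scavenging at the default 7/7 intervals, and a 3-hour wifi lease leaving a window of several hundred hours in which a reissued IP will show duplicates; that gap is the reason options 2 and 3 above trade off scavenging interval against lease time.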

davyp posted this 9 hours ago

Hi Pawan, Comments inline below. Best regards, Davy