DNS Dynamic Updates in a Workgroup

==================================================================
==================================================================
Ace Fekay, MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
   Microsoft Certified Trainer
   Microsoft MVP: Directory Services
   Active Directory, Exchange and Windows Infrastructure Engineer and Janitor

www.delcocomputerconsulting.com

Prelude

So the machines and devices you want to register into DNS are not in an Active Directory. Therefore, that means none of your Windows computers have been configured with a Primary DNS Suffix. When you join a computer to a domain, one of the many things that occur on the computer is that the Primary DNS Suffix is automatically configured, which matches the name of the AD DNS domain name, which should also be identical to the DNS zone name.

And further, as we already know, that’s what a computer needs to register into a zone with the same name. If you weren’t aware of this basic requirement, you can catch up on how Dynamic DNS registration works by reading my other blog:

AD & Dynamic DNS Updates Registration Rules of engagement
http://blogs.msmvps.com/acefekay/2012/11/19/ad-dynamic-dns-updates-registration-rules-of-engagement

Primary DNS Suffix

However, workgroup computers normally do not have a Primary DNS Suffix, unless you’ve already manually configured all of them. Neither do other devices, such as mobile phones, tablets and other non-Microsoft products.

No fret. We can make this work without a Primary DNS Suffix. After all, non-Windows devices, such as phones and tables, do not have such a setting to configure.

There are actually a number of ways to get this to work. One way is to force the Primary DNS Suffix on your Windows workgroup computers by using a registry script (outlined later below). However, that will only be good for your Windows computers. What about those non-Windows devices?

To register your Windows computers and non-Windows devices, an easier way to go about it is to use Windows Server DHCP to register all leases into the DNS zone. We can do this by using the DHCP service on a non-AD joined Windows Server configured with DHCP credentials, DHCP Option 015, and configured to force all leases to register into the zone whether the device has the ability to register on its own or not.

The credentials allows DHCP to own the record, so in case the device leaves and returns at a later date and gets a new IP, the DHCP service can update the old host record in DNS with the new IP. Without credentials, the device will update, but it may not be able to update its old record, which then you may wind up with duplicate host entries in the zone. Of course, we wouldn’t want that.

Use Windows DHCP to Force Register All Leases

The first thing we need is a Windows Server with the DHCP and DNS services installed and running. To provide a 30,000’ view of what’s involved, we start by creating a regular, non-Administrator, local user account on the server that will be used to configure the DHCP scope to use as credentials for registration. And to stress what I just said, it does NOT have to, nor should it be, an Administrator account. It should just be a plain-Jane user account, but give it a really strong password. In an AD domain environment, the credentials would be a plain-old AD Domain User account. But in this case, it’s a local User account. Then configure DHCP to force update all records, whether the entity can register or not.

Zone’s NS & SOA Entries

For the DNS service to properly work, the DNS server itself must have its own host (A) record reregistered into the zone, as well as registered its record as an NS record in the zone’s properties. This means that the Windows server DNS is installed on, must be configured with a Primary DNS Suffix matching one of the zones that DNS will be authoritative for (meaning that DNS is hosting the zone). We usually pick the main zone for the company environment. Once configured, then this part will automatically occur. If it doesn’t have a Primary DNS Suffix, then this automatic part will not happen.

You can easily tell if any Windows computer has a Primary DNS Suffix by a simple ipconfig /all, however I’m sure you already know if your server has one configured one or not, since this must be manually done on a workgroup computer. As stated, an AD joined computer (server or workstations) will automatically configure itself with a Primary DNS Suffix that matches the AD DNS domain name,

Detailed Steps:

  1. First, assuming you haven’t already installed DNS and created a zone in DNS, let’s go ahead and install and create your zone.
  1. You can install the DNS service Role (yes, it’s a Role, not a Feature), using Server Manager in Windows Server 2008, 2008 R2, 2012, and newer.
    Install a DNS Server
    http://technet.microsoft.com/en-us/library/cc725925.aspx
  2. Once installed, create your zone, such as adatum.com. Also in the zone properties, make sure you allow Updates. And note, with DNS on a non-DC, the only option you have is either “None,” or “Nonsecure and secure.” You have no choice other than “Nonsecure and secure.”
    (Click image to see a larger version of the image in a new window)
  • Obviously it’s important that the DNS & DHCP server is set to a static IP configuration. Pick an IP, and stick to it. Then make sure that the server itself is ONLY using its own IP for DNS entry in its NIC. No others must be in here, otherwise you’ll get unexpected and possibly undesired results.
    (Click image to see a larger version of the image in a new window)
    1. I need to stress that this is extremely important.
    2. If you have any computers in the environment that have a static IP address configured (not getting an IP from DHCP), you must also make sure they are configured with only your own Windows DNS server’s IP.
    3. If you’ve configured it with your ISP’s DNS, because you thought that’s what you need for internet resolution, then that’s wrong, and more importantly, that computer will not register nor be able to resolve internal hosts. 
    4. Same thing using your router (either ISP provided, or something you bought from a retail store such as a Linksys, Dlink, etc). Do not use your router as a DNS address. They are not DNS servers, and they only proxy to an external DNS, which is useless if you are running DNS internally.
    5. And no, you CAN’T mix internal and external DNS entries. It doesn’t work that way. It’s not a DNS server thing, rather it’s based on a DNS client, specifically it’s based on how the client side resolver algorithm works. For a technical explanation for the technically curious, please read my blog explaining it:
    6. http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx

    7. The DNS server can use Root Hints to resolve internet names. Or you can configure a Forwarder:
    8. Configure a DNS Server to Use Forwarders – Windows 2008 and 2008 R2 (Includes info on how to create a forwarder)
      http://technet.microsoft.com/en-us/library/cc754941.aspx
      (Click image to see a larger version of the image in a new window)

  • Configure a Primary DNS Suffix on your Windows Servers that’s hosting DNS. To do that:
    Go to Start
    Right-click Computer, properties
    In the computer name tab click change settings
    Then click change
    Then click More
    Type your domain name here.
    Click Ok a few of times, and restart the server.
    (Click image to see a larger version of the image in a new window)

  • After the restart, make sure it registered into the your zone, for example, contoso.com. You can simple check by running an ipconfig /all. Look for the Primary DNS Suffix name.
    (Click image to see a larger version of the image in a new window)

    For more information on all the info that an ipconfig /all provides, please read the following:
  • Why do we ask for an ipconfig /all, when we try to help diagnose AD issues and other issues?
    http://blogs.msmvps.com/acefekay/2013/03/02/why-do-we-ask-for-an-ipconfig-all-when-we-try-to-help-diagnose-ad-issues/

  • In the contoso.com zone properties, Nameserver tab. Make sure it registered itself. If not, manually add it by clicking Add, then type in the server’s FQDN, and click Resolve. If all things are configured correctly, then it should resolve it. Click OK.
    (Click image to see a larger version of the image in a new window)
  • On the “Start of Authority (SOA)” tab click “Browse…” next to the Primary server field and browse for the server’s A record in the contoso.com zone. Click OK.
    (Click image to see a larger version of the image in a new window)
  • Repeat step 4 for the reverse zone, and any other zones you’ve created in DNS.
  • DHCP Options
    1. DHCP Option 015 must be set to your zone, such as adatum.com. This provides a way to work for the interface to use that zone for registration, as well as for the DHCP server to use it to register into the zone.
    2. DHCP Option 006 must be set to only your internal DNS servers. Do not use your router as a DNS address (it’s really not a DNS server anyway), or your ISP’s DNS servers.
      (Click image to see a larger version of the image in a new window)
  • Configure scavenging. The scavenging NoRefresh and Refresh values combined should add up to or greater than the lease length. For example, if the DHCP lease length is 8 days, then the NoRefresh value should be 4, and the Refresh value should be 4.
    More info:
  • Good article by Sean Ivey, MSFT:
    How DNS Scavenging and the DHCP Lease Duration Relate
    (Make the NoRefresh and Refresh each half the lease, so combined, they are equal or greater than the lease).
    http://blogs.technet.com/b/askpfe/archive/2011/06/03/how-dns-scavenging-and-the-dhcp-lease-duration-relate.aspx

  • In DHCP properties, DNS tab (note -this tab is actually DHCP Option 081, even though it doesn’t say it), choose to force DHCP to update all records whether a DHCP client asks or not. And configure it to register records for machines that can’t.
    (Click image to see a larger version of the image in a new window)
  • Configure a user account to be used for DHCP Credentials (as I said above), then go into DHCP, IPv4, properties, Advanced, Credentials, and enter the credentials.
    (Click image to see a larger version of the image in a new window)
  • Restart the DHCP service.
  • It should now work.
  •  

    Example of what you should see after it’s configured and working:

    (Click image to see a larger version of the image in a new window)

    Other notes and references:

    There are a number of ways to get this to work. Read the following discussion for more info:

    Technet thread: “Server 2008 R2: DNS records not dynamically registering in workgroup situation” 12/31/2010
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/2380872f-2e71-49eb-8fbb-87f980920fc7/

    Registry summarized:

    Not that this will work for your non-Windows devices, but I’m providing this information if you want to only configure your Windows computers.

    You can create and remotely run a registry script for the interface on the workgroup machines using a tool called PSEXEC (free download from Microsoft). Of course you must have the local admin account credentials on all your computers to run this remotely, and the remote Registry service started, and possibly antivirus software and Windows firewall configured to allow this.

    You’ll want to target and populate the following two registry entries with your zone name, such as adatum.com:

    • HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\domain
    • HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\NV domain

    Using the above two keys, try this VB script:
    SET WSHShell = CreateObject(“WScript.Shell”)
    WSHShell.RegWrite “HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\NV domain”, “adatum.com“, “REG_SZ”
    WSHShell.RegWrite “HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\domain”, “adatum.com“, “REG_SZ”

    If you are in an AD Environment

    Oh, and if you’re curious how DHCP should be configured in an AD environment to force updates, etc, read my blog on it, please:

    DHCP Service Configuration, Dynamic DNS Updates, Scavenging, Static Entries, Timestamps, DnsUpdateProxy Group, DHCP Credentials, prevent duplicate DNS records, DHCP has a “pen” icon, and more…
    Published by Ace Fekay, MCT, MVP DS on Aug 20, 2009 at 10:36 AM  3758  2 
    http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx  

    Good summary:
    How Dynamic DNS behaves with multiple DHCP servers on the same Domain?
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e9d13327-ee75-4622-a3c7-459554319a27

    Summary

    I hope you’ve found this helpful. Any suggestions, errors, comments, etc., are all welcomed!

    Ace Fekay

    Leave a Reply