Disabling DNS dynamic updates

On December 28, 2007, in news, by

From the mailbox… 

We have a few inherited SBS 2003 boxes, in addition to ones we have deployed ourselves. On two of the inherited ones, we were having problems with RWW making connections to specific client machines. It turned out that the machines had multiple DNS A records on the SBS box (accumulated over time when they had changed IP for whatever reason), so RWW was having trouble finding the right IP. This was solved by editing the properties on the server in the DHCP MMC and checking “Enable DNS dynamic updates…” on the DNS tab, thus having the client machines update the SBS DNS each time they pulled a lease. At first I assumed that this was an oversight in the original setup, but as I rolled out a new SBS box last weekend I noticed that by default it didn’t have that box checked either, so that caused me to wonder if I had solved the original problem in a “best practice” manner. So I guess the summary of this question is: Is there a reason why SBS 2003 does not by default “Enable DNS dynamic updates” via DHCP? I assume that the server that DHCP would be updating would be the SBS server, and we’re not talking about external ones (which would have obvious security concerns). One curious thing I did find while I was googling this was: http://www.sbsireland.com/Forums/tabid/52/forumid/5/postid/93/view/topic/Default.aspx which made it appear that in fact the SBS setup specifically disables this… which really made me wonder if we had done the right thing… Any direction you could point me in would be very helpful!

Just to let Kris know that I’m still trying to get the official reason as to why SBS 2003 has “Enable DNS dynamic updates” unchecked. Because we don’t have it enabled, you can be like Kris and end up in a situation where the DNS/A records are pointing to the wrong or non-existent box.

I think it’s okay to enable that, but I’m checking and will let you know for certain. The way to test for this is to ping the workstation by IP and by name and see if it responds from the IP address it’s supposed to have. If not, flush out the offending stale DNS/A workstation record (just go into DNS and delete the workstation) and it will repopulate with the right one.

I think it will be okay to change this setting…but I’ll update this post when I know for certain.  I’m seeing this issue more and more as we get crustier and move around workstations.  Look in your DNS and see if there are workstation/A records that are old and just don’t belong anymore.

Disabling DNS dynamic updates

By disabling the Domain Name System (DNS) dynamic updates function, the responsibility of managing the DNS server is returned to the administrator. Disabling DNS dynamic updates might be suitable for networks where hosts rarely change locations, where growth and change are infrequent, and when stricter DNS server administration is required.


One Response to Disabling DNS dynamic updates

  1. Evan says:

    (I can’t speak to any defaults set by the SBS “integration” cruft – I treat SBS as Windows Server 2003 with a cheaply licensed version of Exchange in the few places where I’ve been contracted to install it, and eschewed as much of the “friendly” rot that came with it as possible. I don’t particularly care about my “green check”, etc. – I’ll administer Windows, AD, WSUS, Exchange, DNS, DHCP, WINS, and anything else the way I normally do on “plain vanilla” Windows Server 2003.)

    Kris talks about looking at dynamic DNS settings in the DHCP server. Kris doesn’t know, I think, that the default behaviour is such that a Windows 2000+ client computer performs the update of its “A” record itself. Have a look at <http://support.microsoft.com/kb/816592> for more details – specifically under the section titled “An example of a DHCP/DNS update interaction for Windows Server 2003-based, Windows 2000-based, and Windows XP-based DHCP clients”.

    Disabling dynamic DNS, in general, is a bad idea. The “right thing” to do, if you’ve got machines with multiple stale “A” records and such, is to enable aging and scavenging of the zone. I don’t understand why Microsoft didn’t enable aging and scavenging by default for AD integrated DNS zones (at least in the SBS product, where the zone sizes are small and you’re not going to be creating a bunch of useless AD replication traffic during the scavenging process).

    Not having dynamic DNS registration means that you’re going to have to manually add and remove records for domain controllers. If you add a DC, you’re going to have to add the records for it “by hand” (from the ‘netlogon.dns’ file created for you).

    I don’t think that the Microsoft dynamic DNS client has kept up, however, with the situation that exists today relative to machines having multiple NICs. Frequently, I’m seeing laptop PCs with a wired and wireless NIC (and possibly another wired NIC in their “Docking station”), and usually I’m finding “A” records for all those NICs even in zones that have been aged and scavenged. It’s a mess, and I don’t have the spare cycles to think about a good solution, except to say that somebody who gets paid to do that should think about it.
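The two checks discussed above (the post's "look in your DNS for workstation records that don't belong" and Evan's aging-and-scavenging cutoff) as an added example that is not from the post or the commenter: it runs over a constructed export of A records and a constructed DHCP lease table, and assumes the 7-day no-refresh and 7-day refresh intervals as the scavenging parameters.

```python
from datetime import datetime, timedelta

# Constructed sample of A records from a small zone: (hostname, ip, timestamp
# of the last dynamic refresh; None marks a static record, which is never aged).
RECORDS = [
    ("laptop01", "192.168.16.50", datetime(2007, 12, 20)),
    ("laptop01", "192.168.16.73", datetime(2007, 10, 2)),   # left over from an old lease
    ("laptop01", "192.168.16.91", datetime(2007, 8, 14)),   # left over from an old lease
    ("desk02",   "192.168.16.20", datetime(2007, 12, 27)),
    ("sbs01",    "192.168.16.2",  None),                    # static record for the server
]

# Constructed current DHCP lease table: hostname -> IP the client holds right now.
LEASES = {"laptop01": "192.168.16.50", "desk02": "192.168.16.20"}


def duplicate_hosts(records):
    """Hostnames owning more than one A record (the symptom that broke RWW)."""
    by_name = {}
    for name, ip, _ts in records:
        by_name.setdefault(name, []).append(ip)
    return {name: ips for name, ips in by_name.items() if len(ips) > 1}


def stale_records(records, leases):
    """A records whose IP disagrees with the client's current DHCP lease."""
    return [(name, ip) for name, ip, _ts in records
            if name in leases and ip != leases[name]]


def scavengeable(records, now, no_refresh=timedelta(days=7), refresh=timedelta(days=7)):
    """Dynamic records aging/scavenging would remove: timestamp older than
    now - (no-refresh + refresh). Static records (timestamp None) are kept."""
    cutoff = now - (no_refresh + refresh)
    return [(name, ip) for name, ip, ts in records if ts is not None and ts < cutoff]


if __name__ == "__main__":
    now = datetime(2007, 12, 28)  # constructed "today" matching the post date
    print("hosts with several A records:", duplicate_hosts(RECORDS))
    print("records not matching a live lease:", stale_records(RECORDS, LEASES))
    print("records scavenging would remove:", scavengeable(RECORDS, now))
```

The first two checks tell you which record to delete today; the third shows that enabling scavenging would have removed the same two stale entries on its own while leaving the current lease and the static server record untouched.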