How DNS dynamic updates work together with the DNS “aging and scavenging” process in Windows 2000 and in Windows Server 2003
This article describes how Domain Name System (DNS) dynamic updates work together with the DNS “aging and scavenging” process in Microsoft Windows 2000 and in Microsoft Windows Server 2003.
DNS “aging and scavenging” intervals
Windows Server 2003 uses the following DNS “aging and scavenging” settings.
| Setting | Default interval value |
|---|---|
| NoRefresh | Seven days |
| Refresh | Seven days |
| Scavenging | Seven days |
Note By default, the Dynamic Host Configuration Protocol (DHCP) lease time is set to eight days.
When a DNS record is first created by dynamic update, the NoRefresh interval starts. During this interval a dynamic update from the client that does not change the record's data (a refresh) is accepted, but the record's time stamp is not updated; an update that changes the data, for example a new IP address, still updates the time stamp. Suppressing time-stamp changes in this window is what prevents every routine client refresh from turning into a replication of the DNS object in the Active Directory directory service.
When the NoRefresh interval has passed, the Refresh interval starts; a refresh from the client during this window updates the time stamp and restarts the cycle. A record whose time stamp is older than NoRefresh plus Refresh (14 days with the defaults) has not been refreshed and is eligible for scavenging. The Scavenging interval is how often a server on which scavenging is enabled runs the pass that deletes such records, so a stale record can persist for up to NoRefresh + Refresh + Scavenging (21 days with the defaults) before it is removed. Scavenging must be enabled on both the zone and the server before any record is deleted.
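The following PowerShell is an added example and is not part of the Knowledge Base article. It applies the NoRefresh/Refresh/Scavenging arithmetic above to a set of records and reports which state each one is in. The sample records are constructed inline; the `Get-DnsServerZoneAging` and `Get-DnsServerResourceRecord` cmdlets shown in the trailing comment belong to the DnsServer module on Windows Server 2012 and later, not to the Windows 2000/2003 servers the article covers (there the same data comes from `dnscmd /ZoneInfo` and `dnscmd /EnumRecords`). The zone name and host names are assumptions.

```powershell
# Added example, not from the KB article: classify dynamic DNS records by aging
# state. Records with no time stamp are static and are never scavenged.

function Get-DnsRecordAgingState {
    param(
        [Parameter(Mandatory)] [object[]] $Records,   # objects with HostName, RecordType, Timestamp
        [timespan] $NoRefreshInterval = (New-TimeSpan -Days 7),
        [timespan] $RefreshInterval   = (New-TimeSpan -Days 7),
        [datetime] $Now = (Get-Date)
    )
    foreach ($r in $Records) {
        $age = $null
        if (-not $r.Timestamp) {
            # No time stamp: static record, aging does not apply.
            $state = 'Static (never scavenged)'
        }
        else {
            $age = $Now - $r.Timestamp
            if ($age -lt $NoRefreshInterval) {
                # A refresh that changes nothing is accepted but the time stamp stays put,
                # so nothing replicates in Active Directory.
                $state = 'NoRefresh (refresh ignored, time stamp unchanged)'
            }
            elseif ($age -lt ($NoRefreshInterval + $RefreshInterval)) {
                # A refresh from the owner now updates the time stamp and restarts the cycle.
                $state = 'Refresh (next client refresh updates the time stamp)'
            }
            else {
                # NoRefresh + Refresh elapsed with no refresh: the next scavenging pass on a
                # server that scavenges this zone deletes the record.
                $state = 'Eligible for scavenging'
            }
        }
        [pscustomobject]@{
            HostName   = $r.HostName
            RecordType = $r.RecordType
            Timestamp  = $r.Timestamp
            AgeDays    = if ($age) { [math]::Round($age.TotalDays, 1) } else { $null }
            State      = $state
        }
    }
}

# Constructed sample records standing in for Get-DnsServerResourceRecord output.
$now = Get-Date '2024-12-04T09:00:00'
$sample = @(
    [pscustomobject]@{ HostName = 'ws01'; RecordType = 'A'; Timestamp = $now.AddDays(-2)  }   # NoRefresh
    [pscustomobject]@{ HostName = 'ws02'; RecordType = 'A'; Timestamp = $now.AddDays(-10) }   # Refresh
    [pscustomobject]@{ HostName = 'ws03'; RecordType = 'A'; Timestamp = $now.AddDays(-16) }   # stale
    [pscustomobject]@{ HostName = 'dc01'; RecordType = 'A'; Timestamp = $null }               # static
)
Get-DnsRecordAgingState -Records $sample -Now $now | Format-Table -AutoSize

# Against a live server (2012 and later), use the zone's own intervals and records:
# $aging = Get-DnsServerZoneAging -Name 'contoso.com'
# $live  = Get-DnsServerResourceRecord -ZoneName 'contoso.com' -RRType A
# Get-DnsRecordAgingState -Records $live -NoRefreshInterval $aging.NoRefreshInterval `
#     -RefreshInterval $aging.RefreshInterval
```

With the defaults, ws01 (2 days old) is still in NoRefresh, ws02 (10 days) is in Refresh, ws03 (16 days) has passed the 14-day boundary and will go on the next scavenging pass, and dc01 is static. Run this before enabling scavenging on a zone that has had it off for a long time: every dynamic record older than NoRefresh + Refresh will be deleted on the first pass.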
Security and DNS records
When a DNS client or a DHCP server performs a secure dynamic update against an Active Directory-integrated zone, the account that creates the record (Computer_Name$) is written into the record's permissions with Full Control. Only that computer can therefore update or delete the record; this is what stops another host from overwriting or taking over a name that is already registered. It also means that after a change on the DHCP server, the server may be unable to update a record that the client registered itself: the record's permissions already hold the client's Computer_Name$ account rather than the server's, so the server's update is refused.
How the client dynamically registers the DNS records
When the DNS client is configured with a static IP address, it registers both its host (A) and pointer (PTR) resource records on the DNS server and is granted Full Control on each record as Client_Computer_Name$.
To stop the client from registering its own records, clear the Register this connection's addresses in DNS setting on the DNS client computer. To do this, follow these steps:
- Click Start, point to Control Panel, point to Network Connections, right-click the network connection that you want to change, and then click Properties.
- On the General tab, click Internet Protocol (TCP/IP), and then click Properties.
- On the Internet Protocol (TCP/IP) Properties page, click Advanced.
- On the Advanced TCP/IP Settings page, click the DNS tab, click to clear the Register this connection's addresses in DNS check box, and then click OK three times.
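The same change from PowerShell, as an added example that is not part of the Knowledge Base article. It uses the `Get-DnsClient` and `Set-DnsClient` cmdlets of the DnsClient module (Windows 8 / Windows Server 2012 and later); the adapter alias is an assumption. On the Windows 2000 and Windows Server 2003 clients the article covers, the equivalent is the `netsh interface ip set dns` command shown in the comment.

```powershell
# Added example, not from the KB article: list which adapters register their
# addresses in DNS, then turn registration off for one of them.
# On Windows 2000/2003 use instead:
#   netsh interface ip set dns name="Local Area Connection" source=dhcp register=none

function Get-DnsRegistrationState {
    Get-DnsClient |
        Select-Object InterfaceAlias, ConnectionSpecificSuffix,
                      RegisterThisConnectionsAddress, UseSuffixWhenRegistering
}

function Disable-DnsRegistration {
    param([Parameter(Mandatory)] [string] $InterfaceAlias)
    # Equivalent to clearing "Register this connection's addresses in DNS".
    Set-DnsClient -InterfaceAlias $InterfaceAlias -RegisterThisConnectionsAddress $false
    # Read the setting back so the change is verified rather than assumed.
    Get-DnsClient -InterfaceAlias $InterfaceAlias |
        Select-Object InterfaceAlias, RegisterThisConnectionsAddress
}

Get-DnsRegistrationState | Format-Table -AutoSize
Disable-DnsRegistration -InterfaceAlias 'Ethernet'    # adapter alias is an assumption
```

Clearing the setting stops future registrations; records the host has already registered keep their Client_Computer_Name$ permissions and, on a zone with scavenging enabled, are removed once they pass NoRefresh + Refresh without a refresh.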
Assume that the DNS clients run Microsoft Windows 2000 or later and that the DHCP server is configured with the following DNS dynamic update settings:
- Enable DNS Dynamic updates according to the settings below
- Dynamically update DNS A and PTR records only if requested by the DHCP clients
In this case, the DNS client registers the host (A) resource record itself and is granted Full Control on it as Client_Computer_Name$ on the DNS servers. The DHCP server registers the pointer (PTR) resource record on the client's behalf and is granted Full Control on that record as DHCP_Computer_Name$. Each record can later be updated or removed only by the account that created it.
Now assume that the DNS clients run Microsoft Windows 2000 or later and that the DHCP server is configured with the following DNS dynamic update settings:
- Enable DNS Dynamic updates according to the settings below
- Always dynamically update DNS A and PTR records
In this case, the DHCP server registers both the host (A) resource record and the pointer (PTR) resource record and is granted Full Control on both records as DHCP_Computer_Name$. The client's own account does not appear in the permissions, so the client cannot modify these records itself.
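To see which of the three cases above produced a given record, read the permissions of its dnsNode object in Active Directory. The following PowerShell is an added example and is not part of the Knowledge Base article. It assumes an Active Directory-integrated zone with secure dynamic update, the ActiveDirectory module (which provides the `AD:` drive), and a zone stored in the DomainDnsZones partition; the partition DN is a parameter because a zone can also sit in ForestDnsZones or in the domain partition. The domain, zone, host and DHCP server names are assumptions.

```powershell
# Added example, not from the KB article: report the owner of a DNS record and
# every account holding Full Control on it, from the ACL of the dnsNode object.

function Get-DnsRecordOwner {
    param(
        [Parameter(Mandatory)] [string] $HostName,                    # e.g. 'ws01'
        [Parameter(Mandatory)] [string] $ZoneName,                    # e.g. 'contoso.com'
        [string] $DomainDn    = 'DC=contoso,DC=com',                  # assumption
        [string] $PartitionDn = "DC=DomainDnsZones,$DomainDn"         # assumption
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Each record name is a dnsNode object under CN=MicrosoftDNS in the partition.
    $nodeDn = "DC=$HostName,DC=$ZoneName,CN=MicrosoftDNS,$PartitionDn"
    $acl = Get-Acl -Path "AD:\$nodeDn"

    # Full Control on a directory object is the GenericAll right; the account that
    # registered the record holds it and is also the object's owner.
    $fullControl = $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    [pscustomobject]@{
        Node        = $nodeDn
        Owner       = $acl.Owner
        FullControl = $fullControl
    }
}

# Owner WS01$ means the client registered the record itself (static client, or the
# "only if requested" setting for the A record); owner DHCP01$ means the DHCP server
# registered it. A DHCP server that is not in FullControl cannot rewrite the record.
$info = Get-DnsRecordOwner -HostName 'ws01' -ZoneName 'contoso.com'
$info | Format-List
if ($info.FullControl -notcontains 'CONTOSO\DHCP01$') {    # DHCP server account is an assumption
    Write-Warning "CONTOSO\DHCP01`$ has no Full Control on $($info.Node); its updates to this record will be refused."
}
```

The FullControl list will also contain the built-in administrative principals that hold Full Control on every object in the zone; the line that identifies the registrar is Owner.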
The DHCP lease-expiration process
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
DHCP checks for expired leases by using the following registry subkey:
By default, when the DHCP Server service runs on a Windows Server 2003-based computer, the DatabaseCleanupInterval value is 60 (minutes, that is, one hour); on a Windows 2000-based computer it is 1440 (one day). When a lease is released, or the cleanup pass finds that it has expired, the DHCP server unregisters the DNS records that it registered for that client.
You can configure the client’s DHCP lease to expire automatically when the client computer is shut down for Windows 2000-based DNS clients or for later versions of DNS clients. To do this, follow these steps:
- Click Start, point to Administrative Tools, and then click DHCP.
- Expand the scope for which you want to change the lease expiration behavior, right-click Scope Options, and then click Configure Options.
- Click the Advanced tab.
- Click the list that is next to Vendor Class, and then click Microsoft Windows 2000 Options.
- Click to select the 002 Microsoft Release DHCP Lease On Shutdown Option check box, and then click OK.
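The same scope option from PowerShell, as an added example that is not part of the Knowledge Base article. It uses `Set-DhcpServerv4OptionValue` and `Get-DhcpServerv4OptionValue` from the DhcpServer module (Windows Server 2012 and later; the 2003 DHCP console in the steps above has no PowerShell equivalent). The scope ID, server name and the DWORD value 1 for "enabled" are assumptions.

```powershell
# Added example, not from the KB article: set the vendor-specific option
# "002 Microsoft Release DHCP Lease On Shutdown" on a scope and read it back.

function Set-ReleaseLeaseOnShutdown {
    param(
        [Parameter(Mandatory)] [string] $ScopeId,                     # e.g. '10.0.0.0'
        [string] $ComputerName = $env:COMPUTERNAME,
        [string] $VendorClass  = 'Microsoft Windows 2000 Options',    # built-in vendor class
        [switch] $Disable
    )
    Import-Module DhcpServer -ErrorAction Stop
    $value = if ($Disable) { 0 } else { 1 }                          # 1 = release on shutdown (assumption)

    Set-DhcpServerv4OptionValue -ComputerName $ComputerName -ScopeId $ScopeId `
        -VendorClass $VendorClass -OptionId 2 -Value $value

    # Read the option back so the change is verified rather than assumed.
    Get-DhcpServerv4OptionValue -ComputerName $ComputerName -ScopeId $ScopeId `
        -VendorClass $VendorClass -OptionId 2
}

Set-ReleaseLeaseOnShutdown -ScopeId '10.0.0.0'    # scope ID is an assumption
```

Releasing the lease at shutdown makes the DHCP server unregister the records it owns immediately, instead of leaving them until the lease expires and the cleanup pass, up to DatabaseCleanupInterval later, removes it.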
How to configure the queue limit on a DHCP server
The DHCP server uses the queue limit to cap the number of DNS records that it tries to unregister at the same time. When many pointer (PTR) resource records are due for removal, for example after a large batch of leases expires in one cleanup pass, the DHCP server may reach the queue limit. If this happens, the DHCP server unregisters records only until it reaches the configured queue limit in that cycle.
You can change the DHCP queue limit on a Windows Server 2003-based computer by installing hotfix 837061 or by installing Windows Server 2003 Service Pack 1 (SP1). For more information, click the following article number to view the article in the Microsoft Knowledge Base:
After you install hotfix 837061 or Windows Server 2003 Service Pack 1 (SP1), you can increase the size of the queue that DHCP tries to unregister during each cycle. To do this, set the DynamicDNSQueueLength registry entry to 2048.
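The following PowerShell is an added example and is not part of the Knowledge Base article. It reads the two DHCP Server service values discussed in this section and raises DynamicDNSQueueLength to the 2048 recommended above. The article does not print the subkey; the example assumes the service's Parameters subkey, HKLM\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters, and REG_DWORD values. On Windows Server 2003 the queue value is honoured only once hotfix 837061 or SP1 is installed.

```powershell
# Added example, not from the KB article: inspect DatabaseCleanupInterval and
# DynamicDNSQueueLength, and raise the queue length.

$dhcpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters'   # assumption

function Get-DhcpDnsCleanupSettings {
    $p = Get-ItemProperty -Path $dhcpParams
    [pscustomobject]@{
        # Minutes between lease-cleanup passes: 60 on Server 2003, 1440 on Windows 2000.
        DatabaseCleanupIntervalMinutes = $p.DatabaseCleanupInterval
        # $null means the value is absent and the service default applies.
        DynamicDNSQueueLength          = $p.DynamicDNSQueueLength
    }
}

function Set-DhcpDynamicDnsQueueLength {
    param([int] $Length = 2048, [switch] $Restart)
    # Set-ItemProperty creates the value if it is missing and updates it otherwise.
    Set-ItemProperty -Path $dhcpParams -Name DynamicDNSQueueLength -Value $Length -Type DWord
    if ($Restart) {
        # The service reads its Parameters at start-up, so restart it to apply the change.
        Restart-Service -Name DHCPServer
    }
    Get-DhcpDnsCleanupSettings
}

Get-DhcpDnsCleanupSettings
Set-DhcpDynamicDnsQueueLength -Length 2048 -Restart
```

Run it once before and once after the change: DatabaseCleanupInterval tells you how often the unregister burst happens, and the queue length bounds how much of that burst is processed per pass.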
For more information, see Microsoft Knowledge Base article 932464: http://support.microsoft.com/kb/932464