I’m going to stray off of the beaten path and post a blog regarding an Active Directory DNS issue that I experienced. Although it’s not Exchange server related, I thought this would be worth publishing as I’m sure others have encountered this issue.
We noticed that client DNS records were not getting updated in a timely manner. More specifically, this was occurring primarily with clients that were connecting remotely to the internal network via VPN.
Suspecting that this was a client issue, one of the first measures we took was to give the DHCP servers the authority to update DNS on behalf of clients. This seemed to alleviate the issue somewhat; however, it did not completely resolve the problem. Another step we took was to lower the DNS scavenging interval, so that stale records would be deleted sooner. This workaround did not help matters a lot either.
As I stated previously, this issue was primarily occurring with clients that connected through VPN sessions. When client machines connect via VPN, the VPN appliance acts as the DHCP server and issues an IP address from its address pool. There is an option within the VPN appliance to allow the internal DHCP servers to assign IP addresses, however this is probably a less secure configuration. Once the client receives its IP address from the VPN DHCP server, the client will update its record in DNS. Herein lies the problem.
When VPN clients update their records in DNS, they then take ownership of the records. A look at the properties of a VPN client’s DNS record would show the client as the record owner. When users that previously connected via VPN returned to the office, the internal DHCP servers were unable to update DNS despite having authority to do so. The DHCP servers would need to be given permissions to overwrite records and take ownership. This was done by adding them to the DNS Admins security group. Afterwards, the DHCP servers were now able to update DNS records that were owned by clients that previously connected via VPN.
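The three settings the post walks through (DHCP dynamic-update authority, zone scavenging, and who owns each dynamic record) can all be inspected from PowerShell. The script below is an added example, not part of the original post; it assumes the DnsServer, DhcpServer and ActiveDirectory RSAT modules, an AD-integrated zone replicated to the DomainDnsZones partition, and placeholder names for the zone, domain, DNS server and DHCP servers. The ownership check reads the security descriptor of each record's dnsNode object in AD, which is where the "client as record owner" the post describes is actually stored.

```powershell
# Added example, not from the original post. Placeholder names throughout.
Import-Module DnsServer, DhcpServer, ActiveDirectory

$ZoneName    = 'corp.example.com'                                  # placeholder zone
$DomainDn    = 'DC=corp,DC=example,DC=com'                         # placeholder domain DN
$NetBiosDom  = 'CORP'                                              # placeholder NetBIOS domain
$DnsServer   = 'dns01.corp.example.com'                            # placeholder DNS server
$DhcpServers = 'dhcp01.corp.example.com', 'dhcp02.corp.example.com' # placeholder DHCP servers

# Owners we expect on DHCP-registered records: the DHCP server computer accounts
# and the built-in DnsUpdateProxy group (used when DHCP registers for clients).
$ExpectedOwners = @("$NetBiosDom\DnsUpdateProxy") +
    ($DhcpServers | ForEach-Object { "$NetBiosDom\" + $_.Split('.')[0].ToUpper() + '$' })

# 1. Dynamic-update behaviour on each DHCP server. "Always" means the server
#    registers A and PTR records regardless of what the client asks for.
foreach ($srv in $DhcpServers) {
    $dns = Get-DhcpServerv4DnsSetting -ComputerName $srv
    [pscustomobject]@{
        Server         = $srv
        DynamicUpdates = $dns.DynamicUpdates
        DeleteOnExpiry = $dns.DeleteDnsRRonLeaseExpiry
        NameProtection = $dns.NameProtection
    }
}

# 2. Aging on the zone: a dynamic record becomes scavengeable once
#    NoRefreshInterval + RefreshInterval has passed since its timestamp.
Get-DnsServerZoneAging -Name $ZoneName -ComputerName $DnsServer |
    Select-Object ZoneName, AgingEnabled, NoRefreshInterval, RefreshInterval, ScavengeServers

# 3. Ownership check. Each record is a dnsNode object under the zone container;
#    its security descriptor owner is the principal that registered it (the
#    client itself for records registered over VPN).
$ZoneDn = "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDn"

Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $DnsServer -RRType A |
    Where-Object { $_.Timestamp -and $_.HostName -ne '@' } |   # dynamic (timestamped) records only
    ForEach-Object {
        $nodePath = "AD:\DC=$($_.HostName),$ZoneDn"
        try {
            $owner = (Get-Acl -Path $nodePath).Owner
        } catch {
            $owner = "<unreadable: $($_.Exception.Message)>"
        }
        [pscustomobject]@{
            Host        = $_.HostName
            IP          = $_.RecordData.IPv4Address.IPAddressToString
            Timestamp   = $_.Timestamp
            Owner       = $owner
            ClientOwned = ($ExpectedOwners -notcontains $owner)
        }
    } |
    Where-Object ClientOwned |        # records a DHCP server cannot overwrite without extra rights
    Sort-Object Timestamp |
    Format-Table -AutoSize
```

The list produced by step 3 is the set of records the post is talking about: hosts that registered themselves (for example over VPN) and now block updates from the DHCP servers. Records registered by a member of DnsUpdateProxy carry no owner-only restriction, which is why Microsoft's usual guidance for the "DHCP updates on behalf of clients" setup is membership in that group plus a dedicated update credential (Set-DhcpServerDnsCredential); the DnsAdmins route the post took grants considerably broader rights over the DNS service, so the report above is also a useful way to confirm the narrower configuration is sufficient before handing that out.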