DHCP giving clients addresses with prior DNS record
October 2, 2009 8:47 AM

DHCP is giving out IP address leases with pre-existing DNS entries for the wrong machine, causing network chaos in a mixed Windows & Mac environment, and it's the Macs that are having the problems.

We have DHCP & DNS on a Windows 2003 server. Apple laptops (Leopard) are bound to AD. The clients get a DHCP lease easily enough, but then at some point in the future (usually a few weeks, maybe less), they cannot log in or won't get settings from the server.

Have Apple support, and their response is the machine account is not authenticating with AD, so no log in. OK, so...

Upon investigation into DNS, it turns out that these clients' DNS entries are actually tied to another PC's IP address. For instance, maclaptop.mydomain.com gets 192.168.1.1. However, the DNS record for 192.168.1.1 on the network is actually pc.mydomain.com. This is causing maclaptop.mydomain.com to try authenticating as pc.mydomain.com, which it is not, and it gets rejected. I am led to believe this from Console messages stating pc@mydomain.com cannot authenticate with Kerberos.

Any thoughts or ideas on how to prevent this from happening? I can delete those individual DNS records and the clients can then log in properly, but at some point in the future, it'll lose its lease and get the address with a wrong DNS entry at some point.
posted by jmd82 to Computers & Internet (12 answers total) 2 users marked this as a favorite
 
Lots of ways. A common way is to simply not assign DHCP from the entire range of available addresses.

Reserve 192.168.1.1 - 192.168.1.50 (or whatever) for the fixed, named IPs that you need.

Configure the DHCP server to hand out only 192.168.1.51 - 192.168.1.254.

If your machine has a fixed address, it can have a name. If not, you use the number only.
posted by rokusan at 8:51 AM on October 2, 2009


Sounds like a Samba issue to me. I believe OS X uses Samba to authenticate with AD and then AD/Win2003 updates the DNS record. If it works with Windows clients then the problem isn't server-side. Have you tried manually updating the version of Samba on one of the OS X machines?
posted by damn dirty ape at 8:55 AM on October 2, 2009


Response by poster: "Reserve 192.168.1.1 - 192.168.1.50 (or whatever) for the fixed, named IPs that you need."

I already do that for servers. However, we have about 50 PCs in the classrooms and I'd rather avoid giving static IPs to and configuring in DHCP. Kinda defeats the whole purpose.
posted by jmd82 at 9:02 AM on October 2, 2009


Best answer: On your Windows 2k3 box, what settings do you have turned on under Services and Applications->DHCP->Scope [192.168.1.0] scopename->Properties->DNS?
posted by flabdablet at 9:55 AM on October 2, 2009


Response by poster: Ahoy...Under properties --> DNS, I do not have "Enable DNS dynamic updates according to the settings below:" which sounds like what I'd want. Am I thinking right, and would I just use the default setting if so?
posted by jmd82 at 10:16 AM on October 2, 2009


I believe it is a problem that has been going on for years, with Apple and MS pointing fingers at each other. Updating Samba is a dead end; well, I have never been able to find a later version of Samba that would install on a Mac. Try deleting the computer name in the Mac's sharing control panel and reconnecting to AD.
posted by Gungho at 10:29 AM on October 2, 2009


Best answer: Sounds like the Mac clients aren't permitted to update the DNS records. Once someone with proper rights does delete them (you), then the clients can create their "new" record and proceed on their merry way.

Check the middle of this article: By default Windows DHCP will register DNS for Windows-based clients. This link seems to have more real-world details.
posted by anti social order at 10:43 AM on October 2, 2009


I'd fiddle with all those settings and see what happens.
posted by flabdablet at 11:03 AM on October 2, 2009


I've run into this issue, and to be honest, the best solution (IMO) is to have the IP addresses reserved but managed via DHCP. You can have DHCP give a fixed IP address based on MAC address and then you can set the DNS record as you like.

It can be kind of a pain to set up, but after that the maintenance is easy and it's much easier to pinpoint failures.

I do agree that this is a sub-optimal solution, but if it's stupid and it works, it isn't stupid.
posted by Pogo_Fuzzybutt at 11:05 AM on October 2, 2009


I'm not sure what Samba has to do with anything. Your DHCP server isn't updating DNS when it hands out leases. Why it wouldn't do that for the Macs and will for the PCs is weirdness.
posted by gjc at 3:38 PM on October 2, 2009


It could well be because the PCs are asking it to and the Macs aren't, and fiddling with the DNS options on the Windows DHCP server might well fix that.
posted by flabdablet at 8:40 PM on October 2, 2009


Response by poster: Messing with flabdablet's suggestions and anti social order's links plus deleting old DNS records did the trick. Thanks!
posted by jmd82 at 7:58 PM on February 24, 2010
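
The condition this thread describes, a leased address whose A record still names another machine, can be found before logins start failing by comparing active leases with the forward zone. This is an added example, not code from any poster; the lease and record lists are constructed sample data built on the names in the question, and `audit` and `norm` are hypothetical helper names.

```python
"""Added example: cross-check DHCP leases against DNS A records (all data constructed)."""
from collections import defaultdict

# Constructed sample data using the names from the question; a real audit
# would load an export of the DHCP scope's active leases and of the zone.
LEASES = [  # (hostname the client sent, leased IP)
    ("maclaptop.mydomain.com", "192.168.1.1"),
    ("lab-pc7.mydomain.com", "192.168.1.60"),
    ("newmac.mydomain.com", "192.168.1.61"),
]
A_RECORDS = [  # (owner name, IP) from the forward zone
    ("pc.mydomain.com", "192.168.1.1"),          # stale: lease moved to maclaptop
    ("maclaptop.mydomain.com", "192.168.1.75"),  # stale: maclaptop's old address
    ("lab-pc7.mydomain.com", "192.168.1.60"),    # consistent
]

def norm(name):
    """DNS names are case-insensitive; drop the trailing root dot."""
    return name.rstrip(".").lower()

def audit(leases, a_records):
    """Return a sorted list of (kind, hostname, ip, detail) findings."""
    by_ip, by_name = defaultdict(set), defaultdict(set)
    for name, ip in a_records:
        by_ip[ip].add(norm(name))
        by_name[norm(name)].add(ip)
    findings = []
    for host, ip in leases:
        host = norm(host)
        # Another name still claims the address this client now holds.
        for other in sorted(by_ip[ip] - {host}):
            findings.append(("stale-record", host, ip, other))
        addrs = by_name.get(host, set())
        if not addrs:
            findings.append(("unregistered", host, ip, ""))
        elif ip not in addrs:
            findings.append(("wrong-address", host, ip, ",".join(sorted(addrs))))
    return sorted(findings)

if __name__ == "__main__":
    for kind, host, ip, detail in audit(LEASES, A_RECORDS):
        print(f"{kind:14} {host:26} {ip:14} {detail}")
```

A `stale-record` finding is the case from the question: the record named in the last column is the one to delete or let scavenging remove so the current lease holder can register.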

