This feature enables administrators to manage duplicate DNS A record entries in the Active Directory DNS zone.
This article provides instructions for testing the SYNERGIX AD Client Extensions software feature Network \ DNS Client \ Manage DNS A type record for computer. Typically, Active Directory integrated DNS zones are configured for Secure dynamic updates. Windows domain computers with a static IP address or a DHCP-assigned IP address should register their own records. Although the DHCP Server(s) can register the related DNS A records on behalf of their DHCP clients, this practice is not recommended because the DHCP Server becomes the owner of the records.
It is also good practice to set the DNS Server Aging / Scavenging Properties to a No-refresh interval of 7 days and a Refresh interval of 7 days, or some other reasonably high value, to avoid unwanted replication traffic.
Roaming computers can register their A records multiple times in the Forward Lookup Zone configured for the Active Directory domain and in several reverse lookup zones. SYNERGIX AD Client Extensions software addresses such circumstances and helps reconcile the entries in the DNS zone.
When the policy setting is enabled, the software scans a specific DNS zone. If duplicate DNS A records for the computer are found in the primary DNS zone or in the specified DNS zone, the previous DNS A record entry or entries for the computer are removed, leaving only one active record in the DNS zone. The replication traffic is minimal because only specific records are updated, unlike the DNS Server Scavenging cycle, which updates a large number of stale records at the same time.
- Microsoft Windows 7.0 or
- Microsoft Windows 8.1 or
- Microsoft Windows 10 or
- Microsoft Windows Server 2008 & R2 or
- Microsoft Windows Server 2012 & R2 or
- Microsoft Windows Server 2016
- .NET Framework 4.0
Active Directory Domain Environment
- Single Active Directory Domain environment, i.e. a single forest with a forest root domain only, for example SYNERGIX.WIN
- You can set up a more complex Active Directory Domain environment, if needed. For example, one forest SYNERGIX.WIN with child domains US.SYNERGIX.WIN and GB.SYNERGIX.WIN, and a trusted forest SYNERGIXLABS.WIN with child domains US.SYNERGIXLABS.WIN and GB.SYNERGIXLABS.WIN
- Security Group(s)
- Create a security group called “SYNERGIX ADCE Managed Computers”. The group type may be Domain Global Group or Domain Local Group.
- Add the test domain computer(s) into the security group “SYNERGIX ADCE Managed Computers”
- Delegate Control
- On the Active Directory domain DNS zone, grant the security principal “Domain Computers” READ PROPERTIES, WRITE PROPERTIES, DELETE, READ PERMISSIONS and ALL VALIDATED WRITES permissions or
- On the Active Directory domain DNS zone, grant the security group “SYNERGIX ADCE Managed Computers” READ PROPERTIES, WRITE PROPERTIES, DELETE, READ PERMISSIONS and ALL VALIDATED WRITES permissions
- The test domain computer must be a member of the “SYNERGIX ADCE Managed Computers” security group.
- Configure domain Group Policy Object
- Copy the SYNERGIX AD Client Extensions Administrative Template file SYNERGIX-ADCE.ADMX to %SystemRoot%\PolicyDefinitions on the admin workstation (must be Windows 7.0)
- Copy the SYNERGIX AD Client Extensions Administrative Template Language file SYNERGIX-ADCE.ADML to %SystemRoot%\PolicyDefinitions\en-US on the same admin workstation (must be Windows 7.0)
- Using GPMC.MSC, edit an existing or new Group Policy Object.
- In Group Policy Editor, expand COMPUTER CONFIGURATION
- Expand Administrative Templates
- Expand SYNERGIX AD Client Extensions
- Expand Network
- Expand DNS Client
- Select Manage DNS A record type for computer
- Enable the policy setting
- Configure Minimum Update Interval to 60 (in minutes)
- The value determines the time interval before the next update occurs. By default, it is 60 minutes.
- Log into a domain computer with local administrative privileges
- Install SYNERGIX AD Client Extensions software
- Log into the same domain computer with a domain user account. This domain account represents a business user who does not have elevated privileges on his / her computer.
- Launch the DNS Management console (DNSMGMT.MSC)
- If DNSMGMT.MSC is not installed, log into another workstation with Administrative Tools installed and then launch DNSMGMT.MSC on it
- Select the Active Directory domain DNS zone
- Search for the domain computer object
- Do you see a single DNS A record entry or multiple DNS A record entries?
- If you see a single DNS A record entry, have an additional entry created by moving the computer to another IP subnet, simulating a remote user who connects via VPN at different times of the day and possibly from different locations (home, hotel, internet cafe, etc.). Refresh the DNS Management Console to see if multiple DNS entries exist.
- When multiple DNS A records exist, computers with SYNERGIX AD Client Extensions installed should have all but the current DNS entry removed.
- Were all stale DNS A record entries removed?
- If Yes, Test Results are successful. In the Test Result, write down PASS
- If No, re-run the test
- If the test environment does not easily create duplicate DNS A record entries, you may manually add a second entry for your workstation. You should notice that it disappears within a short time.
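
The console check in the steps above can also be run from an admin workstation with the DnsServer PowerShell module. This is an added example, not part of the SYNERGIX software or its documentation; it only reads records, and the DNS server name dc01.synergix.win is a hypothetical placeholder.

```powershell
# Added example (not SYNERGIX code): read-only check for duplicate A records.
# Needs the DnsServer module (RSAT DNS Server Tools).
param(
    [string]$ZoneName  = 'SYNERGIX.WIN',       # test zone named on this page
    [string]$DnsServer = 'dc01.synergix.win',  # hypothetical DNS server name
    [string]$Computer  = $env:COMPUTERNAME     # host under test
)

Import-Module DnsServer

# Read every A record in the zone once.
$records = Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $DnsServer -RRType A

# Names that legitimately carry several A records (one per domain controller).
$expectedMulti = '@', 'DomainDnsZones', 'ForestDnsZones'

# Group by owner name and keep names with more than one A record.
# Multi-homed servers also appear here and must be reviewed by hand.
$duplicates = $records |
    Where-Object { $_.HostName -notin $expectedMulti } |
    Group-Object -Property HostName |
    Where-Object { $_.Count -gt 1 }

$report = foreach ($group in $duplicates) {
    foreach ($rr in $group.Group) {
        [pscustomobject]@{
            HostName  = $rr.HostName
            IPv4      = $rr.RecordData.IPv4Address.IPAddressToString
            Timestamp = $rr.Timestamp            # empty for static records
            Static    = (-not $rr.Timestamp)     # static records are never scavenged
        }
    }
}
$report | Sort-Object HostName, Timestamp | Format-Table -AutoSize

# Result for the host under test: one A record is the expected end state.
$mine = @($records | Where-Object { $_.HostName -eq $Computer })
if ($mine.Count -le 1) {
    "PASS: $Computer has $($mine.Count) A record(s) in $ZoneName"
} else {
    "FAIL: $Computer still has $($mine.Count) A records in $ZoneName"
}
```

Run it once before the Minimum Update Interval elapses and once after, so the report shows the stale entry with its older timestamp and then its removal.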
Test Results Submission
- Output of GPRESULT.EXE /V command
Note: You must use the ADCE \ Help \ Submit Log Files button to zip up the above 3 files and submit them