DHCP Name Protection & DNS Records

Similar Messages

• Dns records

  Recently started running an oes11 dhcp server, replacing a nw65sp8 dhcp
  server.
  Cleared out the existing dns records added by nw65 dhcp & restarted all
  dns/dhcp services.
  Dns records do not seem to be updating the way they did w/ nw65 dhcp.
  Suggestions?
  Stevo

  Originally Posted by Stevo
  Recently started running an oes11 dhcp server, replacing a nw65sp8 dhcp
  server.
  Cleared out the existing dns records added by nw65 dhcp & restarted all
  dns/dhcp services.
  Dns records do not seem to be updating the way they did w/ nw65 dhcp.
  Suggestions?
  Stevo
  How have you setup DDNS on the DHCP server and what do you mean by not updating the way they did? Meaning not at all... partially? :)
  Did you follow TID 3372644 (How to setup Dynamic DNS (DDNS) on OES2 SP2 Server
  Cheers,
  Willem

• DNS record ownership for DHCP clients

  my configuration:
  dhcp/dns/dc installed on same system - Windows 2008 R2 SP1 in domain environment.
  all zones configured to secure updates only with aging and scavenging enabled
  dhcp servers are member of DNSupdateproxy group.
  dhcp are configured with standard domain user account (this user was made a member of dnsupdateproxy as well, DOES THAT MATTER?)
  dhcp scopes are configured with default DNS setup (force DNS update by DHCP)
  now...
  all DNS records for endpoint devices on dhcp lease (windows7, mac os X, ubuntu) are owned by SYSTEM
  in security tab for some DNS records i can see service account with write permission to record ( i believe this is desired state)
  in other records service account has no permission but timestamps are still updated by computer account (hostname$ has write permission). these records have pencil icon on computers in dhcp lease table.
  Problem with this (hostname$ has write permissions) is when user connect to network via VPN (obtains dhcp lease) it get's two records registered in DNS -> 1 record for ip distributed by dhcp server and 2nd record for his home private network.
  Have anyone seen this before?
  i've tried deleting DNS records / releasing ip on endpoint device (example win7). It would not register to DNS by DHCP. However if i do ipconfig /registerdns it will do it, but dhcp service account won't have permission no this record.

  Apparently it appears that DHCP may not be configured with credentials, DHCP DNS settings are not configured to force DHCP to register ALL requests, nor has the DHCP server itself have been added to the DnsUpdateProxy group. These are all prerequisites
  for DHCP to own all records, otherwise you will see default behavior, which is:
  By default, a Windows 2000 and newer statically configured machines will
  register their A record (hostname) and PTR (reverse entry) into DNS.
  If set to DHCP, a Windows 2000 or newer machine will request DHCP to allow
  the machine itself to register its own A record, but DHCP will register its PTR
  (reverse entry) record.
  The entity that registers the record in DNS, owns the record.
  In summary:
  Configure DHCP Credentials. The credentials only need to be a plain-Jane, non-administrator, user account. Give it a really strong password.
  Set DHCP properties, DNS tab, to update everything, whether the clients can or cannot.
  Add the DHCP server(s) to the Active Directory, Built-In DnsUpdateProxy security group.
  Make sure ALL other non-DHCP servers are NOT in the DnsUpdateProxy group. For example, some believe that the DNS servers or other DCs not running DHCP should be in it. They must be removed or it won't work.
  On Windows 2008 R2 or newer, DISABLE Name Protection.
  If DHCP is co-located on a Windows 2008 R2 or Windows 2012 DC, you can and must secure the DnsUpdateProxy group by running the following:
  dnscmd /config /OpenAclOnProxyUpdates 0
  Configure Scavenging one one DNS server. Set the NOREFRESH and REFRESH values combined to be equal or greater than the DHCP Lease length. What it scavenges will replicate to others anyway.
  DHCP Service Configuration, Dynamic DNS Updates, Scavenging, Static Entries, Timestamps, DnsUpdateProxy Group, DHCP Credentials, prevent duplicate DNS records, DHCP has a "pen" icon, and more...
  Published by Ace Fekay, MCT, MVP DS on Aug 20, 2009 at 10:36 AM  3758  2 
  http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx 
  Good summary:
  How Dynamic DNS behaves with multiple DHCP servers on the same Domain?
  http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e9d13327-ee75-4622-a3c7-459554319a27
  DNS Record Ownership and the DnsUpdateProxy Group
   http://technet.microsoft.com/en-us/library/dd334715(v=ws.10).aspx
  DNS Record Ownership and the DnsUpdateProxy Group
  "... to protect against unsecured records or to permit members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you must create a dedicated (NON-ADMIN) user account and
  configure DHCP servers to perform DNS dynamic updates with the credentials of this account (user name, password, and domain). Multiple DHCP servers can use the credentials of one dedicated user account."
  http://technet.microsoft.com/en-us/library/dd334715(WS.10).aspx
  DNS record ownership and the DnsUpdateProxy group
  http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/b17c798c-c4b2-4624-926c-4d2676e68279/
  Ace Fekay
  MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP - Directory Services
  Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
  This post is provided AS-IS with no warranties or guarantees and confers no rights.

• 2012R2 hyper-v failover cluster Cluster name object has no DNS record created

  I’m trying to setup a 2-node ws2012R2 cluster using ws2008R2 AD(with DNS) but got an issue with DNS entry creation on AD. I also tried ws2012 AD but it's the same problem.
  The individual node DNS entries were created on AD automatically upon joining AD but I can’t get AD to create DNS entry for my cluster name object automatically. AD will have cluster name computer
  created but no record for cluster name  in DNS entries
  Got the following event ID 1196 error with the info below.
  Cluster network name resource 'Cluster Name' failed registration of one or more associated DNS name(s) for the following reason:
  DNS server failure.

  Hi hjma29,
  How about your issue now? I just want to confirm the current situations.
  Please feel free to let us know if you need further assistance.
  Regards.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Shared Printers - Using a DNS record instead of server name for failover

  I have a Server 2012 Print Server. I plan on creating a second one for failover purposes. I will be installing the shared printers on client PCs using Group policy preferences.  Instead of using
  \\servername\printer as the path, can I create a DNS record for the server name and use
  \\dnsname\printer?  That way, if the first server dies, I just edit the dns record to point to the second server instead of renaming the second server and changing the IP of the second server.

  Hi,
  Based on your description, we can try creating a DNS alias for our printer server and use the alias instead of the host name in the UNC path. When this server goes down, we
  can make the alias pointing to another printer server.
  Regarding how to create an alias for a DNS host name, the following article can be referred to for more information.
  Add an Alias (CNAME) Resource Record to a Zone
  http://technet.microsoft.com/en-us/library/cc772053.aspx
  Hope it helps.
  Best regards,
  Frank Shen

• DNS records are not 100% correct

  For a while now we've been noticing that some DNS records are not correct. The records are pointing to incorrect IP addresses. One by one I open the record, update the IP, then replicate across all domain controllers.
  What would cause the hostname of one machine to point to another IP address?

  I believe what you're seeing is from DHCP-DNS registration. You may have duplicates, or incorrect data for records that can't be updated by DHCP service or the DHCP client due to permissions on the record. You may also not have scavenging in place.
  In summary:
  Configure DHCP Credentials. The credentials only need to be a plain-Jane, non-administrator, user account. But give it a really strong password.
  Set DHCP to update everything, whether the clients can or cannot.
  Set the zone for Secure & Unsecure Updates. Do not leave it Unsecure Only.
  Add the DHCP server(s) to the Active Directory, Built-In DnsUpdateProxy security group. Make sure ALL other non-DHCP servers are NOT in the DnsUpdateProxy group. For example, some believe that the DNS servers or other DCs not running DHCP should be in it.
  They must be removed or it won't work. Make sure that NO user accounts are in that group, either. (I hope that's crystal clear - you would be surprised how many will respond asking if the DHCP credentials should be in this group.)
  On Windows 2008 R2 or newer, DISABLE Name Protection.
  If DHCP is co-located on a Windows 2008 R2 or Windows 2012 DC, you can and must secure the DnsUpdateProxy group by running the following:
  dnscmd /config /OpenAclOnProxyUpdates 0
  Configure Scavenging on ONLY one DNS server. What it scavenges will replicate to others anyway. Set the scavenging NOREFRESH and REFRESH values combined to be equal or greater than the DHCP Lease length.
  For specifics and step by steps, and good discussions on what's going on in the background and what to expect:
  DHCP Service Configuration, Dynamic DNS Updates, Scavenging, Static Entries, Timestamps, DnsUpdateProxy Group, DHCP Credentials, prevent duplicate DNS records, DHCP has a "pen" icon, and more...
  http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx  
  Good summary
  How Dynamic DNS behaves with multiple DHCP servers on the same Domain?
  http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e9d13327-ee75-4622-a3c7-459554319a27
  Another good Summary:
  Thread: "DNS problem" December 18, 2013
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/37b8b6b3-6cb1-496c-8492-09ded13bab18/dns-problem?forum=winserverNIS
  Ace Fekay
  MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP - Directory Services
  Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
  This post is provided AS-IS with no warranties or guarantees and confers no rights.

• DNS record ownership and the DnsUpdateProxy group

  I have a 2 x 2003 domain controller that have DNS and DHCP Services installed
  I was thinking of configuring DHCP to use a service account to update DNS records.
  If I set this, do the DHCP Servers need to be members of the DNSUpdateProxy security group for the service account to work?>

  I have to agree with John here. I don't think it's reasonable to just say 'ms told us so'. We need a
  technical before and answer is given. I have multiple DHCP servers and I use a security account on them to register the records and never use the
  DNSUpdateProxy Group and I have no problems. My thinking is this:
  Assume we are using Integrated Secure Zones in AD:
  Scenario 1:
  Windows DHCP server i registering records on behalf of clients
  Not a member of DNSUpdateProxy Group and not using dedicated account
  Records will have owner as dhcpserver$  and only that account can update
  This is a problem if that DHCP server fails
  Also, non Windows DHCP server with no AD account cannot update
  Scenario 2:
  Windows DHCP server i registering records on behalf of clients
  Member of DNSUpdateProxy Group and not using dedicated account
  Records will have owner as SYSTEM  and authenticated users can updated meaning any user or client on that domain
  No problem if that DHCP server fails as any other authorized DHCP server can update
  Non Windows DHCP servers can updated if they have a domain machine account
  Scenario 3:
  Windows DHCP server i registering records on behalf of clients
  Using a dedicated account
  Records added with owner same as this dedicated account
  Another DHCP server that also uses this same account can updated the records
  A non windows DHCP server that can use this account can also update the records
  Now, can someone from MS please clarify the technical reason they say that in Scenario 3, you must add the DHCP servers to the
  DNSUpdateProxy group ?
  http://technet.microsoft.com/en-us/library/cc780538(v=ws.10).aspx
  I guess this link didn't help?
  DNS Record Ownership and the DnsUpdateProxy Group
  "... to protect against unsecured records or to permit members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you must create a dedicated user account and configure DHCP servers to perform DNS dynamic updates
  with the credentials of this account (user name, password, and domain). Multiple DHCP servers can use the credentials of one dedicated user account."
  http://technet.microsoft.com/en-us/library/dd334715(WS.10).aspx
  Just to add:
  Why is the DnsUpdateProxy group needed in conjunction with credentials?
  The technical reason is twofold:
  DnsUpdateProxy:
   Objects created by members of the DNSUpdateProxy group have no security; therefore, any authenticated user can take ownership of the objects.
  DHCP Credentials:
   Forces ownership to the account used in the credentials, which the DnsUpdateProxy group allowed to take ownership other than the registering client.
  Otherwise, the default process is outlined below, and this applies to non-Microsoft operating systems, too, but please note that non-Microsoft operating systems can't use Kerberos to authenticate to dynbamically update into a Secure Only zone, however
  you can configure Windows DHCP to do that for you.
  1. By default, Windows 2000 and newer statically configured machines will
  register their own A record (hostname) and PTR (reverse entry) into DNS.
  2. If set to DHCP, a Windows 2000, 2003 or XP machine, will request DHCP to allow
  the machine itself to register its own A (forward entry) record, but DHCP will register its PTR
  (reverse entry) record.
  3. If Windows 2008/Vista, or newer, the DHCP server always registers and updates client information in DNS.
     Note: "This is a modified configuration supported for DHCP servers
           running Windows Server 2008 and DHCP clients. In this mode,
           the DHCP server always performs updates of the client's FQDN,
           leased IP address information, and both its host (A) and
           pointer (PTR) resource records, regardless of whether the
           client has requested to perform its own updates."
           Quoted from, and more info on this, see:
  http://technet.microsoft.com/en-us/library/dd145315(v=WS.10).aspx
  4. The entity that registers the record in DNS, owns the record.
     Note "With secure dynamic update, only the computers and users you specify
          in an ACL can create or modify dnsNode objects within the zone.
          By default, the ACL gives Create permission to all members of the
          Authenticated User group, the group of all authenticated computers
          and users in an Active Directory forest. This means that any
          authenticated user or computer can create a new object in the zone.
          Also by default, the creator owns the new object and is given full control of it."
          Quoted from, and more info on this:
  http://technet.microsoft.com/en-us/library/cc961412.aspx
  More on this discussed in:
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/6f5b82cf-48df-495e-b628-6b1a9a0876ba/regular-domain-user-uses-rsat-to-create-dns-records?forum=winserverNIS
  If that doesn't help, I highly suggest to contact Microsoft Support to get a definitive response. If you do, I would be highly curious what they say if it's any different than what I found out from the product group (mentioned earlier in this thread).
  And of course, if you can update what you find out, it will surely benefit others reading this thread that have the same question!
  Thank you!
  Ace Fekay
  MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP - Directory Services
  Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
  This posting is provided AS-IS with no warranties or guarantees and confers no rights.

• DNS in DHCP Pool (Internal DNS issue)

  I know that we can setup multiple DNS server under DHCP pool. But I like to make sure the order.
  I have multiple branch offices.
  Let us say that Branch 1 office has a router with 10.30.1.1 as default gateway.
  Our internal DNS is 10.0.0.1 and 10.0.0.2 as Pri and Sec.
  My order of DNS server is like below.
  1. gateway
  2. internal DNS
  3. public DNS provided by ISP
  I saw couple of issues that when I put internal DNS first. Particular situation is when IPsec is not working, users could not access internet through domain name because they had internal DNS which is not reachable.
  But, when gateway is first order, I am not sure whether user are able to access internal website because gateway DNS doesn't have internal DNS records.
  So, my question is that. what should be the best order for DNS setup under DHCP among default gateway, internal DNS and public DNS?  Our current setup doesn't have even gateway address, it only has internal DNS addresses only.      
  ip dhcp pool ccp-pool1
  network 10.30.1.0 255.255.255.0
  domain-name test.org
  default-router 10.30.1.1
  netbios-name-server 10.30.1.1
  dns-server  10.30.1.1 10.0.0.1 10.0.0.2 24.25.5.60

  Thank you, Richard.
  You are right. when I setup router IP for DNS server in DHCP pool. it did not work.
  Let me ask regarding external DNS forwarding.
    I like to know the process of exteranl DNS.
  User --> Internal website --> OK with internal DNS
  User --> External website --> Internal DNS forwarding to External DNS
  We have our own external DNS (ns), in this case, if external DNS (ns) is down, every branch users are not able to resolve any external IP because internal DNS can't get reply from external DNS?
  2nd question)
  IPsec is split-tunneled, but in this case, every DNS request goes internal DNS which is located in HQ and goes back through IPsec? Usually Split tunnel doesn't go internet traffic through IPsec but internet directly.
  3rd Question)
  what is for ip name-server x.x.x.x   when I setup ip name-server 8.8.8.8 and I tried to ping 8.8.8.8 from router, it didn't work. Am i missing something?
  https://supportforums.cisco.com/thread/230711
  Thanks for your time and knowledge.

• DNS record is not dynamically created in DNS Zone, when joining to DNS domain

  hi
  in my test lab i have deployed two virtual machines (both are windows server 2008 R2 enterprise).
  on vm1 i have installed just DNS role (without Active directory) and created a primary non-ADintegrated zone.
  on this DNS zone, i have enabled dynamic update set to
  non-secure & secure .
  now in my vm2 (as a DNS client) , i set the ip address of this DNS server as preferred DNS server and then in system properties, on the primary DNS suffix field, i entered the name of my DNS domain (mydomain.lab)& rebooted VM2, but the a record of this
  client (vm2) is not registered (created ) in mydomain.lab zone.
  i respect the record be created like the situations which we join a client to AD domain 

  Hi  John ,
  When registering DNS record ,client will send a SOA query to find the primary server of the zone .Then send register message to the server .
  We can use nslookup to find the problem :
  Open Command Prompt
  type nslookup
  type set type=soa
  type zone name
      1. If there is positive response ,check the name of
  primary name server and the IP address of the server .
  Its name should be vm1.mydomain.lab .If not ,edit the SOA record in the zone .
  If no IP address ,edit NS record in the zone .
      2. If there is no response ,check the SOA record in the zone .
  We can manually delete and recreate the records to ensure there are right SOA and NS records .
  Here is the guide for using nslookup :
  Nslookup :
  https://technet.microsoft.com/en-us/library/cc940085.aspx
  Best Regards,
  Leo
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Hi Leo, thanks for reply.
  i did all steps you mentioned but still no result.
  i put an screenshot of my desktop here , everything is shown here:

• HTTPS, DNS and dynamically updating DNS records

  Hello to you all, if you are able to help with a DNS problem that I'm having then please accept my thanks and appreciation in advance.
  First some background information, I recently  moved my server from my studio to my house where a new purpose built studio will soon be erected. At my old studio any requests for myurl.com came in via the IP (whether that be http, https, ftp etc) from the domain registrar and the router would send the request to the relevant port number whether that be 80 for http or 443 for https etc and all was well as this location had a fixed IP address. Unfortunately at my new location whilst I have a much faster connection I do not have a fixed IP. To get around this I have the following set up (not ideal for a business I know but perfectly OK for home hosting); I set up two psuedo nameservers at no-ip.com (ns1myurl.com and ns2myurl.com) which tracks the changes in my IP address and updates its records accordingly, my registrar then sends any requests to these 'nameservers' and no-ip then forwards it on to my server. So far so good.
  The problem arises once the requests get to my server, whilst I have DNS set up, I can only recieve requests from a straight request to the server ie myurl.com will display the site without any problem, but if I then put a www in front of that or try to access the https part of my site (which is set up as a seperate site on the same server) then the server throws an error. I have tried to put an alias (CNAME) into the zone but it does not want to resolve the request. I have searched around but to no avail, I am totally new to DNS so am currently on a steep learning curve and fumbling around in the dark.
  The first thing that I need to get working is the request to be resolved correctly and then (and this is where the real fun starts!) is to dynamically update the IP in the DNS records as the IP changes. I will probably have to get help in on this as I understand that this requires BIND of which I know nothing about, first though I'd like to get the pages to be served up correctly. Advice, hints, tips or links to tutorials all greatly appreciated. Full set up listed below.
  Many thanks, David.
  Xserve PPC G5 running 10.5.8 unlimited set up as standalone OD master
  Xraid
  APC UPS
  CradlePoint MBR1200 Gateway router which acts as the DHCP
  http://myurl.com and https://myurl.com set up as 2 seperate sites and located on the Xraid
  Current DNS setup:
  Primary Zone name: myurl.com with nameservers ns1myurl.no-ip.info and ns2myurl.no-ip.info and allow zone transfers in checked
  Then
  Name
  Type
  Value
  myurl.com
  Primary Zone
          ns1myurl.no-ip.info
          Machine
  12.34.56.78 (external IP)
          ns2myurl.no-ip.info
          Machine
  12.34.56.78 (external IP)
          myurl.com.
          Machine
  12.34.56.78 (external IP)
          www.myurl.com.
          Alias
  myurl.com.
  With the reverse zone looking thus with allow zone transfers being checked
  Name
  Type
  Value
  56.34.12.in-addr.arpa.
  Reverse Zone
          12.34.56.78
          Reverse mapping
          myurl.com.

  Thanks for the reply Camelot, that part though I had already figured out. I now have this working, all I did was change the external IP to the internal one of the server with resolves with the .local machine name and all is working just fine (for now!). As long as I have primary zones set for each site and any alias or services set up on them then everything works well.. The real test will be when my ISP changes the IP, whilst my tests have proved successful the proof will be when they update the address.
  Thanks anyway. David.

• #554 5.4.4 SMTPSEND.DNS.MxLoopback; DNS records for this domain are configured in a loop ##

  Hi,
  This is my first post here. 
  My exchange server of late is facing a peculiar problem. I get the error message that I have posted below when sending mails to any outside domain. However when I restart the server the mails can be resend to the address without any issue. After a certain
  time again the issue pops up upon which I am forced to restart the server again. I am running 2007 Exchange on Windows 2003.
  Generating server: name.mydomain.com
  [email protected]
  #554 5.4.4 SMTPSEND.DNS.MxLoopback; DNS records for this domain are configured in a loop ##
  [email protected]
  #554 5.4.4 SMTPSEND.DNS.MxLoopback; DNS records for this domain are configured in a loop ##
  Original message headers:
  Received: from name.mydomain.com ([1xx.xxx.xxx.xx5]) by MHDMAILS.mouwasat.com
   ([1xx.xxx.xxx.xx5]) with mapi; Wed, 19 Oct 2011 08:56:29 +0300
  From:  <[email protected]>
  To: <[email protected]>
  CC: "Al Alami,Tareq" <[email protected]>
  Date: Wed, 19 Oct 2011 08:56:27 +0300
  Subject: RE:   
  Thread-Topic:   
  Thread-Index: AcyAQ5tu8z9CvBfdT5+1pcGQkk6x0AIuwczAAAGZjeABQyW5sAADeeJQAAETNDA=
  Message-ID: <[email protected]>
  References: <[email protected]com>
   <[email protected]com>
  Accept-Language: en-US
  Content-Language: en-US
  X-MS-Has-Attach: yes
  X-MS-TNEF-Correlator:
  acceptlanguage: en-US
  Content-Type: multipart/related;
              boundary="_004_EEC8FA6B3B286A4E90D709FECDF51AA06C0588CA11namedomain_";
              type="multipart/alternative"
  MIME-Version: 1.0

  On Sun, 23 Oct 2011 15:05:15 +0000, Jobin Jacob wrote:
  >
  >
  >Even af
  >
  >ter removing my domain from the send connector I continue to receive the error. I would like to say I do have a firewall, Cyberoam. However, it was the same configuration till now in the firewall. I did try Mx lookup and found the following.
  >
  >Could there be any other solution to this issue ?
  Sure, but it's necessary to ask a lot of questions since none of us
  know how your organization is set up.
  I see you also have "Use the External DNS Lookup settings on the
  transport server" box checked. How have you configured the "External
  DNS Lookups" on the HT server's property page? Is there any good
  reason why you aren't just using your internal DNS servers? If the
  internal DNS servers are configured to resolve (or forward) queries
  for "external" domains then there's no reason to use that checkbox. In
  most cases checking that box is a mistake.
  http://technet.microsoft.com/en-us/library/aa997166(EXCHG.80).aspx
  The behavior you describe (it works for a while and then fails;
  restarting the server returns it to a working state) sure sounds like
  some sort of DNS problem.
  Rich Matheisen
  MCSE+I, Exchange MVP
  --- Rich Matheisen MCSE+I, Exchange MVP

• Creating a little GUI with adding DNS record functionality

  Hi all,
  Creating a DNS record (A record) is pretty straight forward in Powershell. I wonder if somebody knows how to create a little GUI with the powershell commands in the background to create DNS records.
  For example something like a HTML form in where u can enter the DNS name, the Zone and the IPv4 address. Click Add and Powershell will add it on the background. I cannot find any good information on this when i google on it.
  Thanks!

  Hi Bennekommer,
  I‘m writing to check if the suggestions were helpful, if you have any questions, please feel free to let me know.
  If you have any feedback on our support, please click here.
  Best Regards,
  Anna
  TechNet Community Support
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Creating DNS record

  Hi,
  Our external facing web server was recently moved to an external hosting provider but when they set it up they set the address as Home - Dilworth School instead of Home - Dilworth School. There is a database backend to this and changing the name of the server would be a major undertaking. The problem is that any emails that are generated from within this website have links pointing to Home - Dilworth School. The company that manages our external DNS records have put in an appropriate record so people outside get sent to the right place but I cannot work out how to do this internally.
  When I go to create a resource record in the DNS/DHCP management console it insists that I must fill in the owner name field so I am not sure how to get around this.
  thanks
  Keith

  Thanks - that worked. Windows would not let me do it - tried to create a DNS key when I asked it to create a resource record. Running the DNS/DHCP management console directly on the server worked.

• Can we generate the Offfice 365 MX-Token needed for the MX-DNS-Record by ourselves?

  Hi there
  As a hosting company we programmed a DNS-zone-editor in which our customers can edit their DNS-zone. A new feature we are offering is a so-called "DNS-Template-Service", in which our customers can select predefined record templates like GoogleApps
  and then trigger by one click the installation of the predefined records.
  We also would like to offer them "Office 365" as a template. According to this article https://support.office.com/en-ie/article/Create-DNS-records-at-any-DNS-hosting-provider-for-Office-365-7b7b075d-79f9-4e37-8a9e-fb60c1d95166#BKMK_add_CNAME we
  understand that all we need to do is to add a couple of CNAME, TXT and SRV records which is great.
  However, there is also an MX record with a dynamical component (the "MX-Token") that is required:
  <MX token>.mail.protection.outlook.com
  We understand that this token can be fetched by the customer from their office installation. However that would break the purpose of our templating system that is designed to work like an on/off switch.
  So our question is if there is any way that our system could generate this token by itself since we have knowledge of the customers domain anyway.
  According to some customers who already installed those records manually we can see some patterns:
  Example 1: domain1.com results in an MX with a value of
  domain1-com.mail.protection.outlook.com
  This is easy: just replace the dot with a hyphen.
  However for domains with hyphens in the name a special conversion is made and appended on the back of the first part: 
  Example 2: domain-withdash.com results in an MX with a value of domainwithdash-com01e.mail.protection.outlook.com
  Example 3: dom-ainwithdash.com results in an MX with a value of domainwithdash-com0i.mail.protection.outlook.com
  Example 4: doma-in-withadash.ch results in an MX with a value of domainwithdash-com01bb.mail.protection.outlook.com
  So what is the algorithm for this (probably bidirectional) conversion?
  Thanks for letting us know and make it easier for our customers to use office 365 with their own domain name.
  Regards
  Lukas
  Developer @ cyon GmbH

  We actually spent the last 1.5h to reverse-engineer the pattern and (hopefully) found the right answer on how these hyphen-replacements are substituted.
  * This functions generates a token as done in office 365
  * @return mixed|string
  private function getOffice365MxToken($domain)
  $delimiter = '0'; // delimiter between the domain part and the hyphen replacement part
  $token = $domain;
  $hyphenReplaceToken = '';
  // split domain string into chunks of 4 chars
  $chunkSize = 4;
  $chunks = str_split($token, $chunkSize);
  // transform the hyphens (their position) in the domain name to an alphanumerical character string
  $skipCount = 0;
  $intOfA = ord('a'); // get the decimal value of the letter 'a' as start value
  foreach($chunks as $chunk){
  $digit = $intOfA;
  for ($i = 0; $i < $chunkSize; $i++){
  if('-' === $chunk[$i]){
  $digit += pow(2, $i);
  if($intOfA === $digit){ // if the value is a it means no hyphen was found
  $skipCount++;
  continue;
  if (0 !== $skipCount) {
  $hyphenReplaceToken .= $skipCount;
  $hyphenReplaceToken .= chr($digit);
  $skipCount = 0; // rewind skip count
  if(strlen($hyphenReplaceToken) > 0){
  $token .= $delimiter . $hyphenReplaceToken;
  $token = str_replace('-', '', $token); // remove - from domain name
  $token = str_replace('.', '-', $token); // replace dots with -
  return $token;
  Short-hand explanation: The pattern showed that the domain string simply gets chunked into pieces of 4 chars. For each setting at which hyphen(s) can be located at the index value (seen as bit mask 0124) is added up. The resulting number we get per chunk
  then can be added to starting decimal value of the letter 'a' (97) and thus gives us another letter that substitutes the hyphens locations in this chuck. If no hyphen is found, the algo simply counts for how many chunks none were find and adds this up sa a
  number.
  These concatenated letters + skip-numbers then result in the replacement token that gets appended on the end of the domain name (hyphens removed, dots replaced with hyphens). 
  Oh and yeah, between these two parts a '0' is added as delimiter.
  That's it. I hope we got it correct.
  Regards
  Lukas @ cyon GmbH

• How to create a DNS record for a domain itself (without a hostname)

  Hi,
  Normally, you can create a DNS record that points to the zone itself, e.g.:
  @               10800 IN A    196.197.200.201
  How do you accomplish that on a Mac OSX Lion Server? The DNS requires you to enter a hostname and it does not accept "@" as the hostname as it normally appears in the zone file.
  (manually modifying the host file does not work - I tried that ;-) )
  Any help is appreciated
  Thanks
  Bjoern Dirchsen

  Create either a blank record with a ., or a FQDN such as 'domain.com.' (note the trailing dot). Either of these should map to the domain name.