Recursive DNS

CADS DNS does not maintain its own reverse DNS zone. Queries are forwarded to DoIT’s Campus recursive DNS servers, which are read-only. 

rdns1.doit.wisc.edu…..144.92.254.254

rdns2.doit.wisc.edu…..128.104.254.254

Old DNS Records / DNS Scavenging

Record scavenging in CADS DNS is disabled. We operate under the assumption that critical servers or workstations for our campus partners may, for any number of reasons, be unable to contact the domain and that our associated DNS record may be the only stored information with the workstation’s last known IP address.

Dynamic Updates

CADS DNS uses the default setting of only allowing secure dynamic updates to its integrated DNS zone. Secure DNS means that only objects (computers, groups, users, services) with the appropriate permissions are allowed to read and/or write a given DNS record.

Default permissions allow ‘Everyone’ in ad.wisc.edu to read the record, but only domain Administrators, Domain Admin, Enterprise Admins and Domain Controllers to have ‘Write’ or ‘Full Control’ on all DNS records. 

DNS records for computer objects are created by the computer itself during the domain joining process, giving the computer object ‘Full Control’ of the DNS record. This means that as long as the workstation can stay connected and is able to authenticate to the domain, the computer will update its DNS record with any changes to its IP address.

Issues occur when a machine loses its authentication with the domain, or when an administrator wishes to reuse a computer name.

Re-Using Computer Object Names

The combination of disabling record scavenging and using secure dynamic updates makes reusing names for computer objects more complex. Even though the computer object may have been deleted the DNS record will remain. When the same name is used to add a new machine to the domain the domain join will complete, but during DNS registration the Domain Controller will see that a record already exists and that the SID of the object trying to register is different from the object that had write permissions on the record. Therefore, the new computer object cannot update its DNS record.

The only way around this problem is to request that the CADS team delete the old DNS record and reboot the newly joined machine. That will automatically register a new record with the correct permissions in CADS DNS.

Infoblox

Infoblox is DoIT’s centralized DHCP, DNS and IP management solution and is free to use for UW-Madison IT community. Many groups are already using Infoblox in some manner to manage their networks, but Infoblox can also be used with Campus Active Directory. Using CADS and Infoblox together, admins can use a custom DNS zone to manage their own DNS records and not rely on the CADS team to delete old records or set statics on their behalf. 

Here are some important factors to consider when setting up a custom zone in Infoblox for use with Campus Active Directory: 

• Your computers must still be joined to Campus AD (ad.wisc.edu) and must use CADS Domain Controllers for DNS servers

• Your custom zone name does not need to be the same as your department’s domain name, although in many cases that is what administrators choose to do

• The DHCP server you are using with your ad.wisc.edu-joined workstations must be configured with dynamic DNS enabled on your custom zone. This cannot be done via Group Policy in Active Directory

  • If you are migrating to Campus AD you should first migrate all workstations in a VLAN to CADS. Then request that your network administrator (in most cases this will be DoIT NS OpsEng) change the IP Helper/DHCP relay from your server to Infoblox’s DHCP servers. 

    • dhcp-cssc.doit.wisc.edu…..144.92.254.23

    • dhc-animal.doit.wisc.edu…..146.151.145.40

Further Reading: 

How to configure DNS dynamic updates in Windows Server - Windows Server | Microsoft Learn