none
DHCP event ID 1056 issue

    Question

  • I have one Win2008r2 Domain Controller (DC) and one Win2003 DC.  Both of these servers run dhcp and they each have a seperate scope where each server issues part of our ip addresses.  That way if one dhcp server is not available or is down then the other server can respond.  The Win2008r2 has been in place for about 18 months.

    My problem is: ever since a power failure last week in which I had to shut down all of my servers and related equipment I had a problem with my 2008r2 DC but was not aware of it.  The problem was is stopped giving out ip addresses and I could not remote into the server either.  I had to access it via the Hyper-V manager.  I know, I know it is not recommended that you run a DC as a VM.  Believe me it works great as long as your DC comes up before the other servers.  Anyway, I rebooted the 2008r2 DC and it appears that everything is back to normal.  Howerver, I have an error in my event log that I have not seen before.  The Event is ID 1056 and is copied below.  I have never seen this before and all the information I am finding is related to Windows 2003.  Is this something I need to be concerned with?   thanks

    The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service. This is not a recommended security configuration. Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool

    Wednesday, February 13, 2013 6:08 PM

Answers

All replies

  • It sounds like you never set it up with credentials or the DnsUpdateProxy group. And I understand, before you say it, that's it's been working fine all of these years. I guess the power failure brought it to light, because the other DHCP took over, now there's an ownership issue with registered host records.

    Take a look at the following that explains it and how to set the two up.

    DHCP Service Configuration, Dynamic DNS Updates, Scavenging, Static Entries, Timestamps, DnsUpdateProxy Group, DHCP Credentials, prevent duplicate DNS records, DHCP has a "pen" icon, and more...
    Published by Ace Fekay, MCT, MVP DS on Aug 20, 2009 at 10:36 AM  3758  2 
    http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx  

    Good summary:
    How Dynamic DNS behaves with multiple DHCP servers on the same Domain?
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e9d13327-ee75-4622-a3c7-459554319a27


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.

    FaceBook Twitter LinkedIn

    Thursday, February 14, 2013 1:56 AM
  • I will look at these docs and repost later today.  Thanks for the reply.
    Thursday, February 14, 2013 2:37 PM
  • I am going thru the document.  So I need to add both the Win2008r2 server and the Win2003 server to the DnsUpdateProxy group, correct?

    Thursday, February 14, 2013 4:54 PM
  • Correct. Nothing else in the group. As well as use the same credentials on both.

    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.

    FaceBook Twitter LinkedIn

    Thursday, February 14, 2013 5:14 PM
  • got it.

    Why on step #5 Configure DHCP credentials, does it have the note that reads, "you can do this on 2008r2 and newer, if you chose not to use."

    I don't understand this statement because nothing really follows it??  If you chose not to do what, you can do what??  Maybe it is not important because I am creating the user for credentials, etc.

    Once I finish with the dhcp name protection step, can I stop there?

    Also, when I set the Name Protection at the IPv4 level (like the article says) it does not show up for the actual scope, in other words the box is not checked when you look at the properties, DNS, configure for the actual scope.  Do I need to set it there too?

    update 1 - Ok, just finished working thru the article and I stopped after setting up Name Protection.  I have not gone any further yet.  How can I tell if my dhcp is working properly?  My Win2008r2 DC has still not issued any ip addresses.  Do I need to work thru the scavenging and other section?  Or can you just give me a general "setting" to go by?  thanks for your help.

    update 2 - One more thing.  The note about older and pre-existing dns records.  Am I supposed to delete all the records in my forward lookup zone?  I hope not.  Or am I just supposed to delete any duplicates?  If I do delete all my forward lookup records what am I supposed to do?  Just have everyone reboot?  Not sure about that part.





    • Edited by Poly Admin Friday, February 15, 2013 3:02 PM
    Thursday, February 14, 2013 7:44 PM
  • Hey Ace, you out there???

    Ok, I hope it is working.  Late yesterday I temporarily stopped the dhcp service on the win2k3 server and then did a /release and /renew on a client and it pulled an ip address from the win2008r2 server.  Please look at my questions/comments in my previous post and see if I need to do anything else.

    Thanks for your help.

    Friday, February 15, 2013 3:02 PM
  • Hey Ace!!  You out there??
    Monday, February 18, 2013 2:30 PM
  • SOrry, busy. Remember, MVPs do not work for Microsoft and do this on our own free time.

    That's an incomplete sentence. I'll have to fix that. That was a condition whether you want to use NameProtection or DHCP credentials, not both. I have to dig up the article explaining that. It's recommended to disable NameProtection if using credentials, but either way, ONLY the DHCP servers must be in the DnsUpdateProxy group, nothing else.

    Good summary:
    How Dynamic DNS behaves with multiple DHCP servers on the same Domain?
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e9d13327-ee75-4622-a3c7-459554319a27

    .

    And yes, manually delete the older records.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.

    FaceBook Twitter LinkedIn

    Monday, February 18, 2013 2:42 PM
  • I am reading thru the summary you referenced.
    So use either Credentials or Name Protection, but not both??
    Ok, so I went back and disabled Name Protection on my Win2008r2 server.

    If I check both servers and they are issuing ip addresses but I don't have any duplicate entries across the servers, do I still need to delete any records?  Or can I just leave them alone?  If I do delete any old records, how quickly will they be registered back into the database?

    Update - Scavenging is enabled on one server.  My dhcp lease is set to 4 days and my Refresh and No Refresh rate is set to 3 days.  is that ok?

    thanks for your help.



    • Edited by Poly Admin Monday, February 18, 2013 5:19 PM
    Monday, February 18, 2013 3:40 PM
  • Use either or, not both. But you still need DnsUpdateProxy group and credentials.

    If they are not dupes, you can leave them alone. Keep an eye on it. If you see any dupes after the lease expires or a client walks away past the lease time and gets a new one, then you see a dupe, delete both, delete the lease, ipconfig /renew and set phasers on stun. :-)


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.

    FaceBook Twitter LinkedIn

    Monday, February 18, 2013 5:52 PM
  • I was wrong.  I do have some duplicates.

    I am deleting both entries and then doing an ipconfig release and renew.  Is there anything special I have to do to "delete the lease"?

    Also, notice the scavenging remark in my previous post.

    • Edited by Poly Admin Monday, February 18, 2013 7:34 PM
    Monday, February 18, 2013 7:23 PM
  • You mean delete the leases in the DHCP console? SUre, go ahead. If in DNS, you can either wait for scavenging to take place or delete them manually to kick it off.

    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.

    FaceBook Twitter LinkedIn

    Wednesday, February 20, 2013 3:06 AM