Should I add Windows 2012 R2 DHCP servers to the DNSUpdateProxy group or just configure the credentials?

  • Question

  • Hi,

    I have two Windows 2012 R2 DHCP servers configured in a failover cluster. Should I add them to the DNSUpdateProxy group in AD, or just rely on the DNS dynamic update credentials configured in the DHCP console? I think I should not add them because:

    1. Those are not running on top of domain controllers (they are not DCs, just DHCP)

    2. I checked and confirmed that the DNS dynamic update user configured in the DHCP console is the owner of the pointer records registered in the reverse lookup zone

    3. It is not a security best practice to add them to this group.

    Thanks for your advice.

    Thursday, January 12, 2017 8:53 AM

All replies

  • Hi, if you are registering only Windows domain-joined clients, netlogon will register the client name and IP in DNS.

    I usually create a new user for DHCP-DNS update and add the user to the zone.

    • Proposed as answer by John Lii Friday, January 13, 2017 3:14 AM
    Thursday, January 12, 2017 1:13 PM
  • Hi Ahmadjy,

    The link below is information about DNSUpdateProxy and how to use it for your reference:

    DNS Record Ownership and the DnsUpdateProxy Group

    https://technet.microsoft.com/en-us/library/dd334715(v=ws.10).aspx

    Best Regards

    John


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, January 13, 2017 3:13 AM
  • Hi Ahmadjy,

    Have you successfully resolved your issue?

    If there is an update about the issue, you could post it here for further support.

    Best Regards

    John



    Tuesday, February 7, 2017 2:09 AM
  • Hi John,

    Thanks for following up.

    In fact I did not add the DHCP servers to the DNSUpdateProxy group but configured the DNS dynamic update credentials only. Now each client registers its own A record in DNS and is automatically set as the owner of that record, but for the PTR record I assumed the DNS dynamic update credentials user would be the owner of that record; instead I see "System" is the owner. I think this is wrong and needs to be solved. Of course the DNS dynamic update credentials user is not a DNS admin, hence it will not be able to own the PTR record, so what do you think?

    Tuesday, February 14, 2017 3:32 PM
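    The following PowerShell is an added example for the original question and for the ownership check described in the post above; it is not code from the thread or from Microsoft. It shows the credential-based approach the poster chose (dedicated DNS update account on each failover partner, no DnsUpdateProxy membership) and then reads the owner of every record in the reverse zone directly from the dnsNode objects in AD, which is the authoritative place to check who created a record. The names DHCP01, DHCP02, DC01, CONTOSO\svc-dhcpdns, contoso.com and 10.in-addr.arpa are assumptions; replace them with your own. The reason to prefer this over DnsUpdateProxy for non-DC DHCP servers is that records created by members of that group carry a weak security descriptor so any client can later take them over, which is exactly the exposure the TechNet article linked above describes.

```powershell
# Added example, not from the original thread. Assumed names: domain contoso.com,
# DHCP failover partners DHCP01/DHCP02, DNS server DC01, dedicated low-privilege
# account CONTOSO\svc-dhcpdns, reverse zone 10.in-addr.arpa (AD-integrated).
Import-Module DhcpServer, DnsServer, ActiveDirectory

$dhcpServers = 'DHCP01', 'DHCP02'
$cred = Get-Credential -UserName 'CONTOSO\svc-dhcpdns' `
    -Message 'Account DHCP uses for DNS dynamic updates (plain domain user, not a DNS admin)'

foreach ($s in $dhcpServers) {
    # 1. Register A/PTR records under the dedicated account rather than the DHCP
    #    server's own computer account. Failover partners do not replicate this
    #    setting, so configure both.
    Set-DhcpServerDnsCredential -ComputerName $s -Credential $cred

    # 2. Server-wide DNS behaviour: always update, register PTR for clients that do
    #    not request it, and remove records when the lease expires so they don't go stale.
    Set-DhcpServerv4DnsSetting -ComputerName $s -DynamicUpdates Always `
        -UpdateDnsRRForOlderClients $true -DeleteDnsRRonLeaseExpiry $true

    Get-DhcpServerDnsCredential -ComputerName $s
}

# 3. Verify neither DHCP server is a member of DnsUpdateProxy.
$proxyMembers = Get-ADGroupMember -Identity 'DnsUpdateProxy' |
    Select-Object -ExpandProperty Name
foreach ($s in $dhcpServers) {
    if ($proxyMembers -contains $s) {
        Write-Warning "$s is a member of DnsUpdateProxy; its records will be weakly protected"
    } else {
        Write-Output "$s is not a member of DnsUpdateProxy"
    }
}

# 4. Who owns the PTR records? Each record in an AD-integrated zone is a dnsNode
#    object whose security descriptor Owner is the account that created it. Find
#    the zone's partition first so the search base is correct.
$zoneName = '10.in-addr.arpa'
$zone = Get-DnsServerZone -Name $zoneName -ComputerName 'DC01'
$partition = switch ($zone.ReplicationScope) {
    'Domain' { 'DC=DomainDnsZones,' + (Get-ADDomain).DistinguishedName }
    'Forest' { 'DC=ForestDnsZones,' + (Get-ADRootDSE).rootDomainNamingContext }
    'Legacy' { 'CN=System,' + (Get-ADDomain).DistinguishedName }
    default  { throw "Zone $zoneName uses replication scope '$($zone.ReplicationScope)'; set the partition DN manually" }
}
$zoneDN = "DC=$zoneName,CN=MicrosoftDNS,$partition"

$owners = Get-ADObject -SearchBase $zoneDN -SearchScope OneLevel `
        -Filter { objectClass -eq 'dnsNode' } |
    ForEach-Object {
        $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
        [pscustomobject]@{ Record = $_.Name; Owner = $acl.Owner }
    }

# Summary by owner, then the individual records for anything not owned by the
# dedicated account (these are the ones worth investigating).
$owners | Group-Object Owner | Select-Object Count, Name | Format-Table -AutoSize
$owners | Where-Object { $_.Owner -ne 'CONTOSO\svc-dhcpdns' } | Format-Table -AutoSize
```

    Run this from a management host with RSAT for DHCP, DNS and AD installed, as an account that can administer the DHCP servers and read the zone's AD objects. Step 4 is the check to apply to the PTR ownership question: the Owner column shows which principal actually wrote each record, so you can tell records created by DHCP under the configured credentials apart from records created by a client's own computer account or by the DNS server process itself.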
  • Hi Ahmadjy,

    >>I assume the DNS dynamic update credentials user should be the owner on that record, but I see "System" is the owner

    You could check the link below to understand it:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/4b0fa67b-17b3-46ff-8e32-b5ae201d213e/dns-name-owner-how-to-check?forum=winserverNIS

    Best Regards

    John



    Wednesday, February 15, 2017 9:44 AM