DHCP Server Not Registering A Records for Windows Clients

  • Question

  • Hello,

    Despite reading every Ace Fekay blog on the Internet, I can't seem to get DHCP + DNS integration working properly. ;-)

    My environment:

    Single Forest, Single Domain

    Forest and Domain Level: Windows Server 2008 R2

    3 Domain Controllers; All Running DNS

    1 Domain Controller running the only DHCP Server; It's authorized

    Active Directory Integrated Zones

    No Duplicate Zones (Followed Ace's article to make sure)

    DHCP Server Configured like this according to the blog post:

    • Add the DHCP server to the Active Directory, Built-In DnsUpdateProxy security group.
    • Configure DHCP Credentials.
    • Configure Name Protection.
    • If DHCP is co-located on a Windows 2008 R2 DC, you must secure the DnsUpdateProxy group by running the following:
      dnscmd /config /OpenAclOnProxyUpdates 0

    Here is what I am seeing:

    1. PTR records working and owned by the DHCP server's service account

    2. A records are showing up, but are owned by the client (for Windows and Macs with Centrify)

    3. A records for other devices (iPhones etc) show up and are owned properly by DHCP server's service account

    I would like number 2 above to behave like number 3 (DHCP service account owns and manages all records)

    Any help would be appreciated. Thanks!

    Aaron

    Friday, December 21, 2012 10:31 PM

All replies

  • Can you confirm which option you have selected in the DNS tab for your DHCP server properties? I think you should have it set to Always dynamically update DNS A and PTR records.
    Saturday, December 22, 2012 3:38 AM
  • > Can you confirm which option you have selected in the DNS tab for your DHCP server properties? I think you should have it set to Always dynamically update DNS A and PTR records.

    Christopher, that would be my question, too. :-)

    aasmith:

    Are all A records, even new ones that weren't previously created, behaving this way?


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.

    Saturday, December 22, 2012 5:43 AM
  • Hi,


    Agree with Ace and Christopher.


    Also, we can refer to the following:


    Integrating DHCP with DNS

    DNS Record Ownership and the DnsUpdateProxy Group

    Understanding Dynamic Update


    Hope this helps and Happy Holidays!


    Jeremy Wu
    TechNet Community Support

    Tuesday, December 25, 2012 9:11 AM
  • Thanks for the responses, especially during this busy holiday time.

    @ChristopherEvery: Yes, DNS tab of DHCP server and scope properties are set to 'Always dynamically update DNS A and PTR records.'

    @Ace Fekay: Yes, all A records are behaving this way. New and old. I have deleted some existing records from the DNS snap-in and rebooted the host to see if that would fix the issue, but they are still owned by the host computer account when they get re-added.

    @Jeremy_Wu: Thanks for the articles. I had previously read these articles, but I re-read them to be sure.

    Additional information: All 3 domain controllers are members of the DnsUpdateProxy group in case we need to move DHCP to one of them. Also, I originally made the service account that is used in the 'Configure DHCP Credentials' step a member of the DnsUpdateProxy group. After re-reading the steps on Ace's blog I felt I had interpreted that wrong, so I removed the service account from the group, rebooted the DHCP server and deleted the DNS records from the DNS snap-in for the hosts that I am testing. The domain controllers are presently the only members of the DnsUpdateProxy group.

    • Edited by aasmith10 Wednesday, December 26, 2012 6:26 PM
    Wednesday, December 26, 2012 3:21 PM
  • It seems you have all the settings correct. Do you also have it set to register even if a client computer doesn't know how to ask?

    Any eventlog errors including the directory service logs?


    Ace Fekay

    Wednesday, December 26, 2012 7:31 PM
  • Yes. My settings are:

    Enable DNS dynamic updates according to the settings below:

    -Always dynamically update DNS A and PTR records

    -Discard A and PTR records when lease is deleted

    -Dynamically update DNS A and PTR records for DHCP clients that do not request updates

    Name Protection

    -Enable Name Protection


    I will check the logs and get back to you.


    • Edited by aasmith10 Thursday, December 27, 2012 2:45 PM
    Thursday, December 27, 2012 2:45 PM
  • Here is what I found in the Directory Services log:

    Internal event: The LDAP server returned an error.

    Additional Data
    Error value:
    0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
    'CN=System,DC=mydomain,DC=com'
    (user:SYSTEM)

    Internal event: The LDAP server returned an error.

    Additional Data
    Error value:
    0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
    'DC=z.y.x.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=com'
    (user:my_dnsupdateproxy_account)

    Internal event: The LDAP server returned an error.

    Additional Data
    Error value:
    0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
    'CN=Dfs-Configuration,CN=System,DC=bmydomain,DC=com'
    (user:my_computer_account$)

    Internal event: The LDAP server returned an error.

    Additional Data
    Error value:
    00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
    (user:my_dnsupdateproxy_account)

    After reviewing the errors, I remembered that my_dnsupdateproxy_account was a member of a service account group only and not domain users, so I put it back in domain users and rebooted the dhcp server and tested, but the issue is still present. I will also post any DNS logs I find. Just wanted to get these out here for consideration.

    Thursday, December 27, 2012 5:06 PM
  • I think you misunderstood the purpose of the DnsUpdateProxy group. It's only meant for dynamic updates and the ONLY object to be added to the group is the DHCP server. That's it.

    If you have added the group to another group, I don't understand why. That's not its purpose. Remove it from everything else. Only the DHCP servers, nothing else, should be in the group. No users, either.


    Please post an unedited ipconfig /all to diagnose the LDAP errors.


    Ace Fekay

    Thursday, December 27, 2012 5:37 PM
  • Sorry for the confusion: I meant the user account used for the credentials for the DHCP server had been removed from the 'Domain Users' group to reduce its access. I thought that might be a problem when I saw the access error, so I re-added it. The actual DnsUpdateProxy group only has the three Domain Controllers as members, one of which is also the DHCP server.


    IPconfig from the workstation:

    removed
    IPconfig from the DHCP Server:


    removed



    • Edited by aasmith10 Thursday, December 27, 2012 8:15 PM
    Thursday, December 27, 2012 6:30 PM
  • No DNS errors in the event log.
    Thursday, December 27, 2012 6:51 PM
  • The ipconfigs look good except that ::1 IPv6 entry. Let's change the IPv6 NIC properties to obtain a DNS address automatically, then retest it.

    Ace Fekay

    Thursday, December 27, 2012 7:06 PM
  • That's in this spot:

    Then restart the Netlogon service.


    Ace Fekay

    Thursday, December 27, 2012 7:09 PM
  • I changed the IPv6 DNS setting and restarted the Netlogon service, but to no avail.
    Thursday, December 27, 2012 7:20 PM
  • One of the other two domain controllers had the same IPv6 DNS setting, so I did the same on it as well.
    Thursday, December 27, 2012 7:37 PM
  • Then everything else seems ok, as far as I can see and think of without access to your systems.

    I think at this time it would be best to contact Microsoft Support. There must be something else going on that we're missing that they can find with hands-on access. Here's the contact info if you choose this option:
    http://support.microsoft.com/contactus/


    Ace Fekay

    • Marked as answer by aasmith10 Thursday, December 27, 2012 8:13 PM
    Thursday, December 27, 2012 8:00 PM
  • Thanks for your time working with me on this as well as for the helpful information you've posted elsewhere.

    Happy Holidays!

    Thursday, December 27, 2012 8:12 PM
  • You are welcome! 

    If you can, please update us whatever Microsoft finds. It may help others. :-)

    And Happy Holidays to you, too!


    Ace Fekay

    Thursday, December 27, 2012 8:16 PM
  • Update: We are working with Microsoft on the issue. They say that while all settings and network communications are as expected, the problem appears to be that the DHCP Server is not taking the ownership of the DNS records at the end of the process. They said this may take awhile to solve. The Microsoft summary is below. I will post the solution when we get one.

    SUMMARY

    From the traces and debug logs, we do find the client sending option 81 (Update Request) and the response from the DHCP server for the same.

    I find in the trace from the DHCP response that DHCP is configured for the option "Always dynamically update DNS A and PTR records" and is updating both the A and PTR records.

    Frame: Number = 1626 and Frame: Number = 1627 suggest the same indication, that DHCP would register both A and PTR records.

    In the DNS query section we find the client successfully queries for the SOA record, and thereafter, later on in the trace in frame 1758, the record is updated in the DNS.


    Wednesday, January 9, 2013 9:01 PM
  • Thanks for the update. So you did have everything set properly. Apparently something else in the background is preventing record ownership. I realized Support is working on it, but curious, is there an AV installed that may be preventing it?

    Ace Fekay

    Wednesday, January 9, 2013 11:29 PM
  • Great thought! Yes, there is AV installed. I will mention that to Support.
    Monday, January 14, 2013 6:28 PM
  • Uninstalled AV and rebooted, but it didn't fix it. I'll keep you posted.
    Tuesday, January 15, 2013 9:25 PM
  • I had all the DCs in the DnsUpdateProxy group as I stated earlier so that if we had to move DHCP to one of them, they would already be in the group. Since this was not to the letter of Ace's advice (nothing else in the group), I decided to remove the two DCs that were not DHCP servers to see if that was the problem, then rebooted all the DCs (not at the same time ;-) ). Now the problem seems to be resolved. I will be doing more testing with MS Product Support tomorrow and post a follow up.
    Tuesday, January 15, 2013 10:57 PM
  • A question I want to discuss with product support tomorrow is the fact that the first thing they did was disable 'Name Protection'. They said something to the effect that it causes problems in Windows Server 2008. However, everything I've read says that if you want to let DHCP manage DNS that you should enable 'Name Protection'. Any responses to this question before I ask Product Support?
    Tuesday, January 15, 2013 11:07 PM
  • > I had all the DCs in the DnsUpdateProxy group as I stated earlier so that if we had to move DHCP to one of them, they would already be in the group. Since this was not to the letter of Ace's advice (nothing else in the group), I decided to remove the two DCs that were not DHCP servers to see if that was the problem, then rebooted all the DCs (not at the same time ;-) ). Now the problem seems to be resolved. I will be doing more testing with MS Product Support tomorrow and post a follow up.

    So as you can now see, I have a method to my madness. :-)

    > A question I want to discuss with product support tomorrow is the fact that the first thing they did was disable 'Name Protection'. They said something to the effect that it causes problems in Windows Server 2008. However, everything I've read says that if you want to let DHCP manage DNS that you should enable 'Name Protection'. Any responses to this question before I ask Product Support?

    First I've heard of this. Ask them for specific KBs or Technet articles that fully explain their statement, please.


    Ace Fekay

    Tuesday, January 15, 2013 11:30 PM
  • I'm a believer. That's why I went back through our conversation looking for anywhere I deviated from the method :-)

    I haven't received a response from product support yet today, but I did further testing. My test PC is still working today (its A record is owned by the DHCP server whenever I re-register). I then tested a PC in another DHCP scope and it failed (the client owned the A record, rather than the DHCP server credential account). I then disabled name protection on that scope just as Microsoft had done on the scope that my test PC was using, and now the DHCP server credential account indeed owns the A record for this second test PC.

    I will certainly ask them to explain and reference KB articles to defend this setting. I did find this blog post from last spring, which you may remember :-) with a similar recommendation from Microsoft. See the second to the last post from Aftabhussain.

    http://social.technet.microsoft.com/Forums/en/winserverNIS/thread/7a2eee1b-6776-4dbf-9c74-ffa45f87422b


    Wednesday, January 16, 2013 4:53 PM
  • I do remember that conversation. Well, at least you have a handle on the ownership issue. I hope product support gets back to you with an article. I'm curious to read it. I'll go through my resources to see if I can get anything on it, too. Never know, it may be buried in a currently publicly published article that I missed.

    And FYI on how I have my customers set up: I don't use Name Protection, since the other methods have been working for me for years.


    Ace Fekay

    Wednesday, January 16, 2013 5:09 PM
  • My issue has been resolved. Basically your recommended settings are exactly what works. The problems were:

    1. Other DCs that were DNS servers were in the DnsUpdateProxy security group besides the DHCP server

    2. Name Protection must be disabled with the configuration we are using

    We also applied a hot fix from MS support as some of our DNS components appeared to be out of date, but it did not fix the problem.

    I don't know why the items listed above were a problem and neither does Microsoft. I'd like to mention here that they refunded our money since we came up with item number 1. They were not able to provide a KB article to support number 2. I suggested that they write one. The only thing they could find was the link I posted earlier:

    http://social.technet.microsoft.com/Forums/en/winserverNIS/thread/7a2eee1b-6776-4dbf-9c74-ffa45f87422b

    Here is the summary of the settings we are using.

    DHCP Server

    Authorized the DHCP server

    Added the DHCP server to the Active Directory, Built-In DnsUpdateProxy security group

    Created a standard user account in Active Directory and used its credentials for the DHCP Server on the Advanced Tab.

    Ran dnscmd /config /OpenAclOnProxyUpdates 0 since this is a domain controller

    DNS Tab of DHCP Server is configured as stated below:

    Enable DNS dynamic updates according to the settings below:

    -Always dynamically update DNS A and PTR records

    -Discard A and PTR records when lease is deleted

    -Dynamically update DNS A and PTR records for DHCP clients that do not request updates

    Name Protection

    -Name Protection is NOT enabled

    Lease Time for all scopes is 1 day (24 hours)

    DNS Server

    Dynamic Updates: Secure Only

    DNS Aging and Scavenging Settings on all zones (these were set by MS Support based on our 24 hr lease time: 8 + 16 = 24):

    -No Refresh: 8 hrs

    -Refresh: 16 hrs

    Scavenging is only set on one DNS server. It is turned off on the others.

    Thanks again for the help, Ace.

    Aaron

    • Marked as answer by aasmith10 Wednesday, February 6, 2013 4:53 PM
    Wednesday, February 6, 2013 4:53 PM
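An added PowerShell audit of the working configuration Aaron summarises above (example code written for this page, not from the thread or from Ace's blog). It assumes the RSAT ActiveDirectory, DhcpServer and DnsServer modules, that it runs on the DC that hosts DHCP, and the constructed placeholder names dc1.mydomain.com and mydomain.com; the registry location read for OpenAclOnProxyUpdates is also an assumption.

```powershell
# Added audit script (not from the thread or from Ace's blog). Assumes the RSAT
# ActiveDirectory, DhcpServer and DnsServer modules and that it runs on the DC that
# hosts DHCP. dc1.mydomain.com and mydomain.com are constructed placeholder names.
Import-Module ActiveDirectory, DhcpServer, DnsServer

$DhcpServer = 'dc1.mydomain.com'   # assumed: the single authorized DHCP server
$ZoneName   = 'mydomain.com'       # assumed: the AD-integrated forward zone
$LeaseHours = 24                   # thread: every scope uses a 1-day lease

# dnsNode objects of a zone replicated to DomainDnsZones sit under this container
# (same DN shape as the Directory Services events quoted earlier in the thread).
$ZoneDn = "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones," + (Get-ADDomain).DistinguishedName

function Test-DhcpDnsIntegration {
    $f = New-Object 'System.Collections.Generic.List[string]'

    # 1. DnsUpdateProxy holds only authorized DHCP servers: no other DCs, no users.
    $authorized = @((Get-DhcpServerInDC).DnsName)
    foreach ($m in Get-ADGroupMember -Identity 'DnsUpdateProxy') {
        $ok = $false
        if ($m.objectClass -eq 'computer') {
            $fqdn = (Get-ADComputer -Identity $m.distinguishedName).DNSHostName
            $ok   = $authorized -contains $fqdn
        }
        if (-not $ok) { $f.Add("DnsUpdateProxy member $($m.SamAccountName) ($($m.objectClass)) is not an authorized DHCP server") }
    }

    # 2. DNS tab at server level and in every scope (scope settings can override the
    #    server, which is how Name Protection stayed on in one scope in the thread).
    $targets = @(@{ Label = 'server'; Args = @{} })
    foreach ($s in Get-DhcpServerv4Scope -ComputerName $DhcpServer) {
        $targets += @{ Label = "scope $($s.ScopeId)"; Args = @{ ScopeId = $s.ScopeId } }
    }
    foreach ($t in $targets) {
        $a = $t.Args
        $d = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer @a
        if ($d.DynamicUpdates -ne 'Always')     { $f.Add("$($t.Label): DynamicUpdates is '$($d.DynamicUpdates)', expected Always") }
        if (-not $d.DeleteDnsRROnLeaseExpiry)   { $f.Add("$($t.Label): A/PTR records are not discarded when the lease is deleted") }
        if (-not $d.UpdateDnsRRForOlderClients) { $f.Add("$($t.Label): clients that do not request updates are not registered") }
        if ($d.NameProtection)                  { $f.Add("$($t.Label): Name Protection is enabled (the thread needed it off)") }
    }

    # 3. DHCP on a DC: 'dnscmd /config /OpenAclOnProxyUpdates 0' stores the value here
    #    (assumed registry location; a missing value means the default of 1, open ACLs).
    $p    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' -ErrorAction SilentlyContinue
    $open = if ($null -ne $p.OpenAclOnProxyUpdates) { [int]$p.OpenAclOnProxyUpdates } else { 1 }
    if ($open -ne 0) { $f.Add("OpenAclOnProxyUpdates is $open on this DC, expected 0") }

    # 4. Zone accepts secure updates only; No-refresh + Refresh equals the lease time.
    $z = Get-DnsServerZone -Name $ZoneName
    if ($z.DynamicUpdate -ne 'Secure') { $f.Add("Zone $ZoneName accepts '$($z.DynamicUpdate)' updates, expected Secure") }
    $ag  = Get-DnsServerZoneAging -Name $ZoneName
    $sum = $ag.NoRefreshInterval.TotalHours + $ag.RefreshInterval.TotalHours
    if (-not $ag.AgingEnabled)    { $f.Add("Aging is disabled on $ZoneName") }
    elseif ($sum -ne $LeaseHours) { $f.Add("No-refresh + Refresh = $sum h on $ZoneName, expected $LeaseHours h (lease time)") }

    # 5. Scavenging runs on exactly one DNS server.
    $states = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        (Get-DnsServerScavenging -ComputerName $dc).ScavengingState
    }
    $n = @($states | Where-Object { $_ }).Count
    if ($n -ne 1) { $f.Add("Scavenging is enabled on $n DNS servers, expected exactly 1") }
    return $f
}

# Who owns the records? With the working configuration the DHCP credential account
# should dominate; SYSTEM or a computer account (NAME$) means the client registered
# the record itself. Tombstoned nodes are skipped.
function Get-DnsRecordOwnerSummary {
    Get-ADObject -SearchBase $ZoneDn -LDAPFilter '(&(objectClass=dnsNode)(!(dNSTombstoned=TRUE)))' `
                 -Properties nTSecurityDescriptor |
        Group-Object { $_.nTSecurityDescriptor.Owner } |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Owner'; e = { $_.Name } }, Count
}

$findings = @(Test-DhcpDnsIntegration)
if ($findings.Count -eq 0) { 'No deviation from the working configuration found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
Get-DnsRecordOwnerSummary | Format-Table -AutoSize
```

The owner summary is the quickest way to see whether the fix took: A records whose owner is a computer account or SYSTEM were registered by the client, which is exactly the symptom Aaron started with.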
  • You are welcome.

    As for disabling name protection, I believe that is in my blog, unless I haven't updated it yet. If not, I have more info on it once I get back to my office.

    I'm happy to have helped you.


    Ace Fekay

    Wednesday, February 6, 2013 6:31 PM
  • I also found this post to be helpful, as I have been experiencing the exact same issues: disabling name protection, ensuring that the DHCP servers are in the DnsUpdateProxy group (and running dnscmd /config /OpenAclOnProxyUpdates 0 on those machines), and creating a domain user account whose only membership is in the Domain Users group for the DHCP servers to use.
    Monday, May 13, 2013 4:55 PM
  • Glad to hear you've found it helpful. :-)


    Ace Fekay

    Monday, May 13, 2013 5:46 PM
  • I have been trying to figure out the OP's issue #2 (client machines were still the owner of DNS A records) as well and stumbled upon this.

    All my other settings were exactly as they should be, based on reading the assorted guides already linked.

    The single change of disabling Name Protection resolved the issue.

    Has there been any update to this or documentation?  Most guides suggest turning this ON, but it clearly breaks record ownership.

    Tuesday, February 4, 2014 7:21 PM
  • > I have been trying to figure out the OP's issue #2 (client machines were still the owner of DNS A records) as well and stumbled upon this.
    >
    > All my other settings were exactly as they should be, based on reading the assorted guides already linked.
    >
    > The single change of disabling Name Protection resolved the issue.
    >
    > Has there been any update to this or documentation? Most guides suggest turning this ON, but it clearly breaks record ownership.

    It's actually one or the other. If Name Protection is checked, it won't allow you to configure the DNS tab in DHCP. Glad that it helped!

    Ace Fekay

    Tuesday, February 4, 2014 7:40 PM
  • Sorry to "bump" an old post, but we were having the exact same issue, and got it resolved. (Config pretty much identical to what's described here, except that we use a dedicated DHCP server, not a DC.)

    HOWEVER, after a while (1 hour roughly, but have to do more testing), it reverts back to NOT registering the DNS A records and will only start working again once the DHCP service is restarted, again, for a short period of time.

    Does anyone know what would cause this to start working by restarting the service, and not making any other changes?

    Thanks,
    Martin

    P.S. I've been using your blogs for years, Ace; I'd like to take this opportunity to thank you while I'm here.

    Monday, March 13, 2017 7:29 PM
  • Thank you!!!!  Have been working on same issue for days.  Your instructions were clear and corrected our issues.  KUDOS!!!!
    Thursday, April 13, 2017 4:25 PM
  • Sorry to drag up an old post, but I seem to be suffering a similar issue and I've spent a good while trying to resolve. Basically, I've inherited a large, fairly fragmented network and I've been trying to consolidate and bring it up to scratch. I had quite a problem with duplicate DNS entries, so I've been through DHCP and DNS with a fine-tooth comb, and although the duplicate problem is 95% improved, I still get the odd few.

    What I am finding though, is that although the DHCP dynamic update credential account is the owner of all PTR records, all A records are owned by SYSTEM. ACLs on these records do not include the service account at all.

    I have numerous DHCP servers due to various sites, all registering into the same DNS zone. The zone is set to allow secure and unsecure updates (required at present due to certain sites using a network switch to serve DHCP). All Windows DHCP servers are also DCs, are using credentials and are members of the DnsUpdateProxy group. No other servers or users are members. The DHCP scope, at least on the site I'm testing with, is set to always register DNS records.

    Regardless, A records are always owned by SYSTEM. PTR records are always owned by relevant DHCP update credential service account. Servers are a mixture of 2008R2 and 2012R2.

    Does anyone have any suggestions?

    Thanks

    Monday, January 29, 2018 10:26 AM
  • > Sorry to drag up an old post, but I seem to be suffering a similar issue and I've spent a good while trying to resolve. Basically, I've inherited a large, fairly fragmented network and I've been trying to consolidate and bring it up to scratch. I had quite a problem with duplicate DNS entries, so I've been through DHCP and DNS with a fine-tooth comb, and although the duplicate problem is 95% improved, I still get the odd few.
    >
    > What I am finding though, is that although the DHCP dynamic update credential account is the owner of all PTR records, all A records are owned by SYSTEM. ACLs on these records do not include the service account at all.
    >
    > I have numerous DHCP servers due to various sites, all registering into the same DNS zone. The zone is set to allow secure and unsecure updates (required at present due to certain sites using a network switch to serve DHCP). All Windows DHCP servers are also DCs, are using credentials and are members of the DnsUpdateProxy group. No other servers or users are members. The DHCP scope, at least on the site I'm testing with, is set to always register DNS records.
    >
    > Regardless, A records are always owned by SYSTEM. PTR records are always owned by the relevant DHCP update credential service account. Servers are a mixture of 2008R2 and 2012R2.
    >
    > Does anyone have any suggestions?
    >
    > Thanks

    It sounds like you should set DHCP to force all registration so it owns it. For anything in the zone that the DHCP creds don't own, delete them, and they will get re-registered automatically. Ensure that zone scavenging is set per my guidelines in my blog:

    https://blogs.msmvps.com/acefekay/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group/

    Ace Fekay

    Thursday, February 1, 2018 10:01 PM
  • Hey Ace, you seem to be the best resource on the net for this stuff... so rather than starting a new thread I wanted to post here. We have a new DHCP server (Windows Server 2019, our sole DHCP server for the network) that is getting flooded with

    "PTR record registration for IPv4 address [[IPADDRESS]] and FQDN workstation.domain.local failed with error 9005 (DNS operation refused.)."

    and

    "Forward record registration for IPv4 address [[IPADDRESS]] and FQDN workstation.domain.local failed with error 9005 (DNS operation refused.)."

    I've worked with our high complexity team at Dell, and have been trying to figure out a solution for this for about a month now. Just a quick thousand-foot view:

    1. The DnsUpdateProxy group only contains the DHCP server.

    2. DHCP Name Protection is disabled.

    3. DNS Dynamic Update credentials are entered for a domain user access account (member of only the Domain Users group and the DHCP Administrators group).

    4. I've checked "Authenticated Users" and it did not have "Create all child objects" permission on the DNS zone (I've added it, but the issue still seems to exist).

    5. Our domain functional level is currently 2008 R2 (I still have two 2008 R2 DCs and am currently working on migrating them). How would the DFL affect DNS dynamic updates? (I see one user resolved this issue by raising the functional level.)

    Any ideas on what I could be missing?

    Thursday, January 16, 2020 6:21 PM