DHCP not updating DNS

    Question

  • I have 3 domain controller/DNS servers (2 are 2008r2 and 1 is 2003). Recently the DHCP records are not updating DNS which is causing other issues. We have 2 DHCP servers and they're both authorized in the domain. The settings are "Always dynamically update DNS A and PTR records". Is there a way to force DHCP to update DNS manually? Any ideas what could be causing this?

    Thanks,
    Scott
    Monday, January 18, 2010 9:05 PM

Answers

  • I would also check the event logs (system log) on one of the XP systems to see why it is unable to update DNS.  Maybe the DNS suffix is not the same as the zone you created in DNS?  It would be evident there in the logs.

    In regards to the group, do keep in mind you will have to restart the servers to become members of the group.  When you add a user or a computer to a group, it does not automatically become a member of the group.  If the servers have not been restarted, they do not have the updated access tokens.

    In regards to running the DHCP service using specific credentials, it depends on how they are configured.  Take a look at the link I provided, specifically in the section called: "Securing records when using the DnsUpdateProxy group".


    Visit my blog: anITKB.com, an IT Knowledge Base.
    Wednesday, January 20, 2010 11:35 PM

All replies

  • There are a few things that you should be very familiar with when choosing to use DHCP to update records in DNS on behalf of clients.  Personally, I see that many people have issues with this configuration and it is basically due to a misconfiguration either in DHCP or in DNS.  In addition, many people are unaware that this is not a REQUIREMENT.  If you have Windows 2000 and later clients, there is no need for DHCP to participate in this manner as those clients are able to register with DNS natively.  Therefore, why include additional complexity?  If you have down-level clients such as NT 4.0, then I would understand this configuration.

    In any case, the first thing you want to make sure is that the DHCP server(s) are members of the DNSUpdateProxy group.  Secondly, if they are in this group, you have to make sure that the DNS zone, if set to AD Integrated, is not configured for Secure Only (Dynamic Updates), unless you configure the service account to use an AD username and password.


    There are a few other things that you have to consider.  I would read over this TechNet article which has an excellent summary regarding this topic.
    http://technet.microsoft.com/en-us/library/cc787034(WS.10).aspx


    However, I would consider not using DHCP to update DNS records unless it is necessary.  I can assure you that it works just as well (if not better) by keeping it simple, especially when troubleshooting.
    Visit my blog: anITKB.com, an IT Knowledge Base.
    • Edited by [JorgeM] Wednesday, March 03, 2010 7:57 PM
    • Proposed as answer by MichaelBLITZ Wednesday, July 04, 2012 1:32 AM
    Tuesday, January 19, 2010 3:43 AM
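
    An added example, not part of the thread: a PowerShell report of the three settings the reply above asks you to check (DnsUpdateProxy membership, the zone's dynamic update mode, and the DHCP server's DNS update credential). It assumes a management host with the ActiveDirectory, DhcpServer and DnsServer modules (Windows Server 2012 or later RSAT); the zone and server names are placeholders, and it assumes each DHCP server's computer account name matches the first label of its DNS name.

```powershell
# Added example (not from the thread): report the DHCP-to-DNS update settings
# discussed above for every DHCP server authorized in the domain.
Import-Module ActiveDirectory, DhcpServer, DnsServer

$ZoneName  = 'corp.example.com'        # placeholder: AD-integrated forward zone
$DnsServer = 'dc01.corp.example.com'   # placeholder: DNS server hosting the zone

# Zone update mode: None, NonsecureAndSecure, or Secure ("Secure only").
$zone = Get-DnsServerZone -ComputerName $DnsServer -Name $ZoneName

# Accounts currently in the DnsUpdateProxy group.
$proxyMembers = @(Get-ADGroupMember -Identity 'DnsUpdateProxy' |
    Select-Object -ExpandProperty SamAccountName)

$report = foreach ($srv in Get-DhcpServerInDC) {
    $hostName = $srv.DnsName
    # Assumption: computer account name = first DNS label + '$'.
    $sam = ($hostName -split '\.')[0] + '$'
    try {
        $dns  = Get-DhcpServerv4DnsSetting -ComputerName $hostName -ErrorAction Stop
        $cred = Get-DhcpServerDnsCredential -ComputerName $hostName -ErrorAction Stop
        $hasCred = -not [string]::IsNullOrEmpty($cred.UserName)

        [pscustomobject]@{
            DhcpServer       = $hostName
            InDnsUpdateProxy = $proxyMembers -contains $sam
            DynamicUpdates   = $dns.DynamicUpdates      # Always / OnClientRequest / Never
            ZoneUpdateMode   = $zone.DynamicUpdate
            DnsCredential    = if ($hasCred) { "$($cred.DomainName)\$($cred.UserName)" }
                               else { '(none)' }
            # The combination the reply warns about: a secure-only zone
            # with no AD account configured for DHCP's DNS registrations.
            SecureOnlyWithoutCredential =
                ($zone.DynamicUpdate -eq 'Secure') -and (-not $hasCred)
        }
    }
    catch {
        Write-Warning "Could not query ${hostName}: $($_.Exception.Message)"
    }
}

$report | Format-Table -AutoSize
```

    Group membership read from the directory reflects the change immediately, but as noted elsewhere in this thread the server only picks it up in its access token after a restart, so a `True` in the `InDnsUpdateProxy` column does not by itself confirm the membership is in effect.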
  • Thanks for your response.
    We are only running XP clients. Any idea why they would not be updating themselves in DNS? If the option is selected for DHCP to update DNS, does this override the client from updating DNS?

    The DHCP servers were not members of the DNSUpdateProxy group, so I added them, but this did not seem to correct it. DNS is AD integrated with secure only updates. When you say "unless you configure the service account to use an AD username and password.", do you mean from the properties of the DHCP server > Advanced tab > Credentials? This is currently set to use a domain account. Anything else I can try?

    Thanks,
    Scott
    Wednesday, January 20, 2010 9:16 PM