Actually ran into this again - and the fix I posted above had worked for a little bit of time but failed again. No need to install anything.
The fix is simple, but when I had spoken to MS they couldn't tell me why it wasn't working.
The old DHCP server (2003) was on a DC, with no service account running the DHCP Service.
Our new DHCP server (2008 R2 - which was having problems) had the same config. Yet it wasn't working.
Once I added credentials to the DHCP service, with an account that had appropriate rights, the DNS registration suddenly started working. You immediately see "DNS Update Request" start showing up in the logs where it was just a silent failure before.
What I recall from working with MS was when the client made the request, the packet has a bit that says "please register this". The behavior (and subsequent reply) on the server is different when those credentials are in place.
I understand it's not recommended to have a DC running DHCP - but it will work (as evidenced by our 2003 server.) I understand there are security issues. I'm not sure if there are multiple factors here, but adding the account solves the issue for us on 3 different 2008 R2 SP1 servers now.
Hi Matt,
You are replying to an older thread. Here's an updated blog that points out the requirements of credentials and additional information.
This blog covers the following:
DHCP Service Configuration, Dynamic DNS Updates, Scavenging, Static Entries, Timestamps, DnsUpdateProxy Group, DHCP Credentials, prevent duplicate DNS records, DHCP has a "pen" icon, and more...
Published by Ace Fekay, MCT, MVP DS on Aug 20, 2009 at 10:36 AM
http://blogs.msmvps.com/acefekay/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group/
-
In summary (specifics are in the blog above):
1. Configure DHCP Credentials. The credentials only need to be a plain-Jane, non-administrator, user account. But give it a really strong password.
2. Set DHCP to update everything, whether the clients can or cannot.
3. Set the zone for Secure & Unsecure Updates. Do not leave it Unsecure Only.
4. Add the DHCP server(s) computer account to the Active Directory, Built-In DnsUpdateProxy security group. Make sure ALL other non-DHCP servers are NOT in the DnsUpdateProxy group. For example, some folks believe that the DNS servers or other DCs not running DHCP should be in it. They must be removed or it won't work. Make sure that NO user accounts are in that group, either. (I hope that's crystal clear - you would be surprised how many will respond asking if the DHCP credentials should be in the DnsUpdateProxy group - they should not be in this group.)
5. On Windows 2008 R2 or newer, DISABLE Name Protection.
6. If DHCP is co-located on a Windows 2008 R2, Windows 2012, Windows 2012 R2, or NEWER DC, you can and must secure the DnsUpdateProxy group by running the following command:
dnscmd /config /OpenAclOnProxyUpdates 0
7. Configure Scavenging on ONLY one DNS server. What it scavenges will replicate to others anyway.
8. Set the scavenging NOREFRESH and REFRESH values combined to be equal or greater than the DHCP Lease length.
-
I hope you found this additional information helpful.
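One way to apply and audit steps 1 to 8 above with the DhcpServer, DnsServer and ActiveDirectory PowerShell modules (Windows Server 2012 R2 or newer). This is an added example, not code from the thread or the linked blog; the host names in $DhcpServers, the zone name and the pre-created plain user account for the credential are placeholders you substitute.

```powershell
# Added example: apply and audit the eight steps from the post above.
# Assumptions: run on the one DNS/DHCP server that will do scavenging, with RSAT installed;
# $DhcpServers lists every authorized DHCP host; the credential account already exists and is a
# plain, non-administrator user with a strong password.
Import-Module DhcpServer, DnsServer, ActiveDirectory

$DhcpServers = @('dhcp01', 'dhcp02')      # placeholder DHCP server names
$ZoneName    = 'corp.example.com'          # placeholder AD-integrated zone
$DnsCred     = Get-Credential -Message 'Plain (non-admin) DHCP DNS update account'

foreach ($srv in $DhcpServers) {
    # Step 1: credentials the DHCP service uses when it registers and owns records in DNS
    Set-DhcpServerDnsCredential -ComputerName $srv -Credential $DnsCred
    # Step 2: register for every client; Step 5: Name Protection off; remove records on lease expiry
    Set-DhcpServerv4DnsSetting -ComputerName $srv -DynamicUpdates Always `
        -NameProtection $false -DeleteDnsRROnLeaseExpiry $true
    # Step 4: only DHCP server computer accounts belong in DnsUpdateProxy
    Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members (Get-ADComputer -Identity $srv)
}

# Step 4 (audit): any user account, or any computer that is not a DHCP server, breaks updates
$strays = Get-ADGroupMember -Identity 'DnsUpdateProxy' | Where-Object {
    $_.objectClass -ne 'computer' -or ($_.Name -notin $DhcpServers)
}
if ($strays) { Write-Warning "Remove from DnsUpdateProxy: $($strays.Name -join ', ')" }

# Step 3: the zone must allow secure AND nonsecure updates, not nonsecure only
Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate NonsecureAndSecure

# Step 6: when DHCP runs on a DC, stop DnsUpdateProxy-created records from getting an open ACL
dnscmd /config /OpenAclOnProxyUpdates 0

# Steps 7 and 8: scavenging on this server only; NoRefresh + Refresh must be >= the longest lease
$longestLease = $DhcpServers | ForEach-Object { Get-DhcpServerv4Scope -ComputerName $_ } |
    Sort-Object -Property LeaseDuration -Descending |
    Select-Object -First 1 -ExpandProperty LeaseDuration
$scav = Get-DnsServerScavenging
if (($scav.NoRefreshInterval + $scav.RefreshInterval) -lt $longestLease) {
    Write-Warning "NoRefresh + Refresh is shorter than the longest DHCP lease ($longestLease); raising both"
    # Setting each interval to the lease length makes the sum twice the lease, which satisfies step 8
    Set-DnsServerScavenging -ScavengingState $true -NoRefreshInterval $longestLease `
        -RefreshInterval $longestLease -ApplyOnAllZones
}
```

Run it with an account that can edit group membership and zone settings; the warnings are the two checks (stray DnsUpdateProxy members, scavenging window shorter than the lease) that most often explain missing or stale records.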