2008 R2 DHCP does not update 2008 DNS

Hi there,

my 2008 R2 DHCP stopped updating 2008 DNS :-(

The scope is configured like this:

- Name Protection is disabled!
- Network Access Protection is Disabled
- The DHCP server is a member of the "domain\DnsUpdateProxy" group
- The Credentials which are listed in the ipv4-Options at "Advanced" are correct!

What else do I have to check?

Cheers
Miranda

July 11th, 2012 1:27pm

  • Is DHCP Option 015 configured for the zone name?
  • Is DHCP Option 006 configured only for the internal DNS server(s)?
  • Are Updates allowed in the zone properties?
  • Is the client joined to the domain?
  • Does the client have the Primary DNS Suffix configured the same as the zone name?
  • Event log errors on the client or the server?

.

Can you also post an unedited ipconfig /all of the DHCP server and of a sample DHCP Client, please?

Thank you.

July 12th, 2012 4:29am

Is DHCP Option 015 configured for the zone name? -> YES
Is DHCP Option 006 configured only for the internal DNS server(s)? -> there are only AD-integrated DNS servers listed!
Are Updates allowed in the zone properties? -> What do you mean exactly? In the zone properties only secure dynamic updates are allowed... do I have to check further options like security settings...?
Is the client joined to the domain? -> which client? The client for which I don't get a DNS hostname? No... it's a printer... but the DHCP is configured to create and update DNS hostnames for non-Windows clients! It worked well until something happened...
Does the client have the Primary DNS Suffix configured the same as the zone name? -> the printer gets the DNS domain from DHCP. In the printer settings I can see that the device received the DNS domain correctly.
Event log errors on the client or the server? -> the printer does not have an event log, and in the DHCP log I have a lot of entries with "DNS update request failed as the DNS update requests queue limit exceeded"... maybe this is the problem?!

Thanks for your support!

July 12th, 2012 7:06am

maybe the Problem is http://support.microsoft.com/kb/837061 ?!
July 12th, 2012 7:12am

Hi Miranda,

Thanks for posting here.

Did we change any system setting before this issue started?

> - The Credentials which are listed in the ipv4-Options at "Advanced" are correct!

If we specified a credential on the DHCP server for updating, could we confirm that the password is correct and the account has not been disabled?

Please also check the ACL of that DHCP zone to see if this account we assigned has write permission on it .

Thanks.

Tiger Li

July 12th, 2012 7:24am
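The checklist two posts up (options 006/015, zone update setting, DnsUpdateProxy membership) and Tiger Li's two credential checks (account state, write access on the zone) can be scripted so they are run the same way every time. The script below is an added example, not code from the thread. It assumes the DhcpServer, DnsServer and ActiveDirectory PowerShell modules (RSAT or a Windows Server 2012 or later admin host; on the 2008 R2 box itself the same settings are reachable with netsh dhcp, dnscmd and dsacls), a zone that is AD-integrated with the default domain-wide replication, and one DHCP server. The server names, the internal DNS addresses and the zone name are placeholders.

```powershell
# Added example, not from the thread: pre-flight checks for DHCP-driven DNS updates.
# Assumes the DhcpServer, DnsServer and ActiveDirectory modules. All names are placeholders.
#Requires -Modules DhcpServer, DnsServer, ActiveDirectory
$DhcpServer  = 'dhcp01.company.domain'          # assumed DHCP server name
$DnsServer   = 'dc01.company.domain'            # assumed AD-integrated DNS server
$Zone        = 'company.domain'                 # zone named in the thread
$InternalDns = @('10.0.0.10', '10.0.0.11')      # assumed: the only IPs option 006 may list

$findings = @()

function Get-EffectiveOption([ipaddress]$ScopeId, [int]$OptionId) {
    # A scope-level option overrides the server-level one; report whichever applies.
    $v = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId -OptionId $OptionId -ErrorAction SilentlyContinue
    if (-not $v) { $v = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -OptionId $OptionId -ErrorAction SilentlyContinue }
    return $v.Value
}

foreach ($scope in Get-DhcpServerv4Scope -ComputerName $DhcpServer) {
    $id = $scope.ScopeId
    foreach ($ip in (Get-EffectiveOption $id 6)) {
        if ($InternalDns -notcontains $ip) { $findings += "Scope ${id}: option 006 lists non-internal DNS server $ip" }
    }
    $suffix = Get-EffectiveOption $id 15 | Select-Object -First 1
    if ($suffix -ne $Zone) { $findings += "Scope ${id}: option 015 is '$suffix', expected '$Zone'" }

    # DNS update behaviour for the scope: updates on, Name Protection off, and
    # registration for clients that cannot request it themselves (printers).
    $dns = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $id
    if ($dns.DynamicUpdates -eq 'Never')      { $findings += "Scope ${id}: dynamic DNS updates are off" }
    if ($dns.NameProtection)                  { $findings += "Scope ${id}: Name Protection is enabled" }
    if (-not $dns.UpdateDnsRRForOlderClients) { $findings += "Scope ${id}: no updates for clients that cannot request them" }
}

# Zone side: updates must be allowed at all; flag unauthenticated updates as a risk.
$z = Get-DnsServerZone -ComputerName $DnsServer -Name $Zone
if ($z.DynamicUpdate -eq 'None')               { $findings += "Zone ${Zone}: dynamic updates are disabled" }
if ($z.DynamicUpdate -eq 'NonsecureAndSecure') { $findings += "Zone ${Zone}: accepts unauthenticated updates (any host can overwrite records)" }

# DnsUpdateProxy: the DHCP server's computer account, and nothing else.
$dhcpSam = (($DhcpServer -split '\.')[0]) + '$'           # computer accounts end in $
$members = @(Get-ADGroupMember -Identity 'DnsUpdateProxy')
if ($members.SamAccountName -notcontains $dhcpSam) { $findings += "$DhcpServer is not in DnsUpdateProxy" }
foreach ($m in $members) {
    if ($m.SamAccountName -ne $dhcpSam) { $findings += "DnsUpdateProxy has an extra member: $($m.SamAccountName) ($($m.objectClass))" }
}

# Credential: configured, usable, and holding a create/write ACE on the zone object.
$cred = Get-DhcpServerDnsCredential -ComputerName $DhcpServer
if (-not $cred.UserName) {
    $findings += "${DhcpServer}: no DNS update credential configured"
} else {
    $u = Get-ADUser -Identity $cred.UserName -Properties Enabled, LockedOut, PasswordExpired
    if (-not $u.Enabled -or $u.LockedOut -or $u.PasswordExpired) {
        $findings += "Credential account $($cred.UserName) is disabled, locked out or has an expired password"
    }
    # Zone object location assumes domain-wide replication (DomainDnsZones partition).
    $zoneDn = "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$((Get-ADDomain).DistinguishedName)"
    $who    = $u.SID.Translate([System.Security.Principal.NTAccount]).Value
    $allow  = (Get-Acl -Path "AD:\$zoneDn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $who -and
        $_.ActiveDirectoryRights -match 'CreateChild|GenericWrite|GenericAll'
    }
    if (-not $allow) { $findings += "$who has no direct create/write ACE on $zoneDn (rights inherited through groups are not checked here)" }
}

if ($findings) { $findings | ForEach-Object { "FINDING: $_" } }
else { 'No configuration findings; look at the DHCP audit log next (codes 30-35).' }
```

The ACE check only looks at explicit entries for the account itself, which is the usual way the "dnsupdate" style account is granted Read/Write/Create all child objects on the zone; if the right comes through a group it will show up as a finding and needs a manual look.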

I checked and at the moment we do not have the registry key "DynamicDNSQueueLength" set...
What do you think... should I set this key? Microsoft recommends a value of 2048... At the moment we have > 9000 records in the zone...
July 12th, 2012 7:31am

could we confirm that the password is correct and the account has not been disabled?
-> I verified that the user is not disabled and the password is correct. Further, the user "dnsupdate" has the following rights on the zone:

Read
Write
Create all child objects

Is it correct that the user only has rights on the zone "company.domain" and not on the child objects?!

July 12th, 2012 7:53am

I see you have mentioned that NAP is disabled. Does this mean it is not configured or it is installed and currently disabled? Do you have DHCP NAP enforcement method configured?

Is the problem with all clients or just printers?

You can use packet-sniffing software like Wireshark to capture DHCP packets and see what the reason is why DHCP offers aren't validated.

July 12th, 2012 10:21am

I set the registry key "DynamicDNSQueueLength"... with a value of 2048. Now some printers get DNS records after I rebooted them... What do you think about the value of 2048? Is it enough for > 9000 DNS records?!
July 12th, 2012 12:55pm

I checked and at the moment we do not have the registry key "DynamicDNSQueueLength" set...
What do you think... should I set this key? Microsoft recommends a value of 2048... At the moment we have > 9000 records in the zone...

---

I set the registry key "DynamicDNSQueueLength"... with a value of 2048. Now some printers get DNS records after I rebooted them... What do you think about the value of 2048? Is it enough for > 9000 DNS records?!


Hello Miranda,

I didn't realize this was for your printers, since it was not specified in your earlier post. I assumed it was for your workstations, which was why I asked if the DHCP client, meaning the workstations, have any event log errors.

Just to understand, this is not happening with Windows workstations, and it is only happening with non-Windows DHCP enabled devices, such as your printers?

.

The value of 2048 that the article indicates for the registry key was just a suggestion, because it says "For example, type 2048". The value can be from 1 to 65535 for Windows 2008 and Windows 2008 R2.

DHCP server processes expired PTR resource records in Windows Server 2003
http://support.microsoft.com/kb/837061

.

Let's use a value that is a multiple of 1024 (1024 bytes per kilobyte). Therefore, arbitrarily assuming 9000 based on your environment, let's multiply 9 * 1024, which gives us 9216. Therefore, let's enter 9216. Then restart the DHCP service.

Please update your findings after the change is made.

July 12th, 2012 2:06pm
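Before raising the queue length it is worth confirming from the DHCP audit log (C:\Windows\System32\dhcp\DhcpSrvLog-<Day>.log by default) that the queue really is the limiting factor. The log's own header defines the DNS codes: 30 "DNS update request", 31 "DNS update failed", 32 "DNS update successful", 34 the "queue limit exceeded" message Miranda quoted, and 35 "DNS update request failed". Only code 34 points at DynamicDNSQueueLength; a run of 31/35 with no 34 points at the credential or the zone ACL instead. The script below is an added example, not code from the thread: it tallies those codes over a few constructed log lines embedded inline (a real log file is read the same way with Get-Content) and then provides a function that sets DynamicDNSQueueLength from KB 837061 and restarts the service. The server name and path are placeholders.

```powershell
# Added example, not from the thread. Tallies DNS-update codes from the DHCP audit
# log, then raises DynamicDNSQueueLength (KB 837061) on the server. Names are placeholders.
$DhcpServer = 'dhcp01.company.domain'       # assumed name
$DnsCodes = @{
    '30' = 'DNS update request'
    '31' = 'DNS update failed'
    '32' = 'DNS update successful'
    '34' = 'DNS update request failed: queue limit exceeded'
    '35' = 'DNS update request failed'
}

# Constructed sample in the audit-log layout (ID,Date,Time,Description,IP,Host,MAC,...);
# real files carry a prose header and a few more columns, which the parser ignores.
$SampleLog = @'
ID,Date,Time,Description,IP Address,Host Name,MAC Address
24,07/12/12,06:59:00,Database Cleanup Begin,,,
10,07/12/12,07:01:02,Assign,10.0.5.21,printer01.company.domain,0011223344AA
30,07/12/12,07:01:02,DNS Update Request,10.0.5.21,printer01.company.domain,
32,07/12/12,07:01:03,DNS Update Successful,10.0.5.21,printer01.company.domain,
10,07/12/12,07:01:10,Assign,10.0.5.22,printer02.company.domain,0011223344AB
34,07/12/12,07:01:10,DNS update request failed as the DNS update request queue limit exceeded,10.0.5.22,printer02.company.domain,
34,07/12/12,07:01:15,DNS update request failed as the DNS update request queue limit exceeded,10.0.5.23,printer03.company.domain,
'@

function Get-DhcpDnsUpdateTally {
    param([Parameter(Mandatory)][string[]]$Lines)
    $count = @{}
    foreach ($line in $Lines) {
        $f = $line -split ','
        # Skip the prose header, the column header and anything that is not a DNS code.
        if ($f.Count -lt 4 -or $f[0] -notmatch '^\d+$' -or -not $DnsCodes.ContainsKey($f[0])) { continue }
        $count[$f[0]] = 1 + [int]$count[$f[0]]
    }
    foreach ($code in ($DnsCodes.Keys | Sort-Object)) {
        [pscustomobject]@{ Code = $code; Meaning = $DnsCodes[$code]; Hits = [int]$count[$code] }
    }
}

function Set-DhcpDnsQueueLength {
    # Range 1-65535 as stated in the thread for 2008/2008 R2; DHCP must restart to read it.
    param([Parameter(Mandatory)][string]$ComputerName, [ValidateRange(1, 65535)][int]$Length)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Length -ScriptBlock {
        param($Length)
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters'
        New-ItemProperty -Path $key -Name 'DynamicDNSQueueLength' -PropertyType DWord -Value $Length -Force | Out-Null
        Restart-Service -Name DHCPServer
        Get-ItemProperty -Path $key -Name 'DynamicDNSQueueLength'     # echo what is now in effect
    }
}

# 1. Offline run over the constructed lines: expect 30=1, 32=1, 34=2, 31/35=0.
$tally = Get-DhcpDnsUpdateTally -Lines ($SampleLog -split "`r?`n")
$tally | Format-Table -AutoSize

# 2. Same over today's real log (file name carries the weekday, e.g. DhcpSrvLog-Thu.log).
# $today = (Get-Date).ToString('ddd', [cultureinfo]'en-US')
# $tally = Get-DhcpDnsUpdateTally -Lines (Get-Content "\\$DhcpServer\C$\Windows\System32\dhcp\DhcpSrvLog-$today.log")

# 3. Decide: queue-limit hits justify raising the key; 31/35 alone do not.
$queueHits = ($tally | Where-Object { $_.Code -eq '34' }).Hits
if ($queueHits -gt 0) {
    "Queue limit hit $queueHits time(s); raise DynamicDNSQueueLength, e.g.:"
    "  Set-DhcpDnsQueueLength -ComputerName $DhcpServer -Length 9216"
} else {
    'No queue-limit failures; check the update credential and zone ACL before touching the registry.'
}
```

Run the tally over a full day's file rather than a few lines: what matters is the share of 34 (and 31/35) against 30, not the absolute count, because a healthy server logs one 30 per lease followed by a 32.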

I realize this is a very old thread - but I couldn't find any information on solving this for us - and this will save someone some time.

DHCP suddenly stopped registering DNS records on behalf of clients.  It was doing thousands per day and suddenly stopped.  No more failures or successes in the DHCP logs - it just simply stopped trying.  It continued to hand out leases just fine - but just complete radio silence on the DNS front.

Tried restarting the DHCP Service, and rebooting - didn't help.

Set the DynamicDNSQueueLength Registry key - restarted the server - still nothing.

Ran the following Rollup on my 2008 R2 SP1 DHCP server:

http://support.microsoft.com/kb/2775511

There are a few hotfixes you need to install immediately after. Essentially it brings the DHCP DLLs (and a bunch of others) way more up to date.

After installing that and the hotfixes mentioned in the article - everything started working perfectly again.

Matt

May 23rd, 2014 4:47pm

Actually ran into this again - and the fix I posted above had worked for a little bit of time but failed again.  No need to install anything.

The fix is simple, but when I had spoken to MS they couldn't tell me why it wasn't working.

The old DHCP server (2003) was on a DC, with no service account running the DHCP Service.

Our new DHCP server (2008 R2 - which was having problems) had the same config.  Yet it wasn't working.

Once I added credentials to the DHCP service, with an account that had the appropriate rights, the DNS registration suddenly started working. You immediately see "DNS Update Request" start showing up in the logs where it was just a silent failure before.

What I recall from working with MS was when the client made the request, the packet has a bit that says "please register this".  The behavior (and subsequent reply) on the server is different when those credentials are in place.

I understand it's not recommended to have a DC running DHCP - but it will work (as evidenced by our 2003 server.)  I understand there are security issues.  I'm not sure if there are multiple factors here, but adding the account solves the issue for us on 3 different 2008 R2 SP1 servers now.


May 15th, 2015 2:50pm


Hi Matt,

You are replying to an older thread. Here's an updated blog that points out the requirements of credentials and additional information.

This blog covers the following:
DHCP Service Configuration, Dynamic DNS Updates, Scavenging, Static Entries, Timestamps, DnsUpdateProxy Group, DHCP Credentials, prevent duplicate DNS records, DHCP has a "pen" icon, and more...
Published by Ace Fekay, MCT, MVP DS on Aug 20, 2009 at 10:36 AM
http://blogs.msmvps.com/acefekay/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group/

-

In summary (specifics are in the blog above):

1. Configure DHCP Credentials. The credentials only need to be a plain-Jane, non-administrator, user account. But give it a really strong password.
2. Set DHCP to update everything, whether the clients can or cannot.
3. Set the zone for Secure & Unsecure Updates. Do not leave it Unsecure Only.
4. Add the DHCP server(s) computer account to the Active Directory, Built-In DnsUpdateProxy security group. Make sure ALL other non-DHCP servers are NOT in the DnsUpdateProxy group. For example, some folks believe that the DNS servers or other DCs not running DHCP should be in it. They must be removed or it won't work. Make sure that NO user accounts are in that group, either. (I hope that's crystal clear - you would be surprised how many will respond asking if the DHCP credentials should be in the DnsUpdateProxy group - they should not be in this group.)
5. On Windows 2008 R2 or newer, DISABLE Name Protection.
6. If DHCP is co-located on a Windows 2008 R2, Windows 2012, Windows 2012 R2, or NEWER DC, you can and must secure the DnsUpdateProxy group by running the following command:
dnscmd /config /OpenAclOnProxyUpdates 0
7. Configure Scavenging on ONLY one DNS server. What it scavenges will replicate to others anyway.
8. Set the scavenging NOREFRESH and REFRESH values combined to be equal or greater than the DHCP Lease length.

-

I hope you found this additional information helpful.

May 26th, 2015 12:07am
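The eight steps above as a single PowerShell run, so the same configuration lands on every DHCP server and can be diffed later. This is an added example, not code from the thread or from the linked blog. It assumes the DhcpServer, DnsServer and ActiveDirectory modules, one DHCP server, one DNS server that does the scavenging, and an 8-day lease; the server names, the scavenging server's address, the account name and the lease length are placeholders. One deliberate departure from step 3 is noted in the code: with the credential from step 1 in place, the zone can stay on Secure-only updates, which is what Miranda already had and which keeps any unauthenticated host on the network from overwriting another machine's record; NonsecureAndSecure is only needed for devices that must register themselves and cannot authenticate.

```powershell
# Added example, not from the thread: apply the eight steps above with PowerShell.
# Assumes the DhcpServer, DnsServer and ActiveDirectory modules; names and lease are placeholders.
#Requires -Modules DhcpServer, DnsServer, ActiveDirectory
$DhcpServer  = 'dhcp01.company.domain'     # assumed
$DnsServer   = 'dc01.company.domain'       # assumed: the single server that scavenges
$DnsServerIp = [ipaddress]'10.0.0.10'      # assumed: its address, for the zone's ScavengeServers list
$Zone        = 'company.domain'
$LeaseDays   = 8                           # assumed DHCP lease length

# 1. Ordinary user account (no admin rights) with a long random password.
$cred = Get-Credential -UserName 'COMPANY\dnsupdate' -Message 'DHCP dynamic update account'
Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $cred

# 2 and 5. Register A/PTR for every client, including ones that cannot ask (printers);
#          remove records when the lease expires; Name Protection off as step 5 says.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -DynamicUpdates Always `
    -UpdateDnsRRForOlderClients $true -DeleteDnsRROnLeaseExpiry $true -NameProtection $false

# 3. The zone must allow dynamic updates. Step 3 says NonsecureAndSecure; with the
#    credential from step 1 Secure-only works too and blocks unauthenticated overwrites,
#    so that is what is set here. Change to NonsecureAndSecure only if you need it.
Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $Zone -DynamicUpdate Secure

# 4. DnsUpdateProxy holds the DHCP server's computer account and nothing else.
#    Review $members before running this block: it removes every other member.
$group   = Get-ADGroup -Identity 'DnsUpdateProxy'
$dhcpAcc = Get-ADComputer -Identity (($DhcpServer -split '\.')[0])
$members = @(Get-ADGroupMember -Identity $group)
foreach ($m in $members) {
    if ($m.DistinguishedName -ne $dhcpAcc.DistinguishedName) {
        Remove-ADGroupMember -Identity $group -Members $m -Confirm:$false
    }
}
if ($members.DistinguishedName -notcontains $dhcpAcc.DistinguishedName) {
    Add-ADGroupMember -Identity $group -Members $dhcpAcc
}

# 6. On a DC that also runs DHCP: stop records registered by DnsUpdateProxy members
#    from getting the open ACL that any authenticated user could take over.
dnscmd $DnsServer /config /OpenAclOnProxyUpdates 0

# 7 and 8. Aging on the zone, scavenging on exactly one server, NoRefresh + Refresh >= lease.
$half = New-TimeSpan -Days ([math]::Ceiling($LeaseDays / 2))
Set-DnsServerZoneAging -ComputerName $DnsServer -Name $Zone -Aging $true `
    -NoRefreshInterval $half -RefreshInterval $half -ScavengeServers $DnsServerIp
Set-DnsServerScavenging -ComputerName $DnsServer -ScavengingState $true `
    -ScavengingInterval (New-TimeSpan -Days 7) -NoRefreshInterval $half -RefreshInterval $half

# Restart DHCP so the credential is picked up, then print what is now in effect.
Get-Service -ComputerName $DhcpServer -Name DHCPServer | Restart-Service
Get-DhcpServerDnsCredential -ComputerName $DhcpServer
Get-DhcpServerv4DnsSetting  -ComputerName $DhcpServer
Get-DnsServerZone -ComputerName $DnsServer -Name $Zone | Select-Object ZoneName, DynamicUpdate, IsDsIntegrated
```

Step 4 is the one to run with care: the foreach removes whatever else is in DnsUpdateProxy, which is exactly what the summary asks for, but on a domain with several DHCP servers you would first add their accounts to the comparison rather than letting the loop strip them.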
