
Any windows DHCP/DNS experts here?

DevilWAH (Member, Posts: 2,997)
I am trying to get DHCP to update DNS, but I am getting a lot of failed updates.

31,03/09/16,14:17:01,DNS Update Failed,172.20.253.200,DP1-FW14.domian.com,,,0,6,,,,,,,,

The DHCP server is part of the DnsUpdateProxy group
and has a service account set for DNS updates.

Sometimes it does work and other times not, but I can't find a verbose log telling me why it fails, only the line above, which does not tell me much.
  • If you can't explain it simply, you don't understand it well enough. Albert Einstein
  • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.

Comments

  • StarxOn (Registered User, Posts: 4)
    If it used to work, and now it doesn't, then the first question I have is what changed? Something installed, altered, changed, etc, or is it possible that you thought it worked but just realized that it now doesn't or possibly it never properly worked?
    The DHCP credentials account should be a plain Domain User account and not an admin account. The DHCP server should be in the DnsUpdateProxy group, and not the credential account.
    Is that how you have or had it set? And did you set DHCP DNS tab to update everything whether the client can do it or not?
    Did you disable Name protection?
    ***
    Here's a summary:

    ===
    In summary:
    DHCP DNS Update summary:
    - Configure DHCP Credentials.
    The credentials only need to be a plain-Jane, non-administrator, user account.
    But give it a really strong password.
    - Set DHCP to update everything, whether the clients can or cannot.
    - Set the zone for Secure & Unsecure Updates. Do not leave it Unsecure Only.
    - Add the DHCP server(s) computer account to the Active Directory, Built-In DnsUpdateProxy security group.
    Make sure ALL other non-DHCP servers are NOT in the DnsUpdateProxy group.
    For example, some folks believe that the DNS servers or other DCs not
    running DHCP should be in it.
    They must be removed or it won't work.
    Make sure that NO user accounts are in that group, either.
    (I hope that's crystal clear - you would be surprised how many
    will respond asking if the DHCP credentials should be in this group.)
    - On Windows 2008 R2 or newer, DISABLE Name Protection.
    - If DHCP is co-located on a Windows 2008 R2, Windows 2012, Windows 2012 R2,
    or NEWER DC, you can and must secure the DnsUpdateProxy group by running
    the following command:
    dnscmd /config /OpenAclOnProxyUpdates 0
    - Configure Scavenging on ONLY one DNS server. What it scavenges will replicate to others anyway.
    - Set the scavenging NOREFRESH and REFRESH values combined to be equal or greater than the DHCP Lease length.

    ***
    The DnsUpdateProxy is a default, built-in group already created by Active Directory. You simply:
    • In ADUC, click on the Built-In container.
    • Scroll down to the DnsUpdateProxy group.
    • Right-click the DnsUpdateProxy group, choose Properties.
    • Click ADD - make sure that the search criteria is set to look for computer objects.
    • Either type in the DHCP server's name and click Check Names, or click on Advanced, then click on FIND, and scroll down to the DHCP server name.
    • Once you see the DHCP server's computer object, highlight it.
    • Click Add.
    • Make sure ALL other servers or any other user accounts are NOT in the DnsUpdateProxy group.
    • Click OK.
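The checklist in the reply above can be applied and verified from PowerShell instead of clicking through the DHCP and DNS consoles. The script below is an added example and is not part of the thread or of any Microsoft documentation; it uses the DhcpServer, DnsServer and ActiveDirectory modules (RSAT). The server names, zone name and service account name are assumptions for illustration, and the dnscmd line is the one quoted in the reply. The scavenging step goes a little beyond the reply by computing the NoRefresh and Refresh intervals from the longest lease actually configured on the DHCP server, so the "combined >= lease length" rule holds automatically.

```powershell
# Added example (not from the original thread): applies the DHCP-to-DNS update checklist
# with the DhcpServer, DnsServer and ActiveDirectory modules. Run on a host with RSAT.
# Every name below is an assumption for illustration; replace with your own.
$DhcpServer = 'DHCP01'             # assumed DHCP server name
$DnsServer  = 'DC01'               # assumed DNS server (a DC with the AD-integrated zone)
$ZoneName   = 'domain.com'         # assumed forward lookup zone
$SvcUser    = 'CORP\svc-dhcpdns'   # assumed plain, non-admin domain user for updates

Import-Module DhcpServer, DnsServer, ActiveDirectory

# 1. DHCP credentials: a plain domain user. Prompt rather than hard-code the password.
$cred = Get-Credential -UserName $SvcUser -Message 'Password for the DHCP DNS update account'
Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $cred

# 2. Server-level DNS settings: update everything whether or not the client can,
#    remove records when the lease expires, and disable Name Protection.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer `
    -DynamicUpdates Always `
    -DeleteDnsRRonLeaseExpiry $true `
    -UpdateDnsRRForOlderClients $true `
    -NameProtection $false

# 3. Zone: Secure and Nonsecure updates, not Nonsecure only.
Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $ZoneName -DynamicUpdate NonsecureAndSecure

# 4. DnsUpdateProxy: the DHCP server's computer account and nothing else.
$dhcpComputer = Get-ADComputer -Identity $DhcpServer
Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members $dhcpComputer
$strays = Get-ADGroupMember -Identity 'DnsUpdateProxy' |
    Where-Object { $_.distinguishedName -ne $dhcpComputer.DistinguishedName }
if ($strays) {
    Write-Warning "Unexpected DnsUpdateProxy members (remove them): $($strays.SamAccountName -join ', ')"
}

# 5. DHCP co-located on a 2008 R2 or newer DC: tighten the ACL on proxy-created records
#    with the dnscmd command quoted in the reply, run on the DNS server.
Invoke-Command -ComputerName $DnsServer -ScriptBlock { dnscmd /config /OpenAclOnProxyUpdates 0 }

# 6. Scavenging on ONE DNS server only, with NoRefresh + Refresh >= the longest lease.
$longestLease = Get-DhcpServerv4Scope -ComputerName $DhcpServer |
    Sort-Object -Property LeaseDuration -Descending |
    Select-Object -First 1 -ExpandProperty LeaseDuration
$half = [TimeSpan]::FromTicks([math]::Ceiling($longestLease.Ticks / 2))
Set-DnsServerZoneAging -ComputerName $DnsServer -Name $ZoneName -Aging $true `
    -NoRefreshInterval $half -RefreshInterval $half
Set-DnsServerScavenging -ComputerName $DnsServer -ScavengingState $true `
    -ScavengingInterval (New-TimeSpan -Days 7)

# 7. Read back the settings that decide whether event 31 (DNS Update Failed) keeps appearing.
Get-DhcpServerDnsCredential -ComputerName $DhcpServer
Get-DhcpServerv4DnsSetting  -ComputerName $DhcpServer
Get-DnsServerZoneAging      -ComputerName $DnsServer -Name $ZoneName
```

Run it once per DHCP server; step 6 should only ever be run against the single DNS server chosen to scavenge, since the reply's point is that scavenging results replicate to the others anyway.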