
Win2k3 Secure DNS updates via DHCP

17 years 4 months ago #19005 by cybersorcerer
Hello there! Been a while since I posted, but I've come across an issue that could use the expertise of the crew here.


The lone DHCP server on our network is configured to update A and PTR records when the clients request it. The DNS zones are configured to receive only secure dynamic updates, therefore I added the DHCP server to the dnsupdateproxy group in AD and configured the DHCP credentials to use the local administrator account of that server machine. Additionally (which I hope isn't the problem), each client is configured, under the advanced tab in TCP/IP properties, to register its name with the DNS servers.


About every hour or so, the DHCP server sends out update requests for every client it has a lease on. Shortly afterwards, the log shows an equal number of "Update failed" entries, or error code 31. This also occurs whenever a client releases and/or renews its adapter. Due to this problem, there are stale and duplicate records (even with aging configured) that cause address conflicts on our network.


I've tried everything from removing secure updates altogether (for the sake of testing) to rebuilding the DHCP server, with no luck so far. I've even manually deleted stale and duplicate records in DNS hoping it would take an update. Now, I have noticed that the records are getting updated, but not routinely and not on behalf of DHCP, which is making management more difficult.


My questions to the crew are: what credentials need to be placed in the DHCP server settings? What can I look for in the DNS debug log to narrow down the issue? Am I overlooking anything in particular when it comes to configuration? And how do I eliminate which service is NOT at fault? Or, if this is an easy fix, do tell! Thanks in advance.



-David

P.S. I'm not sure what other information would be useful in troubleshooting this particular scenario and I don't have time to censor sensitive information right now, so just let me know if you would like any configuration settings posted.

"He who breaks something to find out what it is, has left the path of wisdom."

Gandalf the Grey
17 years 4 months ago #19010 by Smurf
Just to make sure everything is working OK, have you tried turning off the secure DNS updates and just allowing all updates? This will make sure everything between DHCP and DNS works OK and will confirm it's an authentication issue between DHCP and DNS.

Also, do you get any specific errors in the Windows event logs on the DNS server and/or the DHCP server?

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
17 years 4 months ago #19015 by cybersorcerer
I turned secure updates off initially and the errors are still occurring. There are no serious alarms going off in the event viewers for either service, but the errors I am concerned about are in the log files for DHCP (C:\WINDOWS\system32\dhcp). Below is the format of the errors I am receiving (with bogus addresses, though):

30,12/20/06,00:48:26,DNS Update Request,33.3.168.192,client.domain.LOC,,

31,12/20/06,01:03:56,DNS Update Failed,192.168.3.33,client.domain.LOC,-1,

This occurs for all clients with leased addresses in sequence every hour or so. The same error occurs for any client that releases and/or renews an address.

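To answer the "what can I look for in the log" question from the first post, here is a small log-analysis script. It is an added example written for this thread, not code from either poster or from Microsoft. It assumes the comma-separated layout visible in the two quoted lines (ID, date, time, description, IP address, host name, result) and that the DHCP audit log uses ID 30 for "DNS Update Request", 31 for "DNS Update Failed" and 32 for "DNS Update Successful". One detail worth noticing in the quoted lines: the ID-30 request shows the octets in reverse order (33.3.168.192) while the ID-31 failure shows them normally (192.168.3.33). The script assumes that is consistent and reverses ID-30 addresses so that requests and results line up. The sample log is constructed, with the same bogus addresses as the thread.

```python
"""Summarise DNS update events from a Windows DHCP server audit log.

Added example for this thread (not the posters' code). Assumed layout per line:
ID,Date,Time,Description,IP Address,Host Name,Result
Assumed event IDs: 30 = DNS Update Request, 31 = DNS Update Failed,
32 = DNS Update Successful.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample modelled on the two lines quoted in the thread.
SAMPLE_LOG = """\
30,12/20/06,00:48:26,DNS Update Request,33.3.168.192,client.domain.LOC,,
30,12/20/06,00:48:27,DNS Update Request,34.3.168.192,other.domain.LOC,,
31,12/20/06,01:03:56,DNS Update Failed,192.168.3.33,client.domain.LOC,-1,
32,12/20/06,01:03:57,DNS Update Successful,192.168.3.34,other.domain.LOC,,
10,12/20/06,01:05:00,Assign,192.168.3.35,third.domain.LOC,00AABBCCDDEE,
30,12/20/06,01:05:01,DNS Update Request,35.3.168.192,third.domain.LOC,,
"""

DNS_REQUEST, DNS_FAILED, DNS_SUCCESS = "30", "31", "32"


def parse_dhcp_log(text):
    """Return one dict per data line; header/blank lines are skipped.

    Assumption (from the quoted lines): ID-30 entries carry the address with
    the octets reversed, so they are flipped back here.
    """
    rows = []
    for fields in csv.reader(StringIO(text)):
        if len(fields) < 6 or not fields[0].isdigit():
            continue
        rec = {
            "id": fields[0],
            "when": datetime.strptime(fields[1] + " " + fields[2], "%m/%d/%y %H:%M:%S"),
            "desc": fields[3],
            "ip": fields[4],
            "host": fields[5].lower(),          # DNS names are case-insensitive
            "result": fields[6] if len(fields) > 6 else "",
        }
        if rec["id"] == DNS_REQUEST:
            rec["ip"] = ".".join(reversed(rec["ip"].split(".")))
        rows.append(rec)
    return rows


def summarize_dns_updates(text):
    """Count requests/failures/successes per host and track unanswered requests."""
    stats = defaultdict(lambda: {"requests": 0, "failed": 0,
                                 "succeeded": 0, "last_failure_code": None})
    pending = {}  # host -> time of the last request with no 31/32 yet
    for rec in parse_dhcp_log(text):
        s = stats[rec["host"]]
        if rec["id"] == DNS_REQUEST:
            s["requests"] += 1
            pending[rec["host"]] = rec["when"]
        elif rec["id"] == DNS_FAILED:
            s["failed"] += 1
            s["last_failure_code"] = rec["result"]   # "-1" in the quoted line
            pending.pop(rec["host"], None)
        elif rec["id"] == DNS_SUCCESS:
            s["succeeded"] += 1
            pending.pop(rec["host"], None)
    return dict(stats), pending


def hosts_never_updated_by_dhcp(text):
    """Hosts whose every DHCP-initiated update failed.

    These are the records to inspect for ownership: if a client registered
    the record itself, the DHCP server (even via DnsUpdateProxy) cannot
    overwrite it under secure-only updates.
    """
    stats, _ = summarize_dns_updates(text)
    return sorted(h for h, s in stats.items()
                  if s["requests"] and s["failed"] and s["succeeded"] == 0)


if __name__ == "__main__":
    stats, pending = summarize_dns_updates(SAMPLE_LOG)
    for host, s in sorted(stats.items()):
        print(f"{host:22} req={s['requests']} fail={s['failed']} "
              f"ok={s['succeeded']} last_code={s['last_failure_code']}")
    print("still pending:", sorted(pending))
    print("never updated by DHCP:", hosts_never_updated_by_dhcp(SAMPLE_LOG))
```

Point it at the log files in the C:\WINDOWS\system32\dhcp directory mentioned above (read the file and pass its contents to `summarize_dns_updates`). The hosts it lists as "never updated by DHCP" are exactly the ones to open in the DNS console and check the record's owner/ACL, which is the question Smurf raises further down.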
17 years 4 months ago #19018 by Smurf
Here's a really good document on this topic which is well worth a read.

The only thing I can think is that someone other than the DHCP server (DNSUpdateProxy) is the owner of the record and therefore the DHCP server isn't able to update the record. On one of the resource records, can you confirm who is the owner of the record?

Take a look at the document above also to see if it sheds any light for ya.

Cheers

17 years 4 months ago #19019 by cybersorcerer
I have scoured TechNet for this issue, and followed it as much as I could with no luck. I do believe it has to do with the owner of the record, so I simulated a scenario that would allow for a new owner. I deleted the (A) host entry for my computer. I removed my lease in the DHCP pool. I then changed my computer name and restarted. This updated the record, but it still gave me errors in the DHCP log, which means that something else (the client, probably) is updating the records and the DHCP server isn't. I want the DHCP server to handle updates, but it's being difficult. TechNet says nothing of a conflict of interest between clients and DHCP servers (such as removal of DNS updates in client properties), but that's what I'm going to take as my next solution avenue.

17 years 4 months ago #19031 by Smurf
Did you check the permissions of the host record within the DNS? Who is the owner?
