I work for a small university. We have two domain controllers running on Windows 2008 (not R2). On dc2 we have a DHCP server running serving several VLANs across campus. We've been having issues where the dynamic DNS entries contain an incorrect IP address for several machines. In some cases there are even several entries for a single machine. I've notice two main issues by looking at the DNS server. First, old entries aren't being cleaned up. Second, after re-imaging a workstation the DNS entry for that machine is not being updated. After doing some research I came across the blog entry from Ace Fekay on how to go about setting up dynamic DNS. I immediately determined from reading that scavenging was not setup properly on our server. I think I've corrected that problem, but I'll have to be patient and see what happens over time. This brings me to the issue of machines not adding themselves or updating their records in DNS.
After reading Ace's blog I decided to follow his recommendations for configuring dynamic DNS. I created a normal active directory user to use for configuring the DHCP credentials (it appears our server was set to use domain administrator previously). I added the DHCP computer object (this is also one of our domain controllers) to the DnsUpdateProxy group. On the DHCP server I have checked "Enable DNS dynamic updates according to the settings below" along with the "Always A and PTR records when lease is deleted". I also checked "Dynamically update DNS A and PTR records for DHCP clients that do not request updates...". After doing all of this I rebooted the dc2 server. I then manually deleted all of the existing dynamic entries on the DNS server, so they could properly be recreated. Now, here is the problem after setting all of this up. I'm now seeing student's personal machines, phones, tablets, etc. being populated in our DNS. Before making these changes only domain joined machines existed in DNS. Our DNS is configured to allow only secure updates. Why is it that now non domain trusted devices are being allowed to create DNS entries? I was under the assumption that secure updates meant domain only. Am I not understanding something properly here? Can someone please provide me some insight to what's going on and what I might be able to do to prevent non-domain joined devices from having entries created in DNS?