My configuration:
DHCP/DNS/DC installed on the same system - Windows 2008 R2 SP1 in a domain environment.
All zones configured for secure updates only, with aging and scavenging enabled.
DHCP servers are members of the DnsUpdateProxy group.
DHCP is configured with a standard domain user account (this user was made a member of DnsUpdateProxy as well, DOES THAT MATTER?).
DHCP scopes are configured with the default DNS setup (force DNS updates by DHCP).
Now...
All DNS records for endpoint devices on DHCP leases (Windows 7, Mac OS X, Ubuntu) are owned by SYSTEM.
In the security tab for some DNS records I can see the service account with write permission on the record (I believe this is the desired state).
In other records the service account has no permission, but the timestamps are still updated by the computer account (hostname$ has write permission). These records have a pencil icon on the computers in the DHCP lease table.
The problem with this (hostname$ having write permission) is that when a user connects to the network via VPN (obtains a DHCP lease) they get two records registered in DNS -> one record for the IP distributed by the DHCP server and a second record for their home private network.
Has anyone seen this before?
I've tried deleting the DNS records / releasing the IP on the endpoint device (example: Win7). It would not register in DNS via DHCP. However, if I do ipconfig /registerdns it will do it, but the DHCP service account won't have permission on this record.
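The post describes three things worth checking per record: who owns the dnsNode object, whether the DHCP credential account or the hostname$ computer account holds a write ACE, and how many A records (and aging timestamps) a single node carries, which is what the doubled VPN registration shows up as. The following PowerShell script is an added example, not code from the original post, that audits an AD-integrated zone for exactly those properties by reading the dnsNode objects directly out of Active Directory. The zone name, the naming context holding the zone (DomainDnsZones here; AD-integrated zones can also live in ForestDnsZones or the domain partition) and the DHCP credential account name are placeholders to be replaced. The dnsRecord blob is parsed per the MS-DNSP DnsRecord layout (Type at offset 2, aging TimeStamp in hours since 1601 at offset 20, A-record data at offset 24).

```powershell
# Added example (not from the original post): audit an AD-integrated DNS zone's
# dnsNode objects for owner, write ACEs and per-A-record aging timestamps.
# Requires the ActiveDirectory module (RSAT-AD-PowerShell), available on 2008 R2.
Import-Module ActiveDirectory

$Zone        = 'corp.example.com'                              # assumed zone name
$PartitionDN = 'DC=DomainDnsZones,DC=corp,DC=example,DC=com'   # assumed naming context of the zone
$DhcpAccount = 'CORP\svc-dhcp'                                 # assumed DHCP DNS-credential account

$ZoneDN = "DC=$Zone,CN=MicrosoftDNS,$PartitionDN"

function Convert-DnsRecordBlob {
    # Parse one dnsRecord value (MS-DNSP DnsRecord structure) into type, data and aging timestamp.
    param([byte[]]$Blob)
    $type = [BitConverter]::ToUInt16($Blob, 2)      # record type; 1 = A
    $ts   = [BitConverter]::ToUInt32($Blob, 20)     # hours since 1601-01-01 UTC; 0 = static record
    $data = $null
    if ($type -eq 1) { $data = ($Blob[24..27] -join '.') }   # A record data is a 4-byte IPv4 address
    # One hour = 3600 s = 36,000,000,000 FILETIME (100 ns) intervals
    $time = if ($ts -eq 0) { 'static' } else { [datetime]::FromFileTimeUtc([int64]$ts * 36000000000) }
    New-Object PSObject -Property @{ Type = $type; Data = $data; TimeStamp = $time }
}

Get-ADObject -Filter 'objectClass -eq "dnsNode"' -SearchBase $ZoneDN -Properties dnsRecord, dNSTombstoned |
  Where-Object { -not $_.dNSTombstoned -and $_.Name -ne '@' } |
  ForEach-Object {
    $node = $_
    $acl  = Get-Acl -Path "AD:\$($node.DistinguishedName)"

    # Identities holding an Allow ACE that lets them modify the node (GenericAll/GenericWrite/WriteProperty)
    $writers = $acl.Access |
      Where-Object { $_.AccessControlType -eq 'Allow' -and
                     ($_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteProperty') } |
      ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    # Decode every A record stored on this node (a node with >1 is the doubled-registration case)
    $aRecords = @($node.dnsRecord | ForEach-Object { Convert-DnsRecordBlob $_ } | Where-Object { $_.Type -eq 1 })

    New-Object PSObject -Property @{
      Name            = $node.Name
      Owner           = $acl.Owner
      DhcpCanWrite    = [bool]($writers -contains $DhcpAccount)
      ComputerWriters = (@($writers | Where-Object { $_ -like '*$' }) -join ',')   # hostname$ accounts
      ARecordCount    = $aRecords.Count
      ARecords        = (($aRecords | ForEach-Object { "$($_.Data) [$($_.TimeStamp)]" }) -join '; ')
    }
  } |
  Sort-Object ARecordCount -Descending |
  Format-Table Name, Owner, DhcpCanWrite, ComputerWriters, ARecordCount, ARecords -AutoSize
```

Rows with DhcpCanWrite = False and a non-empty ComputerWriters column are the records the post describes as owned by SYSTEM but updatable only by hostname$; rows with ARecordCount greater than 1 show a node carrying more than one address together with each address's aging timestamp, so the DHCP-assigned and home-network entries can be told apart by which one keeps being refreshed.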