Channel: Network Infrastructure Servers forum

DHCP & DNS Dynamic Updates (yes another question)


Hi to all. I was just reviewing a document I put together a while ago as I am currently migrating DHCP services to new servers.

I reviewed this thread: https://social.technet.microsoft.com/Forums/windowsserver/en-US/b17c798c-c4b2-4624-926c-4d2676e68279/dns-record-ownership-and-the-dnsupdateproxy-group?forum=winserverNIS

[quote]

Ace Fekay:

In summary:
Configure DHCP Credentials. The credentials only need to be a plain-Jane, non-administrator, user account. But give it a really strong password.
Set DHCP to update everything, whether the clients can or cannot.
Set the zone for Secure & Unsecure Updates. Do not leave it Unsecure Only.
Add the DHCP server(s) to the Active Directory, Built-In DnsUpdateProxy security group.
Make sure ALL other non-DHCP servers are NOT in the DnsUpdateProxy group.
For example, some believe that the DNS servers or other DCs not running DHCP should be in it. They must be removed or it won't work.
Make sure that NO user accounts are in that group, either. (I hope that's crystal clear - you would be surprised how many will respond asking if the DHCP credentials should be in this group.)
On Windows 2008 R2 or newer, DISABLE Name Protection.
If DHCP is co-located on a Windows 2008 R2 or Windows 2012 DC, you can and must secure the DnsUpdateProxy group by running the following:
dnscmd /config /OpenAclOnProxyUpdates 0
Configure Scavenging on ONLY one DNS server. What it scavenges will replicate to others anyway.
Set the scavenging NOREFRESH and REFRESH values combined to be equal or greater than the DHCP Lease length.

[/quote]

[quote]

biffduncan-gglynn

There's a ton of misinformation about this topic throughout the forums and Microsoft's own documentation, so I'll do what I can to clear it up:

There's no reason to put the DHCP Server's computer account in the DnsUpdateProxy group if you're using a service account to do your dynamic updates, full stop.


There's a Microsoft DNS Service property named "OpenACLOnProxyUpdates" and when that property's value is set to 1 (which is the default), then the DNS Service applies a very permissive ACL to any records created or updated by a member of that group, one that allows any authenticated user to take ownership of and modify the record.  If the OpenACLOnProxyUpdates property is set to 0 on any given DNS server, then the DnsUpdateProxy group membership check isn't performed at all, and the permissive ACL is never applied to records registered through that server.  Note that this is a relatively new configurable property (2008 R2 and newer); prior to its introduction, MS DNS servers just always behaved as if the property was set to 1.


As you may have deduced, when you configure a DHCP server to use a service account to perform dynamic registrations, the server's computer account isn't used to authenticate the registration request to the DNS server, so there's no point whatsoever to adding that computer account to the DnsUpdateProxy group. If you want the dynamic records created by your DHCP service to be created with permissive ("unsecured") ACLs, then you should add the service account to the DnsUpdateProxy group, not the DHCP server's computer account.  However, if you only ever want your DHCP servers updating those dynamic records, then set the options on the "DNS" tab of the "IPv4" or zone object accordingly, and don't put anything in the DnsUpdateProxy group.

Finally, note that if you want your DHCP service account for DNS registration to be able to alter existing DNS records, you would need to make the service account a member of the DnsAdmins, Domain Admins, or Enterprise Admins groups, even if you put the service account in the DnsUpdateProxy group, because membership in this group does not allow a group member to bypass the existing ACL on a record. The group member still initially needs write access to the record before the DNS server will wipe out its ACL. I do not recommend that anyone do this, by the way, but if you wanted this functionality, that's the only way to do it. Which, frankly, is annoying; Microsoft should introduce some other way to permit this, so that domain member PCs and DHCP servers can both modify dynamic client records.

[/quote]

I have done the following:

1) DHCP configured to use a service account to register DNS

2) DHCP DNS options set on each scope

3) DNS AD Integrated set to 'Secure Only'

Previously I have also....

4) Added the DHCP server(s) to the in-built DnsUpdateProxy AD group

5) If DHCP was on a domain controller, run: dnscmd /config /OpenAclOnProxyUpdates 0

I have not implemented step 4 in existing environment.

My environment has a mix. Some servers running DHCP are also DCs, others are member servers (2012 R2).

Question:

Q: With what appears to be contradictory information what is the correct approach?

Kind Regards,

Phil.


PS: DHCP log is reporting DNS Update Failed
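As an added example (not code from the thread or from any of the posters), the following PowerShell audits one DHCP server and one AD-integrated zone against the checklist quoted above, so that the points where the two replies agree (service account configured, DnsUpdateProxy kept clean, OpenAclOnProxyUpdates set to 0, scavenging intervals at least the lease length) can be verified before chasing a "DNS Update Failed" log entry. It assumes the DhcpServer, DnsServer and ActiveDirectory modules; the server, zone and account names are placeholders, and reading OpenAclOnProxyUpdates from the DNS service's Parameters registry key (where dnscmd /config stores it) is an assumption.

```powershell
function Test-DhcpDnsUpdateConfig {
    param(
        [string]$DhcpServer     = 'dhcp01.corp.example',  # placeholder
        [string]$DnsServer      = 'dc01.corp.example',    # placeholder
        [string]$ZoneName       = 'corp.example',         # placeholder
        [string]$ServiceAccount = 'svc-dhcpdns'           # placeholder sAMAccountName
    )
    $findings = @()

    # 1) DHCP should register with a dedicated service account, not its computer account.
    $cred = Get-DhcpServerDnsCredential -ComputerName $DhcpServer
    if (-not $cred.UserName) { $findings += "$DhcpServer has no DNS update credential configured." }

    # 2) Server-level DNS settings: update on behalf of all clients, Name Protection off.
    $dnsOpt = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer
    if ($dnsOpt.DynamicUpdates -ne 'Always') { $findings += "DynamicUpdates is '$($dnsOpt.DynamicUpdates)', expected 'Always'." }
    if ($dnsOpt.NameProtection) { $findings += 'Name Protection is enabled on the IPv4 node.' }

    # 3) The zone must accept dynamic updates at all ('None' guarantees DNS Update Failed).
    $zone = Get-DnsServerZone -ComputerName $DnsServer -Name $ZoneName
    if ($zone.DynamicUpdate -eq 'None') { $findings += "Zone $ZoneName has dynamic updates disabled." }

    # 4) DnsUpdateProxy: only authorised DHCP servers' computer accounts or the service account.
    $dhcpHosts = (Get-DhcpServerInDC).DnsName | ForEach-Object { ($_ -split '\.')[0].ToLower() }
    foreach ($m in Get-ADGroupMember -Identity 'DnsUpdateProxy') {
        $ok = ($m.objectClass -eq 'computer' -and $dhcpHosts -contains $m.name.ToLower()) -or
              ($m.objectClass -eq 'user' -and $m.SamAccountName -eq $ServiceAccount)
        if (-not $ok) { $findings += "Unexpected DnsUpdateProxy member: $($m.SamAccountName) ($($m.objectClass))" }
    }

    # 5) OpenAclOnProxyUpdates must be 0 so proxy-registered records do not get a wide-open ACL.
    # Assumption: the value lives under the DNS service's Parameters key, as written by dnscmd /config.
    $acl = Invoke-Command -ComputerName $DnsServer -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' `
            -Name OpenAclOnProxyUpdates -ErrorAction SilentlyContinue).OpenAclOnProxyUpdates
    }
    if ($null -eq $acl -or $acl -ne 0) { $findings += "OpenAclOnProxyUpdates on $DnsServer is '$acl', expected 0." }

    # 6) Scavenging: NoRefresh + Refresh must be >= the longest DHCP lease in use.
    $aging = Get-DnsServerZoneAging -ComputerName $DnsServer -Name $ZoneName
    $lease = (Get-DhcpServerv4Scope -ComputerName $DhcpServer |
              Sort-Object LeaseDuration -Descending | Select-Object -First 1).LeaseDuration
    $window = $aging.NoRefreshInterval + $aging.RefreshInterval
    if ($lease -and $window -lt $lease) { $findings += "Scavenging window $window is shorter than lease $lease." }

    return $findings   # empty array means every check passed
}

Test-DhcpDnsUpdateConfig | ForEach-Object { Write-Warning $_ }
```

Run it from a host with RSAT installed using an account that can read the DHCP and DNS servers; an empty result means every item on the quoted checklist is in place.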
