If you do not want clients updating their own DNS A and PTR records, you need to tell them not to. Specifically, Windows 8.1+ clients ignore your DHCP server settings and will update their records even if you set the DHCP server to always update A records (which, btw, is not a standard practice).
Standard practice is to allow the client to update its own A record and have the DHCP server update the PTR record. The client owns the hostname, and the DHCP server owns the IP address.
It is not necessary to use the DNSProxyUpdate group. And if you don't do that, then you also don't need `dnscmd /config /OpenAclOnProxyUpdates 0`. The best practice is to simply create an unprivileged domain user account and configure the DHCP servers to use this credential for updating DNS. This makes the DHCP server secure even if it is running on a DC and allows multiple DHCP servers to run in failover mode.
Most of this behavior is explained here: https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-dns-dynamic-updates-windows-server-2003
To change the behavior of the Windows clients so that they do not update A or PTR records use a combination of the group policies found here:
Computer\Administrative Templates\DNS Client
You may be interested in:
RegisterPTRRecords (Windows computers will, by default, try to register PTR records)
Dynamic Update (Windows computers will, by default, try to register A records)
I recommend setting the DHCP server the following way:
Then set the RegisterPTRRecords GPO to Do not register.
If you want your DHCP server to perform all the DNS updates, then change it to:
And set both GPOs:
RegisterPTRRecords = Do not register
Dynamic update = Disabled
If you enable Name Protection, it will disable your ability to change the DNS options on the DHCP server and will set it to only update DNS records if requested by the client. However, the DHCP server is already prevented from overwriting records that are owned by the client, so name protection has limited use. However, if you want DHCP to register all DNS records, then you have to disable name protection, essentially allowing any system to request a record be overwritten. It's kind of a Catch-22, and further reiterates why you should not be setting DHCP to register all records. Again, the client owns the hostname, the DHCP server owns the IP addresses.
Finally, the DHCP server will not register records for clients that request it, unless you have also enabled Option 81 allowing the client to send its FQDN in the DHCP request.
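The two configurations described in this answer (the recommended "client owns the hostname" split, and the "DHCP server updates everything" variant) as a PowerShell script. This is an added example, not code from the answer above or from Microsoft. It assumes the DhcpServer and GroupPolicy modules are present on the management host; the server name, GPO name, scope and service account are placeholders; and the registry value names for the two DNS Client policies (RegistrationEnabled for "Dynamic update", RegisterReverseLookup for "Register PTR records", 0 = Do not register) are taken from the DnsClient.admx template and should be confirmed against your own ADMX copy.

```powershell
#Requires -Modules DhcpServer, GroupPolicy
# Added example; not part of the original answer. Placeholders and the policy
# registry value names are assumptions (see the note above the block).
param(
    [ValidateSet('ClientOwnsHostname', 'ServerUpdatesAll')]
    [string]$Mode = 'ClientOwnsHostname',
    [string]$DhcpServer = 'dhcp01.example.com',          # placeholder
    [string]$GpoName    = 'DNS Client - Dynamic Update', # placeholder GPO (must already exist)
    [string]$ScopeId    = '192.0.2.0',                   # placeholder scope for the lease check
    [string]$SvcAccount = 'EXAMPLE\svc-dhcp-dns'         # placeholder unprivileged domain user
)

# Policy path behind Computer\Administrative Templates\Network\DNS Client (assumed from DnsClient.admx)
$policyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

# 1. Plain unprivileged credential for DNS updates: no DnsUpdateProxy group membership,
#    so the OpenAclOnProxyUpdates tweak is not needed, and failover partners can share it.
$cred = Get-Credential -UserName $SvcAccount -Message 'Password for the DHCP DNS update account'
Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $cred

switch ($Mode) {
    'ClientOwnsHostname' {
        # Server side: update only when the client asks (option 81 FQDN in the request),
        # clean up on lease expiry, leave Name Protection off so the option stays editable.
        Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer `
            -DynamicUpdates OnClientRequest `
            -DeleteDnsRRonLeaseExpiry $true `
            -NameProtection $false
        # Client side: stop clients registering PTR records themselves;
        # A-record registration is left at its default (enabled).
        Set-GPRegistryValue -Name $GpoName -Key $policyKey `
            -ValueName 'RegisterReverseLookup' -Type DWord -Value 0
    }
    'ServerUpdatesAll' {
        # Server side: always register A and PTR; Name Protection must be off for this.
        Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer `
            -DynamicUpdates Always `
            -DeleteDnsRRonLeaseExpiry $true `
            -UpdateDnsRRForOlderClients $true `
            -NameProtection $false
        # Client side: Windows 8.1+ ignores the server preference, so both policies are required.
        Set-GPRegistryValue -Name $GpoName -Key $policyKey `
            -ValueName 'RegisterReverseLookup' -Type DWord -Value 0
        Set-GPRegistryValue -Name $GpoName -Key $policyKey `
            -ValueName 'RegistrationEnabled' -Type DWord -Value 0
    }
}

# 2. Verify the result on the server and in the GPO.
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer |
    Format-List DynamicUpdates, NameProtection, DeleteDnsRRonLeaseExpiry, UpdateDnsRRForOlderClients
Get-DhcpServerDnsCredential -ComputerName $DhcpServer
Get-GPRegistryValue -Name $GpoName -Key $policyKey

# 3. Per-lease view: DnsRR shows which records DHCP will handle for each lease and
#    DnsRegistration whether the update has completed; a client that sent no option 81
#    FQDN shows no registration, which is the symptom the last paragraph describes.
Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $ScopeId |
    Select-Object IPAddress, HostName, DnsRR, DnsRegistration
```

Run it with `-Mode ClientOwnsHostname` (the default) for the recommended split, or `-Mode ServerUpdatesAll` for the variant the answer argues against; in both cases the GPO edits are what actually stop the clients, because the server-side setting alone does not.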