
DHCP dns dynamic registration

mulbzh 20 Reputation points
2026-03-17T09:34:10.85+00:00

Hello,

I set credentials in the DHCP console for DNS dynamic registration.

But after this, does the account need permissions in the DNS console? I can't find documentation for this...

thanks


Answer accepted by question author

  1. VPHAN 31,510 Reputation points Independent Advisor
    2026-03-17T10:07:40.8566667+00:00

    Hi mulbzh,

    You do not need to manually assign any special permissions to your dedicated account within the DNS management console. As long as the account configured in the DHCP console is a standard domain user, it automatically qualifies as an Authenticated User, which inherently possesses the "Create All Child Objects" permission on your Active Directory-integrated DNS zones. When the DHCP service uses this dedicated credential to register a new A or PTR record, that account becomes the object owner within the DNS Access Control List, securing full control to update or delete that specific record throughout the lifetime of the DHCP lease.

    You must ensure this dedicated account is completely excluded from the DnsUpdateProxy Active Directory security group. Placing the account into that group will strip the security ACLs from any DNS records it creates, leaving your environment vulnerable to name hijacking. Because this new dedicated credential does not own the pre-existing DNS records previously registered by the individual clients or the DHCP server's machine account, the server will log Event ID 31031 access denied errors when attempting to update them. To resolve this, you will need to manually delete the legacy DNS records from the console so the DHCP server can seamlessly recreate them under the new account's ownership as clients renew their network leases.

    Hope this answer brought you some useful information. If it did, please hit “accept answer”. Should you have any questions, feel free to leave a comment.

    VP

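Added example, not part of the original thread or of the answer above: a PowerShell sequence that sets the dedicated credential on the DHCP server and then checks the three things the accepted answer relies on (the account is a plain domain user that is not in DnsUpdateProxy, records it creates carry it as owner, and any 31031 access-denied events are visible). The domain contoso.com, the account svc-dhcpdns, the zone corp.contoso.com, the test host client01, the DomainDnsZones replication scope and the event log name are assumptions chosen for the example; replace them with your own values. It requires the DhcpServer, ActiveDirectory and DnsServer RSAT modules on the DHCP server.

```powershell
# Added example: configure the DHCP DNS registration account and verify its effect.
# All names below are assumed values, not taken from the original thread.
Import-Module DhcpServer
Import-Module ActiveDirectory
Import-Module DnsServer

$domain   = 'contoso.com'            # assumed forest/domain
$svcUser  = 'svc-dhcpdns'            # assumed dedicated account: a standard domain user
$zone     = 'corp.contoso.com'       # assumed AD-integrated zone
$hostName = 'client01'               # assumed DHCP client whose record we inspect

# 1. Set the credential the DHCP service uses for secure dynamic updates
#    (same effect as Advanced -> Credentials in the DHCP console).
$cred = Get-Credential -UserName "$env:USERDOMAIN\$svcUser" -Message 'DHCP DNS update account'
Set-DhcpServerDnsCredential -Credential $cred
Get-DhcpServerDnsCredential          # shows the UserName / DomainName now in use

# 2. Confirm the account is NOT in DnsUpdateProxy. Membership would cause the
#    records it registers to be created without a protective ACL.
$proxyMembers = Get-ADGroupMember -Identity 'DnsUpdateProxy' -Recursive |
                Select-Object -ExpandProperty SamAccountName
if ($proxyMembers -contains $svcUser) {
    Write-Warning "$svcUser is a member of DnsUpdateProxy; remove it before relying on secure updates."
} else {
    "OK: $svcUser is not in DnsUpdateProxy"
}

# 3. After a client renews its lease, read the owner of its dnsNode object in AD.
#    A record the DHCP server registered with the new credential should show the
#    service account as owner; a legacy record will show the client or the DHCP
#    server's machine account, which is the case that produces 31031 errors.
$domainDn = (Get-ADDomain -Identity $domain).DistinguishedName
$nodeDn   = "DC=$hostName,DC=$zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"   # scope assumed
$nodeAcl  = Get-Acl -Path "AD:\$nodeDn"
"Owner of {0}.{1}: {2}" -f $hostName, $zone, $nodeAcl.Owner

# 4. Surface the access-denied events the answer refers to (Event ID 31031).
#    The log name is an assumption; adjust if your server writes them elsewhere.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-DHCP-Server/Operational'; Id = 31031 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Step 3 is the useful check after a deliberate `ipconfig /release` and `ipconfig /renew` on the test client: if the owner printed is still the old principal, the DHCP server was unable to replace the record and the legacy entry has to be deleted (or aged out) before the new credential can own it.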


2 additional answers

  1. VPHAN 31,510 Reputation points Independent Advisor
    2026-03-17T11:04:39.9366667+00:00

    mulbzh

    You do not need to assign Full Control at the zone level, and doing so actually introduces a significant security risk to your infrastructure. By granting Full Control, you are allowing this standard DHCP update account to modify or delete critical infrastructure records within the Active Directory-integrated zone, such as your domain controller SRV records. Standard domain user permissions are entirely sufficient because the account only requires the inherent ability to create child objects. You should remove that Full Control assignment immediately to maintain the principle of least privilege and protect your directory.

    You can certainly rely on the automated DNS scavenging process instead of manually deleting the legacy records, but you must be prepared for temporary name resolution failures. The default scavenging cycle typically requires fourteen days to complete its combined no-refresh and refresh intervals, meaning your DHCP server will continuously log Event ID 31031 access denied errors during that lengthy waiting period. If a client receives a new IP address lease before the scavenging engine purges the old record, the DHCP server will be blocked from updating the existing DNS entry. This leads directly to stale DNS data where client hostnames resolve to incorrect IP addresses until the scavenging threshold is finally met and the unowned records are cleared.

    VP

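Added example, not part of the original thread or of the answer above: a PowerShell audit that finds an explicit Full Control (GenericAll) entry granted to the DHCP update account on the zone object itself, which is the over-privilege the answer says to remove, and then reads the zone's aging settings to show how long a stale, unowned record can survive before scavenging clears it. The zone corp.contoso.com, the account CONTOSO\svc-dhcpdns, the DNS server dc01.contoso.com and the DomainDnsZones replication scope are assumed values; the removal step is gated behind an `$Apply` switch so the script is read-only by default.

```powershell
# Added example: audit zone-level rights for the DHCP update account and
# estimate the scavenging delay. Names are assumed, not from the original thread.
Import-Module ActiveDirectory
Import-Module DnsServer

$zone    = 'corp.contoso.com'        # assumed AD-integrated zone
$account = 'CONTOSO\svc-dhcpdns'     # assumed DHCP DNS update account
$dnsSrv  = 'dc01.contoso.com'        # assumed primary DNS server for the zone
$Apply   = $false                    # set to $true to actually strip the ACEs

$domainDn = (Get-ADDomain).DistinguishedName
$zoneDn   = "DC=$zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"   # scope assumed
$zoneAcl  = Get-Acl -Path "AD:\$zoneDn"

# Only explicit (non-inherited) ACEs on the zone object are of interest here;
# the "Create all child objects" right for Authenticated Users is expected and
# is all the account needs.
$fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$offending = $zoneAcl.Access | Where-Object {
    $_.IdentityReference.Value -eq $account -and
    -not $_.IsInherited -and
    $_.ActiveDirectoryRights.HasFlag($fullControl)
}

if (-not $offending) {
    "OK: no explicit Full Control ACE for $account on $zone"
} else {
    foreach ($ace in $offending) {
        "Found: {0} {1} for {2} (explicit, Full Control)" -f $ace.AccessControlType, $ace.ActiveDirectoryRights, $account
        if ($Apply) { $zoneAcl.RemoveAccessRule($ace) | Out-Null }
    }
    if ($Apply) {
        Set-Acl -Path "AD:\$zoneDn" -AclObject $zoneAcl
        "Removed $($offending.Count) Full Control ACE(s) from $zone"
    } else {
        "Dry run; set `$Apply = `$true to remove them"
    }
}

# Aging: a timestamped record cannot be scavenged until NoRefresh + Refresh has
# elapsed since its last update, and then only on the next scavenging pass.
$aging = Get-DnsServerZoneAging -Name $zone -ComputerName $dnsSrv
$scav  = Get-DnsServerScavenging -ComputerName $dnsSrv
$worst = $aging.NoRefreshInterval + $aging.RefreshInterval + $scav.ScavengingInterval
"Zone aging enabled: {0}; NoRefresh {1}, Refresh {2}, server scavenging period {3}" -f `
    $aging.AgingEnabled, $aging.NoRefreshInterval, $aging.RefreshInterval, $scav.ScavengingInterval
"Worst case before a stale record is cleared: {0:N1} days" -f $worst.TotalDays
```

With the defaults the answer mentions (7-day no-refresh and 7-day refresh intervals plus a 7-day scavenging period) the last line reports 21 days, which is the window during which a client that changes address can keep resolving to the old IP while the DHCP server logs 31031 errors. Note that static records have no timestamp and are never scavenged, so those must be deleted by hand regardless.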

  2. Q&A Assist
    2026-03-17T09:34:23.41+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The dedicated DNS credentials account does not require any special manual permissions configured in the DNS console beyond being a normal domain user in the correct forest (or a trusted forest). When configured on the DHCP server, that account is automatically used to securely register and update DNS records on behalf of DHCP clients in secure AD‑integrated zones.

    Key points:

    • The account should be a standard user account created only for DHCP DNS registrations.
    • It must exist in the forest where the primary DNS server for the zone resides, or in a different forest that has a forest trust with that forest.
    • Multiple DHCP servers can share the same dedicated account.
    • No additional ACL changes on DNS zones or records are required in the DNS console; the secure dynamic update mechanism uses the supplied credentials to own and manage the records.

    If the DHCP service is running on a domain controller, configuring these credentials is specifically recommended so the service does not inherit the domain controller’s full DNS permissions.

    You can set or change the credentials either in the DHCP console (Advanced → Credentials) or via:

    Set-DhcpServerDnsCredential -Credential (Get-Credential)
    

    or with netsh on older systems:

    netsh dhcp server set dnscredentials username domain password
    
