Issues with DHCP DNS updates - events 20319 & 20322

Question

I replaced a 2012 DC (with DNS and DHCP) with a 2019 server. I am now noticing errors in the DHCP event logs on the 2019 server. I still have another 2012 server and that one is not getting these errors.

"Forward record registration for IPv4 address [[n.n.n.n]] and FQDN computername.domain failed with error 9005 (DNS operation refused."

and

"PTR record registration for IPv4 address [[n.n.n.n]] and FQDN computername.domain failed with error 9005 (DNS operation refused.

• Both DCs are in the DNSProxyUpdade group.
• In DHCP, I am using a DHCP account for updates to the DNS.
• In DHCP, I enabled Name Protection for all scopes.
• I ran dnscmd /config /OpenAclOnProxyUpdates 0 on both DCs.

If I look at the DNS records, 99% of them have the ComputerName as the owner under the Security tab. This is the way it was before I replaced the 2012 DC. The other 1% shows the DHCP account I setup... which is the way they all should be.

What could be causing this?

Answer 1

Hi,

Welcome to Q&A platform.

Based on provided information, my understanding is we have configured a new DNS & DHCP server in Windows server 2019 and configured Always dynamically update DNS records in DNS tab of IPv4 properties in DHCP server. Both DNSProxyUpdade group and corresponded credentials have been configured on DNS & DHCP server. The issue now is both A record and PTR record cannot be updated by the new DHCP server in dedicate DNS zone. Please correct me if there is any misunderstanding.

Before we go further, I would like to confirm the following information with you:

1.

I still have another 2012 server and that one is not getting these errors.

What's the relationship among 2012 DC, this another 2012 server and the new DNS & DHCP server 2019?

2. Was the issue only happened in a specific scope or happened in all scopes on DHCP server?

Best Regards,
Sunny

----------

If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

Hi Sunny. You are correct in your first paragraph but, because I enabled Name Protection, the setting you show is greyed out. It does that when Name Protection is enabled. For question 1, my other DC is a 2102 server and it is not getting these errors. Only two servers here, one 2019 Server and one 2012 Server. For question 2, these errors happen on all scopes.

Thank you.

Answer 3

Hi. Yes, I have DHCP failover configured between the two DHCP servers. It's configured as a 50/50 load balance failover.

I see now that the PTR record is being updated by the dhcp account... and the account is showing up in the ACL of the record... but only if I delete the existing PTR record that has the machine account in it. This doesn't work for the Forward record though.

EDIT: the PTR record is not consistently updating. Sometimes it is updated (and owned) by the dhcp account, other times by the machine account. Perhaps it depends on what DC is handling it (2012 or the new 2019).

Answer 4

Still having problems with this. Anyone else know what's causing this?

Answer 5

Do any have luck resolving this? We are having this also :(