Partager via

DHCP Server in DCs and DNS Registrations

  • Article

One common deployment scenario for the DHCP Server service is to have it installed in domain controllers. When this scenario is used it is necessary to define the alternate credentials to be used by DHCP when doing DNS registrations on behalf of the DHCP clients. I wanted to blog about the effects on the registration of the A and PTR records if the DHCP Server is running in a DCs without alternate credentials.

The default DHCP configuration is that clients register their A records and the DHCP Server registers the PTR records. The idea is that the client is the owner of its name, so it is responsible of registering it the DNS namespace, but the owner of the IP is the DHCP server, then it should control its registration in DNS.

This default configuration of this option can be seen in the following screenshot:

image

The configuration can be done at the server, scope and reservation level. The precedence order is: reservation then scope then server (configuration at the reservation level takes precedence over what is defined at the scope level, which takes precedence over what is configured at the server level). For Windows Server 2003 this dialog can be opened by right-clicking over the server name and choosing properties. For Windows Server 2008 and Windows Server 2008 R2 the dialog can be opened by right-clicking over IPv4 and the selecting properties. For all the versions of the OS, the scope and reservation properties can be opened by right-clicking over them and choosing Properties and changing to the DNS tab.

The alternate credentials to be used by the DHCP Server for the DNS registrations are configured under the Advanced tab of the server properties:

 

image

 

image

What happens when the DHCP Server service is installed in a DC and no alternate credentials are configured?

A common error is to think that the DHCP Server service running in a DC will use its service account security context to register records in DNS if no alternate credentials are configured, and then there is security risk. In fact, this is not the behavior of the DHCP Server in a DC.

If the DHCP Server service detects that it is running in a domain controller, and no alternate credentials for DNS registrations have been configured, then it decides to not do any registrations for DHCP clients and logs event DHCP/1056.

NOTE: this does not affect other registrations being done by the computer where the DHCP Server service is running, it only affects the registration of DNS records by the DHCP Server on behalf of the DHCP clients.

What is the side-effect of this?

When the DHCP Server decides that it is not going to do registrations for DHCP clients, it stops setting option 81 in the responses to clients (option 81 is used to negotiate who registers what between the DHCP Server and the DHCP Client). If the client does not get this option in the response from the server then it goes and does its own registrations.

Recommendations

  • If the DHCP Server is configured to run in a DC, make sure that the alternate credentials for DNS registrations are correctly configured.
  • Use a “normal” user account, not an administrative or privileged account, for the alternate credentials. Just make sure to use the Password Never Expires option. There is not need to add this account to any special group. The steps to configure these credentials are documented in https://support.microsoft.com/kb/282001.
  • If there are more than one DHCP Server in the environment, try to use the same account for the alternate credentials in all of them.

Comments

  • Anonymous
    January 01, 2003
    just awesome post

  • Anonymous
    January 01, 2003
    @Peter: domain account

  • Anonymous
    April 03, 2012
    Cool stuff, Karam. I wonder how you came across this...

  • Anonymous
    February 14, 2013
    Great write up...Had question, does the account have to be a domain account or a local account.

  • Anonymous
    March 21, 2014
    The comment has been removed

  • Anonymous
    January 20, 2015
    the DHCP can set up in DC itself?

  • Anonymous
    March 11, 2015
    informative

  • Anonymous
    March 31, 2015
    The comment has been removed

  • Anonymous
    August 03, 2015
    The comment has been removed

  • Anonymous
    August 14, 2015
    Curious if this works with untrusted domains. DHCP server is DC on new domain, workstations are in old domain. No trust. Old domain going away in 3 months, but need DHCP migration early for various reasons. Can I use creds from untrusted domain for alternate?

  • Anonymous
    September 16, 2015
    Why do you specify to use normal account, when Microsoft's article says this:

    "Membership in the Administrators or DHCP Administrators group is the minimum required to complete this procedure."

  • Anonymous
    September 16, 2015
    Here's the article:

    https://technet.microsoft.com/en-us/library/ee941181(v=ws.10).aspx

  • Anonymous
    September 24, 2015
    Narfya - The person setting the credentials needs admin rights to perform the steps, but the account entered doesn't need to be an admin.

  • Anonymous
    November 22, 2015
    Broken Link Reference for KB 282001:

    Should be (for US-EN):
    https://support.microsoft.com/en-us/kb/282001

  • Anonymous
    September 18, 2016
    The comment has been removed

    • Anonymous
      May 15, 2017
      This works even if the domain controller is in the active directory group DnsUpdateProxy.