Best Practices for Configuring DHCP and DNS in Active Directory

Asked By TechSavvy22 On

I'm looking for some solid best practices for configuring DHCP and DNS within an Active Directory environment. I see a lot of conflicting guides and I'm wondering how everyone else handles it. We have multiple VLANs and DHCP scopes set up for each VLAN. Most of our clients are running Windows 11, but we also have some Linux machines, printers, and various IoT devices. We're facing issues where some Windows devices get registered in AD DNS under the Dynamic DNS Update credentials associated with the VLAN they last connected to. When they switch to a different VLAN, it seems like their DNS records aren't updated properly because the devices are trying to register using their own credentials, which conflicts with the existing records they don't own. Removing the problematic DNS record and refreshing the lease allows a new record to be created with the machine account as the owner. It seems to be related to how the DHCP scopes are configured. I suspect that the 'always dynamically update DNS records' option is causing conflicts with devices trying to register themselves. I haven't found clear documentation on how the Dynamic DNS Update credentials are used for such clients in an AD setup. Can anyone clarify this for me?

2 Answers

Answered By NetworkingGuru88 On

You're seeing this issue because when the DHCP server creates a reservation, it registers the record under its own account. If Windows tries to update the DNS, it can fail if that account doesn't own the record. This often happens when the option 'always dynamically update DNS records' is enabled. Instead, you should consider using Option 81. This way, the DHCP server leaves the devices that can register themselves alone, while it handles the registration for those that can't, like IoT devices and printers. The recommendations for your settings would include: 'Dynamically update DNS records only if requested by DHCP clients' and 'Discard A and PTR records when lease is deleted.' This setup lets your capable devices manage their own updates more efficiently without conflicts! Check out Jason Murray's guide for more details on Option 81: [link].

Answered By SysAdminMaster On

You might be running into problems because the DHCP is housed on a domain controller, or maybe your DHCP server isn't part of the Dynamic Updates group. Without proper setup, the DHCP server's records are owned by the DC and cannot be modified by other devices. A solid fix would be to run the DHCP service with a dedicated user account instead of the system account. Also, make sure the permissions are properly set on your DNS records! Here's a helpful resource: [link].

TechSavvy22 -

That account is set up as a domain user, but it looks like different scopes might register using either that account or the PC account. I'm not quite sure what dictates that in my AD environment.
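The follow-up question is which setting decides whether a given scope registers records as the DHCP server's credential or lets the client register itself. Scope-level DNS settings override the server default, so an audit has to look at both. The script below is an added example, not code from the thread; it assumes the DhcpServer RSAT module, administrative rights on the DHCP server, and a placeholder host name.

```powershell
# Added example (not from the thread). Audits a DHCP server's dynamic DNS
# update settings at the server level and per scope, flags scopes set to
# 'Always' (the setting the answers above advise against), and shows which
# account the server uses when it registers records for clients.
param(
    [string]$DhcpServer = 'dhcp01.corp.example'   # placeholder host name
)

Import-Module DhcpServer

# Server-wide default: DynamicUpdates is Always, OnClientRequest or Never.
$serverDns = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer
Write-Host "Server default: DynamicUpdates=$($serverDns.DynamicUpdates) DeleteOnExpiry=$($serverDns.DeleteDnsRRonLeaseExpiry)"

# Credential the DHCP server uses for registrations it performs itself.
# With none configured, records are owned by the server's computer account.
$cred = Get-DhcpServerDnsCredential -ComputerName $DhcpServer
if ($cred.UserName) {
    Write-Host "DNS update credential: $($cred.DomainName)\$($cred.UserName)"
} else {
    Write-Warning "No dedicated DNS update credential; DHCP-created records will be owned by the server's computer account."
}

# Per-scope settings override the server default, which is why different
# VLANs can behave differently. Flag scopes that force 'Always'.
$report = foreach ($scope in Get-DhcpServerv4Scope -ComputerName $DhcpServer) {
    $s = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $scope.ScopeId
    [pscustomobject]@{
        ScopeId        = $scope.ScopeId
        Name           = $scope.Name
        DynamicUpdates = $s.DynamicUpdates
        DeleteOnExpiry = $s.DeleteDnsRRonLeaseExpiry
        Flag           = if ($s.DynamicUpdates -eq 'Always') { 'REVIEW: DHCP owns records' } else { '' }
    }
}
$report | Format-Table -AutoSize

# Remediation matching the recommendations above, applied server-wide.
# Left commented out; scope-level overrides must be changed per scope.
# Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -DynamicUpdates OnClientRequest -DeleteDnsRRonLeaseExpiry $true
# Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential (Get-Credential)
```

Any scope whose Flag column is set is one where the DHCP server, not the client, will own the A and PTR records, which is the pattern the original question describes.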
