DHCP Server in DCs and DNS Registrations

One common deployment scenario for the DHCP Server service is to have it installed on domain controllers. In this scenario it is necessary to define the alternate credentials that DHCP uses when doing DNS registrations on behalf of the DHCP clients. I wanted to blog about the effects on the registration of the A and PTR records if the DHCP Server is running on a DC without alternate credentials.

The default DHCP configuration is that clients register their A records and the DHCP Server registers the PTR records. The idea is that the client is the owner of its name, so it is responsible for registering it in the DNS namespace, while the DHCP server is the owner of the IP address, so it should control its registration in DNS.

The default configuration of this option can be seen in the following screenshot:

[Screenshot: default configuration of the DNS registration option]

The configuration can be done at the server, scope and reservation level. The precedence order is: reservation, then scope, then server (configuration at the reservation level takes precedence over what is defined at the scope level, which takes precedence over what is configured at the server level). For Windows Server 2003 this dialog can be opened by right-clicking the server name and choosing Properties. For Windows Server 2008 and Windows Server 2008 R2 the dialog can be opened by right-clicking IPv4 and then selecting Properties. For all versions of the OS, the scope and reservation properties can be opened by right-clicking them, choosing Properties and changing to the DNS tab.

The alternate credentials to be used by the DHCP Server for the DNS registrations are configured under the Advanced tab of the server properties:

 

[Screenshots: Advanced tab of the server properties]

What happens when the DHCP Server service is installed in a DC and no alternate credentials are configured?

A common error is to think that the DHCP Server service running on a DC will use its service account security context to register records in DNS if no alternate credentials are configured, and that there is therefore a security risk. In fact, this is not the behavior of the DHCP Server on a DC.

If the DHCP Server service detects that it is running on a domain controller, and no alternate credentials for DNS registrations have been configured, then it decides not to do any registrations for DHCP clients and logs event DHCP/1056.

NOTE: this does not affect other registrations being done by the computer where the DHCP Server service is running, it only affects the registration of DNS records by the DHCP Server on behalf of the DHCP clients.

What is the side-effect of this?

When the DHCP Server decides that it is not going to do registrations for DHCP clients, it stops setting option 81 in the responses to clients (option 81 is used to negotiate who registers what between the DHCP Server and the DHCP Client). If the client does not get this option in the response from the server then it goes and does its own registrations.
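To check from a packet capture whether a server is still sending option 81, the options field of a DHCP reply can be decoded as below. This is an added example, not code from the original post; the flag layout follows RFC 4702 (S = 0x01, O = 0x02, E = 0x04, N = 0x08), and the sample bytes and host name are constructed.

```python
# Added example: decode DHCP option 81 (Client FQDN, RFC 4702); sample bytes are constructed.
from typing import Optional
PAD, END, CLIENT_FQDN = 0, 255, 81

def find_option(options: bytes, wanted: int) -> Optional[bytes]:
    """Walk the code/length/value list; return the wanted value or None."""
    i = 0
    while i < len(options) and options[i] != END:
        if options[i] == PAD:            # PAD has no length byte
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        code, length = options[i], options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        if code == wanted:
            return value
        i += 2 + length
    return None

def decode_name(data: bytes, wire: bool) -> str:
    """E bit set: DNS wire-format labels; clear: deprecated ASCII form."""
    if not wire:
        return data.decode("ascii", "replace")
    labels, i = [], 0
    while i < len(data) and data[i] != 0:
        n = data[i]
        if i + 1 + n > len(data):
            raise ValueError("truncated label")
        labels.append(data[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return ".".join(labels)

def fqdn_option(options: bytes) -> Optional[dict]:
    """Return the decoded option 81, or None when the server omitted it."""
    raw = find_option(options, CLIENT_FQDN)
    if raw is None:
        return None
    if len(raw) < 3:                     # flags, RCODE1, RCODE2
        raise ValueError("option 81 too short")
    s, o, e, n = (bool(raw[0] & bit) for bit in (0x01, 0x02, 0x04, 0x08))
    return {"server_updates_a": s, "server_override": o,
            "no_server_updates": n, "name": decode_name(raw[3:], e)}

NAME = b"\x03pc1\x07example\x04test\x00"   # constructed: pc1.example.test
ACK_WITH_81 = bytes([53, 1, 5, 81, 3 + len(NAME), 0x04, 0, 0]) + NAME + bytes([END])
ACK_WITHOUT_81 = bytes([53, 1, 5, PAD, END])
```

A `None` result from `fqdn_option` on a server reply corresponds to the case described above, where the client receives no option 81 and performs its own registrations.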

Recommendations

  • If the DHCP Server is configured to run on a DC, make sure that the alternate credentials for DNS registrations are correctly configured.
  • Use a “normal” user account, not an administrative or privileged account, for the alternate credentials. Just make sure to use the Password Never Expires option. There is no need to add this account to any special group. The steps to configure these credentials are documented in https://support.microsoft.com/kb/282001.
  • If there is more than one DHCP Server in the environment, try to use the same account for the alternate credentials on all of them.