#1 |
Hi All
Server 2003 SP2
AD FFL Server 2003
DC1 and DC2 Running DNS AD-Integrated, Secure updates only
DC2 Running DHCP
Primary Domain Suffix matches on clients and desired forward lookup Zone

I've been having an issue lately with error 31 in my DHCP logs stating that dynamic updates from DHCP to DNS have been failing. I've followed all of the KBs, added both my DHCP server and my dedicated DHCP proxy account to the "DNSUpdateProxy Group", removed my DHCP server from the group for security reasons (and it didn't resolve the issue). The DHCP Update DNS settings are set to "Always Update DNS" in the DHCP MMC.

What finally did resolve the error 31s and allowed the requesting clients' DNS updates to succeed was making my dedicated DNS proxy account a member of domain admins. All outstanding requests succeeded on their next interval and the DHCP icons for the affected clients changed from DNS update-pending state to normal.

I'd rather not grant my proxy account this level of access and am wondering if I should add the DNSUpdateProxy group to the ACL of my DNS servers, as it is not currently listed there nor is it listed in the ACL of any of the A and/or PTR records.

Anyone have any suggestions on how to resolve this issue? Thanks in advance.
#2 |
Update with more information
I thought it might be useful to anyone looking at this post to have the other steps that I have taken over the weekend to attempt to resolve this issue. None have been successful; adding my dedicated dnsupdate proxy account to the domain admins group is still the only working solution so far, which for security reasons is not a viable final solution.

Other steps:

Added DNSUpdateProxy group (of which my dedicated account is a member) to DNSAdmins Global Group
Added DNSUpdateProxy group to the ACL of both DNS Servers with Full control perms
Added DNSUpdateProxyGroup to the ACL of the reverse lookup zones with Full control perms

All of these steps were followed by a combination of stopping and restarting DNS and DHCP services, forced replication of directory partitions with replmon to ensure rights propagation, and waiting and praying.

Anyone have any thoughts on this? Thanks