Windows – Inconsistent dynamic DNS update behavior

Tags: dhcp, domain-name-system, dynamic-dns, windows

After having upgraded a Windows Server 2003 Active Directory Domain to Server 2008, and upgraded client PCs from Windows XP to Windows 7, I'm seeing inconsistent dynamic DNS update behaviour.

Two domain controllers also have a DHCP and DNS role. Each DHCP server has the 'DNS dynamic updates registration credentials' setting populated with a user account which is a member of the 'DnsUpdateProxy' group, and (although I've seen arguments for and against) I've added the servers themselves to the 'DnsUpdateProxy' group.

The DHCP servers are configured with the following settings ticked:

'Enable DNS dynamic updates according to the settings below'
'Always dynamically update DNS A and PTR records'
'Discard A and PTR records when a lease is deleted'

Some PCs seem to work fine. They request a DHCP address, and the DHCP server hands them one and updates DNS. If I check the security of the 'A' record created through the dynamic update, the record is owned by the account created for DNS dynamic update registration and populated in the DHCP server.

Some PCs, on the other hand, appear to register their own 'A' records directly with the DNS server. This results in an 'A' record owned by either 'system' or the PC's AD computer account. When this happens, the 'A' record becomes unwritable by the DHCP server due to its security settings.

The only way I can think of around this is to give full control of the zone to the account used by the DHCP server to dynamically update the DHCP server. This would then allow it to delete/modify any 'A' record, even those it has not created.

A better way would be to figure out why PCs sometimes register 'A' records instead of the DHCP server.

I'd really appreciate some advice if anyone has come across this before.

Best Answer

I believe what you are wanting to do is simply tell all your DHCP clients to not register their own DNS records in AD. The dynamic update GPO controls this behaviour on a per-computer basis; when it is disabled, the per-connection "register this connection's address in DNS" option has no effect and dynamic registration does not occur, leaving the DHCP server to take care of it without interference. You should set this GPO only on computers which should be DHCP clients.

If you find it useful, here is a reference for GPOs which apply to the Windows DNS client.

You will find this specific GPO at computer scope, under administrative templates and network, in DNS settings. Set the dynamic update policy to disabled, wait for the GPO to be applied, and the behaviour should stop.
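An added example (not from the question or the answer above) that does the two checks a practitioner would want here: on a DC with the DNS role, list the dynamic A records whose owner is not the DHCP update account (the self-registered ones the question describes), and on a client, confirm the "Dynamic update" policy has actually landed. It assumes the DnsServer and ActiveDirectory modules, an AD-integrated zone stored in the DomainDnsZones partition, and placeholder values for the zone name and the DHCP update account.

```powershell
# Added example, not part of the original post. Placeholder values:
$ZoneName          = 'corp.example'              # assumed zone name
$DhcpUpdateAccount = 'CORP\svc-dhcp-dnsupdate'   # assumed DHCP 'dynamic update credentials' account

# --- Part 1 (run on a DC holding the DNS role): find A records the DHCP server cannot rewrite ---
# Each dynamic record is a dnsNode object in AD; its owner is whoever registered it,
# which is what the record's security tab shows. Assumes DomainDnsZones replication scope.
$DomainDN = (Get-ADDomain).DistinguishedName
$ZoneDN   = "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN"

function Get-SelfRegisteredARecords {
    Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
      # Static records have no Timestamp; only dynamic ones matter here.
      Where-Object { $_.HostName -ne '@' -and $_.Timestamp } |
      ForEach-Object {
          $nodeDN = "DC=$($_.HostName),$ZoneDN"
          $owner  = (Get-Acl -Path "AD:\$nodeDN").Owner
          [pscustomobject]@{
              Host           = $_.HostName
              IPv4           = $_.RecordData.IPv4Address
              Owner          = $owner
              SelfRegistered = ($owner -ne $DhcpUpdateAccount)
          }
      } | Where-Object SelfRegistered
}

Get-SelfRegisteredARecords | Format-Table -AutoSize

# --- Part 2 (run on a client): verify the "Dynamic update" GPO applied ---
# The policy writes RegistrationEnabled under the DNSClient policy key; 0 means Disabled.
function Test-DynamicUpdateDisabled {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $val = (Get-ItemProperty -Path $key -Name RegistrationEnabled -ErrorAction SilentlyContinue).RegistrationEnabled
    if ($val -eq 0) {
        'Client-side dynamic DNS registration is disabled by policy.'
    } else {
        "Policy not applied yet (RegistrationEnabled = '$val'); run gpupdate /force and re-check."
    }
}

Test-DynamicUpdateDisabled
```

Records that were already self-registered keep their existing owner after the GPO applies, so they need to be removed once (or aged out by scavenging) before the DHCP account can recreate them under its own ownership.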