2008 Dhcp server log errors

Looking for resolution for the following error messages I am getting in dhcp  server logs..I think it is PTR ownership issue... Don't know how to get resolution to it.

31,01/10/10,14:25:05,DNS Update Failed,1xx.xx.xxx.23,  WXPusr.pcdmain1.com,,,0,6,,,
31,,01/10/10,14:25:09,DNS Update Failed,1xx.xx.xxx.24,W7user.pcdomain1.com,,,0,6,,,
31,,01/10/10,14:27:05,DNS Update Failed,1xx.xx.xxx.25,W7user2.pcdomain1.com,,,0,6

I switched dhcp servers from windws 2003 to 2008 . Exported the scopes along with leases to 2008 dhcp servers. deactivated/Disabled 2003 dhcp servers and activated successfullly 2008 dhcp servers
I am using the following...
1)DHCP server is a member server, not a domain controller
2) Service account with domain access ,provided account credentails in DHCP servers for updating dns
3)2008 dhcp servers and service account are members of dnsupdateproxy group
4)The service account was added in the secuirty tab on the DNS server(s) properties
5)Reverse lookup exists for all the subnets

The leases are renewed but  DNS is not getting updated, and generating the above error
Does the error goes away automatically once the PTR ownership issue gets resolved?.
Who is Participating?
Chris DentConnect With a Mentor PowerShell DeveloperCommented:

> 2) Service account with domain access ,provided account credentails in
> DHCP servers for updating dns

Under the credentials tab? Is the the same account as was used with 2003?

> 3)2008 dhcp servers and service account are members of dnsupdateproxy group

This will not help unless the 2003 server was also a member of that group. And besides, if you used credentials as above it does no good anyway.

Either way, I advise you remove the server from that group. Records are written with no security while in that group.

> 4)The service account was added in the secuirty tab on the DNS server(s) properties

Granting it permission over existing records? Have you verified that the right has been assigned to records within the zone?

Vinamilk1001Connect With a Mentor Commented:

As i see your parameters , i have theses opinions :
point 3) There are no need to put 2008 DHCP server on the dnsupdateproxy if the account service is already member of this group
point 4) The service account not need to be on DNS server(s) properties , better is to let the default rights .
these part are sensible
point 5) check the DNS tab of your scope properties that DHCP update DNS record (A and PTR ) on client request.
And finally , test your update process .  Delete one host record on your DNS server , and on the computer client type an Ipconfig /registerdns
check if your record have been correctly created.
If the record is created , check your dns zone properties , notice that the Norefresh intervall have not to be greater than DHCP lease time.
lbeach94Author Commented:
Hi Chris,

We never used credentials on 2003 dhcp servers, as those servers were  DC,DNS & DHCP all were running on it. Now we have separated the dhcp server as a member server , therefore we using the credentials for the 1st time. Does the service account should have domain access ..?. It has domain access, but want to confirm.
To answer your question, I  don't see the rights for the service account on the PTR records, even for the PTR records which were successful updates
But  I noticed alot DNS updates were successful in dhcp logs last nigth around 11:30 PM , usually after lease cleanup, plus we have dns scalvaning enabled also on dns servers. Does this issue correct it self after few cycles ? or there is a another solution to it

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Chris DentPowerShell DeveloperCommented:

It will correct itself if you have Scavenging running. Records that cannot be updated will be Scavenged, then the records will register correctly.

There are other solutions of course, but scavenging is good enough if you can afford to be patient.

lbeach94Author Commented:
Hi Chris,

Thanks for the quick response. Does the service account should have domain admin access , or it should be a member of built-in dnsAdmin group.
Chris DentPowerShell DeveloperCommented:

Neither, just a regular user if you've set it in the Credentials option. If you set it up to run the service itself (Services console) it would be a bit different, but that's a change I would advise undoing.

lbeach94Author Commented:
Chris, thanks for the response , i will re remove this service account from domain admin/dnsadmin groups..and see how it goes... thanks . Will update back
lbeach94Author Commented:
Excellent solution and comments provided
All Courses

From novice to tech pro — start learning today.