I was getting complaints of duplicate A records for a while, so I started digging in. The DHCP audit log will show DNS Update Failed with a 9005 error. I had previously cleaned up the structure by rebuilding the _MSDCS zone at the top level and confirming all the SRV records exist (supported by DNS Lint and DCdiag verbose DNS tests). Also set the zones to replicate across the forest and use secure updates, and consolidated a bunch of reverse zones into a two-octet one (the new one would be 99.172.in-addr.arpa, as an example). So, reading up on it, I decided to add all my DHCP servers into the DNSUpdateProxy group, create an account to bind credentials on my DHCP servers (some happen to be DCs), and set the DHCP scopes to "always dynamically update...", "Discard A and PTR records when lease deleted", and "Dynamically update DNS A and PTR for DHCP clients that do not request...". Scavenging is set to 7 days refresh/no-refresh on the server and all zones.
The problem is really prevalent on our VPN scope - you know the deal, folks are connecting and disconnecting all the time. We had the scope set to a 2 hour lease. So yesterday I changed the lease to 25 hours and set scavenging to 1 day. Thought this would resolve it. But we are still getting duplicate A records, some even with the same time stamp! It's happening in other scopes/networks as well that have longer leases. I've noticed different security on records that were even time-stamped in the last day since the changes. Some have the client name, some have the DHCP server, and some have the Dynamic Update account I created. Not really sure what to make of it; wondering if I need to set the security on the actual zone to allow the DNSUpdateProxy group full control, or maybe even schedule a script to run against my VPN scope to get rid of the duplicate record that has an older time-stamp, or compare against the DHCP lease and delete the other. Any help would be greatly appreciated!
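The post floats two cleanup strategies for the VPN scope: drop the duplicate with the older time stamp, or compare against the DHCP lease and drop whichever record does not match it. The following PowerShell is an added example of that second approach (it is not the poster's script or anything from the thread); it reports first and only deletes when you pass -Remove, and it honours -WhatIf. The zone name, server names and scope ID are placeholder assumptions, and it needs the DnsServer and DhcpServer RSAT modules.

```powershell
# Added example, not from the original post. Finds host names in a zone that have
# more than one dynamic A record and decides which copy to keep by comparing each
# record's IP with the current DHCP leases in one scope (the VPN scope here).
# Assumptions (placeholders): zone 'corp.example', DNS server 'dns01',
# DHCP server 'dhcp01', scope ID 10.99.0.0. Report-only unless -Remove is given.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ZoneName   = 'corp.example',
    [string]$DnsServer  = 'dns01',
    [string]$DhcpServer = 'dhcp01',
    [string]$ScopeId    = '10.99.0.0',
    [switch]$Remove
)

Import-Module DnsServer
Import-Module DhcpServer

# Current leases in the scope, keyed by IP address string
$leases = @{}
Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $ScopeId |
    ForEach-Object { $leases[$_.IPAddress.IPAddressToString] = $_ }

# Dynamic A records only: static records carry no Timestamp and are left alone
$aRecords = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType A |
    Where-Object { $null -ne $_.Timestamp }

# A host name with more than one A record is a duplicate group. Only groups where
# at least one record's IP is currently leased from this scope are considered, so
# hosts that live entirely on other networks are not touched.
$dupGroups = $aRecords | Group-Object HostName | Where-Object {
    $_.Count -gt 1 -and
    ($_.Group | Where-Object { $leases.ContainsKey($_.RecordData.IPv4Address.IPAddressToString) })
}

$decisions = foreach ($group in $dupGroups) {
    $records = $group.Group | Sort-Object Timestamp -Descending
    $keptOne = $false
    foreach ($rec in $records) {
        $ip    = $rec.RecordData.IPv4Address.IPAddressToString
        $lease = $leases[$ip]
        # DHCP lease host names are often FQDNs; compare on the first label only
        $leaseHost = if ($lease) { ($lease.HostName -split '\.')[0] } else { $null }

        if ($lease -and $leaseHost -ieq $rec.HostName) {
            $action = 'Keep'; $reason = "IP $ip is leased to this host (expires $($lease.LeaseExpiryTime))"
            $keptOne = $true
        }
        elseif (-not $keptOne -and $rec -eq $records[0] -and
                -not ($records | Where-Object { $leases[$_.RecordData.IPv4Address.IPAddressToString] })) {
            # No record in the group matches a lease: fall back to keeping the newest time stamp
            $action = 'Keep'; $reason = 'newest time stamp, no lease to compare against'
            $keptOne = $true
        }
        else {
            $action = 'Remove'; $reason = if ($lease) { "IP $ip is leased to $($lease.HostName), not this host" } else { "IP $ip has no current lease" }
        }

        [pscustomobject]@{
            HostName  = $rec.HostName
            IPAddress = $ip
            Timestamp = $rec.Timestamp
            Action    = $action
            Reason    = $reason
        }

        if ($Remove -and $action -eq 'Remove' -and
            $PSCmdlet.ShouldProcess("$($rec.HostName) -> $ip in $ZoneName", 'Remove A record')) {
            Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
                -RRType A -Name $rec.HostName -RecordData $ip -Force
        }
    }
}

$decisions | Sort-Object HostName, Timestamp -Descending | Format-Table -AutoSize
```

Run it once without -Remove and read the table before scheduling it; the Reason column shows why each record would be kept or dropped, and running with -Remove -WhatIf prints the deletions without performing them. Because the decision is driven by the DHCP lease rather than the time stamp alone, it does not remove a still-valid record that merely happens to be older, which is the case the time-stamp-only approach gets wrong when two clients register within the same refresh window.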