DHCP DNS dynamic updates

Aaron Street

Where is the best place to look to see why a DHCP server is failing to update DNS records?

The DHCP server is set to update everything.
It is a member of the DNSproxy groups.
The DNS proxy group is in the security settings for the forward and reverse zones.
The DHCP server has an AD account associated with the DHCP update service for the subnet in question.
The DNS server is set to accept secure and non-secure updates.

Sometimes (like one in 100 times) I see a "successful" reported in the DHCP logs on the DHCP server:

32,03/07/16,06:42:23,DNS Update Successful,,Aarons-Desktop.iahtest.ac.uk,,,0,6,,,,,,,,

but most times I see

31,03/08/16,12:11:31,DNS Update Failed,,Aarons-Desktop.iahtest.ac.uk,,,0,6,,,,,,,,
30,03/08/16,12:11:31,DNS Update Request,,Aarons-Desktop.iahtest.ac.uk,,,0,6,,,,,,,,

What I can't find is the logs showing me why this is happening. I want a log that says "update failed due to security/could not find DNS server/etc...."

Any thoughts?

Joshua Underwood, Mobile Developer
You should be seeing your logs in Event Viewer.

However, in the case that you aren't seeing these logs...please turn logging on for DHCP and then view

To enable DHCP server logging

Open the DHCP Microsoft Management Console (MMC) snap-in.
In the console tree, click the DHCP server you want to configure.
On the Action menu, click Properties.
On the General tab, select Enable DHCP audit logging, and then click OK.
Aaron Street, Technical Infrastructure Architecture and Global Network Manager



The audit logging is where I posted the outputs above from (windows/system32/dhcp/....).

Or does it create a log file somewhere else?
Natty Greg, In Theory (IT)
Check your A record; sometimes you have top dhcp. Clear it, then restart DNS and DHCP to rewrite a new one.

Aaron Street, Technical Infrastructure Architecture and Global Network Manager


OK, so I have an empty forward zone and reverse zone, and both services have been reset (separate servers).

No event logs and no meaningful logs in the DHCP log folder.

Try turning on DNS logging in the DNS console. This writes all DNS requests to a file so you can check the DHCP server is making the requests and you can see the responses etc. May point you in the right direction.
Aaron Street, Technical Infrastructure Architecture and Global Network Manager



So this is what I see in the logs of the DHCP and DNS servers


28/03/2016 23:32:10 0D68 PACKET  000000000291F460 UDP Rcv xxx.xxx.224.45  988b   U [0028       NOERROR] SOA    (3)test(2)ac(2)uk(0)
UDP question info at 000000000291F460
  Socket = 332
  Remote addr xxx.xxx.224.45, port 60979
  Time Query=1687101, Queued=0, Expire=0
  Buf length = 0x0fa0 (4000)
  Msg length = 0x003e (62)
    XID       0x988b
    Flags     0x2800
      QR        0 (QUESTION)
      OPCODE    5 (UPDATE)
      AA        0
      TC        0
      RD        0
      RA        0
      Z         0
      CD        0
      AD        0
      RCODE     0 (NOERROR)
    ZCOUNT    1
    UPCOUNT   1
    ARCOUNT   0
    Offset = 0x000c, RR count = 0
    Name      "(3)test(2)ac(2)uk(0)"
      ZTYPE   SOA (6)
      ZCLASS  1
    Offset = 0x001b, RR count = 0
    Name      "(9)FE22B(3)test(2)ac(2)uk(0)"
      TYPE   A  (1)
      CLASS  254
      TTL    0
      DLEN   4
      DATA   xx.xx.253.143

so all seems to say "no Error"

but on the dhcp server

31,03/28/16,00:23:30,DNS Update Failed,xxx.xxx.253.143,DP1-FE22B.iah.ac.uk,,,0,6,,,,,,,,
30,03/28/16,00:23:30,DNS Update Request,xxx.xxx.253.143,DP1-FE22B.iah.ac.uk,,,0,6,,,,,,,,

So what's going on? The record is not created on the DNS server, that is all I know.
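An added example (not part of the original post or of any Microsoft tool) that decodes the header flags and the update record from the DNS log entry quoted above, following RFC 1035 and RFC 2136. The entry is a received request (QR 0), and in a request the RCODE field carries no result; the server's verdict is in the response it sends with the same XID.

```python
import re

# Excerpt of the DNS debug-log entry quoted in the post above.
LOG_ENTRY = """\
    XID       0x988b
    Flags     0x2800
    ZCOUNT    1
    UPCOUNT   1
    Name      "(9)FE22B(3)test(2)ac(2)uk(0)"
      TYPE   A  (1)
      CLASS  254
      TTL    0
      DLEN   4
"""

OPCODES = {0: "QUERY", 4: "NOTIFY", 5: "UPDATE"}


def decode_flags(word):
    """Split the 16-bit DNS header flags word into the fields that matter here."""
    return {
        "is_response": bool((word >> 15) & 1),   # QR bit
        "opcode": OPCODES.get((word >> 11) & 0xF, "OTHER"),
        "rcode": word & 0xF,                     # only meaningful in a response
    }


def update_action(rr_class, rr_type, ttl, rdlen):
    """Classify an update-section RR per RFC 2136 section 2.5."""
    if rr_class == 254 and ttl == 0:             # class NONE
        return "delete this RR from its RRset"
    if rr_class == 255 and ttl == 0 and rdlen == 0:   # class ANY
        return "delete all RRsets at name" if rr_type == "ANY" else "delete RRset"
    if rr_class == 1:                            # class IN, the zone's class
        return "add RR to RRset"
    return "malformed"


def explain(entry):
    """Return (decoded flags, update action) for one debug-log entry."""
    def field(name):
        return re.search(rf"^\s*{name}\s+(\S+)", entry, re.M).group(1)

    flags = decode_flags(int(field("Flags"), 16))
    action = update_action(int(field("CLASS")), field("TYPE"),
                           int(field("TTL")), int(field("DLEN")))
    return flags, action
```

For the quoted entry, `explain(LOG_ENTRY)` reports an UPDATE request whose single update record removes one A record (class 254 is NONE) rather than adding one.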

Would it matter that the FQDN appears to be different?

DHCP log: DP1-FE22B.iah.ac.uk,,,0,6,,,,,,,,

DNS log: "(9)FE22B(3)test(2)ac(2)uk(0)"
(ignore the numbers they are effectively just the full stops.)

Anyway, what's the layout here please?

Are the DHCP, DNS and DC different servers, or all the same box? What IP have you got set as DNS server?
Have you specified credentials in DHCP for DNS update or have you set your DNS to accept 'unsecured' DNS updates?
Aaron Street, Technical Infrastructure Architecture and Global Network Manager



Oops, that was me attempting to remove personal details. All of the FQDNs are iah.ac.uk; I missed it on the DHCP log.

So the set up is

3 x DNS servers (also DCs) running on Windows 2008 server
2 x DHCP servers running on 2012 boxes

DNS servers have got IPs of .11, .12 and .13, and DHCP are .45 and .120 (all in the same subnet).

DNS has all zones (forward and reverse) set to allow secure updates.
DHCP servers have a domain admin account (this was purely for testing using DA) set in the dynamic update credentials.

As above, these updates are sometimes successful, and I will see the same entry sometimes work and sometimes fail.
That's interesting. So it does work sometimes, and not others?
If it works sometimes it suggests your settings are correct. Do you notice it generally fails where there are a large number of updates at once?
Is it generally the same ones that fail or does it appear random?
Aaron Street, Technical Infrastructure Architecture and Global Network Manager


It does seem to fail more when there are lots of updates. I read about extending the queue, but it already seemed to be done.

It seems very random. The same device I might see a number of times in the DHCP logs, sometimes working, sometimes not, but I don't see a pattern.
Aaron Street, Technical Infrastructure Architecture and Global Network Manager


I do see this on the DHCP server also

DHCP: A forward lookup zone should be configured for the DNS domain used to register DNS records for IPv4 clients.


09/03/2016 17:24:17


A forward lookup zone has not been configured for the following domains (Domain Name, Server/Scope): iah.ac.uk   Server ,  

Domain Name System (DNS) registration of A records for client computers will fail resulting in the inability to connect to these client computers using host names.

By using the DNS MMC snap-in, configure a forward lookup zone for these domains or configure the correct domain name on the DHCP server as a scope option or server option.


However, the zone iah.ac.uk is created on the DNS server and has all the same permissions as the rest.
Technical Infrastructure Architecture and Global Network Manager

Sorry, I think I have worked it out. One of the scopes (the one used for user devices) is set to use the external DNS servers. It was set to dynamically update the records, but we don't allow updates from inside the network.

So on one of the busiest subnets for leases and updates, the DHCP was trying and failing to update the DNS records. This congestion was causing other updates to fail.

Now I have stopped the DHCP server trying to update the (rogue) scopes, the other scopes seem to be working correctly. Need to monitor, but think it's sorted now.
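One way to look for the pattern found above, as an added example that is not from the original thread: tally the event 31 (failed) and 32 (successful) lines of the DHCP audit log per client subnet, so a scope whose updates never succeed stands out from scopes that only fail occasionally. The sample lines, host names and addresses are constructed, and treating each /24 as one scope is an assumption.

```python
import csv
import ipaddress
from collections import defaultdict

# Event IDs as they appear in the thread's log lines (30 is the request itself).
FAILED, SUCCESS = "31", "32"

# Constructed sample, same column order as the lines quoted in the thread:
# ID, date, time, description, IP address, host name, ...
SAMPLE_LOG = """\
31,03/28/16,00:23:30,DNS Update Failed,10.20.253.143,DP1-FE22B.example.test,,,0,6,,,,,,,,
30,03/28/16,00:23:30,DNS Update Request,10.20.253.143,DP1-FE22B.example.test,,,0,6,,,,,,,,
31,03/28/16,00:23:41,DNS Update Failed,10.20.253.17,LAPTOP-07.example.test,,,0,6,,,,,,,,
31,03/28/16,00:24:02,DNS Update Failed,10.20.253.88,LAPTOP-12.example.test,,,0,6,,,,,,,,
31,03/28/16,00:24:05,DNS Update Failed,10.20.253.143,DP1-FE22B.example.test,,,0,6,,,,,,,,
32,03/28/16,00:24:10,DNS Update Successful,10.20.224.60,SRV-APP1.example.test,,,0,6,,,,,,,,
32,03/28/16,00:24:12,DNS Update Successful,10.20.224.61,SRV-APP2.example.test,,,0,6,,,,,,,,
31,03/28/16,00:24:12,DNS Update Failed,10.20.224.62,SRV-APP3.example.test,,,0,6,,,,,,,,
32,03/28/16,00:24:30,DNS Update Successful,10.20.224.62,SRV-APP3.example.test,,,0,6,,,,,,,,
"""


def summarize(log_text, prefix_len=24):
    """Count DNS update outcomes per client subnet (assumed one scope each)."""
    stats = defaultdict(lambda: {"ok": 0, "failed": 0})
    for row in csv.reader(log_text.splitlines()):
        if len(row) < 6 or row[0] not in (FAILED, SUCCESS):
            continue  # header text, lease events, or the update request line
        try:
            net = ipaddress.ip_network(f"{row[4]}/{prefix_len}", strict=False)
        except ValueError:
            continue  # empty or masked address field
        stats[str(net)]["ok" if row[0] == SUCCESS else "failed"] += 1
    return dict(stats)


def failing_groups(stats, threshold=0.9, min_events=3):
    """Return (subnet, failures, total) where the failure ratio >= threshold."""
    out = []
    for subnet, c in stats.items():
        total = c["ok"] + c["failed"]
        if total >= min_events and c["failed"] / total >= threshold:
            out.append((subnet, c["failed"], total))
    return sorted(out, key=lambda g: -g[1])
```

On the sample, `failing_groups(summarize(SAMPLE_LOG))` returns only the 10.20.253.0/24 subnet, where every update failed; the other subnet, with one failure among three successes, stays below the threshold.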
Aaron Street, Technical Infrastructure Architecture and Global Network Manager


Thanks for the ideas guys, and for helping determine the final root cause.
