Windows 2012 R2 DHCP Policies

In Windows 2012 R2 DHCP services, is it possible to create a policy that would block an IP from attempting to be registered in DNS if the client DNS suffix does not match our domain name?

In case others are wondering, our scopes are set to hand out the DNS suffix name, but we are running into an issue with non-domain-joined vendor appliances that have a preset DNS suffix. When the devices get an IP from our DHCP server, the server is reaching out to the remote domain (I know this because I have a case open with MS support on this) and causes the DHCP queue to fill up, blocking other clients from having their DNS records updated by the DHCP server.
Mahesh (Architect) Commented:
Yes, that will work as long as you set the DNS-DHCP integration option as suggested in the earlier comment.

You can set up DNS dynamic update as you want, as long as you configure the DNS zone for secure dynamic update and DNS scavenging.
You may skip DNS-DHCP integration, and domain-joined computers will continue to update their Host (A) and PTR records in DNS through dynamic updates; this will resolve your problem quickly.

By default, when you install the DHCP server role, DNS integration is enabled for clients with these settings:
Dynamically register DNS records only if requested by DHCP clients - enabled
Dynamically update DNS records for clients that do not support dynamic updates - disabled
In addition to the above, you must set a standard AD service account as the DHCP credentials (DHCP Console\IPv4\Advanced\Credentials) and should add this account to the DnsUpdateProxy group on the domain controller.
This will also achieve what you are trying to do.
DNS-DHCP integration works well if it's configured correctly; otherwise you may face issues such as clients not being able to update their records in DNS, etc.

One would use DNS-DHCP integration (with the "Always dynamically register DNS records" setting enabled and the "Dynamically update DNS records for clients that do not support dynamic updates" setting enabled) when one wanted non-domain-joined clients and other devices, such as non-Windows devices (Android, etc.), to register their records in DNS regardless of an update request, in addition to standard domain-joined devices.

is it possible to create a policy that would block an IP from attempting to be registered in DNS if the client DNS suffix does not match our domain name?

I'm really unable to understand what you are trying to say.

If the vendor devices have existing DNS suffixes, what does that have to do with your DHCP server? What do you mean by the server reaching out to a remote domain? Clients just need an IP address to communicate with....
Are you saying that because of vendor devices, your scope is running out of IP addresses?
compdigit44Author Commented:
The vendor devices are getting DHCP leases from our server, and all scopes are set to register records for the clients. These devices do not have our DNS suffix, and the DHCP service tries to connect to the remote domain for registration, takes too long, and causes the DHCP queue to get backed up, which was confirmed with MS support.

Also, these vendor devices are locked devices and can only be changed by the vendor. I have never used DHCP policies and was wondering if a policy could be created that would block the DHCP server from trying to register an address if it did not match our domain name.
How about stopping the DHCP server from trying to register in DNS? Domain-joined Windows clients will register in DNS on their own anyway.
compdigit44Author Commented:
I have thought about that...
Usually the MS best practice is to have the DHCP server do the registration in DNS. What are the pros/cons of disabling this and having the clients update themselves?
If you turned off DNS registration by the DHCP servers, then clients that are not Windows 2000 or better domain members wouldn't appear in DNS. Do you need non-Windows DHCP clients in DNS? For example, my IP phones are not in DNS. That's fine by me. If I need to look up the IP address of those devices, I look at my DHCP server.

I have never considered DNS registration by DHCP servers to be a best practice; certainly not a strong best practice.
Thanks for the explanation.

Ideally you could configure the DNS-DHCP advanced integration options like below:
Dynamically register DNS records only if requested by DHCP clients - select this setting. By default only the Authenticated Users group (computers, in your case) can register records in DNS; unauthenticated users (vendor devices) won't be able to force registration of host records.
Secondly, unselect "Dynamically update DNS records for clients that do not support dynamic updates".

These two options above should suffice for your request.

Alternatively, you can create a "" AD-integrated DNS zone (it must be set for secure dynamic update) on the DNS server and force the external vendor devices to register in that specific DNS zone, to avoid searching for remote domain suffixes. For that you need to create a DHCP policy and point the guest devices to the guest domain.
The steps are mentioned in the article below.

The policy can be created for a specific scope or for the entire server (applicable to all scopes on that server).
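The settings described in this answer and in the earlier one (client-requested registration only, no updates on behalf of clients that cannot request them, DHCP update credentials in DnsUpdateProxy, a secure-update-only zone, and the alternative of a DHCP policy that steers the vendor devices into a separate guest zone), as an added PowerShell example that is not from the thread. Server name, scope ID, zone names, the service account and the vendor MAC prefix are placeholders; it assumes the DhcpServer, DnsServer and ActiveDirectory modules are available on a Windows Server 2012 R2 DHCP server.

```powershell
# Added example, not from the thread. All names below are placeholders.
$DhcpServer       = 'dhcp01.corp.example'   # placeholder DHCP server
$ScopeId          = '10.20.0.0'             # placeholder scope
$CorpZone         = 'corp.example'          # placeholder production zone
$GuestZone        = 'guest.corp.example'    # placeholder zone for vendor devices
$DnsUpdateAccount = 'svc_dhcpdns'           # placeholder low-privilege AD account

# 1. Scope-level DNS integration: register only when the client requests it,
#    and never on behalf of clients that cannot request dynamic updates.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $ScopeId `
    -DynamicUpdates OnClientRequest -UpdateDnsRRForOlderClients $false

# 2. Production zone accepts secure dynamic updates only, so a device that
#    cannot authenticate to the domain cannot register a Host (A) record.
Set-DnsServerPrimaryZone -Name $CorpZone -DynamicUpdate Secure

# 3. Dedicated AD account for the DHCP server's own DNS updates, placed in
#    DnsUpdateProxy so records it creates can later be taken over by the
#    clients themselves rather than being owned by the DHCP server.
$cred = Get-Credential -UserName "CORP\$DnsUpdateAccount" `
    -Message 'Password for the DHCP DNS update account (placeholder)'
Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $cred
Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members $DnsUpdateAccount

# 4. Alternative: a guest zone plus a DHCP policy that matches the vendor
#    appliances (here by a constructed MAC OUI prefix; use whatever actually
#    identifies them) and registers them under the guest suffix, so the DHCP
#    server never tries to reach the vendor's own domain.
Add-DnsServerPrimaryZone -Name $GuestZone -ReplicationScope Domain -DynamicUpdate Secure
Add-DhcpServerv4Policy -ComputerName $DhcpServer -ScopeId $ScopeId `
    -Name 'VendorAppliances' -Condition OR -MacAddress EQ,'001122*'
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $ScopeId `
    -PolicyName 'VendorAppliances' -DnsSuffix $GuestZone `
    -DynamicUpdates Always -UpdateDnsRRForOlderClients $true

# Check what is now in force for the scope and for the policy.
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $ScopeId
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $ScopeId -PolicyName 'VendorAppliances'
```

Steps 1 to 3 alone stop the DHCP server from chasing the vendor suffix; step 4 is only needed if those devices must still appear in DNS somewhere.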

compdigit44Author Commented:
Thank you very much for your great feedback. Just to make sure I understand things correctly: right now my scopes are set to "Always update DNS...". When selecting "Update DNS only if client requests", this means that only domain-joined devices would be updated, correct? My zone is set for secure and not secure updates.
Yes, that's right.
A client can update its own Host (A) record in DNS only if it's authenticated; since workgroup/external devices can't authenticate with the domain, ideally they can't do registration.

You need to ensure that the zone is set for secure dynamic update only, so that DNS mandates that a client must be authenticated before it can attempt to update/register a Host (A) record in DNS.

compdigit44Author Commented:
Sounds like this would be the ideal setting to have in place regardless. So a client that is not on the domain but is getting a DHCP lease would not register with the DNS server, even though it is listed in the DHCP lease information.

Also, what are the pros/cons of having the DHCP server handle DNS registration vs. the client? What are the risks of doing either one?