DHCP Server in DCs and DNS Registrations

One common deployment scenario for the DHCP Server service is to install it on domain controllers. In that scenario it is necessary to define the alternate credentials that the DHCP Server uses when it performs DNS registrations on behalf of its DHCP clients. This post covers what happens to the registration of A and PTR records when the DHCP Server is running on a DC without alternate credentials configured.

The default DHCP configuration is that clients register their own A records and the DHCP Server registers the PTR records. The idea is that the client is the owner of its name, so it is responsible for registering that name in the DNS namespace, while the DHCP Server is the owner of the IP address, so it should control the registration of the reverse (PTR) record in DNS.

The default setting of this option can be seen in the following screenshot:


The configuration can be done at the server, scope and reservation levels. The precedence order is reservation, then scope, then server: a setting at the reservation level takes precedence over what is defined at the scope level, which in turn takes precedence over what is configured at the server level. On Windows Server 2003 this dialog is opened by right-clicking the server name and choosing Properties. On Windows Server 2008 and Windows Server 2008 R2 the dialog is opened by right-clicking IPv4 and then selecting Properties. On all versions, the scope and reservation properties are opened by right-clicking the scope or reservation, choosing Properties and switching to the DNS tab.
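The same three-level configuration can be driven from PowerShell with the DhcpServer module (Windows Server 2012 and later; the post itself uses the 2003/2008 GUI). The following is an added example, not code from the original post: the server name, scope ID and reservation address are assumptions, and the script sets a different policy at each level so the precedence described above can be read back and confirmed.

```powershell
# Added example (not from the original post): configure DHCP dynamic DNS update
# settings at the server, scope and reservation levels and read them back.
# Requires the DhcpServer module and DHCP Administrators rights on the target.
Import-Module DhcpServer

$dhcpServer = 'dhcp01.corp.example'   # assumed DHCP server name
$scopeId    = '10.20.30.0'            # assumed scope ID
$reservedIp = '10.20.30.50'           # assumed reservation address

# Server level: the default shown in the post. OnClientRequest means the server
# honours option 81, so clients register their own A record and the server
# registers the PTR record. Records are removed when the lease expires.
Set-DhcpServerv4DnsSetting -ComputerName $dhcpServer `
    -DynamicUpdates OnClientRequest `
    -DeleteDnsRROnLeaseExpiry $true `
    -UpdateDnsRRForOlderClients $false

# Scope level overrides the server level: here the server always registers both
# A and PTR, including for older clients that do not send option 81 at all.
Set-DhcpServerv4DnsSetting -ComputerName $dhcpServer -ScopeId $scopeId `
    -DynamicUpdates Always `
    -UpdateDnsRRForOlderClients $true

# Reservation level overrides both scope and server: no dynamic updates for
# this one host (for example a device with a hand-maintained DNS record).
Set-DhcpServerv4DnsSetting -ComputerName $dhcpServer -IPAddress $reservedIp `
    -DynamicUpdates Never

# Read back the effective setting at each level. The three results differ,
# which is exactly the reservation > scope > server precedence from the post.
Get-DhcpServerv4DnsSetting -ComputerName $dhcpServer
Get-DhcpServerv4DnsSetting -ComputerName $dhcpServer -ScopeId $scopeId
Get-DhcpServerv4DnsSetting -ComputerName $dhcpServer -IPAddress $reservedIp
```

Note that `-DynamicUpdates Always` at the scope level does not by itself change who registers the A record for clients that do send option 81; that is still negotiated per request. It only stops the server from deferring to the client's preference when the client asks the server not to register anything.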

The alternate credentials to be used by the DHCP Server for the DNS registrations are configured under the Advanced tab of the server properties:

What happens when the DHCP Server service is installed in a DC and no alternate credentials are configured?

A common error is to think that a DHCP Server running on a DC will, if no alternate credentials are configured, fall back to its service account security context (on a DC, the domain controller's own computer account, which has broad rights over the DNS zones) to register records in DNS, and that this therefore creates a security risk. In fact, this is not the behavior of the DHCP Server on a DC.

If the DHCP Server service detects that it is running on a domain controller and no alternate credentials for DNS registrations have been configured, it does not perform any registrations on behalf of DHCP clients and logs event DHCP/1056 to signal this.

NOTE: this does not affect other registrations performed by the computer on which the DHCP Server service is running (for example the DC's own records); it only affects the registration of DNS records by the DHCP Server on behalf of DHCP clients.

What is the side-effect of this?

When the DHCP Server decides that it is not going to do registrations for DHCP clients, it stops returning option 81 (the Client FQDN option) in its responses to clients. Option 81 is how the DHCP client and DHCP Server negotiate who registers which record. If the client does not receive this option in the response from the server, it assumes the server will register nothing and registers both its A and PTR records itself.


  • If the DHCP Server is configured to run on a DC, make sure that the alternate credentials for DNS registrations are correctly configured.
  • Use a "normal" user account, not an administrative or privileged account, for the alternate credentials. Just make sure to set the Password Never Expires option. There is no need to add this account to any special group. The steps to configure these credentials are documented in http://support.microsoft.com/kb/282001.
  • If there is more than one DHCP Server in the environment, use the same account for the alternate credentials on all of them, so that records registered by one server can be updated by the others.
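The checks and the configuration step recommended above, as an added example that is not part of the original post. It uses the DhcpServer module (Windows Server 2012 and later) and shows the equivalent netsh commands for the 2003/2008 servers the post covers; the server name and the service account name are assumptions. The script first determines whether the DHCP server is a DC, then whether credentials are set, then configures them and finally searches the System log for event 1056.

```powershell
# Added example (not from the original post): detect the "DHCP on a DC without
# alternate credentials" condition, fix it, and verify via event 1056.
Import-Module DhcpServer

$dhcpServer = 'dc01.corp.example'   # assumed DC that also runs the DHCP Server
$svcAccount = 'CORP\svc-dhcp-dns'   # assumed ordinary domain user, Password Never Expires

# 1. Is the DHCP server a domain controller? Win32_ComputerSystem.DomainRole:
#    4 = backup domain controller, 5 = primary domain controller.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $dhcpServer).DomainRole
$isDC = $role -ge 4

# 2. Are DNS registration credentials configured? An empty UserName means none,
#    and on a DC that means client registrations are skipped and DHCP/1056 is logged.
$current = Get-DhcpServerDnsCredential -ComputerName $dhcpServer
if ($isDC -and [string]::IsNullOrEmpty($current.UserName)) {
    Write-Warning "$dhcpServer is a DC with no DNS update credentials; DHCP will not register client records"
}

# 3. Configure the alternate credentials. Get-Credential prompts for the password
#    so it is never stored in the script. Reuse the same account on every DHCP server.
$credential = Get-Credential -UserName $svcAccount -Message 'DHCP DNS registration account'
Set-DhcpServerDnsCredential -ComputerName $dhcpServer -Credential $credential

# Restart the service so the new credentials are picked up.
Get-Service -Name DHCPServer -ComputerName $dhcpServer | Restart-Service

# Equivalent on Windows Server 2003 / 2008 without the DhcpServer module:
#   netsh dhcp server \\dc01 set dnscredentials svc-dhcp-dns CORP <password>
#   netsh dhcp server \\dc01 show dnscredentials

# 4. Look for event 1056 in the System log. Before the change it confirms the
#    condition; after the change and restart no new 1056 events should appear.
Get-WinEvent -ComputerName $dhcpServer -FilterHashtable @{
    LogName   = 'System'
    Id        = 1056
    StartTime = (Get-Date).AddDays(-30)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*DHCP*' } |
    Select-Object TimeCreated, ProviderName, Message
```

The account only needs to be able to create and update records in the zones that DHCP clients register into; granting it administrative group membership would reintroduce the risk the built-in protection is meant to avoid. Because the DHCP Server becomes the owner of the PTR (and, for older clients, A) records it creates, using one account across all DHCP servers lets any of them update or delete records created by another.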


Comments (16)
  1. karammasri says:

    @Peter: domain account

  2. halap says:

    Cool stuff, Karam. I wonder how you came across this…

  3. Peter says:

    Great write-up... Had a question: does the account have to be a domain account or a local account?

  4. vadim says:

    I have 2 sites under my AD and one of the sites using DHCP, while the second site is using static IPs with DNSs. I have 2 Domain Controllers with DNS running on both of them and DHCP running one. How should I configure DHCP on the second to use it only as an emergency and sync with the original DHCP server?

  5. vaddyspyglass says:

    Can the DHCP be set up on the DC itself?

  6. Sunil says:


  7. soprak chhun says:

    Why does DHCP error when I install DHCP with the DNS server?

  8. evenmoreconfused says:

    Thanks for this, but one thing still isn't clear: from the above I understand that I should add a standard user (e.g. DNS-updater) in AD, and enter this user with non-expiring password in the DHCP setup. So do I also need to give DNS-updater rights in the security tab of the DNS setup? And if so, what rights and on which nodes (server, forward, reverse, etc.)?

  9. Charlie Kaiser says:

    Curious if this works with untrusted domains. DHCP server is DC on new domain, workstations are in old domain. No trust. Old domain going away in 3 months, but need DHCP migration early for various reasons. Can I use creds from untrusted domain for alternate?

  10. naryfa says:

    Why do you specify to use normal account, when Microsoft's article says this:

    "Membership in the Administrators or DHCP Administrators group is the minimum required to complete this procedure."

  11. Jen says:

    naryfa – The person setting the credentials needs admin rights to perform the steps, but the account entered doesn't need to be an admin.

  12. Beth says:

    Broken Link Reference for KB 282001:

    Should be (for US-EN):

  13. Daemo says:

    Many thanks for this, but I have concerns about my environment…

    I can see all of our DNS records that have been registered by DHCP (running on our 2012 R2 domain controllers with 2012 R2 forest functional level) being owned by the domain controller computer object. I don’t think any credentials have been configured in DHCP (the field is blank), but it still seems to log entries?

    I don’t see any event 1056, perhaps DHCP doesn’t detect it’s running on a DC, or someone has gone and configured some awful setting that breaks the above protection.

    If I am at risk, what’s the best step to move off of it? If I start running DHCP as a normal account, it will lose all rights to DNS records it has created in the past and they will get scavenged…

    1. SHe says:

      This works even if the domain controller is in the active directory group DnsUpdateProxy.

Comments are closed.
