Symptom: In Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 you receive the following Warning when running the Microsoft Best Practices Analyzer.
DHCP: Credentials for DNS update should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server.
What does this mean?
If you have the DHCP service installed on your domain controller without a service account configured, by default, DNS registrations from DHCP clients will be prevented from being registered and will log event 1056 in event viewer.
Solution: Complete the following steps below to change the credentials of the service account used for DHCP.
- Before beginning, make sure you have a service account you can use to set the DHCP Server to run as. This account should be a domain account (not a local account) and should not have any fancy privileges (standard user account, not an administrator).
- Open up Server Manager
- Click Tools and select DHCP
- Expand your DHCP server and right click on the IPv4 service and select Properties
- Select the Advanced tab and then click the Credentials... button
- Enter in the User name, domain, password, and confirmation password to the user and click OK
- Click OK on the IPv4 Properties screen
- Repeat this step on each of the DHCP servers in your domain. It is recommended to use the same service account on each of the machines.
Notes: The official KB article from Microsoft on this subject can be found here: http://technet.microsoft.com/en-us/library/ee941181(v=ws.10).aspx
Another very good Technet article written by karammasri on this subject can be found here: http://blogs.technet.com/b/stdqry/archive/2012/04/03/dhcp-server-in-dcs-and-dns-registrations.aspx
I did as described in the article, but the error hadn't gone when running PBA scan after the change. Do I need to restart DHCP service on DHCP server ? Should I set some special permission for this account in DNS server to make it work?
You will need to restart the service so that it runs under the credentials of the new user account. Downtime should be very minimal, especially if you have DHCP clustered in Server 2012.
Please let me know how it goes,
I created a standard domain user and entered it to start the dhcp service. With this the user got rights to logon as service on the DC but it needs some more rights to start the dhcp service.
Do you know whats the best way to give the needed rights?
Thanks for your help.
The permissions needed can be found here: https://technet.microsoft.com/en-us/library/dd334715(v=ws.10).aspx
Hope this helps!