We have a Windows Server 2003 SP2 machine that is a domain controller, DNS server, and DHCP server. (We realize that having all three roles running on the same computer is not the optimal configuration but there are no other machines available.)

There is another DNS server on the network, but this particular server is listed as the primary for client workstations. All zones are Active Directory Integrated and are configured for secure dynamic updates.

The server is the only authorized DHCP server on the network. It is enabled for Dynamic DNS updates.

We've been experiencing some strangeness. Sometimes, client workstations will lose access to the Internet. The resolution appears to be manually changing the IP address to a different one. Moreover, bad address entries are starting to appear in DHCP. We've been manually deleting them, but they keep on appearing.

This led us to believe the problem is caused by the DHCP server. I took a look at the audit logs for DHCP. The log showed a whole bunch of Event ID error code 31: DNS Update Failed.

31,07/01/09,11:47:26,DNS Update Failed,,TEST.private.local,-1,

After researching the issue, we found that if DHCP is installed on a domain controller that is also a DNS server, we should create a specific user account for dynamic DNS registration credentials. We did that but the errors are not stopping.

Any suggestions? Any help would be appreciated.

4 Answers


SUGGESTION: You need to make sure that the reverse DNS is properly set up for the zone. I believe DNS auto-update populates both the forward (name to IP) and the reverse (IP to name) zones. If the reverse zone is not set up properly, the update could fail and give these errors. Bad reverse DNS can also trigger other strange behavior.

ALSO: It is not a problem to have DC, DNS and DHCP on the same server, unless the network is huge. However, you absolutely need to set up a second DC. Without a working DC, your network becomes a bunch of paperweights.


I had this similar issue and performed the below checks before coming up with a fix.

  1. Verify if the server or the service account that is used to dynamically update DNS from DHCP is added to the built-in security group "DnsUpdateProxy". The latter option would be the suggested and preferred one.

  2. Make sure that the DHCP credentials are present on the server to dynamically update the DNS. You can verify it using the command "netsh dhcp server show dnscredentials". If the credentials are not updated, you can do the same using the command "netsh dhcp server set dnscredentials". Also note that the correct credentials have to be updated here, the same as they have been updated through the rest of the domain environment.

  3. Verify if the service account has adequate permissions on the PTR record for which the dynamic update is failing. This in my case fixed the issue. I checked the ACL permissions of one PTR record in the reverse lookup zone for which the dynamic update was failing. It only had read permissions. I manually updated the permissions for the service account with write privileges on the PTR record. Later I flushed the DNS cache of the client machine running under that IP using "ipconfig /flushdns", registered it back with "ipconfig /registerdns" and BAAM !!!, the dynamic update passed. Later I was able to correct the security settings for the service account on the reverse lookup zone where the DNS update was failing, and the issue has now been resolved.

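To decide which records' ACLs to inspect first, the DHCP audit log can be summarized by host name. The following is an added example, not part of the original answers: it assumes the field order seen in the question's log line (ID, date, time, description, IP address, host name) and MM/DD/YY dates; the header row and every sample line other than the TEST.private.local one are constructed.

```python
import csv
from collections import Counter
from datetime import datetime

# Constructed sample in the audit-log layout; only the first TEST.private.local
# line comes from the question, the rest are made up for illustration.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,07/01/09,11:40:02,Assign,192.168.1.50,WS01.private.local,000D60AABBCC,
31,07/01/09,11:47:26,DNS Update Failed,,TEST.private.local,-1,
31,07/01/09,11:52:10,DNS Update Failed,192.168.1.50,WS01.private.local,-1,
31,07/01/09,12:05:44,DNS Update Failed,,TEST.private.local,-1,
"""

DNS_UPDATE_FAILED = "31"  # event ID quoted in the question


def failed_dns_updates(log_text):
    """Return one dict per event-31 row, skipping header and malformed lines."""
    failures = []
    for row in csv.reader(log_text.splitlines()):
        if len(row) < 6 or row[0].strip() != DNS_UPDATE_FAILED:
            continue
        try:
            when = datetime.strptime(f"{row[1]} {row[2]}", "%m/%d/%y %H:%M:%S")
        except ValueError:
            continue  # not a well-formed event row
        failures.append({"time": when,
                         "ip": row[4].strip() or None,  # often empty on failures
                         "host": row[5].strip().lower()})
    return failures


def summarize(failures):
    """List (host, count, first seen, last seen), most failures first."""
    counts = Counter(f["host"] for f in failures)
    summary = []
    for host, n in counts.most_common():
        times = [f["time"] for f in failures if f["host"] == host]
        summary.append((host, n, min(times), max(times)))
    return summary


if __name__ == "__main__":
    for host, n, first, last in summarize(failed_dns_updates(SAMPLE_LOG)):
        print(f"{host}: {n} failed updates, {first} to {last}")
```

Hosts at the top of the summary are the ones whose A and PTR record permissions are worth checking first.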

Have you tried unauthorizing and re-authorizing the DHCP server, now that you have different credentials?

Adam Brand
  • No, I haven't. Would this be preferable to simply restarting the DHCP server service? –  Jul 01 '09 at 16:12
  • I have unauthorized and then re-authorized the DHCP server. Unfortunately, I'm still seeing code 31 DNS Update Failed in the Audit log for DHCP. –  Jul 01 '09 at 16:37

Note that a critical piece of getting this to work is that the DHCP and DNS server must be joined to Active Directory. I realize this isn't part of this specific issue, because it's mentioned that they are both joined to the domain, but it's still a requirement.

Please see my recent question...

Jared Oberhaus