DNS/DHCP issues with DNS Servers

I’m having an issue, and I’m hoping that I’ve just been staring at it too long and it’s easy to sort out. I have a Windows Server 2016 DHCP server that is also a DC. We wanted to put an NX box (really a VM) in for DNS and forward the domain requests via the local network. All of this seems to work perfectly until you reboot the machine. The DHCP has the NX box as the DNS and Name Server, but Windows will change the IPv4 entries to a manual entry with the DC address. I’m not sure where this is coming from… I’ve tried several things from searches and nothing seems to fix the issue. There are no Group Policies having to do with DNS. This is purely something happening with Windows and the DC. The odd thing is that I have a few machines that are not DC-joined and they do the exact same thing. So I don’t think it’s a DC issue or an AD issue, as these machines wouldn’t have access to it. Is there something going on with registration that I’m missing? Please help!

What is NX?

Nx Filter; it’s a DNS filter.

Here, do you mean the Windows endpoints/clients will have their DNS set to the domain controller address rather than the NX?

Yes, exactly… if you set it back to automatic it goes to NX, but if you reboot or run ipconfig /renew it manually puts in the DNS entry of the domain controller.

Very strange. Can you post a picture of your DHCP config?

It’s a pretty basic setup…

Here is the scope…

.5 is my DC and .207 is my NX

Have you tried this? How to set preferred DNS Servers via DHCP

I read through that link and I’m not sure that there is anything there that’s different from my existing config. If you look at the scope, everything is defined as it should be. So, oddly enough, I have some Windows machines that are reading the DHCP correctly (about 1 in every 10), but the other ones are still having this DNS override put in. It’s only Windows that’s doing this. All Mac/iOS devices work correctly and all Linux machines seem to work correctly. I’ve been looking high and low for some sort of reason for this and I can’t find anything that should be causing this.

The DC needs to reference itself (127.0.0.1) and no other DNS server in its IPv4 config if it’s a sole DC. The Windows clients need the additional domain DNS records to function correctly on the domain. DHCP will also register the client IP with the DNS server by creating an A record and PTR to enable correct resolution.

Use the forwarders in the Windows DNS server to reference your “filtered” DNS server (192.168.x.207). In this example I use Quad9 9.9.9.9.

DNS

So this is a single DC and it does only reference itself. I do have a forwarder in for the NX filter, but that groups everyone into a single user coming off the DC. I need to be able to break out users. I have forwarders in NX for it to loop back to the DC, and I have all the Active Directory pointers forwarded from the NX box. So if I static the client, everything works fine: no issues with certs, no issues with DNS resolution. If I use DHCP though, it will manually set the entry in TCP/IP v4 back to the DC. If you set it to automatic it goes back to the NX filter box. So somewhere it’s deciding to switch the TCP/IP v4 entries from automatic to the DC. I can’t tell if it’s on the client side or server side. But this also happens with non-domain computers on the network. So I can put a laptop on the network (that is not domain joined) and it will force this same behavior on it. Strangely though, I have a handful of systems where this works exactly as it should. Some are the exact same hardware layout as others that don’t do it right. As you can imagine, it’s driving me crazy trying to figure out where this is coming from.

Well, I feel kinda stupid, but I’m going to post the solution to this issue in case it ever comes back for someone else. So the solution is easy… just make sure you have both the DC and the NX filter box in the DHCP DNS entries. If you make the NX filter primary and the DC secondary, everything is happy. I have the DC forwarded to the NX filter as a restricted user anyway. So any requests by a non-restricted user get zeroed by the PC → DC → NX, then it backs up and tries the secondary PC → NX, which sees the IP and allows the request. Thank you everyone who tried to sort this out… I knew it had to be something simple that I was missing, so it came to me last night and I put it in place this morning and everything is working perfectly!
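The two pieces of configuration the thread converges on, the DC forwarding to the filter box (earlier answer) and DHCP option 006 handing out the filter first and the DC second (the solution post), as an added PowerShell example that is not from the original thread. The addresses (192.168.1.5 for the DC/DHCP server, 192.168.1.207 for the NX box, scope 192.168.1.0) and the interface alias 'Ethernet' are assumptions filled in from the ".5 / .207" hints above; run it elevated on the DC, and run the client-side checks on a DHCP client after ipconfig /renew.

```powershell
# Added example, not code from the thread. Addresses below are assumptions
# based on ".5 is my DC and .207 is my NX"; adjust to your scope.
$Dc      = '192.168.1.5'      # single DC that is also the DHCP server
$Nx      = '192.168.1.207'    # NX filter box (filtering DNS)
$ScopeId = '192.168.1.0'      # DHCPv4 scope the clients sit in
$Nic     = 'Ethernet'         # DC's LAN adapter alias (assumption)

# --- On the DC -------------------------------------------------------------

# 1. A sole DC resolves against itself only (as the earlier answer says).
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses 127.0.0.1

# 2. Everything the DC is not authoritative for goes to the filter box.
#    This replaces any existing forwarder list (e.g. 9.9.9.9) with $Nx.
Set-DnsServerForwarder -IPAddress $Nx -PassThru

# 3. DHCP option 006 for the scope: NX primary, DC secondary.
#    Order matters here; the first address is what clients list as preferred.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $Nx, $Dc

# Confirm what the scope will now hand out (expect Value = {192.168.1.207, 192.168.1.5}).
Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 6 |
    Select-Object OptionId, Name, Value

# --- On a DHCP client, after 'ipconfig /renew' ------------------------------

# Adapter should still be DHCP-enabled; a 'Disabled' here means someone or
# something (script, VPN client, GPO) set a static address on the NIC.
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.ConnectionState -eq 'Connected' } |
    Select-Object InterfaceAlias, Dhcp

# The resolver list should read 192.168.1.207 then 192.168.1.5.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# Sanity check that the filter box really does hand AD lookups back to the DC:
# the DC locator SRV record must resolve when asked through $Nx, or domain
# logons and certificate enrolment will fail for clients using NX first.
$domain = $env:USERDNSDOMAIN
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server $Nx
```

One caveat worth keeping in mind when relying on the primary/secondary ordering: the Windows DNS client does not strictly try the list in order on every query. Once a server answers (including an answer of zero records, as in the "zeroed" case above), the client tends to stick with it until it times out, so the failover described in the solution post works because the filter returns no answer for blocked names rather than an authoritative NXDOMAIN. If the filter ever starts returning a definitive negative answer, the secondary will not be consulted, and the per-user policy should then be enforced on the NX box alone rather than by relying on the client to retry.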