Hi Iron Man,
The reason you faced that problem is because during the export/import or failover process, the DHCP server’s stored TSIG‐style key (or explicit “credentials” entry) for DNS dynamic updates isn’t transferred. The new server attempts a secure DNS update against your reverse zone but presents an invalid key or no credentials, so DNS rejects it with “bad key.” The DHCP address assignment itself still works, because giving out IPs does not depend on the DNS update succeeding.
=> Configure Explicit Credentials:
- Open DHCP MMC on your Windows 2019 server.
- Right-click the IPv4 node → Properties → DNS tab.
- Under “Dynamic update credentials,” click Credentials…
- Enter a domain user account (or gMSA) with permission to update the reverse zone.
- Add that user to the built-in DnsUpdateProxy group (recommended) or delegate Create PTR permissions on the specific zone.
- Click OK, then Apply.
Remember to confirm the fix:
- From a client, run ipconfig /renew.
- Watch the DHCP logs: the Event ID 20322 errors should stop. You should see successful “DHCPv4: Dynamic DNS Update” entries.
- In DNS Manager, confirm new PTR records appear without error.
==============================================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
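The same procedure as the MMC steps in the answer above, scripted in PowerShell so it can be repeated on the next failover. This is an added example, not part of the original answer or of Microsoft's documentation; the names DHCP01, DNS01, CONTOSO, svc-dhcpdns, the reverse zone 1.168.192.in-addr.arpa and the client address 192.168.1.50 are placeholders, and the operational log channel name is an assumption you should check against your server (Event Viewer, Applications and Services Logs). The DhcpServer, ActiveDirectory and DnsServer RSAT modules must be installed where the script runs.

```powershell
# Added example (not from the original answer): re-create the DHCP-to-DNS dynamic update
# credentials after an export/import or failover and verify that the "bad key" failures
# (Event ID 20322 in the answer above) stop.
# Hypothetical names: domain CONTOSO, service account svc-dhcpdns, DHCP server DHCP01,
# DNS server DNS01, reverse zone 1.168.192.in-addr.arpa, renewed client 192.168.1.50.

$DhcpServer  = 'DHCP01'
$DnsServer   = 'DNS01'
$ReverseZone = '1.168.192.in-addr.arpa'
$SvcAccount  = 'svc-dhcpdns'

# 1. Show what the migrated server currently holds. After an export/import the stored
#    credential is typically empty (blank UserName), which is what produces the bad key.
Get-DhcpServerDnsCredential -ComputerName $DhcpServer | Format-List

# 2. Give the account the right to create/update records. DnsUpdateProxy membership is the
#    broad option from the answer; delegating Create/Write on the reverse zone's ACL is
#    the narrower alternative and is done on the zone object, not shown here.
Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members $SvcAccount

# 3. Store the credential on the DHCP server. This is the "Credentials..." button on the
#    IPv4 > Properties > DNS tab. Prompt for the password so it is never written to disk.
$cred = Get-Credential -UserName "CONTOSO\$SvcAccount" -Message 'DHCP dynamic DNS update account'
Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $cred

# 4. Confirm dynamic updates are enabled at the server level (DynamicUpdates should be
#    OnClientRequest or Always, not Never); nothing is changed here, only displayed.
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer

# 5. Restart the service so the new credential is used for subsequent registrations.
Invoke-Command -ComputerName $DhcpServer -ScriptBlock { Restart-Service -Name DHCPServer }

# 6. Verify: run "ipconfig /renew" on a client, then look for 20322 errors logged since
#    the restart. After the fix this query should return nothing.
#    Assumption: the DHCP operational channel is named as below; adjust if yours differs.
$since = (Get-Date).AddMinutes(-10)
Get-WinEvent -ComputerName $DhcpServer -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Dhcp-Server/Operational'
    Id        = 20322
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-Table -Wrap

# 7. Verify the PTR record for the renewed client now exists in the reverse zone
#    (host part of 192.168.1.50 within 1.168.192.in-addr.arpa is "50").
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ReverseZone -RRType Ptr -Name '50'
```

One caveat on step 2: Microsoft documents that records created by members of DnsUpdateProxy are not secured, so any authenticated client can later overwrite them. If that matters in your environment, prefer the zone-level delegation the answer mentions as the alternative, keep the dedicated account out of DnsUpdateProxy, and enable Name Protection on the scopes so an existing record is not replaced by a different host claiming the same name.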