If the Machine is not generating a unique SID, then an Active Directory integrated DNS will have the option to be set as allowing secure updates only.
Have them set to be secure and non-secure on both the forward and reverse lookup zones.
Using Netflow, I could see the ip address of the offender but couldnt see the hostname of the computer/workstation that was the offender.
Here is my config for DHCP on the switch -ip dhcp pool PC network 10.1.70.0 255.255.255.0 domain-name dns-server 10.1.1.1 10.1.1.2 default-router 10.1.70.1 lease 8This is an office across the street from the main building.
It might be easier to drop your scope lease time really low, then delete all the dynamic DNS records and let them get re-created.