BIND DNS and Windows 2008 R2
-
Wednesday, August 26, 2009 4:25 PM
I am in the process of replacing all the Windows 2003 DCs in our domain with new Windows 2008 R2 servers. The current setup consists of three domain controllers that use BIND for DNS. The existing DCs update their SRV records in DNS dynamically with no errors. This configuration has been in production for more than 5 years with no DNS problems.
After promoting one of the Windows 2008 servers, I started seeing multiple DNS dynamic registration failures (event 5774) on the 2008 server only. There is one event logged for each of the 13 SRV records that Netlogon is trying to register. The error value for each event is "Bad DNS packet."
The 2003 DCs are still able to dynamically register with DNS and BIND is configured to allow dynamic updates from the new 2008 DC.
The strange thing is that when I check the DNS server zone files the new 2008 DC is correctly registered in DNS. Also replication works with no errors. The only errors I see in the event log are the 5774 errors.
The BIND server is set to accept non secure updates from only the three old DCs and the three new DCs. Does Windows 2008 only register DNS with DNS servers that only accept secure updates?
Since the DNS records are registered correctly, can I ignore the 5774 errors, or is there something else that I should look at?
Thanks for any help
Answers
-
Saturday, August 29, 2009 12:51 PM
Hello,
in the Default domain controllers policy check:
Computer Configuration, Administrative templates, Network, DNS Client - Update Security level-Enable and set to Unsecure followed by secure. Maybe this prevents the entries.
If you have no other issues with replication and registration within the domain, I think this belongs to the BIND DNS servers. MS of course is prepared for running its own DNS servers.
But I have no experience with BIND DNS; maybe you will also find something in this forum about BIND in an MS environment.
http://social.technet.microsoft.com/Forums/en/winserverNIS/threads
Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.- Marked As Answer by Mervyn ZhangModerator Monday, August 31, 2009 2:48 AM
-
Tuesday, November 17, 2009 10:48 AM
This seems to be a code bug in Windows 7/Server 2008 R2!
We had a call with MS Support; here is the answer (see http://support.microsoft.com/kb/977158):
If a Domain Controller points to a BIND DNS server that accepts non-secure DNS dynamic updates, Netlogon 5774 events
will be logged for every DNS record update attempt by the Netlogon service.
Event:
The dynamic registration of the DNS record '_kerberos._tcp.dc._msdcs.ad.oenb.co.at. 600 IN SRV 0 100 88 ANASV01.ad.oenb.co.at.' failed on the following DNS server:
DNS server IP address: 10.115.221.36
Returned Response Code (RCODE): 0
Returned Status Code: 9502
ADDITIONAL DATA
Error Value: Bad DNS packet.
Independent of this, the DNS records will be registered on the BIND server successfully.
Objective:
=======
Network trace: Bad DNS Packet means that the response of the BIND cannot be validated by the core DNS component.
The Request for Comments (RFC) 2136 allows for a dynamic update response to be formed by using the following two methods:
1. Respond by using the ZOCOUNT, PRCOUNT, UPCOUNT and ADCOUNT fields copied.
2. Respond by using the ZOCOUNT, PRCOUNT, UPCOUNT and ADCOUNT fields set to 0.
The problem lies in the way that Windows Server 2008 R2 computers interpret the response packet received from a DNS server after you try to dynamically register SRV records. Microsoft Server 2008 R2 DNS Servers use method 1. The third-party DNS Servers use method 2.
Windows Server 2008 R2 DC Locator treats a response with format #2 as a bad packet, even though the returned status code for the update is “success”.
This causes the NETLOGON error Event 5774 with status code 9502 (DNS_ERROR_BAD_PACKET) to be logged.
Assessment:
=========
N/A
Plan/Resolution
============
This is a code bug in the dns client of 2008 R2/Windows 7.
We have fixed this, so that we accept both response formats.
You have successfully applied and tested the hotfix:
<http://support.microsoft.com/kb/977158>
Note the KB article is not yet available, it takes a couple of more days to publish it, so the link will not work until then.- Marked As Answer by Mervyn ZhangModerator Wednesday, November 18, 2009 2:46 AM
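The two RFC 2136 response formats the support answer describes, as an added example (this is not code from the thread, from Microsoft or from BIND): a small UPDATE request is built, a reply is produced in each format, and a client-side check accepts both, which is what the answer says the hotfix does. Run with `accept_zero_counts=False`, the check behaves like the strict client the answer describes and returns the same RCODE 0 / status 9502 pairing that appears in the 5774 event. The zone and host names, the transaction ID and the shape of the check are assumptions; only the status code 9502 and the two response formats come from the post.

```python
"""RFC 2136 UPDATE responses in the two forms the support answer describes, and a
client-side check that accepts either. Added example: wire layout per RFC 1035/2136,
status constant as quoted in the thread, all names and the check itself assumed."""
import struct

OPCODE_UPDATE = 5              # RFC 2136 UPDATE opcode
FLAG_QR = 0x8000               # "this message is a response" bit
DNS_ERROR_BAD_PACKET = 9502    # 0x251E, the Windows status code quoted in the event
# UPDATE message header: ID, flags, ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT
HEADER = struct.Struct("!HHHHHH")


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_update_request(txid, zone, owner, target, port):
    """Constructed UPDATE request: one zone entry and one SRV add (hypothetical names)."""
    flags = OPCODE_UPDATE << 11                                        # QR=0, opcode UPDATE
    zone_section = encode_name(zone) + struct.pack("!HH", 6, 1)        # type SOA, class IN
    rdata = struct.pack("!HHH", 0, 100, port) + encode_name(target)    # prio, weight, port, target
    update_rr = (encode_name(owner)
                 + struct.pack("!HHIH", 33, 1, 600, len(rdata))       # SRV, IN, TTL 600, RDLENGTH
                 + rdata)
    return HEADER.pack(txid, flags, 1, 0, 1, 0) + zone_section + update_rr


def _response_flags(request_flags, rcode):
    """Keep opcode bits, set QR, replace the RCODE nibble."""
    return (request_flags & 0xFFF0) | FLAG_QR | (rcode & 0x000F)


def respond_copying_sections(request, rcode=0):
    """Method 1: counts and sections copied from the request (the Windows DNS behaviour)."""
    txid, flags, zo, pr, up, ad = HEADER.unpack_from(request)
    return HEADER.pack(txid, _response_flags(flags, rcode), zo, pr, up, ad) + request[HEADER.size:]


def respond_with_zero_counts(request, rcode=0):
    """Method 2: all four counts zero and no sections (the third-party behaviour)."""
    txid, flags, *_ = HEADER.unpack_from(request)
    return HEADER.pack(txid, _response_flags(flags, rcode), 0, 0, 0, 0)


def check_update_response(request, response, accept_zero_counts=True):
    """Return (status, rcode). status is 0 when the packet is accepted and
    DNS_ERROR_BAD_PACKET when it is rejected; rcode is the server's own answer.
    accept_zero_counts=False reproduces the strict client: a method-2 reply is
    rejected even though its RCODE is 0, exactly the pair the 5774 event shows."""
    if len(request) < HEADER.size or len(response) < HEADER.size:
        return DNS_ERROR_BAD_PACKET, None
    rid, rflags, *rcounts = HEADER.unpack_from(request)
    sid, sflags, *scounts = HEADER.unpack_from(response)
    rcode = sflags & 0x000F
    if sid != rid or not sflags & FLAG_QR or ((sflags >> 11) & 0xF) != OPCODE_UPDATE:
        return DNS_ERROR_BAD_PACKET, rcode        # not a response to our update at all
    if scounts == rcounts and len(response) == len(request):
        return 0, rcode                           # method 1: sections echoed back
    if accept_zero_counts and scounts == [0, 0, 0, 0] and len(response) == HEADER.size:
        return 0, rcode                           # method 2: header only
    return DNS_ERROR_BAD_PACKET, rcode


if __name__ == "__main__":
    req = build_update_request(0x1234, "example.test.",
                               "_kerberos._tcp.dc._msdcs.example.test.", "dc1.example.test.", 88)
    for name, reply in (("copied", respond_copying_sections(req)),
                        ("zeroed", respond_with_zero_counts(req))):
        print(name, "strict:", check_update_response(req, reply, accept_zero_counts=False),
              "lenient:", check_update_response(req, reply))
```

The check deliberately keeps the transaction ID, QR and opcode tests in both modes; only the treatment of the zeroed counts differs, which is the single point the support answer says the hotfix changed.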
All Replies
-
Thursday, August 27, 2009 12:40 PM
Hello,
are the BIND servers listed on the 2008 machines' NIC, Advanced, DNS tab?
Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
-
Thursday, August 27, 2009 2:47 PM
Yes. We have three BIND DNS servers and all three are in the DNS tab on the NIC. I also disabled the second NIC thinking that maybe it was trying to register that NIC in DNS, but that didn't get rid of the errors. Just for fun yesterday, I promoted another Windows 2008 server to see what would happen. The same thing occurred. The server promoted fine, registered itself in DNS and replicated with the other DCs. But in the event log the 5774 event appeared for every SRV and A record Netlogon tried to register with DNS. So I checked the BIND server for errors and found none. Then to go one step further, I set this server as a GC. Again I got a bunch of 5774 events concerning the GC SRV and A records. Despite the errors, all the GC SRV and A records appeared in the appropriate zone files on the DNS servers.
It's strange. It looks like either 2008 is expecting a response from the DNS server that it does not get, or the DNS server is sending a response back to 2008 that 2008 does not like. We are running BIND version 9.2.2 if that makes any difference.
Thanks- Proposed As Answer by DimiterS Friday, August 28, 2009 5:36 PM
-
Friday, August 28, 2009 5:44 PM
I am sorry, I made an accidental mouse click on "Proposed As Answer".
Anyway, I have already started to write here, so let me try to give you an idea:
On the Windows 2008 servers with DNS server, in the DNS tab on the NICs write 127.0.0.1 only.
-
Monday, August 31, 2009 1:49 PM
Hi,
we have the same problem in our Windows 2008 R2 test environment, and modifying the Default Domain Controller GPO doesn't help. The event error returns again every ~6 hours.
Any other ideas?
-
Wednesday, September 02, 2009 2:49 AM
This doesn't fix the problem. The DNS records are actually registered correctly on the BIND side but the Windows 2008 R2 event log throws an error.
Juraj
-
Thursday, September 10, 2009 6:08 PM
We are having the exact same problem with R2: DNS entries are all listed in DNS, but errors are reported in the system event log.
We use an Infoblox DNS appliance (which is supposed to be Windows 2008 compatible).
The system event log reports the following
Log Name: System
Source: NETLOGON
Date: 10/09/2009 14:54:53
Event ID: 5774
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Description:
The dynamic registration of the DNS record '_kpasswd._udp.xghnt.nhs.uk. 600 IN SRV 0 100 464 xxx.xxxx.xxxx' failed on the following DNS server:
DNS server IP address: xxx.xxx.xxx.xxx
Returned Response Code (RCODE): 0
Returned Status Code: 9502
For computers and users to locate this domain controller, this record must be registered in DNS.
USER ACTION
Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service.
Or, you can manually add this record to DNS, but it is not recommended.
ADDITIONAL DATA
Error Value: Bad DNS packet.
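To triage a batch of these 5774 descriptions rather than reading them one by one, the following added Python (not code from the thread or from any vendor mentioned in it) parses the fields quoted above and applies the rule of thumb the thread arrives at: RCODE 0 together with status 9502 while the record is already present on the server is the response-format case, anything else is a registration failure that needs investigation. The sample event text, the `example.test` names and the 192.0.2.53 address are constructed; the server's zone contents are passed in as a list of RR strings, because the example does no network lookups.

```python
"""Parse a NETLOGON 5774 event description and classify it. Added example: the
sample text is constructed to match the event layout quoted in the thread, the
status constant is the one quoted there, and the triage rule is the thread's own."""
import re
from dataclasses import dataclass

DNS_ERROR_BAD_PACKET = 9502  # 0x251E, as quoted in the thread

# Constructed sample: placeholder names and a documentation-range address.
SAMPLE_EVENT = """Log Name: System
Source: NETLOGON
Event ID: 5774
Description:
The dynamic registration of the DNS record '_kpasswd._udp.example.test. 600 IN SRV 0 100 464 dc1.example.test.' failed on the following DNS server:
DNS server IP address: 192.0.2.53
Returned Response Code (RCODE): 0
Returned Status Code: 9502
ADDITIONAL DATA
Error Value: Bad DNS packet.
"""

RECORD_RE = re.compile(r"DNS record '([^']+)' failed")
FIELD_RES = {
    "server_ip": re.compile(r"^DNS server IP address:\s*(\S+)", re.M),
    "rcode": re.compile(r"^Returned Response Code \(RCODE\):\s*(\d+)", re.M),
    "status": re.compile(r"^Returned Status Code:\s*(\d+)", re.M),
    "error_value": re.compile(r"^Error Value:\s*(.+?)\s*$", re.M),
}


@dataclass
class Event5774:
    record: str        # full RR text as logged: owner TTL class type rdata
    server_ip: str
    rcode: int         # the DNS server's own answer (0 = NOERROR)
    status: int        # the Windows status the client attached
    error_value: str

    @property
    def owner(self):
        return self.record.split()[0]


def parse_event_5774(text):
    """Extract the registration-failure fields; raise if the text is not a 5774 body."""
    m = RECORD_RE.search(text)
    if not m:
        raise ValueError("no 'DNS record ... failed' line: not a 5774 description")
    fields = {}
    for key, rx in FIELD_RES.items():
        fm = rx.search(text)
        if not fm:
            raise ValueError(f"field {key} missing from event text")
        fields[key] = fm.group(1)
    return Event5774(record=m.group(1), server_ip=fields["server_ip"],
                     rcode=int(fields["rcode"]), status=int(fields["status"]),
                     error_value=fields["error_value"])


def _normalise(rr):
    return " ".join(rr.split()).lower()


def triage(event, zone_records):
    """zone_records: RR strings as returned by a lookup of the owner name against the
    server the event names (supplied by the caller; constructed in the test).
    Returns 'format-mismatch', 'bad-packet-unregistered' or 'registration-failure'."""
    present = _normalise(event.record) in {_normalise(r) for r in zone_records}
    if event.rcode == 0 and event.status == DNS_ERROR_BAD_PACKET:
        # Server answered success but the client rejected the reply format;
        # benign only if the record really is there.
        return "format-mismatch" if present else "bad-packet-unregistered"
    return "registration-failure"


def triage_events(descriptions, zone_records):
    """Count a batch of event descriptions by triage class."""
    counts = {}
    for text in descriptions:
        cls = triage(parse_event_5774(text), zone_records)
        counts[cls] = counts.get(cls, 0) + 1
    return counts


if __name__ == "__main__":
    ev = parse_event_5774(SAMPLE_EVENT)
    print(ev.owner, ev.server_ip, ev.rcode, ev.status)
    print(triage(ev, ["_kpasswd._udp.example.test. 600 IN SRV 0 100 464 dc1.example.test."]))
```

The "present in zone" input is deliberately external: the thread's point is that the event alone cannot distinguish a cosmetic format complaint from a record that never made it in, so the lookup result has to be part of the decision.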
-
Thursday, September 24, 2009 3:20 PM
jonty09,
Please contact me on educhene@infoblox.com. We have some information for you.
Thanks.
Eric Duchene
Director of Product Management
Infoblox (Microsoft Gold Certified Partner)
-
Thursday, October 01, 2009 7:55 PM
What version of BIND are you running?
-
Friday, October 30, 2009 7:02 AM
This is a VERY irritating problem. I do not allow host A record dynamic updates, but do allow the "_" zones by IP. When I try to promote the 2008 R2 domain, it fails on DNS with:
The test for dynamic DNS update support returned:
"Bad DNS packet."
(error code 0x0000251E DNS_ERROR_BAD_PACKET)
I cannot get past this. This procedure has worked in the past with W2K3.
I'm currently running BIND 9.5.0-P2.
I really can't wait too long on this. If I can't get past this soon, we'll just keep on using our existing W2K3 (which I guess saves us money).
-
Wednesday, December 01, 2010 5:53 PM
I am currently experiencing the same as logged here on the 2008 R2 DCs.
These are old posts. Has anyone found a resolution?
Merry Christmas,
J
-
Saturday, February 26, 2011 12:37 AM
This may be a "Code Bug," as previously stated. But check to see if you've run into a problem registering IPv6 DNS AAAA records, which could be that your BIND isn't configured to do IPv6, etc. Check that. You can also disable IPv6 on your server, or install Server 2008 R2 DNS, which with DNSSEC, secure updates, etc, and BIND's newly found security flaws is better now anyway.
Regards.