Clients can't register in DNS server.
-
Wednesday, November 04, 2009 3:25 PM
Hi everyone, I have a problem getting my XP (SP2 and SP3) clients registered in the DNS servers. I have a Windows Server 2003 R2 forest with a single domain, 5 domain controllers and 3 sites; the problem is the same for all sites. I have enabled Only Secure Update on the domain's zone on all 5 DNS servers, which are domain controllers too. I have run the ipconfig /registerdns command on the XP clients and I don't get any error; I also couldn't find errors in the event log. The same happens on the Windows Server 2003 R2 servers when I run the command. Something weird is that when I connect through VPN from the Internet my laptop can register in DNS, but when I am on the internal network the laptop can't register itself.
My clients are pointing to the PDC and the second domain controller as primary and secondary DNS servers, and they have the option to register in DNS enabled in the TCP/IP configuration.
I have configured Dynamic Updates in DHCP with the next options:
- Enable DNS Dynamic updates according to the settings below
- Always dynamically update DNS A and PTR records
- Discard A and PTR records when lease is deleted
Can somebody help me with this issue, please? Thanks in advance.
Regards
Felxs
Felx
All Replies
-
Thursday, November 05, 2009 3:01 AM
To use DHCP to register clients you need to add the DHCP server(s) to the DNSUpdateProxy group in the domain... and reboot them.
http://technet.microsoft.com/en-us/library/cc961412.aspx
If you want the clients to register themselves then you need to check to make sure they have the appropriate configuration.
Make sure the Register this connection’s addresses in DNS is checked on the client's DNS properties page.
I would recommend you change your DHCP configuration to only register clients that can't register themselves... that way you have a secure DNS implementation, otherwise records can be overwritten. -
Thursday, November 05, 2009 5:50 PM
Hi Gunner999, thanks a lot for your answer, but I don't think this is the issue (adding the DHCP server to the DNSUpdateProxy group), because some client machines and some servers can register successfully and most can't. If this were the problem no one could register in DNS, is that correct? And I have enabled the Register this connection’s addresses in DNS option. When I use my VPN connection my machine gets registered in DNS with my public IP, but when I am on the internal network my machine can't get registered in DNS.
On the other hand, I have understood that the "only register clients that can't register themselves...." option is only for old versions of Windows like Win98 and Win95 that can't register by themselves. Would it be useful to enable it here?
thanks a lot
Felxs
Felx -
Thursday, November 05, 2009 6:12 PM
If you can register when VPN'd in but can not register DNS while on the LAN, it may be a network issue.
Verify that all the required ports for AD and DNS from the internal network to the DC/DNS servers are open. PortQryUI is a good tool to test with as is the good 'ol telnet client. Make sure port 53 is available, will also need to verify that both 53/tcp and 53/udp are available, use either NetMon or PortQry to verify udp. -
Thursday, November 05, 2009 7:39 PM
PaulShaf, thanks for your answer. I tried with PortQry but the UDP and TCP 53 ports are listening correctly. The problem is with some machines: at the beginning the clients work properly, and after some time they don't work. I don't know if there is some detailed log that I can enable to get the error; additionally, I don't know if the problem is in the client or in the server.
Regards
Felipe C.
Felx -
Thursday, November 05, 2009 9:46 PM
Incorrect, depends on your configuration. If the workstation registers, then the workstation needs rights, but it appears you have been changing your DHCP settings to try and fix the issue. If you want DHCP to register records, then it must be a member of DNSUpdateProxy.
Look on the clients for errors in the event log for failure to register like this.
Event ID: 11166
Source: DnsApi
Description:
The system failed to register host (A) resource records (RRs) for network adapter
with settings:
Adapter Name : {5CC9F918-82B4-45A3-B684-C84A57BFCCCC}
Host Name : SERVER1
Primary Domain Suffix : domain.com
DNS server list :
10.1.1.1, 10.1.1.2
Sent update to server : 10.1.1.1
IP Address(es) :
10.2.2.2
I have seen issues where the DNS records are secured by other users/computer accounts, resulting in client DNS failures. Do a spot check of security on the DNS records of ones that are known to work and ones that are failing to check if security is an issue. The matching workstation or DHCP server should be assigned.
Read this post for more information:
http://networkadminkb.com/kb/Knowledge%20Base/DNS/How%20to%20find%20who%20manually%20created%20host%20records%20in%20Secure%20DNS%20Zones.aspx -
Friday, November 06, 2009 2:06 AM
Thanks for your advice Gunner999, but I think the problem is much harder. I searched for event ID 11166 on my clients and servers and I couldn't find any instance of this error; in addition, when I run the command ipconfig /registerdns on clients and servers it doesn't show me errors. I think it is not the membership of DNSUpdateProxy, because when I connect through VPN my DHCP is in the firewall and that DHCP is not in that group, however in that case the client can register itself. Also, I have verified that every computer owns its own record in DNS; they are registering by themselves (those that work; some of them can register but most can't). Newly installed machines can register successfully, but after some time they can't do it. I think it could be some update; I have ruled out the antivirus and Windows Firewall. Thanks in advance.
Regards
Felxs
Felx -
Tuesday, November 10, 2009 6:29 PM
Hello everybody, until now I couldn't fix my problem, but I have noticed that on one of my DHCP servers, the main one (DHCP01) with more scopes, the Address Leases container of most of the scopes shows the records with the icon of the computer with the pencil over it, which means these records are pending registration in DNS. On the other hand, on the second DHCP server (DHCP02) with only 2 scopes, the records in the Address Leases container appear with the icon of the computer only.
In addition, I have noticed that the DHCP Client and DNS Client services on the main DHCP server (DHCP01) are in automatic mode, but the DHCP Client service is not started and the DNS Client service is started. Should these services be started and running on the domain controller and DHCP server? Are the DHCP Client and/or DNS Client services needed for dynamic updates to work?
When I tried to start the DHCP Client service on DHCP01, I got an error: "Error 1079: The account specified for this service is different from the account specified for other services running in the same process." But if I stop the DNS Client service and then try to start the DHCP Client service, this works, but the DNS Client shows the same error if I try to start it. So can these services be enabled and running together on the DHCP server?
Thanks for your comments.
Regards
Felxs
Felx -
Thursday, November 12, 2009 9:59 PM
On the DHCP server properties there is an option to configure user credentials. If that is set to a user account, make sure of the following.
1) The account is enabled
2) The account password is set correctly
3) The account is a member of the DNSUpdateProxy group.
4) The account is configured on all DHCP servers.
If you don't set a user account (left blank), the DHCP servers themselves should be a member of the DNSUpdateProxy.
- Marked As Answer by David Shen Friday, November 20, 2009 2:47 AM
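
The four checks listed in the answer above, run across every authorized DHCP server, as an added example that is not part of the original thread. It assumes the DhcpServer and ActiveDirectory PowerShell modules (Windows Server 2012 or later, or RSAT, which is newer than the Windows Server 2003 R2 environment discussed here) and a single-domain forest.

```powershell
# Added example, not from the thread. Assumes the DhcpServer and ActiveDirectory
# modules and a single-domain forest; run with rights to query DHCP and AD.
Import-Module DhcpServer, ActiveDirectory

$proxyDn = (Get-ADGroup -Identity 'DnsUpdateProxy').DistinguishedName

$report = foreach ($server in Get-DhcpServerInDC) {
    $cred = Get-DhcpServerDnsCredential -ComputerName $server.DnsName
    if ($cred.UserName) {
        # A credentials account is configured: collect items 1-3 for it.
        $acct = Get-ADUser -Identity $cred.UserName -Properties `
            Enabled, LockedOut, PasswordExpired, PasswordLastSet, MemberOf
        $identity = "$($cred.DomainName)\$($cred.UserName)"
    }
    else {
        # Left blank: the DHCP server's own computer account does the updates.
        $acct = Get-ADComputer -Identity $server.DnsName.Split('.')[0] `
            -Properties Enabled, MemberOf
        $identity = "(blank) computer account $($acct.SamAccountName)"
    }
    [pscustomobject]@{
        DhcpServer       = $server.DnsName
        UpdateIdentity   = $identity
        Enabled          = $acct.Enabled
        LockedOut        = $acct.LockedOut          # empty for computer accounts
        PasswordExpired  = $acct.PasswordExpired    # empty for computer accounts
        PasswordLastSet  = $acct.PasswordLastSet
        InDnsUpdateProxy = $acct.MemberOf -contains $proxyDn  # direct membership only
    }
}

$report | Format-Table -AutoSize

# Item 4: more than one row here means the DHCP servers do not all use
# the same identity for dynamic updates.
$report | Group-Object -Property UpdateIdentity | Select-Object Count, Name
```

Active Directory cannot show whether the password stored in the DHCP server's credential still matches the account, so `PasswordLastSet` only indicates when a mismatch could have been introduced.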

