Server 2008 R2 Name Protection - Won't register DNS in forward zone

    Question

  • Here's the scenario, I have a Server 2008 R2 DC with DNS and DHCP roles. DHCP is configured with:
    Credentials (standard user account)
    Name Protection
    Multiple Scopes e.g. 10.0.0.0, 10.0.1.0, etc
    I've configured a Superscope, but to be honest I'm not sure what it does or why it's needed?

    DNS is configured with:
    Is AD integrated
    Secure updates only
    Has a forward zone domain.local
    Has multiple reverse zones

    Firewall / Router: Sonicwall TZ210
    The firewall has different subnets configured and assigned to LAN ports, so port X0 has 10.0.0.0, port X2 has 10.0.1.0.
    DHCP Relay is configured on the Sonicwall to relay DHCP requests to the DHCP (DC) server.

    Some subnets will have non-domain joined Windows and Linux machines, including some lab kit that has some embedded *nix OS. I need all machines to be reachable from their names.

    The problem is that the test machines get an IP address from the DHCP server and also have a PTR record, but there is no forward record created. I've searched event logs on the client (at least the Windows one) and the server but found nothing obvious. I have a basic knowledge of DHCP and DNS in that I've set up the standard stuff and it 'just works', but never anything like this. The documentation for the Sonicwall shows that I've correctly configured the DHCP relay and I'm fairly confident it's not causing the issue.

    UPDATE: the Linux based machine has had two DNS records created in the forward zone, one is an A record and the other is a DHCID record and a record in the reverse zone. The Windows 7 machine still doesn't get a record created in the forward zone but does in the reverse zone.

    I've followed various articles and blogs including the following http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx

    I've tried not using Name Protection and also used secure and non-secure updates, nothing helps. Any help would be greatly appreciated.

    Aftab

    Friday, March 30, 2012 4:18 PM

All replies

  • Do all machines have a Primary DNS Suffix configured? That's one of the requirements for updates. It has to match the zone name, and of course the zones need to have updates allowed.

    Also, please post this query in the Network Infrastructure Servers forum for better answers.

    http://social.technet.microsoft.com/Forums/en/winserverNIS/threads


    Knowledge Seeker

    Saturday, March 31, 2012 6:36 AM
  • Did you configure Option 81 on DHCP to register Host Records and PTR records on DNS?

    Check this by right click on DHCP server name->Properties->DNS server tab.

    If not configured, configure it.

    Also, did you configure the DNS suffix option in DHCP? If not, configure it and then check:

    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/2bfa85ab-a013-4b53-b593-1bf5e13dcd35/

    http://www.tech-faq.com/configuring-dns-clients.html

    Hope this helps.

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Saturday, March 31, 2012 6:56 AM
  • @K Seeker: Primary DNS Suffix is not configured on the clients, only Option 015 on the DHCP server.
    My understanding was that the name protection feature would not require this, is that incorrect? Also I did add the DNS suffix to the specific NIC on the client machine but that didn't help.

    Is it OK for me to copy this post into the Network forum or should I ask (Where, Who?) to have this post moved.

    @Prashant: I've tried it both ways, either configuring the normal Option 81 tab or enabling Option 81 and then Name Protection. See attached image.

    Again just to confirm the embedded Linux based lab kit had its name registered under DNS by the DHCP server.

    Aftab

    Saturday, March 31, 2012 10:15 PM
  • Hi,

    Is your Win7 client not joined to the domain? Are any domain-joined Windows clients facing the same problem? Please uncheck Enable Name Protection, and select Always dynamically update DNS A and PTR records on the DHCP server. In addition, for the AD-integrated zone, change dynamic updates to Nonsecure and secure. On the client side, run ipconfig /renew to see if the Win7 client can register an A record in the DNS forward zone.


    Best Regards,
    Aiden


    Aiden Cao

    TechNet Community Support

    Tuesday, April 03, 2012 6:34 AM
    Moderator
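An added example (not code from the thread or from Microsoft) for checking Aiden's steps from the server side rather than by eye. It runs on the DC holding the DNS role and uses dnscmd.exe and netsh, both present on Server 2008 R2. For one lease it prints the forward zone's dynamic-update mode, every record at the host's node (an A record and, where the DHCP server registered with Name Protection, a DHCID record), the PTR in the matching reverse zone, and the DNS credentials the DHCP server is configured to use. The zone name comes from the question; the hostname, address and the /24 reverse-zone layout are assumptions, so point them at a real lease.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell on the
# Server 2008 R2 DC that holds DNS and DHCP. Assumed values: $HostName and $Ip are a
# lease handed out by this DHCP server; reverse zones are /24 (x.x.x.in-addr.arpa).
param(
    [string]$ForwardZone = 'domain.local',   # forward zone from the question
    [string]$HostName    = 'labbox01',       # assumed lease name
    [string]$Ip          = '10.0.1.37',      # assumed lease address
    [string]$DnsServer   = 'localhost'
)

# 10.0.1.37 -> reverse zone 1.0.10.in-addr.arpa, PTR node "37"
$o           = $Ip.Split('.')
$reverseZone = "$($o[2]).$($o[1]).$($o[0]).in-addr.arpa"
$ptrNode     = $o[3]

"== Forward zone settings for $ForwardZone =="
"   (update: 0 = no dynamic updates, 1 = nonsecure and secure, 2 = secure only)"
& dnscmd $DnsServer /ZoneInfo $ForwardZone | Select-String -Pattern 'update|DS integrated|aging'

"`n== DNS credentials the DHCP server uses when it registers on a client's behalf =="
& netsh dhcp server show dnscredentials

"`n== Forward zone: all records at $HostName.$ForwardZone =="
# dnscmd reports DNS_ERROR_NAME_DOES_NOT_EXIST on stderr when the node is absent;
# merge it so the summary below still sees something.
$fwd = (& dnscmd $DnsServer /EnumRecords $ForwardZone $HostName 2>&1) -join "`n"
$fwd

"`n== Reverse zone: records at $ptrNode.$reverseZone =="
$rev = (& dnscmd $DnsServer /EnumRecords $reverseZone $ptrNode 2>&1) -join "`n"
$rev

# Record type tokens in dnscmd output are surrounded by whitespace, e.g.
#   @ [Aging:3601853] 1200 A 10.0.1.37
$hasA     = $fwd -match '\sA\s'
$hasDhcid = $fwd -match '\sDHCID\s'
$hasPtr   = $rev -match '\sPTR\s'

"`nSummary for $HostName / $Ip"
"  A record in forward zone : $hasA"
"  DHCID record (Name Protection registration by DHCP) : $hasDhcid"
"  PTR record in reverse zone : $hasPtr"
if ($hasPtr -and -not $hasA) {
    "  This is the symptom from the question: PTR present, no forward A record."
}
if ($hasA -and -not $hasDhcid) {
    "  A record exists without DHCID: it was registered by the client itself, not by DHCP Name Protection."
}
```

Run it before and after each change Aiden lists (Name Protection off, "Always dynamically update", zone set to Nonsecure and secure, then ipconfig /renew on the client) so you can see which change actually produced the A record instead of guessing. The netsh line also confirms whether the "standard user account" from the question is really what the DHCP server presents to DNS.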
  • AftabHussain,

    DHCP Option 015 is just a connection-specific Search Suffix, not a Primary DNS Suffix. The machine will request registration for its hostname prefixed to the Primary DNS Suffix, not the Search Suffix. The Search Suffix is just used by the client-side resolver service to resolve DNS queries.

    A Primary DNS Suffix must exist. Either you can join the machine to the domain (as Aiden mentioned), manually enter it, or programmatically (script) create it for all machines.

    .


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.



    Tuesday, April 03, 2012 12:27 PM
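An added example (not from the thread) that makes Ace's distinction visible on a Windows 7 / Server 2008 R2 client. It reads the documented registry locations the DNS Client uses: the computer name and Primary DNS Suffix under Tcpip\Parameters, and per adapter the connection-specific suffix learned from DHCP Option 015 (DhcpDomain), any suffix typed by hand on the NIC (Domain), and the two registration checkboxes (RegistrationEnabled, RegisterAdapterName). It then lists the names the DNS Client itself will try to register. It does not reproduce what the DHCP server registers on the client's behalf under Option 81; that depends on the FQDN the client puts in the DHCP request.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell (2.0 is
# enough) on the client that fails to register. Registry locations are the standard
# Windows ones:
#   HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
#       Hostname, "NV Domain"   computer name and Primary DNS Suffix (System Properties)
#   ...\Tcpip\Parameters\Interfaces\{adapter GUID}
#       DhcpDomain              connection-specific suffix from DHCP Option 015
#       Domain                  connection-specific suffix set manually on the NIC
#       RegistrationEnabled     "Register this connection's addresses in DNS" (default 1)
#       RegisterAdapterName     "Use this connection's DNS suffix in DNS registration" (default 0)

$tcpip    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$global   = Get-ItemProperty -Path $tcpip
$hostName = $global.Hostname
$primary  = $global.'NV Domain'

"Hostname           : $hostName"
"Primary DNS suffix : " + $(if ($primary) { $primary } else { '<none>' })
""

# Per-interface DWORDs fall back to the Windows default when the value is absent.
function Get-Flag($props, $name, $default) {
    if ($props -and $props.PSObject.Properties[$name]) { [int]$props.$name } else { $default }
}

$toRegister = @()
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    # SettingID is the adapter GUID, which is also the Interfaces subkey name.
    $ifKey      = Join-Path $tcpip ("Interfaces\" + $_.SettingID)
    $p          = Get-ItemProperty -Path $ifKey -ErrorAction SilentlyContinue
    $connSuffix = if ($p.Domain) { $p.Domain } else { $p.DhcpDomain }
    $regEnabled = Get-Flag $p 'RegistrationEnabled' 1
    $useConn    = Get-Flag $p 'RegisterAdapterName' 0

    "Adapter : $($_.Description)"
    "  IP(s)                        : $($_.IPAddress -join ', ')"
    "  Connection-specific suffix   : " + $(if ($connSuffix) { $connSuffix } else { '<none>' })
    "  Register addresses in DNS    : $regEnabled"
    "  Use conn. suffix as well     : $useConn"

    if ($regEnabled -eq 1) {
        # The client-initiated update is always hostname + Primary DNS Suffix ...
        if ($primary) { $toRegister += "$hostName.$primary" }
        # ... and hostname + connection-specific suffix only when that box is ticked.
        if ($useConn -eq 1 -and $connSuffix) { $toRegister += "$hostName.$connSuffix" }
    }
}

""
if ($toRegister.Count -eq 0) {
    "Nothing to register: no Primary DNS Suffix, and no adapter is set to register under its connection-specific suffix."
    "A DHCP Option 015 suffix shows up above as the connection-specific suffix only; it does not become the Primary DNS Suffix."
} else {
    "Names this client will try to register: " + (($toRegister | Sort-Object -Unique) -join ', ')
}
```

On a non-domain-joined Windows 7 box that only receives Option 015 you should see a connection-specific suffix populated, Primary DNS suffix `<none>`, and the "Nothing to register" line, which is exactly the state Ace describes. Re-run it after setting a Primary DNS Suffix (or after ticking "Use this connection's DNS suffix in DNS registration" on the NIC) and the candidate name appears.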
  • I wasn't having much luck so opened a case with Microsoft. Currently we have realised two things:

    1. Configuring a Connection Specific Suffix resolves the problem but Name Protection has to be disabled, DNS updates are set to secure.

    Is the only difference between a connection-specific suffix and a primary DNS suffix that the primary DNS suffix is for all connections, not just the one?

    2. For some reason Name Protection will only function if Secure and Nonsecure updates is set. The Microsoft Engineer said that this obviously should not be the case, which I agree with.

    He's going to contact me with his findings tomorrow and I'll update here.

    Is it possible to script the addition of a Primary DNS suffix on workgroup machines centrally?

    Also, could you possibly point me in the direction of some documentation on the inner workings and requirements of DHCP and DNS? I'm not having much luck finding information on configuring Name Protection, just the article Ace wrote and a step-by-step from Microsoft. It's more that I need a better understanding of what the prerequisites for these features are.

    EDIT: I really would like an answer to this although this may not be the place to ask. Why is it that an embedded Linux OS (lab kit) does not need to have a Primary DNS suffix configured for the DHCP server to register a DNS record in the forward zone, however a Windows 7 non-domain-joined machine requires this to be set on the client?

    Thanks for all the responses,
    Aftab

    Tuesday, April 03, 2012 9:59 PM
  • Glad to hear Option 015 did the trick. Yes, the Primary applies to all interfaces. In the past, the Connection Specific Suffix 015 wasn't used and didn't work for DNS Updates, as you can see in the older article below. Did the engineer give you a link on using this Option? If you can ask him, I would be very interested in seeing an updated technical article on this.

    DHCP Dynamic DNS Registration for Windows 2000 Clients Does Not Work  (using Option 015)
    http://support.microsoft.com/kb/314822

    .

    Regarding #2, it apparently seems that what the engineer found with NameProtection is interesting. I'm definitely curious of the outcome.

    .

    As for programmatically populating the Primary DNS Suffix, if the machine is joined to a domain, it automatically takes on the AD Domain name as the Primary DNS Suffix. To populate it for non-joined machines, you can create a reg script and populate the following keys:

    ' Writes the same two values System Properties writes for the Primary DNS Suffix:
    ' "NV Domain" is the stored setting, "Domain" is the copy the TCP/IP stack uses at runtime.
    ' Replace domain.local with the zone the clients should register into.
    SET WSHShell = CreateObject("WScript.Shell")
    WSHShell.RegWrite "HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\NV Domain", "domain.local", "REG_SZ"
    WSHShell.RegWrite "HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\Domain", "domain.local", "REG_SZ"

    .

    If it was an AD scenario, you could push it out with a GPO, but that would assume something's amiss if the PrimaryDNS Suffix never got populated based on the fact when it was joined it should have got populated.

    Group Policy Object
     Computer Configuration
       Administrative Templates
         Network
           DNS Client
             Primary DNS Suffix

    .

    My blog references many docs regarding suffixes and registration. Sounds like you're asking to know more about the programmatic side of it, possibly the SDK info (Systems Development Kit)? That question would be better suited for the MSDN forums.

    .

    As far as Linux, even though the client-side resolver and registration are similar if not the same, since they follow industry standards, for the most part Linux and Unix are a bit different in how to configure registration.

    .


    Ace Fekay


    Wednesday, April 04, 2012 3:13 AM
  • Hi Ace,

    Sorry to get your hopes up, but the connection specific suffix was configured on the client machine. I did ask the engineer and he's going to check and come back to me if there is any update on the article you mentioned.

    Point 2: The cause for the requirement to have nonsecure updates enabled is that the non-Windows machines need to be part of the domain for the registration to be successful. Apparently it's not only who is doing the registering, in this case a plain Jane domain account, but also what you are registering. The engineer made a point to mention that this is due to the fact that the DNS zone is AD integrated, so this means this may not be the case with non-integrated zones.

    With regards to the Linux clients, kind of gutted, since it works so much better with them as clients; now I'm going to have to change the Primary suffix on the Windows non-domain-joined machines, and even with a script, it'll have to be executed on all machines manually as there's no way to centrally deploy the script.

    Also I wasn't asking about the programmatic side, just want to know as much about DNS and DHCP as possible, I'll have a look over your blog again.

    Aftab


    Wednesday, April 04, 2012 3:15 PM
  • Thanks for asking him. :-)

    .

    #2: I kind of had a feeling that it has to be joined, because the client uses Kerberos to authenticate for the request because there is that initial authentication between the client and DHCP, and Secure Only uses Kerberos (due to AD Integration meaning that the zone data is actually stored in the physical AD database), even if DHCP credentials are used, based on that initial session.

    .

    Not sure how to handle Linux and Secure only. As for the script, you can email it out to everyone and have them run it, or create a script using PSEXEC (free Microsoft download) to remotely run it, of course assuming the admin account credentials on all non-joined machines are identical, firewalls are disabled, antivirus allows the remote connection, and remote administration is turned on.

    .

    As for DNS/DHCP interaction, there is much info in the KB articles, which is how I compiled my blog. I'm always looking out to add or clarify items as much as I can so I know and understand it correctly, as well as for others to learn from it. Programmatically, there's much going on in the background with the DNS and DHCP APIs, and they rely on AD Kerberos authentication, at least for communications.

    .


    Ace Fekay

    Wednesday, April 04, 2012 4:06 PM
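An added example (not code from the thread) that combines Ace's two suggestions, the registry script for the Primary DNS Suffix and pushing it out with PsExec, into one run against a list of workgroup machines, then forces re-registration and checks the forward zone. It writes the same "NV Domain" and "Domain" values as Ace's VBScript, plus SyncDomainWithMembership = 0 (the "Change primary DNS suffix when domain membership changes" checkbox) so Windows does not reset the suffix. It carries the same assumptions Ace lists: one local admin account with an identical password on every target, remote administration reachable through the host firewalls, and psexec.exe on the PATH. The suffix is the zone from the question; the target addresses and the DNS server address are assumed.

```powershell
# Added example, not from the original thread. Run from an admin workstation that can
# reach the targets over SMB/RPC (what PsExec needs). Assumed values: $targets,
# $dnsServer; $suffix is the forward zone from the question.
$suffix    = 'domain.local'
$targets   = @('10.0.1.21', '10.0.1.22')   # assumed non-domain-joined Windows 7 boxes
$dnsServer = '10.0.0.1'                    # assumed DC / DNS server address

$cred = Get-Credential -Message 'Local administrator account present on every target'
$user = $cred.UserName
$pass = $cred.GetNetworkCredential().Password

# Batch file that PsExec will copy to each target (-c) and run elevated (-h).
# The here-string expands $suffix before it is written.
$batch = Join-Path $env:TEMP 'set-primary-suffix.cmd'
@"
@echo off
reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v "NV Domain" /t REG_SZ /d $suffix /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Domain /t REG_SZ /d $suffix /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v SyncDomainWithMembership /t REG_DWORD /d 0 /f
ipconfig /registerdns
"@ | Set-Content -Path $batch -Encoding ASCII

$names = @{}
foreach ($t in $targets) {
    "== $t =="
    # Grab the hostname first so the check below can build the expected FQDN.
    # PsExec's own chatter goes to stderr; stdout is the remote command's output.
    $name = & psexec.exe "\\$t" -accepteula -u $user -p $pass hostname 2>$null | Select-Object -Last 1
    if (-not $name) { "  could not run hostname on $t (firewall / credentials / admin share?)"; continue }
    $names[$t] = $name.Trim()

    & psexec.exe "\\$t" -accepteula -u $user -p $pass -h -c $batch
    if ($LASTEXITCODE -ne 0) { "  batch returned exit code $LASTEXITCODE on $t" }
}

# Give the DNS Client a moment, then ask the DC for the A record it should now hold.
Start-Sleep -Seconds 10
"`n== Forward zone check against $dnsServer =="
foreach ($t in $names.Keys) {
    $fqdn   = "$($names[$t]).$suffix"
    $answer = (& nslookup.exe $fqdn $dnsServer 2>$null) -join "`n"
    # nslookup prints the server's own "Address:" line first; match the target's IP only.
    if ($answer -match ('Address(es)?:\s+' + [regex]::Escape($t))) {
        "  $fqdn -> $t   (A record present)"
    } else {
        "  $fqdn not resolvable yet: Windows may need a restart before the DNS Client uses the new suffix"
    }
}

Remove-Item $batch -ErrorAction SilentlyContinue
```

Two things to watch when using this. System Properties asks for a restart after changing the Primary DNS Suffix, so a target that still shows "not resolvable" right after the push is not necessarily broken; run the check again after a reboot. And passing the password with -p puts it on the local command line (visible in process listings) and sends it to each target inside the PsExec session; for anything beyond a lab, drop -p so PsExec prompts per host, or run the batch file through whatever management channel those machines already trust.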