Unable to update record dynamically

  • Question

  • A Windows 2003 server is unable to update its A record after its IP address was changed. Getting error:

    Event Type: Warning
    Event Source: DnsApi
    Event Category: None
    Event ID: 11166

    The system failed to register host (A) resource records (RRs) for network adapter with settings.The reason the system could not register these RRs was because of a security related problem. The cause of this could be (a) your computer does not have permissions to register and update the specific DNS domain name set for this adapter, or (b) there might have been a problem negotiating valid credentials with the DNS server during the processing of the update request.

    When checking in DNS, the server has a static record (with the old IP address).

    Wednesday, February 24, 2016 6:49 PM

All replies

  • Hi samb789, you can delete the old static record, and the Windows 2003 server will register its new one into DDNS, assuming default environmental conditions (AD-integrated DDNS which allows secure dynamic updates, and server is joined to the AD domain). To re-register the record manually, you can run this command:

    ipconfig /registerdns


    Best Regards, Todd Heron | Active Directory Consultant

    Wednesday, February 24, 2016 9:35 PM
  • Yes, I understand that. However, I wanted to know why the server is not able to update the static record with the new IP address. Is there a permission difference between the dynamically created and statically created record?
    Thursday, February 25, 2016 6:54 AM
  • Hi Samb,

    1. Please try to run 'ipconfig /registerdns' to register manually. Does it work?
    2. Are you using an AD-integrated zone? If you do, dynamic update should be set to Secure only.
    3. Are you using a DHCP server for dynamic updates? The DHCP server must have permissions to register.

    Read this for more information about Secure DNS Update:

    http://social.technet.microsoft.com/wiki/contents/articles/21984.how-to-secure-dns-updates-on-microsoft-dns-servers.aspx

     

      Best Regards,

    Cartman

    Thursday, February 25, 2016 7:40 AM
  • By default, a computer can only update a record it created on its own, not a static record created by another entity (such as a human administrator). The problem statement suggests a DNS or Domain admin statically created the record for the Windows 2003 server, leaving it unable to statically update the record on its own. To check this, go to the properties of the record in DDNS, then go to the security tab, and look for an ACL entry showing the computer name (it will be appended with a "$"). If that is there with the permissions of "Full Control", "Read" and "Write", the computer will be able to dynamically update its own record. If the computer name is not there, then it will not be able to do that. You could compare these ACL entries to another known statically created record for comparison. You can delete the old static record, and the Windows 2003 server will register its new one into DDNS, assuming default environmental conditions (AD-integrated DDNS which allows secure dynamic updates, and server is joined to the AD domain). After deleting the record, to re-register the record manually, you can run this command:

    ipconfig /registerdns



    Best Regards, Todd Heron | Active Directory Consultant

    Thursday, February 25, 2016 12:25 PM
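
The ACL check described in the answer above, scripted in PowerShell as an added example (not part of the original thread). The server, zone, host and domain names are placeholders, and it assumes an AD-integrated zone and a management host with the DnsServer and ActiveDirectory modules installed.

```powershell
# Added example: does the computer account hold a write ACE on its own DNS record?
# All names below are placeholders; substitute your own environment's values.
Import-Module DnsServer
Import-Module ActiveDirectory            # provides the AD: drive used by Get-Acl

$DnsServer     = 'dc01.example.local'    # placeholder DNS server / domain controller
$Zone          = 'example.local'         # placeholder AD-integrated zone
$HostName      = 'srv2003'               # placeholder host whose A record is stale
$NetbiosDomain = 'EXAMPLE'               # placeholder NetBIOS domain name

# Computer accounts appear in ACLs as DOMAIN\NAME$ (the trailing "$" from the answer).
$ComputerAccount = "$NetbiosDomain\$HostName`$"

# All A records for one name live in a single dnsNode object, so the first
# record's DistinguishedName is enough to locate the object carrying the ACL.
$record = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone `
              -Name $HostName -RRType A | Select-Object -First 1
if (-not $record) { throw "No A record for $HostName in $Zone" }

$acl = Get-Acl -Path ("AD:\" + $record.DistinguishedName)

# Allow ACEs granted directly to the computer account.
$aces = @($acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $ComputerAccount -and
    $_.AccessControlType -eq 'Allow'
})

# GenericAll ("Full Control") includes the WriteProperty bits, so HasFlag matches both.
$write    = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$canWrite = @($aces | Where-Object { $_.ActiveDirectoryRights.HasFlag($write) }).Count -gt 0

[pscustomobject]@{
    Record          = $record.DistinguishedName
    Owner           = $acl.Owner         # who created the object (admin vs. computer)
    ComputerAccount = $ComputerAccount
    AllowAceCount   = $aces.Count
    CanUpdateRecord = $canWrite
}

# Print the matching ACEs for side-by-side comparison with a known-good record.
$aces | Format-Table IdentityReference, ActiveDirectoryRights, IsInherited -AutoSize
```

Running it once against the stale record and once against a record the host registered itself gives the comparison the answer suggests: on the statically created record the computer account is absent and `CanUpdateRecord` is `False`.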