DHCP-enabled DNS Clients cannot register to w2k8 r2 AD-integrated DNS, security config issue

  • Question

  • Hello,

    we run an AD-integrated DNS server environment with still 3 DNS servers (and DCs), while one is about to be demoted and deleted from the AD. The two remaining servers are both w2k8 r2 with Windows DNS and Active Directory running. One of them is a DHCP server, but just a kind of fail-over DHCP, since the "main" DHCP server is another w2k8 r2 domain member; both are combined into a DHCP superscope, each with the other one's DHCP IP range excluded...

    In my network we are running several AD-member servers and clients, and some non-joined Windows computers. These are some test installations etc., mainly based on w2k3 or w2k8, all members of some workgroups, actually not much connected to the AD domain except DNS- and DHCP-wise (if the case). Usually these servers have static IPs, but for some reason some are still DHCP clients and we rely on WINS (NetBIOS over TCP/IP) and their automatic registration to a certain DNS domain, because of the fact that they are configured TCP/IP-wise to autoregister with a certain domain suffix, which is my AD domain. This worked fine as long as my old w2k3 SBS DNS server (which I am about to remove soon) was set as primary server for the SOA of this DNS domain. Since I have switched this setting to one of my w2k8 r2 DCs it looks like some security issues are preventing non-domain-member hosts from registering in the domain DNS zone, particularly w2k3 servers.

    When I force a DNS registration by performing "ipconfig /registerdns", an 11166 system event occurs saying something like:
    "The system failed to register host (A) resource records (RRs) for network adapter
    with settings:

       Adapter Name : {9B4FB4B3-1D59-4D67-95C2-35AF3816B9EF}
       Host Name : xxxxx
       Primary Domain Suffix : xxxxxx.intra
       DNS server list :
          192.168.0.2, 192.168.0.3
       Sent update to server : 192.168.0.2
       IP Address(es) :
         192.168.3.180

    The reason the system could not register these RRs was because of a security related problem. The cause of this could be (a) your computer does not have permissions to register and update the specific DNS domain name set for this adapter, or (b) there might have been a problem negotiating valid credentials with the DNS server during the processing of the update request...."

    Furthermore, on a regular basis the following system event 40960 occurs:
    "The Security System detected an authentication error for the server DNS/dc1.mobilex.intra.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request."

    What security setting am I missing on the DNS server side? While googling around I found some comments pointing to some DNS client group policy settings on the servers, but none of these, if applicable, are set on my servers.

    Thanks,

    Dieter

    Tuesday, October 4, 2011 7:16 AM

Answers

  • Hello,

    how are the DNS zone properties settings about dynamic updates set on the General tab, secure only or nonsecure and secure?


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Tuesday, October 4, 2011 9:59 AM
  • Hello,

    you can't, dynamic updates for secure only belong to domain machines.

    Or you have to create all records manually, which has the disadvantage of not using DHCP for these machines.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Tuesday, October 4, 2011 10:44 AM

All replies

  • Hello,

    how are the DNS zone properties settings about dynamic updates set on the General tab, secure only or nonsecure and secure?


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Tuesday, October 4, 2011 9:59 AM
  • Hello, great hint. It was set to secure only. I have altered the setting to secure and non-secure and now it works smoothly. But how can I manage to allow only secure updates while at the same time allowing updates from non-domain-member computers as well?

    thanks,

    Dieter

    Tuesday, October 4, 2011 10:09 AM
  • Hello,

    you can't, dynamic updates for secure only belong to domain machines.

    Or you have to create all records manually, which has the disadvantage of not using DHCP for these machines.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Tuesday, October 4, 2011 10:44 AM
  • thanks, great support.

    Dieter

    Tuesday, October 4, 2011 10:46 AM
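The fix in this thread (switching the zone from "secure only" to "nonsecure and secure") makes the workgroup machines register, but it also means any host that can reach the DNS server on port 53 can add or change records in the zone without authenticating, which is exactly the spoofing risk "secure only" exists to prevent. The PowerShell script below is an added example, not code from the thread or from Microsoft: it audits the dynamic-update mode of every primary zone on a Windows Server 2008 R2 DNS server using dnscmd.exe (the only management tool 2008 R2 ships, since the DnsServer PowerShell module only arrived with 2012) and can set a zone back to secure only. The function names are my own, and the parsing assumes the English dnscmd output format and that the script runs elevated on the DNS server.

```powershell
# Added example, not from the original thread. Assumes dnscmd.exe with English
# output and an elevated session on a Windows Server 2008 R2 DNS server.
# dnscmd /ZoneInfo reports "update = N": 0 = no dynamic updates,
# 1 = nonsecure and secure, 2 = secure only (Kerberos-authenticated domain
# computers only; this is why non-joined hosts fail with event 11166).
$UpdateModeNames = @{ 0 = 'None'; 1 = 'NonsecureAndSecure'; 2 = 'SecureOnly' }
$UpdateModeValues = @{ None = 0; NonsecureAndSecure = 1; SecureOnly = 2 }

function Get-PrimaryZoneName {
    # Parse 'dnscmd /EnumZones'; data rows have the zone name in column 1 and
    # the zone type in column 2. Only primary zones accept dynamic updates.
    $lines = & dnscmd.exe /EnumZones 2>&1
    foreach ($line in $lines) {
        if ($line -match '^\s*(\S+)\s+Primary\s+') { $matches[1] }
    }
}

function Get-ZoneUpdateMode {
    param([Parameter(Mandatory = $true)][string]$ZoneName)
    $info = & dnscmd.exe /ZoneInfo $ZoneName 2>&1
    foreach ($line in $info) {
        if ($line -match '^\s*update\s*=\s*(\d)') { return [int]$matches[1] }
    }
    throw "Could not read the dynamic update mode of zone '$ZoneName'"
}

function Test-DnsZoneUpdateSecurity {
    # Emit one object per primary zone and flag zones that accept
    # unauthenticated updates, which lets any LAN host overwrite records
    # such as the A records of the domain controllers themselves.
    foreach ($zone in Get-PrimaryZoneName) {
        $mode = Get-ZoneUpdateMode -ZoneName $zone
        $risk = 'OK'
        if ($mode -eq 1) {
            $risk = 'Unauthenticated hosts can add or overwrite records in this zone'
        }
        New-Object PSObject -Property @{
            Zone       = $zone
            UpdateMode = $UpdateModeNames[$mode]
            Risk       = $risk
        }
    }
}

function Set-ZoneUpdateMode {
    # Equivalent to the "Dynamic updates" drop-down on the zone's General tab.
    # SecureOnly is only accepted for AD-integrated (DS-integrated) zones.
    param(
        [Parameter(Mandatory = $true)][string]$ZoneName,
        [Parameter(Mandatory = $true)]
        [ValidateSet('None', 'NonsecureAndSecure', 'SecureOnly')][string]$Mode
    )
    $value = $UpdateModeValues[$Mode]
    & dnscmd.exe /Config $ZoneName /AllowUpdate $value | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd /Config $ZoneName /AllowUpdate $value failed (exit code $LASTEXITCODE)"
    }
}

# Usage: list every primary zone with its update mode and risk flag, then
# put a zone back to secure only once its non-domain records have been
# created manually (the trade-off the answer above describes).
Test-DnsZoneUpdateSecurity | Format-Table Zone, UpdateMode, Risk -AutoSize
# Set-ZoneUpdateMode -ZoneName 'example.intra' -Mode SecureOnly
```

After changing the mode, run `ipconfig /registerdns` on a domain member and on a workgroup machine and compare: with SecureOnly the domain member registers and the workgroup machine logs event 11166 again, which is the expected behaviour rather than a misconfiguration.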