Server 2012 R2 - The system failed to register host (A or AAAA) resource records (RRs) for network adapter

  • Question

  • We seem to be having an issue recently after introducing new Windows Server 2012 R2 servers where they fail to register DNS correctly. The Windows Firewall is off and the servers are on the same VLAN with no firewalls between them.

    When I do an ipconfig /registerdns or wait 24 hours for the system to try we get the following error:

    The system failed to register host (A or AAAA) resource records (RRs) for network adapter
    with settings:

               Adapter Name : {4A0ECF05-193F-4BEA-AA46-BEC593BA752B}
               Host Name : SRV-DATA
               Primary Domain Suffix : internal.local
               DNS server list :
                  192.168.0.50, 192.168.0.42
               Sent update to server : <?>
               IP Address(es) :
                 192.168.0.99

    The reason the system could not register these RRs was because the DNS server contacted refused the update request. The reasons for this might be (a) you are not allowed to update the specified DNS domain name, or (b) because the DNS server authoritative for this name does not support the DNS dynamic update protocol.

    To register the DNS host (A or AAAA) resource records using the specific DNS domain name and IP addresses for this adapter, contact your DNS server or network systems administrator.

    On our DNS server we have set for the internal.local zone Secure Updates only so that looks good because it is Active Directory that should be handling this authentication to update the record I assume. Just to mention that when also doing an ipconfig /registerdns the update fails within a few seconds.

    Source: DNS Clients Events

    Event ID: 8018

    User: NETWORK SERVICE

    This issue is only affecting Windows Server 2012 R2 clients and testing with Windows Server 2008 R2 clients works no issues. So is this a mis-configuration or a bug with Windows 2012 R2? I have checked all DNS settings on client / server which all look good to me so reaching out now to see if anyone has any ideas?

    Environment:

    - Windows Server 2012 R2 Domain Controllers (Forest/Domain Levels 2012 R2)

    - Windows Server 2012 R2 Client machines (Physical and Virtual)

    - Windows Server 2008 R2 Client machines (Physical and Virtual)

    Thursday, July 17, 2014 11:21 AM

All replies

  • Decided to do a packet capture and look to see if anything is being blocked. To my surprise I could see that nothing is blocked as I see the SOA dynamic update request hit the DNS Server but then on the dynamic updates response from the DNS Server I see the following in the packet filter:

    Dynamic update response 0xfb38 Refused CNAME

    Transaction ID: 0x97f9
    Flags: 0xa805 Dynamic update response, Refused
    1... .... .... .... = Response: Message is a response
    .010 1... .... .... = Opcode: Dynamic update (5)
    .... .0.. .... .... = Authoritative: Server is not an authority for domain
    .... ..0. .... .... = Truncated: Message is not truncated
    .... ...0 .... .... = Recursion desired: Don't do query recursively
    .... .... 0... .... = Recursion available: Server can't do recursive queries
    .... .... .0.. .... = Z: reserved (0)
    .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
    .... .... ...0 .... = Non-authenticated data: Unacceptable
    .... .... .... 0101 = Reply code: Refused (5)

    So it does look like the request is being denied/refused for some reason which is odd. Looks like the update was not authenticated.. 


    Thursday, July 17, 2014 1:53 PM
  • Is the zone on which the updates are being sent configured to accept secure + non-secure updates? Also, the server should be authoritative for the zone. Can you paste the result of the PS cmd get-dnsServerZone | fl * here? Also, please paste the incoming packet.
    Thursday, July 17, 2014 4:59 PM
  • The zone is configured as "Secure Only"

    The PDC is the SOA for the zone

    I don't have a packet capture from the DC, only the client.

    The query you asked me to run is too long to paste in here, however this is the DNS zone it cannot update:

    NotifyServers                     : 
    SecondaryServers                  : {10.2.0.3, 10.2.0.5}
    AllowedDcForNsRecordsAutoCreation : 
    DistinguishedName                 : DC=internal.local,cn=MicrosoftDNS,DC=ForestDnsZones,DC=internal,DC=local
                                       
    IsAutoCreated                     : False
    IsDsIntegrated                    : True
    IsPaused                          : False
    IsReadOnly                        : False
    IsReverseLookupZone               : False
    IsShutdown                        : False
    ZoneName                          : internal.local
    ZoneType                          : Primary
    DirectoryPartitionName            : ForestDnsZones.internal.local
    DynamicUpdate                     : Secure
    IsPluginEnabled                   : False
    IsSigned                          : False
    IsWinsEnabled                     : False
    Notify                            : NoNotify
    ReplicationScope                  : Forest
    SecureSecondaries                 : TransferToSecureServers
    ZoneFile                          : 
    PSComputerName                    : 
    CimClass                          : root/Microsoft/Windows/DNS:DnsServerPrimaryZone
    CimInstanceProperties             : {DistinguishedName, IsAutoCreated, IsDsIntegrated, IsPaused...}
    CimSystemProperties               : Microsoft.Management.Infrastructure.CimSystemProperties

    Thursday, July 17, 2014 5:17 PM
  • Are the updates being received secure? If they are not, you can change the setting to accept secure + non-secure updates. You can do this using set-dnsserverprimaryzone -zonename <> -DynamicUpdate NonsecureAndSecure

    Thursday, July 17, 2014 5:22 PM
  • While your idea of changing to "Secure and non-secure" may resolve the issue it is something I am not willing to do. We cannot have machines update DNS that are not members of our domain. Allowing the non-secure updates would really cause us security issues. 

    I am not sure if the updates are being received secure or not though... how can I check if the client is sending the update secure? I don't really know what I am looking for in the packet capture or client settings that send the update secure or not. Do you know?

    Thursday, July 17, 2014 8:03 PM
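
On what to look for in the capture: a secure (GSS-TSIG, RFC 3645) dynamic update carries a TSIG record (type 250) as the last record of its additional section, while an unsigned update has none. The following is an added example, not code from any poster in this thread; it decodes the header flags shown in the capture above and classifies an UPDATE message, using constructed sample packets and a hypothetical key name `example-key`.

```python
import struct

RCODES = {0: "NoError", 5: "Refused", 9: "NotAuth"}
TSIG = 250  # RR type that carries the signature on a secure update (RFC 2845 / RFC 3645)

def decode_flags(flags):
    """Split the 16-bit DNS header flags word."""
    return {"response": bool(flags >> 15),
            "opcode": (flags >> 11) & 0xF,          # 5 = dynamic update
            "rcode": RCODES.get(flags & 0xF, flags & 0xF)}

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:                        # compression pointer ends the name
            return off + 2
        off += 1 + n

def update_security(msg):
    """Return 'signed' if a DNS UPDATE ends with a TSIG record, else 'unsigned'."""
    _id, flags, zo, pr, up, ad = struct.unpack("!6H", msg[:12])
    if decode_flags(flags)["opcode"] != 5:
        raise ValueError("not a dynamic update message")
    off, last_additional = 12, None
    for _ in range(zo):                             # zone entries: name, type, class
        off = _skip_name(msg, off) + 4
    for i in range(pr + up + ad):                   # RRs: name, type, class, ttl, rdlen, rdata
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if i >= pr + up:                            # only additional-section records count
            last_additional = rtype
    return "signed" if last_additional == TSIG else "unsigned"

def _name(s):
    return b"".join(bytes([len(p)]) + p.encode() for p in s.split(".")) + b"\0"

# Constructed samples (not a real capture): UPDATE adding SRV-DATA.internal.local A 192.168.0.99
ZONE = _name("internal.local") + struct.pack("!HH", 6, 1)            # type SOA, class IN
ADD_A = _name("SRV-DATA.internal.local") + struct.pack("!HHIH", 1, 1, 1200, 4) + bytes([192, 168, 0, 99])
SIG = _name("example-key") + struct.pack("!HHIH", TSIG, 255, 0, 4) + b"\0" * 4  # placeholder rdata, no real MAC
UNSIGNED = struct.pack("!6H", 0x97F9, 0x2800, 1, 0, 1, 0) + ZONE + ADD_A
SIGNED = struct.pack("!6H", 0x97F9, 0x2800, 1, 0, 1, 1) + ZONE + ADD_A + SIG
```

Feed `update_security` the DNS payload of the UPDATE request that precedes each Refused response in the client capture. A zone set to Secure only refuses unsigned updates, so a refusal that follows a signed request is the one worth investigating.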
  • Ditto. I have workstations on a single-DC 2012 R2 network which are recording event 8018 as well. Likewise, I'm not willing to degrade DNS security to accommodate some bug or ?? in the OS.

    What is the resolution to this issue?

    Saturday, August 22, 2015 7:01 PM
  • I am experiencing this same issue with Windows 8.1 and 10 clients.  I am also not willing to allow non-secure updates to DNS.

    Is there any resolution for this issue?

    Thursday, October 8, 2015 2:00 PM
  • I am experiencing the same problem, has anyone found a solution to this?

    www.justechn.com

    Wednesday, November 18, 2015 5:31 AM
  • Same issue here, Server 2012 R2 DC / DNS / DHCP.

    Windows 10 Pro clients.  Get this event id 8018 on the client machines.  What's odd is it says Sent update to server: <?>, so even the event log is not capturing the DNS server it's speaking to.

    Secure updates is enabled, but with the clients being a member of the AD Domain and valid computer + user credentials signing in, why is this still happening?

    Wednesday, March 2, 2016 9:12 PM
  • Same issue here, Server 2012 R2 DC / DNS / DHCP.

    Windows 10 Pro clients.  Get this event id 8018 on the client machines.  What's odd is it says Sent update to server: <?>, so even the event log is not capturing the DNS server it's speaking to.

    Secure updates is enabled, but with the clients being a member of the AD Domain and valid computer + user credentials signing in, why is this still happening?


    I'm getting exactly the same thing and only on my Win10 Pro machines...all my Win7 boxes don't experience this issue.  I'm almost wondering if this is one of those messages that's safe to ignore as the machines all get DHCP handed out as well as all DNS records are updated when an IP address is changed or the new computer is added to the domain...everything seems ok and I don't see any errors anywhere else...
    Friday, April 22, 2016 5:59 PM
  • Any news?

    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help.

    Monday, June 27, 2016 12:51 PM