DNS problem

  • Question

  • Hello,

    I have DC/DNS on Windows Server 2012 (not R2) and some clients with OS Windows 7 and some 8.1.

    All Windows 8.1 clients are not registered to DNS, with DNS Client Events ID 8018.

    Windows 7 clients registered to DNS OK.

    Must I have the DC on Windows Server 2012 R2?

    Event details:

    The system failed to register host (A or AAAA) resource records (RRs) for network adapter

    with settings:

               Adapter Name : {DF71F97C-9B9D-4DA4-8209-0C02978E8D3D}

               Host Name : PC02

               Primary Domain Suffix : faf.cuni.cz

               DNS server list :

                 2001:718:1201:100::1, 2001:718:1201:100::17, 172.18.100.1, 172.18.100.17

               Sent update to server : <?>

               IP Address(es) :

                 2001:718:1201:128:44f0:a314:f663:373a, 172.18.152.7

    The reason the system could not register these RRs was because the DNS server contacted refused the update request. The reasons for this might be (a) you are not allowed to update the specified DNS domain name, or (b) because the DNS server authoritative for this name does not support the DNS dynamic update protocol.

    To register the DNS host (A or AAAA) resource records using the specific DNS domain name and IP addresses for this adapter, contact your DNS server or network systems administrator.

    Thanks,

    Snake AG


    • Edited by SnakeAG Wednesday, December 18, 2013 5:27 PM
    Wednesday, December 18, 2013 1:29 PM

Answers

  • After changing the domain functional level, the problem is resolved.

    Dynamic DNS registration is working fine on Windows 8.1.

    Thanks.

    • Marked as answer by SnakeAG Thursday, January 2, 2014 1:15 PM
    Thursday, January 2, 2014 1:15 PM

All replies

  • Hi,

    Please try to double check your DNS server and clients' configuration.

    http://support.simpledns.com/KB/a182/the-system-failed-to-register-host-resource-records.aspx

    If you need further assistance, please feel free to contact me.

    Best Regards

    Quan Gu

    Thursday, December 19, 2013 3:23 AM
  • I use the DNS server from Windows Server 2012 (Active Directory integrated).

    This is not a solution for me.

    Thursday, December 19, 2013 6:32 AM
  • Hi,

    Some tweaks at the client and DNS side.

    http://support.simpledns.com/KB/a182/the-system-failed-to-register-host-resource-records.aspx


    Regards Suman B. Singh

    Thursday, December 19, 2013 6:43 AM
  • These tweaks do not help me.
    Thursday, December 19, 2013 6:49 AM
  • At this URL: http://technet.microsoft.com/en-us/library/cc735771(WS.10).aspx event ID 8018 does not exist.

    The second URL does not help me; Windows 7 clients registered on this DNS correctly.

    Is this a bug in Windows 8.1?

    Thursday, December 19, 2013 7:16 AM
  • I doubt very much it is a bug in Windows 8.1.

    Are the 8.1 clients members of the same domain as the Windows 7 clients?  Are the 8.1 clients on the same subnet as the 7 clients?

    It sounds like you have some sort of configuration of your DNS that is preventing the 8.1 clients from registering.


    .:|:.:|:. tim

    Monday, December 23, 2013 10:44 PM
  • Hi,

    Is there any update? Does the problem persist?

    Best Regards

    Quan Gu

    Tuesday, December 24, 2013 1:42 AM
  • Yes, Windows 8.1 and Windows 7 are in the same domain and the same subnets.

    Tuesday, December 24, 2013 7:53 AM
  • Problem persists.
    Tuesday, December 24, 2013 7:54 AM
  • hi SnakeAG.

    how many VLANs are there in your environment? how many related DHCP scopes?

    are your windows 7 & windows 8.1 clients on the same VLAN?

    how many DHCP servers have you got & what OS?

    are all your clients receiving their IP configuration from the same DHCP?

    how have you configured dynamic update settings on your DHCP server?

    is there any GPO configured that relates to dynamic DNS registration? (DNSSEC Policies & stuff)

    are you using IPv6 in your environment also? if not, then try to disable IPv6.

    plus check the advanced NIC configuration of your Windows 8.1 clients , check the priority of your NICs & network protocols.


    this post is provided as is, with no warranties/guarantees



    Wednesday, December 25, 2013 8:32 PM
  • Hi Saeed,

    I use two VLANs, one for Windows 7+8.1 and one for servers (DC+DNS, DHCP ... WS2012)

    I use one DHCP scope for Windows 7+8.1, other scopes for Wifi, ...

    Windows 7 and 8.1 clients are on the same VLAN

    Clients received IPv4 configuration from DHCP and IPv6 from RA

    DHCP server is configured for dynamic update

    I do not have any GPO for dynamic DNS registration

    I use IPv6

    I tried disabling IPv6 and the problem persists

    I checked all NIC configuration but without any visible problem

    Thursday, December 26, 2013 5:48 PM
  • tnx for the reply.

    is there any filtering set in your DHCP server?


    this post is provided as is, with no warranties/guarantees

    Friday, December 27, 2013 9:10 PM
  • No, I have not set any filtering in the DHCP server.

    Saturday, December 28, 2013 7:07 AM
  • Let's see an ipconfig /all from a couple of your machines for comparison.

    Also:

    1. Does the issue just occur on wireless or on wired and wireless?
    2. Is it just with DHCP clients, or DHCP and static clients (such as your DCs and member servers)?
    3. Is the zone set to Secure Only? If it is, and you set the zone to Unsecure, does it work?

    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Monday, December 30, 2013 7:20 AM
  • Windows 8.1 ipconfig /all

    Q:\>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : PCUVT1
       Primary Dns Suffix  . . . . . . . : faf.cuni.cz
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : faf.cuni.cz
       System Quarantine State . . . . . : Not Restricted


    Ethernet adapter Síť Ethernet:

       Connection-specific DNS Suffix  . : faf.cuni.cz
       Description . . . . . . . . . . . : Intel(R) 82566DM-2 - gigabitové síťové připojení
       Physical Address. . . . . . . . . : 00-1E-4F-E3-2E-12
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2001:718:1201:128:15c3:3160:f281:2038(Preferred)
       Temporary IPv6 Address. . . . . . : 2001:718:1201:128:9e8:61a9:1826:3ac1(Preferred)
       Link-local IPv6 Address . . . . . : fe80::15c3:3160:f281:2038%3(Preferred)
       IPv4 Address. . . . . . . . . . . : 172.18.130.1(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.224.0
       Lease Obtained. . . . . . . . . . : Friday, December 27, 2013 1:05:29 PM
       Lease Expires . . . . . . . . . . : Thursday, February 5, 2150 5:39:04 PM
       Default Gateway . . . . . . . . . : fe80::eab7:48ff:fee5:f17f%3
                                           172.18.128.10
       DHCP Server . . . . . . . . . . . : 172.18.100.241
       DHCPv6 IAID . . . . . . . . . . . : 50339407
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-3C-A4-45-00-1E-4F-E3-2E-12

       DNS Servers . . . . . . . . . . . : 2001:718:1201:100::1
                                           2001:718:1201:100::17
                                           172.18.100.1
                                           172.18.100.17
       Quarantine State. . . . . . . . . : Not Restricted

       NetBIOS over Tcpip. . . . . . . . : Enabled
       Connection-specific DNS Suffix Search List :
                                           faf.cuni.cz

    Tunnel adapter isatap.faf.cuni.cz:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : faf.cuni.cz
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Monday, December 30, 2013 10:13 AM
  • This issue is on wired clients.

    I have DHCP static clients (MAC reservations)

    This zone is set to secure only.

    (The same working fine for Windows 7 clients)

    Monday, December 30, 2013 10:16 AM
  • Windows 7 ipconfig /all

    C:\Users\rudisar>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : PCUVT2
       Primary Dns Suffix  . . . . . . . : faf.cuni.cz
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : faf.cuni.cz
       System Quarantine State . . . . . : Not Restricted

    Ethernet adapter Připojení k místní síti:

       Connection-specific DNS Suffix  . : faf.cuni.cz
       Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
       Physical Address. . . . . . . . . : 00-01-80-7C-ED-6E
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2001:718:1201:128:201:80ff:fe7c:ed6e(Preferred)
       Link-local IPv6 Address . . . . . : fe80::201:80ff:fe7c:ed6e%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 172.18.130.2(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.224.0
       Lease Obtained. . . . . . . . . . : 30. prosince 2013 11:22:02
       Lease Expires . . . . . . . . . . : 5. února 2150 17:53:29
       Default Gateway . . . . . . . . . : fe80::eab7:48ff:fee5:f17f%11
                                           172.18.128.10
       DHCP Server . . . . . . . . . . . : 172.18.100.241
       DHCPv6 IAID . . . . . . . . . . . : 234881408
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-DD-29-B0-00-01-80-7C-ED-6E
       DNS Servers . . . . . . . . . . . : 2001:718:1201:100::1
                                           2001:718:1201:100::17
                                           172.18.100.1
                                           172.18.100.17
       Quarantine State. . . . . . . . . : Not Restricted
       NetBIOS over Tcpip. . . . . . . . : Enabled
       Connection-specific DNS Suffix Search List :
                                           faf.cuni.cz

    Monday, December 30, 2013 10:33 AM
  • Thank you for the detailed info. A couple of more questions:

    1. Have you tried setting the zone faf.cuni.cz, to Unsecure to see if that works? If it does work, then it's a Kerberos Authentication issue on the Windows 8.1 clients.
    2. I assume it does not occur with statically configured machines, such as your servers (any of them), and which I do not mean DHCP MAC reservations.

    *

    DHCP server configuration?

    Do you have DHCP configured with Credentials, the DHCP servers added to the DnsUpdateProxy group, and have set DHCP to update ALL clients whether they can or not?

    If you haven't configured DHCP this way, I recommend going this route, because this setup will take care of registering all clients.

    The reason I say this, is because with this setup, we are altering the default registration mechanism, whereas the client is trying to register so instead, we force DHCP to register.

    Here's the default registration mechanism:

    1. By default, a Windows 2000 and newer statically configured machines will
    register their own A record (hostname) and PTR (reverse entry) into DNS.
    2. If set to DHCP, a Windows 2000, 2003 or XP machine, will request DHCP to allow
    the machine itself to register its own A (forward entry) record, but DHCP will register its PTR
    (reverse entry) record.
    3. If Windows 2008 or newer, the DHCP server always registers and updates client information in DNS.
       Note: "This is a modified configuration supported for DHCP servers
             running Windows Server 2008 and DHCP clients. In this mode,
             the DHCP server always performs updates of the client's FQDN,
             leased IP address information, and both its host (A) and
             pointer (PTR) resource records, regardless of whether the
             client has requested to perform its own updates."
             Quoted from, and more info on this, see:
             http://technet.microsoft.com/en-us/library/dd145315(v=WS.10).aspx
    4. The entity that registers the record in DNS, owns the record.
       Note "With secure dynamic update, only the computers and users you specify
            in an ACL can create or modify dnsNode objects within the zone.
            By default, the ACL gives Create permission to all members of the
            Authenticated User group, the group of all authenticated computers
            and users in an Active Directory forest This means that any
            authenticated user or computer can create a new object in the zone.
            Also by default, the creator owns the new object and is given full control of it."
            Quoted from, and more info on this:
            http://technet.microsoft.com/en-us/library/cc961412.aspx

    *

    Therefore, to set it all up, in summary:

    • Configure DHCP Credentials. The credentials only need to be a plain-Jane, non-administrator, user account. But give it a really strong password.
    • Set DHCP to update everything, whether the clients can or cannot.
    • Set the zone for Secure & Unsecure Updates. Do not leave it Unsecure Only.
    • Add the DHCP server(s) to the Active Directory, Built-In DnsUpdateProxy security group. Make sure ALL other non-DHCP servers are NOT in the DnsUpdateProxy group. For example, some believe that the DNS servers or other DCs not running DHCP should be in it. They must be removed or it won't work. Make sure that NO user accounts are in that group, either. (I hope that's crystal clear - you would be surprised how many will respond asking if the DHCP credentials should be in this group.)
    • On Windows 2008 R2 or newer, DISABLE Name Protection.
    • If DHCP is co-located on a Windows 2008 R2 or Windows 2012 DC, you can and must secure the DnsUpdateProxy group by running the following:
              dnscmd /config /OpenAclOnProxyUpdates 0
    • Configure Scavenging on ONLY one DNS server. What it scavenges will replicate to others anyway. Set the scavenging NOREFRESH and REFRESH values combined to be equal or greater than the DHCP Lease length.

    *

    Details on how to set it up with screenshots:

    DHCP Service Configuration, Dynamic DNS Updates, Scavenging, Static Entries, Timestamps, DnsUpdateProxy Group, DHCP Credentials, prevent duplicate DNS records, DHCP has a "pen" icon, and more...
    Published by Ace Fekay, MCT, MVP DS on Aug 20, 2009 at 10:36 AM
    http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx  

    Good summary
    How Dynamic DNS behaves with multiple DHCP servers on the same Domain?
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e9d13327-ee75-4622-a3c7-459554319a27

    Another good discussion that Microsoft support concurred with my settings for a poster that called in to Support, which verified my settings are correct:
    DHCP Server Not Registering A Records for Windows Clients
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e4b285d6-5795-4045-83ff-3a3c793b2cfc/

    *

    More reading on DNS registration:

    AD & Dynamic DNS Updates Registration Rules of engagement
    http://blogs.msmvps.com/acefekay/2012/11/19/ad-dynamic-dns-updates-registration-rules-of-engagement/


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Monday, December 30, 2013 6:00 PM
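
    An added example, not part of the reply above and not the poster's own code: a read-only PowerShell audit that compares a DHCP/DNS pair against the checklist in that reply. It assumes the DnsServer, DhcpServer and ActiveDirectory RSAT modules are installed; both server names are placeholders, and the zone name is the one from the thread. It also reports a zone in Secure & Unsecure mode, because that mode accepts unauthenticated updates as well.

```powershell
# Added example: read-only audit of the DHCP/DNS settings in the checklist above.
# Assumes the DnsServer, DhcpServer and ActiveDirectory RSAT modules.
# The zone name is the one from the thread; both server names are placeholders.
param(
    [string]$ZoneName   = 'faf.cuni.cz',
    [string]$DnsServer  = 'DNS-SERVER-PLACEHOLDER',
    [string]$DhcpServer = 'DHCP-SERVER-PLACEHOLDER'
)
Import-Module DnsServer, DhcpServer, ActiveDirectory
$findings = New-Object System.Collections.Generic.List[string]

# Zone update mode is None, Secure or NonsecureAndSecure.
$zone = Get-DnsServerZone -Name $ZoneName -ComputerName $DnsServer
switch ("$($zone.DynamicUpdate)") {
    'None'               { $findings.Add("Zone $ZoneName refuses all dynamic updates.") }
    'NonsecureAndSecure' { $findings.Add("Zone $ZoneName also accepts unauthenticated updates.") }
}

# DHCP needs its own credentials so that it owns the records it registers.
$cred = Get-DhcpServerDnsCredential -ComputerName $DhcpServer
if ([string]::IsNullOrEmpty($cred.UserName)) {
    $findings.Add('DHCP server has no DNS dynamic update credentials configured.')
}

# "Update everything, whether the clients can or cannot", with Name Protection off.
$dhcpDns = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer
if ("$($dhcpDns.DynamicUpdates)" -ne 'Always') {
    $findings.Add("DHCP DynamicUpdates is '$($dhcpDns.DynamicUpdates)', not 'Always'.")
}
if (-not $dhcpDns.UpdateDnsRRForOlderClients) {
    $findings.Add('DHCP does not register clients that do not request updates.')
}
if ($dhcpDns.NameProtection) {
    $findings.Add('Name Protection is enabled at the DHCP server level.')
}

# DnsUpdateProxy: authorised DHCP servers only, never users, DCs or DNS-only servers.
$dhcpHosts = @(Get-DhcpServerInDC | ForEach-Object { $_.DnsName.ToLower() })
$inGroup   = @()
foreach ($member in Get-ADGroupMember -Identity 'DnsUpdateProxy') {
    if ($member.objectClass -ne 'computer') {
        $findings.Add("DnsUpdateProxy contains non-computer member $($member.SamAccountName).")
        continue
    }
    $fqdn = "$((Get-ADComputer -Identity $member.distinguishedName).DNSHostName)".ToLower()
    $inGroup += $fqdn
    if ($dhcpHosts -notcontains $fqdn) {
        $findings.Add("DnsUpdateProxy member $fqdn is not an authorised DHCP server.")
    }
}
foreach ($h in $dhcpHosts) {
    if ($inGroup -notcontains $h) { $findings.Add("DHCP server $h is not in DnsUpdateProxy.") }
}

# Scavenging: NoRefresh + Refresh must be at least as long as every DHCP lease.
$aging  = Get-DnsServerZoneAging -Name $ZoneName -ComputerName $DnsServer
$window = $aging.NoRefreshInterval + $aging.RefreshInterval
foreach ($scope in Get-DhcpServerv4Scope -ComputerName $DhcpServer) {
    if ($window -lt $scope.LeaseDuration) {
        $findings.Add("Scope $($scope.ScopeId): lease $($scope.LeaseDuration) exceeds aging window $window.")
    }
}

if ($findings.Count -eq 0) { 'No deviations from the checklist found.' } else { $findings }
```

    The script changes nothing; the `dnscmd /config /OpenAclOnProxyUpdates 0` step from the checklist is not checked here.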
  • Thanks Ace.

    After I set the zone to unsecure, DNS registration is working.

    How do I resolve the problem with Kerberos authentication?

    Monday, December 30, 2013 6:48 PM
  • I have in "Default Domain Policy" GPO this:

    Account Policies/Kerberos

    Policy                                                  Policy Setting
    Enforce user logon restrictions                         Enabled
    Maximum lifetime for service ticket                     600 minutes
    Maximum lifetime for user ticket                        10 hours
    Maximum lifetime for user ticket renewal                7 days
    Maximum tolerance for computer clock synchronization    5 minutes

    for computer configuration (Windows 7 and Windows 8.1).

    Monday, December 30, 2013 6:59 PM
  • I usually don't recommend changing Kerberos settings. Those settings you posted look like the default settings. I

    Late edit: In some cases with Kerberos auth settings, it's not just in the domain policy, rather it may also need to be changed in the security settings in the Default Domain Controller Policy for all DCs. Now you see why I don't usually recommend changes in this area and try to resolve the issue first.

    I assume the Windows 8 and 8.1 machines clocks are within 5 minutes skew with the DCs and all other machines.

    If you don't want to implement DHCP as suggested, which is the way that many installations, small and large, have it configured so they have full control of what's being updated, which I know will work, (it also eliminates duplicate A and PTR records), then we have to look deeper into why DNS updates authentication is not working. With Kerberos issues, it's a bit more involved to get to the root of it and will involve packet captures filtering for kerb authentication and DNS client side SOA query and the registration sequence process.

    Is the SOA available? Check the zone to make sure there are no old servers in the NS list. That's the main way registration works, as I assume you took the time to read up on it in my DNS update rules blog.

    What domain functional level is the domain set to?

    Did this all start after a Windows update perhaps?

    In such cases, it's better to get Microsoft support involved where they can run numerous tests to get down to the root of the issue. If you do, please post what they've found.
    http://support.microsoft.com/contactus/


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.



    • Edited by Ace Fekay [MCT] Monday, December 30, 2013 7:47 PM See Late Edit in my reply
    • Proposed as answer by Quan Gu Tuesday, December 31, 2013 9:44 AM
    Monday, December 30, 2013 7:45 PM
  • SOA is available and the NS list is correct.

    Domain functional level is Windows Server 2008 R2 - must I change this to Windows Server 2012?

    Monday, December 30, 2013 8:23 PM
  • That's what I would have done if I've upgraded the domain. So you can, as long as ALL DCs are now 2012. If there are any 2008 R2 or older DCs, no you can't.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    • Proposed as answer by Quan Gu Tuesday, December 31, 2013 9:44 AM
    Monday, December 30, 2013 8:31 PM
  • After changing the domain functional level, the problem is resolved.

    Dynamic DNS registration is working fine on Windows 8.1.

    Thanks.

    • Marked as answer by SnakeAG Thursday, January 2, 2014 1:15 PM
    Thursday, January 2, 2014 1:15 PM
  • After changing the domain functional level, the problem is resolved.

    Dynamic DNS registration is working fine on Windows 8.1.

    Thanks.

    I'm happy to hear this worked. Certain authentication and other changes are added with newer domain functional levels.

    I'm also happy to hear our suggestions helped you!


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Thursday, January 2, 2014 5:10 PM
  •         By default, the ACL gives Create permission to all members of the
            Authenticated User group, the group of all authenticated computers
            and users in an Active Directory forest This means that any
            authenticated user or computer can create a new object in the zone.
            Also by default, the creator owns the new object and is given full control of it."
            Quoted from, and more info on this:
            http://technet.microsoft.com/en-us/library/cc961412.aspx

    Thank you for posting this Ace!  We just came across this problem where Dynamic DNS was not working, and the key in our scenario was the text "By default, the ACL gives Create permission to all members of the Authenticated User group". 

    In our scenario, changing the dynamic updates option to allow insecure updates did work (but we obviously didn't want that).  In digging further I found that someone in our environment had incorrectly changed the "Authenticated Users" group to no longer have the "Create all child objects" permission and this is what prevented Dynamic DNS from working in one of our environments.  Once this was corrected, Dynamic DNS started to work correctly.

    I realize this is an old thread, but I wanted to post this information here since there are other good tips here and will hopefully help someone else.

    Thanks!
    • Edited by Aakash Shah Thursday, July 30, 2015 2:52 AM
    Thursday, July 30, 2015 2:51 AM
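
    An added example, not part of the post above: a read-only PowerShell check of the zone ACL condition that post describes, reporting whether Authenticated Users still hold a "Create child" entry on an AD-integrated zone. It assumes the DnsServer and ActiveDirectory RSAT modules; the server name is a placeholder and the zone name is the one from the thread.

```powershell
# Added example: read-only check of the zone ACL described in the post above.
param(
    [string]$ZoneName  = 'faf.cuni.cz',            # zone name from the thread
    [string]$DnsServer = 'DNS-SERVER-PLACEHOLDER'  # placeholder
)
Import-Module DnsServer, ActiveDirectory   # ActiveDirectory provides the AD: drive

$zone = Get-DnsServerZone -Name $ZoneName -ComputerName $DnsServer
if (-not $zone.IsDsIntegrated) { throw "$ZoneName is not Active Directory integrated." }

# Read the ACEs as SIDs so the match also works on localized systems.
# S-1-5-11 is the well-known SID of Authenticated Users.
$sidType = [System.Security.Principal.SecurityIdentifier]
$acl     = Get-Acl -Path ("AD:\" + $zone.DistinguishedName)
$rules   = @($acl.GetAccessRules($true, $true, $sidType) |
    Where-Object { $_.IdentityReference.Value -eq 'S-1-5-11' })

# Keep only the entries that carry the CreateChild right.
$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$create = @($rules | Where-Object { $_.ActiveDirectoryRights.HasFlag($createChild) })
$allow  = @($create | Where-Object { $_.AccessControlType -eq 'Allow' })
$deny   = @($create | Where-Object { $_.AccessControlType -eq 'Deny' })

if ($deny.Count -gt 0) {
    "Authenticated Users are explicitly denied CreateChild on $ZoneName."
} elseif ($allow.Count -gt 0) {
    "Authenticated Users can create child objects in $ZoneName."
    # An all-zero ObjectType means the entry applies to all child object classes.
    $allow | Select-Object ActiveDirectoryRights, ObjectType, IsInherited
} else {
    "Authenticated Users have no CreateChild entry on $ZoneName; secure updates from new clients will be refused."
}
```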
  •         By default, the ACL gives Create permission to all members of the
            Authenticated User group, the group of all authenticated computers
            and users in an Active Directory forest This means that any
            authenticated user or computer can create a new object in the zone.
            Also by default, the creator owns the new object and is given full control of it."
            Quoted from, and more info on this:
            http://technet.microsoft.com/en-us/library/cc961412.aspx

    =======================================

    Thank you for posting this Ace!  We just came across this problem where Dynamic DNS was not working, and the key in our scenario was the text "By default, the ACL gives Create permission to all members of the Authenticated User group". 

    In our scenario, changing the dynamic updates option to allow insecure updates did work (but we obviously didn't want that).  In digging further I found that someone in our environment had incorrectly changed the "Authenticated Users" group to no longer have the "Create all child objects" permission and this is what prevented Dynamic DNS from working in one of our environments.  Once this was corrected, Dynamic DNS started to work correctly.

    I realize this is an old thread, but I wanted to post this information here since there are other good tips here and will hopefully help someone else.

    Thanks!

    You are welcome, Aakash! Glad to hear it helped to guide you where to look to resolve it. :-)

    Cheers!

    Ace


    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Thursday, July 30, 2015 5:01 PM