Server 2012 R2 clients not registering dynamic DNS

    Question

  • I'm having issues specifically with Windows 2012 R2 operating systems not dynamically registering their network information in my DNS.

    My AD/DNS environment consists of Windows 2008 R2 and Windows 2012 R2 Domain controllers in a 2008 R2 Functional Domain/Forest.

    Windows Server 2003, Windows Server 2008, Win 7/R2, Server 2012, and Windows 8.1 VM/physical are registering DNS dynamically for both DHCP received address as well as statically assigned addresses.

    Windows 2012 R2 is generally running on Gen2 VMs in a 2012R2 host, but the problem exists with the 2012 R2 physical hosts as well.

    Manually registering via ipconfig /registerdns works. DNS scavenging is in place, 1 day / 1 day.

    To summarize - it's working for everything else dynamically, but just not for Windows 2012 R2 DHCP/Static networking information.

    Monday, June 23, 2014 4:42 PM

All replies

  • Hi,

    Have you enabled the dynamic registration in the Windows server 2012r2?

    To enable the DNS dynamic registration, please follow the steps below:

    1. Open the Network Connections folder and view available connections.
    2. Right-click the connection that you want to configure, and then click Properties.
    3. On the General tab, in This connection uses the following items, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
    4. Click Advanced.
    5. Make sure that "Register this connection's addresses in DNS" checkbox is checked.

    If you have enabled the dynamic registration, is there any warning or error in DNS server and Windows server 2012r2? You may check that in event viewer or DNS log.

    Hope this helps.



    Steven Lee

    TechNet Community Support

    Tuesday, June 24, 2014 11:45 AM
    Moderator
  • Hi Steven,

    Thank you for your response. The settings on the adapters are checked, and set for "Register this connection's addresses in DNS". There are not any errors on either of my 2008 R2 or 2012 R2 DNS servers, and they pass the BPA for these roles. Event viewer is clean, and SCOM 2012 monitoring on these servers has not reported anything (default windows server pack).

    At this point, rebooting the machines will end up with their address registered as will doing a manual command line registration. So I'm wondering if it has something to do with my scavenging settings on the zone.

    Does 2012 R2 still update every 24 hours?

    Tuesday, June 24, 2014 1:29 PM
  • Hello Kyle,

    The settings that you have for scavenging are not fine. It should be based on the lease duration provided by the DHCP servers.

    E.g.: if the DHCP lease duration is 6 days, then Refresh: 3 days, No Refresh: 3 days, and to be on the safe side the Scavenging should be 2 days.

    By default, servers with static IP addresses try to register their records every 24 hours. This could be one of the reasons.

    To dig deeper please enable auditing using the following link:

    http://blogs.technet.com/b/networking/archive/2011/08/17/tracking-dns-record-deletion.aspx

    Enable auditing and check who deleted the record.

    Also install the latest roll ups for the servers.

    Regards.

    Sandeep Suman


    • Edited by Sandeep Suman Tuesday, June 24, 2014 7:38 PM missed a point
    Tuesday, June 24, 2014 7:37 PM
  • Hello Sandeep Suman,

    I didn't mention that my DHCP pool for the network which contains these servers is only set to 8 hours. Either way, if the static information attempt is every 24 hours - then it should be within my 2 days. Which has been working just fine for all other systems operating systems (roughly 6K).

    I enabled the verbose sec policy auditing in order to verify if the attempt is being made, what is happening with it etc per the documentation you referenced.

    Thank you - I will get back if there is any relevant information to update this thread with.

    Kyle

    Tuesday, June 24, 2014 8:18 PM
  • I gave it a couple days, and did find a few authentication errors related to updating the reverse pointer records.

    There were static entries made at some point in the reverse lookup zone which the client machine did not have access to. I've deleted these, and am waiting again.

    Could this have caused the forward lookup zone record to not be registered?

    Friday, June 27, 2014 4:34 PM
  • Hello Kyle,

    I do not think that this could have caused this issue, as the update methods for host A and PTR are in different packets.

    Please update the 2012 R2 servers with the list of recommended hotfixes and updates. As there is an update for this type of issue.

    regards.

    Sandeep Suman

    Saturday, June 28, 2014 5:21 PM
  • My apologies for not getting back to you sooner. 

    Could you please provide any documentation or reference to a KB for what particular hotfix/patch will affect this issue? The systems in question are fully patched for all applicable public updates.

    Regards,

    Kyle

    Monday, July 07, 2014 12:47 PM
  • Hello Kyle,

    I will update you with the KB in a few days as I am OOF.

    Regards.

    Sandeep 

    Tuesday, July 08, 2014 4:02 AM
  • Can you please post the KB.
    Wednesday, August 06, 2014 5:30 PM
  • My apologies for not getting back to you sooner. 

    Could you please provide any documentation or reference to a KB for what particular hotfix/patch will affect this issue? The systems in question are fully patched for all applicable public updates.

    Regards,

    Kyle

    There's more to the setup than one thinks.

    Here's a summarization. My blog may not be available at this time (current posting date) due to the blog site is in the middle of a migration. I hope this helps.

    ===
    In summary:

    DHCP DNS Update summary:
    - Configure DHCP Credentials.
      The credentials only need to be a plain-Jane, non-administrator, user account.
      But give it a really strong password.
    - Set DHCP to update everything, whether the clients can or cannot.
    - Set the zone for Secure & Unsecure Updates. Do not leave it Unsecure Only.
    - Add the DHCP server(s) computer account to the Active Directory,  Built-In DnsUpdateProxy security group.
      Make sure ALL other non-DHCP servers are NOT in the DnsUpdateProxy group.
      For example, some folks believe that the DNS servers or other DCs not be
      running DHCP should be in it.
      They must be removed or it won't work.
      Make sure that NO user accounts are in that group, either.
      (I hope that's crystal clear - you would be surprised how many
      will respond asking if the DHCP credentials should be in this group.)
    - On Windows 2008 R2 or newer, DISABLE Name Protection.
    - If DHCP is co-located on a Windows 2008 R2, Windows 2012, Windows 2012 R2,
     or NEWER DC, you can and must secure the DnsUpdateProxy group by running
     the following command:
      dnscmd /config /OpenAclOnProxyUpdates 0
    - Configure Scavenging on ONLY one DNS server. What it scavenges will replicate to others anyway.
    - Set the scavenging NOREFRESH and REFRESH values combined to be equal or greater than the DHCP Lease length.


    ===
    If there is an old scavenging DNS server specified, which may not allow a new DNS server that scavenging has been set on to scavenge records, then running the following command will clear the old scavenging server's IP and allow the scavenging of the zone:

    To see if a DNS server has been specifically assigned to scavenge a zone:

    dnscmd /zoneinfo <zonename>  
    -- you will see something like "Scavenge Servers  Addr Count = 1   Server[0] => <IP>"

    dnscmd /zoneresetscavengeservers <zonename>   --This will clear that IP from above, allowing any/all scavenging servers to scavenge this zone.

    Ref:
    Thread: "DNS scavenging zone, but leaving old non static records"
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/a18c5a85-c5a1-4c29-b4d5-4c320100c598/

    ==============================================

    Why is the DnsUpdateProxy group needed in conjunction with credentials?

    The technical reason is twofold:
     
    DnsUpdateProxy:
     Objects created by members of the DNSUpdateProxy group have no security; therefore, any authenticated user can take ownership of the objects.
     
    DHCP Credentials:
     Forces ownership to the account used in the credentials, which the DnsUpdateProxy group allowed to take ownership other than the registering client.
     
    The default process is outlined below, and this applies to non-Microsoft
    operating systems, too, but please note that non-Microsoft operating systems
    can't use Kerberos to authenticate to dynamically update into a Secure Only
    zone, however you can configure Windows DHCP to do that for you.

    Following discussed in:
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/6f5b82cf-48df-495e-b628-6b1a9a0876ba/regular-domain-user-uses-rsat-to-create-dns-records?forum=winserverNIS

    And a DHCP lease less than 24 hours will surely cause problems.

    It's recommended to be at least one day (25 hours is more than one day!), or some issues may occur with some apps and services, such as KMS with its 24 hour refresh cycle. Here's more on why at least 25 hours:

    "When a DNS record is created by a new client, the NoRefresh interval is in effect. When the client dynamically updates its DNS information in this situation, the client's DNS time stamp is not updated until the Refresh interval takes effect. This behavior prevents the replication of lots of DNS objects in the Active Directory directory service.
    During the Refresh interval, the client's DNS time stamp is updated. During the Scavenging interval, old DNS resource records are automatically deleted."
    Above is quoted from below:
    How DNS dynamic updates work together with the DNS "aging and scavenging" process in Windows 2000 and in Windows Server 2003 (applies to all operating systems)
    http://support.microsoft.com/kb/932464

    ===
    Scavenging time and guidelines:

    If you have more than one DHCP server in different locations or sites, it's advised to make the lease lengths the same so these settings properly work, or you will see unexpected results.


    The scavenging total time formula is : NoRefresh + Refresh * 2 + scavenge period.
    Example:
    - DHCP lease duration should match the "no-refresh + refresh" values = 6 Days
    - Zone is set to a 3 day Refresh and a 3 day No-Refresh interval
    - Server Scavenging period is set to 3 days
    - The total time is set to 3 day No-Refresh + 3 day Refresh + 3 day No-Refresh + 1 to Scavenging period (1 day to 3 day in this example) = Scavenging will occur anytime between Day 10 to Day 12
    Good discussion on it and an example by Rick Tan:
    Thread: "Enable DNS aging and scavenging "
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/d4ec8490-60cd-4466-951a-203a1ddbfaff/

    Good article by Sean Ivey, MSFT:
    How DNS Scavenging and the DHCP Lease Duration Relate
    (Make the NoRefresh and Refresh each half the lease, so combined, they are equal or greater than the lease).
    http://blogs.technet.com/b/askpfe/archive/2011/06/03/how-dns-scavenging-and-the-dhcp-lease-duration-relate.aspx
     
    For any current old records that are not owned by DHCP, you need to manually delete them to kick off scavenging quicker than waiting for it to happen, which depending on your lease length, may take up to 30 days. For example, a 3 day lease will take up to 12 days to kick in. Here's a chart showing a 3 day refresh/norefresh setting:

    I hope this helps and wasn't too confusing. As I said, there are more pieces to this puzzle than one thinks.


    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Thursday, August 07, 2014 1:06 AM
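
An added example, not part of any post in this thread: a small Python model of the aging rules quoted above from KB 932464, run against the question's "1 day / 1 day" zone. The names `ZoneAging` and `scavenged_at` are hypothetical, the 1-day server scavenging period is an assumption, and the model is simplified (hour granularity, record created at hour 0).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ZoneAging:
    no_refresh_h: int      # zone No-Refresh interval, in hours
    refresh_h: int         # zone Refresh interval, in hours
    scavenge_every_h: int  # server scavenging period, in hours

    def covers_lease(self, lease_h):
        """Guideline from the post: No-Refresh + Refresh >= DHCP lease."""
        return self.no_refresh_h + self.refresh_h >= lease_h


def scavenged_at(zone, update_hours, horizon_h=30 * 24):
    """Return the hour the record is deleted, or None if it survives.

    Assumed model: a refresh that arrives inside the No-Refresh interval
    leaves the timestamp untouched; the record is stale once it is older
    than No-Refresh + Refresh; a stale record is removed by the next
    scavenging pass.
    """
    updates = set(update_hours)
    timestamp = 0                                  # record created at hour 0
    for now in range(1, horizon_h + 1):
        if now in updates and now - timestamp >= zone.no_refresh_h:
            timestamp = now                        # refresh accepted
        stale = now - timestamp > zone.no_refresh_h + zone.refresh_h
        if stale and now % zone.scavenge_every_h == 0:
            return now                             # removed by this pass
    return None


# The question's zone: 1 day No-Refresh / 1 day Refresh.
# The 1-day scavenging period is assumed, not stated in the thread.
THREAD_ZONE = ZoneAging(no_refresh_h=24, refresh_h=24, scavenge_every_h=24)

if __name__ == "__main__":
    # Constructed client behaviours, in hours after the record was created.
    cases = {
        "re-registers every 24 h": range(24, 30 * 24 + 1, 24),
        "registers at boot only": [],
        "one refresh at hour 10 (inside No-Refresh)": [10],
        "one refresh at hour 30 (inside Refresh)": [30],
    }
    for label, hours in cases.items():
        print(f"{label:45s} -> deleted at hour {scavenged_at(THREAD_ZONE, hours)}")
    print("covers an 8 h lease:", THREAD_ZONE.covers_lease(8))
```

In this model a host that only registers at boot loses its record at the first scavenging pass after the record goes stale, which matches the symptom reported in the thread; it does not explain why the periodic re-registration is missing.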
  • Hi Ace,

    Thank you for adding in your blog details. My quandary at this point is that I've been running this environment for 7 years without any issues, and it has only been with specifically server 2012 R2 that I've run into this problem. It is with both dynamic and static addressing, and by which manually refreshing the systems refreshes their appropriate records in DNS. By manually refreshing, I mean either rebooting or simply an ipconfig /registerdns command.

    At first I was concerned that there was something going on with my Hyper-V environment due to a majority of the problems existing on new Gen2 VMs, but then I found issues with the 2012 R2 Hyper-V hosts themselves. This has been one of those annoying sporadic issues that I'm not able to reproduce systematically as it has so far been a random issue.

    Any thoughts? Especially as it relates to statically assigned 2012 R2 servers not registering their DNS records accordingly?

    Regards,

    Kyle

    Thursday, August 07, 2014 2:15 AM
  • Curious, are you seeing any Kerb errors on the clients or servers? Were there any 2003 DCs intermixed at one time? If yes, take a look at this (remember, Kerberos is used to auth the secure reg request):

    It turns out that weird things can happen when you mix Windows Server 2003 and Windows Server 2012 R2 domain controllers - Ask the Directory Services Team
    http://blogs.technet.com/b/askds/archive/2014/07/23/it-turns-out-that-weird-things-can-happen-when-you-mix-windows-server-2003-and-windows-server-2012-r2-domain-controllers.aspx#pi145002=2

    And I realize that this may have worked for years. But I hope it shows additional benefits in setting it up this way, too.


    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Thursday, August 07, 2014 2:30 AM
  • Hello Kyle,

    We're experiencing the same issue with Windows 2012 (R2) servers having a static IP address, as you also mentioned. Registration at reboot is fine, but the automatic update doesn't seem to work as DNS records are lost due to scavenging when the server hasn't rebooted in a long time.

    The comments on this thread give a solution for DHCP enabled hosts, but none for static IPs. Have you solved this problem on both types of configurations? If so, could you please enlighten us to the fix used for static entries?

    Regards,

    Bart Hoofd


    Bart Hoofd

    Monday, June 15, 2015 12:47 PM
  • Hello Kyle,

    We're experiencing the same issue with Windows 2012 (R2) servers having a static IP address, as you also mentioned. Registration at reboot is fine, but the automatic update doesn't seem to work as DNS records are lost due to scavenging when the server hasn't rebooted in a long time.

    The comments on this thread give a solution for DHCP enabled hosts, but none for static IPs. Have you solved this problem on both types of configurations? If so, could you please enlighten us to the fix used for static entries?

    Regards,

    Bart Hoofd


    Bart Hoofd

    Yes, this thread discusses DHCP clients. There are other discussions about static clients and DNS Dynamic updates in general. My other blog may be able to help with your question:

    AD & Dynamic DNS Updates Registration Rules of engagement
    Posted on March 12, 2013 
    http://blogs.msmvps.com/acefekay/2013/03/12/ad-dynamic-dns-updates-registration-rules-of-engagement-2/

    As for your situation, you didn't provide any configuration info, including if you are referring to Windows 2012 R2 member servers or DCs? So it will be difficult to assist.

    What I can say is if it works at reboot but not during the normal 24 hour cycle or every 60 minutes for DCs, then it seems there is something else going on that requires a deeper look into your configuration.

    I hope my blog helps. If you need additional assistance, I suggest you start a new thread (this thread is a year old and belongs to someone else) and respond here with the link so I (we) can go directly to it. If unable to post specific configuration data, possibly contacting Microsoft support directly may be better so they can remote into your systems and take a deep dive into it.


    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Monday, June 22, 2015 4:28 AM
  • If a solution was found for this issue please post it.  I'm experiencing the same issue with our W2K12 servers.

    Thursday, September 17, 2015 8:54 PM
  • Here's your solution:

    Local IP address cannot be registered on DNS server after DNS Client service is restarted in Windows 

    https://support.microsoft.com/en-us/kb/3014170 

    Thursday, October 01, 2015 4:29 PM
  • I'm having the same issue.  I have W2012R2 DCs and member servers.  I have found that a newly setup server's DNS record will be lost/scavenged after some amount of time (assuming the DNS scavenging period but never really took the time to verify).  Then, users complain they are unable to access the server.  "Is the server down?"  I verify the server is running.  I can ping the IP but cannot resolve the host name.  I login to the server and then issue a ipconfig /registerdns.  I have the user flush their local dns cache and try again and everything is good.

    Interestingly, I have found that I only have to /registerdns one time after it initially happens.  From there on out, I don't think I have ever had a repeat issue.  I have tried to make it part of my setup process to issue a /registerdns and see if the issue ever appears.  I'm not consistent and have not tested this.

    I could have sworn that I had this issue with 2008R2 servers as well.  Happens on both physical and virtual.  Definitely a DNS issue and suspect the member server is not interacting with DNS properly....  until a manual /registerdns is performed.

    Anyway, I would like to know why it happens and how to prevent it all together.


    • Edited by Gunther123 Wednesday, April 20, 2016 8:04 PM
    Wednesday, April 20, 2016 7:33 PM
  • Hi all,

    We have not experienced the issue with dynamic DNS entries after (roughly) August 2015 anymore on Windows 2012 R2 with static IPs.

    It's possible there is some hotfix after this period that has solved our problem. Our servers are kept up to date, so the fix suggested by atrayn22 in https://support.microsoft.com/en-us/kb/3014170 was not our solution.

    Regards,

    Bart Hoofd


    Bart Hoofd

    Thursday, April 21, 2016 7:05 PM