Clients not registered in Forward lookup DNS

  • Question

  • Hi,

    We have several computers in the company not registered in the DNS. The DNS Server is 2008 Std SP1.

    Under the Server Manager, DNS Server -> ServerName -> Forward Lookup -> Domain.com, some computers are not in the list.

    I have checked the TCP/IP setting, is set to Automatic for IP and DNS. Also use ipconfig/all to verify the IP settings.

    These computers can obtain IP, DNS with DHCP all right. Also tried ipconfig /RegisterDNS

    Please advise why they are not registered in DNS?

    Thanks

    Hannah


    Monday, February 7, 2011 3:17 AM

Answers

  • Pei Wai,

    As mentioned, there are a number of reasons a machine may not register. The basic one is the DNS address on the client, as Meinolf said. Another basic one is the Primary DNS Suffix is missing, or if one is not configured, the "Register this connection" is empty. As Brent said, you can also force DHCP to register for a client. I have more on that after step #13 below.

    Just an FYI, here are the basics to get DNS Dynamic registration to work and the problems that may occur if one or more of these points are not configured properly:

    ==================================================================
    AD & Dynamic DNS Registration Rules of engagement. Keep in mind, for the most part it automatically works "out of the box" without much administrative overhead.


    ======
    Summary Explanation

    1. The machine's DNS entries in the NIC must be ONLY configured to use the internal DNS servers that host the zone.
    2. The Primary DNS Suffix on the machine must match the zone name in DNS.
      a. For joined machines, this is default.
      b. For non-joined machines, it must be manually configured, or configured under IP properties, Advanced, DNS tab.
    3. The Zone must be configured to allow updates.
    4. For AD Integrated Zones and Secure Only Updates:
      a. If the machine's DNS is statically configured:
         - It must only point to the internal DNS.
         - It must be joined to the domain in order to authenticate using Kerberos to update.
      b. If statically configured and not joined to the domain, the client can't update if the zone is set to Secure Only.
      c. For non-joined domain DHCP clients, you can configure DHCP to update in lieu of the client updating into a Secure Only zone.
    5. For any non-Windows statically configured machine, it must support the DNS Dynamic Updates feature and the zone must be configured to allow Secure and Unsecure updates.
    6. If the DNS server is multihomed and not configured properly to work with multihoming, it may cause problems with Dynamic Updates.
    7. If the zone is a single label name, such as 'domain' instead of the proper minimal format of 'domain.com,' 'domain.net,' etc, it will NOT update.


    ======
    Full explanation:


    1. Active Directory's DNS Domain Name is NOT a single label name ("DOMAIN" vs the minimal requirement of "domain.com." "domain.local," etc).

    2. The Primary DNS Suffix MUST match the zone name that is allowing updates. Otherwise the client doesn't know what zone name to register in. You can also have a different Connection Specific Suffix in addition to the Primary DNS Suffix to register into that zone as well.

    3. AD/DNS zone MUST be configured to allow dynamic updates, whether Secure or Secure and Non-Secure. For client machines, if a client is not joined to the domain, and the zone is set to Secure, it will not register either.

    4. You must ONLY use the DNS servers that host a copy of the AD zone name or have a reference to get to them. Do not use your ISP's, an external DNS address, your router as a DNS address, or any other DNS that does not have a copy of the AD zone. Internet resolution for your machines will be accomplished by the Root servers (Root Hints); however, it's recommended to configure a forwarder for efficient Internet resolution.

    5. The domain controller is multihomed (which means it has more than one unteamed, active NIC, more than one IP address, and/or RRAS is installed on the DC).

    6. The DNS addresses configured in the client's IP properties must ONLY reference the DNS server(s) hosting the AD zone you want to update in.

    This means that you must NOT use an external DNS in any machine's IP property in an AD environment. You can't mix them either. That's because of the way the DNS Client side resolver service works. Even if you mix up internal DNS and ISP's DNS addresses, the resolver algorithm can still have trouble asking the correct DNS server. It will ask the first one first. If it doesn't get a response, it removes the first one from the eligible resolvers list and goes to the next in the list. It will not go back to the first one unless you restart the machine, restart the DNS Client service, or set a registry entry to cut the query TTL to 0. The rule is to ONLY use your internal DNS server(s) and configure a forwarder to your ISP's DNS for efficient Internet resolution.

    This is the reg entry to cut the query to 0 TTL:

    The DNS Client service does not revert to using the first server ... The Windows 2000 Domain Name System (DNS) Client service (Dnscache) follows a certain algorithm when it decides the order in which to use the DNS servers ...
    http://support.microsoft.com/kb/286834

    For more info, please read the following on the client side resolver service:

    DNS, WINS NetBIOS & the Client Side Resolver, Browser Service, Disabling NetBIOS, Direct Hosted SMB (DirectSMB), If One DC is Down Does a Client logon to Another DC, and DNS Forwarders Algorithm if you have multiple forwarders.
    http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx 

    7. For DHCP clients, DHCP Option 006 for the clients are set to the same DNS server.

    8. If using DHCP, the DHCP server must only be referencing the same exact DNS server(s) in its own IP properties in order for it to 'force' (if you set that setting) registration into DNS. Otherwise, how would it know which DNS to send the reg data to?

    9. If the AD DNS Domain name is a single label name, such as "EXAMPLE", and not the proper format of "example.com" and/or any child of that format, such as "child1.example.com", then we have a real big problem. DNS will not allow registration into a single label domain name.
    This is for two reasons:
           1. It's not the proper hierarchical format. DNS is hierarchical, but a single label name has no hierarchy. It's just a single name.
           2. Registration attempts cause major Internet queries to the Root servers. Why? Because it thinks the single label name, such as "EXAMPLE", is a TLD (Top Level Domain), such as "com", "net", etc. It will now try to find what Root name server out there handles that TLD. In the end it comes back to itself and then attempts to register. Unfortunately it does NOT ask itself first for the mere reason it thinks it's a TLD.
    Due to this excessive Root query traffic, which ISC found from a study that discovered Microsoft DNS servers are causing excessive traffic because of single label names, Microsoft, being an internet friendly neighbor and wanting to stop this problem for their neighbors, stopped the ability to register into DNS with Windows 2000 SP4, XP SP1 (especially XP, which causes lookup problems too), and Windows 2003. After all, DNS is hierarchical, so therefore why even allow single label DNS domain names?

    10. "Register this connection's address" on the client is not enabled under the NIC's IP properties, DNS tab.

    11. Maybe there's a GPO set to force Secure updates and the machine isn't a joined member of the domain.

    12. "DHCP client" Service not running.  This is a requirement for DNS registration and DNS resolution even if the client is not actually using DHCP.

    13. You can also configure DHCP to force register clients for you, as well as keep the DNS zone clean of old or duplicate entries. The following has more information on how to do that:

    DHCP, Dynamic DNS Updates, Scavenging, static entries & timestamps, and the DnsProxyUpdate Group (How to remove and prevent future duplicate DNS host records)
    Published by acefekay on Aug 20, 2009
    http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx
    ==================================================================

    If none of the criteria above was helpful, or there was something that was not understood, please post a complete ipconfig /all from two of your DCs, as well as from a good working workstation that is registering, and from a workstation that is having the problem registering, along with any event log errors including the Source Name in the events.


    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Marked as answer by Brent Hu Monday, February 14, 2011 4:10 AM
    Tuesday, February 8, 2011 7:01 AM
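    A client-side check that walks the prerequisites in the list above (DNS servers on the NIC, Primary DNS Suffix, single-label zone, DHCP Client service, domain membership, multihoming, "Register this connection's addresses in DNS", and whether the host's own A record resolves), as an added example that is not part of the original thread. It uses WMI and the registry so it runs under PowerShell 2.0 on the Windows 7 / Server 2008 era systems discussed here; the zone name and the list of internal DNS server addresses are assumptions you must supply (the defaults are placeholders).

```powershell
# Added example (not from the thread): client-side DNS dynamic registration checks.
# Assumes PowerShell 2.0+ and the Win32_NetworkAdapterConfiguration WMI class.
# $ExpectedZone and $InternalDnsServers are placeholders you must set for your AD.
param(
    [string]   $ExpectedZone       = 'domain.com',                   # placeholder AD zone name
    [string[]] $InternalDnsServers = @('192.0.2.10', '192.0.2.11')   # placeholder DC/DNS addresses
)

function Test-DnsRegistrationPrereqs {
    param([string]$Zone, [string[]]$InternalDns)
    $findings = @()

    # Summary item 7 / full item 9: a single-label zone name never accepts registrations.
    if (($Zone -split '\.').Count -lt 2) {
        $findings += "Zone '$Zone' is a single-label name; dynamic registration is refused."
    }

    # Item 2: the Primary DNS Suffix (Tcpip\Parameters\Domain) must equal the zone.
    $tcpip = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    if ([string]::IsNullOrEmpty($tcpip.Domain)) {
        $findings += 'Primary DNS Suffix is empty; the client does not know which zone to register in.'
    } elseif ($tcpip.Domain -ne $Zone) {
        $findings += "Primary DNS Suffix '$($tcpip.Domain)' does not match zone '$Zone'."
    }

    # Item 12: the DHCP Client service must run even on statically addressed hosts.
    $svc = Get-Service -Name Dhcp
    if ($svc.Status -ne 'Running') {
        $findings += "DHCP Client service is $($svc.Status); it must be Running."
    }

    # Items 3 / 11: a non-joined machine cannot update a Secure-only zone itself.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        $findings += 'Machine is not domain-joined; a Secure-only zone rejects its updates unless DHCP registers on its behalf.'
    }

    # Item 5: a multihomed DC (more than one IP-enabled NIC) complicates registration.
    $nics = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
    if ($cs.DomainRole -ge 4 -and $nics.Count -gt 1) {   # DomainRole 4/5 = backup/primary DC
        $findings += "Domain controller has $($nics.Count) IP-enabled NICs (multihomed)."
    }

    foreach ($nic in $nics) {
        $name = $nic.Description
        # Items 1 / 4 / 6: every configured DNS server must be an internal one.
        if (-not $nic.DNSServerSearchOrder) {
            $findings += "$name has no DNS servers configured."
        }
        foreach ($server in @($nic.DNSServerSearchOrder)) {
            if ($InternalDns -notcontains $server) {
                $findings += "$name uses DNS server $server, which is not in the internal list."
            }
        }
        # Item 10: 'Register this connection's addresses in DNS' must be enabled.
        if (-not $nic.FullDNSRegistrationEnabled) {
            $findings += "$name has 'Register this connection's addresses in DNS' disabled."
        }
    }

    # Finally, does the host's own A record resolve to one of its local IPv4 addresses?
    $fqdn  = "$($env:COMPUTERNAME).$Zone"
    $local = @($nics | ForEach-Object { $_.IPAddress } | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
    try {
        $resolved = [System.Net.Dns]::GetHostAddresses($fqdn) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString }
        $stale = @($resolved | Where-Object { $local -notcontains $_ })
        if ($stale.Count -gt 0) {
            $findings += "$fqdn resolves to $($stale -join ', '), which is not a local address (stale record?)."
        }
    } catch {
        $findings += "$fqdn does not resolve: no A record has been registered."
    }

    return $findings
}

$result = @(Test-DnsRegistrationPrereqs -Zone $ExpectedZone -InternalDns $InternalDnsServers)
if ($result.Count -eq 0) {
    Write-Output "All client-side registration prerequisites look correct for $ExpectedZone."
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
}
```

    Run it on a workstation that fails to register and on one that registers fine, and compare the findings; it reads only local state and makes one DNS lookup, so it is safe to run alongside the ipconfig /all output requested above.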
  • Hello,

    On the machines make sure they use only the domain DNS server on the NIC. Please post an unedited ipconfig /all from a client with problems and the DC/DNS servers.

    Additionally, make sure the DHCP client service is started and set to automatic on machines with fixed IP addresses.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    • Marked as answer by Brent Hu Monday, February 14, 2011 4:10 AM
    Monday, February 7, 2011 7:01 AM
  • Hi Pei Wai,

    Please check whether the DHCP server is authorized in Active Directory. Meanwhile, make sure that you have configured client computers to register with DNS, or use the DHCP MMC to configure dynamic DNS update on the DHCP server for DHCPv4.

    Authorize a DHCP Server in Active Directory Domain Services
    http://technet.microsoft.com/en-us/library/cc753329(WS.10).aspx

    DHCP: The server should be configured to register DNS records on behalf of DHCPv4 clients
    http://technet.microsoft.com/en-us/library/ee941150(WS.10).aspx

    Brent
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by Brent Hu Monday, February 14, 2011 4:10 AM
    Monday, February 7, 2011 7:08 AM

All replies

  • Hi, I am having a similar problem. I have tried disabling IPv6 on clients to no avail. If I use ipconfig /registerdns, then and only then do I see it show up in the AD integrated DNS. I have dynamic updates set to secure only. The primary DNS suffix is correct and so is the DNS server of the client.
    Thursday, March 29, 2012 10:08 PM
  • Hi Beerlimer,

    Actually, you should have started a new thread - this way you can mark helpful posts as answers, etc. Besides, this one is over a year old.

    To better help, we'll need some background info, such as (which will help us diagnose this):

    •  An ipconfig /all
    • Event log errors on the client or server
    • How you have your DHCP (assuming you're referring to DHCP clients), configured such as if you used credentials or using the DnsUpdateProxy group
    • Is scavenging enabled, etc.
    • Assuming your DHCP server is a DC, is the DC multihomed? An ipconfig /all will tell us that part.
    • Is the zone single label name ("domain" vs the required minimum of "domain.something")?
    • Operating system and SP level of the client
    • Operating system and SP level of the DHCP server
    • Operating system and SP level of the DNS server


    As far as disabling IPv6, that has no bearing on registration, unless that's not working either, but then again that depends on the operating system version of the client, DNS and DHCP server. If you disable IPv6 on a client, and from you saying that it could be either Vista or 7, it can and will break something in the OS. Microsoft specifically recommends to not disable IPv6.



    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Friday, March 30, 2012 12:34 AM
  • I know this is an old thread, but if helpful, in my case there was a problem with time synchronization. Some machines were out of the 5-minute default time offset.
    Tuesday, May 21, 2013 10:51 AM
  • We usually assume that the time service and other services, ipconfig, only internal DNS is used, etc, are all properly set and functioning. But if the time service is not functioning, that will cause Kerberos to fail, and make this not work, but my bet is it's probably causing other major AD authentication problems system wide, too.

    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Tuesday, May 21, 2013 1:28 PM
  • Also, here's a more recent thread with additional info on the registration process:

    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/a1f0c3ba-5641-4657-a81a-653a1f5ff1c4/


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Tuesday, May 21, 2013 1:30 PM
  • Very old thread indeed.  In my case credentials for DHCP had not been setup so DHCP could not register non-domain computers.  Hope this helps the next guy because I came here and was very frustrated.  Event logs clued me into the problem.
    Tuesday, May 17, 2016 9:25 PM
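    The server-side counterpart to Brent's answer (DHCP authorization and DNS update settings) and to the reply above about missing DHCP credentials, as an added example that is not part of the original thread. It assumes Windows Server 2012 R2 or later with the DnsServer and DhcpServer PowerShell modules (RSAT) and rights to read the DNS and DHCP server configuration; the zone name and DHCP server name are placeholders. The second function goes one step beyond the posts and lists active DHCP leases that have no matching A record in the zone, which is the quickest way to see which clients are the ones that never registered.

```powershell
# Added example (not from the thread): server-side checks for DHCP-driven
# DNS registration. Assumes Server 2012 R2+ with the DnsServer and DhcpServer
# modules; $Zone and $DhcpServer are placeholders for your environment.
param(
    [string]$Zone       = 'domain.com',         # placeholder AD DNS zone
    [string]$DhcpServer = 'dhcp01.domain.com'   # placeholder DHCP server FQDN
)

Import-Module DnsServer, DhcpServer

function Test-DhcpDnsRegistration {
    param([string]$ZoneName, [string]$Dhcp)
    $findings = @()

    # The zone must accept dynamic updates; 'Secure' means only domain members
    # (or a DHCP server updating on their behalf) can register.
    $zone = Get-DnsServerZone -Name $ZoneName
    if ($zone.DynamicUpdate -eq 'None') {
        $findings += "Zone $ZoneName does not allow dynamic updates."
    }

    # An unauthorized DHCP server in an AD forest does not hand out leases at all.
    $authorized = @(Get-DhcpServerInDC | Where-Object { $_.DnsName -eq $Dhcp -or "$($_.IPAddress)" -eq $Dhcp })
    if ($authorized.Count -eq 0) {
        $findings += "DHCP server $Dhcp is not authorized in Active Directory."
    }

    # Server-level DNS update behaviour for DHCPv4 clients.
    $dns = Get-DhcpServerv4DnsSetting -ComputerName $Dhcp
    if ($dns.DynamicUpdates -eq 'Never') {
        $findings += 'DHCP server is set to never update DNS on behalf of clients.'
    }
    if (-not $dns.UpdateDnsRRForOlderClients) {
        $findings += 'Clients that do not send Option 81 will not be registered by DHCP.'
    }
    if (-not $dns.DeleteDnsRROnLeaseExpiry) {
        $findings += 'Records are not removed at lease expiry; expect stale and duplicate entries.'
    }

    # Without a configured credential, updates into a Secure-only zone run as the
    # DHCP server's own account, which is the classic cause of silent failures.
    $cred = Get-DhcpServerDnsCredential -ComputerName $Dhcp
    if ($zone.DynamicUpdate -eq 'Secure' -and [string]::IsNullOrEmpty($cred.UserName)) {
        $findings += 'Zone is Secure-only but DHCP has no DNS update credential configured.'
    }

    return $findings
}

# Compare active leases against A records to list clients that never registered.
function Get-UnregisteredLeases {
    param([string]$ZoneName, [string]$Dhcp)
    $records = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A
    $names   = @($records | ForEach-Object { $_.HostName.ToLower() })
    $missing = @()
    foreach ($scope in Get-DhcpServerv4Scope -ComputerName $Dhcp) {
        $leases = Get-DhcpServerv4Lease -ComputerName $Dhcp -ScopeId $scope.ScopeId |
            Where-Object { $_.AddressState -eq 'Active' -and $_.HostName }
        foreach ($lease in $leases) {
            # Leases store the FQDN the client offered; A records are keyed by short host name.
            $short = ($lease.HostName -split '\.')[0].ToLower()
            if ($names -notcontains $short) {
                $missing += New-Object PSObject -Property @{
                    HostName  = $lease.HostName
                    IPAddress = $lease.IPAddress.IPAddressToString
                    ScopeId   = $scope.ScopeId.IPAddressToString
                }
            }
        }
    }
    return $missing
}

$findings = @(Test-DhcpDnsRegistration -ZoneName $Zone -Dhcp $DhcpServer)
$findings | ForEach-Object { Write-Output "FINDING: $_" }
Get-UnregisteredLeases -ZoneName $Zone -Dhcp $DhcpServer | Format-Table -AutoSize
```

    If the credential finding fires, the fix is Set-DhcpServerDnsCredential with a low-privilege account that is a member of the DnsUpdateProxy group, as the DHCP / DnsProxyUpdate article linked earlier in the thread describes; the lease comparison then shows whether the previously missing hosts start appearing in the zone.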
  • The explanation that I'm replying to is too technical for me. Also, I am using a single computer and getting the DNS error when trying to connect to some websites I have visited frequently in the past (in fact, I visited it one morning and when I went back in the afternoon, I got the error). I'm using Windows 7 and the latest IceDragon. I am working my way through a list of ways to fix this I found in another forum. I deleted the browser cache (although I'm getting the error in two browsers, one of which I've never used before); I deleted all the files in the windows32/drivers/etc folder; I changed from automatically detect DNS to Preferred and Alternate settings from another forum (8888 and 8844); IPv4 is checked. None of these helped. I checked the drivers on the two devices that looked like they might affect the connection: Microsoft System Management BIOS and the Network Adapter. The drivers are up to date.

    I am going through the dns flush procedure. When I tell it to register, I get an "needs elevation" message. I see online that this means that I need administrator access.  I am logged on as administrator. There is no "command prompt" option in accessories to right click on (presumably because I am an administrator). How do I get dns to register?

    Saturday, November 11, 2017 10:11 PM