Question
Thursday, July 23, 2015 10:36 PM
I recently set up a Server 2012 r2 Active Directory with DNS. None of my member servers (all Server 2012 r2, same subnet) are able to do a "Secure registration" in DNS. All member servers are domain joined to the same domain as the DNS server. The DNS Server is also the Domain Controller.
Landscape:
-POCDOM001 - Forest Root Domain Controller, DNS.
Domain name is abclab.internal
-ABCPOCSQL001 - SQL Server and Remote Desktop
-ABCPOCDSP001 - Application server running IIS.
DNS is AD Integrated. All IPs are DHCP from a non-Microsoft DHCP server.
IPCONFIG /registerdns doesn't fix anything.
Has anyone else run into this? Any suggestions on resolution?
This is the error in the Windows Event Log.
Log Name: System
Source: Microsoft-Windows-DNS-Client
Date: 7/23/2015 10:05:07 PM
Event ID: 8020
Task Category: (1028)
Level: Warning
Keywords:
User: NETWORK SERVICE
Computer: ABCPOCDSP001.poclab.internal
Description:
The system failed to register host (A or AAAA) resource records (RRs) for network adapter
with settings:
Adapter Name : {E2ACAB24-2C72-40EE-875B-4DDA6CB99999}
Host Name : ABCPOCDSP001
Primary Domain Suffix : poclab.internal
DNS server list :
10.0.0.90
Sent update to server : <?>
IP Address(es) :
10.0.0.226
The reason the system could not register these RRs during the update request was because of a system problem. You can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator. See event details for specific error code information.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DNS-Client" Guid="{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}" />
<EventID>8020</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>1028</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2015-07-23T22:05:07.581689100Z" />
<EventRecordID>47832</EventRecordID>
<Correlation />
<Execution ProcessID="756" ThreadID="1060" />
<Channel>System</Channel>
<Computer>ABCPOCDSP001.poclab.internal</Computer>
<Security UserID="S-1-5-20" />
</System>
<EventData>
<Data Name="AdapterName">{E2ACAB24-2C72-40EE-875B-4DDA6CB88004}</Data>
<Data Name="HostName">ABCPOCDSP001</Data>
<Data Name="AdapterSuffixName">poclab.internal</Data>
<Data Name="DnsServerList"> 10.0.0.90</Data>
<Data Name="Sent UpdateServer"><?></Data>
<Data Name="Ipaddress">10.0.0.226</Data>
<Data Name="ErrorCode">4294967295</Data>
</EventData>
</Event>
All replies (6)
Thursday, August 6, 2015 2:14 PM ✅Answered
Hi Anne,
I haven't had a chance to get into this in detail yet. For the short term I've allowed secure and un-secure updates to the DNS zones and everything is happy. I've locked down firewall ports to help mitigate risk.
-Jake Cohen
Friday, July 24, 2015 8:22 AM
Hi Jake,
The client's failure to update a name in a zone that is configured for secure dynamic update could be caused by the following conditions:
- The system time on the client and the system time on the DNS server are not in sync.
- You have modified the updatesecuritylevel registry entry to disallow the use of secure dynamic update on the client.
- The client does not have the appropriate rights to update the resource record. You can confirm this by checking the ACL associated with the name to be updated.
If the client does not have the appropriate rights to update the resource record, check whether the DHCP server registered the name of the client and that the DHCP server is the owner of the corresponding dnsNode object. If so, you might consider placing the DHCP server in the DNSUpdateProxy security group. Any object created by a member of the DNSUpdateProxy security group has no security.
For more information about secure dynamic update, you may click the link:
https://technet.microsoft.com/en-us/library/cc961412.aspx
Best regards,
Anne he
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected].
Friday, July 24, 2015 2:37 PM
Hi Anne,
Thanks for replying, here are my answers to your questions.
- The system time on the client and the system time on the DNS server are not in sync.
Not an issue, these are Amazon Web Services VMs and I've confirmed they are all in sync.
- You have modified the **updatesecuritylevel** registry entry to disallow the use of secure dynamic update on the client.
So this registry key doesn't exist. I'm testing setting it on the client and/or DNS Server. I'll update you when I'm done testing.
https://technet.microsoft.com/en-us/library/Cc959275.aspx?f=255&MSPPError=-2147217396
- The client does not have the appropriate rights to update the resource record. You can confirm this by checking the ACL associated with the name to be updated.
If the client does not have the appropriate rights to update the resource record, check whether the DHCP server registered the name of the client and that the DHCP server is the owner of the corresponding dnsNode object. If so, you might consider placing the DHCP server in the DNSUpdateProxy security group. Any object created by a member of the DNSUpdateProxy security group has no security.
This definitely could be part of it. DHCP is provided externally from my servers and I can't change that. There is no feed from the DHCP server to DNS. I need the clients to update DNS directly. None of the clients are listed in DNS.
-Jake Cohen
Saturday, July 25, 2015 1:16 PM
The UpdateSecurityLevel registry entry didn't do anything. I was using a decimal value of 256 (Hex 100).
I did notice that if I allow unsecure updates to DNS I do have systems that will register their DNS records.
-Jake Cohen
Tuesday, July 28, 2015 4:46 AM
Hi Jake,
Since we have ruled out several of the above possibilities, we could narrow down the problem further by performing a network traffic capture on the client. The process of secure dynamic update is described in detail in the following document.
https://technet.microsoft.com/en-us/library/cc961412.aspx
- Step 1: the client sends DNS queries to find the authoritative DNS server.
- Step 2: the client attempts a non-secure update, and the server refuses the non-secure update.
- Step 3: the client and server begin TKEY negotiation.
- Step 4: the client sends a dynamic update request to the server.
- Step 5: the server attempts to modify RRs in AD.
- Step 6: the server sends a reply to the client, whether or not it was able to make the update.
We may check if the client has sent out query packets to the DNS server. If the client can't send the query packet to the authoritative DNS server, we may check if the DNS server address configured on the client is right. If the DNS server sent back a response-refused packet to the client, we may check the configurations on DNS. It is recommended to check the "security" property and verify that the client has rights to "write" RRs.
If you want to download network monitor, you may click the link:
https://www.microsoft.com/en-us/download/details.aspx?id=4865
Best Regards,
Anne He
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected].
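The capture analysis Anne describes, as an added example that is not part of the original thread: a small Python classifier that maps raw DNS messages to the steps above using the opcode, the rcode and the presence of TKEY/TSIG records, which is what a practitioner looks for when reading the Network Monitor trace. The host and zone names follow the question; the packet builders and the sample messages are constructed here and are assumptions, not a real capture.

```python
import struct

SOA, TKEY, TSIG = 6, 249, 250   # RR types that mark the stages of a secure update
UPDATE, REFUSED = 5, 5          # DNS opcode UPDATE (RFC 2136) and rcode REFUSED
def _name(s):                   # wire-format name, used only to build sample packets
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"
def _rr(name, rtype, rclass, ttl, rdata):
    return _name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
def _msg(flags, question, ns=b"", ar=b"", counts=(1, 0, 0, 0)):
    return struct.pack("!6H", 0x1234, flags, *counts) + question + ns + ar
def _skip_name(buf, off):
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + ln
        if ln == 0:
            return off
def _parse(pkt):                # -> (qr, opcode, rcode, RR types seen in all sections)
    _, flags, *counts = struct.unpack_from("!6H", pkt, 0)
    off, types = 12, []
    for section, count in enumerate(counts):
        for _ in range(count):
            off = _skip_name(pkt, off)
            types.append(struct.unpack_from("!H", pkt, off)[0])
            # question entries hold type+class only; RRs add ttl, rdlength and rdata
            off += 4 if section == 0 else 10 + struct.unpack_from("!H", pkt, off + 8)[0]
    return flags >> 15, (flags >> 11) & 0xF, flags & 0xF, types

def classify(pkt):              # map one DNS message to a step of the secure update
    qr, opcode, rcode, types = _parse(pkt)
    if TKEY in types:
        return "step3 TKEY negotiation (GSS-TSIG)"
    if opcode != UPDATE:
        return "step1 SOA query for authoritative server" if SOA in types else "unrelated"
    if not qr:
        return "step4 signed update" if TSIG in types else "step2 unsigned update attempt"
    if TSIG in types:
        return "step6 reply to signed update, rcode=%d" % rcode
    return "step2 server refused unsigned update" if rcode == REFUSED else "step2 unsigned update accepted: zone allows nonsecure updates"

# constructed sample capture for the host in the question, not taken from a real network
HOST, ZONE = "ABCPOCDSP001.poclab.internal", _name("poclab.internal") + struct.pack("!HH", SOA, 1)
A_RR, DUMMY = _rr(HOST, 1, 1, 1200, bytes([10, 0, 0, 226])), b"\0" * 8
CAPTURE = [
    _msg(0x0100, ZONE),                                                         # step1
    _msg(UPDATE << 11, ZONE, ns=A_RR, counts=(1, 0, 1, 0)),                     # step2 request
    _msg(0x8000 | UPDATE << 11 | REFUSED, ZONE),                                # step2 reply
    _msg(0, _name(HOST) + struct.pack("!HH", TKEY, 255), ar=_rr(HOST, TKEY, 255, 0, DUMMY), counts=(1, 0, 0, 1)),
    _msg(UPDATE << 11, ZONE, ns=A_RR, ar=_rr(HOST, TSIG, 255, 0, DUMMY), counts=(1, 0, 1, 1)),
]
```

A trace that stops after the step 2 refusal with no TKEY message points at the client side (time skew, UpdateSecurityLevel), while a TKEY exchange followed by a signed update that returns REFUSED points at the ACL on the dnsNode object.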
Wednesday, September 16, 2015 2:16 AM
Hi Jake,
I'm glad that you have solved your problem and fed back here to share the solution with others. If you have other problems related to Windows Server, please feel free to contact us.
Best regards,
Anne He
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected].