Question
Thursday, April 22, 2010 5:48 PM
I have a Windows 2003 DNS server that has suddenly stopped accepting Dynamic DNS updates from two Windows 2000 servers.
I get no error/critical event logs or error messages on either the 2003 DNS or 2000 servers. I do get one standard Warning DNSApi event on the Windows 2000 servers in question.
Event ID: 11151
The system failed to register network adapter with settings:
Adapter Name : {C68CDBA5-132D-4B35-B35E-55447437E5C1}
Host Name : servername1
Adapter-specific Domain Suffix : domain.net
DNS server list :
192.10.1.10
Sent update to server : None
IP Address(es) :
192.10.1.24
I set up a packet capture and I captured the DNS dynamic update request and reply. However, in the reply from the DNS server I get the following error returned.
RR set that ought to exist, does not exist
All servers are fully patched on a monthly basis, the last time being this past weekend when this problem occurred (4/18/2010).
I rebooted both servers multiple times to no avail; short of blaming the most recent patches and attempting to uninstall them, I was hoping someone else would have an idea on the cause of this really difficult issue. It appears the DNS server is to blame since it is refusing the update and returning the error.
I found the link below as an example of what a Dynamic DNS update should look like, and my request matches exactly; the response from the DNS server differs only by the error code (in bits) 1000 = RR set that ought to exist, does not exist.
This seems to only affect these two Windows 2000 computers (we have others, but I have not had any reports of issues with missing DNS records).
Secure updates are enabled on the DNS zone, and the Windows 2000 server can properly communicate with the Domain and Domain Controllers.
All replies (7)
Tuesday, April 27, 2010 8:59 PM ✅ Answered
It appears I found the issue. The dual-homed connection to our DMZ is causing the issue....but this server has always been configured this way....I even have old setup documentation that proves this. Weird.
Anyway, the DMZ NIC has external DNS servers configured, and the internal NIC has internal DNS servers configured as well. If I disable the DMZ NIC or remove the DMZ NIC DNS settings then all works fine.
Internet < DMZ NIC1 Computer NIC2 > Internal Network
Since these are Windows 2000 servers, they will be rebuilt as 2003 or 2008 and I will try the same configuration to see if the same thing happens or not.
Thursday, April 22, 2010 8:44 PM
I did some more digging, still haven't found a solution yet, but I did find the following
The only patches applied on 4/18/2009 for both 2000 and 2003 servers were for KB980182 (IE6 patch) and the Malicious software removal tool. I don't think those apply to this issue....I hope not anyway.
I used ADSI to look at the underlying DNS partition information and discovered that while DNS showed no Host (A) records for these servers, ADSI showed that records existed. Thinking this was the problem, I verified that the records existed on all the DNS servers, then deleted the records on one DNS server. I then verified that the deletion was replicated to the other DNS servers. I then tried to re-register the DNS settings....same error!#*^!% Rebooted the servers, still not fixed. Oh well, back to the drawing board.
Other resources I found talking about the packets and their format; still not clear why this 0x8 (1000 in bits) return code is being returned.
http://technet.microsoft.com/en-us/library/bb726935.aspx
Friday, April 23, 2010 4:12 PM
Anyone of the MVPs from Microsoft have any ideas why this is happening? I guess as a work around I will create the records manually.
Tuesday, April 27, 2010 8:12 AM
Hi Gunner,
Can you open the zone file and check if the corresponding entry for the Windows 2000 server is being listed along with the TTL and owner info (c:\system32\dns)?
Have you verified the DNS update message format in the Netmon trace / Wireshark trace? I am more interested in the return code flags of the packet, which I guess is 0x8 as you mentioned earlier.
Have you done any Windows upgrade on the Windows 2003 server?
Manually adding the record would be an alternative but not the fix for the problem. Also, does this happen to all the Windows 2000 clients?
Tuesday, April 27, 2010 12:09 PM
Hello,
Was there ever a single-label domain name used before?
http://support.microsoft.com/kb/300684
Is the DHCP client service running on the machines, needed for DNS registration?
Are the machines using the correct DNS server on the NIC settings?
Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
Tuesday, April 27, 2010 4:55 PM
Sainiath,
The zones in question are AD integrated, and Secure only. I will use the DNS cmd to export the AD zone to a flat file after lunch, and let you know the results.
Yes, I verified the DNS update message format using a Netmon packet capture directly on the problem server. The packets match perfectly the ones shown in the Google Books link above....except for the 0x8 return code.
The Windows 2003 server was built new 3-4 years ago; it was not upgraded. It is fully patched on a monthly basis.
No, these two servers are the only ones that seem to be affected. The difference between these and the other Win2000 servers seems to be they are dual-homed....but given the packet capture proves that the packet leaves the correct NIC, is received by the DNS server, and the DNS server responds appropriately
Meinolf,
We use a DNS/AD domain in the following format: dom1.domain.net. This is not a single-label domain.
Static IP addresses are configured on all network interfaces, so no, the DHCP Client service should not be needed.
Yes, the machines in question are using the correct DNS server; this is proven by the packet capture showing the communication with the correct DNS server.
More Information:
In hopes of completely ruling out obvious issues I will test the following as possible causes.
1) Dual Home: I will disable one NIC on one server and test the DNS registration.
2) Server Authentication Issue: The DC/DNS server shows successful authentication in the Security Log and no failed security audit events occur for the DNS zone. However, as a final test I will enable Non-Secure and Secure updates to this zone and re-test.
Here are excerpts from the DNS.log file, which show the Forward Zone update FAIL with NXRRSET (0x8) and the Reverse successful
168100422 16:54:21 B64 PACKET 02D53750 UDP Rcv 192.168.1.23 87b0 U [0028 NOERROR] SOA (4)dom1(6)domain(3)net(0)
168100422 16:54:21 5CC PACKET 02D53750 UDP Snd 192.168.1.23 87b0 R U [08a8 NXRRSET] SOA (4)dom1(6)domain(3)net(0)
168100422 16:54:21 B14 PACKET 0325F510 UDP Rcv 192.168.1.23 3f72 U [0028 NOERROR] SOA (2)168(3)192(7)in-addr(4)arpa(0)
168100422 16:54:21 1108 PACKET 0325F510 UDP Snd 192.168.1.23 3f72 R U [00a8 NOERROR] SOA (2)168(3)192(7)in-addr(4)arpa(0)
Wednesday, April 28, 2010 2:55 AM
Hi Gunner,
Glad to see the resolution.
In your scenario, the resolver was querying the correct name server configured on its TCP/IP interface, and the name server, upon looking at its namespace, was providing the response and storing the zone data accordingly in its database.
I suspect the caching behavior of the DNS server. DNS maintains 2 types of data: one is zone and the other is cached data. But the strange thing is the DNS server reloads the zone from the master file record located locally and updates the information about the clients.
So either of 2 might cause the problem
a) resolver which is querying the cache to provide you the ping
b) the request is hitting the DNS server, but now the DNS server doesn't understand how to process the request.