HTTPS, DNS and dynamically updating DNS records

Hello to you all, if you are able to help with a DNS problem that I'm having then please accept my thanks and appreciation in advance.
First some background information, I recently moved my server from my studio to my house where a new purpose built studio will soon be erected. At my old studio any requests for myurl.com came in via the IP (whether that be http, https, ftp etc) from the domain registrar and the router would send the request to the relevant port number whether that be 80 for http or 443 for https etc and all was well as this location had a fixed IP address. Unfortunately at my new location whilst I have a much faster connection I do not have a fixed IP. To get around this I have the following set up (not ideal for a business I know but perfectly OK for home hosting); I set up two pseudo nameservers at no-ip.com (ns1myurl.com and ns2myurl.com) which tracks the changes in my IP address and updates its records accordingly, my registrar then sends any requests to these 'nameservers' and no-ip then forwards it on to my server. So far so good.
The problem arises once the requests get to my server, whilst I have DNS set up, I can only receive requests from a straight request to the server i.e. myurl.com will display the site without any problem, but if I then put a www in front of that or try to access the https part of my site (which is set up as a separate site on the same server) then the server throws an error. I have tried to put an alias (CNAME) into the zone but it does not want to resolve the request. I have searched around but to no avail, I am totally new to DNS so am currently on a steep learning curve and fumbling around in the dark.
The first thing that I need to get working is the request to be resolved correctly and then (and this is where the real fun starts!) is to dynamically update the IP in the DNS records as the IP changes. I will probably have to get help in on this as I understand that this requires BIND of which I know nothing about, first though I'd like to get the pages to be served up correctly. Advice, hints, tips or links to tutorials all greatly appreciated. Full set up listed below.
Many thanks, David.
Xserve PPC G5 running 10.5.8 unlimited set up as standalone OD master
Xraid
APC UPS
CradlePoint MBR1200 Gateway router which acts as the DHCP
http://myurl.com and https://myurl.com set up as 2 separate sites and located on the Xraid
Current DNS setup:
Primary Zone name: myurl.com with nameservers ns1myurl.no-ip.info and ns2myurl.no-ip.info and allow zone transfers in checked
Then

Name                      Type             Value
myurl.com                 Primary Zone
    ns1myurl.no-ip.info   Machine          12.34.56.78 (external IP)
    ns2myurl.no-ip.info   Machine          12.34.56.78 (external IP)
    myurl.com.            Machine          12.34.56.78 (external IP)
    www.myurl.com.        Alias            myurl.com.

With the reverse zone looking thus with allow zone transfers being checked

Name                      Type             Value
56.34.12.in-addr.arpa.    Reverse Zone
    12.34.56.78           Reverse mapping  myurl.com.

Thanks for the reply Camelot, that part though I had already figured out. I now have this working, all I did was change the external IP to the internal one of the server which resolves with the .local machine name and all is working just fine (for now!). As long as I have primary zones set for each site and any alias or services set up on them then everything works well. The real test will be when my ISP changes the IP, whilst my tests have proved successful the proof will be when they update the address.
Thanks anyway. David.

Similar Messages

  • Could not reuse TKEY established till expiry, Microsoft DNS refuses Dynamic updates after some minutes

    We are using a DHCP Server that is sending secure (GSS-TSIG based) dynamic updates to Microsoft DNS.
    After successful TKEY negotiation, the dynamic updates are accepted/success.
    Established context is valid for more than 10 hours in client side (based on InitializeSecurityContext output parameter ptsExpiry
    http://msdn.microsoft.com/en-us/library/windows/desktop/aa375507%28v=vs.85%29.aspx)
    But, when we try to use the same TKEY name (the established context is not expired) we are getting "Query Refused error" after some time say 8-10 minutes. Is there any transaction timeout after which client should not reuse the TKEY context established? Whether Microsoft DNS supports TKEY RR with mode 5 (Delete Security Context/Key Deletion) so that client will delete and establish a new context for further DNS updates. Also why BADNAME/BADKEY error is not returned while refusing the updates?
    As per the RFC 3645, 
    <RFC snip>
    4.2.1. Terminating a Context
    A server can terminate any established context at any time. The
    server MAY hint to the client that the context is being deleted by
    including a TKEY RR in a response with the Mode field set to 5, i.e.,
    "key deletion" [RFC2930]. An active context is deleted by calling
    GSS_Delete_sec_context providing the associated context_handle.
    </RFC Snip>
    1. Configured Forward Zone aswin.com
    2. Not configured Reverse Zone, so that reverse updates get NOT AUTH ( just to test error case )
    3. TKEY negotiation is successful.
    4. Sent 2 updates say at 19:52 one forward and reverse updates. Forward update is success, Reverse update failed due to reverse zone not configured, which is expected.
    5. Sent 2 updates say at 19:55 using the previously established key, Forward update is success, Reverse update failed due to reverse zone not configured, which is expected.
    6. Sent 2 updates say at 20:01 (approximately after 5 minutes), Forward Dynamic update failed with Query Refused. Until new TKEY negotiation is done all updates are failed with Query Refused. Why the same key could not be used for 10 hours (based on Initialize security context output value). Is there any way to find how long key can be reused?
    Statistics details from Microsoft DNS
    dnscmd localhost /statistics 00000100
    DNS Server localhost statistics:
    Packet Dynamic Update:
    Updates Received         =          2
        Forwarded            =          0
        Empty (PreCon Only)  =          0
        NoOps (Dups)         =          0
        Rejected             =          1
        Completed            =          1
        Timed Out            =          0
        In Queue             =          0
    Updates Rejected         =          1
        FormError            =          0
        NameError            =          0
        NotImpl              =          0  (Non-Update Zone)
        Refused              =          0
          NonSecure Packet   =          0
          AccessDenied       =          0
        YxDomain             =          0
        YxRRSet              =          0
        NxRRSet              =          0
        NotAuth              =          1
        NotZone              =          0
    Queue
        Queued               =          1
        Retried              =          0
        Timeout              =          0
        In Queue             =          0
    Secure Update
        Success              =          1
        Continue             =          0
        Failure              =          0
          DS Write Failure   =          0
    Update Forwarding
        Forwards             =          0
        TCP Forwards         =          0
        Responses            =          0
        Timed Out            =          0
        In Queue             =          0
    Update Types:
        ZERO       = 0
        A          = 0
        NS         = 0
        CNAME      = 0
        SOA        = 0
        MB         = 0
        MG         = 0
        MR         = 0
        NULL       = 0
        WKS        = 0
        PTR        = 0
        HINFO      = 0
        MINFO      = 0
        MX         = 0
        TXT        = 0
        RP         = 0
        AFSDB      = 0
        X25        = 0
        ISDN       = 0
        RT         = 0
        NSAP       = 0
        NSAPPTR    = 0
        SIG        = 0
        KEY        = 0
        PX         = 0
        GPOS       = 0
        AAAA       = 0
        LOC        = 0
        NXT        = 0
        EID        = 0
        NIMLOC     = 0
        SRV        = 0
        ATMA       = 0
        NAPTR      = 0
        KX         = 0
        CERT       = 0
        A6         = 0
        Unknown    = 0
        Mixed      = 1
    Command completed successfully.
    dnscmd localhost /statistics 00000100
    DNS Server localhost statistics:
    Packet Dynamic Update:
    Updates Received         =         31
        Forwarded            =          0
        Empty (PreCon Only)  =          0
        NoOps (Dups)         =         24
        Rejected             =          3
        Completed            =          4
        Timed Out            =          0
        In Queue             =          0
    Updates Rejected         =          3
        FormError            =          0
        NameError            =          0
        NotImpl              =          0  (Non-Update Zone)
        Refused              =          1
          NonSecure Packet   =          0
          AccessDenied       =          0
        YxDomain             =          0
        YxRRSet              =          0
        NxRRSet              =          0
        NotAuth              =          2
        NotZone              =          0
    Queue
        Queued               =         29
        Retried              =          0
        Timeout              =          0
        In Queue             =          0
    Secure Update
        Success              =          2
        Continue             =          0
        Failure              =          1
          DS Write Failure   =          0
    Update Forwarding
        Forwards             =          0
        TCP Forwards         =          0
        Responses            =          0
        Timed Out            =          0
        In Queue             =          0
    Update Types:
        ZERO       = 0
        A          = 4
        NS         = 0
        CNAME      = 1
        SOA        = 0
        MB         = 0
        MG         = 0
        MR         = 0
        NULL       = 0
        WKS        = 0
        PTR        = 0
        HINFO      = 0
        MINFO      = 0
        MX         = 0
        TXT        = 0
        RP         = 0
        AFSDB      = 0
        X25        = 0
        ISDN       = 0
        RT         = 0
        NSAP       = 0
        NSAPPTR    = 0
        SIG        = 0
        KEY        = 0
        PX         = 0
        GPOS       = 0
        AAAA       = 0
        LOC        = 0
        NXT        = 0
        EID        = 0
        NIMLOC     = 0
        SRV        = 21
        ATMA       = 0
        NAPTR      = 0
        KX         = 0
        CERT       = 0
        A6         = 0
        Unknown    = 0
        Mixed      = 3
    Command completed successfully.
    C:\Users\Administrator>
    -Thanks,
    Devi.U

    Hi Devi,
    Based on this issue, would you please provide the netmon trace to us? I suggest taking a look at this packet. Moreover, please let me know if you tried to update the DNS record via DHCP manually.
    Thank you.
    Best regards,
    Steven Song
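The by-eye comparison of the two `dnscmd /statistics 00000100` outputs in the post above can be scripted so that only the counters that moved are shown. This is an added example, not code from the thread; the function names and the slash-joined counter keys are assumptions of this example, and it assumes the counters were not cleared between the two snapshots.

```python
import re

# Excerpts of the two dnscmd outputs quoted in the post above
# (same counter values; lines that stay at zero are trimmed for brevity).
SNAPSHOT_EARLY = """\
Packet Dynamic Update:
Updates Received         =          2
    NoOps (Dups)         =          0
    Rejected             =          1
    Completed            =          1
Updates Rejected         =          1
    NotImpl              =          0  (Non-Update Zone)
    Refused              =          0
      NonSecure Packet   =          0
      AccessDenied       =          0
    NotAuth              =          1
Queue
    Queued               =          1
    In Queue             =          0
Secure Update
    Success              =          1
    Failure              =          0
"""

SNAPSHOT_LATE = """\
Packet Dynamic Update:
Updates Received         =         31
    NoOps (Dups)         =         24
    Rejected             =          3
    Completed            =          4
Updates Rejected         =          3
    NotImpl              =          0  (Non-Update Zone)
    Refused              =          1
      NonSecure Packet   =          0
      AccessDenied       =          0
    NotAuth              =          2
Queue
    Queued               =         29
    In Queue             =          0
Secure Update
    Success              =          2
    Failure              =          1
"""

# indent, counter or section name, optional "= <number>" plus trailing note
LINE_RE = re.compile(r"^(?P<indent>\s*)(?P<name>[^=]+?)\s*(?:=\s*(?P<value>\d+).*)?$")


def parse_statistics(text):
    """Return {"Parent/Child": int}; indentation decides the parent, so names
    that repeat in several sections (e.g. "In Queue") get distinct keys."""
    counters = {}
    stack = []  # (indent, name) of the enclosing lines
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if m is None:  # a line with '=' but no numeric value
            continue
        indent = len(m.group("indent"))
        name = m.group("name").strip().rstrip(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, name))
        if m.group("value") is not None:
            counters["/".join(n for _, n in stack)] = int(m.group("value"))
    return counters


def diff_counters(before, after):
    """Counters that changed between two snapshots, as {key: delta}."""
    changes = {}
    for key in sorted(set(before) | set(after)):
        delta = after.get(key, 0) - before.get(key, 0)
        if delta:
            changes[key] = delta
    return changes


def refusal_triage(before, after):
    """Summarise rejected updates in the interval between the snapshots."""
    d = diff_counters(before, after)
    refused = d.get("Updates Rejected/Refused", 0)
    explained = (d.get("Updates Rejected/Refused/NonSecure Packet", 0)
                 + d.get("Updates Rejected/Refused/AccessDenied", 0))
    return {
        "refused": refused,
        # refusals not attributed to an unsigned packet or an ACL denial
        "refused_without_subcounter": refused - explained,
        "not_auth": d.get("Updates Rejected/NotAuth", 0),
        "secure_update_failures": d.get("Secure Update/Failure", 0),
    }


if __name__ == "__main__":
    early = parse_statistics(SNAPSHOT_EARLY)
    late = parse_statistics(SNAPSHOT_LATE)
    for key, delta in diff_counters(early, late).items():
        print(f"{key:45s} {delta:+d}")
    print(refusal_triage(early, late))
```

Taking the snapshots immediately before and after a failing update narrows the deltas to that one request.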

  • DNS question and no name available via DNS and no reverse DNS errors

    We are running an OS X server, 10.4.11, OD Master. We are getting some error messages, and we have setup DNS to forward requests for example.com. (our website) to our web developer's external web server where our website is being hosted.
    Oct 15 10:29:05 [server name omitted] servermgrd: servermgr_dns: no name available via DNS for 192.168.0.5
    Oct 15 10:29:05 [server name omitted] servermgrd: servermgr_dns: no reverse DNS entry for server, various services may not function properly
    Oct 15 10:31:48 [server name omitted] /usr/sbin/PasswordService: incorrect digest response
    - and -
    Oct 15 09:54:00 [server name omitted] DirectoryService[103]: GSSAPI Error: Miscellaneous failure (Server not found in Kerberos database)
    Some Background:
    We are running internal DNS services only. We have a domain, example.com. and our OS X Server, server.example.com. We have a website that is being hosted offsite by our web developer. Long ago when they were setting up the SSL certificate for the site, they obtained a certificate for example.com INSTEAD of www.example.com. So, our web developer setup a redirect to redirect web requests to www.example.com to example.com.
    Now, this brings us to our OS X server (server.example.com). We are hosting internal DNS with the same domain, example.com. When employees inside our LAN would put in our web address, example.com, or www.example.com, it would take them to our OS X server. As a workaround, in the DNS settings for the zone in server Admin, I set the Server IP address for the zone to "Other" and specified the external address to the server where the site is hosted by our developer then setup an A record for our server. (We cannot forward requests to www.example.com since our web developer automatically redirects these requests to example.com since that is where the SSL certificate and the search engines are linked to).
    Well obviously this had serious repercussions for server stability. So, I set the server IP address back to the address of our OS X server itself, 192.168.0.5.
    Now, I then went into command line and manually edited the zone files. Here's part of our zone file:
    $TTL 3600
    example.com. IN SOA server.example.com. sysadmin.example.com. (
    2008031015 ; serial
    3h ; refresh
    1h ; retry
    1w ; expiry
    1h ) ; minimum
    example.com. IN NS server.example.com.
    example.com. IN A [external IP address of web server]
    server IN A 192.168.0.5
    We are getting the following error messages regularly:
    Oct 15 10:29:05 [server name omitted] servermgrd: servermgr_dns: no name available via DNS for 192.168.0.5
    Oct 15 10:29:05 [server name omitted] servermgrd: servermgr_dns: no reverse DNS entry for server, various services may not function properly
    Oct 15 10:31:48 [server name omitted] /usr/sbin/PasswordService: incorrect digest response
    - and -
    Oct 15 09:54:00 [server name omitted] DirectoryService[103]: GSSAPI Error: Miscellaneous failure (Server not found in Kerberos database)
    Questions:
    Do I need to go back to our zone file and change the A record for example.com. to match our OS X server's address: 192.168.0.5?
    Secondly, is there anything I can do in DNS or elsewhere on the server to redirect web requests to example.com to our web developer's offsite server since the developer's server redirects www.example.com to example.com?
    Thanks in advance? I am stumped.
    Thanks,
    Tyler

    Problem was resolved.
    All I ended up doing was editing my reverse lookup file, db.192.168.0. It was correct, and I simply re-saved it without making any changes. Strangely enough, that did it. No idea why. Maybe a permissions issue with the file?
    I'm still running the server with address record for the domain (example.com.) mapped to our external web server. no problems.
    Tyler

  • Install AD Without DNS and use other dns

    Hello everybody,
    I have a DNS server for local network + my users + and web site domain.
    Now, I need to install Active Directory, but AD installs DNS and must set AD DNS for all domain users.
    How to install AD and use my DNS server?

    Install AD with DNS on domain controller (better is two DCs) and use public DNS to refer to for public names. Redirect DNS settings on clients to domain controller(s).
    DNS that AD is using should contain resource records that allow clients to find domain controller. As you have not specified your current DNS, it seems more direct procedure to do it in the above way.
    Read some info in Technet before you start change of your system to avoid problems.
    Rgds
    Milos

  • Active Directory client not dynamically updating DNS

    Hi,
    There have been some other issues mentioned on other threads regarding the Active Directory Plugin within Lion, it does appear to be flaky.
    I just wanted to make sure that the issue I'm having is not down to a mis-config by myself.
    We have several Macs running 10.7.1 and are bound into Active Directory (Windows 2008 R2) however, it appears that the DNS records for these machines are not being dynamically created within AD. (All Zones are AD integrated) All 10.6.x clients seem to work fine and records are created and updated dynamically as IPs change etc.
    Is anybody else having this issue? If not, any ideas why this is happening?
    Thanks in advance.

    Hi!
    I'm having exactly the same problem and nobody seems to have an answer.
    Regarding the reply you got, this has nothing to do with Lion Server. We're talking about Lion clients bound to an AD (Windows Server 2008 R2, in my case) not dynamically registering their DNS entries.
    I also noticed that the DHCP entries for those clients are missing the "Name" property, which is already symptomatic of something going wrong.
    Anyone?

  • How can I add news articles to website and dynamically update headlines without MySQL?

    Hi guys,
    I update a number of websites for athletes with news articles...
    I'm doing it manually at the moment so I have to update:
        1. news.php (with date and article title which links to the article)
        2. News Article (with title, date and article text)
        3. includes/latestNews.php (an include latest 3-4 article dates and headline which links to the article - displays on every page via include)
    The News Article is a plain and simple PHP file which is stored in a folder 'assets/news/' and the file is named according to date i.e. a news article today would be 130420 (as in 2013 year, 04 month, 20 day) so they sit in chronological order in the 'news' folder. There is a template page file called viewArticle.php which drags in the appropriate news article by link i.e. viewArticle.php?id=130420
    At the moment, I have to update news.php, latestNews.php and the individual article individually and manually.
    What I would like to do is...
    ...create, edit and add the News Article file (130420) to the 'news' folder as I am currently doing. But, with PHP, set news.php and latestNews.php to read the files in the 'assets/news/' folder to display the latest 4 article dates and linked headlines (for latestNews.php) and display all the dates and linked headlines (for news.php).
    I don't know anything about databases and can't get my head around them so I would rather do it with PHP code. Is this possible?
    Thank you very much and I hope to hear from you.
    SM

    This seems like a follow up question to your earlier one
    http://forums.adobe.com/thread/1195549
    Have you considered setting this site up as a blog such as Wordpress?
    You could then automate much of what you're attempting with a few well chosen point-and-click plugins without touching any code.

  • LMS duplicate events; one with dns and one with dns(ip) in component name

    Hello all,
    we have LMS 4.2 installed and added devices;
    Now if, for example, a device is not reachable we get two messages with the same failure;
    only the component name is different
    -     one event with "dns" in component name
    -     one with "dns(ip)"  in component name
    dns == hostname
    Thanks in advance

    Is it possible you have the devices twice in fault management?
    Once with the IP address as their name and once with their dns name?
    If that is the case you will find the same in the DCR.
    Try to delete the devices that only have ip address as name.
    Cheers,
    Michel

  • OS X 10.6.1:  bootpd, named, and dynamic DNS zone updates

    I have OS X 10.6.1 installed on a Mac Pro. It is configured to be the name server and DHCP server for my home network, i.e. /etc/named.conf and /etc/bootpd.plist have been modified to provide these services.
    I've encountered no problems with either the name server or the DHCP component of bootpd after upgrading to OS X 10.6(.1); however, one thing that continues to bug me is how to configure bootpd to dynamically update the DNS zone files whenever a lease is issued, released, or expires.
    At work, I use the Internet System Consortium's DHCP software and have it configured to dynamically update DNS whenever leases change state. I would really like to have DNS done the same way at home.
    What changes need to be made to /etc/bootpd.plist that would allow dynamic DNS updates to occur?

    Did you ever get an answer to this? Would rather not change the DHCP server in Snow Leopard....
    Thanks

  • [Forum FAQ] DNS Dynamic Update Troubleshooting Guide

    As we all know, DNS Client service and DNS Server services support dynamic updates. With dynamic updates, the DNS client computer is allowed to dynamically register and update its resource records based on their fully qualified domain name by default. However, in some scenarios, we may find that the DNS records are not updated.
    To analyze this issue clearly, this kind of issue is divided into two parts in this article:
    - Non-AD integrated zone with DHCP and DNS unintegrated
    - AD-integrated zone with DHCP and DNS Integrated
    Next, we begin to troubleshoot this issue from the above two classes separately.
    Non-AD integrated zone with DHCP and DNS unintegrated
    1. Check if Dynamic Updates is enabled or not
    If you have encountered this kind of issue, firstly, please check if dynamic updates is enabled in DNS server or not. You can right-click the domain in the Forward Lookup Zones, then select Properties. In the dialog, click General tab and choose Nonsecure and secure in the Dynamic updates box, then click OK. Please refer to Figure 1 and Figure 2.
    Figure 1: Check DNS Server Settings-1
    Figure 2: Check DNS Server Settings-2
    2. Check DNS Suffix
    Besides, since all computers register records based on their fully qualified domain name, and the fully qualified domain name is based on the primary DNS suffix of a computer appended to its Computer name, we also need to check the DNS panel of Advanced TCP/IP settings in TCP/IP properties.
    Just as in Figure 3, if Register this connection's address in DNS is selected and Use this connection's DNS suffix in DNS registration is not selected, this default configuration causes the client to request that the client register the Host resource record and the server register the PTR resource record. In these scenarios, please make sure the primary DNS suffix portion of a computer's FQDN is the same as the name of the Active Directory domain to which the computer is joined.
    Figure 3: Check DNS Client settings-1
    You can run “ipconfig/all” at the command prompt to check the Primary DNS suffix. From Figure 4, we can see that the Primary DNS suffix is blank.
    Figure 4: Check DNS Client settings-2
    To set the Primary DNS suffix, you can follow the steps below (Figure 5):
    - Right-click My computer and then click Properties.
    - In the System Properties dialog, click Computer Name tab and then click Change….
    - In the Computer Name Changes panel, click More…, then you can type the domain name into the Primary DNS suffix of this computer and then click OK.
    Figure 5: Set the Primary DNS Suffix
    After setting the primary DNS suffix, we can see that the Primary DNS suffix is demo.com in Figure 6.
    Figure 6: Primary DNS Suffix-demo.com
    If both Register this connection's address in DNS and Use this connection's DNS suffix in DNS registration are selected, you need to check the primary DNS suffix and connection-specific DNS suffix at the same time and make sure that the connection-specific domain name of this connection is the DNS suffix for this connection appended to the computer name. In the picture above, we can see that the Primary DNS suffix and Connection-specific DNS suffix are the same.
    AD-integrated zone with DHCP and DNS Integrated
    In some cases, this issue may happen when the DNS zone is AD-integrated and DHCP server is configured to register and update the A resource records and PTR records on behalf of the DHCP-enabled clients.
    1. Check if secure dynamic updates is enabled or not
    As everyone knows, DNS update security is available only for zones that are integrated into Active Directory Domain Services (we can see the difference from Figure 7 and Figure 2). Since secure dynamic updates can prevent unauthorized computers from overwriting existing names in DNS, generally, we recommend using only secure dynamic updates for AD-integrated zone.
    For AD-integrated zone, we can check if secure dynamic updates is enabled in DNS server or not firstly. You can right-click the domain in the Forward Lookup Zones, then select Properties. In the dialog, click General tab and choose Secure only in the Dynamic updates box, then click OK. Please refer to Figure 7.
    Figure 7: Check DNS Server Settings-2
    2. Check the DNS configuration and options settings on DHCP server
    We need to make sure that DHCP server is configured to register and to update client information with its configured DNS servers. You can check by right-clicking the IPv4 under your domain and choosing DNS in IPv4 properties.
    By default, the Enable DNS dynamic updates according to the settings below and the Dynamically update DNS A and PTR records only if requested by the DHCP clients box is checked. You can also select Always dynamically update DNS A and PTR records box so that the DHCP server always registers and updates client information with its configured DNS servers. (Figure 8)
    Figure 8: DHCP Server Settings
    In addition, you need to check that the configuration 006 DNS server option in DHCP option is correct. You can check that by clicking Server Options in DHCP console. If the setting is incorrect, you can right-click the option and then choose Properties, then you can remove the wrong DNS server and add a correct one. (Figure 9)
    Figure 9: Check DHCP Options
    3. Check if the DHCP server is added to the DnsUpdateProxy security group
    Furthermore, as the DHCP server becomes the owner of the name since the DHCP server performs a secure dynamic update on that name, only that DHCP server can update the name. We would make sure the DHCP server is available. If the DHCP server fails, even if other DHCP servers are online, they still have no right to update the client’s record because the other DHCP servers are not the owner of the client name.
    To solve this, it is necessary to add the DHCP server to the DnsUpdateProxy security group in AD. You can follow the steps below to achieve that: (Figure 10 and Figure 11)
    - Open ADUC, click Computers under your domain.
    - Right-click your DHCP server and select Add to a group tab.
    - Enter DnsUpdateProxy in the object name box and click Ok.
    Figure 10: Add DHCP Server to the DnsUpdateProxy security group – 1
    Figure 11: Add DHCP Server to the DnsUpdateProxy security group – 2
    After that, you can find that the DHCP server (In this demo, the DHCP server is W2K12R2) is a member of the DnsUpdateProxy group. (Figure 12)
    Figure 12: DHCP server is a member of the DnsUpdateProxy group
    4. Check the Credentials configuration for DNS update
    Furthermore, if a domain controller is running on the same host as the DHCP server and secure dynamic DNS update has been configured, you need to configure Credentials for DNS update.
    You can open DHCP console tree, right-click IPv4 and then click Properties. In the IPv4 Properties dialog, click Advanced, click Credentials, type the credentials that the DHCP server supplies when registering names using DNS dynamic updates, and then click OK. (Figure 13)
    Figure 13: Configure DNS dynamic update credentials
    More information:
    DHCP, Dynamic DNS Updates , Scavenging, static entries & timestamps, the DnsUpdateProxy Group, and DHCP Name Protection (Published by Ace Fekay, MVP)
    http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx
    Integrating DHCP with DNS
    http://technet.microsoft.com/en-us/library/cc771732.aspx
    Using DNS servers with DHCP
    http://technet.microsoft.com/en-us/library/cc787034(v=ws.10).aspx
    How to configure DNS dynamic updates
    http://support.microsoft.com/kb/816592/en-us
    Keyword: Dynamic Update, Troubleshooting 

    I have created one STATIC DNS Entry, for Example "ROSE" and
    1. Open the DNS snap-in.
    2. Right click the individual record (ROSE) and open the Properties dialog.
    3. Uncheck the Delete this record when it becomes stale option and click OK
    For the moment the time stamp will show as BLANK
    Then I logged in to server "ROSE" and restarted DHCP Client Service on server or restarted server, the time stamp is automatically setting as current date and "DELETE THIS RECORD WHEN IT BECOME STALE" check box also selected automatically and gets deleted after a week or so when the scavenging runs
    Is there any way to avoid the static entries become dynamic automatically.
    Domain Controller or DNS OS is Windows server 2003 R2 Standard Edition SP2
    Thanks & Regards
    Dinesh Cholekkavil

  • Oracle RAC 11.2 on Windows without DNS and DOMAIN

    I am trying to install Oracle RAC 11.2 in windows 2008R2 64 bit which is on workgroup and no available DNS.
    I read that SCAN requires DNS and in case DNS is not available, then host file will do but only one SCAN address will do.
    Can anyone help me out on this set up. Any steps/procedure is highly appreciated.
    thanks..

    Remember you can only resolve one scan IP if you're using hosts file
    example
    192.168.100.1 node1
    192.168.100.2 node2
    192.168.110.1 node1-private
    192.168.110.2 node2-private
    192.168.100.10 node1vip
    192.168.100.20 node2vip
    192.168.100.100 racscan
    all nodes must have the same hosts file entries

  • DNS dynamic updates don't work

    Hi,
    I am currently troubleshooting a DNS dynamic update issue that I am having in my production environment. I had to change the subnet mask on a DHCP scope, so according to http://www.windowstricks.in/2009/06/how-to-change-subnet-mask-of-dhcp-scope.html I deleted the scope and recreated it. After one day I noticed that a lot of A records (Linux and Mac clients) were gone, and that non-Windows DHCP clients would no longer register their A record with DNS as they did before. It seems that the DHCP server no longer communicates with DNS because before the change was made, there were DHCP log entries about successful registrations but afterwards there are no such entries in the log, neither success nor failure.
    The DHCP server is configured to always dynamically update A and PTR records, the DNS server accepts secure and nonsecure dynamic updates. DHCP is installed on one of my two domain controllers (Windows Server 2008 R2, AD in 2003 mode).
    I then set up a basic test environment with just one DC which has DHCP and DNS with default settings, added a reverse lookup zone to the DNS, one Windows and one Linux client. In that environment, the Windows client registers its A record with
    the DNS but not the PTR record, but the Linux client still will not be registered in DNS. Allowing nonsecure DNS doesn't resolve the issue.
    What am I missing? Any help is appreciated...
    Georg.

  • DNS replicating but not being dynamically updated by other DCs

    Background on setup:
    Our campus runs BIND for the DNS solution
    Campus servers do not allow for dynamic updates of the root zone (school.university.edu), but are set to allow dynamic updates of the AD-related zones (_msdcs, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones)
    We run Active Directory (2008R2/2012R2 Mixed Mode) with DNS
    Our DCs are all listed in the NS tab of our zones, but are not truly authoritative...campus BIND servers are
    We only have the default zones setup in our DNS, all allow for Dynamic updates (Secure Only)
    DNS zones are ADI and replicate to all DNS servers in the domain (All 6 DCs are DNS servers)
    Clients do not register with our DNS, they use the campus BIND servers.  Only AD domain controllers are registered in our zones and allowed to dynamically update
    Once upon a time, this setup worked without an issue.  Dynamic updates worked without an issue within our ADI zones, as well in the campus BIND servers.  When we started to add the new 2012R2 domain controllers into the mix, we noticed that this
    was no longer the case.  Since we don't often add or remove DCs from our setup, we do not know exactly when this broke.
    The issue is that our campus BIND DNS servers show all of the appropriate DNS records flawlessly.  We manually requested entries at the root (looks fine) and all AD zones updated dynamically with all expected records.  Our AD DNS servers on the
    other hand have a fair number of incorrect and missing records.  The only one of the three new servers to have records in our AD DNS is the server we moved all of our FSMO roles to before our technician noticed the DNS issues.  The other two have
    no records dynamically generated in our AD DNS zones.  We pulled one of the old 2008R2 DCs out of the domain using dcpromo since it had some other issues.  As expected, it pulled all of its records out of campus BIND cleanly but left all of its records
    in our AD DNS.
    If we manually add/remove an entry (PTR, CNAME, A, SRV), the change replicates appropriately across the domain.  However, we do not want to put a Band-Aid fix on this and manually enter all of the records.  We want to figure out why these two servers
    are not pushing their records into AD DNS despite updating them flawlessly in campus BIND servers.
    DNS is not my forte, so I'd welcome any advice on what I can as my best next steps.  I have played around a lot with modifying DNS servers listed in the DC network settings, and register this connection.  We can confirm that replication seems to
    be working fine.  We can manually add records.  DNS shows no errors in event log.  When using dcdiag dns test, it shows that we have missing records in our DNS but no other issues are displayed.  NSLOOKUP reveals campus DNS to be correct. 
    Any assistance would be appreciated...even if just to point me to a better tool for diagnostics.  We have not yet tried reinstalling DNS on any of the DCs and wish to avoid that if possible.

    Greg:
    Thank you for taking the time to respond.  I believe I have found a pseudo-solution earlier this week, but I find myself slightly confused by the solution.  On our network connections for the DCs, we had been making the BIND servers the primary
    and secondary DNS servers, then each of our DCs point to two of the other DCs for their tertiary and quaternary DNS servers.  Since the BIND servers have all of the correct records, we flipped those to make the DCs our primary and secondary before BIND
    servers.  This got all of the records into our AD correctly.
    It was my understanding that if you checked the "Register this connection in DNS" checkbox that it would register itself in all of the DNS servers in the list, but based off the above it seems it only registers in the first DNS server it successfully connects
    to; assuming it expects that primary server to replicate the records to others.  If this new assumption is true, then I am trying to figure out how I am supposed to get my DCs to dynamically update both AD-DNS and BIND when I make changes.  This
    may be best suited in another thread, so I'll gladly break it out into another if needed.  I do not have control over the BIND DNS servers, except for the fact that my DCs are allowed to dynamically update the AD subzones.  I have full control over
    my AD-DNS, but my clients computers are required to point to BIND for their DNS.

  • 10.4.4 update and now my DNS zones aren't visible!

    After the 10.4.4 update, I can't see my DNS zones, and the log says there are now errors, for example: servermgr_dns: Bad zone file for zone macs4ever.com MX/CNAME line: "@" before A line. Ignoring.
    This wasn't an issue before. Has something changed in the zone formatting?
    What file can I edit to correct the syntax if needed?
    I appreciate your time and assistance,
    matt caswell

    Note that I write my own zone files and prefix them with "db." just so that I do not overwrite the default ones. The name of the zone file is in itself not critical, as long as the correct file is referenced in named.conf.
    My zone definitions in /etc/named.conf...
    // a caching only nameserver config
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "localhost" IN {
        type master;
        file "db.localhost";
        allow-update { none; };
    };
    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "db.127.0.0";
        allow-update { none; };
    };
    zone "foo.com" IN {
        file "db.foo.com";
        type master;
    };
    zone "0.0.10.in-addr.arpa" IN {
        file "db.10.0.0";
        type master;
    };
    ============================
    The Zone Files in /var/named...
    ============================
    Zone File "db.localhost"
    $TTL 86400
    localhost. IN SOA server.foo.com. postmaster.foo.com. (
    42 ; serial (d. adams)
    3H ; refresh
    15M ; retry
    1W ; expiry
    1D ) ; minimum
    localhost. IN NS server.foo.com.
    localhost. IN A 127.0.0.1
    ====================
    Zone file "127.0.0" (reverse zone for localhost)
    $TTL 86400
    0.0.127.in-addr.arpa. IN SOA server.foo.com. postmaster.foo.com. (
    2006011511 ; Serial
    3h ; Refresh
    1h ; Retry
    1w ; Expire
    1h ) ; Minimum
    0.0.127.in-addr.arpa. IN NS server.foo.com.
    1.0.0.127.in-addr.arpa. IN PTR localhost.foo.com.
    ==========================
    Zone file "db.foo.com"
    $TTL 86400
    foo.com. IN SOA server.foo.com. postmaster.foo.com. (
    2005101301 ; serial
    3h ; refresh
    1h ; retry
    1w ; expiry
    1h ) ; minimum
    ; NAME SERVERS
    foo.com. IN NS server.foo.com.
    ; ADDRESSES FOR CANONICAL NAMES
    localhost IN A 127.0.0.1
    server IN A 10.0.0.1
    ; ALIASES
    ical.foo.com. IN CNAME server
    mail.foo.com. IN CNAME server
    ftp.foo.com. IN CNAME server
    ; MAIL RECORDS
    foo.com. IN MX 0 server
    ======================
    Zone File db.10.0.0 (reverse zone for foo.com)
    $TTL 86400
    0.0.10.in-addr.arpa. IN SOA server.foo.com. postmaster.foo.com. (
    2006011500 ; serial
    3h ; refresh
    1h ; retry
    1w ; expiry
    1h ) ; minimum
    0.0.10.in-addr.arpa. IN NS server.foo.com.
    ; REVERSE LOOKUPS
    1 IN PTR server.foo.com.
    ========================
    Note that you may have different records but hopefully you get the drift of it.
    "Bad zone file for zone domain.com MX/CNAME..."
    The particular cause, for me, of the above error was that, in db.foo.com, I used to have the following for the MX record...
    foo.com. IN MX 0 mail
    This created the error message as there was not a direct A record for 'mail'. The amended zone file now works... but...
    I still have an issue with this... In my case my DNS is purely for the private LAN but if it was a public DNS then I would have needed to set up the server with a hostname "mail.foo.com" instead of "server..." and then alias 'server' to 'mail'. Something you really should know before setting up the server
    (Actually, I don't even know why I have the MX record in the internal DNS as the mail server can function quite happily without it.)
    Anyway, I find this on-line reference really handy although you can get a bit 'lost' in all the links within it...
    http://www.zytrax.com/books/dns/
    Have fun.
    -david
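The error discussed in the post above comes from an MX record whose target is a CNAME rather than a name with its own address record (RFC 2181 says MX and NS targets must not be aliases). The following check is an added example, not code from the post or from BIND: it uses a deliberately simplified zone parser, and the function names and the sample zone are constructed for illustration.

```python
# Constructed sample: db.foo.com from the post, with the MX target set to 'mail'
# (a CNAME), the variant the poster says triggered the error.
SAMPLE_ZONE = """\
$TTL 86400
foo.com. IN SOA server.foo.com. postmaster.foo.com. (
    2005101301 ; serial
    3h ; refresh
    1h ; retry
    1w ; expiry
    1h ) ; minimum
foo.com. IN NS server.foo.com.
server IN A 10.0.0.1
mail.foo.com. IN CNAME server
foo.com. IN MX 0 mail
"""

def fqdn(name, origin):
    """Expand a zone-file name to a lower-case absolute name."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_records(text, origin):
    """Yield (owner, type, rdata) for one-line 'owner IN TYPE rdata' records.
    Simplified: no $ORIGIN/$INCLUDE, no per-record TTLs, SOA continuation lines skipped."""
    owner, depth = origin, 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        continued = depth > 0
        depth += line.count("(") - line.count(")")
        if continued or not line.strip() or line.startswith("$"):
            continue
        fields = line.split()
        if not raw[0].isspace():          # a blank owner inherits the previous one
            owner = fqdn(fields.pop(0), origin)
        if len(fields) >= 3 and fields[0].upper() == "IN":
            yield owner, fields[1].upper(), fields[2:]

def check_targets(text, origin):
    """Findings for in-zone MX/NS targets that are aliases or lack an address.
    'origin' must be a lower-case absolute name such as 'foo.com.'."""
    records = list(parse_records(text, origin))
    has_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    is_alias = {o for o, t, _ in records if t == "CNAME"}
    findings = []
    for owner, rtype, rdata in records:
        if rtype not in ("MX", "NS"):
            continue
        target = fqdn(rdata[-1], origin)
        if target != origin and not target.endswith("." + origin):
            continue                      # out-of-zone target: not judged from this file
        if target in is_alias:
            findings.append((rtype, owner, target, "target is a CNAME"))
        elif target not in has_addr:
            findings.append((rtype, owner, target, "no A/AAAA record"))
    return findings

if __name__ == "__main__":
    print(check_targets(SAMPLE_ZONE, "foo.com."))
```

Changing the sample's MX line to point at `server`, as in the poster's amended zone, makes the check return no findings.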

  • New Windows Server 2012 unable connect to Netlogon Service or update DNS records

    Hi everybody, all of my Windows Servers 2012 decided to collapse after innocuous group policy update that was meant to make user passwords more secure.
    The AD and DNS seem to be functioning "normally", I am able to add new Windows7 and Windows Server 2008 machines to the domain, I can see them listed in the AD and DNS records are updated correctly, however, as soon as I try to join Windows Server
    2012 it breaks.
    The event log is littered on the new server with:
    The system failed to register host (A or AAAA) resource records (RRs) for network adapter
    with settings:
               Adapter Name : {DB7F73CE-E011-4F3C-BEBC-2CE7A871DF51}
               Host Name : CHEETAH
               Primary Domain Suffix : somedomain.com
               DNS server list :
    192.168.0.5
               Sent update to server : <?>
               IP Address(es) :
    192.168.0.15
    The reason the system could not register these RRs was because the update request it sent to the DNS server timed out. The most likely cause of this is that the DNS server authoritative for the name it was attempting to register or update is not running
    at this time.
    You can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator.
    and
    Name resolution for the name _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.somedomain.com. timed out after none of the configured DNS servers responded.
    When I try to ping the primary DC (WS2003) it fails, the Secondary DC (WS2012) responds.
    The >nltest /sc_query:somedomain.com on Windows Servers 2012 returns:
    Flags: 0
    Trusted DC Name
    Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
    The command completed successfully
    yet it works on all other machines.
    I tried removing 2012 servers from the domain and rejoining - without success. The cookie crumbled when I added two new installations of Windows Server 2012 & 2008 and 2008 worked fine but 2012 showed same symptoms.
    There is one peculiar thing that I had noticed on all Windows 2012 machines, it is constantly showing "Workplace Connection - Connecting" in the networks pane on the right side of the screen, which I can't say I ever noticed before.
    Unfortunately, the secondary DC is a multihoming server with Direct Access role - I am not sure if this may play some part but our existing configuration worked for a year now without any problems. Issue appeared when I changed the password complexity rule,
    which boggles the mind. I wonder if there have been some other changes in GPO that did not propagate from years ago and finally come back to break things.
    Any suggestions would be really appreciated.
    wmin

    Hello Ace, I wish you a Happy New Year! I hope your break was enjoyable and filled with cheer.
    In the end I had to bite the bullet and reinstall all troublesome servers. Your recommendations from above removed some serious problems with the DA and DNS resolution.
    I was able to attach new server to the domain without any problems and begin painful process of rebuild.
    I have promoted TIGER to full DC controller role, but having some issues with replication. Although running >repadmin /showrepl gives positive feedback, the sysvol folder on the secondary DC is empty.
    Also there is a couple of warnings in the event log:
    Event ID 4012
    Log Name: DNS Server
    Source: DNS-Server-Service
    The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial
    synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server
    for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
    - which has not repeated since 3rd of Jan.
    These events occur on the primary DC every few minutes:
    Event ID 1030
    Source: Userenv
    Log Name: NT AUTHORITY\SYSTEM
    Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.
    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.
    Event ID 1058
    Source: Userenv
    Log Name: NT AUTHORITY\SYSTEM
    Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=somedomain,DC=com. The file must be present at the location <\\somedomain.com\sysvol\somedomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
    (The network name cannot be found. ). Group Policy processing aborted.
    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.
    Should sysvol folder be shared on the secondary DC? Another interesting thing to point out is that \\somedomain.com\sysvol\somedomain.com\Policies\ can be accessed from all other machines except the DC1.
    Cheers!
    kind regards,
    wmin

  • Microsoft DNS and 3rd Party DHCP (Infoblox)

    We are running Microsoft DNS with Infoblox as our DHCP and IPAM system. We realized that DHCP is not removing PTR and A records when an IP is released. We want to make sure that DHCP does do this but there is no information on how. We believe we need to
    implement Dynamic Updates on Infoblox but we are unsure on how to give it permission to manage the records. Infoblox said there is no place to put domain credentials.  I did find an article where we can use ktpass.exe but didn't give any further information. 
    Any help would be greatly appreciated.

    Hi,
    According to your description, my understanding is that Microsoft DNS server works with Infoblox as DHCP and IPAM. DHCP does not remove PTR and A records when an IP is released.
    Is that an AD-Integrated zone on your DNS server?  And if it is configured with a Secure Dynamic Update, only the “owner” is allowed to update resource records in such zones. For detailed information about Secure Dynamic Update you may reference:
    https://technet.microsoft.com/en-us/library/cc961412.aspx
    You may try to configure the zone with non-security update (DNS console – right click zone and select Properties – General – Dynamic Update, configured as None or Nonsecure and secure).
    Besides, as with Microsoft DHCP server, we have related settings to specify the DHCP server to remove DNS RRs on behalf of clients at expiration of the IP address lease. It is better to contact the Infoblox Supporter about this function.
    A work around way to clean these stale RRs – DNS Aging and Scavenging:
    http://social.technet.microsoft.com/wiki/contents/articles/21724.how-dns-aging-and-scavenging-works.aspx
    Best Regards,
    Eve Wang