DNS Operation Refused

Rob

I recently decided to move the DHCP from the Win2000
server to the Netgear Router on our network. In the
process I also disabled the DNS and Router's running on
the Win2000 box ( I am now using the DNS of the DSL
service).
The problem is that in Event Viewer I am still getting
NetLogon errors, ending with 'DNS Operation Refused'. It
looks like zones are trying to register but since I
disabled the DNS why are these errors still happening?

Confused
Rob
 
Herb Martin

Rob said:
I recently decided to move the DHCP from the Win2000
server to the Netgear Router on our network. In the
process I also disabled the DNS and Router's running on
the Win2000 box ( I am now using the DNS of the DSL
service).
The problem is that in Event Viewer I am still getting
NetLogon errors, ending with 'DNS Operation Refused'. It
looks like zones are trying to register but since I
disabled the DNS why are these errors still happening?

That is NetLogon trying to act as a CLIENT to DNS and
register the DC with DNS, but since you moved DNS this
is likely the wrong target DNS server.

Make sure the NIC\IP\DNS server properties of the DC
(or any client for that matter) do not point to the missing/removed
DNS server but only to an available internal DNS server that
can either accept or arrange for the correct server(s) to accept the
dynamic registration.
 
J.C. Hornbeck [MSFT]

Netlogon will still try and dynamically register on whichever DNS it is
configured to use. If this is an Active Directory environment then you need
to make sure your DNS supports SRV records and dynamic registrations. If
not, and you're sure you don't need dynamic DNS registrations then you can
disable dynamic registrations and the errors will no longer show up.

To disable dynamic updates on a server (assuming it's not also a RAS
client), there are three services which are responsible for dynamic DNS
registrations. If you wish to disable dynamic updates then the properties
of all services that register records will have to be modified via the
registry. For example, here are the services involved in different
scenarios:

Stand alone server:
DHCP client service

Domain controller (DC):
DHCP client service
Netlogon service

Domain Controller (DC) running DNS:
DHCP client service
Netlogon service
DNS server service

In the case where we have a DC or a DC running DNS, there is no single
setting or registry entry that will disable all dynamic DNS registrations.
Each service will have to be individually modified to prevent these
registrations from occurring. Here are the registry values involved and
what can be controlled:

The DHCP client service:
------------------------
- All adapters - forward (hostname A) and reverse (PTR) records -
DisableDynamicUpdate.
- All adapters - reverse (PTR) records - DisableReverseAddressRegistrations.
- Per adapter - forward (hostname A) and reverse (PTR) records - advanced
TCP/IP properties on the DNS tab.
- Per adapter - forward and reverse (hostname A and PTR) records -
DisableDynamicUpdate.

The Netlogon service:
---------------------
- All adapters - all records - UseDynamicDns.
- All adapters - forward (hostname A) records - RegisterDnsARecords.

The DNS server service:
-----------------------
- Per adapter - forward (hostname A) records - PublishAddresses.
- Per adapter - forward (hostname A) records - DNS server listening
addresses (found in properties)


What the above also implies is that it is not possible to disable all
registrations on a DC for a particular adapter on a multihomed system. The
only recourse is to disable all registrations after making sure the proper
records exist within DNS.

For more information on these registry values and other details on dynamic
registrations see these knowledge base articles:

1. 178148 (http://support.microsoft.com/?id=178148). This describes how to
disable registrations done by the DHCP client service for all interfaces.

2. 816592 (http://support.microsoft.com/?id=816592). This describes dynamic
registrations for Windows Server 2003 and how to disable DHCP client service
registrations on a per adapter basis.

3. 246804 (http://support.microsoft.com/?id=246804). This describes the
services that register records and the registry keys that affect their
respective behavior.

--
J.C. Hornbeck, MCSE
Microsoft Product Support

NOTE: Please reply to the newsgroup and not directly to me. This allows
others to add to and benefit from these threads and also helps to ensure a
more timely response. Thank you!

This posting is provided "AS IS" without warranty either expressed or
implied, including, but not limited to, the implied warranties of
merchantability or fitness for a particular purpose.
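
A read-only audit of the registry values named in the post above, added here as an example and not part of the original post or of any Microsoft tooling. The registry paths (the standard `Services\...\Parameters` keys) and the helper names `Get-RegData` and `New-Row` are assumptions, since the post gives only the value names.

```powershell
# Added example: report which services on this machine will still attempt
# dynamic DNS registration. Reads the registry only; changes nothing.
# Assumption: paths are the standard service Parameters keys (not given in the post).
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$checks = @(
    @{ Service = 'DHCP client'; Key = "$svc\Tcpip\Parameters";    Name = 'DisableDynamicUpdate';               Off = 1 }
    @{ Service = 'DHCP client'; Key = "$svc\Tcpip\Parameters";    Name = 'DisableReverseAddressRegistrations'; Off = 1 }
    @{ Service = 'Netlogon';    Key = "$svc\Netlogon\Parameters"; Name = 'UseDynamicDns';                      Off = 0 }
    @{ Service = 'Netlogon';    Key = "$svc\Netlogon\Parameters"; Name = 'RegisterDnsARecords';                Off = 0 }
)

function Get-RegData([string]$Key, [string]$Name) {
    # Returns $null when the key or the value does not exist
    $p = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $p) { $p.$Name }
}

function New-Row($Service, $Scope, $Name, $Data, $Off) {
    # An absent value means the service keeps its default, which is to register
    $state = 'registers'
    if ($null -eq $Data)    { $state = 'registers (value not set)' }
    elseif ($Data -eq $Off) { $state = 'disabled' }
    [pscustomobject]@{ Service = $Service; Scope = $Scope; Value = $Name; Data = $Data; State = $state }
}

# Settings that apply to all adapters
$rows = @(foreach ($c in $checks) {
    New-Row $c.Service 'All adapters' $c.Name (Get-RegData $c.Key $c.Name) $c.Off
})

# Per-adapter DisableDynamicUpdate sits under each interface GUID key
$rows += Get-ChildItem "$svc\Tcpip\Parameters\Interfaces" | ForEach-Object {
    $data = Get-RegData $_.PSPath 'DisableDynamicUpdate'
    New-Row 'DHCP client' "Adapter $($_.PSChildName)" 'DisableDynamicUpdate' $data 1
}

# PublishAddresses only exists where the DNS server service is installed
if (Test-Path "$svc\DNS\Parameters") {
    $pub = Get-RegData "$svc\DNS\Parameters" 'PublishAddresses'
    $row = New-Row 'DNS server' 'Per adapter' 'PublishAddresses' $pub $null
    $row.State = if ($pub) { 'restricted to listed addresses' } else { 'not restricted' }
    $rows += $row
}

$rows | Sort-Object Service, Scope | Format-Table -AutoSize
```

On a DC, any Netlogon row still showing `registers` while the machine points at a DNS server that refuses updates matches the NetLogon errors described in the original question.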
 
Ace Fekay [MVP]

Rob said:
I recently decided to move the DHCP from the Win2000
server to the Netgear Router on our network. In the
process I also disabled the DNS and Router's running on
the Win2000 box ( I am now using the DNS of the DSL
service).
The problem is that in Event Viewer I am still getting
NetLogon errors, ending with 'DNS Operation Refused'. It
looks like zones are trying to register but since I
disabled the DNS why are these errors still happening?

Confused
Rob


Basically as JC and Herb pretty much mentioned, don't use your ISP's DNS
servers in your internal machine IP properties. Must only use your own
internal DNS on all AD members (DCs and clients). That is *usually* the
cause of this, unless you have your machines already configured this way and
just forgot to allow dynamic updates in your zone properties.

For efficient Internet resolution, configure a forwarder. If the option is
grayed out, delete the Root zone. This article explains these two steps:
http://support.microsoft.com/?id=300202



--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
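
One way to check the point made in the replies above (AD members should use only an internal DNS server that holds the AD zone), added here as an example and not taken from any post in this thread. It assumes a domain-joined machine with the DnsClient cmdlets available; the function name `Test-AdDnsServer` is hypothetical.

```powershell
# Added example: for every DNS server this machine is configured to use, check
# whether it can answer for the AD zone. An ISP resolver will normally fail both tests.
# Assumption: domain-joined machine, so Win32_ComputerSystem.Domain is the AD DNS domain.
$domain  = (Get-CimInstance Win32_ComputerSystem).Domain
$locator = "_ldap._tcp.dc._msdcs.$domain"   # DC locator SRV record registered by Netlogon

function Test-AdDnsServer([string]$Server, [string]$Zone, [string]$SrvName) {
    $q = @{ Server = $Server; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    # Keep only real SRV answers; a negative reply may carry an SOA in the authority section
    $srv = Resolve-DnsName -Name $SrvName -Type SRV @q | Where-Object { $_.Type -eq 'SRV' }
    $soa = Resolve-DnsName -Name $Zone -Type SOA @q |
        Where-Object { $_.Type -eq 'SOA' -and $_.Section -eq 'Answer' } |
        Select-Object -First 1
    $primary = '(zone not known to this server)'
    if ($soa) { $primary = $soa.PrimaryServer }
    $targets = @($srv | ForEach-Object { $_.NameTarget } | Sort-Object -Unique)
    [pscustomobject]@{
        DnsServer         = $Server
        HasLocatorSrv     = [bool]$srv
        ZonePrimary       = $primary
        DomainControllers = $targets -join ', '
    }
}

$results = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        $alias = $_.InterfaceAlias
        foreach ($s in $_.ServerAddresses) {
            Test-AdDnsServer $s $domain $locator |
                Add-Member -NotePropertyName Interface -NotePropertyValue $alias -PassThru
        }
    }

$results | Format-Table Interface, DnsServer, HasLocatorSrv, ZonePrimary, DomainControllers -AutoSize

# Any configured server that cannot return the locator record is a candidate for removal
$results | Where-Object { -not $_.HasLocatorSrv } | ForEach-Object {
    Write-Warning "$($_.DnsServer) on '$($_.Interface)' does not serve the $domain zone"
}
```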
 
ObiWan

Basically as JC and Herb pretty much mentioned, don't use your ISP's DNS
servers in your internal machine IP properties. Must only use your own
internal DNS on all AD members (DCs and clients). That is *usually* the
cause of this, unless you have your machines already configured this way and
just forgot to allow dynamic updates in your zone properties.

For efficient Internet resolution, configure a forwarder. If the option is
grayed out, delete the Root zone. This article explains these two steps:
http://support.microsoft.com/?id=300202

Right, also, disabling the win2000 dns and using the router "DNS"
(it isn't a DNS just a forwarder/cache) isn't really a good idea imo
if you really want to use the router "DNS" then you'd better set up
the win2000 dns to forward queries to the router and configure the
clients to use the win2000 dns as the ONLY dns; btw I prefer using
the config suggested by Ace or (better) avoiding forwarders at all
and using root-hints so that your DNS will carry on the whole query
resolution process on its own

Regards


--

* ObiWan

DNS "fail-safe" for Windows 2000 and 9X clients.
http://ntcanuck.com

Support and discussions forum
http://ntcanuck.com/net/board

408 XP/2000 tweaks and tips
http://ntcanuck.com/tq/Tip_Quarry.htm
 
Ace Fekay [MVP]

ObiWan said:
Right, also, disabling the win2000 dns and using the router "DNS"
(it isn't a DNS just a forwarder/cache) isn't really a good idea imo
if you really want to use the router "DNS" then you'd better set up
the win2000 dns to forward queries to the router and configure the
clients to use the win2000 dns as the ONLY dns; btw I prefer using
the config suggested by Ace or (better) avoiding forwarders at all
and using root-hints so that your DNS will carry on the whole query
resolution process on its own

Regards


Thanks for the plug! I kind of still lean towards forwarding as to offload
the resolution process to the ISP.

:)

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
