non-domain members and DDNS

[Blake]

If I enable SECURE UPDATES only on a Windows 2003 mixed mode AD, can a
non-domain member dynamically update it's DNS records?

I am getting the error on a couple of servers (some domain members, some
not)

The system could not register the DNS update request because of a security
related problem.

Blake

 

[Kevin D. Goodknecht Sr. [MVP]]

If I enable SECURE UPDATES only on a Windows 2003 mixed mode AD, can a
non-domain member dynamically update it's DNS records?

No, but a DHCP server can register non-domain members in DNS.
How to configure DNS dynamic updates in Windows Server 2003:
http://support.microsoft.com/kb/816592/


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

 

[Herb Martin]

If I enable SECURE UPDATES only on a Windows 2003 mixed mode AD, can a
non-domain member dynamically update it's DNS records?

No. (But it has nothing to do with "mixed mode".)

Only machines which can authenticate will be able update their
own records.

I am getting the error on a couple of servers (some domain members, some
not)

Expect the errors on non-domain machines. You either must
use DHCP (a domain server) to do the registration for them,
or you must do this manually.

The system could not register the DNS update request because of a security
related problem.

Generally it is NOT a big issue for servers (most should be in
the domain anyway) since you if you cannot use DHCP for the
server then you already have to manage it manually and adding
it's permanent address is a one-time chore.

Also recognize you can even give out DHCP assigned addresses
to MOST 'servers' requiring permanent addresses (to remain the
same) by using RESERVATIONS.

Once the DHCP server is 'in control' of the address and set to
do the registration only the account of the DHCP server matters.

(And with Win2003, you can even specify an account for the
DHCP servers to use -- although that feature is not in Win2000
it can still do the registrations securely.)

 

[Blake]

Everything you guys said makes sense. Currently the IPs are set statically,
even though DHCP reservations would work the same way.

It makes sense that non-domain servers don't support 'secure' updates, as
the 'secure' is a function of the domain.

Thanks
Blake

If I enable SECURE UPDATES only on a Windows 2003 mixed mode AD, can a
non-domain member dynamically update it's DNS records?

No. (But it has nothing to do with "mixed mode".)

Only machines which can authenticate will be able update their
own records.

I am getting the error on a couple of servers (some domain members, some
not)

Expect the errors on non-domain machines. You either must
use DHCP (a domain server) to do the registration for them,
or you must do this manually.

The system could not register the DNS update request because of a
security related problem.

Generally it is NOT a big issue for servers (most should be in
the domain anyway) since you if you cannot use DHCP for the
server then you already have to manage it manually and adding
it's permanent address is a one-time chore.

Also recognize you can even give out DHCP assigned addresses
to MOST 'servers' requiring permanent addresses (to remain the
same) by using RESERVATIONS.

Once the DHCP server is 'in control' of the address and set to
do the registration only the account of the DHCP server matters.

(And with Win2003, you can even specify an account for the
DHCP servers to use -- although that feature is not in Win2000
it can still do the registrations securely.)


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

Blake

 

[Herb Martin]

Everything you guys said makes sense. Currently the IPs are set
statically, even though DHCP reservations would work the same way.

It makes sense that non-domain servers don't support 'secure' updates, as
the 'secure' is a function of the domain.

Exactly. (Technically, any "trusted domain's" machines should
work also, but I cannot remember having tested that since generally
I have them register with a DNS-DC from their own domain.0

Secure means literally that the computer account must be authenticated
on the domain (or a trusted domain).

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

Thanks
Blake

If I enable SECURE UPDATES only on a Windows 2003 mixed mode AD, can a
non-domain member dynamically update it's DNS records?

No. (But it has nothing to do with "mixed mode".)

Only machines which can authenticate will be able update their
own records.

I am getting the error on a couple of servers (some domain members, some
not)

Expect the errors on non-domain machines. You either must
use DHCP (a domain server) to do the registration for them,
or you must do this manually.

The system could not register the DNS update request because of a
security related problem.

Generally it is NOT a big issue for servers (most should be in
the domain anyway) since you if you cannot use DHCP for the
server then you already have to manage it manually and adding
it's permanent address is a one-time chore.

Also recognize you can even give out DHCP assigned addresses
to MOST 'servers' requiring permanent addresses (to remain the
same) by using RESERVATIONS.

Once the DHCP server is 'in control' of the address and set to
do the registration only the account of the DHCP server matters.

(And with Win2003, you can even specify an account for the
DHCP servers to use -- although that feature is not in Win2000
it can still do the registrations securely.)


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

Blake

 

[Blake]

We had another machine where the A record just 'went away' even though it is
a domain machine that is configured to register its name in DNS.

The system failed to register host (A) resource records (RRs) for network
adapter
with settings:
Adapter Name : {E6505EFF-D308-483C-8679-D47705F6145C}
Host Name : rotunda
Primary Domain Suffix : longwood.edu
DNS server list :
159.230.xx.xx, 159.230.yy.yy
Sent update to server : 159.230.xx.xx
IP Address(es) :
159.230.4.233
The reason the system could not register these RRs during the update request
was because of a system problem. You can manually retry DNS registration of
the network adapter and its settings by typing "ipconfig /registerdns" at
the command prompt. If problems still persist, contact your DNS server or
network systems administrator. For specific error code, see the record data
displayed below.

This event appears on the member server trying to update its A record. It
appears to be a valid domain member (I can log onto a domain account using
this server). Any ideas or troubleshooting steps anyone can suggest?

Everything you guys said makes sense. Currently the IPs are set
statically, even though DHCP reservations would work the same way.

It makes sense that non-domain servers don't support 'secure' updates, as
the 'secure' is a function of the domain.

Exactly. (Technically, any "trusted domain's" machines should
work also, but I cannot remember having tested that since generally
I have them register with a DNS-DC from their own domain.0

Secure means literally that the computer account must be authenticated
on the domain (or a trusted domain).

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

Thanks
Blake

If I enable SECURE UPDATES only on a Windows 2003 mixed mode AD, can a
non-domain member dynamically update it's DNS records?

No. (But it has nothing to do with "mixed mode".)

Only machines which can authenticate will be able update their
own records.

I am getting the error on a couple of servers (some domain members,
some not)

Expect the errors on non-domain machines. You either must
use DHCP (a domain server) to do the registration for them,
or you must do this manually.

The system could not register the DNS update request because of a
security related problem.

Generally it is NOT a big issue for servers (most should be in
the domain anyway) since you if you cannot use DHCP for the
server then you already have to manage it manually and adding
it's permanent address is a one-time chore.

Also recognize you can even give out DHCP assigned addresses
to MOST 'servers' requiring permanent addresses (to remain the
same) by using RESERVATIONS.

Once the DHCP server is 'in control' of the address and set to
do the registration only the account of the DHCP server matters.

(And with Win2003, you can even specify an account for the
DHCP servers to use -- although that feature is not in Win2000
it can still do the registrations securely.)


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]


Blake

 

[Herb Martin]

We had another machine where the A record just 'went away' even though it

is a domain machine that is configured to register its name in DNS.

The system failed to register host (A) resource records (RRs) for network
adapter
with settings:
Host Name : rotunda
Primary Domain Suffix : longwood.edu
DNS server list : 159.230.xx.xx, 159.230.yy.yy
Sent update to server : 159.230.xx.xx
IP Address(es) : 159.230.4.233
The reason the system could not register these RRs during the update
request was because of a system problem. You can manually retry DNS
registration of the network adapter and its settings by typing "ipconfig
/registerdns" at the command prompt. If problems still persist, contact
your DNS server or network systems administrator. For specific error code,
see the record data displayed below.

One obvious thing to try would be the "ipconfig /registerDNS"
it suggests -- if this works then the problem was some intermittant
or "timing" related issue (e.g., authentication didn't happen before
registration attempt.)

One must assume that it "went away" because the server was not
able to refresh its registration which doesn't sound like an intermittant
issue.

This event appears on the member server trying to update its A record. It
appears to be a valid domain member (I can log onto a domain account using
this server). Any ideas or troubleshooting steps anyone can suggest?

NetDiag is a good tool for checking general network features;
and as to logging into a domain account, does this also work
without further authentication for access domain resources on
another server (shared files etc.)?

The reason this clarification is needed is that one MIGHT be
logging in with "cached credentials" but they don't usually work
for accessing network resources.

The machine is trying to register with DNS server 159.230.xx.xx
so checking this machine to ensure IT is also authenticated, has
the zone, and that the zone is DYNAMIC on this DNS server would
be first steps.

Again, DCDiag on all the DCs it a good idea.

Send your 'IPConfig /all" without editing and as TEXT (no graphics
capture) so I can review it if this doesn't help.

Ultimately I would put Network Monitor and/or use DNS logging
(debug logging if using Win2003) to try to analyze this if not obvious
solution appears.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

We had another machine where the A record just 'went away' even though it
is a domain machine that is configured to register its name in DNS.

The system failed to register host (A) resource records (RRs) for network
adapter
with settings:
Adapter Name : {E6505EFF-D308-483C-8679-D47705F6145C}
Host Name : rotunda
Primary Domain Suffix : longwood.edu
DNS server list :
159.230.xx.xx, 159.230.yy.yy
Sent update to server : 159.230.xx.xx
IP Address(es) :
159.230.4.233
The reason the system could not register these RRs during the update
request was because of a system problem. You can manually retry DNS
registration of the network adapter and its settings by typing "ipconfig
/registerdns" at the command prompt. If problems still persist, contact
your DNS server or network systems administrator. For specific error code,
see the record data displayed below.

This event appears on the member server trying to update its A record. It
appears to be a valid domain member (I can log onto a domain account using
this server). Any ideas or troubleshooting steps anyone can suggest?

Everything you guys said makes sense. Currently the IPs are set
statically, even though DHCP reservations would work the same way.

It makes sense that non-domain servers don't support 'secure' updates,
as the 'secure' is a function of the domain.

Exactly. (Technically, any "trusted domain's" machines should
work also, but I cannot remember having tested that since generally
I have them register with a DNS-DC from their own domain.0

Secure means literally that the computer account must be authenticated
on the domain (or a trusted domain).

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

Thanks
Blake


If I enable SECURE UPDATES only on a Windows 2003 mixed mode AD, can a
non-domain member dynamically update it's DNS records?

No. (But it has nothing to do with "mixed mode".)

Only machines which can authenticate will be able update their
own records.

I am getting the error on a couple of servers (some domain members,
some not)

Expect the errors on non-domain machines. You either must
use DHCP (a domain server) to do the registration for them,
or you must do this manually.

The system could not register the DNS update request because of a
security related problem.

Generally it is NOT a big issue for servers (most should be in
the domain anyway) since you if you cannot use DHCP for the
server then you already have to manage it manually and adding
it's permanent address is a one-time chore.

Also recognize you can even give out DHCP assigned addresses
to MOST 'servers' requiring permanent addresses (to remain the
same) by using RESERVATIONS.

Once the DHCP server is 'in control' of the address and set to
do the registration only the account of the DHCP server matters.

(And with Win2003, you can even specify an account for the
DHCP servers to use -- although that feature is not in Win2000
it can still do the registrations securely.)


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]


Blake

 

[Blake]

Thanks, Herb.

I tried the registerdns flag on ipconfig - that is when I get the error. I
think our firewall people are blocking TCP 53 between the registering server
and my DC/DNS box. I am yelling at them.

Thanks for your input - I'll work through your steps after I rule out the
firewall.

Blake

We had another machine where the A record just 'went away' even though it
is a domain machine that is configured to register its name in DNS.

The system failed to register host (A) resource records (RRs) for network
adapter
with settings:
Host Name : rotunda
Primary Domain Suffix : longwood.edu
DNS server list : 159.230.xx.xx, 159.230.yy.yy
Sent update to server : 159.230.xx.xx
IP Address(es) : 159.230.4.233
The reason the system could not register these RRs during the update
request was because of a system problem. You can manually retry DNS
registration of the network adapter and its settings by typing "ipconfig
/registerdns" at the command prompt. If problems still persist, contact
your DNS server or network systems administrator. For specific error
code, see the record data displayed below.

One obvious thing to try would be the "ipconfig /registerDNS"
it suggests -- if this works then the problem was some intermittant
or "timing" related issue (e.g., authentication didn't happen before
registration attempt.)

One must assume that it "went away" because the server was not
able to refresh its registration which doesn't sound like an intermittant
issue.

This event appears on the member server trying to update its A record.
It appears to be a valid domain member (I can log onto a domain account
using this server). Any ideas or troubleshooting steps anyone can
suggest?

NetDiag is a good tool for checking general network features;
and as to logging into a domain account, does this also work
without further authentication for access domain resources on
another server (shared files etc.)?

The reason this clarification is needed is that one MIGHT be
logging in with "cached credentials" but they don't usually work
for accessing network resources.

The machine is trying to register with DNS server 159.230.xx.xx
so checking this machine to ensure IT is also authenticated, has
the zone, and that the zone is DYNAMIC on this DNS server would
be first steps.

Again, DCDiag on all the DCs it a good idea.

Send your 'IPConfig /all" without editing and as TEXT (no graphics
capture) so I can review it if this doesn't help.

Ultimately I would put Network Monitor and/or use DNS logging
(debug logging if using Win2003) to try to analyze this if not obvious
solution appears.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

We had another machine where the A record just 'went away' even though it
is a domain machine that is configured to register its name in DNS.

The system failed to register host (A) resource records (RRs) for network
adapter
with settings:
Adapter Name : {E6505EFF-D308-483C-8679-D47705F6145C}
Host Name : rotunda
Primary Domain Suffix : longwood.edu
DNS server list :
159.230.xx.xx, 159.230.yy.yy
Sent update to server : 159.230.xx.xx
IP Address(es) :
159.230.4.233
The reason the system could not register these RRs during the update
request was because of a system problem. You can manually retry DNS
registration of the network adapter and its settings by typing "ipconfig
/registerdns" at the command prompt. If problems still persist, contact
your DNS server or network systems administrator. For specific error
code, see the record data displayed below.

This event appears on the member server trying to update its A record.
It appears to be a valid domain member (I can log onto a domain account
using this server). Any ideas or troubleshooting steps anyone can
suggest?

Everything you guys said makes sense. Currently the IPs are set
statically, even though DHCP reservations would work the same way.

It makes sense that non-domain servers don't support 'secure' updates,
as the 'secure' is a function of the domain.


Exactly. (Technically, any "trusted domain's" machines should
work also, but I cannot remember having tested that since generally
I have them register with a DNS-DC from their own domain.0

Secure means literally that the computer account must be authenticated
on the domain (or a trusted domain).

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

Thanks
Blake


If I enable SECURE UPDATES only on a Windows 2003 mixed mode AD, can
a non-domain member dynamically update it's DNS records?

No. (But it has nothing to do with "mixed mode".)

Only machines which can authenticate will be able update their
own records.

I am getting the error on a couple of servers (some domain members,
some not)

Expect the errors on non-domain machines. You either must
use DHCP (a domain server) to do the registration for them,
or you must do this manually.

The system could not register the DNS update request because of a
security related problem.

Generally it is NOT a big issue for servers (most should be in
the domain anyway) since you if you cannot use DHCP for the
server then you already have to manage it manually and adding
it's permanent address is a one-time chore.

Also recognize you can even give out DHCP assigned addresses
to MOST 'servers' requiring permanent addresses (to remain the
same) by using RESERVATIONS.

Once the DHCP server is 'in control' of the address and set to
do the registration only the account of the DHCP server matters.

(And with Win2003, you can even specify an account for the
DHCP servers to use -- although that feature is not in Win2000
it can still do the registrations securely.)


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]


Blake