Tons of dnsapi failures in client Event logs?

Gerry Hickman (thread starter)

Hi,

Win2k Servers SP4 (AD Native Mode)
Win2k D-DNS, NOT "Active Directory Integrated" at this stage
Win2k Clients SP4 using fixed IP addresses - not DHCP
Win2k Clients are told to "register" themselves with DNS

When checking event logs of new client machines, I see a lot of dnsapi
entries, and their A records are missing from DNS.

This has only just come to light, because we also run WINS and we've
therefore not actually been seeing DNS resolution issues. If you use
NSLOOKUP, you get the _correct_ answer (!), but if you look in the zone
file on the server, the client name is NOT there!

However, after some days (?) the records _do_ appear on the DNS server!
I don't know if it's hours or days or what, but somehow they magically
appear when I'm not looking.

Obviously if we wanted to turn off WINS, this would be a serious
problem; any new machine placed on the network would not work properly
for some number of hours/days.

I've read the troubleshooting guide on MSDN, but everything seems in
order. Has anyone else run into this kind of thing?
 
How many DNS servers do you have in use?

If the tcp-ip info is entered statically on the clients, how many DNS
servers do they have entered? Both a primary and a secondary? Do you think
the clients could be using the secondary dns server instead of the primary
for their zone/domain?

Is your DNS server multi-homed? Multiple ip addresses bound to one nic?

What is the exact error recorded on the clients?
 
Just to verify how you have things set up, is the following correct?

You have one or more of your Windows 2000 servers running the DNS service, and
those servers point to themselves for their own DNS resolution. You have a
forwarder on the DNS service(s) to forward uncached/unknown requests to your
ISP's DNS server(s). Your clients point to the Windows 2000 DNS and that DNS
only.

Is that correct? If not, could you tell us how things are set up?

Regards

Oli
 
What is the exact error recorded on the clients?

I'm attaching the error text. I replied to this post last night, but I don't
see my reply on the server yet. Here's the error from the Event log;

-----start-----start-----start-----

The system failed to register network adapter with settings:

Adapter Name : {42154863-3477-4233-BFD1-6D22BBB63DF0}
Host Name : SSRU60
Adapter-specific Domain Suffix : ioead
DNS server list :
10.82.37.145, 10.82.37.146
Sent update to server : None
IP Address(es) :
10.82.33.53

The cause of this DNS registration failure was because of DNS server
failure. This may be due to a zone transfer that has locked the DNS server
for the applicable zone that your computer needs to register itself with.

(The applicable zone should typically correspond to the Adapter-specific
Domain Suffix that was indicated above.) You can manually retry registration
of the network adapter and its settings by typing "ipconfig /registerdns" at
the command prompt. If problems still persist, contact your network systems
administrator to verify network conditions.

-----end-----end-----end-----end-----

What does it mean "Sent update to server: None" ?!?
 
Hi Gerry,

By chance, is Active Directory DNS running on NT4 servers? If so, you will
need to tell the tcp-ip settings to stop trying to register with DNS because
NT doesn't support dynamic updates. Same goes with Unix/Linux BIND versions
4.9.7 and earlier.

Please tell us more about your DNS environment.
 
NIC said:
By chance, is Active Directory DNS running on NT4 servers?

No, as I said in my original post, it's all Win2k. The DNS is NOT
running in Active Directory mode; it's running in "Primary" mode (it's
not secure update).

The DNS servers point to themselves for name resolution and then have a
forwarder set for external address resolution. They are not multi-homed
or anything.

Unfortunately, I'm not actually the DNS server admin (and he's not been
much help yet!) but I do have full access to it via MMC.

One thing I did notice, it seems to be only the most newly registered
machines that are having this problem. Only machines built or renamed in
the last 4 weeks are failing to register.

Issuing IPCONFIG /REGISTERDNS on the client doesn't help - same error.
 
I assume that the zone is set to allow dynamic updates.

Try setting the static DNS on the client to point only to the primary DNS
server and then build a new machine or rename one so it should register.
Try the same thing while pointing to a secondary. Please post back what
you find out.

Also, check the event logs on both servers after the test and see if there
are errors recorded.

Check the security tab on the zone and see if:

System has f/c
Domain Controllers have f/c
Authenticated Users have both Read and "Create all Client Objects"
 
NIC said:
I assume that the zone is set to allow dynamic updates.
Yup.

Also, check the event logs on both servers after the test and see if there
are errors recorded.

No errors, however I've asked the DNS admin to enable logging - this is
off at the moment.
Check the security tab on the zone and see if:

I'll have a look, but it USED to work 4 weeks ago with same settings.

Actually, I think the clue is in that event entry I posted, it says
"Sent update to server: None"

That's crazy, it should not say "None".

I looked at some other DNSAPI errors from months ago before we had AD. I
note the errors say things like "Sent update to server: 10.82.33.21",
however, that's a UNIX box so the error is expected.
 
Hi,

More observations.

Logging of "updates" is now enabled on the DNS server.

When trying to join a client using dynamic update, no A record gets created,
and no error appears in the DNS server log. However, a PTR record _does_ get
created in the reverse lookup zone shortly after the machine boots up!

How can it create a PTR record but not an A record??

I also note the properties screens are different for A records and PTR
records. There's no "Security" tab when viewing A records, but there is for
PTR records??
 
The "no security tab for A records" is normal for a primary zone, and the
PTR records do have the security tab. If your zone goes Active-Dir
integrated then you get a security tab on both.

What does the security tab say on the forward zone? Please describe the
settings in detail.

So there is a UNIX Server running DNS?

Have you tried making another of the W2000 DNS servers the primary?

--
Scott Baldridge
Windows Server MVP, MCSE
 
Hi Scott,

I've reposted this in the DNS group, I didn't realise there was a
special group for DNS. I did see one other post that looks like my exact
problem, so I'll see if anything comes back.

The Unix server is only accessible as a "forwarder" from the Win2k DNS
server, the clients are not mapped to it in any way.

I'll check the security tab on the forward lookup zone tomorrow.
 
Hi,

The DNS newsgroup came up with the answer. Basically Win2k SP4 makes a
change to client machines that will no longer allow them to update a
"Single-Label" domain name.

http://support.microsoft.com/default.aspx?scid=kb;en-us;300684&FR=1

I did warn our DNS admins about using a non-dotted name for internal DNS
but that advice was ignored. It now seems we either have to rename the
whole AD domain, or hack the registries of EVERY computer, including
ones that haven't been built yet:(

Not amused...
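As an added example (not part of the thread), a small Python script that parses the DNSAPI event text posted above and applies the two checks the thread converged on: a single-label adapter suffix (the KB 300684 finding) and "Sent update to server: None". The sample event is constructed from the fields quoted in the thread.

```python
import re

# Constructed sample: the DNSAPI event text quoted in the thread, with the
# same field names and values (GUID, host name, suffix, addresses).
SAMPLE_EVENT = """\
The system failed to register network adapter with settings:

Adapter Name : {42154863-3477-4233-BFD1-6D22BBB63DF0}
Host Name : SSRU60
Adapter-specific Domain Suffix : ioead
DNS server list :
10.82.37.145, 10.82.37.146
Sent update to server : None
IP Address(es) :
10.82.33.53
"""

# A field line reads "Key : Value"; for some keys the value is on the next line.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z()\- ]+?)\s*:\s*(?P<val>.*)$")

def parse_dnsapi_event(text):
    """Return the event's 'Key : Value' fields as a dict, folding in values
    that the event places on the line after the key."""
    fields, pending = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.endswith("settings:"):
            continue  # blank line or the fixed header sentence
        m = FIELD_RE.match(line)
        if m:
            key, val = m.group("key").strip(), m.group("val").strip()
            fields[key] = val
            pending = key if not val else None
        elif pending:  # continuation line: the server list or the addresses
            fields[pending] = line
            pending = None
    return fields

def diagnose(fields):
    """Apply the two checks this thread converged on; returns a list of findings."""
    findings = []
    suffix = fields.get("Adapter-specific Domain Suffix", "")
    if suffix and "." not in suffix:
        findings.append(f"suffix '{suffix}' is single-label: a Windows 2000 SP4 "
                        "client will no longer update such a zone (KB 300684)")
    if fields.get("Sent update to server", "").lower() == "none":
        servers = fields.get("DNS server list", "<none listed>")
        findings.append("the client sent the update to no server, although "
                        f"these were configured: {servers}")
    return findings
```

Running `diagnose(parse_dnsapi_event(SAMPLE_EVENT))` on the posted event yields both findings; an event with a dotted suffix and a named target server yields none.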
 
In a nutshell:

If you are 2000 native you can rename in 2003 but it ain't straightforward.

If you are 2000 mixed then you can rename if you go back to NT and then go
to 2000 again.
 