XP clients not updating DNS via DHCP

Had 4 DCs: 2 Win2k3 and 2 Win2k. Both Win2k had DNS installed and running AD
integrated. I dcpromo'd down one of the Win2k boxes and disabled DNS. Changed
all the DHCP servers to pass only the one DNS server IP that is left. Now
when I try to add a workstation or move it to a new subnet, the old DNS
record is not updated with the new IP address, and my event log is full of
the messages below.
I am not getting any errors when I run Netdiag (DNS test) or DCdiag. Both
pass. DNS event log does not show any errors, nor does the app or system
event log. Just the security log.....

Help - What did I do wrong?
Help - How can I fix my dns server?


I am getting the following event message on my server:
Event Type: Failure Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 565
Date: 5/5/2006
Time: 12:40:47 PM
User: AVON\HS_SVR1$
Computer: MS-SVR
Description:
Object Open:
Object Server: DS
Object Type: dnsNode
Object
Name: DC=66,DC=10.5.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=avon,DC=local
New Handle ID: -
Operation ID: {0,757195213}
Process ID: 372
Primary User Name: MS-SVR$
Primary Domain: AVON
Primary Logon ID: (0x0,0x3E7)
Client User Name: HS_SVR1$
Client Domain: AVON
Client Logon ID: (0x0,0x2D21E1BF)
Accesses Write Self

Privileges -

Properties:
Write Property
%{00000000-0000-0000-0000-000000000000}
 
Robert-Avon-Schools said:
Had 4 DCs: 2 Win2k3 and 2 Win2k. Both Win2k had DNS installed and running
AD integrated. I dcpromo'd down one of the Win2k boxes and disabled
DNS. Changed all the DHCP servers to pass only the one DNS server IP
that is left. Now when I try to add a workstation or move it to a
new subnet, the old DNS record is not updated with the new IP
address, and my event log is full of the messages below.
I am not getting any errors when I run Netdiag (DNS test) or DCdiag.
Both pass. DNS event log does not show any errors, nor does the app
or system event log. Just the security log.....

Help - What did I do wrong?
Help - How can I fix my dns server?


I am getting the following event message on my server:
Event Type: Failure Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 565
Date: 5/5/2006
Time: 12:40:47 PM
User: AVON\HS_SVR1$
Computer: MS-SVR
Description:
Object Open:
Object Server: DS
Object Type: dnsNode
Object Name: DC=66,DC=10.5.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=avon,DC=local
New Handle ID: -
Operation ID: {0,757195213}
Process ID: 372
Primary User Name: MS-SVR$
Primary Domain: AVON
Primary Logon ID: (0x0,0x3E7)
Client User Name: HS_SVR1$
Client Domain: AVON
Client Logon ID: (0x0,0x2D21E1BF)
Accesses Write Self

Is it just the reverse zone that is not getting updated? (That's the error
in this event.)
A PTR created and registered by one machine cannot be updated by another
machine.

My suggestion: use DHCP on Win2k3 to register for all clients, assign a
dedicated user account with a non-expiring password in the Win2k3 DHCP to
authenticate with DNS. Set DHCP to "Always update DNS", then clear the check
box "Register this connection's addresses in DNS".
DHCP will then register for all clients using the same user account, making
it possible for DHCP to update the PTR and A records.

Incidentally, DHCP uses the DNS servers in its TCP/IP properties to register
clients, so make sure the DNS servers in its TCP/IP properties are correct.
 
Kevin,
I should have mentioned that each of these servers is in its own subnet,
providing DHCP services for their respective subnets. To answer your
question, the forward zone and the reverse zones are not being updated. On my
HS_SVR1 box (Win2k and previous DC that was demoted), there is no security
option. I have added it to the authorized DHCP list. Any other suggestions?
 
Robert-Avon-Schools said:
Kevin,
I should have mentioned that each of these servers is in its own
subnet, providing DHCP services for their respective subnets. To
answer your question, the forward zone and the reverse zones are not
being updated. On my HS_SVR1 box (Win2k and previous DC that was
demoted), there is no security option. I have added it to the
authorized DHCP list. Any other suggestions?

Could you clear up some confusion for me?
Is HS_SVR1 a DNS server?
If it is a demoted DC, it cannot have AD integrated zones and therefore has no
security tab and no security on its zones. If it has the zone, is it a
secondary zone?
If it is a secondary zone it can only send updates to the master using the
MNAME record, and it does not have permission to make the update.
If it is a DHCP server, even if it is authorized as a DHCP server, DHCP
authorization only authorizes it to assign addresses in the domain and does
not give it permission to update DNS.

This is why Win2k3 added the feature for DHCP to authenticate its
permissions to update DNS. Win2k used the DNSUpdateProxy group for this.

I would still recommend DHCP be moved to Win2k3 so it can be configured to
authenticate with DNS.
 
Kevin,
It was a DC with DNS. When I demoted it to a member server, I stopped the
DNS server service and changed the DNS server settings on all my DHCP servers
to only point to the one DNS server I have left running, which is MS-SVR (a
Win2k DC; it is AD integrated). I hope this helps. I noticed something
interesting. I set up a PC on the same subnet as the DNS server. I get an IP
address with all the right settings. When I do a nslookup -da ipaddress of
pc, I got a list of three reverse entries, only one of which was the correct
PC name. If I do a nslookup -da pcname of pc, I get an IP address of some
other PC. I guess I am really confused as to how removing one DNS server (I
had two, now have 1) would make it so my DHCP servers stop updating DNS
correctly.

Really beginning to worry, (should I panic yet?)
Robert
 
Robert-Avon-Schools said:
Kevin,
It was a DC with DNS. When I demoted it to a member server, I stopped
the DNS server service and changed the DNS server settings on all my DHCP
servers to only point to the one DNS server I have left running, which
is MS-SVR (a Win2k DC; it is AD integrated).

This was one of the scenarios I gave.
I hope this helps.
I noticed something interesting. I set up a PC on the same subnet as
the DNS server. I get an IP address with all the right settings. When
I do a nslookup -da ipaddress of pc, I got a list of three reverse
entries, only one of which was the correct PC name. If I do a
nslookup -da pcname of pc, I get an IP address of some other PC. I
guess I am really confused as to how removing one DNS server (I had
two, now have 1) would make it so my DHCP servers stop updating DNS
correctly.

Really beginning to worry, (should I panic yet?)
Robert

When DHCP runs on a Win2k DC, it uses the DC's permissions to update DNS,
which is why you shouldn't run DHCP on a Win2k DC.
When you demoted it to a member, it no longer had permission to update DNS; you
would have to add DHCP servers on member servers to the DnsUpdateProxy group.
But I still wouldn't recommend that. Win2k3 DHCP will work much better as a
DHCP server.
 
Kevin,
I have added HS_SVR1 to the DnsUpdateProxy group and am now rebooting. I
hope this does it. On a related topic: can I have one DHCP server that
passes IP addresses for different subnets to specific subnets? For example,
our network is 10.5.x.x; each building is assigned a range, 10.5.1.xx for
example.
So I would need the DHCP server, say on 10.5.40.2, to pass out IPs to 10.5.1.xx
even though it's separated by two switches. I hope this makes sense; not sure
if I am describing it exactly right.
 
Robert-Avon-Schools said:
Kevin,
I have added HS_SVR1 to the DnsUpdateProxy group and am now
rebooting. I hope this does it. On a related topic: can I have one
DHCP server that passes IP addresses for different subnets to
specific subnets? For example, our network is 10.5.x.x; each building
is assigned a range, 10.5.1.xx for example.
So I would need the DHCP server, say on 10.5.40.2, to pass out IPs to
10.5.1.xx even though it's separated by two switches. I hope this
makes sense; not sure if I am describing it exactly right.

Switches? Maybe, but these two IPs appear to be on different subnets, which
means there would need to be a router, and most routers won't pass through
DHCP broadcasts.
 
OK, that's what I thought; the switches are doing some internal routing
because they are set up as VLANs.... (Cisco people smarter than I set it up).
I rebooted the server that was added to the DnsUpdateProxy group, but the
errors are still being sent from that server and my DNS server is still
getting those update failures.

Clearer picture of the network:
10.5.1.x contains a Win2k DC with DNS (AD integrated) and DHCP passes IPs to
.1.x
10.5.10.x now contains a demoted Win2k box (member svr) with DHCP passes to
.10.x
10.5.20.x contains a Win2k3 DC with DHCP IPs to .20.x
10.5.30.x contains a Win2k mbr svr with DHCP IPs to .30.x
10.5.40.x contains a Win2k3 DC with DHCP IPs to .40.x
10.5.50.x contains a Win2k mbr svr with DHCP to .50.x
I am getting the errors from the .10.x server on the .1.x server running DNS,
but DNS is not even being updated correctly for a PC brought into the .1.x
subnet (where the DNS server is). I have added (overkill) all the DHCP
servers to the DnsUpdateProxy group to no apparent effect.
 
Robert-Avon-Schools said:
OK, that's what I thought; the switches are doing some internal
routing because they are set up as VLANs.... (Cisco people smarter
than I set it up). I rebooted the server that was added to the
DnsUpdateProxy group, but the errors are still being sent from that
server and my DNS server is still getting those update failures.

Clearer picture of the network:
10.5.1.x contains a Win2k DC with DNS (AD integrated) and DHCP passes
IPs to .1.x
10.5.10.x now contains a demoted Win2k box (member svr) with DHCP
passes to .10.x
10.5.20.x contains a Win2k3 DC with DHCP IPs to .20.x
10.5.30.x contains a Win2k mbr svr with DHCP IPs to .30.x
10.5.40.x contains a Win2k3 DC with DHCP IPs to .40.x
10.5.50.x contains a Win2k mbr svr with DHCP to .50.x
I am getting the errors from the .10.x server on the .1.x server
running DNS, but DNS is not even being updated correctly for a PC
brought into the .1.x
subnet (where the DNS server is). I have added (overkill) all the DHCP
servers to the DnsUpdateProxy group to no apparent effect.

This would still require a change of ownership of registered records. The
DnsUpdateProxy group is not secure and the DHCP server will have to take
ownership of the records. The problem is if a machine registered its own
record the DHCP server can't update it and vice-versa. Once the DHCP server
takes ownership, the client cannot update it.
Check the Advanced security of the records to see who the current owner is
and what the Effective permissions are for the DnsUpdateProxy group.

Read the section beginning with "Secure Dynamic Updates" in these KB articles:

How to configure DNS dynamic update in Windows 2000:
http://support.microsoft.com/default.aspx?scid=kb;en-us;317590

How to configure DNS dynamic updates in Windows Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;en-us;816592
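As an added triage aid that is not part of the thread, this Python script parses Security log Event ID 565 failure audits in the export layout quoted above, resolves each dnsNode DN to the PTR or A record involved, and lists the machine accounts that were refused, so the admin can compare them with the record owner shown under Advanced security. The second sample event and its host name lab-pc01 are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the Security-log export layout seen in the thread: the first
# event is the one quoted there; the second is an assumed forward-zone refusal.
SAMPLE_LOG = r"""Event Type: Failure Audit
Event ID: 565
Object Type: dnsNode
Object
Name: DC=66,DC=10.5.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=avon,DC=local
Client User Name: HS_SVR1$
Client Domain: AVON
Accesses Write Self

Event Type: Failure Audit
Event ID: 565
Object Type: dnsNode
Object Name: DC=lab-pc01,DC=avon.local,CN=MicrosoftDNS,CN=System,DC=avon,DC=local
Client User Name: LAB-PC01$
Client Domain: AVON
"""

FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")


def parse_events(text):
    """Split exported Security log text into one {field: value} dict per event."""
    events, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue  # "Object", "Accesses Write Self" and blank lines carry no key
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Event Type" and current:  # a new event starts here
            events.append(current)
            current = {}
        if key == "Name":  # the export breaks "Object Name" across two lines
            key = "Object Name"
        current[key] = value
    if current:
        events.append(current)
    return events


def node_target(object_name):
    """Map a dnsNode DN to ('PTR', ip) for reverse zones or ('A', fqdn) otherwise."""
    dcs = []
    for part in object_name.split(","):
        if part.upper().startswith("CN="):
            break  # CN=MicrosoftDNS ends the (node, zone) pair
        dcs.append(part[3:])
    node, zone = dcs[0], dcs[1]
    if zone.lower().endswith(".in-addr.arpa"):
        prefix = zone[: -len(".in-addr.arpa")].split(".")  # labels are reversed
        return "PTR", ".".join(prefix[::-1] + [node])
    return "A", f"{node}.{zone}"


def summarize_565(text):
    """Group refused dnsNode writes by target record and the account that tried."""
    refused = defaultdict(set)
    for ev in parse_events(text):
        if ev.get("Event ID") != "565" or ev.get("Object Type") != "dnsNode":
            continue
        client = f"{ev.get('Client Domain', '?')}\\{ev.get('Client User Name', '?')}"
        refused[node_target(ev["Object Name"])].add(client)
    return {target: sorted(accounts) for target, accounts in refused.items()}


if __name__ == "__main__":
    for (kind, target), accounts in sorted(summarize_565(SAMPLE_LOG).items()):
        print(f"{kind:3} {target:24} refused for {', '.join(accounts)}")
```

A record whose refused account differs from its owner is exactly the case Kevin describes: the update is being attempted by a machine that does not own the record.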
 
Neo

Use the script below if you are using cloned PCs and those PCs are not appearing in the WSUS console.

'SetAuthorization.vbs
'
'Version 1.2 - 05/31/07, Rob Dunn
'
'Email: uphold twothousand1 (the year as a number) at hotmail dot com
'Websites: www.vbshf.com, www.wsus.info
'
'This script can be run against a remote computer and delete the WSUS
' Client ID's and it can force the computer to run a detectnow or
' resetauthorization so it will report back into the WSUS server with a
' newly generated ID.
'
'This was based off of a script that I came across in the WSUS.info forums
' http://www.wsus.info/forums/index.php?showtopic=8698&hl=duplicate+script
'
'Usage:
'SetAuthorization.vbs computer:computername reset:true (will delete regkeys, stop/restart AU services, perform /resetauthorization /detectnow)
'SetAuthorization.vbs computer:computername (will stop/restart AU service, perform /detectnow)
'SetAuthorization.vbs computer:computername reset:true force:true (if you have run the script on the PC before, you will need to use the force switch to override the regkey marker to run again - then performs the same actions as the 'reset:true' listed above)

Const ForAppending = 8
Const HKEY_LOCAL_MACHINE = &H80000002
Dim objLocator, objWMIService, oReg, strResetAuthorization, strComputer, iDebug, sIDDeleted, l
Dim strForceReset

'Set iDebug = 1 if you wish to see what is going on with the variables, etc.
iDebug = 0

'Static variable - do not change.
sIDDeleted = ""

Set ws = CreateObject("Scripting.FileSystemObject")
Set objLocator = CreateObject("WbemScripting.SWbemLocator")
Set oShell = CreateObject("WScript.Shell")
Set objArgs = WScript.Arguments
Set l = ws.OpenTextFile (".\setauthorization.log", ForAppending, True)

l.WriteLine "[" & now & "] - initializing script..."

'Get command-line arguments
If objargs.count < 1 Then
'if no command line arguments, then goto the input function
Call fctInput
Else
For I = 0 to objArgs.Count - 1
'get computername - who are we running the script against?
If InStr(1,LCase(objargs(I)),"computer:") Then
arrComputer = split(lcase(objargs(I)),"computer:")
strComputer = arrComputer(1)
if iDebug = 1 then msgbox "Computername: " & strComputer
'get reset switch - reset authorization or just detect now?
' (the argument was lower-cased, so the switch name must be matched in lower case too)
ElseIf InStr(1,LCase(objargs(I)),"reset:") Then
arrAuth = split(lcase(objargs(I)),"reset:")
strResetAuthorization = arrAuth(1)
if iDebug = 1 then msgbox "Reset Authorization: " & strResetAuthorization

'If we get an invalid switch defined, catch it here.
' (InStr returns 0 for "not found"; "Not <number>" is a bitwise operation in
' VBScript, so the result is compared with 0 explicitly)
if instr("true yes false no",lcase(strResetAuthorization)) = 0 then
msgbox "You have used an invalid switch for the 'Reset' option. Use 'true|yes'. Now exiting."
l.WriteLine "[" & now & "] - Invalid switch specified: " & strResetAuthorization & ". Exiting script."
wscript.quit
End If
'get force switch - force computer to delete WSUS ID keys again?
ElseIf InStr(1,LCase(objargs(I)),"force:") Then
arrForce = split(lcase(objargs(I)),"force:")
strForceReset = arrForce(1)

'If we get an invalid switch defined, catch it here.
if instr("true yes false no",lcase(strForceReset)) = 0 then
msgbox "You have used an invalid switch for the 'force' option. Use 'true|yes'. Now exiting."
wscript.quit
End If

if iDebug = 1 then msgbox "Force Reset Authorization: " & strForceReset

Else

End If
Next
End If
l.WriteLine "=========================================================="

l.WriteLine "[" & now & "] - Computer: " & strComputer
l.WriteLine "[" & now & "] - Reset: " & strResetAuthorization
if strForceReset <> "" then l.WriteLine "[" & now & "] - Force: " & strForceReset

'******************************************************************************
' Subroutine fctInput - Inputbox to prompt user for computername and
' choice to reset the authorization or not...
' Inputs - None
'******************************************************************************
Sub fctInput()
'input the computer name you wish to run against.
strComputer = InputBox("Type the name of the computer.","Input computer name")
If strComputer = "" Then wscript.quit
if iDebug = 1 then msgbox "Computername: " & strComputer

'do you want to reset authorization or run a 'detect now'?
strResetAuthorization = InputBox("Do you wish to delete the WSUS SIDs and reset '" & strComputer & "' authorization to the WSUS server?" & vbcrlf & vbcrlf & "Type 'yes' or 'no' then click 'OK'.","Reset computer's membership on the WSUS server?")

if strResetAuthorization = "" then strResetAuthorization = "no"

End Sub

'Set the registry keypath that we are going to work with
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate"
l.WriteLine "[" & now & "] - Working with " & strKeyPath & "..."

'Set the value name that we will use to create the registry marker
' (to determine if we've run the script before on this computer)
strValueName = "IDDeleted"
l.WriteLine "[" & now & "] - Checking for " & strValueName

on error resume next

set objWMIService = objLocator.ConnectServer(strComputer,"root\default")

If err.number <> 0 then
strMsg = "Unable to connect to " & strComputer & " via WMI. Please check the connection and try again."
msgbox strMsg,48,"Cannot connect"
l.WriteLine "[" & now & "] - " & strMsg
wscript.quit
End if

'We will need to use WMI to connect to the registry...
Set oReg = objWMIService.Get("StdRegProv")

If err.number <> 0 then
'if we cannot connect to the computer via WMI, show message, and then quit
' the script.
strMsg = "Could not connect to computer '" & strComputer & "'. Check to see if the computer is powered on or not behind a firewall."
Msgbox strMsg,48,"Could not connect to " & strComputer
l.WriteLine "[" & now & "] - " & strMsg
wscript.quit
End If
on error goto 0

'Check for registry marker to find out if we ran this script against the computer
' we specified in strComputer.
oReg.GetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strIDDeleted
'GetStringValue returns Null when the value does not exist; comparing with
' "= null" never evaluates to True in VBScript, so IsNull is used instead.
If IsNull(strIDDeleted) then
l.WriteLine "[" & now & "] - WSUS SID has not been previously deleted. Setting to 'no'."
sIDDeleted = "no"
Else
sIDDeleted = strIDDeleted
l.writeline "[" & now & "] - Current value of sIDDeleted: " & sIDDeleted
l.WriteLine "[" & now & "] - WSUS SID has been previously deleted."
End if

'To be sure the values are only deleted once, test on the marker: the IDs are
' deleted only when a reset was requested and either the marker is absent or
' 'force:true' was given. Otherwise just run the wuauclt pass.
blnReset = (lcase(strResetAuthorization) = "true" or lcase(strResetAuthorization) = "yes")
blnForce = (lcase(strForceReset) = "true" or lcase(strForceReset) = "yes")
If blnReset = False or (strIDDeleted = "yes" and blnForce = False) then
l.writeline "[" & now & "] - Running wuauclt detect process"
Call RunWUAUCLT()

Else

on error resume next

'Delete values - if debug = 1 (set in the beginning of the script), then show
' a messagebox for every delete.
If iDebug = 1 then msgbox "Deleting " & strKeyPath & "\AccountDomainSid"

l.WriteLine "[" & now & "] - Removing " & strKeyPath & "\AccountDomainSid"

oReg.DeleteValue HKEY_LOCAL_MACHINE, strKeyPath,"AccountDomainSid"

if iDebug = 1 then msgbox "Deleting " & strKeyPath & "\PingID"

l.WriteLine "[" & now & "] - Removing " & strKeyPath & "\PingID"

oReg.DeleteValue HKEY_LOCAL_MACHINE, strKeyPath,"PingID"

if iDebug = 1 then msgbox "Deleting " & strKeyPath & "\SusClientId"

l.WriteLine "[" & now & "] - Removing " & strKeyPath & "\SusClientId"

oReg.DeleteValue HKEY_LOCAL_MACHINE, strKeyPath,"SusClientId"

'Run remote wuauclt process on strComputer.
Call RunWUAUCLT()

if iDebug = 1 then msgbox "Creating regkey marker: HKLM\" & strkeyPath & "\" & strValueName

On error resume next
'Create registry marker
oreg.SetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,"yes"

If err.number <> 0 then
'If we can't create the registry marker, show messagebox and then quit the
' script.
Msgbox "Could not make registry change to computer '" & strComputer & "'. Check to see if the computer is behind a firewall, or if remote registry permissions have been disabled.",48,"Could not connect to " & strComputer
wscript.quit
End If
On Error goto 0

End If

l.writeline "[" & now & "] - Script completed. Check WSUS console for updated entry for " & strComputer & "."
l.close

'******************************************************************************
' Function RunWUAUCLT - function to execute wuauclt.exe
' Inputs - None
'******************************************************************************
Function RunWUAUCLT()
l.WriteLine "[" & now & "] - Attempting to stop wuauserv service..."

sCmd = chr(34) & "net.exe" & chr(34) & " stop wuauserv"

if iDebug = 1 then msgbox "Running command on '" & strComputer & "': " & sCmd

'Stop the Automatic updates service
Call RunProcess(sCmd,strComputer)

if iDebug = 1 then msgbox "Sleeping for 2 seconds...(after you click 'OK')"

'Pause for 2 seconds
wscript.sleep 2000

l.WriteLine "[" & now & "] - Attempting to start wuauserv service..."

sCmd = chr(34) & "net.exe" & chr(34) & " start wuauserv"

if iDebug = 1 then msgbox "Running command on '" & strComputer & "': " & sCmd

'Start the Automatic updates service
Call RunProcess(sCmd,strComputer)

'Reset the client's authorization only when the caller asked for it (reset:true|yes);
' a plain 'computer:' run performs a detection pass only, as described in the usage.
If lcase(strResetAuthorization) = "true" or lcase(strResetAuthorization) = "yes" Then

sCmd = "wuauclt.exe /resetauthorization /detectnow"

l.WriteLine "[" & now & "] - Running " & sCmd & " on " & strComputer

if iDebug = 1 then msgbox "Running command on '" & strComputer & "': " & sCmd

'Run wuauclt.exe with resetauthorization
Call RunProcess(sCmd,strComputer)
Else
sCmd = "wuauclt.exe /detectnow"

l.WriteLine "[" & now & "] - Running " & sCmd & " on " & strComputer

if iDebug = 1 then msgbox "Running command on '" & strComputer & "': " & sCmd

'Run wuauclt.exe with detectnow only
Call RunProcess(sCmd,strComputer)

End If
End Function

'******************************************************************************
' Function RunProcess
' Inputs -
' strCommand: command-line you wish to run on strComputer
' strComputer: computername you wish to run the command on
'******************************************************************************
Function RunProcess(strCommand,strComputer)
On Error resume next

strArgs = " "
StrExeName = strCommand

'I hard-coded this in (I was lazy) - but you may need to change this
' if your root drive is 'R:\', etc.
strCurrentDir = "C:\"

Set objService = objLocator.ConnectServer(strComputer,"root/cimv2")
Set objProcess = objService.Get("WIN32_Process")
'Spawn an instance of Win32_ProcessStartup to carry the startup settings
' that are passed to Win32_Process.Create.
Set objProcessStartup = objService.Get("Win32_ProcessStartup").SpawnInstance_

objProcessStartup.PriorityClass = 128
objProcessStartup.ShowWindow = 1

Set objMethod = objProcess.Methods_("Create")
Set objInParameters = objMethod.inParameters.SpawnInstance_()

objInParameters.CommandLine = strExeName & strArgs
objInParameters.CurrentDirectory = strCurrentDir

Set objInParameters.ProcessStartupInformation = objProcessStartup
Set objOutParameters = objProcess.ExecMethod_("Create", objInParameters)

If objOutParameters.returnValue = 0 Then
strPID = objOutParameters.ProcessID
Else

End If

dim errDescription

If objOutParameters.returnValue = 0 Then errdescription = "Successfully created process on " & strComputer & " with PID: " & strPID
If objOutParameters.returnValue = 2 Then errdescription = "Access denied"
If objOutParameters.returnValue = 3 Then errdescription = "Insufficient privileges to create a process on " & strComputer
If objOutParameters.returnValue = 9 Then errdescription = "Path not found for " & strCommand & " on " & strComputer

If iDebug = 1 then msgbox errdescription
l.WriteLine "[" & now & "] - Process '" & strCommand & "' result:" & errdescription

End Function


Copy and paste the above VB script and run it on the client computer.

Your PC will get listed on WSUS for sure; I have tested it and it worked.

Thanks
NEO
 