DNS Hell

matt_B_2008
Hi all,

Have had lots of problems with DNS recently but still not getting to the bottom of it. I have a 2008 DC running DNS and DHCP. Problem is my client picks up a valid DHCP address but does not update DNS. Strangely, from the DC I can ping the host but nslookup fails. When I look in DNS there is no record in the forward lookup zone for my domain?

Any ideas?
Has someone unchecked the option to update DNS on the Windows clients? That would be my first guess. The option is in the TCP/IP settings for the network card, in the DNS tab once you click Advanced.
bluntTony, Head of ICT
Top Expert 2009

Commented:
You can ping because name resolution is failing over to NetBIOS, whereas nslookup exclusively queries the DNS server.
Also check your DHCP server - properties of the scope, DNS tab - what option is selected in here?

Author

Commented:
Here are the DHCP properties:
dhcp.bmp

Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

The DHCP server has a set of log files here:

%SystemRoot%\System32\DHCP

See if you have notes of the update failing there?

It is also very important that you verify the TCP/IP settings on the DHCP server. For instance, if you're using a third-party DNS server in TCP/IP configuration the update is quite likely to fail. Systems must only ever list DNS servers that are able to respond for the AD domain.

Finally, if you have configured credentials to perform the updates in DHCP, check the account. If it's disabled or locked out or expired the updates won't be working too well.

Chris
If your DNS zone is only configured for secure updates, client machines that either are not on the domain or have yet to update an expired machine certificate will not be able to register their IP.

Cheers,
Juice
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

If DHCP is updating according to the settings above then the client settings have no relevance. DHCP prohibits the client from performing updates directly.

Chris

Author

Commented:
Anyone help with this?

Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

What do the log files say about the update?

And can you confirm / verify your TCP/IP settings on the server? If it, for example, uses a DNS server that can not answer for your internal domain the update in DNS will fail.

Chris

Author

Commented:
Do you mean the %SystemRoot%\System32\DHCP log?

Here's an example of the log from today.

1,11/10/09,11:02:50,DNS Update Failed,172.16.2.182,l000508DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.182,l000508DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.183,l000813DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.183,l000813DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.184,d000277DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.184,d000277DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.185,L000507DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.185,L000507DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.186,d000462DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.186,d000462DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.187,L000689DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.187,L000689DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.188,l000777DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.188,l000777DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.189,L000653DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.189,L000653DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.190,l000623DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.190,l000623DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.191,l000793DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.191,l000793DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.192,l000480DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.192,l000480DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.193,D000743DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.193,D000743DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.194,l000547DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.194,l000547DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.195,l001026DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.195,l001026DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.196,L000747DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.196,L000747DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.197,l001025DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.197,l001025DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.198,apolloDOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.198,apolloDOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.199,D000712DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.199,D000712DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.200,L000895DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.200,L000895DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.201,D000276DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.201,D000276DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.202,d000573DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.202,d000573DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.203,l000623DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.203,l000623DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.204,D000713DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.204,D000713DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.206,d000280DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.206,d000280DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.207,L000431.westlea.org.uk,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.207,L000431.westlea.org.uk,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.208,l000682DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.208,l000682DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.209,L000716DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.209,L000716DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.210,L000715DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.210,L000715DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.211,L000431.westlea.org.uk,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.211,L000431.westlea.org.uk,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.212,L000683DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.212,L000683DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.213,L000897DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.213,L000897DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.214,laptop559DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.214,laptop559DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.215,l000690DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.215,l000690DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.216,l000805DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.216,l000805DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.217,D000756DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.217,D000756DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.219,d000404DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.219,d000404DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.222,l000959DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.222,l000959DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.226,d000761DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.226,d000761DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.227,l000947DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.227,l000947DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.228,d000494DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.228,d000494DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.230,D000714DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.230,D000714DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.232,l000809DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.232,l000809DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.235,d000309DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.235,d000309DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.236,d000394DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.236,d000394DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.238,D000745DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.238,D000745DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.243,d000733DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.243,d000733DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.247,l000837DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.247,l000837DOMAIN,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.3.1,l000912DOMAIN,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.3.1,l000912DOMAIN,,,0,6,,,
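The audit log above is the record Chris asked for: each client gets a "DNS Update Request" (event 30) followed by either "DNS Update Failed" (31) or "DNS Update Successful" (32). Reading hundreds of such pairs by eye is error-prone, so here is an added example (not code from the thread or from Microsoft) that parses the comma-separated data rows, tallies requests, failures and successes per host, and flags any host whose registered name does not end in the AD domain suffix, since such an update is aimed at whatever zone is authoritative for that other suffix rather than the domain zone. The column layout is assumed to be the Windows Server 2008 one (ID, Date, Time, Description, IP Address, Host Name, MAC Address, User Name, TransactionID, QResult, Probationtime, CorrelationID, Dhcid); the sample log, the domain corp.example and the host names are constructed placeholders modelled on the lines posted above.

```python
import csv
import io

# Event IDs the Windows DHCP audit log (DhcpSrvLog-*.log under
# %SystemRoot%\System32\DHCP) uses for DNS dynamic-update activity.
DNS_UPDATE_REQUEST = 30
DNS_UPDATE_FAILED = 31
DNS_UPDATE_SUCCESSFUL = 32

# Column layout assumed for the Server 2008 audit log; the real file names
# these columns in a header line that follows a free-text preamble.
COLUMNS = ["id", "date", "time", "description", "ip", "host", "mac", "user",
           "transaction_id", "qresult", "probation", "correlation_id", "dhcid"]

# Constructed sample modelled on the lines posted in the thread. Names and
# addresses are placeholders, not data from a real server.
SAMPLE_LOG = """\
\t\tMicrosoft DHCP Service Activity Log (constructed preamble)

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcid.
30,11/10/09,11:02:50,DNS Update Request,172.16.2.182,l000508.corp.example,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.182,l000508.corp.example,,,0,6,,,
30,11/10/09,11:02:50,DNS Update Request,172.16.2.207,L000431.westlea.org.uk,,,0,6,,,
31,11/10/09,11:02:50,DNS Update Failed,172.16.2.207,L000431.westlea.org.uk,,,0,6,,,
30,11/10/09,11:03:12,DNS Update Request,172.16.0.55,d000101.corp.example,,,0,6,,,
32,11/10/09,11:03:12,DNS Update Successful,172.16.0.55,d000101.corp.example,,,0,6,,,
"""


def parse_dhcp_log(text):
    """Return the data rows of a DHCP audit log as dicts keyed by COLUMNS."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        # Skip the preamble, the header line and blank lines: data rows start
        # with a numeric event ID and carry at least the host-name column.
        if len(row) < 6 or not row[0].strip().isdigit():
            continue
        row = [field.strip() for field in row] + [""] * (len(COLUMNS) - len(row))
        rec = dict(zip(COLUMNS, row[:len(COLUMNS)]))
        rec["id"] = int(rec["id"])
        events.append(rec)
    return events


def summarize_dns_updates(events, expected_suffix):
    """Per-host tally of DNS update requests, failures and successes.

    suffix_ok is False when the name DHCP tried to register does not end in
    the AD domain suffix, so the update is not even aimed at the domain zone.
    """
    suffix = "." + expected_suffix.lower().strip(".")
    summary = {}
    for e in events:
        if e["id"] not in (DNS_UPDATE_REQUEST, DNS_UPDATE_FAILED, DNS_UPDATE_SUCCESSFUL):
            continue
        entry = summary.setdefault(e["host"], {
            "ip": e["ip"], "requests": 0, "failed": 0, "succeeded": 0,
            "suffix_ok": e["host"].lower().endswith(suffix),
        })
        if e["id"] == DNS_UPDATE_REQUEST:
            entry["requests"] += 1
        elif e["id"] == DNS_UPDATE_FAILED:
            entry["failed"] += 1
        else:
            entry["succeeded"] += 1
    return summary


def failing_hosts(summary):
    """Hosts that failed at least once and never registered successfully."""
    return sorted((host for host, s in summary.items()
                   if s["failed"] and not s["succeeded"]), key=str.lower)


if __name__ == "__main__":
    summary = summarize_dns_updates(parse_dhcp_log(SAMPLE_LOG), "corp.example")
    for host, s in summary.items():
        flag = "" if s["suffix_ok"] else "  <- name outside corp.example"
        print(f"{host:28} {s['ip']:15} req={s['requests']} "
              f"fail={s['failed']} ok={s['succeeded']}{flag}")
    print("never registered:", ", ".join(failing_hosts(summary)))
```

Run it against a real DhcpSrvLog file by reading the file into parse_dhcp_log in place of SAMPLE_LOG; a host that appears only in the "never registered" list, or that carries the suffix flag, is the one to trace back to its TCP/IP settings and primary DNS suffix.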
Matt, can you please expand on your earlier statement:

"When i look in DNS there is no record in the forward lookup zone for my domain? "

Also, please verify that your DNS scope options have the appropriate server listed for the DNS server.

Cheers,
Juice
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

Okay, so they are failing.

TCP/IP configuration? "ipconfig /all" would be nice to see.

Chris

Author

Commented:
I could resolve a host using nslookup but I couldn't see any record of the host in the domain's forward lookup zone, which seemed very strange.

DNS.JPG

Author

Commented:
172.16.0.120 is itself. The other 2 are DCs on other sites

Matt, are all three of these servers AD servers for your domain?
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

That's the server's settings? Are all of the DNS servers listed there configured to answer for your own domain?

It is vital that they can, the DHCP server will use the DNS servers it is configured with to find out where to send updates for your domain. If it can't find where to send the updates you will see the failures above.

Chris
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

Okay, sorry, was a bit slow typing that :)

Can you open the properties for your Forward Lookup Zone and verify that Dynamic Updates is enabled (either Secure, or Secure and Non-Secure)?

Chris
When you issue the nslookup command, which server is it connecting to (should be 172.16.0.120 according to your pic), and when you look in your forward lookup zone in DNS, are you looking at that specific server? If your zone is AD-integrated on all controllers (which it should be), and you are not seeing the same records, you may have an AD replication issue.

I would run DCDIAG and NETDIAG from all three of your DCs to check for issues.

Hope this helps,
Juice
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

Can you also run this on your DHCP server?

nslookup -q=soa yourdomain.com

The DHCP server will be sending update requests to the server returned in the command above. If it is unreachable, or incorrect, the update will fail.

Chris

Author

Commented:
That's the server's settings? Are all of the DNS servers listed there configured to answer for your own domain? It is vital that they can, the DHCP server will use the DNS servers it is configured with to find out where to send updates for your domain. If it can't find where to send the updates you will see the failures above.

That's a lot of info! There is a DC at each site that is set up to replicate changes to each other. Each DC has its own DHCP scope.
Each site is connected by a VPN so they can all talk with each other.

Author

Commented:
juicebigeloh:Matt, are all three of these server AD servers for your domain?

Yes they are

Author

Commented:
Can you open the properties for your Forward Lookup Zone and verify that Dynamic Updates is enabled (either Secure, or Secure and Non-Secure)?

It is set to secure only.

Author

Commented:
Have run DCDIAG on the server, shows no errors at all.
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

One more to add in addition to checking the SOA record the DHCP server finds...

Credentials: by default DHCP updates using the server's computer account, however, alternate credentials can also be configured. If they have been set and the account has since changed (disabled, deleted, password changed, etc.) we will run into trouble updating. To check it:

1. Open the DHCP Console
2. Right click on the Server and select Properties
3. Select Advanced
4. Select Credentials and see if an account has been configured

Chris

Author

Commented:
C:\Users\mb12>nslookup -q=soa DOMAIN
Server:  
Address:  172.16.0.120

greensquare.local
        primary name server = correct server
        responsible mail addr = hostmaster.domain
        serial  = 79830
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)
server domain       internet address = 172.16.0.120

Author

Commented:
One more to add in addition to checking the SOA record the DHCP server finds...

Credentials: by default DHCP updates using the server's computer account, however, alternate credentials can also be configured. If they have been set and the account has since changed (disabled, deleted, password changed, etc.) we will run into trouble updating. To check it:

1. Open the DHCP Console
2. Right click on the Server and select Properties
3. Select Advanced
4. Select Credentials and see if an account has been configured

Check!

Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

It has been configured to use an account? If so, check / reset the password there.

Chris

Author

Commented:
Yes, I configured it to use a specific account that I know is valid.
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

If you've only just done that we will have to check and see if it begins updating correctly.

If not, we might check that the account has permission to create records in the forward lookup zone.

1. Open the DNS Console
2. Expand Forward Lookup Zones
3. Right Click on your Forward Lookup Zone and open Properties
4. Select Security
5. Verify that "Authenticated Users" has "Create all child objects" ticked

Chris

Author

Commented:
Yes, have done this: "Authenticated Users" has "Create all child objects" ticked.

From what I can tell it seems to be machines that are newly built that have the issue. For example I have just built and added a WinXP machine to the domain; it has picked up a valid DHCP address but yet there is no sign of it in DNS. As you can see I can ping it but cannot do an nslookup:

Server:  server - domain
Address:  172.16.0.120

***server - domain can't find d000469:

C:\Users\mb12>ping d000469

Pinging d000469 [172.16.2.78] with 32 bytes of dat
Reply from 172.16.2.78: bytes=32 time<1ms TTL=128
Reply from 172.16.2.78: bytes=32 time<1ms TTL=128
Reply from 172.16.2.78: bytes=32 time<1ms TTL=128
Reply from 172.16.2.78: bytes=32 time<1ms TTL=128
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

The Ping response you have indicates it is resolving the name via NetBIOS, so Broadcast or WINS based name resolution. It explains the difference in results between nslookup and ping.

Can you check the Primary DNS Suffix of the newly built machine with "ipconfig /all"?

Chris

Author

Commented:
Yep, it's correct. 172.16.0.120

I'm going to force a registerdns, which has worked in the past.
Problem was with the reverse DNS scope being incorrect. It was set to 0.16.172; the scope is set to go up to 172.16.2.254. Strangely, when it tried to create the reverse lookup entry it couldn't, so it wouldn't allow the forward lookup either.
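The root cause Matt found is a coverage gap: the only reverse zone was 0.16.172.in-addr.arpa, which covers 172.16.0.0/24, while the DHCP scope handed out addresses up to 172.16.2.254. That mismatch is easy to check mechanically before it shows up as failed updates. The following is an added example (not from the thread or from Microsoft) that maps each classful in-addr.arpa zone name to the network it covers and then walks a DHCP scope's address range, reporting the contiguous runs of addresses that no reverse zone covers. The scope start 172.16.0.100 and the zone list in the usage are constructed placeholders; the only values taken from the thread are the 0.16.172 zone and the 172.16.2.254 scope end. Classless (RFC 2317) reverse zones are deliberately rejected rather than guessed at.

```python
import ipaddress


def reverse_zone_network(zone):
    """Map a classful in-addr.arpa zone name to the IPv4 network it covers.

    "0.16.172.in-addr.arpa" -> 172.16.0.0/24, "16.172.in-addr.arpa" -> 172.16.0.0/16.
    """
    name = zone.lower().rstrip(".")
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        raise ValueError(f"not an IPv4 reverse zone: {zone!r}")
    octets = name[: -len(suffix)].split(".")
    # One to three numeric labels: /8, /16 or /24. Anything else (e.g. an
    # RFC 2317 classless zone like 0-127.2.16.172.in-addr.arpa) is not handled.
    if not 1 <= len(octets) <= 3 or not all(o.isdigit() for o in octets):
        raise ValueError(f"unsupported reverse zone name: {zone!r}")
    forward = list(reversed(octets)) + ["0"] * (4 - len(octets))
    return ipaddress.IPv4Network(".".join(forward) + f"/{8 * len(octets)}")


def reverse_zone_gaps(scope_start, scope_end, zones):
    """Return (first, last) address pairs inside the scope that no zone covers.

    Every address in the scope is tested against every zone's network, so a
    /16 zone covers all the /24s beneath it and a single /24 zone covers only
    its own block.
    """
    nets = [reverse_zone_network(z) for z in zones]
    first = int(ipaddress.IPv4Address(scope_start))
    last = int(ipaddress.IPv4Address(scope_end))
    gaps, run_start = [], None
    for n in range(first, last + 1):
        ip = ipaddress.IPv4Address(n)
        if any(ip in net for net in nets):
            if run_start is not None:          # a gap just ended
                gaps.append((str(run_start), str(ipaddress.IPv4Address(n - 1))))
                run_start = None
        elif run_start is None:                # a gap just started
            run_start = ip
    if run_start is not None:                  # gap runs to the end of the scope
        gaps.append((str(run_start), str(ipaddress.IPv4Address(last))))
    return gaps


if __name__ == "__main__":
    # Constructed scenario: the thread's single 0.16.172 zone against a scope
    # that reaches 172.16.2.254 (the 172.16.0.100 start is a placeholder).
    scope = ("172.16.0.100", "172.16.2.254")
    before = ["0.16.172.in-addr.arpa"]
    after = ["0.16.172.in-addr.arpa", "1.16.172.in-addr.arpa", "2.16.172.in-addr.arpa"]
    print("uncovered with only 0.16.172:", reverse_zone_gaps(*scope, before))
    print("uncovered with per-/24 zones:", reverse_zone_gaps(*scope, after))
    print("uncovered with a single /16 zone:",
          reverse_zone_gaps(*scope, ["16.172.in-addr.arpa"]))
```

The gaps reported are exactly the leases for which a PTR registration has nowhere to go; fixing them means adding the missing per-/24 zones or replacing them with one 16.172.in-addr.arpa zone covering the whole range.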
