RGRodgers
asked on
win7 won't register in win2k3 dc server dns
I have a dual win2k3 dc server configuration running dns and dhcp for my network. Everything seems to be working except that win7 will not register in dns. My xp machines that also use dhcp register just fine.
I can access servers, shares and printers using win7. I just can't access my win7 machine by name across the network because the dns entry is missing.
OBTW, the reverse lookup is actually updated! It's only the forward lookup that is missing.
IPv6 is disabled. The win7 nics are configured to register in dns the same way the xp machines are configured. Issuing start \\servername to the dns server works just fine so credentials are good. Event logs show no issues on either win7 or dns.
Help? Thanks...RG
Try this
http://social.technet.microsoft.com/Forums/nl/winservergen/thread/0759595a-ee04-409b-9836-427ee54cbf32
I suggest we try the following 3 suggestions to troubleshoot this issue. (Please check if it worked after using each method.)
1. uninstall IPv6 from the NIC
To uninstall use the following command
netsh interface ipv6 uninstall
We need to reboot after this.
2. Re-register DNS record
Stop the DNS service.
Open "%systemroot%\System32\Config" folder, delete Netlogon.dns file.
Restart the DNS service.
Run "net stop netlogon" and "net start netlogon" to register again. If necessary, please restart the server.
3. modify register
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient
Name: UpdateTopLevelDomainZones
Data Type: REG_DWORD
Value: 0x1
IMPORTANT- If the DNSClient key does not exist you must create it using the following method.
1) Right click on "Windows NT" and select "New Key"
2) Name the new Key "DNSClient".
Once done proceed to add the "UpdateTopLevelDomainZones" reg entry with the correlating value of "1"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters
Name: AllowSingleLabelDnsDomain
Data Type: REG_DWORD
Value: 0x1
After that, please try to run netdiag and check if the errors continue.
ASKER
I meant to mention that none of the clients are domain members.
ASKER
For btpringle: Actually, my problem is the reverse. I get PTR records but no A records.
Is the server configured to allow "unsecure updates"?
ASKER
The server does not permit unsecure updates. However, XP works and Win7 doesn't so I'm not sure how that applies. Also, neither the forward nor the reverse zones permit unsecured updates.
Number-1, I made your changes and booted with no effect. There was no netlogon.dns file. I had to add both keys and values. And, netdiag did find an old artifact of a dns server that had been removed. I corrected that and rebooted again to no effect.
Thanks...RG
ASKER
One more note, IPv6 would not uninstall. The netsh command doesn't support interface and the GUI doesn't permit uninstall. It is disabled but not uninstalled.
From researching this it appears that Vista and higher will only get added if the server supports unsecure updates.
ASKER
Okay, wait a minute. I might have gotten confused on that series of updates Number-1 requested.
The servers do not have IPv6. It is on Win7. So, I did all the changes on Win7.
Were some of them supposed to be done on the server?
Thanks...RG
Check the IP settings on the workstation. There is supposed to be an option for automatically adding the computer info to dns.
ASKER
Okay, ran all the updates on both servers and rebooted then rebooted win7 with no effect.
Yes, the IP settings request dns registration in win7 the same as xp.
Thanks...RG
ASKER
btpringle can you provide a URL regarding your research on unsecure updates above Vista?
If this is the case, I wonder why the PTR records are getting updated when the A records are not...
Thanks...RG
ASKER
Allowing unsecure updates did allow the win7 machine to register in dns. I am not happy with this as a solution, of course. Seems like a hole someone could drive a Mack truck through.
If I can find references regarding this, it'd help. Right now, I am leaving this open.
Thanks...RG
ASKER
Here is an appropriate article. It is lengthy so I'll have to read it in the morning. But, I read enough to know it applies and even explains why there is a difference in PTR records and A records as DHCP registers the PTR records but the client can request DHCP to permit the client to register the A records so the client has ownership. I don't know if it can help explain how to secure updates, but I believe it may. In any case, recognizing that unsecured updates are working certainly narrows the search. Thanks...RG
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/989e0771-1d6f-4711-bfce-f082ce77b5d9/
ASKER
Interesting information. I checked the ownership of the win7 A record and it is SYSTEM. I checked the ownership of an xp A record and it was the computer account. That difference is obviously at issue. The win7 computer account is not listed under security permissions at all. The xp computer account is specifically listed with full control. Haven't solved this.
Also, that reference suggested resetting dns domain security to default. Mine were very corrupted. Setting it to default cleared that up, but I still need to permit unsecured updates and they are still owned by SYSTEM.
Until tomorrow. So long and thanks for all the fish...RG
http://www.petri.co.il/forums/showthread.php?t=31307
http://www.winvistatips.com/re-authorizing-non-domain-computer-access-dns-t802665.html
http://www.techtalkz.com/windows-server-2003/442568-update-2003-dns-non-domain-member-clients.html
http://www.tek-tips.com/viewthread.cfm?qid=1436181
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/155c3baa-db75-4de5-84e9-24850c5bdb42/
http://social.technet.microsoft.com/Forums/en-US/w7itpronetworking/thread/7f4e21d6-cffb-4519-80dd-12cecaa880ff/
ASKER
Working on this today, I changed a Default Domain Controller GPO. After the change, one of the DC's could no longer edit any GPO using the standard dcpol.msc through Administrator Tools. I spent most of the day correcting that problem, figuring that one of my edits caused the problems which wasn't the case.
Don't you just hate it when you change something then it breaks only to find out your change had NOTHING at all to do with it?
Strangely enough, the fix was to ensure that the two NICs had the correct priority where the Public NIC was ahead of the Private NIC which only talks to the other DC...
http://edwinfriesen.nl/content/?p=732
Oh, I checked to ensure that this fix didn't actually correct the problem I am chasing. It doesn't...
On to the real problem. Thanks...RG
You have 2 NIC's on your DC's??
ASKER
I do. They share a private network, just between the two of them, to support storage communication.
ASKER
Okay, btpringle, you led me to the resolution of the problem through:
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/155c3baa-db75-4de5-84e9-24850c5bdb42/
The key is not to permit nonsecure updates, though. It is to set DHCP up to Always update A and PTR records and make sure it has appropriate credentials to permit those updates.
I'll give you the points if you respond to this because I don't want to accept your previous answer since it is misleading. Okay? Thanks...RG
ASKER
For non-domain computers, set up DHCP to update both A and PTR records in DNS.
Oddly enough, I actually encountered this problem today...
For anyone who is trying to figure this out in the future, here are the steps.
1. Open DHCP on the server
2. Expand DHCP | server.domain | IPv4
3. Right-click on IPv4 and select "Properties".
4. Select the "DNS" tab at the top of the window.
Make sure that the following are selected:
-- Enable DNS dynamic updates according to the settings below:
-- Always dynamically update DNS A and PTR records
-- Discard A and PTR records when lease is deleted
-- Dynamically update DNS A and PTR records for DHCP clients that do not request updates. (Only if there are older clients)
ASKER
Yes, but you also have to make sure you have valid credentials in the same dialog as I mentioned. Thanks...RG
http://social.technet.microsoft.com/Forums/en/w7itpronetworking/thread/3a1c9334-54ba-4845-b7c0-ef8ce5454276
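The DHCP settings and credentials described in the last posts, as command-line equivalents run on the DHCP/DNS server, with the zone kept on secure-only updates. This is an added example, not part of the original thread; the zone name `example.local`, the account `svc-dhcpdns`, the domain `EXAMPLE` and the password placeholder are assumptions.

```bat
@echo off
rem Added example. All names below are placeholders (assumptions),
rem not values taken from the thread.
set ZONE=example.local
set DDNS_USER=svc-dhcpdns
set DDNS_DOMAIN=EXAMPLE

rem 1. Keep the forward zone on secure-only dynamic updates.
rem    AllowUpdate: 0 = none, 1 = nonsecure and secure, 2 = secure only.
rem    Secure-only requires an Active Directory-integrated zone.
dnscmd /Config %ZONE% /AllowUpdate 2

rem 2. Let DHCP register records on behalf of its clients.
rem    Positional arguments are Enable, Update, Lookup, NonDyn:
rem      Enable=1  DNS dynamic updates on
rem      Update=1  always update A and PTR (not only when the client asks)
rem      Lookup=1  discard A and PTR records when the lease is deleted
rem      NonDyn=0  set to 1 only if older clients never request updates
netsh dhcp server set dnsconfig 1 1 1 0

rem 3. Credentials DHCP presents when it performs the secure update.
rem    Use a dedicated, ordinary domain user account for this.
netsh dhcp server set dnscredentials %DDNS_USER% %DDNS_DOMAIN% REPLACE_WITH_PASSWORD

rem 4. Verify what is now configured.
netsh dhcp server show dnsconfig
netsh dhcp server show dnscredentials
dnscmd /ZoneInfo %ZONE% AllowUpdate
```

With two DHCP servers, as in this thread, configure the same account on both so that records registered by one server can be updated by the other.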