Aaron Street
asked on
DHCP DNS dynamic updates
Hi,
Where is the best place to look to see why a DHCP server is failing to update DNS records?
The DHCP server is set to update everything.
It is a member of the DNSproxy groups.
The DNS proxy group is in the security settings for the forward and reverse zones.
The DHCP server has an AD account associated with the DHCP update service for the subnet in question.
The DNS server is set to accept secure and non-secure updates.
Sometimes (like one in 100 times) I see a "successful" reported in the DHCP logs in the DHCP server
32,03/07/16,06:42:23,DNS Update Successful,172.20.0.12,Aarons-Desktop.iahtest.ac.uk,,,0,6,,,,,,,,
but most times I see
31,03/08/16,12:11:31,DNS Update Failed,172.20.0.12,Aarons-Desktop.iahtest.ac.uk,,,0,6,,,,,,,,
30,03/08/16,12:11:31,DNS Update Request,172.20.0.12,Aarons-Desktop.iahtest.ac.uk,,,0,6,,,,,,,,
What I can't find is the logs showing me why this is happening. I want a log that says "update failed due to security/could not find DNS server/etc."
Any thoughts?
aaron
ASKER
OK, so I have an empty forwarding zone and reverse zone, and both services have been reset (separate servers).
No event logs and no meaningful logs in the DHCP log folder.
Try turning on DNS logging in the DNS console. This writes all DNS requests to a file so you can check the DHCP server is making the requests and you can see the responses etc. It may point you in the right direction.
ASKER
Hi,
So this is what I see in the logs of the DHCP and DNS servers
DNS
28/03/2016 23:32:10 0D68 PACKET 000000000291F460 UDP Rcv xxx.xxx.224.45 988b U [0028 NOERROR] SOA (3)test(2)ac(2)uk(0)
UDP question info at 000000000291F460
Socket = 332
Remote addr xxx.xxx.224.45, port 60979
Time Query=1687101, Queued=0, Expire=0
Buf length = 0x0fa0 (4000)
Msg length = 0x003e (62)
Message:
XID 0x988b
Flags 0x2800
QR 0 (QUESTION)
OPCODE 5 (UPDATE)
AA 0
TC 0
RD 0
RA 0
Z 0
CD 0
AD 0
RCODE 0 (NOERROR)
ZCOUNT 1
PRECOUNT 0
UPCOUNT 1
ARCOUNT 0
ZONE SECTION:
Offset = 0x000c, RR count = 0
Name "(3)test(2)ac(2)uk(0)"
ZTYPE SOA (6)
ZCLASS 1
PREREQUISITE SECTION:
empty
UPDATE SECTION:
Offset = 0x001b, RR count = 0
Name "(9)FE22B(3)test(2)ac(2)uk(0)"
TYPE A (1)
CLASS 254
TTL 0
DLEN 4
DATA xx.xx.253.143
ADDITIONAL SECTION:
empty
so all seems to say "no Error"
but on the dhcp server
31,03/28/16,00:23:30,DNS Update Failed,xxx.xxx.253.143,DP1-FE22B.iah.ac.uk,,,0,6,,,,,,,,
30,03/28/16,00:23:30,DNS Update Request,xxx.xxx.253.143,DP1-FE22B.iah.ac.uk,,,0,6,,,,,,,,
So what's going on? The record is not created on the DNS server, that is all I know.
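The packet quoted above is the update request as the DNS server received it (Rcv, QR 0), and RCODE is only meaningful in the response, so the server's verdict is the RCODE on the Snd line that carries the same XID back to the same peer. The following is an added example, not part of the original thread, that pairs the two from debug-log summary lines. The sample lines, addresses and zone are constructed, and the layout of the Snd line (an R before the opcode letter) is an assumption about the log format.

```python
import re

# Summary line of a Windows DNS debug log entry, fields in the order seen above.
# Assumption: "R" before the opcode letter marks a response; a request has none.
LINE = re.compile(
    r"PACKET\s+\S+\s+(?:UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<peer>\S+)\s+"
    r"(?P<xid>[0-9a-fA-F]{4})\s+(?P<resp>R\s+)?(?P<op>[QNU?])\s+"
    r"\[[0-9a-fA-F]{4}\s+(?:[ATDR]+\s+)?(?P<rcode>[A-Z]+)\]\s+"
    r"\S+\s+(?P<name>\(\S+)"
)

# Constructed sample: three UPDATE requests from two DHCP servers, one unanswered.
SAMPLE = """\
28/03/2016 23:32:10 0D68 PACKET 000000000291F460 UDP Rcv 192.0.2.45 988b   U [0028       NOERROR] SOA    (7)example(4)test(0)
28/03/2016 23:32:10 0D68 PACKET 000000000291F460 UDP Snd 192.0.2.45 988b R U [05a8       REFUSED] SOA    (7)example(4)test(0)
28/03/2016 23:32:11 0D68 PACKET 0000000002A1B2C0 UDP Rcv 192.0.2.45 988c   U [0028       NOERROR] SOA    (7)example(4)test(0)
28/03/2016 23:32:11 0D68 PACKET 0000000002A1B2C0 UDP Snd 192.0.2.45 988c R U [00a8       NOERROR] SOA    (7)example(4)test(0)
28/03/2016 23:32:12 0D68 PACKET 0000000002C3D4E0 UDP Rcv 192.0.2.120 1a2b   U [0028       NOERROR] SOA    (7)example(4)test(0)
""".splitlines()


def dns_name(raw):
    """Turn the log's length-prefixed form '(3)test(2)ac(2)uk(0)' into 'test.ac.uk'."""
    return ".".join(lbl for _, lbl in re.findall(r"\((\d+)\)([^()]*)", raw) if lbl)


def update_outcomes(lines):
    """Pair each received UPDATE with the response sent to the same peer and XID."""
    pending, results = {}, []
    for line in lines:
        m = LINE.search(line)
        if not m or m["op"] != "U":
            continue  # not a summary line, or not a dynamic update
        key = (m["peer"], m["xid"].lower())
        if m["dir"] == "Rcv" and not m["resp"]:
            pending[key] = dns_name(m["name"])  # zone named in the request
        elif m["dir"] == "Snd" and m["resp"] and key in pending:
            results.append((pending.pop(key), m["peer"], m["rcode"]))
    # Requests with no logged response: outgoing/response logging may be off.
    results += [(zone, peer, None) for (peer, _), zone in pending.items()]
    return results


if __name__ == "__main__":
    for zone, peer, rcode in update_outcomes(SAMPLE):
        print(f"{peer:<14} {zone:<14} {rcode or 'no response logged'}")
```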
Would it matter that the FQDN appears to be different?
DHCP log: DP1-FE22B.iah.ac.uk,,,0,6,,,,,,,,
DNS log: "(9)FE22B(3)test(2)ac(2)uk(0)"
(Ignore the numbers, they are effectively just the full stops.)
Anyway, what's the layout here please?
Are the DHCP, DNS and DC different servers, or all the same box? What IP have you got set as DNS server?
Have you specified credentials in DHCP for DNS update or have you set your DNS to accept 'unsecured' DNS updates?
ASKER
Hi,
Oops, that was me attempting to remove personal details; all of the FQDNs are iah.ac.uk, I missed it on the DHCP log.
So the setup is:
3 x DNS servers (also DCs) running on Windows 2008 server
2 x DHCP servers running on 2012 boxes
DNS servers have got IPs of .11, .12 and .13, and DHCP are .45 and .120 (all in the same subnet).
DNS has all zones (forward and reverse) set to allow secure updates.
DHCP servers have a domain admin account (this was purely for testing using DA) set in the dynamic update credentials.
As above, these updates are sometimes successful, and I will see the same entry sometimes work and sometimes fail.
ASKER
It does seem to fail more when there are lots of updates. I read about extending the queue but it already seemed to be done.
It seems very random; the same device I might see a number of times in the DHCP logs, sometimes working, sometimes not, but I don't see a pattern.
ASKER
I do see this on the DHCP server also
Title:
DHCP: A forward lookup zone should be configured for the DNS domain used to register DNS records for IPv4 clients.
Severity
Error
Date:
09/03/2016 17:24:17
Category:
Configuration
Problem:
A forward lookup zone has not been configured for the following domains (Domain Name, Server/Scope): iah.ac.uk Server ,
Impact:
Domain Name System (DNS) registration of A records for client computers will fail resulting in the inability to connect to these client computers using host names.
Resolution
By using the DNS MMC snap-in, configure a forward lookup zone for these domains or configure the correct domain name on the DHCP server as a scope option or server option.
http://go.microsoft.com/fwlink/?LinkId=157553
However, the zone iah.ac.uk is created on the DNS server and has all the same permissions as the rest.
ASKER
Thanks for the ideas guys, and for helping determine the final root cause.
ASKER
The audit logging is where I posted the outputs above from (windows/system32/dhcp/...).
Or does it create a log file somewhere else?