Eric Velting

asked on

DNS Cannot Register for Domain Machines on SD-WAN and SSL VPN

I am working on a DNS issue that we are experiencing on our SD-WAN as well as our SSL VPN connections. Domain computers are unable to register with DNS and receive an Event ID 8020 when trying. My MPLS sites, and anyone locally in our main site, are able to register without any problem.

When I disable “Secure Only” DNS then they are able to register. But I want to use “Secure Only” for obvious reasons.

Anyone seen anything like this?
Aaron Tomosky

Have you created all the subnets in Sites and Services? Also, what is providing DHCP for secure working and non-working sites?
Eric Velting

ASKER

Thanks for the response, Aaron. Yes, the subnets have all been added to Sites and Services.

Here is some new information from today's testing. I discovered that clients at my main site cannot register DNS either. It is only registering because DHCP is handling it for the client. When I use "ipconfig /registerdns" from a client, it fails. So this tells me it is most likely a configuration issue within DNS or our domain controllers in general.

I ran Wireshark and it shows that when the client tries to register DNS it is unable to authenticate the machine for the secure connection and drops the request.

I need to figure out what needs to be done to fix this authentication failure.
Could be something around ownership of the records. Assuming you have multiple domain controllers, make sure you set up the dnsupdateproxy stuff. Good write-up here:
https://blogs.msmvps.com/acefekay/2016/08/13/dynamic-dns-updates-how-to-get-it-to-work-with-dhcp-scavenging-static-entries-their-timestamps-the-dnsupdateproxy-group-and-dhcp-name-protection/
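
The record-ownership check suggested in the reply above can be done from an admin workstation. This is an added example, not code from the thread or the linked article; it assumes the RSAT DnsServer, DhcpServer and ActiveDirectory modules are installed, and the zone, host and server names are placeholders.

```powershell
# Added diagnostic example. Every name below is a placeholder (assumption).
Import-Module DnsServer, DhcpServer, ActiveDirectory

$Zone       = 'corp.example.com'         # placeholder AD-integrated zone
$HostName   = 'WS-0001'                  # placeholder client logging Event ID 8020
$DnsServer  = 'dc01.corp.example.com'    # placeholder DNS server / DC
$DhcpServer = 'dhcp01.corp.example.com'  # placeholder DHCP server

# 1. Confirm the zone is AD-integrated and set to secure-only updates.
Get-DnsServerZone -Name $Zone -ComputerName $DnsServer |
    Select-Object ZoneName, DynamicUpdate, IsDsIntegrated, ReplicationScope

# 2. Find the client's existing A record and read the owner of its
#    dnsNode object in AD. With secure-only updates, the ACL on this
#    object decides which account may change the record.
$records = Get-DnsServerResourceRecord -ZoneName $Zone -Name $HostName -RRType A `
               -ComputerName $DnsServer -ErrorAction SilentlyContinue
if ($records) {
    foreach ($r in $records) {
        $acl = Get-Acl -Path ("AD:\" + $r.DistinguishedName)
        [pscustomobject]@{
            Record    = $r.HostName
            Address   = $r.RecordData.IPv4Address
            Timestamp = $r.Timestamp   # empty means the record is static
            Owner     = $acl.Owner
        }
    }
} else {
    Write-Output "No A record for $HostName in $Zone."
}

# 3. Show how DHCP registers names on behalf of clients and which
#    account (if any) it uses for those updates.
Get-DhcpServerv4DnsSetting  -ComputerName $DhcpServer
Get-DhcpServerDnsCredential -ComputerName $DhcpServer

# 4. List members of DnsUpdateProxy; records created by members of this
#    group are not secured to the creating account.
Get-ADGroupMember -Identity 'DnsUpdateProxy' | Select-Object Name, objectClass
```

If the owner shown in step 2 is the DHCP server's computer account or its DNS credential account rather than the client's own computer account, a secure update sent by the client itself (for example via `ipconfig /registerdns`) is refused while DHCP-driven registration keeps working.
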
Thanks again, Aaron. I had the same thought and did some testing with that yesterday with no luck.

I did make a very big discovery at the end of the day while testing. I have been able to narrow this issue down to Windows 10 Enterprise version 1803 within my environment. I tested Windows 7 and Windows 10 Professional, and they both work just fine.

Sadly all of our computers run Enterprise, so this affects all of our devices.

I will be researching this and reaching out to Microsoft for assistance if needed.
A quick search for "windows 1803 dns problem" shows you are not alone... hopefully a hot fix shows up soon.