Can't get DDNS going on secure-only updates


aking

Technical User
Aug 11, 2002
112
GB
Hi, I have a small network.
Background: 2x Windows 2003 domain controllers, both are running DNS server, 1 is running DHCP server, all clients are on DHCP, all other servers are on statics. The DNS on both servers is AD-integrated.

I've got a recurring error with DDNS: every 24 hours on some member servers I get the 11166 warning in the System event log from DnsApi:
"The system failed to register host (A) resource records (RRs) for network adapter"

So all the settings are correct.
(So far) I can only get rid of the error by changing the properties of the DNS zone on one of the domain controllers from 'Secure only' to 'Nonsecure and secure'.

Does anyone understand why?
(Note: I only have to change the setting on one DC and it will also appear in the other DC's DNS zone; I assume because the DNS servers can talk to each other once the unsecured one gets the update.)

I have been browsing the web and the MS KB most of the afternoon; with an AD-integrated DNS I should be fine on 'Secure only'. I also need this for the network audit.

Anyone know how to get secure-only DDNS going?
Seems to work on some member servers and not others!
(All servers are on Windows 2003 with all the latest updates.)

 
Only 1 of the DCs is multihomed.
No NIC teaming.
 
DCs should NEVER be multihomed. It actually invalidates any supportability for the DC. The NETLOGON service WILL tie the wrong interface to the SRV records. The checkboxes to not register an interface in DNS do NOT prevent this from happening. The more enabled NICs you have, the greater the risk you run of messing up authentication against any multihomed DC. This does include the SOA, which can lead to problems with registration. Do yourself a major favor before you are running around like a chicken with your head cut off to fix a problem caused by your multihoming... and you won't even find that it's the multihomed DC that's your problem for quite some time either... it always ends up the last thing ya look at :)

What are the current security settings on your zone?

What is your internal domain's fully qualified domain name?



- Brandon Wilson
MCSE:Security00/03; MCSA:Security03
MCSA:Messaging00; MCP; A+
IT Pangaea (
 
Also, what is the FQDN of the member server showing the problem as well as your DCs?

Do you have any DNS suffix search orders set?

Do you have any static DNS suffixes set on the DNS tab in the advanced tcp/ip properties?

- Brandon Wilson
MCSE:Security00/03; MCSA:Security03
MCSA:Messaging00; MCP; A+
IT Pangaea (
 
Wow, a lot of caps. I guess I'm worried now.
But thanks, you probably saved me a lot of time. Clearly I will have to change this.

DNS security settings are on defaults, i.e. only admins have write privileges.
All servers are in the same domain; no DNS suffixes set.
I thought it was a small problem, as the other member servers are fine and not giving this error.
I found other forums with people with this problem, and the quick fix is non-secure updates, which does remove the error.
But the more I've looked into it, the more it seems that secure updates should work if the client is in Active Directory, which it is.
 
Yes, with security options that surprised me:
'Special' is the only option ticked; go into Advanced and they are Read on User, Group & Computer objects.
I have never changed any of these security settings since the original install.
 
Sorry, I have been away.
Neither of the DCs has ever logged this error.

I get this error on some (not all) member servers on the network. The reason I posted this is because (as far as I can tell) all member servers are configured the same, so I can't see why some servers give this error and not others.

Thanks for the tip about multihoming. I think you've highlighted something that should be changed, but I don't know if that's anything to do with this error.

Also, this is not a critical error: the servers with this error can still browse the network and are accessible from other machines etc. Now I'm wondering if it might be something to do with old network cards or something like that. One of the servers which has this error is running on quite old hardware.
 
Actually, the multihoming can still be the problem. If it writes the wrong SOA into the zone, even for a short time, then in that short time it is quite possible for clients to get an error such as that.

next time you get the error, grab netdiag /v results on the problem server and post them...

- Brandon Wilson
MCSE:Security00/03; MCSA:Security03
MCSA:Messaging00; MCP; A+
IT Pangaea (
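Brandon's two requests above (the zone's security settings, and `netdiag /v` from the problem server) can be scripted. The following is an added example and is not part of the thread or anyone's post in it; the names corp.example.com, dc01 and srv01 are placeholders, and it assumes the Windows Server 2003 Support Tools (dnscmd, dsacls, netdiag) are installed and that PowerShell is available on both machines. It also shows a check the thread never reaches but which most often explains 11166 on a 'Secure only' zone: whether the dnsNode object behind the A record grants write access to the computer account doing the update. A secure dynamic update is authenticated with the client's computer account (GSS-TSIG), so a record created under a different identity (an older computer object with the same name, an admin adding it by hand, or the DHCP server) is refused, and the client logs 11166 at every 24-hour refresh. Loosening the zone to 'Nonsecure and secure' hides that, which is why it "fixes" the error.

```powershell
# Added example, not from the thread. Placeholder names: zone corp.example.com,
# DNS server / DC dc01, member server srv01 (the one logging DnsApi 11166).
# Steps 1-3 are run on the DC, step 4 on the member server, step 5 on the DC.
param(
    [string]$Zone      = 'corp.example.com',
    [string]$HostName  = 'srv01',
    [string]$DnsServer = 'dc01'
)

# 1. Zone update policy. dnscmd /ZoneInfo reports 'update = 2' for Secure only,
#    1 for Nonsecure and secure, 0 for no dynamic updates.
dnscmd $DnsServer /ZoneInfo $Zone | Select-String -Pattern '^\s*update'

# 2. The A record the client keeps trying to refresh, and the ACL of the
#    dnsNode object behind it. Look at 'Owner:' and whether CORP\srv01$
#    (the computer account) has write access; if the owner is another SID
#    the secure update is refused and 11166 is logged.
dnscmd $DnsServer /EnumRecords $Zone $HostName /Type A

# dnsNode DN for a zone stored in the DomainDnsZones partition (the 2003
# default). Zones left in the Windows 2000 location live under
# CN=System,<domain DN> instead; adjust $nodeDn if dsacls reports no object.
$domainDn = ($Zone -split '\.' | ForEach-Object { "DC=$_" }) -join ','
$nodeDn   = "DC=$HostName,DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
dsacls $nodeDn

# 3. Multihoming check: the zone apex ('@') shows which DC addresses are
#    actually registered as the zone's A/NS/SOA. A multihomed DC shows up
#    here with every enabled interface, whatever the adapter checkbox says.
dnscmd $DnsServer /EnumRecords $Zone '@'

# 4. On the member server: force a registration attempt, run the DNS test
#    Brandon asked for, and pull the matching DnsApi warnings so the
#    timestamps can be lined up with the netdiag output.
ipconfig /registerdns
netdiag /v /test:DNS
Get-EventLog -LogName System -Newest 500 |
    Where-Object { $_.Source -eq 'DnsApi' -and $_.EventID -eq 11166 } |
    Select-Object TimeGenerated, Message

# 5. Once the stale record has been deleted (or the computer account given
#    write access to the node), return the zone to Secure only rather than
#    leaving it on Nonsecure and secure.
dnscmd $DnsServer /Config $Zone /AllowUpdate 2
```

Renaming and rejoining the server, as happened later in the thread, creates a fresh computer account and a fresh dnsNode owned by it, which is consistent with step 2 being the cause; step 2 lets you confirm that without the rename.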
 
So anyway, due to company changes that server name had to change, so I took it off the domain, changed the name (by one letter), and added it back to the domain, and now that DNS error has gone.
The last time it flagged that error was yesterday afternoon, half an hour before I did the name change. Since then it hasn't done it, and by now it should have according to the frequency the error was occurring before.
I'm almost disappointed! I wanted to know what was causing it.
When I find that error again on the network I'll netdiag /v it.
 