Solving Dynamic Update and Secure Dynamic Update Problems

If you have problems with dynamic update, use the following steps to diagnose and solve your problem.

Troubleshooting Dynamic Update

If dynamic update does not register a name or IP address properly, use the following process to diagnose and solve your problem.

  • Force the client to renew its registration by typing ipconfig /registerdns.

  • Check whether dynamic update is enabled for the zone that is authoritative for the name that the client is trying to update.
    For more information about dynamic update and secure dynamic update, see "Dynamic Update and Secure Dynamic Update" earlier in this chapter.

  • To rule out other problems, check whether the dynamic update client lists the primary DNS server for the zone as its preferred DNS server.
    This is not necessary for dynamic update to work; however, if the client lists a preferred server other than the primary DNS server for the zone, many other problems might cause the failure, such as a network connectivity problem between the two servers or a prolonged recursive lookup for the primary server of the zone. To ascertain the preferred DNS server for the client, check the IP address configured in the TCP/IP properties of the network connection for the client, or at the command prompt type ipconfig /all.
    If the zone is Active Directory-integrated, any DNS server that hosts an Active Directory-integrated copy of the zone can process the updates.

  • Check whether the zone is configured for secure dynamic update.
    If the zone is configured for secure dynamic update, the update can fail if zone or record security does not permit this client to make changes to the zone or record, or the update can fail if this client does not have ownership of the name that it is trying to update. To see whether the update failed for one of these reasons, check Event Viewer on the client. For more information about Event Viewer, see "Troubleshooting Tools" earlier in this chapter.
    For information about what to do if the update failed because the zone is configured for secure dynamic update, see "Troubleshooting Secure Dynamic Update" later in this chapter.

Troubleshooting Secure Dynamic Update

Secure dynamic update can prevent a client from creating, modifying, or deleting records, depending on the ACL for the zone and the name. By default, secure dynamic update prevents a client from creating, deleting, or modifying a record if the client is not the original creator of the record. For example, if two computers have the same name and both try to register their names in DNS, dynamic update fails for the client that registers second.

If a client failed to update a name in a zone that is configured for secure dynamic update, the failure could be caused by one of the following conditions:

  • The system time on the client and the system time on the DNS server are not in sync.

  • You have modified the UpdateSecurityLevel registry entry to disallow the use of secure dynamic update on the client. For more information about dynamic update and secure dynamic update, see "Dynamic Update and Secure Dynamic Update" earlier in this chapter.

  • The client does not have the appropriate rights to update the resource record. You can confirm this by checking the ACL associated with the name to be updated.
    If the client does not have the appropriate rights to update the resource record, check whether the DHCP server registered the name of the client and whether the DHCP server is the owner of the corresponding dnsNode object. If so, you might consider placing the DHCP server in the DNSUpdateProxy security group. Any object created by a member of the DNSUpdateProxy security group has no security.
    For more information about the DNSUpdateProxy security group, see "Dynamic Update and Secure Dynamic Update Interoperability Considerations" earlier in this chapter.
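
The checks from the two lists above (preferred server versus primary server, the zone's update setting, and clock offset when the zone is secure) can be gathered in one pass. The following PowerShell script is an added example, not part of the original chapter; it assumes a current Windows release with the DnsClient module, optionally the DnsServer (RSAT) module with rights to query the server, and uses the placeholder zone name corp.example.com.

```powershell
# Added example: read-only checks for one zone, run on the affected client.
# Assumes the DnsClient module; the DnsServer (RSAT) module is optional.
param(
    [string]$ZoneName = 'corp.example.com',  # placeholder zone name
    [switch]$Register                        # also run ipconfig /registerdns
)

# Primary server for the zone, taken from the SOA record.
$soa = Resolve-DnsName -Name $ZoneName -Type SOA -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
if (-not $soa) { throw "No SOA record returned for $ZoneName" }
$primary    = $soa.PrimaryServer
$primaryIPs = @(Resolve-DnsName -Name $primary -Type A -ErrorAction Stop |
    Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })

# Preferred DNS server = first address configured on each interface.
$preferred = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object { $_.ServerAddresses[0] } | Select-Object -Unique)

# Zone update mode: None, Secure or NonsecureAndSecure.
$mode = 'unknown (DnsServer module missing or access denied)'
if (Get-Command Get-DnsServerZone -ErrorAction SilentlyContinue) {
    $zone = Get-DnsServerZone -Name $ZoneName -ComputerName $primary `
        -ErrorAction SilentlyContinue
    if ($zone) { $mode = [string]$zone.DynamicUpdate }
}

# PreferredIsPrimary = False is not a failure by itself; it only means the
# update has to reach the primary (or another AD-integrated copy) indirectly.
[pscustomobject]@{
    Zone               = $ZoneName
    PrimaryServer      = $primary
    PrimaryAddresses   = $primaryIPs -join ', '
    PreferredServers   = $preferred -join ', '
    PreferredIsPrimary = [bool]($preferred | Where-Object { $primaryIPs -contains $_ })
    DynamicUpdate      = $mode
}

# Secure dynamic update: show the clock offset between client and server.
if ($mode -eq 'Secure') {
    w32tm /stripchart /computer:$primary /samples:1 /dataonly
}

if ($Register) { ipconfig /registerdns }   # needs an elevated prompt
```

A DynamicUpdate value of None means the zone rejects all dynamic updates; a value of Secure means the ACL and time checks described above apply.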