Troubleshooting dynamic updates

Updated: August 25, 2010

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Troubleshooting dynamic updates

What problem are you having?

• The DNS client is not performing dynamic updates.

• The DNS server is not performing dynamic updates.

• I am having a different problem related to dynamic updates than those described above.

The DNS client is not performing dynamic updates.

Cause:  The client (or its DHCP server) do not support the use of the DNS dynamic update protocol.

Solution:  Verify that your clients or servers support the DNS dynamic update protocol.

In order for client computers to be registered and updated dynamically with a DNS server, either:

1. Install or upgrade client computers to Windows XP or Windows Server 2003 .

2. Install and use the DHCP Server service on your network to lease client computers.

By default, computers attempt to register and perform dynamic update of their DNS names and IP addresses with a DNS server.

For other types of computers, you can deploy Windows Server 2003 DHCP servers, which can perform proxied registrations and updates as needed for non-dynamic clients.

Notes

• By default, the DNS client on Windows XP does not attempt dynamic update over a Remote Access Service (RAS) or virtual private network connection. To modify this configuration, you can modify the advanced TCP/IP settings of the particular network connection or modify the registry. For more information, see Configure TCP/IP to use DNS and the Microsoft Windows Resource Kits Web site.

• By default, the DNS client does not attempt dynamic update of top-level domain (TLD) zones. Any zone named with a single-label name is considered a TLD zone, for example, com, edu, blank, my-company. To configure the DNS client to allow the dynamic update of TLD zones, you can use the Update Top Level Domain Zones policy setting or modify the registry.

Cause:  The client was not able to register with the DNS server because of intermittent problems with either the DNS server or the network.

Solution:  At the client computer, use the ipconfig command as appropriate to retry registration or renewal and update client information with the DNS server.

You can use the ipconfig /registerdns command option to manually force a retry of its dynamic registration.

For computers running earlier versions of Windows, you can use the options of the ipconfig command to verify, view, or renew the client TCP/IP configuration details as appropriate.

For example, if the client computer obtains its IP address lease from a DHCP server, you might use the ipconfig /renew command to force it to renew its lease with the DHCP server. This action would then cause the DHCP server to proxy an update request to its configured DNS server on behalf of the client.

If the DHCP server succeeds in performing the proxied update with the DNS server, the result would be updated DNS host name and IP address information for the client computer in the DNS database.

See also:  Renew DNS client registration using the ipconfig command.

Cause:  The client was not able to register and update with the DNS server because of missing or incomplete DNS configuration.

Solution:  Verify that the client is fully and correctly configured for DNS, and update its configuration as needed.

One common cause of the client failing to update with the DNS server is that it does not have a DNS suffix (either a primary suffix or connection-specific suffix) configured. This might result in the client attempting to register an incorrect or unintended DNS domain name.

For example, the client could be attempting to register its short or unqualified computer or host name as a top-level domain name in the root zone. This happens because without a DNS suffix configured for the client computer, it determines the configured short name of a computer (such as host-a) is its fully qualified domain name (FQDN). This only occurs because the computer name does not have a DNS suffix to append to it and qualify the computer name when registering it for the client in DNS.

To update the DNS configuration for a client, either:

1. Configure a primary DNS suffix at the client computer for static TCP/IP clients.

2. Configure a connection-specific DNS suffix for use at one of the installed network connections at the client computer.

See also:  Configure the primary DNS suffix for a client computer; Configure TCP/IP to use DNS; Install and Configure Clients; Managing Clients.

Cause:  The DNS client attempted to update its information with the DNS server but failed because of a problem related to the server.

Solution:  If a client can reach its preferred and alternate DNS servers as configured, it is likely that the cause of its failed updates can be found elsewhere.

At Windows-based client computers, you can use Event Viewer to check the System log for any event messages that explain why attempts by the client to dynamically update its host (A) or pointer (PTR) resource records failed.

When reviewing messages in the System log, filter or order the display of all messages to view those that specify DnsApi as the source for the message. Typically, these messages are related to the performance of DNS activities, such as DNS queries or dynamic updates.

A common reason updates might fail for a mobile client is that the DNS server required to accept and perform the update does not respond when the client starts at a remote location on the network. This could be due to network performance issues or might indicate a problem in the underlying design of your network. Where these issues persist or seem likely, you should review your DNS deployment and modify it accordingly.

See also:  Deploying DNS; Dynamic update.

The DNS server is not performing dynamic updates.

Cause:  The DNS server does not support dynamic updates.

Solution:  Verify that the DNS server used by the client can support the DNS dynamic update protocol, as described in RFC 2136.

Only the Windows 2000 and Windows Server 2003 DNS Server service supports dynamic updates. The DNS Server service provided with Windows NT Server 4.0 does not.

If you are using other DNS servers on your network, verify that they are running a DNS server implementation that supports dynamic updates.

See also:  Dynamic update; DNS RFCs.

Cause:  The DNS server supports dynamic updates but is not configured to accept them.

Solution:  Verify that the primary zone where clients require updates is configured to allow dynamic updates.

The default for a new primary zone is to not accept dynamic updates. At the DNS server that loads the applicable primary zone, modify zone properties to allow updates.

See also:  Allow dynamic updates.

Cause:  The zone database is not available.

Solution:  Verify that the zone is available for update.

First, if necessary, verify that the zone exists. For a standard primary zone, verify that the zone file exists at the server and that the zone is not paused. If you are using Active Directory-integrated zones, verify that the DNS server is running as a domain controller and has access to the Active Directory database where zone data is stored.

Secondary zones do not support dynamic updates. If you are trying to determine which server is the primary server for a standard zone, review zone authority records to determine which server is referenced in both the start of authority (SOA) and name server (NS) resource records for the zone. This is the primary server for the zone which can accept dynamic updates to it.

If you need to, you can use the DNS console to change a secondary zone to become a primary zone so that it can accommodate dynamic updates. However, because standard primary zones use a single-master update model, you can only configure one server to accept dynamic updates for the zone.

If you change the zone type at a secondary server so that it becomes the primary server for that zone, you need to either remove the zone or convert it to another zone type (such as a secondary zone) at the original primary server. Otherwise, zone data would become inconsistent and cause additional problems.

If you want to have more than one DNS server be able to update a zone, it is recommended that you change the zone type so that it becomes Active Directory-integrated. To be able to use this zone type, Active Directory must be installed and the server computer must be promoted to a domain controller.

Once the zone is stored in the directory, other domain controllers can load the zone automatically and be allowed to update it when they are running the DNS Server service. This is because Active Directory supports a multiple (or floating) master update model where more than one computer can process updates to the directory database.

See also:  Change the zone type; Add and Remove Zones; Managing authority records; Active Directory integration.

Cause:  The DNS server is configured to allow only secure dynamic updates and has a security-related problem.

Solution:  Verify that zone or resource record security does not block or prevent dynamic updates at the server.

Secure update can be enabled for directory-integrated zones and their resource records. If secure dynamic update is in effect for a directory-integrated zone, then only users, groups, or computers that have write permissions may add new resource records to the zone. If secure dynamic update is in effect for resource records, then only users, groups, or computers that have write permissions can update these resource records. Consequently, security might block or prevent a DNS client (or its DHCP server) from performing an update of its host (A) and pointer (PTR) resource records.

In most cases, secure dynamic update does not prevent new records from being created or added to a zone, but it does restrict who is given default permissions to update or modify records. Where necessary, you can use the access control list (ACL) editing features available for directory-integrated zones to modify security permissions on a zone or its resource records and enable update by another user, group, or computer.

Typically, this is only needed if the computer requesting the update is different from the one that owns the client records and originally created them.

See also:  Dynamic update; Modify security for a directory-integrated zone; Modify security for a resource record.

Cause:  The DNS server required to perform the updates is not available on the network.

Solution:  Verify that the DNS server is available on the network or troubleshoot any further issues as necessary.

See also:  Troubleshooting DNS servers.

I am having a different problem related to dynamic updates than those described above.

Cause:  My problem is not described above.

Solution:  Search TechNet at the Microsoft Web site for the latest technical information that could relate to the problem. If necessary, you can obtain information and instructions that pertain to your problem or issue.

If you are connected to the Internet, the latest operating system updates are available at the Microsoft Web site.

To obtain the latest service pack updates for Windows NT Server, see the Microsoft Web site.

See also:  DNS updated technical information; DNS.