Troubleshooting Dynamic Updates

Applies To: Windows Server 2008, Windows Server 2008 R2

What problem are you having?

  • The DNS client is not performing dynamic updates.

  • The DNS server is not performing dynamic updates.

  • I am having a different problem related to dynamic updates than those described here.

The DNS client is not performing dynamic updates.

Cause:  The client, or its Dynamic Host Configuration Protocol (DHCP) server, does not support the use of the Domain Name System (DNS) dynamic update protocol.

Solution:  Verify that your clients or servers support the DNS dynamic update protocol.

For client computers to be registered and updated dynamically with a DNS server, either:

  • Install or upgrade client computers to the current version of Windows.

  • Install and use the DHCP Server service on your network to lease IP addresses to client computers.

By default, computers attempt to register and perform dynamic update of their DNS names and IP addresses with a DNS server.

For other types of computers, you can deploy Windows Server 2008 DHCP servers, which can perform proxied registrations and updates as needed for nondynamic clients.

Additional considerations

  • By default, the DNS client on Microsoft Windows XP or Windows Vista does not attempt dynamic update over a Remote Access Service (RAS) or virtual private network (VPN) connection. To modify this configuration, you can modify the advanced TCP/IP settings of the particular network connection or modify the registry. For more information, see the Windows Server 2003 Resource Kit Registry Reference (https://go.microsoft.com/fwlink/?LinkId=428).

  • By default, the DNS client does not attempt dynamic update of top-level domain (TLD) zones. Any zone that is named with a single-label name is considered a TLD zone, for example, com, edu, blank, my-company. To configure the DNS client to allow the dynamic update of TLD zones, you can use the Update Top Level Domain Zones policy setting or you can modify the registry.

Cause:  The client was not able to register with the DNS server because of intermittent problems with either the DNS server or the network.

Solution:  At the client computer, use the ipconfig command as appropriate to retry registration or renewal and update client information with the DNS server.

You can use the ipconfig /registerdns command option to manually force a retry of the client computer's dynamic registration.

For computers running earlier versions of Windows, you can use the options of the ipconfig command to verify, view, or renew the client TCP/IP configuration details as appropriate.

For example, if the client computer obtains its IP address lease from a DHCP server, you might use the ipconfig /renew command to force the client to renew its lease with the DHCP server. This action then causes the DHCP server to submit an update request to its configured DNS server on behalf of the client.

If the DHCP server succeeds in performing the update with the DNS server, the result is an updated DNS host name and updated IP address information for the client computer in the DNS database.

Cause:  The client was not able to register and update with the DNS server because of missing or incomplete DNS configuration.

Solution:  Verify that the client is fully and correctly configured for DNS, and update its configuration as needed.

One common cause of the client failing to update with the DNS server is that it does not have a DNS suffix (either a primary suffix or connection-specific suffix) configured. This might result in the client attempting to register an incorrect or unintended DNS domain name.

For example, the client might be attempting to register its short or unqualified computer or host name as a top-level domain name in the root zone. This happens because, without a DNS suffix configured, the client computer treats its configured short name (such as host-a) as its fully qualified domain name (FQDN). There is no DNS suffix to append to the computer name to qualify it when the client registers the name in DNS.

To update the DNS configuration for a client, either:

  • Configure a primary DNS suffix at the client computer for static TCP/IP clients.

  • Configure a connection-specific DNS suffix for use at one of the installed network connections at the client computer.

For more information, see Managing Clients.
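The following PowerShell script is an added example, not part of the original article. It lists the DNS names that each IP-enabled connection would try to register and flags single-label names, which result from a missing DNS suffix. It assumes PowerShell 2.0 or later and reads the primary DNS suffix from the Tcpip\Parameters registry key.

```powershell
# Added example (not from the original article). PowerShell 2.0 or later.
# Shows which names each connection would register and flags unqualified ones.

$tcpip         = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$hostName      = $tcpip.Hostname
$primarySuffix = $tcpip.Domain      # empty when no primary DNS suffix is configured

function Get-RegistrationName {
    param([string]$HostName, [string]$Suffix)
    # Without a suffix the short name is all the client has to register.
    if ([string]::IsNullOrEmpty($Suffix)) { return $HostName }
    return "$HostName.$Suffix"
}

Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $adapter = $_.Description
        $servers = $_.DNSServerSearchOrder -join ', '
        $names   = @()

        # "Register this connection's addresses in DNS" (full computer name)
        if ($_.FullDNSRegistrationEnabled) {
            $names += Get-RegistrationName $hostName $primarySuffix
        }
        # "Use this connection's DNS suffix in DNS registration"
        if ($_.DomainDNSRegistrationEnabled -and $_.DNSDomain) {
            $names += Get-RegistrationName $hostName $_.DNSDomain
        }
        if ($names.Count -eq 0) {
            New-Object PSObject -Property @{
                Adapter = $adapter; Name = '(none)'; DnsServers = $servers
                Finding = 'Dynamic registration is disabled on this connection'
            }
        }
        foreach ($name in ($names | Select-Object -Unique)) {
            $finding = if ($name -notmatch '\.') {
                'Single-label name: no DNS suffix, treated as a TLD zone update'
            } elseif (-not $servers) {
                'No DNS server configured on this connection'
            } else { 'OK' }
            New-Object PSObject -Property @{
                Adapter = $adapter; Name = $name; DnsServers = $servers; Finding = $finding
            }
        }
    } |
    Select-Object Adapter, Name, DnsServers, Finding |
    Format-Table -AutoSize -Wrap
```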

Cause:  The DNS client attempted to update its information with the DNS server but failed because of a problem related to the server.

Solution:  If a client can reach its preferred and alternate DNS servers as configured, it is likely that the cause of its failed updates can be found elsewhere.

At Windows-based client computers, you can use Event Viewer to check the System log for any event messages that explain why attempts by the client to dynamically update its host (A) or pointer (PTR) resource records failed.

When you review messages in the System log, filter or order the display of all messages to view the messages that specify DnsApi as the source for the message. Typically, these messages are related to the performance of DNS activities, such as DNS queries or dynamic updates.

A common reason that updates might fail for a mobile client is that the DNS server that is required to accept and perform the update does not respond when the client starts at a remote location on the network. This might be due to network performance issues or it might indicate a problem in the underlying design of your network. Where these issues persist or seem likely, review your DNS deployment and modify it accordingly.

For more information, see Understanding Dynamic Update.
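The following PowerShell script is an added example, not part of the original article. It combines the retry with ipconfig /registerdns and the System log review described above. The DnsApi source name is taken from this article and might differ on your version of Windows; the $WaitSeconds default is an arbitrary choice.

```powershell
# Added example (not from the original article). Run from an elevated prompt.
param(
    [string]$Source      = 'DnsApi',  # source name given in this article (assumption:
                                      # it matches the source shown in your System log)
    [int]   $WaitSeconds = 120        # arbitrary pause before reading the log
)

$start = Get-Date

# Force the client to retry its dynamic registration.
& ipconfig /registerdns | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Warning "ipconfig /registerdns returned exit code $LASTEXITCODE."
}

Start-Sleep -Seconds $WaitSeconds

# Read only the entries written after the retry started, then keep
# warnings and errors from the DNS client source.
$events = Get-EventLog -LogName System -After $start -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Source -eq $Source -and
        ($_.EntryType -eq 'Warning' -or $_.EntryType -eq 'Error')
    }

if ($events) {
    $events |
        Sort-Object TimeGenerated |
        Select-Object TimeGenerated, EntryType, EventID, Message |
        Format-List
} else {
    Write-Output "No $Source warnings or errors logged since $start."
    Write-Output 'Registration errors can be logged later; rerun the query if needed.'
}
```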

The DNS server is not performing dynamic updates.

Cause:  The DNS server does not support dynamic updates.

Solution:  Verify that the DNS server that is used by the client can support the DNS dynamic update protocol, as described in RFC 2136.

If you are using other DNS servers on your network, verify that they are running a DNS server implementation that supports dynamic updates.

For more information, see Understanding Dynamic Update.

Cause:  The DNS server supports dynamic updates, but it is not configured to accept them.

Solution:  Verify that the primary zone where clients require updates is configured to allow dynamic updates.

The default for a new primary zone is to not accept dynamic updates. At the DNS server that loads the applicable primary zone, modify zone properties to allow updates.

For more information, see Allow Dynamic Updates.

Cause:  The zone database is not available.

Solution:  Verify that the zone is available for update.

First, if necessary, verify that the zone exists. For a standard primary zone, verify that the zone file exists at the server and that the zone is not paused. If you are using Active Directory–integrated zones, verify that the DNS server is running as a domain controller and that it has access to the Active Directory database where zone data is stored.

Secondary zones do not support dynamic updates. If you are trying to determine which server is the primary server for a standard zone, review zone authority records to determine which server is referenced in both the start of authority (SOA) and name server (NS) resource records for the zone. This is the primary server for the zone that can accept dynamic updates to it.

If you need to, you can use DNS Manager to change a secondary zone to become a primary zone so that it can accommodate dynamic updates. However, because standard primary zones use a single-master update model, you can configure only one server to accept dynamic updates for the zone.

If you change the zone type at a secondary server so that it becomes the primary server for that zone, either remove the zone or convert it to another zone type (such as a secondary zone) at the original primary server. Otherwise, zone data becomes inconsistent and causes additional problems.

If you want to have more than one DNS server be able to update a zone, we recommend that you change the zone type so that it becomes Active Directory–integrated. For this zone type to be used, Active Directory Domain Services (AD DS) must be installed and the server computer must be promoted to a domain controller.

After the zone is stored in the directory, other domain controllers can load the zone automatically and they are allowed to update it when they are running the DNS Server service. This is because AD DS supports a multiple (or floating) master update model in which more than one computer can process updates to the directory database.

For more information, see Change the Zone Type; Adding Zones; Understanding Active Directory Domain Services Integration.
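The following PowerShell script is an added example, not part of the original article. It runs the zone checks described above on the DNS server by using the DNS WMI provider (root\MicrosoftDNS). The zone name example.com is a placeholder, and the zone file check assumes the default %SystemRoot%\System32\dns directory.

```powershell
# Added example (not from the original article). Run elevated on the DNS server.
param([string]$ZoneName = 'example.com')   # placeholder zone name

$zone = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone `
                      -Filter "Name = '$ZoneName'"
if (-not $zone) {
    Write-Warning "Zone '$ZoneName' is not loaded by this DNS server."
    return
}

$type = switch ($zone.ZoneType) {
    1 { 'Primary' }
    2 { 'Secondary' }
    3 { 'Stub' }
    4 { 'Forwarder' }
    default { "Other ($($zone.ZoneType))" }
}
$findings = @()

if ($zone.Paused -or $zone.Shutdown) {
    $findings += 'Zone is paused or shut down, so it is not available for update.'
}
if ($zone.ZoneType -ne 1) {
    $findings += "This server holds a $type copy; only the primary accepts dynamic updates."
} else {
    switch ($zone.AllowUpdate) {
        0 { $findings += 'Dynamic updates are not allowed (default for a new primary zone).' }
        2 { $findings += 'Secure only: the updating account needs Write permissions.' }
    }
}
if ($zone.DsIntegrated) {
    # Active Directory-integrated zones require the DNS server to be a domain controller.
    $role = (Get-WmiObject Win32_ComputerSystem).DomainRole   # 4 or 5 = domain controller
    if ($role -lt 4) { $findings += 'Zone is directory-integrated but this server is not a domain controller.' }
} elseif ($zone.ZoneType -eq 1 -and $zone.DataFile) {
    # Standard primary zone: the zone file must exist (default directory assumed).
    $file = Join-Path $env:SystemRoot "System32\dns\$($zone.DataFile)"
    if (-not (Test-Path $file)) { $findings += "Zone file not found: $file" }
}

Write-Output "Zone: $ZoneName  Type: $type  DsIntegrated: $($zone.DsIntegrated)  AllowUpdate: $($zone.AllowUpdate)"
if ($findings.Count -eq 0) {
    Write-Output 'No zone configuration problem found for dynamic updates.'
} else {
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```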

Cause:  The DNS server is configured to allow only secure dynamic updates, and it has a security-related problem.

Solution:  Verify that zone or resource record security does not block or prevent dynamic updates at the server.

Secure update can be enabled for directory-integrated zones and their resource records. If secure dynamic update is in effect for a directory-integrated zone, only users, groups, or computers that have Write permissions may add new resource records to the zone. If secure dynamic update is in effect for resource records, only users, groups, or computers that have Write permissions can update these resource records. Consequently, security might block or prevent a DNS client (or its DHCP server) from performing an update of its host (A) and pointer (PTR) resource records.

In most cases, secure dynamic update does not prevent new records from being created or added to a zone, but it does restrict who is given default permissions to update or modify records. Where necessary, you can use the access control list (ACL) editing features that are available for directory-integrated zones to modify security permissions on a zone or its resource records and enable update by another user, group, or computer.

Typically, this is necessary only if the computer requesting the update is different from the computer that owns the client records and originally created them.

For more information, see Understanding Dynamic Update.

Cause:  The DNS server that is required to perform the updates is not available on the network.

Solution:  Verify that the DNS server is available on the network, or troubleshoot any further issues as necessary.

For more information, see Troubleshooting DNS Servers.

Cause:  My problem is not described here.

Solution:  Search TechNet (https://go.microsoft.com/fwlink/?LinkId=170) for the latest technical information that might relate to the problem. If necessary, you can obtain information and instructions that pertain to your problem or issue.

If you are connected to the Internet, the latest operating system updates are available at Microsoft Update (https://go.microsoft.com/fwlink/?LinkId=284).