Dynamic DNS Error 9005 and event IDs 20322 & 20319

Tonito Dux
2021-10-18T12:58:57.427+00:00

Hi,

I have been battling an issue with DNS dynamic updates and the DHCP server for some time. My company has 4 DCs, all of which are also DHCP servers. Two DCs in our main HQ have failover configured.

The errors in DHCP-Server event log that we are receiving are:

  1. Forward record registration for IPv4 address [[192.168.0.69]] and FQDN machinename.domain.local failed with error 9005 (DNS operation refused.).
  2. PTR record registration for IPv4 address [[192.168.0.69]] and FQDN machinename.domain.local failed with error 9005 (DNS operation refused.).

I managed to change the following:

  1. I added the DNS dynamic update credentials in the IPv4 part of the DHCP console; I checked the password multiple times to make sure everything is OK.
  2. Ran the BPA on DHCP, which showed me that DHCP did not have the registry permissions; I added full access for the computer.
  3. Option 006 is set to our two main DCs; the first is our first DC, and it is the main one.
  4. Scope options:

[image: 141414-scope-options.jpg]

DNS Settings:

  1. Dynamic updates are set to secure only.
  2. Scavenging 1 day. Non-refresh and refresh 1 day.
  3. Reverse zones are setup:

[image: 141297-dns-reverse.jpg]

After all this I am seeing that host (A) entries, after I deleted them manually today, are being stamped by the service account, but some are still being stamped by their own computer account. Why is this happening?

Cheers


Accepted answer
  1. Tonito Dux
    2021-10-22T07:59:40.003+00:00

    Hi,

    I would like to confirm that the steps I have taken in this case have worked, at least in my case. After being unable to find a suitable solution on various forums and sites, I spent 3 days troubleshooting, only to find the solution by accident.

    Error:

    1. Forward record registration for IPv4 address [[192.168.0.69]] and FQDN machinename.domain.local failed with error 9005 (DNS operation refused.).
    2. PTR record registration for IPv4 address [[192.168.0.69]] and FQDN machinename.domain.local failed with error 9005 (DNS operation refused.).

    Solution:

    1. In DNS Manager, go to the properties of the zone you are going to delete, note all settings for the zone, then delete the zone under Reverse Lookup Zones which shows errors:

    [image: 142902-reverse-lookup-zone.jpg]

    2. Depending on the size of your infrastructure/how many DCs you have, let this change propagate to all DCs.
    3. Recreate the deleted zone with the values you noted before deletion.
    4. Check the event viewer log under Application and Services -> Microsoft -> Windows -> DHCP-Server -> Microsoft-Windows-DHCP Server Events/Admin. There should be no more errors.

    If you want to know more:

    Upon further investigation, I simply compared the "Security" tab of the zone which did not have any problems with the problematic one, and the difference was that the problematic zone did not have the "DnsAdmins" group. In my DnsAdmins group there is currently only a service account which is used for DNS dynamic updates (https://www.serverbrain.org/network-infrastructure-2003/using-dns-dynamic-update-credentials.html). At first, I tried to solve the problem without deleting a zone, and this also worked (not 100% sure). I added ALL the rights and "sub-rights" to the "DnsAdmins" group:

    [image: 142853-security-rights.jpg]

    So everything must be enabled except "full control".

    Cheers

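The accepted answer's procedure, done from PowerShell rather than DNS Manager, as an added example that is not part of the original thread: compare the DnsAdmins entry of the failing reverse zone with a zone that works, record the zone settings, delete the zone, wait until no DC still holds it, recreate it with the recorded values, and check the DHCP admin log for the 9005 events. The zone names, the network ID, the `DhcpAdminEvents` channel name and the partition mapping in `Get-DnsZoneAdPath` are assumptions drawn from the thread's naming (domain.local, 192.168.0.0/24); adjust them to your environment.

```powershell
# Added example, not from the thread. Run elevated on a DC that has the
# DnsServer and ActiveDirectory modules. Zone names are placeholders.
Import-Module DnsServer, ActiveDirectory

$BadZone  = '0.168.192.in-addr.arpa'   # reverse zone whose registrations fail with 9005
$BadNetId = '192.168.0.0/24'
$GoodZone = 'domain.local'             # zone whose registrations work, used as the reference

function Get-DnsZoneAdPath([string]$Zone) {
    # AD-integrated zones are objects under CN=MicrosoftDNS in the partition
    # chosen by the replication scope; the ACL on that object is what the
    # zone's "Security" tab shows. Mapping below is an assumption for the
    # three built-in scopes; custom partitions are not handled.
    $z        = Get-DnsServerZone -Name $Zone
    $domainDn = (Get-ADDomain).DistinguishedName
    $partition = switch ($z.ReplicationScope) {
        'Domain' { "DC=DomainDnsZones,$domainDn" }
        'Forest' { "DC=ForestDnsZones,$((Get-ADRootDSE).rootDomainNamingContext)" }
        'Legacy' { "CN=System,$domainDn" }
        default  { throw "$Zone is not AD-integrated (scope: $_)" }
    }
    "AD:\DC=$Zone,CN=MicrosoftDNS,$partition"
}

function Get-DnsZoneAce([string]$Zone, [string]$Identity = 'DnsAdmins') {
    # ACEs for one principal on the zone object, flattened to strings so they compare cleanly
    (Get-Acl -Path (Get-DnsZoneAdPath $Zone)).Access |
        Where-Object { $_.IdentityReference.Value -like "*\$Identity" } |
        Select-Object @{ n = 'Identity'; e = { $_.IdentityReference.Value } },
                      @{ n = 'Rights';   e = { $_.ActiveDirectoryRights.ToString() } },
                      @{ n = 'Type';     e = { $_.AccessControlType.ToString() } }
}

# 1. Find the difference first. On the author's server the broken zone had no DnsAdmins ACE at all;
#    '<=' rows below exist only on the healthy zone.
Compare-Object (Get-DnsZoneAce $GoodZone) (Get-DnsZoneAce $BadZone) -Property Identity, Rights, Type |
    Format-Table -AutoSize

# 2. Record settings and records before deleting anything
$zone  = Get-DnsServerZone -Name $BadZone
$aging = Get-DnsServerZoneAging -Name $BadZone
$saved = [pscustomobject]@{
    ReplicationScope  = $zone.ReplicationScope
    DynamicUpdate     = $zone.DynamicUpdate        # 'Secure' in the thread
    AgingEnabled      = $aging.AgingEnabled
    NoRefreshInterval = $aging.NoRefreshInterval   # 1 day in the thread
    RefreshInterval   = $aging.RefreshInterval     # 1 day in the thread
}
$saved | Export-Clixml -Path "$env:TEMP\$BadZone.settings.xml"
Export-DnsServerZone -Name $BadZone -FileName "$BadZone.before-delete.dns"   # written to %windir%\System32\dns

# 3. Delete, then wait until every DC has dropped the zone (AD replication removes it on the others)
Remove-DnsServerZone -Name $BadZone -Force
$dcs = (Get-ADDomainController -Filter *).HostName
do {
    Start-Sleep -Seconds 30
    $stillThere = $dcs | Where-Object { Get-DnsServerZone -ComputerName $_ -Name $BadZone -ErrorAction SilentlyContinue }
} while ($stillThere)

# 4. Recreate with the recorded values; a fresh AD-integrated zone gets the default ACL, DnsAdmins included
Add-DnsServerPrimaryZone -NetworkId $BadNetId -ReplicationScope $saved.ReplicationScope -DynamicUpdate $saved.DynamicUpdate
Set-DnsServerZoneAging -Name $BadZone -Aging $saved.AgingEnabled `
    -NoRefreshInterval $saved.NoRefreshInterval -RefreshInterval $saved.RefreshInterval
Get-DnsZoneAce $BadZone | Format-Table -AutoSize

# 5. After the next lease renewals the 9005 events (IDs 20319/20322 in the thread) should stop.
#    'DhcpAdminEvents' is assumed to be the channel behind "DHCP Server Events/Admin";
#    confirm the name with: Get-WinEvent -ListLog *Dhcp*
Get-WinEvent -FilterHashtable @{ LogName = 'DhcpAdminEvents'; Id = 20319, 20322; StartTime = (Get-Date).AddHours(-1) } `
    -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

Run step 1 on its own before touching anything: it tells you which ACE is missing, and the author reports that restoring the DnsAdmins rights on the existing zone also worked. The delete-and-recreate path fixes the ACL only because the new zone object is created with the default descriptor, so the result should look like the healthy zone in the comparison, not broader.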

6 additional answers

  1. Gary Reynolds
    2021-10-18T22:47:42.717+00:00

    Hi @Tonito Dux

    If you have both the DHCP server and the clients updating DNS records, then you could see both attempting to update the record. Normally the first one that creates the DNS record is the owner; the default permissions that are assigned to the zone will not allow the ownership to be taken by another client.

    The order of the DNS servers in the DHCP scope option shouldn't make much difference, as the issue is likely to be which process registers the DNS record first.

    If you turn on the DHCP auditing/logging, you should be able to see more details on the reason for failure. Also, if you enable DNS logging you might be able to see more details on why the DNS updates are failing.

    [image: 141534-dns-debug.png]

    Gary.

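The two logs Gary suggests, switched on from PowerShell and then searched for the dynamic-update packets, as an added example that is not part of the original thread. The DNS debug log records each packet with an opcode column (Q query, N notify, U update) and the RCODE in brackets, which is the layout of the lines pasted later in the thread; the parser below pulls out only the U lines so the refused update and the peer that sent it are visible. The log path, the function names and the sample log lines are assumptions; the sample is constructed to mirror the thread's format and is not real server output.

```powershell
# Added example, not from the thread. Run elevated on the DNS/DHCP server.
$DebugLog = 'C:\DnsDebug\dns.log'   # assumed path; any path the DNS service can write works

function Enable-DnsUpdateLogging {
    # DHCP audit log: DhcpSrvLog-<Day>.log under the DHCP database directory
    Set-DhcpServerAuditLog -Enable $true
    # DNS debug log: queries/answers (the SOA lookups that precede an update)
    # plus the updates themselves, both directions, UDP and TCP
    New-Item -ItemType Directory -Path (Split-Path $DebugLog) -Force | Out-Null
    Set-DnsServerDiagnostics -Queries $true -Answers $true -Update $true `
        -Send $true -Receive $true -UdpPackets $true -TcpPackets $true `
        -EnableLoggingToFile $true -LogFilePath $DebugLog
}

function Get-DnsUpdateAttempt {
    # Parses debug-log packet lines. Column layout, as in the thread:
    #   <date> <time> <thread> PACKET <ptr> <UDP|TCP> <Snd|Rcv> <peer> <xid> [R] <opcode> [<flags> <rcode>] <qtype> <name>
    # Only dynamic-update packets (opcode U) are returned, one object per line.
    param([Parameter(Mandatory)][string[]]$Line)
    $pattern = '^(?<ts>\S+\s+\S+)\s+\S+\s+PACKET\s+\S+\s+(?<proto>UDP|TCP)\s+(?<dir>Snd|Rcv)\s+' +
               '(?<peer>\S+)\s+(?<xid>\S+)\s+(?<resp>R\s+)?(?<op>[QNU])\s+' +
               '\[(?<flags>[^\]]*?)\s*(?<rcode>[A-Z]+)\]\s+(?<qtype>\S+)\s+(?<name>.*)$'
    foreach ($l in $Line) {
        if ($l -notmatch $pattern) { continue }
        if ($Matches['op'] -ne 'U') { continue }
        [pscustomobject]@{
            Time      = $Matches['ts']
            Direction = $Matches['dir']            # Rcv = update request, Snd = server's answer
            Peer      = $Matches['peer']
            Response  = [bool]$Matches['resp']
            Rcode     = $Matches['rcode']          # REFUSED here is what DHCP reports as error 9005
            # (9)domain(5)local(0) -> domain.local ; for an update this is the zone being updated
            Name      = ($Matches['name'] -replace '^\(\d+\)', '' -replace '\(\d+\)', '.').TrimEnd('.')
        }
    }
}

# Constructed sample (not real output): the SOA query/answer pattern seen in the
# thread, followed by an update request that the server refused.
$sample = @'
19.10.2021 13:49:09 0074 PACKET 000002BDF4A9E5A0 UDP Rcv 192.168.0.100 5bcd   Q [0001   D   NOERROR] SOA    (11)Machine 01(9)domain(5)local(0)
19.10.2021 13:49:09 0074 PACKET 000002BDF4A9E5A0 UDP Snd 192.168.0.100 5bcd R Q [8085 A DR  NOERROR] SOA    (11)Machine 01(9)domain(5)local(0)
19.10.2021 13:49:10 0074 PACKET 000002BDF4A9E5B0 UDP Rcv 192.168.0.100 5bce   U [2800       NOERROR] SOA    (9)domain(5)local(0)
19.10.2021 13:49:10 0074 PACKET 000002BDF4A9E5B0 UDP Snd 192.168.0.100 5bce R U [2800       REFUSED] SOA    (9)domain(5)local(0)
'@ -split "`r?`n"

Get-DnsUpdateAttempt -Line $sample | Format-Table -AutoSize

# On the real server: enable logging, trigger a lease renewal (ipconfig /renew on a
# client, or Restart-Service DHCPServer), then look for refused updates:
#   Enable-DnsUpdateLogging
#   Get-DnsUpdateAttempt -Line (Get-Content $DebugLog) | Where-Object Rcode -eq 'REFUSED'
```

If the real log contains Q lines for a host but no U lines at all, the update was not sent to this server, which is the reading Gary gives of the lines pasted later in the thread; in that case repeat the capture on the DNS server the DHCP server is actually configured to register with.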

  2. Tonito Dux
    2021-10-18T13:34:33.143+00:00

    The entries that are being stamped with the computer account all come from another office location; would this mean that the 006 option in DHCP has incorrect settings?

    In first place is the IP of the DC which is not in HQ:

    [image: 141298-006.jpg]

    Should the main DC server always be in first place when looking from remote offices?

    Cheers


  3. Tonito Dux
    2021-10-19T12:15:50.513+00:00

    Hi Gary,

    you are really holding down the fort on the forum; I appreciate the answers.

    I took two machines from the debugging log as an example.

    Machine 1:

    19.10.2021 13:49:09 0074 PACKET 000002BDF4A9E5A0 UDP Rcv 192.168.0.100 5bcd Q [0001 D NOERROR] SOA (11)Machine 01(9)domain(5)local(0)
    19.10.2021 13:49:09 0074 PACKET 000002BDF4A9E5A0 UDP Snd 192.168.0.100 5bcd R Q [8085 A DR NOERROR] SOA (11)Machine 01(9)domain(5)local(0)
    19.10.2021 13:49:23 0074 PACKET 000002BDF2F5AD80 UDP Rcv 192.168.0.124 50d6 Q [0001 D NOERROR] A (11)Machine 01(9)domain(5)local(0)
    19.10.2021 13:49:23 0074 PACKET 000002BDF2F5AD80 UDP Snd 192.168.0.124 50d6 R Q [8085 A DR NOERROR] A (11)Machine 01(9)domain(5)local(0)
    19.10.2021 13:50:20 0574 PACKET 000002BDF1C70180 UDP Rcv 192.168.0.100 1c0b Q [0001 D NOERROR] SOA (11)Machine 01(9)domain(5)local(0)
    19.10.2021 13:50:20 0574 PACKET 000002BDF1C70180 UDP Snd 192.168.0.100 1c0b R Q [8085 A DR NOERROR] SOA (11)Machine 01(9)domain(5)local(0)

    Machine 2:

    19.10.2021 13:49:59 0074 PACKET 000002BDE550A960 UDP Rcv 192.168.0.100 6711 Q [0001 D NOERROR] SOA (11)Machine 02(9)domain(5)local(0)
    19.10.2021 13:49:59 0074 PACKET 000002BDE550A960 UDP Snd 192.168.0.100 6711 R Q [8085 A DR NOERROR] SOA (11)Machine 02(9)domain(5)local(0)
    19.10.2021 13:50:28 20BC PACKET 000002BDE7520D10 UDP Rcv 192.168.0.100 6a1b Q [0001 D NOERROR] SOA (11)Machine 02(9)domain(5)local(0)
    19.10.2021 13:50:28 20BC PACKET 000002BDE7520D10 UDP Snd 192.168.0.100 6a1b R Q [8085 A DR NOERROR] SOA (11)Machine 02(9)domain(5)local(0)

    For this and other machines I am getting the 20319 and 20322 Event IDs - I don't know what to do anymore.
    192.168.0.100 - main DC
    192.168.0.124 - management server where Veeam Backup is installed.

    Cheers


  4. Gary Reynolds
    2021-10-19T20:37:32.32+00:00

    Hi @Tonito Dux

    The logs don't contain the actual DNS update request, they might have been sent to a different DNS server.

    Have a read of this post, as it contains the details and a step-by-step guide on how to set up DHCP updates for your scenario; at least this should get you to a known good configuration.

    https://blogs.msmvps.com/acefekay/2016/08/13/dynamic-dns-updates-how-to-get-it-to-work-with-dhcp-scavenging-static-entries-their-timestamps-the-dnsupdateproxy-group-and-dhcp-name-protection/

    Gary.
