Hi, I am battling an issue with DNS dynamic updates and DHCP server for some time. My company has 4 DCs, all are also DHCP servers. Two DC in our main HQ have a failover configured. The errors in DHCP-Server event log that we are receiving are: Forward record registration for IPv4 address [[192.168.0.69]] and FQDN machinename.domain.local failed with error 9005 (DNS operation refused.). PTR record registration for IPv4 address [[192.168.0.69]] and FQDN machinename.domain.local failed with error 9005 (DNS operation refused.). I managed to change the following: I added the dns dynamic update credentials in IPV4 part of the DHCP console, i checked the password multiple times to make sure everything is ok. Ran the BPA on DHCP where it showed me that dhcp did not have the registry permissions, added full access for computer. 006 Option is set to our two main DCs, first is our first DC and he is the main man. Scope options: DNS Settings: Dynamics updates are set to secure only Scavenging 1 day. Non-refresh and refresh 1 day. Reverse zones are setup: After all this I am seeing that Host A entries after I deleted them manually today are being stamped by the service account, but some are still being stamped by their own computer account. Why is this happening? Cheers

Hi, I would like to confirm that the steps I have taken in this case have worked, at least in my case. After being unable to find a suitable solution on various forums and sites, I've spend 3 days troubleshooting only to accidentally find the solution. Error: Forward record registration for IPv4 address [[192.168.0.69]] and FQDN machinename.domain.local failed with error 9005 (DNS operation refused.). PTR record registration for IPv4 address [[192.168. 0 .69]] and FQDN machinename.domain.local failed with error 9005 (DNS operation refused.). Solution: In DNS Manager, got to properties of the zone you are going to delete, note all settings for the zone, delete the zone in Reverse Lookup Zones which shows errors: Depending on the size of your infrastructure/how many DCs you have, let this change propagate to all DCs. Recreate the deleted zone with the values you noted before deletion. Check event viewer log under Application and services->Microsoft->Windows->DHCP-Server->Microsoft-Windows-DHCP Server Events/Admin There should be no more errors. If you want to know more: Upon further investigation, I simply compared the "security" Tab of the zone which didn't had any problems with the problematic one, and the difference was that the problematic zone did not have "DnsAdmins" Group. In my DnsAdmins Group there is currently only a service account which is used for dns dynamic updates ( https://www.serverbrain.org/network-infrastructure-2003/using-dns-dynamic-update-credentials.html ). At first, I tried to solve the problem without deleting a zone, and this also worked (not 100% sure). I added ALL the rights and "subrights" to the "DnsAdmins" group: So everything must be enabled except "full control". Cheers

Hi, I think I have this solved after 3 days of troubleshooting. I recreated the reverse zones for the IP addresses that were having issues and it worked like a charm. However I am still testing it. I will write a final review once am I sure that works. Cheers

Dynamic DNS Error 9005 and event id 20032 & 200319

Accepted answer

Tonito Dux 956 Reputation points

2021-10-22T07:59:40.003+00:00
Hi,

I would like to confirm that the steps I have taken in this case have worked, at least in my case. After being unable to find a suitable solution on various forums and sites, I've spend 3 days troubleshooting only to accidentally find the solution.

Error:

Forward record registration for IPv4 address [[192.168.0.69]] and FQDN machinename.domain.local failed with error 9005 (DNS operation refused.).

PTR record registration for IPv4 address [[192.168.0.69]] and FQDN machinename.domain.local failed with error 9005 (DNS operation refused.).

Solution:

In DNS Manager, got to properties of the zone you are going to delete, note all settings for the zone, delete the zone in Reverse Lookup Zones which shows errors:

Depending on the size of your infrastructure/how many DCs you have, let this change propagate to all DCs.

Recreate the deleted zone with the values you noted before deletion.

Check event viewer log under Application and services->Microsoft->Windows->DHCP-Server->Microsoft-Windows-DHCP Server Events/Admin There should be no more errors.

If you want to know more:

Upon further investigation, I simply compared the "security" Tab of the zone which didn't had any problems with the problematic one, and the difference was that the problematic zone did not have "DnsAdmins" Group. In my DnsAdmins Group there is currently only a service account which is used for dns dynamic updates (https://www.serverbrain.org/network-infrastructure-2003/using-dns-dynamic-update-credentials.html). At first, I tried to solve the problem without deleting a zone, and this also worked (not 100% sure). I added ALL the rights and "subrights" to the "DnsAdmins" group:

So everything must be enabled except "full control".

Cheers
Please sign in to rate this answer.
Gary Reynolds 9,391 Reputation points

2021-10-22T08:36:00.707+00:00

Hi tonitodux

While this approach has fixed the problem, you have also broken the principal of least privileges, by giving the service account close to the equivalent of domain admins rights to your DNS infrastructure.

You should try and limit the permissions of the service account to only the update the dnsnode objects, so the account can only update the DNS records without the rights to change other components and configuration of the DNS infrstracture.

Gary.

Tonito Dux 956 Reputation points

2021-10-22T08:56:58.617+00:00

Hi Gary,

you make an excellent point, but this is what Windows Server OS set when I re-created the zone. I only copied there entries to the problematic zone.

How do I make this changes that you are suggesting? Don't know where to start.

Cheers

Gary Reynolds 9,391 Reputation points

2021-10-22T11:00:52.007+00:00

Hi,

The permissions are ok for the DnsAdmins, the issue is adding the DHCP service account to the DnsAdmins group.

To reduce the level of access for the service account I would create a new delegation group and add the DHCP service account, then ideally I would set the permissions for this group on the all the zones to be, descendant dnsnode objects, with create all child objects and modify owner. However, the permissions dialog doesn't include the dnsnode object in the list of applies to. So next best option would be All descendant objects with create all child objects and modify owner.

This should be enough however, depending on the order in which the DNS server updates the dns record you might also need write to the dnsrecord attribute as well. You could confirm which attributes are changed by the DNS server by looking at the meta data of a record that has been updated, the all the attributes that were changed will have the same update time. Depending on scope of the zone, the zone could be stored under the cn=system in the default domain context or one of the dns application partitions. Have a look at this article on how to browser to the record and see the meta data.

Gary.
Sign in to comment

Dynamic DNS Error 9005 and event id 20032 & 200319

6 additional answers