tonitodux asked (GaryReynolds commented):

Dynamic DNS error 9005 and event IDs 20032 & 20319

Hi,

I have been battling an issue with DNS dynamic updates and the DHCP server for some time. My company has 4 DCs, all of which are also DHCP servers. The two DCs in our main HQ have failover configured.

The errors in DHCP-Server event log that we are receiving are:
1. Forward record registration for IPv4 address [[192.168.0.69]] and FQDN machinename.domain.local failed with error 9005 (DNS operation refused.).
2. PTR record registration for IPv4 address [[192.168.0.69]] and FQDN machinename.domain.local failed with error 9005 (DNS operation refused.).

I have changed the following so far:
1. I added the DNS dynamic update credentials in the IPv4 part of the DHCP console; I checked the password multiple times to make sure everything is OK.
2. Ran the BPA on DHCP, where it showed me that DHCP did not have the registry permissions; added full access for the computer.
3. Option 006 is set to our two main DCs; the first one is our first DC and it is the main one.
4. Scope options:

[image: scope-options.jpg]

DNS Settings:
1. Dynamic updates are set to secure only.
2. Scavenging 1 day. Non-refresh and refresh intervals 1 day.
3. Reverse zones are set up:

[image: dns-reverse.jpg]

After all this, I am seeing that the Host A entries I deleted manually today are being stamped by the service account when they come back, but some are still being stamped by their own computer account. Why is this happening?



Cheers

tonitodux answered (GaryReynolds commented):

Hi,

I would like to confirm that the steps I have taken in this case have worked, at least in my case. After being unable to find a suitable solution on various forums and sites, I spent 3 days troubleshooting, only to find the solution by accident.

Error:
1. Forward record registration for IPv4 address [[192.168.0.69]] and FQDN machinename.domain.local failed with error 9005 (DNS operation refused.).
2. PTR record registration for IPv4 address [[192.168.0.69]] and FQDN machinename.domain.local failed with error 9005 (DNS operation refused.).

Solution:
1. In DNS Manager, go to the properties of the zone you are going to delete and note all settings for the zone, then delete the zone under Reverse Lookup Zones that shows the errors:

[image: reverse-lookup-zone.jpg]


2. Depending on the size of your infrastructure / how many DCs you have, let this change propagate to all DCs.
3. Recreate the deleted zone with the values you noted before deletion.
4. Check the event viewer log under Applications and Services -> Microsoft -> Windows -> DHCP-Server -> Microsoft-Windows-DHCP Server Events/Admin.

There should be no more errors.

If you want to know more:

Upon further investigation, I simply compared the "Security" tab of a zone which didn't have any problems with the problematic one, and the difference was that the problematic zone did not have the "DnsAdmins" group. In my DnsAdmins group there is currently only a service account which is used for DNS dynamic updates (https://www.serverbrain.org/network-infrastructure-2003/using-dns-dynamic-update-credentials.html). At first I tried to solve the problem without deleting a zone, and this also worked (not 100% sure). I added ALL the rights and "sub-rights" to the "DnsAdmins" group:

[image: security-rights.jpg]

So everything must be enabled except "full control".

Cheers


Hi tonitodux

While this approach has fixed the problem, you have also broken the principle of least privilege, by giving the service account close to the equivalent of Domain Admins rights to your DNS infrastructure.

You should try to limit the permissions of the service account to only updating the dnsNode objects, so the account can only update the DNS records without the rights to change other components and configuration of the DNS infrastructure.

Gary.


Hi Gary,

You make an excellent point, but this is what the Windows Server OS set when I re-created the zone. I only copied these entries to the problematic zone.

How do I make the changes that you are suggesting? I don't know where to start.

Cheers


Hi,

The permissions are ok for the DnsAdmins, the issue is adding the DHCP service account to the DnsAdmins group.

To reduce the level of access for the service account, I would create a new delegation group and add the DHCP service account to it. Then, ideally, I would set the permissions for this group on all the zones to be: descendant dnsNode objects, with "create all child objects" and "modify owner". However, the permissions dialog doesn't include the dnsNode object in the "applies to" list, so the next best option would be "all descendant objects" with "create all child objects" and "modify owner".

This should be enough; however, depending on the order in which the DNS server updates the DNS record, you might also need write access to the dnsRecord attribute as well. You could confirm which attributes are changed by the DNS server by looking at the metadata of a record that has been updated: all the attributes that were changed will have the same update time. Depending on the scope of the zone, the zone could be stored under CN=System in the default domain context or in one of the DNS application partitions. Have a look at this article on how to browse to the record and see the metadata.

Gary.

tonitodux answered:
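As an added example (not code from the thread), the delegation Gary describes can be applied with PowerShell, which is not limited by the GUI's "applies to" list: the ACE is written to the zone object with dnsNode as the inherited object type. The group name `DNS-DynamicUpdate` and the account `svc-dhcpdns` are assumptions, and only the DomainDnsZones partition is searched besides CN=System.

```powershell
# Added example: delegate dynamic-update rights on every AD-integrated zone to a
# dedicated group scoped to descendant dnsNode objects (not the DnsAdmins group).
Import-Module ActiveDirectory
$GroupName   = 'DNS-DynamicUpdate'   # assumed delegation group
$ServiceAcct = 'svc-dhcpdns'         # assumed DHCP dynamic-update credential account
$Domain      = Get-ADDomain
$RootDse     = Get-ADRootDSE

# Look the schema GUIDs up at run time rather than hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $RootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$dnsNodeGuid   = Get-SchemaGuid 'dnsNode'
$dnsRecordGuid = Get-SchemaGuid 'dnsRecord'

if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $GroupName -Members $ServiceAcct
$Sid = (Get-ADGroup -Identity $GroupName).SID

# AD-integrated zones live under CN=System or in a DNS application partition
# (add DC=ForestDnsZones,... here if your zones are forest-scoped).
$Zones = @("CN=MicrosoftDNS,CN=System,$($Domain.DistinguishedName)",
           "CN=MicrosoftDNS,DC=DomainDnsZones,$($Domain.DistinguishedName)") |
    ForEach-Object {
        Get-ADObject -SearchBase $_ -SearchScope OneLevel -LDAPFilter '(objectClass=dnsZone)' `
            -ErrorAction SilentlyContinue
    }

foreach ($Zone in $Zones) {
    $Path = "AD:\$($Zone.DistinguishedName)"
    $Acl  = Get-Acl -Path $Path
    # "Create all child objects" + "modify owner", inherited only by dnsNode descendants,
    # and the child class that may be created is itself restricted to dnsNode.
    $Acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid, 'CreateChild, WriteOwner', 'Allow', $dnsNodeGuid, 'Descendents', $dnsNodeGuid))
    # Write only the dnsRecord attribute of existing nodes (record refreshes). Check the
    # replication metadata of an updated record if the server touches more attributes.
    $Acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid, 'WriteProperty', 'Allow', $dnsRecordGuid, 'Descendents', $dnsNodeGuid))
    Set-Acl -Path $Path -AclObject $Acl
}
```

Run it once as a DNS/domain administrator; afterwards the DHCP dynamic-update credential account should be removed from DnsAdmins so that the delegated ACEs are the only rights it holds on the zones.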

The entries that are being stamped with the computer account all come from another office location. Would this mean that option 006 in DHCP has incorrect settings?

First in the list is the IP of the DC which is not in HQ:

[image: 006.jpg]




Should the main DC server always be first in the list when looking from remote offices?

Cheers

GaryReynolds answered:

Hi @tonitodux

If you have both the DHCP server and the clients updating DNS records, then you could see both attempting to update the record. Normally the first one that creates the DNS record is the owner, and the default permissions that are assigned to the zone will not allow the ownership to be taken by another client.

The order of the DNS servers in the DHCP scope option shouldn't make much difference, as the issue is likely to be which process registers the DNS record first.

If you turn on the DHCP auditing/logging, you should be able to see more details on the reason for the failure. Also, if you enable DNS logging you might be able to see more details on why the DNS updates are failing.

[image: dns-debug.png]

Gary.

tonitodux answered:

Hi Gary,

You are really holding down the fort on the forum, I appreciate the answers.

I took two machines from the debug log as an example.

Machine 1:

19.10.2021 13:49:09 0074 PACKET 000002BDF4A9E5A0 UDP Rcv 192.168.0.100 5bcd Q [0001 D NOERROR] SOA (11)Machine 01(9)domain(5)local(0)
19.10.2021 13:49:09 0074 PACKET 000002BDF4A9E5A0 UDP Snd 192.168.0.100 5bcd R Q [8085 A DR NOERROR] SOA (11)Machine 01(9)domain(5)local(0)
19.10.2021 13:49:23 0074 PACKET 000002BDF2F5AD80 UDP Rcv 192.168.0.124 50d6 Q [0001 D NOERROR] A (11)Machine 01(9)domain(5)local(0)
19.10.2021 13:49:23 0074 PACKET 000002BDF2F5AD80 UDP Snd 192.168.0.124 50d6 R Q [8085 A DR NOERROR] A (11)Machine 01(9)domain(5)local(0)
19.10.2021 13:50:20 0574 PACKET 000002BDF1C70180 UDP Rcv 192.168.0.100 1c0b Q [0001 D NOERROR] SOA (11)Machine 01(9)domain(5)local(0)
19.10.2021 13:50:20 0574 PACKET 000002BDF1C70180 UDP Snd 192.168.0.100 1c0b R Q [8085 A DR NOERROR] SOA (11)Machine 01(9)domain(5)local(0)

Machine 2:

19.10.2021 13:49:59 0074 PACKET 000002BDE550A960 UDP Rcv 192.168.0.100 6711 Q [0001 D NOERROR] SOA (11)Machine 02(9)domain(5)local(0)
19.10.2021 13:49:59 0074 PACKET 000002BDE550A960 UDP Snd 192.168.0.100 6711 R Q [8085 A DR NOERROR] SOA (11)Machine 02(9)domain(5)local(0)
19.10.2021 13:50:28 20BC PACKET 000002BDE7520D10 UDP Rcv 192.168.0.100 6a1b Q [0001 D NOERROR] SOA (11)Machine 02(9)domain(5)local(0)
19.10.2021 13:50:28 20BC PACKET 000002BDE7520D10 UDP Snd 192.168.0.100 6a1b R Q [8085 A DR NOERROR] SOA (11)Machine 02(9)domain(5)local(0)


For this and other machines I am getting the 20319 and 20322 event IDs. I don't know what to do anymore.
192.168.0.100 - main DC
192.168.0.124 - management server where Veeam Backup is installed

Cheers

GaryReynolds answered:

Hi @tonitodux

The logs don't contain the actual DNS update request, they might have been sent to a different DNS server.

Have a read of this post, as it contains the details and a step-by-step guide on how to set up DHCP updates for your scenario; at least this should get you to a known good configuration.

https://blogs.msmvps.com/acefekay/2016/08/13/dynamic-dns-updates-how-to-get-it-to-work-with-dhcp-scavenging-static-entries-their-timestamps-the-dnsupdateproxy-group-and-dhcp-name-protection/

Gary.

tonitodux answered:
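As an added example (not code from the thread), here is a small parser for the DNS debug-log PACKET lines posted above that shows in one pass whether the log holds any dynamic UPDATE requests at all, which is the point Gary makes. It assumes the debug-log layout seen above, with the opcode column being Q/N/U (query/notify/update) and the RCODE being the last token inside the brackets; the last two sample lines are constructed, not observed, to show what a refused update would look like.

```powershell
# Added example: classify Windows DNS debug-log packets by opcode and RCODE.
# Lines 1-3 are from the post above; lines 4-5 are CONSTRUCTED (flags word illustrative).
$Sample = @'
19.10.2021 13:49:09 0074 PACKET 000002BDF4A9E5A0 UDP Rcv 192.168.0.100 5bcd Q [0001 D NOERROR] SOA (11)Machine 01(9)domain(5)local(0)
19.10.2021 13:49:09 0074 PACKET 000002BDF4A9E5A0 UDP Snd 192.168.0.100 5bcd R Q [8085 A DR NOERROR] SOA (11)Machine 01(9)domain(5)local(0)
19.10.2021 13:49:23 0074 PACKET 000002BDF2F5AD80 UDP Rcv 192.168.0.124 50d6 Q [0001 D NOERROR] A (11)Machine 01(9)domain(5)local(0)
19.10.2021 13:51:02 0074 PACKET 000002BDF4A9E600 UDP Rcv 192.168.0.100 7e21 U [0028 NOERROR] SOA (6)domain(5)local(0)
19.10.2021 13:51:02 0074 PACKET 000002BDF4A9E600 UDP Snd 192.168.0.100 7e21 R U [8028 REFUSED] SOA (6)domain(5)local(0)
'@

# Fields: date time thread PACKET ptr proto direction peer xid [R] opcode [flags rcode] type name
$LineRx = '^(?<date>\S+)\s+(?<time>\S+)\s+(?<thread>\S+)\s+PACKET\s+\S+\s+(?<proto>UDP|TCP)\s+(?<dir>Rcv|Snd)\s+' +
          '(?<peer>\S+)\s+(?<xid>\S+)\s+(?<resp>R\s+)?(?<op>[QNU?])\s+\[(?<flags>[^\]]*)\]\s+(?<type>\S+)\s+(?<name>.*)$'
$OpcodeName = @{ Q = 'Query'; N = 'Notify'; U = 'Update'; '?' = 'Unknown' }

function ConvertFrom-DnsDebugLog([string[]]$Lines) {
    foreach ($Line in $Lines) {
        $m = [regex]::Match($Line, $LineRx)
        if (-not $m.Success) { continue }            # skip headers, blanks and non-PACKET lines
        $Flags = $m.Groups['flags'].Value.Trim() -split '\s+'
        [pscustomobject]@{
            Time     = '{0} {1}' -f $m.Groups['date'].Value, $m.Groups['time'].Value
            Dir      = $m.Groups['dir'].Value
            Peer     = $m.Groups['peer'].Value
            Xid      = $m.Groups['xid'].Value
            Response = $m.Groups['resp'].Success
            Opcode   = $OpcodeName[$m.Groups['op'].Value]
            Rcode    = $Flags[-1]                     # RCODE is the last token inside the brackets
            Type     = $m.Groups['type'].Value
            # "(11)Machine 01(9)domain(5)local(0)" -> "Machine 01.domain.local"
            Name     = $m.Groups['name'].Value -replace '\(0\)$', '' -replace '^\(\d+\)', '' -replace '\(\d+\)', '.'
        }
    }
}

$Packets = ConvertFrom-DnsDebugLog ($Sample -split "`r?`n")
$Updates = @($Packets | Where-Object { $_.Opcode -eq 'Update' })
if ($Updates.Count -eq 0) {
    'No UPDATE packets in this log: the registration attempts were sent to another DNS server.'
} else {
    $Refused = @($Updates | Where-Object { $_.Response -and $_.Rcode -ne 'NOERROR' })
    "UPDATE requests: $(@($Updates | Where-Object { -not $_.Response }).Count), failed responses: $($Refused.Count)"
    $Refused | Format-Table Time, Peer, Xid, Rcode, Name -AutoSize
}
```

Pointing `$Sample` at `Get-Content` of the real debug log (one file per DNS server) shows which server actually received the DHCP server's update attempts and with which RCODE they were answered; a log that contains only Q opcodes, like the excerpt in the post, never saw them.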

Hi,

I think I have this solved after 3 days of troubleshooting. I recreated the reverse zones for the IP addresses that were having issues and it worked like a charm. However, I am still testing it. I will write a final review once I am sure that it works.

Cheers