Had 4DC: 2win2k3 and 2win2k. Both Win2k had DNS installed and running AD
integrated. I dcpromo down one of the Win2k boxes and disabled DNS. Changed
all the DHCP server to pass only the one DNS server IP that is left. Now
When I try to add a workstation or move it to a new subnet, The old DNS
record is not updated with the new IP address. and my event log is full of
the messages below.
I am not getting any errors when I run Netdiag (DNS test) or DCdiag. Both
Pass. DNS event log does not show any errors, nor does the app or system
event log. Just the security log.....

Help - What did I do wrong?
Help - How can I fix my dns server?


I am getting the following event message on my server:
Event Type: Failure Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 565
Date: 5/5/2006
Time: 12:40:47 PM
User: AVON\HS_SVR1$
Computer: MS-SVR
Description:
Object Open:
Object Server: DS
Object Type: dnsNode
Object
Name: DC=66,DC=10.5.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=avon,DC=local
New Handle ID: -
Operation ID: {0,757195213}
Process ID: 372
Primary User Name: MS-SVR$
Primary Domain: AVON
Primary Logon ID: (0x0,0x3E7)
Client User Name: HS_SVR1$
Client Domain: AVON
Client Logon ID: (0x0,0x2D21E1BF)
Accesses Write Self

Privileges -

Properties:
Write Property
%{00000000-0000-0000-0000-000000000000}
---
dnsRecord
ACCESS_SYS_SEC
dNSTombstoned

Robert-Avon-Schools wrote:
> Had 4DC: 2win2k3 and 2win2k. Both Win2k had DNS installed and running
> AD integrated. I dcpromo down one of the Win2k boxes and disabled
> DNS. Changed all the DHCP server to pass only the one DNS server IP
> that is left. Now When I try to add a workstation or move it to a
> new subnet, The old DNS record is not updated with the new IP
> address. and my event log is full of the messages below.
> I am not getting any errors when I run Netdiag (DNS test) or DCdiag.
> Both Pass. DNS event log does not show any errors, nor does the app
> or system event log. Just the security log.....
>
> Help - What did I do wrong?
> Help - How can I fix my dns server?
>
>
> I am getting the following event message on my server:
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Directory Service Access
> Event ID: 565
> Date: 5/5/2006
> Time: 12:40:47 PM
> User: AVON\HS_SVR1$
> Computer: MS-SVR
> Description:
> Object Open:
> Object Server: DS
> Object Type: dnsNode
> Object
> Name:

> DC=66,DC=10.5.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=avon,DC=local
> New Handle ID: - Operation ID: {0,757195213} Process ID: 372 Primary
> User Name: MS-SVR$ Primary Domain: AVON Primary Logon ID: (0x0,0x3E7)
> Client User Name: HS_SVR1$ Client Domain: AVON Client Logon ID:
> (0x0,0x2D21E1BF) Accesses Write Self

Is it just the reverse zone that is not getting updated? (That's the error
in this event)
A PTR created and registered by one machine cannot update a PTR register by
anotehr machine.

My suggestion, use DHCP on Win2k3 to register for all clients, assign a
dedicated user account with a non-expiring password in the Win2k3 DHCP to
authenticate with DNS. Set DHCP to Always update DNS, then clear the check
box "register this connections addresses in DNS"
DHCP will then register for all clients using the same user account, making
it possible for DHCP to update the PTR and A records.

Incidentally, DHCP uses the DNS servers in its TCP/IP properties to register
clients, so make sure the DNS server's in its TCP/IP properties are correct.


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

Kevin,
I should have mentioned that each of these server is in it's own subnet,
providing DHCP services for thier respective subnet. To answer your
question, the forward zone and the reverse zones are not being updated. on my
HS_SVR1 box (Win2k and previous DC that was demoted), there is no security
option. I have added it to the authorized dhcp list. any other suggestions?

"Kevin D. Goodknecht Sr. [MVP]" wrote:

> Robert-Avon-Schools wrote:
> > Had 4DC: 2win2k3 and 2win2k. Both Win2k had DNS installed and running
> > AD integrated. I dcpromo down one of the Win2k boxes and disabled
> > DNS. Changed all the DHCP server to pass only the one DNS server IP
> > that is left. Now When I try to add a workstation or move it to a
> > new subnet, The old DNS record is not updated with the new IP
> > address. and my event log is full of the messages below.
> > I am not getting any errors when I run Netdiag (DNS test) or DCdiag.
> > Both Pass. DNS event log does not show any errors, nor does the app
> > or system event log. Just the security log.....
> >
> > Help - What did I do wrong?
> > Help - How can I fix my dns server?
> >
> >
> > I am getting the following event message on my server:
> > Event Type: Failure Audit
> > Event Source: Security
> > Event Category: Directory Service Access
> > Event ID: 565
> > Date: 5/5/2006
> > Time: 12:40:47 PM
> > User: AVON\HS_SVR1$
> > Computer: MS-SVR
> > Description:
> > Object Open:
> > Object Server: DS
> > Object Type: dnsNode
> > Object
> > Name:
>
> > DC=66,DC=10.5.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=avon,DC=local
> > New Handle ID: - Operation ID: {0,757195213} Process ID: 372 Primary
> > User Name: MS-SVR$ Primary Domain: AVON Primary Logon ID: (0x0,0x3E7)
> > Client User Name: HS_SVR1$ Client Domain: AVON Client Logon ID:
> > (0x0,0x2D21E1BF) Accesses Write Self
>
> Is it just the reverse zone that is not getting updated? (That's the error
> in this event)
> A PTR created and registered by one machine cannot update a PTR register by
> anotehr machine.
>
> My suggestion, use DHCP on Win2k3 to register for all clients, assign a
> dedicated user account with a non-expiring password in the Win2k3 DHCP to
> authenticate with DNS. Set DHCP to Always update DNS, then clear the check
> box "register this connections addresses in DNS"
> DHCP will then register for all clients using the same user account, making
> it possible for DHCP to update the PTR and A records.
>
> Incidentally, DHCP uses the DNS servers in its TCP/IP properties to register
> clients, so make sure the DNS server's in its TCP/IP properties are correct.
>
>
> --
> Best regards,
> Kevin D. Goodknecht Sr. [MVP]
> Hope This Helps
> ===================================
> When responding to posts, please "Reply to Group"
> via your newsreader so that others may learn and
> benefit from your issue, to respond directly to
> me remove the nospam. from my email address.
> ===================================
> http://www.lonestaramerica.com/
> http://support.wftx.us/
> https://secure.lsaol.com/
> ===================================
> Use Outlook Express?... Get OE_Quotefix:
> It will strip signature out and more
> http://home.in.tum.de/~jain/software/oe-quotefix/
> ===================================
> Keep a back up of your OE settings and folders
> with OEBackup:
> http://www.oehelp.com/OEBackup/Default.aspx
> ===================================
>
>
>

Robert-Avon-Schools wrote:
> Kevin,
> I should have mentioned that each of these server is in it's own
> subnet, providing DHCP services for thier respective subnet. To
> answer your question, the forward zone and the reverse zones are not
> being updated. on my HS_SVR1 box (Win2k and previous DC that was
> demoted), there is no security option. I have added it to the
> authorized dhcp list. any other suggestions?

Could you clear up some confusion for me?
Is HS_SVR1 a DNS server?
If it is a demoted DC, it cannot have AD integrated zones and therefore no
security tab and no security on its zones. If it has the zone, is it a
secondary zone?
If it is a secondary zone it can only send updates to the master using the
MNAME record and it does not have permission to make the update.
If it is a DHCP server, even if it is Authorized as a DHCP server. DHCP
Authorization only authorizes it to assign addresses in the domain, and does
not give it permission to update DNS.

This is why Win2k3 added the feature for DHCP to authenticate its
permissions to update DNS. Win2k used the DNSUpdateProxy group for this.

I would still recommend DHCP be moved to Win2k3 so it can be configured to
authenticate with DNS.


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

Kevin,
It was a DC with DNS, when I demoted it to a member server, I stopped the
DNS server service and changed DNS server settings on all my dhcp servers to
only point to the one dns server I have left running which is (MS-SVR - a
win2k (dc) it is ad integrated). I hope this helps. I noticed something
interesting. I setup a pc on the same subnet with the DNS server. I get an ip
address with all the right settings. when I do a nslookup -da ipaddress of
pc, I got a list of three reverse entries, only one of which was the correct
pc name. if I do a nslookup -da pcname of pc, I get an IP address of some
other pc. I guess I am really confused as to how removing one dns server (I
had two, now have 1) would make it so my dhcp servers stop updating dns
correctly.

Really beginning to worry, (should I panic yet?)
Robert

"Kevin D. Goodknecht Sr. [MVP]" wrote:

> Robert-Avon-Schools wrote:
> > Kevin,
> > I should have mentioned that each of these server is in it's own
> > subnet, providing DHCP services for thier respective subnet. To
> > answer your question, the forward zone and the reverse zones are not
> > being updated. on my HS_SVR1 box (Win2k and previous DC that was
> > demoted), there is no security option. I have added it to the
> > authorized dhcp list. any other suggestions?
>
> Could you clear up some confusion for me?
> Is HS_SVR1 a DNS server?
> If it is a demoted DC, it cannot have AD integrated zones and therefore no
> security tab and no security on its zones. If it has the zone, is it a
> secondary zone?
> If it is a secondary zone it can only send updates to the master using the
> MNAME record and it does not have permission to make the update.
> If it is a DHCP server, even if it is Authorized as a DHCP server. DHCP
> Authorization only authorizes it to assign addresses in the domain, and does
> not give it permission to update DNS.
>
> This is why Win2k3 added the feature for DHCP to authenticate its
> permissions to update DNS. Win2k used the DNSUpdateProxy group for this.
>
> I would still recommend DHCP be moved to Win2k3 so it can be configured to
> authenticate with DNS.
>
>
> --
> Best regards,
> Kevin D. Goodknecht Sr. [MVP]
> Hope This Helps
> ===================================
> When responding to posts, please "Reply to Group"
> via your newsreader so that others may learn and
> benefit from your issue, to respond directly to
> me remove the nospam. from my email address.
> ===================================
> http://www.lonestaramerica.com/
> http://support.wftx.us/
> https://secure.lsaol.com/
> ===================================
> Use Outlook Express?... Get OE_Quotefix:
> It will strip signature out and more
> http://home.in.tum.de/~jain/software/oe-quotefix/
> ===================================
> Keep a back up of your OE settings and folders
> with OEBackup:
> http://www.oehelp.com/OEBackup/Default.aspx
> ===================================
>
>
>

Robert-Avon-Schools wrote:
> Kevin,
> It was a DC with DNS, when I demoted it to a member server, I stopped
> the
> DNS server service and changed DNS server settings on all my dhcp
> servers to only point to the one dns server I have left running which
> is (MS-SVR - a win2k (dc) it is ad integrated).

This was one of the scenarios I gave.

> I hope this helps.
> I noticed something interesting. I setup a pc on the same subnet with
> the DNS server. I get an ip address with all the right settings. when
> I do a nslookup -da ipaddress of pc, I got a list of three reverse
> entries, only one of which was the correct pc name. if I do a
> nslookup -da pcname of pc, I get an IP address of some other pc. I
> guess I am really confused as to how removing one dns server (I had
> two, now have 1) would make it so my dhcp servers stop updating dns
> correctly.
>
> Really beginning to worry, (should I panic yet?)
> Robert

When DHCP runs on a Win2k DC, it uses the DC's permissions to update DNS,
which is why you shouldn't run DHCP on a Win2k DC.
When you demoted to a member, it no longer had permission to update DNS, you
would have to add DHCP servers on Member server to the DnsUpdateProxy group.
But, I still wouldn't recommend that. Win2k3 DHCP will work much better as a
DHCP server.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

Kevin,
I have added the HS_SVR1 to the dnsupdateproxy group and am now rebooting. I
hope this does it. on a related topic. Can I have one DHCP server that
passes IP addresses for different subnets to specific subnets. for example.
Our network is 10.5.x.x, each building is assigned a range 10.5.1.xx for
example.
so I would need the dhcp server say on 10.5.40.2 to passout ips to 10.5.1.xx
even though it's seperated by two switches. I hope this makes sense, not sure
if I am describing it exactly right.

"Kevin D. Goodknecht Sr. [MVP]" wrote:

> Robert-Avon-Schools wrote:
> > Kevin,
> > It was a DC with DNS, when I demoted it to a member server, I stopped
> > the
> > DNS server service and changed DNS server settings on all my dhcp
> > servers to only point to the one dns server I have left running which
> > is (MS-SVR - a win2k (dc) it is ad integrated).
>
> This was one of the scenarios I gave.
>
> > I hope this helps.
> > I noticed something interesting. I setup a pc on the same subnet with
> > the DNS server. I get an ip address with all the right settings. when
> > I do a nslookup -da ipaddress of pc, I got a list of three reverse
> > entries, only one of which was the correct pc name. if I do a
> > nslookup -da pcname of pc, I get an IP address of some other pc. I
> > guess I am really confused as to how removing one dns server (I had
> > two, now have 1) would make it so my dhcp servers stop updating dns
> > correctly.
> >
> > Really beginning to worry, (should I panic yet?)
> > Robert
>
> When DHCP runs on a Win2k DC, it uses the DC's permissions to update DNS,
> which is why you shouldn't run DHCP on a Win2k DC.
> When you demoted to a member, it no longer had permission to update DNS, you
> would have to add DHCP servers on Member server to the DnsUpdateProxy group.
> But, I still wouldn't recommend that. Win2k3 DHCP will work much better as a
> DHCP server.
>
> --
> Best regards,
> Kevin D. Goodknecht Sr. [MVP]
> Hope This Helps
> ===================================
> When responding to posts, please "Reply to Group"
> via your newsreader so that others may learn and
> benefit from your issue, to respond directly to
> me remove the nospam. from my email address.
> ===================================
> http://www.lonestaramerica.com/
> http://support.wftx.us/
> https://secure.lsaol.com/
> ===================================
> Use Outlook Express?... Get OE_Quotefix:
> It will strip signature out and more
> http://home.in.tum.de/~jain/software/oe-quotefix/
> ===================================
> Keep a back up of your OE settings and folders
> with OEBackup:
> http://www.oehelp.com/OEBackup/Default.aspx
> ===================================
>
>
>

Robert-Avon-Schools wrote:
> Kevin,
> I have added the HS_SVR1 to the dnsupdateproxy group and am now
> rebooting. I hope this does it. on a related topic. Can I have one
> DHCP server that passes IP addresses for different subnets to
> specific subnets. for example. Our network is 10.5.x.x, each building
> is assigned a range 10.5.1.xx for example.
> so I would need the dhcp server say on 10.5.40.2 to passout ips to
> 10.5.1.xx even though it's seperated by two switches. I hope this
> makes sense, not sure if I am describing it exactly right.
>

Switches? maybe, but these two IPs appear to be on different subnets, which
means there would need to be a router, and most routers won't pass through
DHCP broadcasts.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

Ok, That's what I thought, the switches are doing some internal routing
because they are setup as vlans.... (cisco people smarter than I set it up).
I rebooted the server that was added to the dnsupdateproxy group. but the
errors are still being sent from that server and my dns server is still
getting those update failures

clearer picture of network.
10.5.1.x contains a win2k DC with DNS(AD integrated) and DHCP passes ips to
..1.x
10.5.10.x now contains a demoted win2k box (member svr) with DHCP passes to
..10.x
10.5.20.x contains a win2k3 DC with DHCP ips to .20.x
10.5.30.x contains a win2k mbr svr with DHCP ips to .30.x
10.5.40.x contains a win2k3 DC with DHCP ips to .40.x
10.5.50.x contains a win2k mbr svr with dhcp to .50.x
I am getting the errors from the .10.x server on the .1.x server running dns.
but DNS is not even being updated correctly for a pc brought into .1.x
subnet (where the dns server is). I have added (overkill) all the dhcp
servers to the dnsupdateproxy group to no apparent effect.


"Kevin D. Goodknecht Sr. [MVP]" wrote:

> Robert-Avon-Schools wrote:
> > Kevin,
> > It was a DC with DNS, when I demoted it to a member server, I stopped
> > the
> > DNS server service and changed DNS server settings on all my dhcp
> > servers to only point to the one dns server I have left running which
> > is (MS-SVR - a win2k (dc) it is ad integrated).
>
> This was one of the scenarios I gave.
>
> > I hope this helps.
> > I noticed something interesting. I setup a pc on the same subnet with
> > the DNS server. I get an ip address with all the right settings. when
> > I do a nslookup -da ipaddress of pc, I got a list of three reverse
> > entries, only one of which was the correct pc name. if I do a
> > nslookup -da pcname of pc, I get an IP address of some other pc. I
> > guess I am really confused as to how removing one dns server (I had
> > two, now have 1) would make it so my dhcp servers stop updating dns
> > correctly.
> >
> > Really beginning to worry, (should I panic yet?)
> > Robert
>
> When DHCP runs on a Win2k DC, it uses the DC's permissions to update DNS,
> which is why you shouldn't run DHCP on a Win2k DC.
> When you demoted to a member, it no longer had permission to update DNS, you
> would have to add DHCP servers on Member server to the DnsUpdateProxy group.
> But, I still wouldn't recommend that. Win2k3 DHCP will work much better as a
> DHCP server.
>
> --
> Best regards,
> Kevin D. Goodknecht Sr. [MVP]
> Hope This Helps
> ===================================
> When responding to posts, please "Reply to Group"
> via your newsreader so that others may learn and
> benefit from your issue, to respond directly to
> me remove the nospam. from my email address.
> ===================================
> http://www.lonestaramerica.com/
> http://support.wftx.us/
> https://secure.lsaol.com/
> ===================================
> Use Outlook Express?... Get OE_Quotefix:
> It will strip signature out and more
> http://home.in.tum.de/~jain/software/oe-quotefix/
> ===================================
> Keep a back up of your OE settings and folders
> with OEBackup:
> http://www.oehelp.com/OEBackup/Default.aspx
> ===================================
>
>
>

Robert-Avon-Schools wrote:
> Ok, That's what I thought, the switches are doing some internal
> routing because they are setup as vlans.... (cisco people smarter
> than I set it up). I rebooted the server that was added to the
> dnsupdateproxy group. but the errors are still being sent from that
> server and my dns server is still getting those update failures
>
> clearer picture of network.
> 10.5.1.x contains a win2k DC with DNS(AD integrated) and DHCP passes
> ips to .1.x
> 10.5.10.x now contains a demoted win2k box (member svr) with DHCP
> passes to .10.x
> 10.5.20.x contains a win2k3 DC with DHCP ips to .20.x
> 10.5.30.x contains a win2k mbr svr with DHCP ips to .30.x
> 10.5.40.x contains a win2k3 DC with DHCP ips to .40.x
> 10.5.50.x contains a win2k mbr svr with dhcp to .50.x
> I am getting the errors from the .10.x server on the .1.x server
> running dns. but DNS is not even being updated correctly for a pc
> brought into .1.x
> subnet (where the dns server is). I have added (overkill) all the dhcp
> servers to the dnsupdateproxy group to no apparent effect.

This would still require a change of ownership of registered records. The
DnsUpdateProxy group is not secure and the DHCP server will have to take
ownership of the records. The problem is if a machine registered its own
record the DHCP server can't update it and vice-versa. Once the DHCP server
takes ownership, the client cannot update it.
Check the Advanced security of the records to see who the current owner is
and what the Effective permissions are for the DnsUpdateProxy group.

Read the Section beginning with Secure Dynamic Updates in these KB:


How to configure DNS dynamic update in Windows 2000:
http://support.microsoft.com/default...b;en-us;317590

How to configure DNS dynamic updates in Windows Server 2003:
http://support.microsoft.com/default...b;en-us;816592


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================