One last W2K / Active Directory / BIND question
Barry Finkel
b19141 at achilles.ctd.anl.gov
Fri Aug 3 15:26:37 UTC 2001
"Simpson, John R" <john_simpson at reyrey.com> wrote (in part):
> I'm attempting to allow Windows 2000 Active Directory to update the
>_msdcs, _tcp, _udp, and _sites AD specific subdomains of example.com while
>leaving example.com static -- basically the approach Cricket outlined in the
>4th edition of DNS and BIND. I've created zone definitions and db files for
>example.com, _msdcs.example.com, _tcp.example.com, _udp.example.com, and
>_sites.example.com.
>
> If I give allow-update permission to the W2K server for all zones,
>including example.com, the update works and all the SRV records get added to
>_msdcs, etc. However, I don't want the W2K server to have update permission
>to example.com.
>
> If I don't give allow-update permission to the W2K server to
>example.com, it fails with the message "The Wizard cannot contact the DNS
>server that handles the name "example.com" to determine if it supports
>dynamic update. Confirm your DNS configuration, or install and configure a
>DNS server on this computer." At the same time BIND logs an unauthorized
>update for example.com. It makes no attempt to update _msdcs.example.com,
>etc. As soon as I restore allow-update to example.com the updates proceed.
While others have responded to this post, I have additional information.
I was waiting until a posting had the "magic" keywords 5782 or 5774,
but this posting has enough of the problem for me to post the file I
have accumulated over the past months. Here it is, in its entirety.
Windows 2000 DNS Anomalies with Netlogon
/userhome/b19141/dns/win2k-netlogon
05Dec00 1102AM Barry Finkel
08Dec00 0226PM Revised by Barry Finkel to add netlogon.dns information
18May01 0456PM Revised by Barry Finkel to reference Q246804 and Q294832
25May01 0135PM Revised by Barry Finkel with another reference to Q246804
17Jul01 1008AM Revised by Barry Finkel to correct Q246084-->Q246804 typos
This information is based on our experience and testing in both our
Windows 2000 testbed network (192.168.x.x) and in our production
TCP/IP network. There is also information in the Microsoft article
Q246804.
01) DNS self-registration on a Domain Controller is different than
self-registration on a machine that is not a DC. Self-registration
on a non-DC Windows 2000 box involves registering the nodename and
IP address of the computer.
Without self-registration set on a DC, netlogon will not register
the SRV records in the "_" zones. (See Q178169 for a description of
the SRV records.) This is a change in SP1 to fix a bug, but I do
not see it listed in the three SP1 bug lists (Q269524, Q269425, and
Q269428). A search of the newsgroup
microsoft.public.win2000.dns
via the deja.com web site produced this mail from
Peter Reiss <reiss at nospam-deshaw.com>
on 11/27/2000:
To revert to the pre-SP1 behavior, set:
Key: HKLM\Systems\CurrentControlSet\Services\Netlogon\Parameters
Value: DnsUpdateOnAllAdapters (DWORD)
to 1.
This registry hack is supposedly in the code but not documented.
I have not found this registry key on the MS web site, and I
personally would not recommend setting it, as reverting to pre-SP1
behavior might cause more problems in the future.
Self-registration is set by default in Windows 2000; it can be
turned off via:
Start
Settings
Network and Dialup
Local Area
Properties
Adapter
Protocols
TCP/IP
Advanced
DNS
The "Register this name" box should NOT be checked.
With SP1 you do not need to reboot to have this setting
take effect.
If self-registration fails, then subsequent attempts are made at
these intervals - 5 minutes, 10 minutes, 60 minutes, 5 minutes, ...
If self-registration succeeds, then self-registration will again be
attempted in 24 hours (I believe), as MS for some reason does not
expect that the registration will remain in DNS.
MS article Q294832 describes how to disable DDNS globally.
02) There is a 5782 warning message (in the event log) from the
netlogon process:
Dynamic Registration or deregistration of one or more
DNS records failed with the following error:
No DNS servers configured for local system.
The text of this message is misleading, and the message may or may
not be produced based on some settings, as described below.
03) There is a 5774 error message (in the event log) from the
netlogon process:
Registration of "anl.gov 600 IN A 192.168.1.11" failed
with the following error:
DNS server unable to interpret format.
This is the registration of the DC "A" record for a Domain
Controller in the anl.gov Windows 2000 Domain at address
192.168.1.11. The text of this message is also misleading. The
problem (at least in the one case we saw) was not that the BIND DNS
server was unable to interpret the format of the DDNS request, the
"problem" was that the BIND server did not allow the Dynamic DNS
request.
04) There is a registry setting "RegisterDNSARecords"; there are three
possible values:
1 ==> Register the DNS "A" records for this DC.
0 ==> Do not register the DNS "A" records for this DC.
not present (i.e., null) ==> Rely on the self-registration
setting.
Article Q259028 has this about the registry setting:
The correct registry entry is RegisterDnsARecords:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Data type: REG_DWORD
Range: 0 - 1
Default value: 1
The two "A" records are these (from article Q258213):
A record(s) for the DnsDomainName for a domain controller
A record(s) for the gc._msdcs.DnsForestName if the domain
controller is also a global catalog
The first "A" record is placed in the anl.gov zone; I did this
manually for each of three DCs in the anl.gov Windows 2000 domain:
@ IN A 146.139.254.75
@ IN A 146.137.96.48
@ IN A 146.137.162.84
The second is placed in the _msdcs.anl.gov zone, which we have
allocated to an MS DNS box. The update is dynamic via the netlogon
process:
$ORIGIN _msdcs.anl.gov.
gc 3600 IN A 146.137.162.84
3600 IN A 146.137.96.48
3600 IN A 146.139.254.75
We allow any Dynamic DNS update to the four "_" zones on the MS DNS
box.
When the RegisterDnsARecords value is set to 0, netlogon will not
attempt new registration of the "A" records. In addition, the "A"
records are removed from the netlogon.dns file, and netlogon on the
DC sends DDNS requests to de-register any "A" records that had
previously been registered. In our case, the DDNS de-registration
of the first "A" records failed, as dns0.anl.gov does not allow
DDNS. The de-registration of the Global Catalog (GC) record
succeeded, as that record is in the _msdcs.anl.gov zone, which is
in a zone mastered on a Win2k DNS computer that allows DDNS.
Article Q246804 has this about the DC "A" records:
The following registry key enables/disables the registration
of A records by Netlogon for a domain controller. The domain
A records are not required by Windows 2000, but are
registered for the benefit of Lightweight Directory Access
Protocol (LDAP) implementations that do not support SRV
records.
05) There is a difference in the code path depending on the values
of two settings -- self-registration and RegisterDNSARecords:
                                 | Event   BIND DDNS
Self-reg  RegDNSARec  Test#      | Msg     Activity?
--------  ----------  -----      | -----   ---------
no        null        3          | 5782    no
no        0           5          | 5782    no
no        1           2          | 5782    no
                                 |
yes       null        4          | 5782    yes
yes       0           1          | none    no
yes       1           6          | 5774    yes
06) My interpretation of the tests:
a) If self-registration on a DC is set to NO, then no DDNS activity
occurs, and the 5782 warning message is produced. The part of
the message "No DNS servers configured for the local system"
is misleading, in a sense. If you know what is happening, then
the message makes sense, as you have told the DC not to do the
DDNS registration.
b) If self-registration on a DC is set to YES, then the DDNS
activity depends on the "RegisterDNSARecords" registry hack.
null ==> DDNS activity (rejected by BIND dns0.anl.gov)
The 5782 error message is misleading. There is a
DNS server configured; but that DNS server does
not allow the DDNS updates.
0 ==> There is no DDNS activity because we told the DC
not to do any. There is no error/warning message
because MS assumes that we know the settings we
set.
1 ==> DDNS activity (rejected by BIND dns0.anl.gov)
The 5774 error message is somewhat misleading,
unless one knows the cause of the message.
----------------------------------------------------------------------
Barry S. Finkel
Electronics and Computing Technologies Division
Argonne National Laboratory Phone: +1 (630) 252-7277
9700 South Cass Avenue Facsimile:+1 (630) 252-9689
Building 221, Room B236 Internet: BSFinkel at anl.gov
Argonne, IL 60439-4844 IBMMAIL: I1004994
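To see how the zone split John describes interacts with the records listed in item 04, here is an added Python example (not code from the original post, nor from BIND or Microsoft): it reads a constructed netlogon.dns excerpt, finds the closest enclosing zone for each owner name, and checks that zone's allow-update list. The zone names, the DC address 192.168.1.11 and the record lines are assumptions built from the thread.

```python
# Added example for this thread (not the original post's code). Zone names,
# the DC address and the netlogon.dns lines below are constructed.
# zone name -> addresses in its allow-update ACL; an empty set = static zone
ZONES = {
    "anl.gov": set(),
    "_msdcs.anl.gov": {"192.168.1.11"},
    "_tcp.anl.gov": {"192.168.1.11"},
    "_udp.anl.gov": {"192.168.1.11"},
    "_sites.anl.gov": {"192.168.1.11"},
}

# Constructed excerpt in netlogon.dns form: owner TTL IN type rdata
NETLOGON_DNS = """\
anl.gov. 600 IN A 192.168.1.11
gc._msdcs.anl.gov. 600 IN A 192.168.1.11
_ldap._tcp.anl.gov. 600 IN SRV 0 100 389 dc1.anl.gov.
_ldap._tcp.dc._msdcs.anl.gov. 600 IN SRV 0 100 389 dc1.anl.gov.
_kerberos._udp.anl.gov. 600 IN SRV 0 100 88 dc1.anl.gov.
_ldap._tcp.Default-First-Site-Name._sites.anl.gov. 600 IN SRV 0 100 389 dc1.anl.gov.
"""

def enclosing_zone(owner, zones):
    """Most specific configured zone containing `owner`, or None.

    An RFC 2136 client names the closest enclosing zone in its update, so
    that zone's allow-update (not the parent's) is what BIND evaluates.
    """
    name = owner.rstrip(".").lower()
    best = None
    for zone in zones:
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best

def classify_registrations(netlogon_dns, zones, dc_ip):
    """(owner, zone, accepted) for each record netlogon would send from dc_ip."""
    out = []
    for line in netlogon_dns.splitlines():
        if not line.strip():
            continue
        owner = line.split()[0]
        zone = enclosing_zone(owner, zones)
        out.append((owner, zone, zone is not None and dc_ip in zones[zone]))
    return out

def refused_records(netlogon_dns, zones, dc_ip):
    """Owners the layout refuses; the apex A record here is the one item 03 logs as 5774."""
    return [o for o, _, ok in classify_registrations(netlogon_dns, zones, dc_ip) if not ok]
```

With this layout only the domain apex "A" record is refused, which is exactly the registration RegisterDnsARecords=0 tells netlogon to stop attempting.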