Microsoft KB Archive/842200

= How to troubleshoot Windows Server 2003 Domain Name System Dynamic Update problems =

Article ID: 842200

Article Last Modified on 10/30/2006

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)

-





INTRODUCTION
This article describes the dynamic update process between Microsoft Windows XP-based client computers and Microsoft Windows Server 2003-based Domain Name System (DNS) servers. This article also discusses typical reasons that the update process may not succeed and how to diagnose an unsuccessful update.

For additional information about how to configure DNS dynamic update in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

816592 How to configure DNS dynamic update in Windows Server 2003



MORE INFORMATION
The dynamic update process includes four basic steps:

 1. A Windows XP-based client queries the DNS server to find the authoritative name server for the domain name that it is trying to update. The client's local name server performs the standard name resolution process to discover the authoritative name server.
 2. The local name server must respond to the client query with the start of authority (SOA) record and the Internet Protocol (IP) addresses of the name servers that are authoritative for the zone that the client queried.
 3. The Windows XP-based client sends a dynamic update request to the authoritative DNS server for the zone that the client is trying to update. The client's dynamic update request may include a list of prerequisites that must be fulfilled before an update can occur. The prerequisites may be of the following types:
    * The resource record set exists.
    * The resource record set does not exist.
    * The name is in use.
    * The name is not in use.
    Note For a full description of these prerequisite types, visit the following Internet Engineering Task Force (IETF) Web site: http://www.ietf.org/rfc/rfc2136.txt?number=2136
 4. The authoritative DNS server checks whether the prerequisites have been fulfilled. If the prerequisites have been fulfilled, the DNS server performs the requested update. If the prerequisites have not been fulfilled, the update is not successful. In either case, the DNS server replies to the client. The DNS server's reply indicates whether the update is successful.
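The four prerequisite types above differ on the wire only in the CLASS and TYPE fields of each prerequisite record, and each has its own failure code in the server's reply. The following added example (not part of the original article and not Microsoft code) encodes and classifies prerequisite records as RFC 2136 defines them, which helps when reading a packet capture of a rejected update. The host name host1.reskit.com and all function names are assumptions made for illustration.

```python
import struct

CLASS_IN, CLASS_NONE, CLASS_ANY, TYPE_A, TYPE_ANY = 1, 254, 255, 1, 255

# (CLASS, TYPE is ANY) -> (prerequisite type, RCODE sent when it is not fulfilled)
PREREQS = {
    (CLASS_ANY, False): ("rrset exists", "NXRRSET"),
    (CLASS_NONE, False): ("rrset does not exist", "YXRRSET"),
    (CLASS_ANY, True): ("name is in use", "NXDOMAIN"),
    (CLASS_NONE, True): ("name is not in use", "YXDOMAIN"),
}

def encode_name(name):
    """Encode a domain name as uncompressed length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def encode_prereq(kind, name, rrtype=TYPE_A):
    """Build one value-independent prerequisite RR (TTL 0, RDLENGTH 0)."""
    rrclass, any_type = next(k for k, v in PREREQS.items() if v[0] == kind)
    return encode_name(name) + struct.pack(
        "!HHIH", TYPE_ANY if any_type else rrtype, rrclass, 0, 0)

def classify_prereqs(section, count, zone_class=CLASS_IN):
    """Decode `count` RRs from a prerequisite section and classify each."""
    out, pos = [], 0
    for _ in range(count):
        labels = []
        while section[pos]:                      # stop at the root label
            n = section[pos]
            if n & 0xC0:
                raise ValueError("compressed names are not handled here")
            labels.append(section[pos + 1:pos + 1 + n].decode("ascii"))
            pos += 1 + n
        rrtype, rrclass, ttl, rdlen = struct.unpack_from("!HHIH", section, pos + 1)
        pos += 11 + rdlen                        # root byte + 10 fixed bytes + RDATA
        key = (rrclass, rrtype == TYPE_ANY)
        if ttl == 0 and rdlen == 0 and key in PREREQS:
            kind, rcode = PREREQS[key]
        elif ttl == 0 and rrclass == zone_class:
            kind, rcode = "rrset exists (value dependent)", "NXRRSET"
        else:                                    # nonzero TTL or invalid class/RDATA
            kind, rcode = "malformed", "FORMERR"
        out.append((".".join(labels), kind, rcode))
    return out

# Constructed sample: register only if no A record exists and the name is free.
SAMPLE = (encode_prereq("rrset does not exist", "host1.reskit.com") +
          encode_prereq("name is not in use", "host1.reskit.com"))
```

The third element of each result is the RCODE to look for in the server's reply when that prerequisite is the reason the update was refused.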

Updates may be unsuccessful for several reasons:

 * The DNS server is not configured to accept dynamic updates for the requested zone. Therefore, all dynamic update requests for the zone are unsuccessful. To configure the zone to permit dynamic updates, follow these steps:

    1. Click Start, point to Programs, point to Administrative Tools, and then click DNS.
    2. Expand the server that you want to work with, and then expand Forward Lookup Zones or Reverse Lookup Zones.
    3. Right-click the zone that you want to work with, and then click Properties.
    4. On the General tab, click Nonsecure and secure in the Dynamic updates box, and then click OK.

   You can also verify the configuration of the zone by using the Dnscmd.exe command-line tool. Dnscmd.exe is included in the Windows Server 2003 Support Tools package. To display the current configuration of a zone, follow these steps:

    1. Click Start, click Run, type cmd, and then click OK.
    2. At the command prompt, type dnscmd /ZoneInfo ZoneName, and then press ENTER.

       Note ZoneName is a placeholder for the name of the zone whose configuration you want to display.

 * The DNS server accepts only secure dynamic updates for the requested zone. Therefore, all non-secure dynamic update requests for the zone are unsuccessful. You can verify that a zone is configured for secure updates by using either the DNS Server service or the Dnscmd.exe command-line tool. To test whether secure dynamic updates are part of the problem, configure Dynamic updates for the target zone to Nonsecure and secure instead of Secure updates. After you turn on non-secure updates, verify that the client can successfully register in the target zone.

 * The authoritative server for the name does not respond. This behavior may occur if the server is down or if the local name server's SOA service record has an incorrect name server listed. To verify that the server responds and that the response is accurate, use the nslookup command. To use the nslookup command to verify that the client's configured DNS servers correctly answer queries, follow these steps:

    1. Click Start, click Run, type cmd, and then click OK.
    2. At the command prompt, type nslookup, and then press ENTER.
    3. At the prompt, type set query=SOA, and then press ENTER.
    4. At the prompt, type ZoneName, where ZoneName is the name of the zone that you want to verify.

   For example, if you specify reskit.com as the target zone, the information that is returned may look similar to the following:

<pre class="fixed_text">
Server: name-server.dev.reskit.com
Address: 134.67.123.245

Non-authoritative answer:
reskit.com
        primary name server = dns-server.reskit.com
        responsible mail addr = admin
        serial = 2413358
        refresh = 900 (15 minutes)
        retry = 600 (10 minutes)
        expire = 86400 (1 day)
        default TTL = 3600 (1 hour)
dns-server.reskit.com Internet address = 134.66.1.11
</pre>

   To verify whether the response is accurate, consider the following questions:

    * Is the SOA data in the response of the server accurate?
    * Is the authoritative DNS server that is identified in the SOA record correct?
    * If the DNS server is correct, is the IP address that is listed for the server also accurate?

   If the server does not respond or the data that the server returns is not accurate, address these issues before you continue.

 * The server is not accepting dynamic updates because the target zone is currently being transferred. To determine if this is the cause of an unsuccessful DNS update, check the DNS log in Event Viewer. Specifically, look for zone transfer events that occurred at the time that the client tried to perform an update. Typically, zone transfers are operations that require short periods of time. Because of this behavior, it is unlikely that an attempt by a client to dynamically update a DNS zone can be prevented two times in a brief interval because of zone transfers. To eliminate zone transfers as the cause of an unsuccessful dynamic update, run the ipconfig /registerdns command on a client shortly after the client cannot successfully update a DNS zone. Record the time, and check the DNS event log to determine if a zone transfer was performed at the same time that you ran the command.

   Another method to eliminate zone transfers as the cause of unsuccessful dynamic updates is to stop zone transfers for the target zone on the server that the client is using to make the update. To do this, follow these steps:

    1. Click Start, point to Programs, point to Administrative Tools, and then click DNS.
    2. Expand the server that you want to work with, and then expand Forward Lookup Zones or Reverse Lookup Zones.
    3. Right-click the zone that you want to work with, and then click Properties.
    4. On the Zone Transfers tab, click to clear the Allow zone transfers check box, and then click OK.

   You can also use the Dnscmd.exe command-line tool to stop zone transfers. To stop zone transfers to or from a specific zone, follow these steps:

    1. Click Start, click Run, type cmd, and then click OK.
    2. At the command prompt, type dnscmd /ZoneResetSecondaries reskit.com. /NoXfr, and then press ENTER.

   When zone transfers are stopped, determine whether dynamic updates are still unsuccessful. If dynamic updates are still unsuccessful, use the other suggestions in this article to troubleshoot the problem.
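The SOA verification in the nslookup steps above can be scripted so that the same three questions are answered for every resolver a client uses. The following added example (not part of the original article) parses the nslookup output format shown above and compares the primary name server and its address with values you expect from your own records. The sample text is constructed from the article's example, and the function names and expected values are assumptions.

```python
import re

# Constructed sample, copied from the article's example output.
SAMPLE = """\
Server: name-server.dev.reskit.com
Address: 134.67.123.245

Non-authoritative answer:
reskit.com
        primary name server = dns-server.reskit.com
        responsible mail addr = admin
        serial = 2413358
        refresh = 900 (15 minutes)
dns-server.reskit.com Internet address = 134.66.1.11
"""

def parse_nslookup_soa(text):
    """Return (SOA fields, {server name: address}) from 'set query=SOA' output."""
    soa, addrs = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"(\S+)\s+[Ii]nternet address = (\S+)$", line)
        if m:
            addrs[m.group(1).lower()] = m.group(2)
        elif " = " in line:
            key, value = line.split(" = ", 1)
            soa[key.strip()] = value.split(" (")[0].strip()  # drop "(15 minutes)"
    return soa, addrs

def check_soa(text, expected_primary, expected_ip):
    """Answer the verification questions; an empty list means no problem found."""
    soa, addrs = parse_nslookup_soa(text)
    primary = soa.get("primary name server", "").lower()
    if not primary:
        return ["no SOA record in response"]
    findings = []
    if primary != expected_primary.lower():
        findings.append(f"SOA primary is {primary}, expected {expected_primary}")
    ip = addrs.get(primary)
    if ip is None:
        findings.append(f"no address returned for {primary}")
    elif ip != expected_ip:
        findings.append(f"{primary} resolves to {ip}, expected {expected_ip}")
    return findings
```

A mismatch in either the primary name server or its address means clients are sending their update requests to a server other than the one you intend to be authoritative.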

Keywords: kbtshoot kbenv kbdns kbinfo KB842200


© Microsoft Corporation. All rights reserved.