
I have an Active Directory domain corp.com, which has a child domain dev.corp.com. Each domain has a pair of DCs. For the top-level AD domain, DNS, as well as DHCP, runs on both ADs. For the child domain, DNS runs on both ADs. The child domain trusts the top-level domain, but not the other way around.

Originally, I was running a mix of Windows Server 2008 R2 and Windows Server 2012 DCs, subsequently added new Windows Server 2019 DCs, and decommissioned all older DCs. Everything is running fine, except for dynamic DNS updates from the DHCP.

I'm experiencing the following two errors in the Event Log:

PTR record registration for IPv4 address [[192.168.8.102]] and FQDN cstl-dms01.dev.corp.com failed with error 9009 (DNS server not authoritative for zone.).
Forward record registration for IPv4 address [[192.168.8.102]] and FQDN cstl-dms01.dev.corp.com failed with error 9005 (DNS operation refused.).

Originally, every dynamic DNS attempt failed. I'm using secure updates and have a dedicated system account for DHCP-to-DNS access, so I made it a member of the DnsUpdateProxy group, and for certain machines updates started working.

So far, I was able to isolate the issue to a situation where there's a sub-domain CNAME associated with the problematic record. The records in the MS DNS look like this:

| Name                    | Type          | Data                    | Timestamp           |
|-------------------------|---------------|-------------------------|---------------------|
| (same as parent folder) | Host (A)      | 192.168.8.119           | 01.01.2021 18:00:00 |
| `*`                     | Alias (CNAME) | cstl-dms01.dev.corp.com | static              |

Note that once I (manually) create the CNAME record, the MS DNS Server automatically creates a folder, named after the machine hostname, and places both the A and CNAME records within it.

I cannot avoid the `*.cstl-dms01.dev.corp.com` CNAME; it's required by SharePoint running on that machine for it to work. I have a couple dozen such records in the DNS, so I'd like to avoid switching to static IPs.

In addition, while I wasn't experiencing this issue on previous Windows Server versions, it may be the case that there is some misconfiguration after introducing new DHCP and DNS servers.

How to make the dynamic DNS updates work? Is this a limitation of the DNS server or am I missing something?

Ondrej Tucny
  • Are you sure that a `*` *CNAME* is required by Sharepoint? Per the RFCs, CNAMEs are *special* beasts; they must be the *only* record for a given name, and they should point to the real address of the server. Your DNS config appears to be saying, for any name not already defined (`*`), return that name as a CNAME -- e.g. `foo.cstl-dms01.dev.corp.com` should return a CNAME referring to `cstl-dms01.dev.corp.com`. If DHCP is trying to register `foo.cstl-dms01.dev.corp.com` as an A-record, it is likely seeing that name "exists" as a CNAME and *choosing* not to overwrite (because it's not an A). – jimbobmcgee Jun 21 '21 at 19:27
  • @jimbobmcgee Yes, I am sure a `*` CNAME is required by SharePoint. It's necessary to support SharePoint-hosted modern apps. Weird, but true. Meanwhile, the synchronization problem just went away, kind of typical Microsoft. I'm not sure what was the root cause, though, so leaving the question open should anyone have a deeper insight into the behavior. – Ondrej Tucny Jun 22 '21 at 07:46
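An added PowerShell diagnostic for the situation in the question; it is not code from the question, the commenters or Microsoft. It gathers the facts behind the two event-log errors (9009 for the PTR, 9005 for the forward record): the reverse zone, what already sits at the host's DNS node next to the `*` CNAME and who owns that node, and the DHCP server's registration credential and its DnsUpdateProxy membership. Assumed, because the page does not give them: the DHCP server name `dhcp01.corp.com`, the reverse zone `8.168.192.in-addr.arpa` (derived from 192.168.8.x), that the zone is stored in the DomainDnsZones partition, and that the script runs on a DC/DNS server of dev.corp.com with the DnsServer, DhcpServer and ActiveDirectory RSAT modules.

```powershell
# Added diagnostic, not code from the question or from Microsoft.
# Assumptions: run on a DC/DNS server of dev.corp.com with RSAT modules; the DHCP
# server name and reverse zone below are assumed; zone data is assumed to live in
# the DomainDnsZones application partition.
Import-Module DnsServer, DhcpServer, ActiveDirectory

$Zone        = 'dev.corp.com'
$HostName    = 'cstl-dms01'
$DnsServer   = $env:COMPUTERNAME
$DhcpServer  = 'dhcp01.corp.com'            # assumed name
$ReverseZone = '8.168.192.in-addr.arpa'     # assumed, derived from 192.168.8.0/24

# 1. Error 9009 (DNS server not authoritative for zone): the PTR can only be
#    registered on a server that hosts the reverse zone for the lease's subnet.
$rz = Get-DnsServerZone -ComputerName $DnsServer -Name $ReverseZone -ErrorAction SilentlyContinue
if ($rz) { "Reverse zone $ReverseZone hosted here; DynamicUpdate = $($rz.DynamicUpdate)" }
else     { "Reverse zone $ReverseZone is NOT hosted on $DnsServer" }

# 2. Error 9005 (DNS operation refused): list what already sits at the host's node,
#    including the '*' CNAME, and who owns the node object in AD. With secure
#    updates, only the owner of an existing record (or an account the ACL allows)
#    may overwrite it.
$params   = @{ ComputerName = $DnsServer; ZoneName = $Zone; ErrorAction = 'SilentlyContinue' }
$atNode   = Get-DnsServerResourceRecord @params -Name $HostName -Node
$wildcard = Get-DnsServerResourceRecord @params -Name "*.$HostName" -RRType CName
@($atNode) + @($wildcard) | Select-Object HostName, RecordType, Timestamp,
    @{ n = 'Data'; e = { if ($_.RecordData.IPv4Address) { $_.RecordData.IPv4Address }
                         else { $_.RecordData.HostNameAlias } } }

$domainDn = ($Zone.Split('.') | ForEach-Object { "DC=$_" }) -join ','
$nodeDn   = "DC=$HostName,DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
$acl = Get-Acl -Path "AD:\$nodeDn" -ErrorAction SilentlyContinue
if ($acl) { "dnsNode owner: $($acl.Owner)" }

# 3. DHCP side: the credential used for registrations, the dynamic update policy,
#    and whether that credential is a member of DnsUpdateProxy in its own domain.
$cred = Get-DhcpServerDnsCredential -ComputerName $DhcpServer
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer |
    Select-Object DynamicUpdates, UpdateDnsRRForOlderClients, NameProtection, DeleteDnsRROnLeaseExpiry
$proxyMembers = Get-ADGroupMember -Identity 'DnsUpdateProxy' -Server $cred.DomainName
$inProxy = $proxyMembers.SamAccountName -contains $cred.UserName
"DHCP credential $($cred.DomainName)\$($cred.UserName) in DnsUpdateProxy: $inProxy"
```

Compare the node owner from step 2 with the DHCP credential from step 3: a record that an older DHCP server or the client itself registered will be owned by that principal, and the dnsNode ACL decides whether the new credential may update it.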

0 Answers