18

I've stumbled upon a strange behaviour with Windows machines, which seems to be fairly consistent between all Windows versions from Vista/2008 to 8.1/2012 R2; it doesn't happen, however, when using Windows XP or Windows Server 2003.

The problem is this: when the network adapter is configured for DHCP and the DHCP server doesn't register DNS records on behalf of its clients (because it can't, or because it's not configured to do so), then the forward A record gets registered, but the reverse PTR record doesn't.

Some more details:

  • Both the forward and the reverse DNS zones are AD-integrated and accept dynamic updates.
  • All computers are joined to the domain.
  • All computers use the correct internal DNS servers, both when configured statically and when getting their configuration from DHCP.
  • "Register this connection's addresses in DNS" is enabled in the network adapters.
  • Everything is fine when a computer has a static IP address; both the forward and the reverse records get automatically registered.
  • When the same computer is configured for DHCP, the forward record is registered, but the reverse record isn't.
  • This happens for all computers with an OS version >= 6.0, and it's definitely not related to a single machine.
  • No amount of ipconfig /registerdns will change anything.
  • No errors are logged anywhere.

Why does this happen, and how can it be fixed?

And no, configuring the DHCP server to perform DNS registration is not an option here.

Massimo
  • A friend not on SF said: "That's normal, PTR is only updated by DHCP in Win2K+". That doesn't exactly seem to be the case from your experience, but might be close.... I'm trying to dig up a better reference. – Chris S Oct 24 '14 at 14:07
  • Massimo, are you able to pull a wireshark trace and check the DHCPREQUEST Packet? There should be a flag set to "1" if the client is supposed to update both the A record and PTR record. A flag of "0" means the client updates the A record and requests that the server update the PTR record on its behalf. Default is "0". – TheCleaner Oct 24 '14 at 14:21
  • Also in the DHCP scope make sure == Click the DNS tab, click Properties, and then click to select the Dynamically update DNS A and PTR records only if requested by the DHCP clients check box == is set. This would mean when the default flag of "0" comes in the server will then try to register the PTR record with the DNS server(s) it is configured to update. And make sure the DNS dynamic update credentials are correct and appropriate permissions are applied for this to work – TheCleaner Oct 24 '14 at 14:28
  • As I said in the question, configuring the DHCP server is not an option. I don't manage it. It won't register DNS records for its clients, period. They should be able to handle it, since all of them are domain members. – Massimo Oct 24 '14 at 15:03
  • I have the same issue. Using pfSense as DHCP server. Win2k8 DC/DNS. Win7 clients. The clients are registering A records, but not PTR records. – Corey Oct 29 '14 at 18:53
  • Not an answer to OP's question per se, just an opinion of mine: I'd rather have auto PTR registering disabled. Rarely does any app need reverse lookup to function (there are a few exceptions of course, and all for servers. Workstations should NEVER need a PTR record). Enabling PTR increases DNS servers' work load for no purpose really. And it also increases the chances of having orphaned PTRs when machines are gone - people tend to forget to clean up PTRs. – strongline Oct 21 '15 at 15:13

6 Answers

16

The solution is checking "Use this connection's DNS suffix in DNS registration" in the TCP/IP settings of the network interface.

As much as it may appear strange, this is the only solution to ensure Windows will register both the A and the PTR records for a DHCP network connection; otherwise, it will only register the A record.

Massimo
  • I just ran into this again myself, seems like a bug to me. Would be nice if MS would fix. – Corey Jun 30 '18 at 05:17
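
The two checkboxes named in the accepted answer can be audited, set and verified from PowerShell. This is an added example, not code from any of the posts; it assumes the `DnsClient` and `NetTCPIP` cmdlets (Windows 8 / Server 2012 and later), an elevated session, and an arbitrarily chosen 10-second wait for the registration to complete.

```powershell
# Added example. Run elevated on a domain-joined client.
# Report the DNS registration flags of every connected, DHCP-enabled IPv4 interface.
function Get-DhcpDnsRegistration {
    Get-NetIPInterface -AddressFamily IPv4 -Dhcp Enabled |
        Where-Object { $_.ConnectionState -eq 'Connected' } |
        ForEach-Object {
            $dns = Get-DnsClient -InterfaceIndex $_.InterfaceIndex
            $ip  = Get-NetIPAddress -InterfaceIndex $_.InterfaceIndex -AddressFamily IPv4 `
                       -ErrorAction SilentlyContinue | Select-Object -First 1
            [pscustomobject]@{
                InterfaceIndex  = $_.InterfaceIndex
                Alias           = $_.InterfaceAlias
                IPAddress       = $ip.IPAddress
                # "Register this connection's addresses in DNS"
                RegisterAddress = $dns.RegisterThisConnectionsAddress
                # "Use this connection's DNS suffix in DNS registration"
                UseSuffix       = $dns.UseSuffixWhenRegistering
                Suffix          = $dns.ConnectionSpecificSuffix
            }
        }
}

$adapters = @(Get-DhcpDnsRegistration)
$adapters | Format-Table -AutoSize

# Tick both checkboxes on any DHCP adapter that is missing one of them.
foreach ($a in $adapters | Where-Object { -not ($_.RegisterAddress -and $_.UseSuffix) }) {
    Set-DnsClient -InterfaceIndex $a.InterfaceIndex `
        -RegisterThisConnectionsAddress $true -UseSuffixWhenRegistering $true
}

# Equivalent of "ipconfig /registerdns"; registration runs asynchronously.
Register-DnsClient
Start-Sleep -Seconds 10

# Verify that a PTR record now exists for each DHCP-assigned address.
foreach ($a in $adapters | Where-Object { $_.IPAddress }) {
    $ptr = Resolve-DnsName -Name $a.IPAddress -Type PTR -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'PTR' }
    [pscustomobject]@{
        IPAddress = $a.IPAddress
        PtrTarget = if ($ptr) { $ptr.NameHost -join ', ' } else { '<no PTR registered>' }
    }
}
```
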
7

I ran into the same issue years ago; the following group policy settings are how I resolved it. This could easily be overkill, but since the above answers didn't cover things from a group policy angle, here goes.

Computer Configuration\Administrative Templates\Network\DNS Client

  • Connection Specific DNS Suffix: enabled, and set to mydomain.org
  • Register DNS records with connection-specific DNS suffix: enabled
  • Register PTR Records: enabled
  • Dynamic Update: enabled
Tim Brigham
  • Interesting. I had already tried "Register PTR Records" to no effect, but "Register DNS records with connection-specific DNS suffix" *could* actually do the trick, because it indeed *does* when manually enabling this option in the network connection properties (see the accepted answer). – Massimo Oct 21 '15 at 17:05
  • 1
    @Massimo yeah that's in line with what I saw. I needed a way to push this out so I kept playing with the policy until it worked. – Tim Brigham Oct 21 '15 at 17:28
3

According to MS:

Windows 2000 .. sends option 81 and its fully qualified domain name to the DHCP server and requests the DHCP server to register a pointer resource record (PTR RR) on its behalf. The dynamic update client registers an address resource record (A RR). .. the DHCP server can be configured to instruct the client to allow the server to register both records with the DNS.

Statically configured (non-DHCP) clients register both the A RR and the PTR RR with the DNS server themselves.

The article also mentions Changing registry entries changes the behavior of the dynamic update DNS client. So there might be a registry workaround... Looking


Edit:
According to the article linked by TheCleaner below, the GPO I mentioned in my comment will not do what you want (yeah MS and closed-source software). But checking the boxes for "Register this connection's address in DNS" and "Use this connection's DNS suffix in DNS registration" makes it work. I don't have a convenient test environment to try it...

Chris S
  • I don't have a setup convenient to test, could you try enabling the GPO `Computer Config > Templates > Network > DNS Client > Register PTR records` and see if that has the desired effect - I'm thinking it might not, but worth a shot. – Chris S Oct 24 '14 at 14:24
  • 1
    http://setspn.blogspot.com/2010/12/windows-7-reverse-lookup-dns.html – TheCleaner Oct 24 '14 at 14:31
  • The GPO doesn't change anything, but enabling "Use this connection's DNS suffix in DNS registration" actually did the trick. Please rewrite your answer to explicitly state this, and I'll accept it. – Massimo Oct 24 '14 at 15:47
  • It's interesting the GPO doesn't change anything. The context-help docs say explicitly that the checkbox only works if the associated GPO policy is disabled or unspecified. – Kev Jul 21 '15 at 08:44
0

I ran into this issue while creating and migrating VMs into Azure IaaS. Most of the VMs we install have a reserved DHCP address in the subnet and the NIC IP settings are set to DHCP. The default 'register this adapter in DNS' setting is always enabled. A records get created in our domain's DNS but not the PTR, which indeed makes sense as the Azure DHCP service won't be able to update our DNS reverse lookup zones. Ticking the 'Use this connection's DNS suffix in DNS registration' seems to work if the IP address is static and not DHCP for all the VMs with OS 2012R2, 2016 or 2019. Those are the OSes I tested, not lower or higher OS versions. When the VM is running 2019 (and above?) that checkbox also does the trick if it's DHCP; however, when the VM OS is 2016 or 2012R2 then you also need the GPO setting 'Register PTR records' to make it work. That was at least the case in my lab.

I implemented this via the GPOs for our servers with these two settings in "Computer Configuration/Policies/Administrative Templates/Network/DNS Client":

  • 'Register PTR records': Enabled
  • 'Register DNS records with connection specific DNS suffix': Enabled

Run GPUpdate and restart the server to let it take effect. It could also work by gpupdate followed by a DHCP client service restart, as that part does the registration.

Hope this helps anyone.

Eric
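
To confirm that the two DNS Client policy settings from the group policy answers above actually reached a machine after `gpupdate`, the policy registry key can be read directly. This is an added example, not code from the posts; the value names `RegisterReverseLookup` and `RegisterAdapterName` are the names I take these policies to write under the DNS Client policy key, so check them against the `DnsClient.admx` in your environment.

```powershell
# Added example. Reads the machine policy values written by the DNS Client GPO settings.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

# Policy display name -> registry value name (assumed mapping, see lead-in).
$PolicyValues = [ordered]@{
    'Register PTR records'                                     = 'RegisterReverseLookup'
    'Register DNS records with connection-specific DNS suffix' = 'RegisterAdapterName'
}

function Test-DnsRegistrationPolicy {
    param([string]$Path = $PolicyKey)

    # The key is absent when no DNS Client policy applies to this machine.
    $values = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    foreach ($policy in $PolicyValues.Keys) {
        $valueName = $PolicyValues[$policy]
        $data  = if ($values) { $values.$valueName } else { $null }
        $state = if ($null -eq $data) { 'Not configured' }
                 elseif ($data -eq 0) { 'Disabled' }
                 else                 { 'Enabled' }
        [pscustomobject]@{
            Policy    = $policy
            ValueName = $valueName
            Data      = $data
            State     = $state
        }
    }
}

$result = @(Test-DnsRegistrationPolicy)
$result | Format-Table -AutoSize

# Flag the machine if either setting has not been applied as Enabled.
$missing = @($result | Where-Object { $_.State -ne 'Enabled' })
if ($missing.Count -gt 0) {
    Write-Warning ("Policy not applied as Enabled: " + ($missing.Policy -join '; '))
}
```
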
-1

In Windows 2008 and above, there is an option in the DHCP scope to set up the DHCP server to automatically update the authoritative DNS servers with the host (A) and (PTR) records of the DHCP clients. You must enable DNS dynamic updates and choose the option for "Always dynamically update DNS A and PTR records", and to "Discard A and PTR records when the lease is deleted".

Image of the DNS tab

Anthony Geoghegan
Pi Rho
-1

Another issue that we found out is if the DNS zone (both) is set to Secure only. If the Machine is not generating a unique SID, then an Active Directory integrated DNS will have the option to be set as allowing secure updates only. Have them set to be secure and non-secure on both the forward and reverse lookup zones.

Pi Rho
  • Not relevant at all. If this was the case, DNS registration would fail even when using a static IP address. – Massimo Oct 22 '15 at 16:25