Troubleshooting Windows 2000 Domain Name System Dynamic Update Problems

This article describes the dynamic update process that is used between Windows 2000-based client computers and Windows 2000-based Domain Name System (DNS) servers. The typical points of failure in the update process and how to diagnose them are also described. For additional information about how to Configure DNS Dynamic Update in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:

The dynamic update process can be broken into five basic steps:

1. A Windows 2000-based client queries its configured DNS server to find the authoritative name server for the domain name it is attempting to update.
2. The local name server of the client performs the standard name resolution process to discover the authoritative name server. This DNS server must respond to the client query with the start of authority (SOA) record and the Internet Protocol (IP) addresses of the name servers that are authoritative for the zone that the client queried.
3. The Windows 2000-based client sends a dynamic update request to the authoritative DNS server for the zone that the client is attempting to update.
4. The dynamic update request of the client may include a list of prerequisites that must be fulfilled before an update can be made. The types of prerequisites include:
   • The resource record set exists.
   • The resource record set does not exist.
   • The name is in use.
   • The name is not in use.
   NOTE: Refer to Requests for Comments (RFC) 2136 for a full description of these prerequisite types.
5. The authoritative DNS server checks whether the prerequisites have been fulfilled. If they have, the DNS server performs the requested update. If the prerequisites have not been fulfilled, the update is not successful. In either case, the DNS server replies to the client, indicating whether the update had been successful.

Updates can be unsuccessful for several reasons:

• The DNS server is not configured to accept dynamic updates for the requested zone. Therefore, all dynamic update requests for the zone are unsuccessful. You can verify that the zone to be updated is configured to accept dynamic updates, by right-clicking the zone in the Windows 2000 DNS Microsoft Management Console (MMC), and then clicking Properties. The "Allow dynamic updates" field must be set to "Yes" (in some cases it may be set to "Secure Only").
  
  You can also verify the configuration of the zone by using the Dnscmd.exe utility, which is included in Windows 2000 Support Tools. To display the current configuration of a zone, at a command prompt, type: dnscmd /ZoneInfo zone_name.
• The DNS server accepts only secure dynamic updates for the requested zone. Therefore, all non-secure dynamic update requests for the zone are unsuccessful. You can verify that a zone is configured for secure updates by using either the Windows 2000 DNS Server MMC or the Dnscmd.exe utility, in the manner previously described. To test whether secure dynamic updates are part of the problem, configure the Allow dynamic updates option of the target zone to "Yes", instead of "Only secure updates." When this option has been changed to enable non-secure updates, test to verify if the client can successfully register in the target zone.
• The authoritative server for the name does not respond. This behavior can occur if the server is down or if the local name server has an incorrect or outdated name server listed in its SOA resource record. Verify that the server responds, and that the response is accurate using the nslookup command. Use the nslookup command to verify that the configured DNS servers of the client answers queries. Send a query to the DNS servers for the name of the target zone by using the following commands:
  nslookup
  set query=SOA
  reskit.com
  
  The reskit.com. entry represents the name of the target zone. Change this name to match the zone name that you are interested in. The output can resemble:
  Server: name-server.dev.reskit.com
  Address: 134.67.123.245
  
  Non-authoritative answer: reskit.com
  primary name server = dns-server.reskit.com
  responsible mail addr = admin
  serial = 2413358
  refresh = 900 (15 minutes)
  retry = 600 (10 minutes)
  expire = 86400 (1 day)
  default TTL = 3600 (1 hour)
  
  dns-server.reskit.com Internet address = 134.66.1.11
  Is the SOA data in the response of the server accurate? Is the authoritative DNS server that is identified in the SOA record correct? If so, is the IP address that is listed for the server also accurate? If the server does not respond or the data that the server returns is not accurate, perform the necessary steps to address those issues.
• The server is not accepting dynamic updates because the target zone is currently being transferred. To determine whether this behavior can be the cause of a DNS update being unsuccessful, check the DNS log in Event Viewer. Specifically, look for zone transfer events that occurred at the time that the client attempted to perform an update. Typically, zone transfers are operations that occur for short periods of time. Because of this behavior, it is unlikely that an attempt by a client to dynamically update a DNS zone can be prevented twice in a short period of time because of zone transfers. To eliminate zone transfers as a possible cause of a dynamic update failure, run the ipconfig /registerdns command on a client shortly after it has been unable to successfully update a DNS zone. Record the time and check the DNS event log to observe if a zone transfer had been performed at the same time you ran the command.
  
  Another method to eliminate zone transfers as a possible cause of dynamic update failures is to stop zone transfers for the target zone on the server that the client is using to make the update. To do this, start the Windows 2000 DNS Server MMC on the DNS server used for the update, right-click the target zone, and then click Properties. Click the Zone Transfers tab, and then click to clear the Allow zone transfers check box. Click OK to save the changes.
  
  You can also use the Dnscmd.exe utility from Windows 2000 Support Tools to stop zone transfers. To stop zone transfers for a specific zone, at a command prompt of the DNS server that is hosting the target zone, where Reskit.com represents the name of the zone that you want to stop transfers to or from, type: dnscmd /ZoneResetSecondaries reskit.com. /NoXfr.
  
  When zone transfers have been stopped, determine if the update failures still occur. If dynamic updates are still unsuccessful, use the other suggestions that are in this article to continue troubleshooting the problem.