DNS problem

Hello,

I have a DC/DNS on Windows Server 2012 (not R2) and some clients running Windows 7 and some Windows 8.1.

None of the Windows 8.1 clients register in DNS; they log DNS Client Event ID 8018.

Windows 7 clients register in DNS OK.

Must I have the DC on Windows Server 2012 R2?

Event details:

The system failed to register host (A or AAAA) resource records (RRs) for network adapter
with settings:

           Adapter Name : {DF71F97C-9B9D-4DA4-8209-0C02978E8D3D}
           Host Name : PC02
           Primary Domain Suffix : faf.cuni.cz
           DNS server list :
             2001:718:1201:100::1, 2001:718:1201:100::17, 172.18.100.1, 172.18.100.17
           Sent update to server : <?>
           IP Address(es) :
             2001:718:1201:128:44f0:a314:f663:373a, 172.18.152.7

The reason the system could not register these RRs was because the DNS server contacted refused the update request. The reasons for this might be (a) you are not allowed to update the specified DNS domain name, or (b) because the DNS server authoritative for this name does not support the DNS dynamic update protocol.

To register the DNS host (A or AAAA) resource records using the specific DNS domain name and IP addresses for this adapter, contact your DNS server or network systems administrator.

Thanks,

Snake AG

December 18th, 2013 1:29pm

Let's see an ipconfig /all from a couple of your machines for comparison.

Also:

  1. Does the issue just occur on wireless or on wired and wireless?
  2. Is it just with DHCP clients, or DHCP and static clients (such as your DCs and member servers)?
  3. Is the zone set to Secure Only? If it is, and you set the zone to Unsecure, does it work?
December 30th, 2013 7:20am

Windows 8.1 ipconfig /all

Q:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : PCUVT1
   Primary Dns Suffix  . . . . . . . : faf.cuni.cz
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : faf.cuni.cz
   System Quarantine State . . . . . : Not Restricted


Ethernet adapter S Ethernet:

   Connection-specific DNS Suffix  . : faf.cuni.cz
   Description . . . . . . . . . . . : Intel(R) 82566DM-2 - gigabitové síťové připojení
   Physical Address. . . . . . . . . : 00-1E-4F-E3-2E-12
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:718:1201:128:15c3:3160:f281:2038(Preferred)
   Temporary IPv6 Address. . . . . . : 2001:718:1201:128:9e8:61a9:1826:3ac1(Preferred)
   Link-local IPv6 Address . . . . . : fe80::15c3:3160:f281:2038%3(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.18.130.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.224.0
   Lease Obtained. . . . . . . . . . : Friday, December 27, 2013 1:05:29 PM
   Lease Expires . . . . . . . . . . : Thursday, February 5, 2150 5:39:04 PM
   Default Gateway . . . . . . . . . : fe80::eab7:48ff:fee5:f17f%3
                                       172.18.128.10
   DHCP Server . . . . . . . . . . . : 172.18.100.241
   DHCPv6 IAID . . . . . . . . . . . : 50339407
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-3C-A4-45-00-1E-4F-E3-2E-12

   DNS Servers . . . . . . . . . . . : 2001:718:1201:100::1
                                       2001:718:1201:100::17
                                       172.18.100.1
                                       172.18.100.17
   Quarantine State. . . . . . . . . : Not Restricted

   NetBIOS over Tcpip. . . . . . . . : Enabled
   Connection-specific DNS Suffix Search List :
                                       faf.cuni.cz

Tunnel adapter isatap.faf.cuni.cz:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : faf.cuni.cz
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

December 30th, 2013 10:13am

This issue is on wired clients.

I have DHCP static clients (MAC reservations).

This zone is set to Secure Only.

(The same works fine for Windows 7 clients.)
December 30th, 2013 10:16am

Windows 7 ipconfig /all

C:\Users\rudisar>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : PCUVT2
   Primary Dns Suffix  . . . . . . . : faf.cuni.cz
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : faf.cuni.cz
   System Quarantine State . . . . . : Not Restricted

Ethernet adapter Připojení k místní síti:

   Connection-specific DNS Suffix  . : faf.cuni.cz
   Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-01-80-7C-ED-6E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:718:1201:128:201:80ff:fe7c:ed6e(Preferred)
   Link-local IPv6 Address . . . . . : fe80::201:80ff:fe7c:ed6e%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.18.130.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.224.0
   Lease Obtained. . . . . . . . . . : 30. prosince 2013 11:22:02
   Lease Expires . . . . . . . . . . : 5. února 2150 17:53:29
   Default Gateway . . . . . . . . . : fe80::eab7:48ff:fee5:f17f%11
                                       172.18.128.10
   DHCP Server . . . . . . . . . . . : 172.18.100.241
   DHCPv6 IAID . . . . . . . . . . . : 234881408
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-DD-29-B0-00-01-80-7C-ED-6E
   DNS Servers . . . . . . . . . . . : 2001:718:1201:100::1
                                       2001:718:1201:100::17
                                       172.18.100.1
                                       172.18.100.17
   Quarantine State. . . . . . . . . : Not Restricted
   NetBIOS over Tcpip. . . . . . . . : Enabled
   Connection-specific DNS Suffix Search List :
                                       faf.cuni.cz

December 30th, 2013 10:33am

Thank you for the detailed info. A couple of more questions:

  1. Have you tried setting the zone faf.cuni.cz, to Unsecure to see if that works? If it does work, then it's a Kerberos Authentication issue on the Windows 8.1 clients.
  2. I assume it does not occur with statically configured machines, such as your servers (any of them), by which I do not mean DHCP MAC reservations.

*

DHCP server configuration?

Do you have DHCP configured with Credentials, the DHCP servers added to the DnsUpdateProxy group, and have set DHCP to update ALL clients whether they can or not?

If you haven't configured DHCP this way, I recommend going this route, because this setup will take care of registering all clients.

The reason I say this is because, with this setup, we are altering the default registration mechanism: instead of the client trying to register itself, we force DHCP to register.

Here's the default registration mechanism:

1. By default, Windows 2000 and newer statically configured machines will
register their own A record (hostname) and PTR (reverse entry) into DNS.
2. If set to DHCP, a Windows 2000, 2003 or XP machine will request DHCP to allow
the machine itself to register its own A (forward entry) record, but DHCP will register its PTR
(reverse entry) record.
3. If Windows 2008 or newer, the DHCP server always registers and updates client information in DNS.
   Note: "This is a modified configuration supported for DHCP servers
         running Windows Server 2008 and DHCP clients. In this mode,
         the DHCP server always performs updates of the client's FQDN,
         leased IP address information, and both its host (A) and
         pointer (PTR) resource records, regardless of whether the
         client has requested to perform its own updates."
         Quoted from, and more info on this, see:
         http://technet.microsoft.com/en-us/library/dd145315(v=WS.10).aspx
4. The entity that registers the record in DNS, owns the record.
   Note "With secure dynamic update, only the computers and users you specify
        in an ACL can create or modify dnsNode objects within the zone.
        By default, the ACL gives Create permission to all members of the
        Authenticated User group, the group of all authenticated computers
        and users in an Active Directory forest. This means that any
        authenticated user or computer can create a new object in the zone.
        Also by default, the creator owns the new object and is given full control of it."
        Quoted from, and more info on this:
        http://technet.microsoft.com/en-us/library/cc961412.aspx

*

Therefore, to set it all up, in summary:

  • Configure DHCP Credentials. The credentials only need to be a plain-Jane, non-administrator, user account. But give it a really strong password.
  • Set DHCP to update everything, whether the clients can or cannot.
  • Set the zone for Secure & Unsecure Updates. Do not leave it Unsecure Only.
  • Add the DHCP server(s) to the Active Directory, Built-In DnsUpdateProxy security group. Make sure ALL other non-DHCP servers are NOT in the DnsUpdateProxy group. For example, some believe that the DNS servers or other DCs not running DHCP should be in it. They must be removed or it won't work. Make sure that NO user accounts are in that group, either. (I hope that's crystal clear - you would be surprised how many will respond asking if the DHCP credentials should be in this group.)
  • On Windows 2008 R2 or newer, DISABLE Name Protection.
  • If DHCP is co-located on a Windows 2008 R2 or Windows 2012 DC, you can and must secure the DnsUpdateProxy group by running the following:
            dnscmd /config /OpenAclOnProxyUpdates 0
  • Configure Scavenging on ONLY one DNS server. What it scavenges will replicate to others anyway. Set the scavenging NOREFRESH and REFRESH values combined to be equal or greater than the DHCP Lease length.

*

Details on how to set it up with screenshots:

DHCP Service Configuration, Dynamic DNS Updates, Scavenging, Static Entries, Timestamps, DnsUpdateProxy Group, DHCP Credentials, prevent duplicate DNS records, DHCP has a "pen" icon, and more...
Published by Ace Fekay, MCT, MVP DS on Aug 20, 2009 at 10:36 AM
http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx

Good summary
How Dynamic DNS behaves with multiple DHCP servers on the same Domain?
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e9d13327-ee75-4622-a3c7-459554319a27

Another good discussion, in which Microsoft Support concurred with my settings for a poster who called in to Support, which verified that my settings are correct:
DHCP Server Not Registering A Records for Windows Clients
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e4b285d6-5795-4045-83ff-3a3c793b2cfc/

*

More reading on DNS registration:

AD & Dynamic DNS Updates Registration Rules of engagement
http://blogs.msmvps.com/acefekay/2012/11/19/ad-dynamic-dns-updates-registration-rules-of-engagement/

December 30th, 2013 6:00pm
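The checklist above, expressed as an added PowerShell example (not code from the thread or from Ace's blog) using the DhcpServer, DnsServer and ActiveDirectory modules shipped with Windows Server 2012. Assumed names: DHCP01 is the DHCP server, DC01 the DNS server, and the zone is faf.cuni.cz; the zone is kept on Secure Only updates, the state the original poster's zone is in.

```powershell
# Added example, not code from the thread: applies the DHCP/DNS registration
# checklist with the DhcpServer, DnsServer and ActiveDirectory modules.
# Assumed names: DHCP01 = DHCP server, DC01 = DNS server/DC, zone faf.cuni.cz.
$zone = 'faf.cuni.cz'
$dhcp = 'DHCP01'
$dns  = 'DC01'

# 1. DHCP credentials: an ordinary, non-administrator domain user with a strong password.
$cred = Get-Credential -Message 'Non-admin account DHCP will use to own DNS records'
Set-DhcpServerDnsCredential -ComputerName $dhcp -Credential $cred

# 2. DHCP registers A and PTR for every client whether it asks or not (older
#    clients included), removes them on lease expiry; Name Protection stays off.
Set-DhcpServerv4DnsSetting -ComputerName $dhcp -DynamicUpdates Always `
    -UpdateDnsRRForOlderClients $true -DeleteDnsRRonLeaseExpiry $true -NameProtection $false

# 3. Zone accepts secure updates only; it must not be left on nonsecure.
Set-DnsServerPrimaryZone -ComputerName $dns -Name $zone -DynamicUpdate Secure

# 4. DnsUpdateProxy holds only the DHCP server computer account(s): no DCs, no users.
$group = 'DnsUpdateProxy'
Get-ADGroupMember -Identity $group |
    Where-Object { $_.objectClass -ne 'computer' -or $_.name -ne $dhcp } |
    ForEach-Object { Remove-ADGroupMember -Identity $group -Members $_ -Confirm:$false }
Add-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity $dhcp)

# 5. DHCP co-located on a DC: records created via DnsUpdateProxy members must
#    not get an open ACL (the dnscmd switch quoted in the thread).
if ($dhcp -eq $dns) { dnscmd $dns /config /OpenAclOnProxyUpdates 0 }

# 6. Scavenging on ONE server: NoRefresh + Refresh must be >= the longest lease.
$lease = (Get-DhcpServerv4Scope -ComputerName $dhcp |
    Sort-Object -Property LeaseDuration -Descending | Select-Object -First 1).LeaseDuration
$half  = [TimeSpan]::FromTicks([math]::Ceiling($lease.Ticks / 2))
Set-DnsServerZoneAging -ComputerName $dns -Name $zone -Aging $true `
    -NoRefreshInterval $half -RefreshInterval $half
Set-DnsServerScavenging -ComputerName $dns -ScavengingState $true -ScavengingInterval 7.00:00:00

# Read back what was applied so the settings can be confirmed before clients renew.
Get-DhcpServerv4DnsSetting -ComputerName $dhcp
Get-DnsServerZoneAging -ComputerName $dns -Name $zone
```

Run step 4 with care on an existing group: it removes every member that is not the named DHCP server computer account.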

Thanks Ace.

After I set the zone to Unsecure, DNS registration is working.

How do I resolve the problem with Kerberos authentication?

December 30th, 2013 6:48pm

I have in "Default Domain Policy" GPO this:

Account Policies/Kerberos

   Policy                                                 Setting
   Enforce user logon restrictions                        Enabled
   Maximum lifetime for service ticket                    600 minutes
   Maximum lifetime for user ticket                       10 hours
   Maximum lifetime for user ticket renewal               7 days
   Maximum tolerance for computer clock synchronization   5 minutes

for computer configuration (Windows 7 and Windows 8.1).

December 30th, 2013 6:59pm

I usually don't recommend changing Kerberos settings. Those settings you posted look like the default settings.

Late edit: In some cases with Kerberos auth settings, it's not just in the domain policy, rather it may also need to be changed in the security settings in the Default Domain Controller Policy for all DCs. Now you see why I don't usually recommend changes in this area and try to resolve the issue first.

I assume the Windows 8 and 8.1 machines clocks are within 5 minutes skew with the DCs and all other machines.

If you don't want to implement DHCP as suggested, which is the way that many installations, small and large, have it configured so they have full control of what's being updated, which I know will work (it also eliminates duplicate A and PTR records), then we have to look deeper into why DNS update authentication is not working. With Kerberos issues, it's a bit more involved to get to the root of it, and will involve packet captures filtering for Kerberos authentication, the DNS client-side SOA query and the registration sequence process.

Is the SOA available? Check the zone to make sure there are no old servers in the NS list. That's the main way registration works, as I assume you took the time to read up on it in my DNS update rules blog.

What domain functional level is the domain set to?

Did this all start after a Windows update perhaps?

In such cases, it's better to get Microsoft support involved where they can run numerous tests to get down to the root of the issue. If you do, please post what they've found.
http://support.microsoft.com/contactus/

December 30th, 2013 7:45pm

SOA is available and the NS list is correct.

The domain functional level is Windows Server 2008 R2. Must I change this to Windows Server 2012?

December 30th, 2013 8:23pm

That's what I would have done if I'd upgraded the domain. So you can, as long as ALL DCs are now 2012. If there are any 2008 R2 or older DCs, no, you can't.

December 30th, 2013 8:31pm

After changing the domain functional level, the problem is resolved.

Dynamic DNS registration is working fine on Windows 8.1.

Thanks.

January 2nd, 2014 1:15pm

I'm happy to hear this worked. Certain authentication and other changes are added with newer domain functional levels.

I'm also happy to hear our suggestions helped you!

January 2nd, 2014 5:10pm

        By default, the ACL gives Create permission to all members of the
        Authenticated User group, the group of all authenticated computers
        and users in an Active Directory forest. This means that any
        authenticated user or computer can create a new object in the zone.
        Also by default, the creator owns the new object and is given full control of it."
        Quoted from, and more info on this:
        http://technet.microsoft.com/en-us/library/cc961412.aspx

Thank you for posting this, Ace! We just came across this problem where Dynamic DNS was not working, and the key in our scenario was the text "By default, the ACL gives Create permission to all members of the Authenticated User group".

In our scenario, changing the dynamic updates option to allow insecure updates did work (but we obviously didn't want that).  In digging further I found that someone in our environment had incorrectly changed the "Authenticated Users" group to no longer have the "Create all child objects" permission and this is what prevented Dynamic DNS from working in one of our environments.  Once this was corrected, Dynamic DNS started to work correctly.

I realize this is an old thread, but I wanted to post this information here since there are other good tips here and will hopefully help someone else.

Thanks!
July 29th, 2015 11:02pm
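The zone-ACL check described in the post above, as an added PowerShell example (not code from the thread): it locates the zone object in whichever DNS application partition or container it lives in, reports whether Authenticated Users (well-known SID S-1-5-11) still hold the Create child objects right, and can put the ACE back. The zone name is an assumption.

```powershell
# Added example, not code from the thread: verifies that Authenticated Users can
# still create child objects in an AD-integrated zone (the right the post above
# found removed), and optionally restores it. Zone name is assumed.
Import-Module ActiveDirectory
$zoneName = 'faf.cuni.cz'
$repair   = $false                      # set to $true to add the missing ACE back

$domainDN = (Get-ADDomain).DistinguishedName
$forestDN = (Get-ADRootDSE).rootDomainNamingContext
# The three containers an AD-integrated zone can live in, by replication scope.
$zoneDN = @(
    "DC=$zoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN",
    "DC=$zoneName,CN=MicrosoftDNS,DC=ForestDnsZones,$forestDN",
    "DC=$zoneName,CN=MicrosoftDNS,CN=System,$domainDN"
) | Where-Object { Test-Path -Path "AD:\$_" } | Select-Object -First 1
if (-not $zoneDN) { throw "Zone object for $zoneName not found in Active Directory" }

$authUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'   # Authenticated Users
$create    = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$acl       = Get-Acl -Path "AD:\$zoneDN"

# An Allow ACE for Authenticated Users whose rights include CreateChild
# (a GenericAll ACE satisfies this too). Identity is compared by SID so the
# check does not depend on the localized group name.
$ok = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $authUsers -and
    $_.ActiveDirectoryRights.HasFlag($create)
}

if ($ok) {
    Write-Output "OK: Authenticated Users can create child objects in $zoneDN"
} else {
    Write-Output "MISSING: Authenticated Users cannot create child objects in $zoneDN; secure client updates will be refused"
    if ($repair) {
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $authUsers, $create, [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
        Set-Acl -Path "AD:\$zoneDN" -AclObject $acl
        Write-Output "Restored Create child objects for Authenticated Users on $zoneDN"
    }
}
```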