Server 2012 R2 - The system failed to register host (A or AAAA) resource records (RRs) for network adapter

We seem to be having an issue recently after introducing new Windows Server 2012 R2 servers where they fail to register DNS correctly. The Windows Firewall is off and the servers are on the same VLAN with no firewalls between them.

When I do an ipconfig /registerdns, or wait 24 hours for the system to try on its own, we get the following error:

The system failed to register host (A or AAAA) resource records (RRs) for network adapter
with settings:

           Adapter Name : {4A0ECF05-193F-4BEA-AA46-BEC593BA752B}
           Host Name : SRV-DATA
           Primary Domain Suffix : internal.local
           DNS server list :
              192.168.0.50, 192.168.0.42
           Sent update to server : <?>
           IP Address(es) :
             192.168.0.99

The reason the system could not register these RRs was because the DNS server contacted refused the update request. The reasons for this might be (a) you are not allowed to update the specified DNS domain name, or (b) because the DNS server authoritative for this name does not support the DNS dynamic update protocol.

To register the DNS host (A or AAAA) resource records using the specific DNS domain name and IP addresses for this adapter, contact your DNS server or network systems administrator.

On our DNS server we have set the internal.local zone to Secure Updates only, so that looks good because it is Active Directory that should be handling this authentication to update the record, I assume. Just to mention that when doing an ipconfig /registerdns the update fails within a few seconds.

Source: DNS Clients Events

Event ID: 8018

User: NETWORK SERVICE

This issue is only affecting Windows Server 2012 R2 clients, and testing with Windows Server 2008 R2 clients works with no issues. So is this a misconfiguration or a bug with Windows 2012 R2? I have checked all DNS settings on client and server, which all look good to me, so I am reaching out now to see if anyone has any ideas.

Environment:

- Windows Server 2012 R2 Domain Controllers (Forest/Domain Levels 2012 R2)

- Windows Server 2012 R2 Client machines (Physical and Virtual)

- Windows Server 2008 R2 Client machines (Physical and Virtual)

July 17th, 2014 11:21am

Decided to do a packet capture and look to see if anything is being blocked. To my surprise I could see that nothing is blocked as I see the SOA dynamic update request hit the DNS Server but then on the dynamic updates response from the DNS Server I see the following in the packet filter:

Dynamic update response 0xfb38 Refused CNAME

Transaction ID: 0x97f9
Flags: 0xa805 Dynamic update response, Refused
1... .... .... .... = Response: Message is a response
.010 1... .... .... = Opcode: Dynamic update (5)
.... .0.. .... .... = Authoritative: Server is not an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... 0... .... = Recursion available: Server can't do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... ...0 .... = Non-authenticated data: Unacceptable
.... .... .... 0101 = Reply code: Refused (5)

So it does look like the request is being denied/refused for some reason, which is odd. Looks like the update was not authenticated.


July 17th, 2014 1:53pm

Is the zone to which the updates are being sent configured to accept secure + non-secure updates? Also, the server should be authoritative for the zone. Can you paste the result of the PS cmd get-dnsServerZone | fl * here? Also please paste the incoming packet.
July 17th, 2014 4:59pm

The zone is configured as "Secure Only"

The PDC is the SOA for the zone

I don't have a packet capture from the DC, only the client.

The query you asked me to run is too long to paste in here, however this is the DNS zone it cannot update:

NotifyServers                     : 
SecondaryServers                  : {10.2.0.3, 10.2.0.5}
AllowedDcForNsRecordsAutoCreation : 
DistinguishedName                 : DC=internal.local,cn=MicrosoftDNS,DC=ForestDnsZones,DC=internal,DC=local
IsAutoCreated                     : False
IsDsIntegrated                    : True
IsPaused                          : False
IsReadOnly                        : False
IsReverseLookupZone               : False
IsShutdown                        : False
ZoneName                          : internal.local
ZoneType                          : Primary
DirectoryPartitionName            : ForestDnsZones.internal.local
DynamicUpdate                     : Secure
IsPluginEnabled                   : False
IsSigned                          : False
IsWinsEnabled                     : False
Notify                            : NoNotify
ReplicationScope                  : Forest
SecureSecondaries                 : TransferToSecureServers
ZoneFile                          : 
PSComputerName                    : 
CimClass                          : root/Microsoft/Windows/DNS:DnsServerPrimaryZone
CimInstanceProperties             : {DistinguishedName, IsAutoCreated, IsDsIntegrated, IsPaused...}
CimSystemProperties               : Microsoft.Management.Infrastructure.CimSystemProperties

July 17th, 2014 5:17pm

Are the updates being received secure? If they are not, you can change the setting to accept secure + non-secure updates. You can do this using set-dnsserverprimaryzone -zonename <> -DynamicUpdate NonsecureAndSecure

July 17th, 2014 5:22pm

While your idea of changing to "Secure and non-secure" may resolve the issue it is something I am not willing to do. We cannot have machines update DNS that are not members of our domain. Allowing the non-secure updates would really cause us security issues. 

I am not sure if the updates are being received secure or not though... how can I check if the client is sending the update secure? I don't really know what I am looking for in the packet capture or client settings that shows whether the update is sent secure or not. Do you know?

July 17th, 2014 8:03pm
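Added example, not code from anyone in this thread: a small Python parser that decodes the header flags the way the capture above displays them and reports whether an UPDATE carries a TSIG record in its additional section, which is what distinguishes a secure (GSS-TSIG, RFC 3645) Windows update from an unsecured one on the wire. The two sample messages are constructed here; the key name, transaction IDs and the zero-length MAC are placeholders, not values from the thread.

```python
import struct
TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
def decode_flags(flags):
    # Split the 16-bit flags word into the fields the capture above shows.
    return {"response": bool(flags >> 15), "opcode": (flags >> 11) & 0xF,
            "authoritative": bool((flags >> 10) & 1), "rcode": flags & 0xF}
def encode_name(name):
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
def read_name(msg, off):
    # Read a (possibly compressed) name; return (name, offset just past it).
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                               # compression pointer
            end = end or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (end or off)
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
def inspect_update(msg):
    # Summarise an UPDATE message: header flags plus whether a TSIG RR signs it.
    ident, flags, zo, pr, up, ad = struct.unpack("!6H", msg[:12])
    info = {"id": ident, **decode_flags(flags), "signed": False, "key": None, "algorithm": None}
    off = 12
    for _ in range(zo):                                    # zone section is question-shaped
        off = read_name(msg, off)[1] + 4
    for section, count in (("prereq", pr), ("update", up), ("additional", ad)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if section == "additional" and rtype == TYPE_TSIG:  # RFC 2845: TSIG is the last RR
                info["signed"], info["key"] = True, name
                info["algorithm"] = read_name(msg, off)[0]   # "gss-tsig" on Windows (RFC 3645)
            off += rdlen
    return info

def rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
# Constructed samples: (1) the refused reply from the capture above (id 0x97f9, flags 0xa805);
# (2) a GSS-TSIG signed update whose key name and empty MAC are placeholders, not real values.
ZONE = encode_name("internal.local") + struct.pack("!HH", TYPE_SOA, 1)
REFUSED_REPLY = struct.pack("!6H", 0x97F9, 0xA805, 1, 0, 0, 0) + ZONE
_tsig_rdata = encode_name("gss-tsig") + bytes(6) + struct.pack("!5H", 300, 0, 0x1234, 0, 0)
SIGNED_UPDATE = (struct.pack("!6H", 0x1234, 0x2800, 1, 0, 1, 1) + ZONE
                 + rr("srv-data.internal.local", TYPE_A, 1, 1200, bytes([192, 168, 0, 99]))
                 + rr("example-gss-key", TYPE_TSIG, 255, 0, _tsig_rdata))
```

When reading a client-side capture, note that a Windows client normally tries an unsecured update first and only negotiates a key (TKEY) and resends a TSIG-signed update after that first attempt is refused, so one Refused reply on its own is expected; the signed retry and the server's reply to it are what show whether secure update is actually failing.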

Ditto. I have workstations on a single-DC 2012 R2 network which are recording event 8018 as well. Likewise, I'm not willing to degrade DNS security to accommodate some bug or ?? in the OS.

What is the resolution to this issue?

August 22nd, 2015 3:06pm
