Tom Shinder Q&A: Dynamic DNS
Author Tom Shinder fields user questions on DNS and Dynamic DNS.
Author Tom Shinder fields user questions on DNS and Dynamic DNS in a followup to his Sept. 6 searchWin2000 live...
expert Q&A.
Q: If you are not sharing any workstation services on client Win2k machines, is it necessary to register their "A" and "PTR" records in DNS?
A: No. If no resources are contained on those clients that other machines need to access, there is no reason for them to register in the DDNS.
Q: Do you have to be running in native mode to use DDNS?
A: No. You can run a stand-alone Win2k DDNS server and take advantage of dynamic updates.
Q: What should the DNS Server entries be set to in the TCPIP settings on a DNS server? Also, on a DNS/DHCP/DC? If the PTR records for the DHCP server are set on another DNS server, would that affect what DNS server entries the TCPIP settings should be set to?
A: The DNS server settings should typically point to itself. This is especially the case if the DNS server is on a Domain Controller and using DDNS to update domain records information. There should be PTR records for all records stored on the DNS server. You might consider making a secondary zone on your server if you need pointer records from another server.
Q: Are there any issues with using a Windows 2000 DNS stand only server for a mix of NT4.0 domains and Windows 2000 domains pointing to it for resolution?
A: There are no serious problems. Remember that WinNT clients will not be able to update the DDNS themselves.
Q: Our DNS Win2k server is not AD-integrated. It is primary for our domain but not for the reverse lookup, which is handled by a UNIX server. The UNIX server is run by another org and will not delegate. The UNIX server is a secondary DNS server for our domain. Question: Will AD integration work in this situation?
A: This will work, but you need to make sure there is some mechanism in place to manually add the PTR records to the other domain. You lose a lot of functionality in this way because your DDNS configuration will not work best when the DNS server cannot register reverse lookup records. You might consider creating a subdomain for your internal network clients for which your server is authoritative.
Q: I have a mixed Win2k/NT Domain. I have a couple of machines (one is a member server with IIS installed and the other is a Win2k Pro with IIS installed) and I get a Security Event Failure with Event ID 565. The description indicates this is DNS related. I know that 565 is normally a success event. I haven't been able to find any references to Event ID 565 as a failure. Everything seems to be working normally but the Event Logs have lots of 565's and I'm concerned. Description contains:
Object Open:
Object Server: DS
Object Type: dnsNode
Object Name: DC=141,DC=220.16.168.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=etcmcn,DC=org
New Handle ID: -
Operation ID: {0,5787872}
Process ID: 248
Primary User Name: APOLLO2K$
Primary Domain: ETC-MACON
Primary Logon ID: (0x0,0x3E7)
Client User Name: WEB2K$
Client Domain: ETC-MACON
Client Logon ID: (0x0,0x5850D3)
Accesses Write Self
Privileges -
Properties: Delete Child Read Property %{00000000-0000-0000-0000-000000000000} Write Property %%7689 dnsRecord ACCESS_SYS_SEC dNSTombstoned.
A: It looks like an issue with dynamic update. You can try to put in static records for these clients or disable dynamic update on the client side.
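Added example (not part of the original Q&A): when the Security log holds many of these 565 failures, a short Python parser can show which machine account attempted the write and which DNS record it targeted, so the static-record or client-side fix goes to the right host. The sample is the description text quoted in the question; the function names and the field-label list are assumptions made for this example.

```python
import re

# Description text quoted in the question above, up to the Client Logon ID field.
SAMPLE_565 = (
    "Object Open: Object Server: DS Object Type: dnsNode Object Name: "
    "DC=141,DC=220.16.168.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=etcmcn,DC=org "
    "New Handle ID: - Operation ID: {0,5787872} Process ID: 248 "
    "Primary User Name: APOLLO2K$ Primary Domain: ETC-MACON "
    "Primary Logon ID: (0x0,0x3E7) Client User Name: WEB2K$ "
    "Client Domain: ETC-MACON Client Logon ID: (0x0,0x5850D3)"
)

# Field labels as they appear in that text.
LABELS = ["Object Server", "Object Type", "Object Name", "New Handle ID",
          "Operation ID", "Process ID", "Primary User Name", "Primary Domain",
          "Primary Logon ID", "Client User Name", "Client Domain",
          "Client Logon ID"]
LABEL_RE = re.compile("(" + "|".join(map(re.escape, LABELS)) + "):")

def parse_565(text):
    """Split a flattened 565 description into a {label: value} dict."""
    parts = LABEL_RE.split(text)  # [preamble, label, value, label, value, ...]
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}

def dns_node(object_name):
    """Return (record, zone, ipv4) for a dnsNode DN; ipv4 is None for forward zones.

    Assumes no escaped commas in the DN, which holds for the sample.
    """
    rdns = [rdn.split("=", 1)[1] for rdn in object_name.split(",")]
    record, zone = rdns[0], rdns[1]
    suffix = ".in-addr.arpa"
    ip = None
    if zone.lower().endswith(suffix):
        labels = [record] + zone[:-len(suffix)].split(".")
        if len(labels) == 4:  # all four octets are present
            ip = ".".join(reversed(labels))
    return record, zone, ip

def triage(text):
    """Summarise a 565 event on a dnsNode object; None for other object types."""
    ev = parse_565(text)
    if ev.get("Object Type") != "dnsNode":
        return None
    record, zone, ip = dns_node(ev["Object Name"])
    return {"client": ev["Client Domain"] + "\\" + ev["Client User Name"],
            "primary": ev["Primary Domain"] + "\\" + ev["Primary User Name"],
            "zone": zone, "record": record, "ptr_ip": ip}

if __name__ == "__main__":
    print(triage(SAMPLE_565))
```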
Q: When dynamic update is turned on we lose the DNS entries for our Static RAS DNS entries. The clients that are dialing in are non-Windows 2000. RAS is Windows 2000 server and all DNS and DC are 2000 Server. Ideas?
A: This can be a problem on domain controllers that also run DDNS. I would advise not running Active Directory on a RAS server.