I'm having a problem where a Windows 10 client connected to the domain via DirectAccess isn't updating the client DNS records on the domain's nameserver. Instead, it appears to be trying to update the public DNS infrastructure.
When I run ipconfig /registerdns, I get the following in Event Viewer:
The system failed to register host (A or AAAA) resource records for network adapter
with settings:
Adapter Name : {1D45B42E-3DE0-40FF-9306-C6017F422CD3}
Host Name : D8058
Primary Domain Suffix : ad.isg.global
DNS server list :
1.0.0.1, 1.1.1.1, 2606:4700:4700::1111, 2606:4700:4700::1001
Sent update to server : <?>
IP Address(es) :
2a01:4b00:xxxx:xxxx:xxxx:xxxx:xxxx:cbac, 2a01:4b00:xxxx:xxxx:xxxx:xxxx:xxxx:cbac, 172.16.100.72
Either the DNS server does not support the DNS dynamic update protocol or the authoritative zone for the specified DNS domain name does not accept dynamic updates.
To register the DNS host (A or AAAA) resource records using the specific DNS domain name and IP addresses for this adapter, contact your DNS server or network systems administrator.
Note that the 2801 address is the computer's IPv6 address on the client's local network (publicly routable), and 172.16.100.72 is the IPv4 address on the local network. 1.1.1.1 and 1.0.0.1 are the DNS servers provided by the client router's DHCP server.
In other words, it appears to be trying to update the record on the public DNS infrastructure, rather than the domain's DNS server. I have confirmed on Wireshark that it is trying to send the update requests to 1.1.1.1.
DNS resolution for network servers is working completely fine, however:
> ping dc01
Pinging dc01.redacted.network [fda4:9e55:xxxx:xxxx::xxxx:300a] with 32 bytes of data:
Reply from fda4:9e55:xxxx:xxxx::xxxx:300a: time=21ms
Reply from fda4:9e55:xxxx:xxxx::xxxx:300a: time=11ms
> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : 2a01:4b00:xxxx:xxxx:xxxx:xxxx:xxxx:cbac
IPv6 Address. . . . . . . . . . . : 2a01:4b00:xxxx:xxxx:xxxx:xxxx:xxxx:cbac
Temporary IPv6 Address. . . . . . : 2a01:4b00:xxxx:xxxx:xxxx:xxxx:xxxx:8e46
Temporary IPv6 Address. . . . . . : 2a01:4b00:xxxx:xxxx:xxxx:xxxx:xxxx:8e46
Link-local IPv6 Address . . . . . : fe80::4186:420e:3109:cbac%3
IPv4 Address. . . . . . . . . . . : 172.16.100.72
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::7a8a:20ff:fe41:a8bf%3
172.16.100.1
Tunnel adapter Microsoft IP-HTTPS Platform Interface:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : fda4:9e55:xxxx:xxxx:xxxx:xxxx:xxxx:ca42
Temporary IPv6 Address. . . . . . : fda4:9e55:xxxx:xxxx:xxxx:xxxx:xxxx:f3e1
Link-local IPv6 Address . . . . . : fe80::145a:43a2:73ff:ca42%5
Default Gateway . . . . . . . . . :
> Get-DnsClientNrptPolicy
Namespace : .redacted.network
QueryPolicy :
SecureNameQueryFallback :
DirectAccessIPsecCARestriction :
DirectAccessProxyName :
DirectAccessDnsServers : fda4:9e55:xxxx:xxxx::1
DirectAccessEnabled :
DirectAccessProxyType : NoProxy
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired : False
NameServers :
DnsSecIPsecCARestriction :
DnsSecQueryIPsecEncryption :
DnsSecQueryIPsecRequired : False
DnsSecValidationRequired : False
NameEncoding : Utf8WithoutMapping
Namespace : DirectAccess-NLS.redacted.network
QueryPolicy :
SecureNameQueryFallback :
DirectAccessIPsecCARestriction :
DirectAccessProxyName :
DirectAccessDnsServers :
DirectAccessEnabled :
DirectAccessProxyType : UseDefault
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired : False
NameServers :
DnsSecIPsecCARestriction :
DnsSecQueryIPsecEncryption :
DnsSecQueryIPsecRequired : False
DnsSecValidationRequired : False
NameEncoding : Utf8WithoutMapping
Client DNS record updates are working fine on other DirectAccess clients. The only difference I am aware of is that this network has a native IPv6 address, but that could be a red herring.
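Added example, not part of the original question: a read-only PowerShell check that lines up the three things the output above shows separately, namely the name the client registers, the NRPT rule (if any) that covers it, and the DNS servers on each adapter that has registration enabled. It uses only the built-in DnsClient cmdlets; reading the primary suffix from `IPGlobalProperties` and treating a leading-dot namespace as a suffix rule are assumptions of this sketch.

```powershell
# Read-only diagnostic; nothing here changes configuration.
# Assumption: the primary DNS suffix is what .NET reports as DomainName.
$suffix = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName
$fqdn   = ('{0}.{1}' -f $env:COMPUTERNAME, $suffix).ToLower()

# 1. Which effective NRPT rule, if any, covers the name being registered?
#    A namespace with a leading dot is matched as a suffix, otherwise as an exact FQDN.
$nrptMatch = foreach ($policy in Get-DnsClientNrptPolicy -Effective) {
    foreach ($ns in @($policy.Namespace)) {
        $n = $ns.ToLower()
        $isSuffixRule = $n.StartsWith('.')
        if (($isSuffixRule -and $fqdn.EndsWith($n)) -or (-not $isSuffixRule -and $fqdn -eq $n)) {
            [pscustomobject]@{
                Namespace              = $ns
                DirectAccessDnsServers = $policy.DirectAccessDnsServers -join ', '
            }
        }
    }
}

# 2. Adapters that will attempt dynamic registration, with their DNS servers.
$registering = Get-DnsClient | Where-Object RegisterThisConnectionsAddress | ForEach-Object {
    $servers = (Get-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex).ServerAddresses
    [pscustomobject]@{
        Interface  = $_.InterfaceAlias
        Suffix     = $_.ConnectionSpecificSuffix
        DnsServers = ($servers | Select-Object -Unique) -join ', '
    }
}

# 3. Who answers as authoritative for the suffix? The SOA primary server is
#    the host a dynamic update is addressed to.
$soa = Resolve-DnsName -Name $suffix -Type SOA -DnsOnly -ErrorAction SilentlyContinue |
    Where-Object Type -eq 'SOA'

"Name to register : $fqdn"
if ($nrptMatch) { $nrptMatch | Format-List }
else { "No effective NRPT rule covers $fqdn; its queries use the adapter DNS servers." }
$registering | Format-Table -AutoSize
if ($soa) { $soa | Select-Object Name, PrimaryServer | Format-Table -AutoSize }
else { "No SOA answer for '$suffix' from the resolvers this client used." }
```

Run it on a working DirectAccess client and on the affected one and compare: a registration name outside every NRPT namespace, or a public resolver listed for a registering adapter, means the internal host name and suffix are being sent off the corporate network.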