02-24-2020 02:32 AM - edited 02-24-2020 03:15 AM
We're currently planning a DHCP-Migration from MS DHCP-Server to Infoblox.
DNS will - for now - stay on the existing MS-DNS Server (AD-Integrated).
These Microsoft DNS-Servers are running Windows Server 2008, as far as I know.
Infoblox is running 8.4.4.
For test purposes we have already moved one DHCP-Scope to Infoblox, and also configured DDNS so that Infoblox updates the affected A- and PTR-Records - if needed - on the Microsoft DNS-Servers on behalf of the end devices.
But we still get these Error-Messages on Infoblox for the A- and PTR-Records:
- bind update on <ip end device> from xxxxxx (1581495196ps) rejected: incoming update is less critical than outgoing update
- Unable to add forward map from <hostname end device> to <ip end device>: NOTAUTH
- Reverse map update for <ip end device> abandoned because of non-retryable failure: NOTAUTH
- Forward map update for <ip end device> abandoned because of non-retryable failure: NOTAUTH
These are our current DDNS settings in Infoblox:
Grid DHCP DDNS Setting
- DNS Updates: “Enable DDNS Updates” enabled
- DDNS Update Method: Interim
- Lease Renewal Update: “Update DNS on DHCP Lease Renewal” enabled
- Generate Hostname: “Generate Hostname if not Sent by Client” enabled
- Fixed Address Updates: “Update Fixed Addresses” enabled
- TXT (DHCID) Record Handling: ISC
Data Management – DHCP – Configure DDNS - DNS UPDATES TO EXTERNAL ZONES
- Forward- and Reverse-Mapping Zones added
- Security: None
We have also played with different settings (e.g. for TXT Record Handling) but right now we are not able to get DDNS working.
Can anybody tell me where those NOTAUTH Log-Messages come from and what could be the reason why DDNS is not working?
02-28-2020 03:26 AM
Hey, I am working on a very similar project at the moment, migrating MS DHCP to Infoblox but keeping MS DNS on AD. I am setting up GSS-TSIG to update the MS DNS servers as they have "secure only" updates enabled.
But your problem seems more simple, you are getting a NOTAUTH error. I can never remember if this means not authoritative or not authorised.
It sounds like you are not using GSS-TSIG, have you checked the zone security in AD? Do you have them set to "Nonsecure and secure" - if you have it set to "Secure only" then you will need to set up GSS-TSIG.
PCN (UK) Ltd
All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
a month ago
We were now able to fix this problem. It had nothing to do with a secure connection between Infoblox and Microsoft as both sides had security disabled. Instead we used the wrong zone-name in Infoblox for the external zone on the Microsoft server.
On Microsoft DNS-Server we have a zone "zone.com" with a folder/group below "group".
This results in a complete FQDN "hostname.group.zone.com".
So we used the following zone name on Infoblox in "DNS Updates to external Zones":
And this did not work as this was not a valid zone on Microsoft, and therefore Microsoft sent a NOTAUTH message back (verified with packet capture on Infoblox).
After we changed the zone name on Infoblox to "zone.com" DDNS was working fine without any NOTAUTH message.
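The failure described in this thread can be reproduced offline. This is an added example, not code from any poster or from Infoblox or Microsoft: it builds an RFC 2136 UPDATE message and runs it through a simulated authoritative server that applies the RFC's Zone Section check. `HOSTED_ZONES`, `server_rcode` and `enclosing_zone` are hypothetical names, and `group.zone.com` in the usage note is an assumed stand-in for the wrong zone name, which the post does not show.

```python
import socket
import struct

NOERROR, NOTAUTH, NOTZONE = 0, 9, 10  # RCODEs (RFC 2136)
TYPE_A, TYPE_SOA, CLASS_IN, OPCODE_UPDATE = 1, 6, 1, 5
HOSTED_ZONES = {"zone.com"}  # constructed: zones the simulated server hosts

def encode_name(name):
    """Encode a domain name as length-prefixed labels (no compression)."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def decode_name(msg, off):
    """Decode an uncompressed name at offset; return (name, next offset)."""
    labels = []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii").lower())
        off += 1 + n
    return ".".join(labels), off + 1

def build_update(zone, fqdn, ip, msg_id=0x1234, ttl=3600):
    """Build an UPDATE adding one A record; `zone` goes in the Zone Section."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rr = (encode_name(fqdn) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
          + socket.inet_aton(ip))
    return header + zone_section + rr

def server_rcode(msg, hosted=HOSTED_ZONES):
    """Simulated server: RCODE that RFC 2136 prescribes for this message."""
    zone, off = decode_name(msg, 12)      # Zone Section follows the 12-byte header
    if zone not in hosted:
        return NOTAUTH                    # named zone is not a zone on this server
    name, _ = decode_name(msg, off + 4)   # skip ZTYPE and ZCLASS
    if name != zone and not name.endswith("." + zone):
        return NOTZONE                    # record lies outside the named zone
    return NOERROR

def enclosing_zone(fqdn, hosted=HOSTED_ZONES):
    """Longest hosted zone containing fqdn: the name to configure for updates."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in hosted:
            return candidate
    return None
```

`server_rcode(build_update("group.zone.com", "hostname.group.zone.com", "192.0.2.10"))` returns `NOTAUTH`, while the same update with `"zone.com"` in the Zone Section returns `NOERROR`; `enclosing_zone` gives the name to enter for a given client FQDN.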