06-01-2017 04:14 AM
06-02-2017 12:50 PM
What do the logs from the DNS server say at that time, that would be helpful in getting to the issue? Also, do you mean that the same server which accepts the updates till now is suddenly responding with NOT AUTH? Was there any configuration changes made so as to delete the zone itself or change the primary
06-09-2017 09:14 AM
thank you for the help.
We just see "update denied" in syslog and "no auth" in traffic capture on MS-DHCP.
... no change in DNS-config.
06-30-2017 01:01 PM
I would recommend reviewing the DNS configuration file and ensuring the update falls in the same view(if it has multiple views). and the server is indeed primary for the zone (look for "type master" or if a slave config look for update forwarding)
08-03-2017 01:31 PM - edited 11-13-2017 10:50 AM
Microsoft DHCP servers sending GSS-TSIG updates to Infoblox DNS servers has been flaky since Server 2003. I've had a couple tickets open for this over the years.
Although our usual failure mode generates [BAD KEY] messages in the Infoblox syslog, the results are about the same as what you list. At some point, the MS DHCP server stops negotiating the keys correctly with the Infoblox DNS server. Sometimes a restart of the MS DHCP service will trigger a correct update, and sometimes a reboot of the Windows box will fix it.
The last time I got Infoblox and Microsoft to talk about it and go through packet captures, it was that the Key roll over conversation all happened, Infoblox box started using the new key, and the MS box never switched for some reason.
Somewhere in late in the 6.X line (I think) of NIOS it got much better. Infoblox put in some code that greatly reduced the issue but we have seen it in 2003 2008 2008R2 and 2012 and all the way through the 6.x 7.x and 8.x versions of NIOS.
Once a MS DHCP server starts doing this, it rarely quits for good. I started playing with this again a year or so ago, after we turned on multi master DNS on Infoblox. It seems to be locked to something between the two specific "OS's". Making the DHCP server send its updates to a different Infoblox master would at least have the same affect as a restart of the services. I never got much further and have not ever got back to take the time to really dig into it again.
If I remember correctly, there also was some speculation that if the account that the Infoblox server had its keytab file exported from, was in a different domain (same forest) as the DHCP server that it seemed to have the issue more often.
I had some monitoring of the syslog for a while when it was bad, but it’s difficult to set a good threshold as service restarts of DHCP or DNS can trigger some BADKEY messages while keys expire or are re-negotiated . So now it’s more of a best effort or I just add the DHCP server's IP to a allow ACL until it can get rebuilt. It just depends on the frequency of the problem and the needed security of the environment.
11-13-2017 10:37 AM
sorry for the delay ...
Thank you for working out.
I will try to get a solution with microsoft.
Once a MS DHCP server starts doing this, it rarely quits for good. I started playing with this again a year or so ago, after we turned on multi master DNS on Infoblox. It seems to be locked to something between the two specific "OS's".