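I've hit a problem where a Windows 10 client connected to the domain via DirectAccess is not updating its client DNS record on the domain's name servers. Instead, it appears to be trying to update the public DNS infrastructure.
When I run ipconfig /registerdns, I get the following in Event Viewer: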
The system failed to register host (A or AAAA) resource records for network adapter
with settings:
Adapter Name : {1D45B42E-3DE0-40FF-9306-C6017F422CD3}
Host Name : D8058
Primary Domain Suffix : ad.isg.global
DNS server list :
1.0.0.1, 1.1.1.1, 2606:4700:4700::1111, 2606:4700:4700::1001
Sent update to server : <?>
IP Address(es) :
2a01:4b00:xxxx:xxxx:xxxx:xxxx:xxxx:cbac, 2a01:4b00:xxxx:xxxx:xxxx:xxxx:xxxx:cbac, 172.16.100.72
Either the DNS server does not support the DNS dynamic update protocol or the authoritative zone for the specified DNS domain name does not accept dynamic updates.
To register the DNS host (A or AAAA) resource records using the specific DNS domain name and IP addresses for this adapter, contact your DNS server or network systems administrator.
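Note that the 2801 address is the computer's IPv6 address on the client's local network (publicly routable), and 172.16.100.72 is its IPv4 address on the local network. 1.1.1.1 and 1.0.0.1 are the DNS servers handed out by the DHCP server on the client's router.
In other words, it appears to be trying to update the record on the public DNS infrastructure rather than on the domain's DNS servers. I have confirmed in Wireshark that it is trying to send the update request to 1.1.1.1.
DNS resolution for servers on the network is working fine, though: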
> ping dc01
Pinging dc01.redacted.network [fda4:9e55:xxxx:xxxx::xxxx:300a] with 32 bytes of data:
Reply from fda4:9e55:xxxx:xxxx::xxxx:300a: time=21ms
Reply from fda4:9e55:xxxx:xxxx::xxxx:300a: time=11ms
> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : 2a01:4b00:xxxx:xxxx:xxxx:xxxx:xxxx:cbac
IPv6 Address. . . . . . . . . . . : 2a01:4b00:xxxx:xxxx:xxxx:xxxx:xxxx:cbac
Temporary IPv6 Address. . . . . . : 2a01:4b00:xxxx:xxxx:xxxx:xxxx:xxxx:8e46
Temporary IPv6 Address. . . . . . : 2a01:4b00:xxxx:xxxx:xxxx:xxxx:xxxx:8e46
Link-local IPv6 Address . . . . . : fe80::4186:420e:3109:cbac%3
IPv4 Address. . . . . . . . . . . : 172.16.100.72
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::7a8a:20ff:fe41:a8bf%3
172.16.100.1
Tunnel adapter Microsoft IP-HTTPS Platform Interface:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : fda4:9e55:xxxx:xxxx:xxxx:xxxx:xxxx:ca42
Temporary IPv6 Address. . . . . . : fda4:9e55:xxxx:xxxx:xxxx:xxxx:xxxx:f3e1
Link-local IPv6 Address . . . . . : fe80::145a:43a2:73ff:ca42%5
Default Gateway . . . . . . . . . :
> Get-DnsClientNrptPolicy
Namespace : .redacted.network
QueryPolicy :
SecureNameQueryFallback :
DirectAccessIPsecCARestriction :
DirectAccessProxyName :
DirectAccessDnsServers : fda4:9e55:xxxx:xxxx::1
DirectAccessEnabled :
DirectAccessProxyType : NoProxy
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired : False
NameServers :
DnsSecIPsecCARestriction :
DnsSecQueryIPsecEncryption :
DnsSecQueryIPsecRequired : False
DnsSecValidationRequired : False
NameEncoding : Utf8WithoutMapping
Namespace : DirectAccess-NLS.redacted.network
QueryPolicy :
SecureNameQueryFallback :
DirectAccessIPsecCARestriction :
DirectAccessProxyName :
DirectAccessDnsServers :
DirectAccessEnabled :
DirectAccessProxyType : UseDefault
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired : False
NameServers :
DnsSecIPsecCARestriction :
DnsSecQueryIPsecEncryption :
DnsSecQueryIPsecRequired : False
DnsSecValidationRequired : False
NameEncoding : Utf8WithoutMapping
Client DNS record updates work fine on other DirectAccess clients. The only difference I'm aware of is that this network has a native IPv6 address, but that may be a red herring.
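
Added example, not part of the original post: a small triage helper that reads the text of a registration-failure event like the one quoted above and reports which servers in its "DNS server list" are globally routable, that is, where the dynamic update for the internal name was headed. It assumes the event message has been copied out of Event Viewer as plain text; the function names are hypothetical and the sample input is constructed from the event shown in the post.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the event text quoted in the post.
EVENT_TEXT = """\
Adapter Name : {1D45B42E-3DE0-40FF-9306-C6017F422CD3}
Host Name : D8058
Primary Domain Suffix : ad.isg.global
DNS server list :
1.0.0.1, 1.1.1.1, 2606:4700:4700::1111, 2606:4700:4700::1001
Sent update to server : <?>
"""

FIELD = re.compile(r"(Host Name|Primary Domain Suffix|DNS server list)\s*:\s*(.*)")

def parse_registration_event(text):
    """Extract host name, primary suffix and DNS server list from the event text."""
    lines = [ln.strip() for ln in text.splitlines()]
    fields = {}
    for i, ln in enumerate(lines):
        m = FIELD.match(ln)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        # The server list is printed on the line after its label.
        if key == "DNS server list" and not value and i + 1 < len(lines):
            value = lines[i + 1]
        fields[key] = value
    raw = fields.get("DNS server list", "")
    fields["DNS server list"] = [s.strip() for s in raw.split(",") if s.strip()]
    return fields

def public_resolvers(servers):
    """Return the servers that are globally routable addresses."""
    flagged = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            continue  # redacted or malformed entry (e.g. 'xxxx' groups): skip
        if addr.is_global:
            flagged.append(s)
    return flagged

def triage(text):
    """Summarise which name was being registered and against which public servers."""
    ev = parse_registration_event(text)
    fqdn = f"{ev.get('Host Name', '?')}.{ev.get('Primary Domain Suffix', '?')}"
    return {"fqdn": fqdn, "public_targets": public_resolvers(ev["DNS server list"])}

if __name__ == "__main__":
    print(triage(EVENT_TEXT))
```

A non-empty `public_targets` list for a host whose primary suffix is an internal AD zone means the client picked its update target from the physical adapter's resolvers rather than from the DNS servers named in the NRPT rule.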