01 July 2009

Problem:

The check DNS_SECURE_UPDATE_FAILURES will fire very frequently, especially on a properly-secured Windows 2008 DHCP/DNS server.

Solution:

Ignore this check. It will be retired in a future version of TNTMonitoring.

Root Cause:

Microsoft recommends that you configure the DHCP server to automatically update the corresponding A and PTR records in the DNS server on behalf of its clients. The procedure is documented in MS KB 816592. The dynamic updates can be configured as unsecured or secure. This TNTMonitoring check counts how many secure updates have failed.

Secure updates can fail for various reasons, many of them legitimate non-error conditions.

Specifically: to ensure security, Microsoft also recommends that you configure credentials for one designated user account that the DHCP server uses for its DNS updates. If you follow this recommendation, each DNS record the DHCP server registers carries permissions that allow only that one account to modify it. This prevents any source other than the DHCP server from updating the record.

The update of a DNS record is actually attempted twice. The DHCP server performs the DNS update, as described above. In addition, the client itself also attempts to update its own DNS record. This second update fails, because the client does not hold the configured credentials and the record's permissions do not allow any other account to modify it. This behavior is by design and not an error.

Every time a client update fails this way, the corresponding performance counter on the DNS server is incremented. This triggers the check DNS_SECURE_UPDATE_FAILURES to report a CRITICAL status even though the network is working as intended.
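The following PowerShell session illustrates the configuration and the counter behavior described above on a Windows 2008 DHCP/DNS server. It is an added example, not part of the original page and not TNTMonitoring code. The domain CONTOSO, the zone corp.contoso.com, the host name host1 and the dedicated account dhcp-dnsupdate are hypothetical; the counter names under the DNS performance object and the AD distinguished name of the DNS node are assumed to match a default domain-integrated zone stored in the DomainDnsZones partition.

```powershell
# Added example (not from the original page). Run elevated on the DHCP/DNS server.
# CONTOSO\dhcp-dnsupdate is a hypothetical, unprivileged domain user created only
# so that the DHCP Server service has its own identity for DNS updates.

# 1. Give the DHCP Server service one dedicated account for dynamic DNS updates.
#    Records it registers are then owned by this account, so a secure update from
#    any other principal (including the client itself) is rejected by design.
$pw = Read-Host 'Password for CONTOSO\dhcp-dnsupdate'   # avoid putting it in history
netsh dhcp server set dnscredentials dhcp-dnsupdate CONTOSO $pw
netsh dhcp server show dnscredentials

# 2. Confirm that a DHCP-registered record is owned by that account. If it is, a
#    failed secure update from the client is the expected second attempt, not a fault.
#    Assumed DN layout: DC=<host>,DC=<zone>,CN=MicrosoftDNS,DC=DomainDnsZones,<domain DN>
$node = 'DC=host1,DC=corp.contoso.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=contoso,DC=com'
dsacls $node | Select-String -Pattern 'Owner:', 'dhcp-dnsupdate'

# 3. Read the DNS server's secure-update counters. Both are cumulative since the
#    DNS service last started, so compare two samples and look at the rate rather
#    than alerting on the absolute value, which only ever grows on a healthy server.
$paths  = '\DNS\Secure Update Received', '\DNS\Secure Update Failure'
$before = Get-Counter -Counter $paths
Start-Sleep -Seconds 60
$after  = Get-Counter -Counter $paths

for ($i = 0; $i -lt $paths.Count; $i++) {
    $delta = $after.CounterSamples[$i].CookedValue - $before.CounterSamples[$i].CookedValue
    '{0,-30} {1,8} in last 60 s' -f $paths[$i], $delta
}
```

On a server configured this way every DHCP lease that the client also tries to register adds one to the failure counter, so the absolute value that DNS_SECURE_UPDATE_FAILURES reports grows steadily and says nothing about whether DNS is healthy; only a failure rate out of proportion to the received-update rate, or failures from records not owned by the DHCP account, would be worth investigating.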