Secure DNS update authentication log

%3CLINGO-SUB%20id%3D%22lingo-sub-2275017%22%20slang%3D%22en-US%22%3ESecure%20DNS%20update%20authentication%20log%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2275017%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3EI%20have%20a%20problem%20where%20secure%20DNS%20updates%20fail%20while%20on%20VPN.%20I%20can%20see%20that%20the%20machine%20account%20is%20getting%20a%20Kerberos%20ticket%20for%20DNS%20for%20a%20specific%20DNS%20server.%20I%20want%20to%20confirm%20the%20DNS%20update%20is%20actually%20going%20to%20the%20DNS%20server%20that%20the%20ticket%20is%20for.%20Normally%20this%20wouldn't%20be%20so%20hard%20but%20with%20VPN%20and%20the%20VPN%20server%20proxying%20DNS%20request%20is%20not%20quite%20clear%20what%20server%20the%20DNS%20update%20was%20directed%20to.%26nbsp%3B%20%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20lets%20suppose%20my%20Kerberos%20ticket%20included%20in%20the%20secure%20DNS%20update%20is%20not%20correct%2C%20so%20it%20fails%20like%20an%20Access%20Denied%2C%20what%20log%20would%20that%20be%20written%20in%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E-Wes%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2275017%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EActive%20Directory%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ENetworking%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EWindows%20Server%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2275095%22%20slang%3D%22en-US%22%3ERe%3A%20Secure%20DNS%20update%20authentication%20log%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2275095%22%20slang%3D%22en-US%22%3E%3CP%3ESomething%20here%20may%20help.%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2012-r2-and-2012%2Fdn800669(v%3Dws.11)%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EDNS%20Logging%20and%20Diagnostics%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Hi,

I have a problem where secure DNS updates fail while on VPN. I can see that the machine account is getting a Kerberos ticket for DNS for a specific DNS server. I want to confirm the DNS update is actually going to the DNS server that the ticket is for. Normally this wouldn't be so hard but with VPN and the VPN server proxying DNS request is not quite clear what server the DNS update was directed to.   

 

So lets suppose my Kerberos ticket included in the secure DNS update is not correct, so it fails like an Access Denied, what log would that be written in? 

 

Thanks,

 

-Wes

3 Replies

Something here may help.

DNS Logging and Diagnostics | Microsoft Docs

 

 

 

Looks perfect. Thanks. I should have found that myself.

Sounds good, you're welcome. 

 

(please don't forget to mark helpful replies)