From what I've read, when a Windows DNS client dynamically creates a DNS record for itself, its AD computer account is granted "Write" access to its DNS record, allowing the client to dynamically update its record in the future. For some reason in our environment several servers' host records are missing the corresponding computer account in the ACL - thus when a server tries to update the timestamp on the DNS record it can't, as it doesn't have permissions.
This is causing some of our servers to be marked "stale" and be deleted upon scavenging of stale records. If I go to one of the servers this happens to directly and do an "ipconfig /registerdns" I get an error in the system event logs with an Event ID of "11160" and a source of "DnsApi" - the description just tells me what I already know...that I don't have access. Of course, I could fix this problem by manually adding the computer account name to the ACL of the DNS record, but in the long term I'd like the computer account to automatically be added to the ACL whenever the host record is dynamically added, just like it is with almost all the rest of the servers in our environment.
This is a new development as we've just recently turned scavenging on...as a temporary fix we've turned it back off until we figure out the cause of this issue. Your help is much appreciated.
Software/Hardware used:
ASKED:
March 6, 2008 4:22 PM
UPDATED:
March 28, 2008 1:20 PM
Unfortunately the article over at EventID.net did not solve my problem. They pretty much told me what I already knew – that the AD computer account didn’t have access to the DNS record – and as I pointed out, I can easily fix this by adding the AD computer account name to the DNS record ACL; however, I’m wanting to prevent this from happening on servers in the future. I’m wanting to know WHY the AD computer account isn’t being automatically added to the DNS ACL like it should be…so I can prevent further servers’ DNS records from being deleted. The other solutions at eventid.net didn’t apply to my situation…
Thanks and I appreciate any help you’re able to provide me.
I’m glad that my info went in this time. The site crashed while I was typing it in the first time.
Unfortunately the resolution to my problem will be more ambiguous as we haven’t had any admin exporting DNS records. Also, we could run a script that would do an ipconfig /registerdns on all servers; however, the problem is that the servers this is happening to don’t have “write” access to their own DNS records…so doing an “ipconfig /registerdns” would just error out on them. And like I said, I could manually add the server’s AD account to the DNS record, but this wouldn’t solve the problem of WHY this is happening to certain servers in the first place and it wouldn’t ensure that this wouldn’t happen again.
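The condition the poster describes (a dynamically registered host record whose ACL lacks a write ACE for the host's own computer account, so the client's refresh fails with DnsApi event 11160 and the record ages out under scavenging) can be found across a whole zone before scavenging deletes anything. The script below is an added example, not code from the original thread or from any of its posters; it uses the DnsServer and ActiveDirectory PowerShell modules, which postdate the 2008 thread and assume Windows Server 2012 or later. The zone name `corp.example`, the domain DN `DC=corp,DC=example`, the NetBIOS name `CORP` and the assumption that the zone is stored in the DomainDnsZones partition are all placeholders to adjust for your environment.

```powershell
# Added example (not from the original thread): audit an AD-integrated DNS zone for
# dynamic A records whose ACL lacks a write ACE for the host's own computer account.
# Assumptions: DnsServer and ActiveDirectory modules available (Windows Server 2012+),
# the zone lives in the DomainDnsZones partition, and the caller can read the zone's ACLs.
param(
    [string]$Zone          = 'corp.example',      # assumed zone name
    [string]$DomainDN      = 'DC=corp,DC=example', # assumed domain DN
    [string]$NetbiosDomain = 'CORP'                # assumed NetBIOS domain name
)

Import-Module DnsServer
Import-Module ActiveDirectory   # provides the AD: PSDrive used by Get-Acl below

# dnsNode objects for an AD-integrated zone hang off this container in the DomainDnsZones partition.
$zoneDn = "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN"

# Any of these rights lets the client rewrite its record; a plain Read ACE does not.
$writeRights = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, GenericWrite, GenericAll'

# Only dynamically registered records carry a timestamp; static records (Timestamp = $null)
# are never scavenged and are not affected by this problem.
$records = Get-DnsServerResourceRecord -ZoneName $Zone -RRType A |
    Where-Object { $_.HostName -ne '@' -and $_.Timestamp }

foreach ($rr in $records) {
    # Assumes single-label host names; multi-label names need the relative dnsNode name instead.
    $nodeDn = "DC=$($rr.HostName),$zoneDn"
    try {
        $acl = Get-Acl -Path "AD:\$nodeDn"
    } catch {
        Write-Warning "No readable AD object for $nodeDn"
        continue
    }

    # The computer account a DNS client registers under: DOMAIN\HOSTNAME$
    $selfAccount = "$NetbiosDomain\$($rr.HostName.ToUpper())`$"

    $selfWrite = $acl.Access | Where-Object {
        $_.IdentityReference.Value -ieq $selfAccount -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $writeRights) -ne 0)
    }

    [pscustomobject]@{
        Host      = $rr.HostName
        Timestamp = $rr.Timestamp        # last dynamic refresh; stale records show an old value here
        Owner     = $acl.Owner           # the principal that created the dnsNode object
        SelfWrite = [bool]$selfWrite     # $false reproduces the event 11160 condition
    }
}
```

Run it on a domain controller or a host with the RSAT DNS and AD tools and filter on `SelfWrite -eq $false` to get the list of records that will fail their next `ipconfig /registerdns`. The `Owner` column is worth comparing against `Host`: the principal that first created a dnsNode is recorded as its owner, so a record whose owner is not the host's own computer account was registered by something else, which is the first thing to check when asking why the self-write ACE was never granted. Re-enable scavenging only after the affected records have been repaired or confirmed.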