From what I've read, when a Windows DNS client dynamically creates a DNS record for itself, its AD computer account is granted "Write" access to its DNS record, allowing the client to dynamically update its record in the future. For some reason in our environment several servers' host records are missing the corresponding computer account in the ACL - thus when a server tries to update the timestamp on the DNS record it can't as it doesn't have permissions.
This is causing some of our servers to be marked "stale" and be deleted upon scavenging of stale records. If I go to one of the servers this happens to directly and do an "ipconfig /registerdns" I get an error in the system event logs with an Event ID of "11160" and a source of "DnsApi" - the description just tells me what I already know...that I don't have access. Of course, I could fix this problem by manually adding the computer account name to the ACL of the DNS record but in the long term I'd like the computer account to automatically be added to the ACL whenever the host record is dynamically added, just like it is with almost all the rest of the servers in our environment.
This is a new development as we've just recently turned scavenging on...as a temporary fix we've turned it back off until we figure out the cause of this issue. Your help is much appreciated.
March 6, 2008 4:22 PM
March 28, 2008 1:20 PM
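A read-only way to find every affected record before scavenging is re-enabled, as an added example that is not part of the original post: it lists host records in an AD-integrated zone whose ACL has no Allow ACE with write access for the computer account of the same name. Assumptions: the zone name `corp.example.com` is a placeholder, the zone is stored in the DomainDnsZones partition, the computer accounts live in the current domain, and "Write" is tested as the `WriteProperty` right.

```powershell
# Added example (read-only audit). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumptions: placeholder zone name; zone is AD-integrated and replicated
# in the DomainDnsZones application partition of the current domain.
$ZoneName = 'corp.example.com'
$Domain   = Get-ADDomain
$ZoneDN   = "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$($Domain.DistinguishedName)"
$Write    = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Live (non-tombstoned) record nodes directly under the zone.
$nodes = Get-ADObject -SearchBase $ZoneDN -SearchScope OneLevel `
    -LDAPFilter '(&(objectClass=dnsNode)(!(dNSTombstoned=TRUE)))' `
    -Properties nTSecurityDescriptor

foreach ($node in $nodes) {
    # Skip '@', wildcard and service nodes; keep plain host labels only.
    if ($node.Name -notmatch '^[A-Za-z0-9-]+$') { continue }

    # Only consider records that share a name with a computer account.
    $computer = Get-ADComputer -Filter "Name -eq '$($node.Name)'"
    if (-not $computer) { continue }

    $account = '{0}\{1}$' -f $Domain.NetBIOSName, $computer.Name
    $sd      = $node.nTSecurityDescriptor

    # Allow ACEs (explicit or inherited) for the computer account that include write.
    $hasWrite = $sd.Access | Where-Object {
        $_.IdentityReference.Value -eq $account -and
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.ActiveDirectoryRights -band [int]$Write) -ne 0
    }

    if (-not $hasWrite) {
        # Report the record, the account that should hold write, and the current owner.
        [pscustomobject]@{
            Record  = $node.Name
            Account = $account
            Owner   = $sd.Owner
            DN      = $node.DistinguishedName
        }
    }
}
```

The `Owner` column shows which principal currently owns each flagged record, which helps trace how it was created.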