Primary DNS server's A record keeps disappearing

  • Question

  • Setting up a brand new win2012 domain. Green field...

    AD integrated DNS

    I have one domain controller, three member servers and 3 domain joined PCs. The DC is a VM running on Hyper-v

    1 DNS server (running on the only DC)


    First noticed the problem when I tried to add the first server to the domain and it could not find the DC. I checked DNS on the DC and there was no resource record for the domain controller. I can add the A record and it keeps getting deleted. I can open the SOA record and resolve the name server to an IP address, which auto-adds the A record, but it will disappear. It must be some update or zone load that's doing it because it seems to happen on a timed interval. Sometimes the record will remain for 45 minutes, sometimes it is deleted in 5-10 minutes. Can anyone suggest some logging/debugging to determine what is deleting the record? How do I get support tools for win2012 so I can run netdiag.exe?

    Thanks,

    Doug

    Wednesday, September 7, 2016 4:01 AM

All replies

  • Hi dschaef8,

    1. When you promote the DC, it will create an A record for the DC in the DNS zone automatically. Have you configured a static IP address on the NIC for the DC before you installed the DS role?

    2. Please run an ipconfig/all on the DC, check if all NIC settings are correct;

    3. Use command "dcdiag" to check the health of the DC, check if all rules passed;

    4. If you want to see the log of the DNS, you may enable DNS debug:


    5. Also check the DNS console tree shown in my above screenshot, check if your console tree misses something;

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, September 7, 2016 5:54 AM
    Moderator
  • Thanks for helping Anne...

    1. Server was a fresh install, I did assign a static address before making it a DC

    2. All NIC settings look good. NIC is configured with its own IP address as the sole DNS server. I had IPv6 disabled so I enabled it to see if the A record holds. Will update the thread when a good amount of time has passed.

    3. DCDIAG fails on DNS (no resource record for primary server); when I run it after adding the A record it passes all the tests. It does mention the following error in the system log...

    Source:        NETLOGON
    Date:          9/7/2016 20:28:15
    Event ID:      5782
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      SRV07.wtpd.local
    Description:
    Dynamic registration or deregistration of one or more DNS records failed with the following error: 
    No DNS servers configured for local system.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="NETLOGON" />
        <EventID Qualifiers="0">5782</EventID>
        <Level>3</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2016-09-08T00:28:15.000000000Z" />
        <EventRecordID>5168</EventRecordID>
        <Channel>System</Channel>
        <Computer>SRV07.wtpd.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data>%%9852</Data>
        <Binary>7C260000</Binary>
      </EventData>
    </Event>

    4. Enabled logging but not sure what to look for, I don't see any entries out of the ordinary

    5. my DNS tree is identical to yours

    Thursday, September 8, 2016 1:15 AM
  • Enabling IPv6 made no change, although oddly, when I resolve the name server in the SOA record, now only the A record is auto-added and not the AAAA (IPv6) record. I thought it would work the other way around.

    Doug

    Thursday, September 8, 2016 1:38 AM
  • Hi dschaef8,

    When did you install the DNS role: before installing the AD DS role, or during the process of installing the AD DS role?

    Since it is a fresh install, please check the result of a reinstallation. Remove both the DS and DNS roles, then restart the server, and re-install the AD DS role.

    Best Regards,

    Anne

    Tuesday, September 13, 2016 1:52 AM
    Moderator
  • Hi dschaef8,

    Could the above replies be of help? If yes, you may mark them as answers; if not, feel free to feed back.

    Best Regards,

    Anne

    Tuesday, September 20, 2016 8:50 AM
    Moderator
  • Have not had time to try your suggestions but fully plan to.
    Tuesday, September 20, 2016 10:26 PM
  • Hi dschaef8,

    Yeah, if you need further help, feel free to feed back.

    Best Regards,

    Anne

    Wednesday, September 21, 2016 1:49 AM
    Moderator
  • Hi Anne, I cannot remove directory services or DNS roles because there is one member server in production that would be impacted. Is there any way to determine why the domain controller's A record continues to be removed?

    Thanks,


    Doug

    Tuesday, September 27, 2016 2:30 PM
  • Hi dschaef8,

    Check the DNS event log in Event Viewer, see if you can find anything there.

    Best Regards,

    Anne

    Thursday, September 29, 2016 1:36 AM
    Moderator
  • I have enabled directory services audit logging based on this blog post: https://blogs.technet.microsoft.com/networking/2011/08/17/tracking-dns-record-deletion/ and it shows that the computer account (SRV07$) is deleting the record.

    I have deleted the record from directory services, then recreated it in DNS Manager by resolving the IP address in the NS record. I then see the record in DS with the tombstone value set to FALSE. After a certain amount of time, the record is deleted in DNS Manager and in DS the tombstone value is then set to TRUE. The DS record is never deleted, I assume because scavenging is disabled.

    I have the TCP/IP settings "Register this connection's address in DNS" and "Use this connection's DNS suffix in the DNS registration" enabled, but the NIC never seems to auto-register with DNS. I assume this allows the TTL on the record to expire (even though it's a static entry) and the NETLOGON service deletes the entry.

    Is it possible to set permissions on the record so the computer account cannot delete the record? I have also enabled DNS debugging but cannot see anything giving me any clues to resolve this. This is extremely frustrating. Any help is appreciated. Doug
    Thursday, September 29, 2016 2:40 AM
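A way to check the three things Doug describes from PowerShell on the DC (the A record as DNS sees it, the dnsNode object's tombstone state in AD, and the client-side registration settings), then force a registration and look for the NETLOGON 5782 event. This is an added example, not code from the thread; it assumes the names from the thread (wtpd.local, SRV07) and that the zone is stored in the DomainDnsZones partition, so adjust $ZoneDN if yours is elsewhere.

```powershell
# Added example (not from the thread). Run elevated on the DC; needs the
# ActiveDirectory and DnsServer modules (RSAT / installed with the roles).
Import-Module ActiveDirectory, DnsServer

$Zone     = 'wtpd.local'                                   # zone name from the thread
$HostName = 'SRV07'                                        # DC host name from the thread
# Assumption: AD-integrated zone replicated to all DCs in the domain (DomainDnsZones).
$ZoneDN   = "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,DC=wtpd,DC=local"

# 1. Is the A record currently present in the zone? A Timestamp of 0 / empty means
#    the record is static and would not be aged even if scavenging were enabled.
$rr = Get-DnsServerResourceRecord -ZoneName $Zone -Name $HostName -RRType A -ErrorAction SilentlyContinue
if ($rr) { "DNS: A record present -> $($rr.RecordData.IPv4Address) (Timestamp: $($rr.Timestamp))" }
else     { "DNS: no A record for $HostName.$Zone" }

# 2. What does the dnsNode object in AD say? dnsTombstoned=TRUE means the node was
#    deleted from DNS but the AD object is kept until scavenging/tombstone cleanup removes it.
$node = Get-ADObject -Identity "DC=$HostName,$ZoneDN" `
            -Properties dnsTombstoned, dnsRecord, whenChanged -ErrorAction SilentlyContinue
if ($node) {
    "AD: dnsTombstoned=$($node.dnsTombstoned) recordCount=$(@($node.dnsRecord).Count) whenChanged=$($node.whenChanged)"
} else {
    "AD: no dnsNode object at DC=$HostName,$ZoneDN (check the partition in `$ZoneDN)"
}

# 3. Client-side registration settings per adapter, and which DNS servers the
#    adapter will register with. The DC should point at itself (or another DC), never at nothing.
Get-DnsClient | Where-Object { $_.InterfaceAlias -notmatch 'Loopback' } |
    Select-Object InterfaceAlias, RegisterThisConnectionsAddress, UseSuffixWhenRegistering, ConnectionSpecificSuffix
Get-DnsClientServerAddress -AddressFamily IPv4 | Select-Object InterfaceAlias, ServerAddresses

# 4. Force a dynamic registration now, wait briefly, then show any recent NETLOGON 5782
#    warnings (the "No DNS servers configured for local system" event quoted in the thread).
Register-DnsClient
Start-Sleep -Seconds 10
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5782 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

If step 1 shows no record while step 2 shows dnsTombstoned=TRUE, the deletion was a DNS-level removal of the node (matching the audit-log finding), not an AD replication or scavenging issue.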