DNS records lost on some client

  • Question

  • Hi,

I have a strange situation. I found out that Win 7 clients and some Win 2012 R2 servers lost their DNS records.

    No DHCP is used on the site/subnet called OtherSite. DNS Scavenging is running with default settings.

I found out that when clients (Win 7 or Win 2012 R2) refresh their DNS records on the Win 2012 R2 AD-integrated DNS server, the permissions of the record are changed.

Normally, at first DNS record creation the record permissions are as follows:

    Everyone: Read / inherited from None

    SYSTEM: Full / inherited from None

    TheDomain\WIN7client1$: Full / inherited from None

    TheDomain\Domain Admins: Full / inherited from None

    TheDomain\Enterprise Admins: Full / inherited from DC=ForestDnsZones,DC=TheDomain,DC=com

    TheDomain\Administrators: Read, Write, Special / inherited from DC=ForestDnsZones,DC=TheDomain,DC=com

    TheDomain\Pre-Windows 2000 Compatible Access: Special (list content) / inherited from DC=ForestDnsZones,DC=TheDomain,DC=com

ENTERPRISE DOMAIN CONTROLLERS: Special (all but full) / inherited from DC=ForestDnsZones,DC=TheDomain,DC=com

ENTERPRISE DOMAIN CONTROLLERS: Special (all but full) / DC=TheDomain.com cn=MicrosoftDNS,DC=ForestDnsZones,DC=TheDomain,DC=com

After the first dynamic client refresh the permissions look like this:

    TheDomain\WIN7Client1$: Read, Write / inherited from None

    TheDomain\Enterprise Admins: Full / inherited from DC=ForestDnsZones,DC=TheDomain,DC=com

    TheDomain\Administrators: Read, Write, Special / inherited from DC=ForestDnsZones,DC=TheDomain,DC=com
    TheDomain\Pre-Windows 2000 Compatible Access: Special (list content) / inherited from DC=ForestDnsZones,DC=TheDomain,DC=com

ENTERPRISE DOMAIN CONTROLLERS: Special (all but full) / inherited from DC=ForestDnsZones,DC=TheDomain,DC=com

ENTERPRISE DOMAIN CONTROLLERS: Special (all but full) / DC=TheDomain.com cn=MicrosoftDNS,DC=ForestDnsZones,DC=TheDomain,DC=com

Owner is always TheDomain\WIN7client1$.

    ACTIVE DIRECTORY SPECS:

Single forest, single domain, isolated from the Internet.

    Sites:

    TheSite (using DHCP with dynamic updates, no problems)

Two Win 2008 R2 Domain Controllers: DC1, DC2.

    10.10.20.0/24

    OtherSite (no DHCP, problems with DNS records)

One Win 2012 R2 Domain Controller: DC3.

    10.10.40.0/24

    Replication seems to be fine with IPsec through firewall. Clients have access only to the site's DC(s).

    All DCs are global catalog.

    DNS:

    Active Directory integrated DNS. 

    Forward lookup zones: TheDomain.com, _msdcs.TheDomain.com

    Reverse lookup zones: 10.10.20.0/24 and 10.10.40.0/24

    Dynamic updates: Secure only.

    All servers were set to scavenge (7/7), but now I changed it to be running only on DC1.

I've tried deleting the records with ADSI Edit and then restarting the DNS Server service on DC3. After that "ipconfig /registerdns" works fine and a perfect DNS record is created. After the first DNS refresh from the client, the permissions change.

I also found a duplicate Forward Lookup Zone and deleted it (http://blogs.msmvps.com/acefekay/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones/).

If anyone has a suggestion on how to solve this, I would be really grateful!

    Thanks,

    Ken

    Tuesday, May 9, 2017 8:08 AM
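The ACL comparison in the question above was done by eye from the DNS console. The following PowerShell is an added example, not code from the thread, that snapshots the DACL on the dnsNode object behind a record and diffs it after the client re-registers, so the "before" and "after" permission sets can be compared as text and kept with the ticket. It assumes the RSAT ActiveDirectory and DnsServer modules on a domain controller or admin host; the host, zone and server names are the placeholders used in the thread.

```powershell
# Added example (not part of the original thread): dump and diff the DACL on a
# dnsNode object so before/after-refresh permissions can be compared as text.
# Assumes the RSAT ActiveDirectory and DnsServer modules.
Import-Module ActiveDirectory
Import-Module DnsServer

function Get-DnsNodeAcl {
    param(
        [Parameter(Mandatory)][string]$HostName,   # e.g. 'WIN7client1' (placeholder)
        [Parameter(Mandatory)][string]$ZoneName,   # e.g. 'TheDomain.com' (placeholder)
        [string]$Server = $env:COMPUTERNAME        # DNS server to query, e.g. 'DC3'
    )
    $zone     = Get-DnsServerZone -Name $ZoneName -ComputerName $Server
    $domainDn = (Get-ADDomain).DistinguishedName

    # AD-integrated zones live under CN=MicrosoftDNS in the partition selected by the
    # zone's replication scope; the dnsNode is DC=<host>,DC=<zone> below that.
    $partition = switch ($zone.ReplicationScope) {
        'Forest' { "DC=ForestDnsZones,$domainDn" }
        'Domain' { "DC=DomainDnsZones,$domainDn" }
        'Legacy' { "CN=System,$domainDn" }
        default  { throw "Custom replication scope; resolve the partition DN manually" }
    }
    $nodeDn = "DC=$HostName,DC=$ZoneName,CN=MicrosoftDNS,$partition"
    $acl    = Get-Acl -Path "AD:\$nodeDn"

    # Timestamp is $null for static records; dynamic records carry the last refresh time.
    $rr = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $HostName -RRType A `
            -ComputerName $Server -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Node      = $nodeDn
        Owner     = $acl.Owner
        Timestamp = $rr.Timestamp
        Aces      = @($acl.Access | ForEach-Object {
            [pscustomobject]@{
                Identity  = $_.IdentityReference.Value
                Rights    = $_.ActiveDirectoryRights.ToString()
                Type      = $_.AccessControlType.ToString()
                Inherited = $_.IsInherited
            }
        })
    }
}

function Compare-DnsNodeAcl {
    param([Parameter(Mandatory)]$Before, [Parameter(Mandatory)]$After)
    # SideIndicator '<=' marks an ACE present only before the refresh, '=>' only after.
    Compare-Object -ReferenceObject $Before.Aces -DifferenceObject $After.Aces `
        -Property Identity, Rights, Type, Inherited
}

# Usage: snapshot, trigger the refresh on the client, snapshot again, diff.
$before = Get-DnsNodeAcl -HostName 'WIN7client1' -ZoneName 'TheDomain.com' -Server 'DC3'
# ... run 'ipconfig /registerdns' on WIN7client1 and wait for the update to land on DC3 ...
$after  = Get-DnsNodeAcl -HostName 'WIN7client1' -ZoneName 'TheDomain.com' -Server 'DC3'
"Owner before: $($before.Owner)  after: $($after.Owner)"
Compare-DnsNodeAcl -Before $before -After $after | Format-Table -AutoSize
```

Query the same DNS server the client registers against (DC3 in the question), because the ACL and timestamp you see on another DC depend on replication. The explicit ACEs that disappear (SYSTEM, Domain Admins, Everyone) are the ones to look for in the diff; the machine account keeping Write is what keeps secure dynamic updates working.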

All replies

  • Hi kentuolla,

    >After that "ipconfig /registerdns" works fine and a perfect DNS record will be created. After the first DNS refreshment from client, the permissions will change.

1. According to your description, "OtherSite" does not use a DHCP server, so do the clients use static IP addresses? If they are using static IP addresses, then what does "refresh" mean? Do you mean refreshing the DNS console, or the clients re-registering the DNS records with a new timestamp?

Could you provide a screenshot of the ACL of the records before and after the refresh, so that we can clearly see the changes?

    2. Please run dcdiag /test:dns to check if the DNS is in health state.

Besides, it's recommended to use a DHCP server to assign IP addresses and register DNS records for clients; it is much easier to manage.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Thursday, May 11, 2017 3:31 AM
    Moderator
  • Hi,

1. Computers in "OtherSite" use static IP addresses. By refresh I mean the client re-registering the DNS records with a new timestamp.

2. "dcdiag /test:dns" -> passed test DNS.

I agree with the comment about DHCP. The computers in "OtherSite" are machines running in a factory and the IPs will/must stay the same. Static IPs also give some security protection if someone connects the network card to the wrong network.

    Best Regards,

    Ken

    Thursday, May 11, 2017 6:58 AM
  • Hi Anne,

I uploaded the screenshots to OneDrive: https://1drv.ms/f/s!AsrbJt1k50WabmLKQ_TdyT7hufo

The last picture shows the permissions of an "OK" record.

    Thanks and best regards,

    Ken


    • Edited by kentuolla Thursday, May 11, 2017 7:37 AM
    Thursday, May 11, 2017 7:31 AM
  • Hi kentuolla,

I checked it in my lab and got the same result as you: when the DNS record is refreshed, the ACL of the DNS entry is changed.

SC1 is the record without refresh: [screenshot]

S2 is the record after refresh: [screenshot]

It seems the behavior is by design. Are you getting any specific issue after the ACL changes?

    Best Regards,

    Anne



    Tuesday, May 16, 2017 3:05 AM
    Moderator
  • Hi Anne,

Thanks for checking and for your help. The permissions on the DNS records still look the same. Some computers keep the permissions after refreshes and some keep only the inherited permissions.
(https://1drv.ms/f/s!AsrbJt1k50WabmLKQ_TdyT7hufo)

The main problem was that some computers' DNS records were being deleted frequently. Scavenging was deleting them because the timestamp was not being refreshed. Now all records seem to get refreshed by the clients. I've made several changes and maybe some of the changes have resolved the main problem.

I can live with this situation as long as the DNS records don't get deleted. Timestamps look OK now: all dynamic records have timestamps between May 9th and May 17th. (The no-refresh interval is 7 days, so scavenging/aging seems to be working just as it should.)

    These were the changes that I've made:

1. Removed the duplicate DNS zone with ADSI Edit.
2. Removed one old DC static DNS A record from DNS -> Forward Lookup Zones -> DomainDNSZones.
3. Disabled automatic scavenging of stale records on DC2 and DC3.
4. Added everything-but-full permission for "Enterprise Domain Controllers" on ADUC -> System -> MicrosoftDNS.
5. Changed the reverse lookup zones' replication scope in DNS settings to "To all DNS servers running on domain controllers in this forest". Also set the _msdcs.TheDomain.com scope to "To all DNS servers running on domain controllers in this forest". Forward Lookup Zones were already set to forest-wide replication.
6. Raised the forest functional level from 2003 to 2008 R2. The domain functional level was already 2008 R2. (TheDomain.com has 2 x 2008 R2 DCs and one 2012 R2 DC.)

    Thanks again,

    Ken

    Wednesday, May 17, 2017 7:23 AM
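The root cause in the post above was aging: records whose timestamps were not refreshed were scavenged. The PowerShell below is an added example, not from the thread, that audits which server actually scavenges and with what intervals, then lists the dynamic records in a zone whose timestamp has already passed NoRefresh + Refresh, i.e. the ones the next scavenging run will delete. It assumes the DnsServer module; server and zone names are the thread's placeholders. Catching these early matters beyond availability: under secure-only dynamic updates the ACL protects an existing record, but once scavenging removes it any authenticated host can re-create the name and take the address.

```powershell
# Added example (not part of the original thread): audit scavenging settings across
# DNS servers and list dynamic records already eligible for deletion.
# Assumes the DnsServer module; names below are placeholders from the thread.
Import-Module DnsServer

function Get-DnsScavengingConfig {
    param(
        [Parameter(Mandatory)][string[]]$Server,   # e.g. 'DC1','DC2','DC3'
        [Parameter(Mandatory)][string]$ZoneName    # e.g. 'TheDomain.com'
    )
    foreach ($s in $Server) {
        $srv  = Get-DnsServerScavenging -ComputerName $s
        $zone = Get-DnsServerZoneAging -Name $ZoneName -ComputerName $s
        [pscustomobject]@{
            Server             = $s
            ServerScavenging   = $srv.ScavengingState     # expect $true on exactly one server
            ScavengingInterval = $srv.ScavengingInterval
            LastScavengeTime   = $srv.LastScavengeTime
            ZoneAging          = $zone.AgingEnabled
            NoRefresh          = $zone.NoRefreshInterval
            Refresh            = $zone.RefreshInterval
            ScavengeServers    = ($zone.ScavengeServers -join ', ')
        }
    }
}

function Get-DnsRecordAge {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string]$Server,
        [DateTime]$Now = (Get-Date)
    )
    $aging      = Get-DnsServerZoneAging -Name $ZoneName -ComputerName $Server
    $staleAfter = $aging.NoRefreshInterval + $aging.RefreshInterval
    Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $Server -RRType A |
        Where-Object { $_.Timestamp } |      # $null timestamp = static record, never scavenged
        ForEach-Object {
            $age = $Now - $_.Timestamp
            [pscustomobject]@{
                Host      = $_.HostName
                Address   = $_.RecordData.IPv4Address.IPAddressToString
                Timestamp = $_.Timestamp
                AgeDays   = [math]::Round($age.TotalDays, 1)
                # Eligible: older than NoRefresh + Refresh, so the next run deletes it.
                Eligible  = ($age -gt $staleAfter)
            }
        } | Sort-Object Timestamp
}

# Usage
Get-DnsScavengingConfig -Server 'DC1','DC2','DC3' -ZoneName 'TheDomain.com' |
    Format-Table -AutoSize
Get-DnsRecordAge -ZoneName 'TheDomain.com' -Server 'DC1' |
    Where-Object Eligible | Format-Table -AutoSize
```

Run Get-DnsRecordAge against the server that has ScavengingState set (DC1 after the changes above), since scavenging decisions are made on that server's replica of the zone. Clients in OtherSite register only with DC3, so a timestamp that looks fresh on DC3 is only safe once it has replicated to DC1; comparing the output from both servers shows whether replication, not the clients, is what is lagging.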
  • Hi kentuolla,

    Thanks for your feedback, and if the DNS is stable now, you may mark your reply as answer, so that the useful information can be highlighted.

    Best Regards,

    Anne



    Thursday, June 1, 2017 6:34 AM
    Moderator