Server 2012 DNS "The record cannot be deleted. Access was denied."

  • Question

  • I have a 2008 R2 server that is a member of a Server 2012 domain. It has a dynamic "A" record in DNS that from time to time disappears. When this happens and I try to create a static record, it fails with an Access Denied error, after which the original record, timestamped 10/21/2010, reappears. I would like to delete the dynamic record, which I am guessing is being removed by DNS scavenging, and replace it with a static record, but when I try to delete it I get an error, "The record cannot be deleted. Access was denied." In the DNS logs there is an error, Event ID 4011, with the description,

    The DNS server was unable to add or write an update of domain name (server name) in zone acsnt.ad.net to the Active Directory.  Check that the Active Directory is functioning properly and add or update this domain name using the DNS console. The extended error debug information (which may be empty) is "00002098: SecErr: DSID-03150BC1, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0". The event data contains the error.

    The data is 0000: 05 00 00 00

    In addition to the above event there are also event 4015 errors and event 4013 warnings.

    Has anyone ever run into this before? This is the only DNS record behaving this way but the server is critical and when this happens the users can no longer access it until the record is back.

    Monday, May 8, 2017 1:06 PM

Answers

  • Hi, Candy. Thank you for your reply.

    I had already looked into the DNS security settings and they look appropriate. I made the account I am using a member in the Domain Admins group, Enterprise Admins for the forest and DNS Admins. Then I tried to delete the record from every DNS server in the forest with no success.

    The question about the security setting got me thinking (always dangerous) so I took a look at the security on the individual record. It turns out that there was no group that had any access higher than Read. I was unable to add, remove, or edit anything. The only option available was to take ownership of the record. That did the trick and lo and behold I was able to fix the permissions and, after a replication cycle I was able to delete the dynamic record and create a static one.

    I did check a number of other records and they are all inheriting the normal permissions so I have no idea how this one got so messed up. I guess we'll never know.

    Tuesday, May 9, 2017 12:45 PM

All replies

  • Hi Brad52,

    >>The record cannot be deleted. Access was denied.

    First you should check which account is the record owner and if the account has the permission to fully control.

    If your account is a member of the DnsAdmins security group, you could manually add the DnsAdmins security group to the zone access control list (ACL) and grant Full Control.

    To do so, use one of the following methods to assign Full Control to DnsAdmins security group.

    Method 1: Use Active Directory Service Interfaces (ADSI) Editor to assign Full Control permissions to the DnsAdmins group

    1. Log on to your computer as administrator.
    2. Click Start, click Run, type adsiedit.msc, and then click OK.
    3. Expand Domain NC.
      This node contains a folder that begins with "DC=" and reflects the correct domain name, such as "DC=exampledomain,DC=net".
    4. Expand CN=System, and then click CN=MicrosoftDNS.
    5. In the right pane, right-click the folder where you want to change the permissions, and then click Properties.
    6. In the DomainComponent properties dialog box, click the Security tab.
    7. In the DnsAdmins Permissions list, click to select the Full Control check box for the Allow column, and then click OK two times.
    8. On the File menu, click Exit.

    Method 2: Use DNS to assign Full Control permissions to the DnsAdmins group

    1. Click Start, point to All Programs, point to Administrative Tools, and then click DNS.
    2. In the console tree, click the applicable zone.
    3. On the Action menu, click Properties.
    4. In the Properties dialog box for the zone, click Security, and then click Add.
    5. In the Select Users, Computers, or Groups dialog box, type DnsAdmins, and then click OK in the Enter the object names to select text box.
    6. In the Permissions list for DnsAdmins, click to select the Full Control check box for the Allow column.
    7. Click Advanced, click DnsAdmins, and then click Edit.
    8. In the Apply onto drop-down menu, click to select This object and all child objects.
    9. Click OK three times.
    10. On the File menu, click Exit.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, May 9, 2017 5:18 AM
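The fix in the accepted answer (take ownership of the one record, restore its permissions, wait for replication) and the DnsAdmins permission check in Candy's reply can be scripted instead of clicked through ADSI Edit. The PowerShell below is an added example, not code from the thread or from Microsoft. It assumes the RSAT ActiveDirectory module is installed, takes the zone name acsnt.ad.net from the question, uses the hypothetical record names SERVER-PLACEHOLDER and SIBLING-PLACEHOLDER, and assumes the account running it holds rights to read (and, for -Repair, to take ownership of) the dnsNode object.

```powershell
<#
  Added example, not code from the thread or from Microsoft. Reads the owner
  and DACL of one dnsNode object in an AD-integrated zone, compares it with a
  record that is known to be healthy, and with -Repair takes ownership,
  re-enables inheritance and grants DnsAdmins Full Control.
  Assumptions: RSAT ActiveDirectory module; zone acsnt.ad.net (from the
  question); SERVER-PLACEHOLDER and SIBLING-PLACEHOLDER are hypothetical
  record names; the caller can read and, for -Repair, take ownership of the node.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ZoneName    = 'acsnt.ad.net',
    [string]$RecordName  = 'SERVER-PLACEHOLDER',
    [string]$SiblingName = 'SIBLING-PLACEHOLDER',
    [switch]$Repair
)

Import-Module ActiveDirectory -ErrorAction Stop

$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext
$forestDN = $rootDse.rootDomainNamingContext
$rights   = [System.DirectoryServices.ActiveDirectoryRights]

# An AD-integrated zone lives in one of three containers: the Domain NC path
# that the ADSI Edit steps in the reply walk (CN=System), or one of the two
# DNS application partitions. Each record is a child dnsNode named DC=<record>.
$zoneContainers = @(
    "DC=$ZoneName,CN=MicrosoftDNS,CN=System,$domainDN",
    "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN",
    "DC=$ZoneName,CN=MicrosoftDNS,DC=ForestDnsZones,$forestDN"
)

function Find-DnsNode {
    param([string]$Name)
    foreach ($container in $zoneContainers) {
        try {
            $node = Get-ADObject -SearchBase $container -SearchScope OneLevel `
                -LDAPFilter "(&(objectClass=dnsNode)(dc=$Name))" -ErrorAction Stop
            if ($node) { return $node }
        } catch {
            # The zone is not stored in this partition; try the next container.
        }
    }
    return $null
}

function Get-DnsNodeAclReport {
    param($Node)
    $acl = Get-Acl -Path "AD:\$($Node.DistinguishedName)"
    # Any of these rights lets a principal change or delete the record. A DACL
    # whose Allow ACEs carry none of them is the "nothing above Read" state
    # that produced INSUFF_ACCESS_RIGHTS (event 4011) in the question.
    $writeMask = $rights::GenericAll -bor $rights::GenericWrite -bor $rights::WriteProperty -bor
                 $rights::WriteDacl -bor $rights::WriteOwner -bor $rights::Delete -bor $rights::DeleteTree
    $writers = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and ([int]($_.ActiveDirectoryRights -band $writeMask)) -ne 0
    }
    [pscustomobject]@{
        Record              = $Node.DistinguishedName
        Owner               = $acl.Owner
        InheritanceBlocked  = $acl.AreAccessRulesProtected
        AceCount            = @($acl.Access).Count
        PrincipalsWithWrite = @($writers | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
    }
}

$node = Find-DnsNode -Name $RecordName
if (-not $node) { throw "dnsNode '$RecordName' not found under zone $ZoneName in any partition" }
Get-DnsNodeAclReport -Node $node | Format-List

# Every other record in the thread inherited the zone ACL, so a different
# owner, InheritanceBlocked = True, or an empty PrincipalsWithWrite list on
# the bad record compared with the sibling is the tell-tale.
$sibling = Find-DnsNode -Name $SiblingName
if ($sibling) { Get-DnsNodeAclReport -Node $sibling | Format-List }

if ($Repair -and $PSCmdlet.ShouldProcess($node.DistinguishedName,
        'Take ownership, re-enable inheritance, grant DnsAdmins Full Control')) {
    $acl       = Get-Acl -Path "AD:\$($node.DistinguishedName)"
    $dnsAdmins = New-Object System.Security.Principal.NTAccount((Get-ADDomain).NetBIOSName, 'DnsAdmins')
    $acl.SetOwner($dnsAdmins)                    # "Take ownership" in the Security tab
    $acl.SetAccessRuleProtection($false, $true)  # inherit from the zone again, keep explicit ACEs
    $fullControl = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $dnsAdmins, $rights::GenericAll, [System.Security.AccessControlType]::Allow)
    $acl.AddAccessRule($fullControl)
    Set-Acl -Path "AD:\$($node.DistinguishedName)" -AclObject $acl
    Get-DnsNodeAclReport -Node $node | Format-List   # verify; other DCs see it after replication
}
```

Run it first without -Repair from a domain-joined box: the two Format-List reports side by side show whether the misbehaving record has a different owner, blocked inheritance, or no principal with write rights, which is exactly what the accepted answer found by hand. -Repair honours -WhatIf, and as in the thread the change only takes effect on other DNS servers after a replication cycle.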
  • Hi Brad52,

    I am glad to hear that your issue was successfully resolved.

    Thanks for your posting here and sharing the resolution!

    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards

    Candy


    Wednesday, May 10, 2017 8:22 AM
  • Hi Brad52

    You could "mark it as answer" to help other community members find the helpful reply quickly.

    Best Regards,

    Candy


    Monday, May 15, 2017 2:40 AM