Static DNS record deleted automatically - Windows 2008 R2 SP1

  • Question

  • Hi,

    I have scoured the Interweb and tried all suggestions to no avail for this one. Here's the scenario:

    My client has a Windows 2008 R2 SP1 (Windows 2003 domain/forest functional level) server which is a DC and DNS server. The problem is that a DNS record for an Exchange 2010 server is getting deleted every 10 or 40 minutes. This started occurring for no obvious reason a few weeks ago. The impact is that users cannot connect to Exchange (caching does not seem to help with this, which is odd). I disabled scavenging, which did not resolve the issue. I enabled auditing and found a 4662 event revealing that the domain administrator account was deleting the server A record (and pointer record). Why this is happening is what I am trying to investigate next: possible bug? The zone is configured as non-secure; maybe making it secure would help? But this does not explain why the record is being deleted. There is no NIC teaming implemented, which I understand can cause issues.

    As an interim measure I created a script employing dnscmd that recreates the record every 15 minutes, which works for the most part but not always, which is why I added a deny permission on the record for the domain Administrators group; so far this seems to have prevented the record from being deleted.

    Any advice on the cause of this and how to investigate why the record is being deleted will be much appreciated!


    Wednesday, January 8, 2014 10:51 PM


All replies

  • This can be due to an improper aging/scavenging configuration. You can also run repadmin /showobjmeta to find on which DC the deletions have been performed, if the DC is also a DNS server. Also, enable auditing for DNS.

    http://searchwindowsserver.techtarget.com/tip/What-to-do-when-DNS-records-disappear

    Tracking DNS Record Deletion

    http://blogs.technet.com/b/networking/archive/2011/08/17/tracking-dns-record-deletion.aspx


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.


    Thursday, January 9, 2014 2:01 AM
  • Hi, thanks for that. However I have seen those links and already followed them: I turned off scavenging (default 7 day configuration) and the record still gets deleted (the scavenging date is not due till a later date in any case). Also the record is static, so it would not get scavenged? The option to delete the record if stale is unchecked.

    I already enabled auditing and identified event 4662, which shows that it is the domain administrator account that is deleting the record:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          8/01/2014 11:47:25 AM
    Event ID:      4662
    Task Category: Directory Service Access
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      DC.domain.com.au
    Description:
    An operation was performed on an object.

    Subject :
    Security ID: DOMAIN\administrator
    Account Name: administrator
    Account Domain: DOMAIN
    Logon ID: 0x2e1b093

    Object:
    Object Server: DS
    Object Type: dnsNode
    Object Name: DC=EXCHANGEHOST,DC=domain.com.au,CN=MicrosoftDNS,CN=System,DC=domain,DC=com,DC=au
    Handle ID: 0x0

    Operation:
    Operation Type: Object Access
    Accesses: Write Property

    Access Mask: 0x20
    Properties: Write Property
    {771727b1-31b8-4cdf-ae62-4fe39fadf89e}
    {e0fa1e69-9b45-11d0-afdd-00c04fd930c9}
    {d5eb2eb7-be4e-463b-a214-634a44d7392e}
    {e0fa1e8c-9b45-11d0-afdd-00c04fd930c9}


    Additional Information:
    Parameter 1: -
    Parameter 2:

    Please advise!

    Thanks

    Thursday, January 9, 2014 2:37 AM
  • Yes, if the record is static it will not get scavenged, but if you run dnscmd /ageallrecords, it will set a timestamp on even static records. Since you have already identified the account being used to delete the record, you can do further inspection with the members of the domain admin groups.

    http://awinish.wordpress.com/2011/02/08/dns-scavenging-auditing-concepts/


    Awinish Vishwakarma - MVP


    Thursday, January 9, 2014 3:09 AM
  • Hi- can you please advise how I can perform further inspection with the member of the domain admin groups?

    Thanks

    Thursday, January 9, 2014 4:53 AM
  • Hi- can you please advise how I can perform further inspection with the member of the domain admin groups?

    Thanks

    How many users are members of the domain admin group? Who uses the domain admin account to manage AD, or are there any scripts configured to use domain admin credentials which do this? It's more of a manual task. If this domain admin is a common account used by multiple people then you need to talk to them.


    Awinish Vishwakarma - MVP


    Thursday, January 9, 2014 5:08 AM
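One way to carry out the further inspection suggested above without reading the Security log by hand, as an added example that is not from any poster in this thread: a PowerShell script that pairs each 4662 write against the dnsNode with the 4624 logon that created the session, so the workstation, source address, logon type and process behind the administrator session can be read off. It assumes it is run elevated on the DC that logged the events; the record name and look-back window are placeholders.

```powershell
# Added example, not from any poster in this thread. In AD-integrated zones a
# deleted record is tombstoned on the dnsNode, which is why the thread's 4662
# events read "Write Property" rather than Delete. Assumed: run elevated on the
# DC that logged the events; $RecordName and $DaysBack are placeholders.
param(
    [string]$RecordName = 'EXCHANGEHOST',   # dnsNode name from the 4662 Object Name
    [int]$DaysBack = 2
)
$since = (Get-Date).AddDays(-$DaysBack)

# 1. Index every successful logon (4624) in the window by its *new* Logon ID.
#    "(?<!Linked )" skips the Linked Logon ID line newer Windows versions add.
$logonById = @{}
foreach ($e in Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624; StartTime=$since } -ErrorAction SilentlyContinue) {
    $m = [regex]::Match($e.Message, 'New Logon:[\s\S]*?(?<!Linked )Logon ID:\s+(0x[0-9A-Fa-f]+)')
    if ($m.Success -and -not $logonById.ContainsKey($m.Groups[1].Value)) {
        $logonById[$m.Groups[1].Value] = $e
    }
}

# 2. Collect the 4662 writes against the dnsNode; the first "Security ID" and
#    "Logon ID" in the message belong to the Subject that performed the write.
$writes = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4662; StartTime=$since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Object Type:\s+dnsNode' -and
                   $_.Message -match "Object Name:\s+DC=$RecordName," } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Subject = [regex]::Match($_.Message, 'Security ID:\s+(\S+)').Groups[1].Value
            LogonId = [regex]::Match($_.Message, 'Logon ID:\s+(0x[0-9A-Fa-f]+)').Groups[1].Value
        }
    }

# 3. One block per session: who wrote the node, how often, and where the
#    session came from (the 4624 carries workstation, source address, process).
foreach ($group in $writes | Group-Object LogonId) {
    $first = $group.Group | Sort-Object Time | Select-Object -First 1
    "`n=== $($first.Subject)  Logon ID $($group.Name)  $($group.Count) write(s), first at $($first.Time) ==="
    $logon = $logonById[$group.Name]
    if (-not $logon) {
        "  no 4624 in the last $DaysBack day(s): the session pre-dates the window (0x3e7 is the local SYSTEM logon)"
        continue
    }
    foreach ($field in 'Logon Type', 'Workstation Name', 'Source Network Address', 'Process Name', 'Authentication Package') {
        $m = [regex]::Match($logon.Message, "${field}:\s+(.+)")
        if ($m.Success) { '  {0,-24} {1}' -f $field, $m.Groups[1].Value.Trim() }
    }
}
```

A Logon Type of 3 with a Source Network Address points at a remote caller (a script or service on another host), whereas Type 2, 4 or 5 with a local Process Name points at something running on the DC itself.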
  • Hi, the account identified that deletes the record is the Domain Administrator account. I have checked with the limited number of administrators who use the account and they are definitely not manually deleting it. I have also checked scheduled tasks and group policy scripts; they are not using the credentials to delete the record. Something else appears to be the problem here. The static record is being deleted regularly every 10 to 40 minutes. I am racking my brains to find out how the account credentials are being used to delete the record. Any more ideas welcome!

    Thanks

    Thursday, January 9, 2014 5:17 AM
  • Hi,

    You can try to reset the password of the user account that is being displayed in the event description, in case there is a service or process which is using the cached credentials of that user to delete the record.

    Regards,

    Lany Zhang

    Thursday, January 9, 2014 4:23 PM
  • Hi all,

    I am having exactly the same issue. Exchange 2010 server A record gets deleted for no reason. I have already checked all the links listed above with no luck.

    I have AD 2008 R2 environment.

    The 4662 event I found actually points to a domain controller instead of a user. Here is my event log. Are there any solutions at all, or does no one know the solution?

    An operation was performed on an object.

    Subject :
    Security ID: SYSTEM
    Account Name: ADDC1$
    Account Domain: Local
    Logon ID: 0x21cd6c0b

    Object:
    Object Server: DS
    Object Type: dnsNode
    Object Name: DC=Exch2010,DC=corp.local,CN=MicrosoftDNS,CN=System,DC=corp,DC=local
    Handle ID: 0x0

    Operation:
    Operation Type: Object Access
    Accesses: Write Property

    Access Mask: 0x20
    Properties: Write Property
    {771727b1-31b8-4cdf-ae62-4fe39fadf89e}
    {e0fa1e69-9b45-11d0-afdd-00c04fd930c9}
    {d5eb2eb7-be4e-463b-a214-634a44d7392e}
    {e0fa1e8c-9b45-11d0-afdd-00c04fd930c9}

    Additional Information:
    Parameter 1: -
    Parameter 2:

    Tuesday, January 20, 2015 5:44 PM
  • Did you ever figure this out? I am having it too (lost once on an Exchange server and many times on a different member server). None of the articles seem to apply. It is NOT scavenging. It's static. It started happening suddenly. Did anyone ever fix it? If so, how?
    Monday, September 16, 2019 6:32 PM