Static DNS records disappearing


  • Hi all,

    Three of our static DNS entries keep disappearing and we have to keep adding them back in.  Sometimes they stay in for 1-2 weeks, sometimes only a few hours.  We have many static entries but it is always these same three that give us issues.  We are running four Windows 2008 (non-R2) Domain Controllers.  Two of these machines are Server Core and the other two are full versions.

    I have followed Ace's blog (thanks btw!) about looking for a duplicate zone but I don't think this is the case.  So I have turned on DNS auditing.  When the record gets deleted it logs EventID 5136 sixteen times:

    <REMOVED LOG FOR READABILITY>

    From these logs it appears that DC-SERVER3$ is what is deleting these items.  Is that a correct assumption?  DC-SERVER3 is one of the four domain controllers and is one of two running server core.

    I am unsure where to go from here.  Any help would be MUCH appreciated.  Thanks!

    • Edited by ZB0T Thursday, January 12, 2012 6:35 PM readability
    Thursday, January 12, 2012 6:26 PM

All replies

  • I tried posting the event logs in a <code> block above but it was very unreadable.  Is there a better way to do this?  I will paste them here for the time being:

    2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dnsRecord Syntax (OID): 2.5.5.10 Value: %%14672 Operation: Type: %%14675 Correlation ID: {1A62820C-B9A9-4942-BC2A-5232B31019AC} Application Correlation ID: - 
    
    2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dnsRecord Syntax (OID): 2.5.5.10 Value: %%14672 Operation: Type: %%14674 Correlation ID: {1A62820C-B9A9-4942-BC2A-5232B31019AC} Application Correlation ID: - 
    
    2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dNSTombstoned Syntax (OID): 2.5.5.8 Value: FALSE Operation: Type: %%14675 Correlation ID: {1A62820C-B9A9-4942-BC2A-5232B31019AC} Application Correlation ID: - 
    
    2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dNSTombstoned Syntax (OID): 2.5.5.8 Value: FALSE Operation: Type: %%14674 Correlation ID: {1A62820C-B9A9-4942-BC2A-5232B31019AC} Application Correlation ID: - 
    
    2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dnsRecord Syntax (OID): 2.5.5.10 Value: %%14672 Operation: Type: %%14675 Correlation ID: {5E3BE0F3-7E9C-4670-8191-D95E499E4E0F} Application Correlation ID: - 
    
    2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dnsRecord Syntax (OID): 2.5.5.10 Value: %%14672 Operation: Type: %%14674 Correlation ID: {5E3BE0F3-7E9C-4670-8191-D95E499E4E0F} Application Correlation ID: - 
    
    2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dNSTombstoned Syntax (OID): 2.5.5.8 Value: FALSE Operation: Type: %%14675 Correlation ID: {5E3BE0F3-7E9C-4670-8191-D95E499E4E0F} Application Correlation ID: - 
    
    2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dNSTombstoned Syntax (OID): 2.5.5.8 Value: TRUE Operation: Type: %%14674 Correlation ID: {5E3BE0F3-7E9C-4670-8191-D95E499E4E0F} Application Correlation ID: - 
    
    2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dnsRecord Syntax (OID): 2.5.5.10 Value: %%14672 Operation: Type: %%14675 Correlation ID: {30EFB4E6-90CD-4143-B1C4-DC85382842A1} Application Correlation ID: - 
    
    2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dnsRecord Syntax (OID): 2.5.5.10 Value: %%14672 Operation: Type: %%14674 Correlation ID: {30EFB4E6-90CD-4143-B1C4-DC85382842A1} Application Correlation ID: - 
    
    2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dNSTombstoned Syntax (OID): 2.5.5.8 Value: TRUE Operation: Type: %%14675 Correlation ID: {30EFB4E6-90CD-4143-B1C4-DC85382842A1} Application Correlation ID: - 
    
    2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dNSTombstoned Syntax (OID): 2.5.5.8 Value: FALSE Operation: Type: %%14674 Correlation ID: {30EFB4E6-90CD-4143-B1C4-DC85382842A1} Application Correlation ID: - 
    
    2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dnsRecord Syntax (OID): 2.5.5.10 Value: %%14672 Operation: Type: %%14675 Correlation ID: {D1326DBB-9BA0-4838-A0A4-B90CEFF2A346} Application Correlation ID: - 
    
    2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dnsRecord Syntax (OID): 2.5.5.10 Value: %%14672 Operation: Type: %%14674 Correlation ID: {D1326DBB-9BA0-4838-A0A4-B90CEFF2A346} Application Correlation ID: - 
    
    2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dNSTombstoned Syntax (OID): 2.5.5.8 Value: FALSE Operation: Type: %%14675 Correlation ID: {D1326DBB-9BA0-4838-A0A4-B90CEFF2A346} Application Correlation ID: - 
    
    2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dNSTombstoned Syntax (OID): 2.5.5.8 Value: TRUE Operation: Type: %%14674 Correlation ID: {D1326DBB-9BA0-4838-A0A4-B90CEFF2A346} Application Correlation ID: - 
    
    • Edited by ZB0T Thursday, January 12, 2012 6:44 PM
    Thursday, January 12, 2012 6:37 PM
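The sixteen 5136 events above are four correlated changes to the same dnsNode, and only some of them are deletions: an AD-integrated DNS deletion is recorded as the dNSTombstoned attribute changing from FALSE to TRUE, while a re-creation flips it back. As an added example (not code from this thread), the following Python script parses 5136 lines in the single-line form pasted above, groups them by Correlation ID and reports, for each correlated change, whether the node was merely modified, tombstoned or revived, and under which account. The mapping of the %%14674 and %%14675 tokens to "Value Added" and "Value Deleted" is assumed from the delete-old-then-add-new ordering of the posted events; the sample lines are constructed with placeholder SIDs, GUIDs and correlation IDs.

```python
"""Classify Windows Security event 5136 lines that touch DNS dnsNode objects.

Added example, not code from the thread. Handles the single-line layout the
poster pasted (message-table tokens such as %%14675 unresolved)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed mapping of the %%NNNNN tokens, inferred from the "delete old value,
# then add new value" ordering visible in the posted events.
OP_CODES = {"%%14674": "Value Added", "%%14675": "Value Deleted"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+5136\s.*?"
    r"Account Name: (?P<account>\S+) .*?"
    r"Object: DN: (?P<dn>\S+) .*?"
    r"LDAP Display Name: (?P<attr>\S+) .*?"
    r"Value: (?P<value>\S+) "
    r"Operation: Type: (?P<op>%%\d+) "
    r"Correlation ID: (?P<corr>\{[^}]+\})"
)


@dataclass
class Event:
    ts: str
    account: str
    host: str      # first RDN of the dnsNode DN, i.e. the record's owner name
    attr: str      # dnsRecord or dNSTombstoned
    value: str
    op: str        # "Value Added" / "Value Deleted"
    corr: str


def parse_events(lines):
    """Return one Event per 5136 line that matches the expected layout."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a 5136 line in the single-line form; skip it
        host = m["dn"].split(",")[0].split("=", 1)[1]
        op = OP_CODES.get(m["op"], m["op"])
        events.append(Event(m["ts"], m["account"], host,
                            m["attr"], m["value"], op, m["corr"]))
    return events


def classify(events):
    """One verdict per Correlation ID: 'tombstoned', 'revived' or 'modified'."""
    by_corr = defaultdict(list)
    for ev in events:
        by_corr[ev.corr].append(ev)
    verdicts = []
    for corr, evs in by_corr.items():
        added = {e.value for e in evs
                 if e.attr == "dNSTombstoned" and e.op == "Value Added"}
        removed = {e.value for e in evs
                   if e.attr == "dNSTombstoned" and e.op == "Value Deleted"}
        if "TRUE" in added:
            kind = "tombstoned"          # the record was deleted from the zone
        elif "TRUE" in removed and "FALSE" in added:
            kind = "revived"             # a deleted node was re-created
        else:
            kind = "modified"            # dnsRecord rewritten, node still live
        verdicts.append((corr, evs[0].ts, evs[0].account, evs[0].host, kind))
    return verdicts


def summarize(lines):
    """Counter of (account, record name, verdict) over all correlated changes."""
    return Counter((acct, host, kind)
                   for _, _, acct, host, kind in classify(parse_events(lines)))


def _line(corr, attr, value, op_code):
    # Constructed sample line in the poster's layout; SID, GUID and correlation
    # IDs are placeholders, the DN is the one shown in the thread.
    syntax = "2.5.5.8" if attr == "dNSTombstoned" else "2.5.5.10"
    return (f"2012-01-12 11:14:23\t5136  A directory service object was modified. "
            f"Subject: Security ID: S-1-5-21-0-0-0-1105 Account Name: DC-SERVER3$ "
            f"Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: "
            f"Name: private.example.com Type: %%14676 Object: "
            f"DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,"
            f"DC=DomainDnsZones,DC=private,DC=example,DC=com "
            f"GUID: {{AD32E101-0000-0000-0000-000000000000}} Class: dnsNode "
            f"Attribute: LDAP Display Name: {attr} Syntax (OID): {syntax} "
            f"Value: {value} Operation: Type: {op_code} Correlation ID: {corr} "
            f"Application Correlation ID: -")


SAMPLE_LINES = [
    # {CORR-0001}: dnsRecord rewritten, tombstone flag FALSE -> FALSE (modify)
    _line("{CORR-0001}", "dnsRecord", "%%14672", "%%14675"),
    _line("{CORR-0001}", "dnsRecord", "%%14672", "%%14674"),
    _line("{CORR-0001}", "dNSTombstoned", "FALSE", "%%14675"),
    _line("{CORR-0001}", "dNSTombstoned", "FALSE", "%%14674"),
    # {CORR-0002}: tombstone flag FALSE -> TRUE (the record is deleted)
    _line("{CORR-0002}", "dnsRecord", "%%14672", "%%14675"),
    _line("{CORR-0002}", "dnsRecord", "%%14672", "%%14674"),
    _line("{CORR-0002}", "dNSTombstoned", "FALSE", "%%14675"),
    _line("{CORR-0002}", "dNSTombstoned", "TRUE", "%%14674"),
    # {CORR-0003}: tombstone flag TRUE -> FALSE (the record is re-created)
    _line("{CORR-0003}", "dnsRecord", "%%14672", "%%14675"),
    _line("{CORR-0003}", "dnsRecord", "%%14672", "%%14674"),
    _line("{CORR-0003}", "dNSTombstoned", "TRUE", "%%14675"),
    _line("{CORR-0003}", "dNSTombstoned", "FALSE", "%%14674"),
]

if __name__ == "__main__":
    for corr, ts, acct, host, kind in classify(parse_events(SAMPLE_LINES)):
        print(f"{ts}  {corr}  {acct:<12}  {host:<12}  {kind}")
```

Run against a text export of the Security log filtered to event 5136, the verdicts separate real deletions from the routine dnsRecord rewrites that a dynamic update produces. In the thread's output every change is attributed to DC-SERVER3$, the DNS server's own computer account, so the audit trail identifies which DC performed the deletion but not which process on it (scavenging, a dynamic update it accepted, or a DHCP server running there), which is why the later questions in the thread turn to scavenging and DHCP settings.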
  • Based on the logs, it's saying the possible culprit is the DomainDnsZones partition.

    When you looked in ADSI Edit, were you able to add and view both the DomainDnsZones and ForestDnsZones partitions?

    If so, did you find any zones with a prefix of "InProgress..." or "CNF..."?

    Run the following: dnscmd /Enumdirectorypartitions. What do you see?

    Also, go back into ADSI Edit, and look at the following section. What do you see?

    1. Navigate to CN=Partitions,CN=Configuration,DC=Domain,DC=Com
    2. Look at the CrossRef objects on the right. 
    3. Do you see the two partitions listed?

    Also run dcdiag /v > c:\dcdiag.txt. Open the file and look for any errors. I'm interested in anything with replication regarding the DomainDnsZones partition. If there are any other errors, post them, too.

    Ace

    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Thursday, January 12, 2012 6:53 PM
  • Yes, in ADSI Edit I am able to add and view both DomainDnsZones and ForestDnsZones partitions.


    I did not find any with a prefix of "InProgress..." or "CNF...".


    I ran: dnscmd /Enumdirectorypartitions

    C:\Windows\system32>dnscmd /Enumdirectorypartitions
    Enumerated directory partition list:
    
            Directory partition count = 2
     DomainDnsZones.private.example.com             Enlisted Auto Domain
     ForestDnsZones.private.example.com               Enlisted Auto Forest
    Command completed successfully.


    Here is what I see in ADSI Edit (sorry, not sure if they are listed or not):

    Name                                        Class      Distinguished Name
    CN=3b8d9649-d33f-40ef-baa0-311fdc429f11     crossRef   CN=3b8d9649-d33f-40ef-baa0-311fdc429f11,CN=Partitions,CN=Configuration,DC=private,DC=example,DC=com
    CN=Enterprise Configuration                 crossRef   CN=Enterprise Configuration,CN=Partitions,CN=Configuration,DC=private,DC=example,DC=com
    CN=Enterprise Schema                        crossRef   CN=Enterprise Schema,CN=Partitions,CN=Configuration,DC=private,DC=example,DC=com
    CN=f7325c51-a90f-493e-acc7-c64a4e0ca90e     crossRef   CN=f7325c51-a90f-493e-acc7-c64a4e0ca90e,CN=Partitions,CN=Configuration,DC=private,DC=example,DC=com
    CN=LSI                                      crossRef   CN=LSI,CN=Partitions,CN=Configuration,DC=private,DC=example,DC=com

    Here is the output of dcdiag  /v (the parts I thought you would find useful):


          Starting test: DFSREvent
             The DFS Replication Event Log.
             There are warning or error events within the last 24 hours after the
             SYSVOL has been shared.  Failing SYSVOL replication problems may cause
             Group Policy problems.
             An Warning Event occurred.  EventID: 0x80001396
                Time Generated: 01/11/2012   22:38:55
                Event String:
                The DFS Replication service is stopping communication with partner DC-SERVER1 for replication group Domain System Volume due to an error. The service will retry the connection periodically.
                Additional Information:
                Error: 9033 (The request was cancelled by a shutdown)
                Connection ID: 49A36F9D-810B-41BD-B8C3-4099563382E3
                Replication Group ID: 4B73D7A2-96C2-45A1-9835-043D7E0F5C01
             An Warning Event occurred.  EventID: 0x80001396
                Time Generated: 01/11/2012   22:39:29
                Event String:
                The DFS Replication service is stopping communication with partner DC-SERVER3 for replication group Domain System Volume due to an error. The service will retry the connection periodically.
                Additional Information:
                Error: 9033 (The request was cancelled by a shutdown)
                Connection ID: BABA95F6-FB8B-40DF-B1B0-D4B13859459C
                Replication Group ID: 4B73D7A2-96C2-45A1-9835-043D7E0F5C01

          Starting test: Replications
             * Replications Check
             * Replication Latency Check
                DC=ForestDnsZones,DC=private,DC=example,DC=com
                   Latency information for 1 entries in the vector were ignored.
                      1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).
                DC=DomainDnsZones,DC=private,DC=example,DC=com
                   Latency information for 1 entries in the vector were ignored.
                      1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).
                CN=Schema,CN=Configuration,DC=private,DC=example,DC=com
                   Latency information for 1 entries in the vector were ignored.
                      1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).
                CN=Configuration,DC=private,DC=example,DC=com
                   Latency information for 1 entries in the vector were ignored.
                      1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).
                DC=private,DC=example,DC=com
                   Latency information for 1 entries in the vector were ignored.
                      1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).
             ......................... DC-SERVER2 passed test Replications

          Starting test: SystemLog
             * The System Event log test
             An Error Event occurred.  EventID: 0xC00A0032
                Time Generated: 01/12/2012   13:46:10
                Event String:
                The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.
             ......................... DC-SERVER2 failed test SystemLog

       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValidation

       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation

       Running enterprise tests on : private.example.com
          Test omitted by user request: DNS
          Test omitted by user request: DNS
          Starting test: LocatorCheck
             GC Name: \\dc-server2.private.example.com
             Locator Flags: 0xe00011fc
             PDC Name: \\dc-server1.private.example.com
             Locator Flags: 0xe00011fd
             Time Server Name: \\dc-server2.private.example.com
             Locator Flags: 0xe00011fc
             Preferred Time Server Name: \\dc-server2.private.example.com
             Locator Flags: 0xe00011fc
             KDC Name: \\dc-server2.private.example.com
             Locator Flags: 0xe00011fc
             ......................... private.example.com passed test LocatorCheck
    
    • Edited by ZB0T Thursday, January 12, 2012 7:34 PM
    Thursday, January 12, 2012 7:33 PM
  • Hi,

    It seems to be network issues between the DCs. Can you ping between the DCs by IP address, computer name and FQDN?

    Could you check that the sysvol and netlogon folders exist and that you can access them on all the DCs?

    For troubleshooting missing SYSVOL and NETLOGON shares, check this KB:

    http://support.microsoft.com/kb/257338/en-us

    Are all the DCs on the same site, or else did you create any replication topology?

    Please check your firewall configuration and check that the ports are open, using the PortQry tool.

    Please post us the below output; upload it on skydrive.live.com with open access:

    dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt
    repadmin /showrepl dc* /verbose /all /intersite

    dnslint /ad /s


    Gopi Kiran
    Thursday, January 12, 2012 9:17 PM
    Agreed with Gopi. Something is blocking communications between the DCs. This could be antivirus (they have a cool, err, not so cool feature to protect network traffic that plays havoc with DC communications), firewalls between locations that are not wide open, the wrong DNS addresses being used on the DC NICs, or the DCs being multihomed.

    Please post the info Gopi asked for. If you can also post an unedited ipconfig /all from each DC, as well as the event log EventID# of what each DC has, that will be very helpful.

    Ace


    Late Edit:
    In addition, how long has this been going on? Run the following, please. What is the value you see? If blank, it's 60 days, otherwise it should be 180. Has this been going on beyond the value you see?

    Dsquery * "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=Domain,DC=com" -attr tombstoneLifetime

    Friday, January 13, 2012 4:41 AM
  • Hi,

    No problems pinging between DCs or accessing sysvol and netlogon shares.

    The DCs are all in one site.

    I ran the PortQry tool from one DC to the other 3 and posted the logs along with the others you requested here:

    [link removed]

    Thanks!!


    • Edited by ZB0T Monday, January 23, 2012 7:23 PM
    Friday, January 13, 2012 8:24 PM
  • I am running Microsoft Forefront Endpoint Protection on each of the DCs.  Should I turn that off and run some tests?

    I ran the Dsquery and it said 180.  The problem has been going on for at least 4 months, possibly longer (we're not totally sure when it started).

    I will try and post the ipconfigs later tonight.  What do you mean by EventID# of what each DC has?  The EventIDs on each server when the delete happens?

    Thanks again!

    Friday, January 13, 2012 8:27 PM
  • I have uploaded the unedited ipconfig /all from each server to skydrive.  Thanks!
    Monday, January 16, 2012 7:17 PM
  • I removed the firewall and antivirus (Microsoft Forefront Endpoint Protection) on each of the DCs.  I just lost one of the static DNS entries again.  I'm pretty sure it's not a firewall issue now.  Any other suggestions?  Thanks!
    Wednesday, February 8, 2012 2:40 PM
  • Provide an example of a record that's being deleted, please.

    Does it conflict or is it the same as one of your DC records (LdapIpAddress or hostname)?

    Is it a CNAME record?


    Ace Fekay

    Wednesday, February 8, 2012 2:43 PM
    The hostname happening most often is 'undersecretary'.  There are no DCs or hosts with the same name.  It is a HOST (A) record with an associated pointer PTR record.  The PTR record is never deleted, only the A record.
    Wednesday, February 8, 2012 2:46 PM
  • What are your scavenging settings in general, and on the record? Any time stamp on the record? How are you creating it?

    Ace Fekay

    Wednesday, February 8, 2012 3:03 PM
    For the zone, scavenging is on.  No-refresh interval = 7 days.  Refresh interval = 7 days.

    The timestamp on the record just lists as static.  How would I check scavenging on the record itself?

    Wednesday, February 8, 2012 3:19 PM
  • If you choose Advanced under the View menu, then go into the properties of a record, you can see the "Delete this record when it becomes stale," as well as the time stamp, if there is one. If it's blank, then it's static.

    If this is not the case, and you are not seeing any duplicate zones, I'm thinking it must be a record that is being updated by something else. Are you using WINS? If so, is "undersecretary" a record in WINS?

    Have you enabled auditing on the zone to see what account, if any, may be removing or deleting it? If so, any hits in the Security log?

    Do any machines have an 'alternate' name with that name, created in the registry?

    Adding multiple NetBIOS names for Windows servers
    http://www.techrepublic.com/blog/datacenter/adding-multiple-netbios-names-for-windows-servers/2593 

    Multiple names for one computer - Consolidate your SMB file servers without breaking UNC paths
    http://blogs.technet.com/b/josebda/archive/2010/06/04/multiple-names-for-one-computer-consolidate-your-smb-file-servers-without-breaking-unc-paths.aspx 


    Ace Fekay


    Thursday, February 9, 2012 4:11 AM
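Ace's point that a record with a blank timestamp is static and is never removed by scavenging can be checked against the zone settings reported earlier in the thread (scavenging on, no-refresh interval 7 days, refresh interval 7 days). The Python model below is an added example, not the DNS server's own code; it reproduces the Windows DNS aging rules (a dynamic refresh inside the no-refresh window does not move the timestamp, a record becomes eligible once no-refresh plus refresh has elapsed since its timestamp, and a record with no timestamp or with "Delete this record when it becomes stale" unchecked is never eligible). The ZONE policy and the T0 timestamp are constructed values.

```python
"""Model of Windows DNS aging/scavenging eligibility (added example).

Windows stores the record timestamp with one-hour granularity; datetime is used
here for readability and the rules are the same."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

DAY = timedelta(days=1)


@dataclass(frozen=True)
class AgingPolicy:
    scavenging_enabled: bool   # zone-level "Scavenge stale resource records"
    no_refresh: timedelta      # refreshes inside this window are ignored
    refresh: timedelta         # window after no-refresh in which a refresh is accepted


# Zone settings as reported in the thread: scavenging on, 7 days / 7 days.
ZONE = AgingPolicy(scavenging_enabled=True, no_refresh=7 * DAY, refresh=7 * DAY)

# Constructed: the last accepted dynamic refresh of a dynamic A record.
T0 = datetime(2012, 1, 1, 0, 0)


def apply_refresh(timestamp: Optional[datetime], at: datetime,
                  policy: AgingPolicy) -> Optional[datetime]:
    """Timestamp after a dynamic-update refresh arriving at `at`.

    A static record (timestamp None) keeps no timestamp. Inside the no-refresh
    window the timestamp is left unchanged, which is what keeps a refresh from
    causing an AD write and replication every time a client re-registers."""
    if timestamp is None:
        return None
    if at < timestamp + policy.no_refresh:
        return timestamp
    return at


def earliest_scavenge(timestamp: Optional[datetime],
                      policy: AgingPolicy) -> Optional[datetime]:
    """First moment a scavenging pass could remove the record, or None if never."""
    if timestamp is None or not policy.scavenging_enabled:
        return None
    return timestamp + policy.no_refresh + policy.refresh


def scavenge_eligible(timestamp: Optional[datetime], now: datetime,
                      policy: AgingPolicy, record_aging: bool = True) -> bool:
    """True if a scavenging pass at `now` would remove the record.

    `record_aging` is the per-record "Delete this record when it becomes stale"
    box Ace describes; a static record has no timestamp and is never eligible,
    whatever the zone settings say."""
    if not record_aging:
        return False
    due = earliest_scavenge(timestamp, policy)
    return due is not None and now >= due


def days_until_scavenge(timestamp: Optional[datetime], now: datetime,
                        policy: AgingPolicy) -> Optional[int]:
    """Whole days until the record is eligible (0 if already), None if never."""
    due = earliest_scavenge(timestamp, policy)
    if due is None:
        return None
    return max(0, (due - now).days)


if __name__ == "__main__":
    now = T0 + 10 * DAY
    print("dynamic record, refreshed day 3 :", apply_refresh(T0, T0 + 3 * DAY, ZONE))
    print("dynamic record, refreshed day 8 :", apply_refresh(T0, T0 + 8 * DAY, ZONE))
    print("dynamic, days until scavenge    :", days_until_scavenge(T0, now, ZONE))
    print("static  (blank timestamp)       :", scavenge_eligible(None, now, ZONE))
```

The scavenging server itself only runs a pass once per scavenging period (7 days by default), so a record can sit eligible for up to that long before it actually disappears. What matters for the thread is the static case: a record whose timestamp shows as blank cannot have been removed by aging no matter how the zone is configured, which is why the 5136 audit trail, and not the scavenging settings, is the right place to look for the cause.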
  • Sorry for the late reply.

    Under the properties of the record "Delete this record when it becomes stale" is NOT checked and the timestamp is blank.

    We are not using WINS.

    I did enable auditing (see log above).  It is on the computer account of one of the DCs.  (Account Name: DC-SERVER3$)  ^^ from above.

    • Edited by ZB0T Monday, February 13, 2012 8:09 PM fixed font
    Monday, February 13, 2012 8:08 PM
  • It looks like the DC is deleting or modifying it. I'm not sure what IP that record has, but if you delete the record, then create it as a CNAME, does that stick?

    It almost appears as if there is another machine with that name on the network. Or there is a conflict with AD data, because the DC is doing it, not a specific user account. If you look at the DC's c:\windows\system32\config\netlogon.dns file, do you see any references in there for it?

    How about other DCs?

    Is it in the zone properties (check all tabs)?

    Ace



    Monday, February 13, 2012 9:21 PM
    Hello, I am coming in late to the party but we are having the same (pretty much the exact) issue.  The only major difference is that we are removing WINS from our environment, which I believe is why the issue is rearing its ugly head.  We have triple verified we do not have duplicate zones.  We have mostly Win XP clients (so no IPv6) and are starting to roll out Windows 7 and Windows 2008 R2 with IPv6 enabled.  We are seeing DNS records getting dNSTombstoned by the machine that has the IPv4 A record disappearing.  Here is an example of the audit record (the server is LTGSTORE1):

    A directory service object was modified.
        
    Subject:
        Security ID:        LIBRARY\LTGSTORE1$
        Account Name:        LTGSTORE1$
        Account Domain:        LIBRARY
        Logon ID:        0x1d75ae

    Directory Service:
        Name:    ad.library.wisc.edu
        Type:    Active Directory Domain Services
        
    Object:
        DN:    DC=LtgStore1,DC=ad.library.wisc.edu,cn=MicrosoftDNS,DC=DomainDnsZones,DC=ad,DC=library,DC=wisc,DC=edu
        GUID:    {deleted for security}
        Class:    dnsNode
        
    Attribute:
        LDAP Display Name:    dnsRecord
        Syntax (OID):    2.5.5.10
        Value:    <Binary>
        
    Operation:
        Type:    Value Deleted
        Correlation ID:    {deleted for security}
        Application Correlation ID:    -

    Friday, February 17, 2012 9:54 PM
  • Welcome to the party! :-)

    • Is this client a DHCP client, or a statically configured client?
    • Or is it a static record?
    • Is scavenging configured on this one machine?
    • Is there another machine out there with the same name?

    I don't think it's WINS, or it would suffix the WINS zone name.

    Ace



    Saturday, February 18, 2012 6:38 AM
    We have seen it with both static and DHCP servers.  I have recently changed the DHCP setting that dynamically updates DNS from "always update DNS and PTR records" to "dynamically update only if requested by client".  Since I have done that it seems like things are working better.  It also could be the bazillion other changes we have made in the last two weeks.  I am keeping my fingers crossed.

    To answer the other questions:

    - Scavenging is on and set to the defaults of 7 days, 7 days, 7 days.

    - There is no other machine with the same name(s).  We have seen the issue on most of the servers that have IPv6 enabled on them, so about ten machines total, and have seen it on a couple of Windows 7 machines.

    I will follow up during the week with more information.

    Thanks,

    Pete

    Sunday, February 19, 2012 3:42 AM
  • I want to follow up on this issue.  It does in fact look like the DHCP setting was the issue.  Since we have changed all of our scopes' DNS setting to "dynamically update only if requested by client" instead of "always update DNS and PTR records" things have been rock solid.  I will post again if we run into more issues but it is looking good.
    Monday, February 20, 2012 7:56 PM
  • I want to follow up on this issue.  It does in fact look like the DHCP setting was the issue.  Since we have changed all of our scopes' DNS setting to "dynamically update only if requested by client" instead of "always update DNS and PTR records" things have been rock solid.  I will post again if we run into more issues but it is looking good.

    Good to hear. You may want to review the following for more specifics on these settings to understand how they work and why. Also take note of using credentials instead of the DnsUpdateProxy group.


    DHCP Service Configuration, Dynamic DNS Updates, Scavenging, Static Entries, Timestamps, DnsUpdateProxy Group, DHCP Credentials, prevent duplicate DNS records, DHCP has a "pen" icon, and more...
    http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx  


    Ace



    Tuesday, February 21, 2012 4:48 AM
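    The DHCP-side fix Peter described (every scope moved from "always update DNS and PTR records" to "dynamically update only if requested by client") and the credentials-instead-of-DnsUpdateProxy point Ace raises above, as an added PowerShell example that is not code from the thread or from either poster. It assumes the DhcpServer module (Windows Server 2012 or later RSAT; on the 2008 servers in this thread the same settings live in the DHCP console), and the server name and service account name are placeholders.

```powershell
# Added example, not from the thread: audit every DHCPv4 scope's dynamic DNS
# update mode, set it to OnClientRequest, and register a dedicated account for
# the DHCP server's own DNS registrations. Requires the DhcpServer module.
Import-Module DhcpServer

$DhcpServer = 'dhcp01.private.example.com'   # placeholder: the DHCP server to audit

function Get-ScopeDnsUpdateReport {
    # One row for the server-wide default and one per scope, so scopes still
    # on "Always" (the setting the thread identified as the trigger) stand out.
    param([string]$ComputerName)
    $serverSetting = Get-DhcpServerv4DnsSetting -ComputerName $ComputerName
    [pscustomobject]@{
        ScopeId        = '(server default)'
        DynamicUpdates = $serverSetting.DynamicUpdates
        DeleteOnExpiry = $serverSetting.DeleteDnsRRonLeaseExpiry
    }
    foreach ($scope in Get-DhcpServerv4Scope -ComputerName $ComputerName) {
        $s = Get-DhcpServerv4DnsSetting -ComputerName $ComputerName -ScopeId $scope.ScopeId
        [pscustomobject]@{
            ScopeId        = $scope.ScopeId
            DynamicUpdates = $s.DynamicUpdates
            DeleteOnExpiry = $s.DeleteDnsRRonLeaseExpiry
        }
    }
}

function Set-ScopeDnsUpdateOnClientRequest {
    # Apply "dynamically update only if requested by client" to every scope and
    # keep lease-expiry cleanup on so DHCP removes the records it registered.
    param([string]$ComputerName)
    foreach ($scope in Get-DhcpServerv4Scope -ComputerName $ComputerName) {
        Set-DhcpServerv4DnsSetting -ComputerName $ComputerName -ScopeId $scope.ScopeId `
            -DynamicUpdates OnClientRequest `
            -DeleteDnsRRonLeaseExpiry $true
    }
}

# 1. Current state: any scope reporting "Always" will overwrite records the
#    client did not ask to change, including records that look static.
Get-ScopeDnsUpdateReport -ComputerName $DhcpServer | Format-Table -AutoSize

# 2. Apply the setting the thread settled on.
Set-ScopeDnsUpdateOnClientRequest -ComputerName $DhcpServer

# 3. Register a dedicated, unprivileged account for DHCP's DNS registrations
#    (Ace's "credentials instead of the DnsUpdateProxy group" advice). Records
#    DHCP writes are then owned by this account rather than by the host's
#    machine account, which matters when DHCP runs on a domain controller.
#    The account name is a placeholder.
$dnsUpdateCred = Get-Credential -UserName 'EXAMPLE\svc-dhcp-dns' -Message 'DHCP DNS update account'
Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $dnsUpdateCred

# 4. Confirm both changes.
Get-ScopeDnsUpdateReport -ComputerName $DhcpServer | Format-Table -AutoSize
Get-DhcpServerDnsCredential -ComputerName $DhcpServer
```

    Run the report step first on its own; the scopes listed with `Always` are the ones worth correlating against the 5136 deletions, since those are the scopes from which DHCP will rewrite a client's record regardless of what the client requested.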
  • Peter,

    I am only having the problem with a few servers that have static IP addresses assigned. So the servers that obtain their IP addresses from DHCP have been fine; what about the servers that are statically assigned? In the post from February 19 you said that "[w]e have seen it with both static and DHCP servers." How did the static ones get fixed?

    Thanks,

    David

    Wednesday, October 15, 2014 7:44 PM
  • For anyone still interested in this problem... Here is my own answer.

    First of all, I still found this problem recently. On domain controllers, Windows 2008 R2, which have been running smoothly for almost two years. My own environment contains (on a usual basis) around 200 DCs (covering >20 domains in a forest), all Windows Core to ease things. Yes, quite a good-looking one!

    Really disturbing. A few days ago, I discovered five of my DCs had suddenly disappeared: no more DNS resolution. I registered a domain controller (IPCONFIG /REGISTERDNS), checked for its record (NSLOOKUP %COMPUTERNAME% DnsServer) and saw it resolved OK. On the morrow, it had disappeared.

    Having some time lately, I decided to find an answer suiting me before my 5 DCs become stale because of replication failures above tombstone lifetime. I took one of my DCs under the magnifying glass.

    1) Network Monitor, capture settings "tcp.Port==53 || udp.port==53": I can see that registering the DC is OK. Some five minutes later it has disappeared. Almost at the same time, the monitor shows DNS/TCP activity (but the contents of this DNS/TCP activity are encrypted, since only secure updates are allowed).

    2) ADFIND -b DC=%COMPUTERNAME%,DC=domain_FQDN,DC=DomainDnsZones,DC=the_domain_NC -s base: shows the record still exists and has been DNS tombstoned (yes, an attribute of the same name, dNSTombstoned, exists).

    3) REPADMIN /SHOWOBJMETA * DC=%COMPUTERNAME%,DC=domain_FQDN,DC=DomainDnsZones,DC=the_domain_NC confirms the author of the change: the dNSTombstoned attribute change originated from the DC itself, even though the DC is not its own DNS server (the PDC of its domain is).

    4) IPCONFIG /ALL: ouch, 2 network cards online, one connected with the missing IP address, the other APIPA-configured.

    Tilt! Idea!

    NETSH INTERFACE SET INTERFACE "second_network_card" ADMIN=DISABLED & IPCONFIG /REGISTERDNS

    => no more disappearance!

    I suspect a bug in the DHCP client (which is responsible for DNS registration) in some specific cases: 2 network cards, one of which is not statically configured but connected with no DHCP server available. At least in my situation.

    My five DCs were configured the same. Same solution. All are now available.

    Hope it may help!

    EDIT : if it does help, please mark as answer, since I really believe I've seen no other convincing answer on that precise matter anywhere else on the web, and it should help other people searching :)
    • Edited by LHdx Monday, March 30, 2015 9:53 AM
    Saturday, March 28, 2015 8:40 PM
  • Hi LHdx,

    Thanks for posting how you resolved that.

    One question just so I understand the original scenario. Did the five RODCs have two NICs in them, with one connected to the network and the other not connected (not teamed)? And if yes to that question, did you disable the non-connected NICs or just leave them as "disconnected"?

    From what I've seen in the past, if one leaves an additional, unused NIC as "disconnected" and does not disable it, the operating system still looks at the active NIC, disconnected or connected, as an eligible communication connection, especially if that NIC is the first NIC in the binding order.

    As a best practice, I've always disabled any unused, disconnected, unteamed NICs.


    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Sunday, March 29, 2015 3:26 PM
  • Hi

    To be exact, they were not RODCs but plain core server GCs (but it won't matter :))

    Of course, since the 2nd card got an APIPA address, it means (1) it was enabled and connected, (2) not teamed and (3) without a DHCP server replying. An unconnected network interface doesn't get an APIPA address, nor does a teamed network interface in itself (the team gets an IP, not each individual member).

    On the binding order side, I haven't really checked, though I believe it was the second NIC which was APIPA'ed.

    Monday, March 30, 2015 9:51 AM
  • Sorry for digging up an old post, but I have a 2008 R2 DC with the same problem (the DC itself deletes its own static record; I have DS object access auditing enabled and the event log to prove it: after reboot, the culprit account is hostname$). I can add the record back, but it will delete itself a moment later. Very annoying. While I do have multiple NICs, all of them were disabled but one. 

    Scavenging is enabled in my environment, but I am confident it's set up properly and aligned with best practices. Plus, this DC seemed to be the only one with the problem.

    The only other thing was in the TCP/IP stack, DNS boxes: it points to itself in the first box. This shouldn't be considered a misconfiguration, technically, but I flipped the primary and secondary DNS anyway so it's no longer using itself as primary. After that, things seemed to stabilize. Maybe this is indeed the cause and will help someone.


    • Edited by strongline Sunday, June 26, 2016 2:40 AM
    Sunday, June 26, 2016 2:36 AM
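    LHdx's ADFIND / REPADMIN / IPCONFIG checks above, together with Ace's disconnected-NIC question and strongline's self-as-primary-DNS observation, as one added PowerShell script that is not code from the thread or from any poster. It assumes the ActiveDirectory and NetTCPIP modules (Windows Server 2012 or later) and is run on the affected DC; the zone name is a placeholder to replace with the AD-integrated zone, and the DN it builds includes the CN=MicrosoftDNS container that the audit events in the opening post show.

```powershell
# Added example, not from the thread: find dnsNode objects that have been
# DNS-tombstoned, ask replication metadata which DC originated the
# dNSTombstoned change, and report the local NIC conditions the thread ties
# to a host deregistering itself (an APIPA adapter, self as primary DNS).
Import-Module ActiveDirectory

$ZoneName  = 'private.example.com'   # placeholder: the AD-integrated forward zone
$ZoneDn    = "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones," + (Get-ADDomain).DistinguishedName
$HostLabel = $env:COMPUTERNAME.ToLower()

function Get-TombstonedDnsNodes {
    # Same question as LHdx's ADFIND, as an LDAP search: which records in the
    # zone still exist as objects but carry dNSTombstoned=TRUE.
    param([string]$SearchBase)
    Get-ADObject -SearchBase $SearchBase -SearchScope OneLevel `
        -LDAPFilter '(&(objectClass=dnsNode)(dNSTombstoned=TRUE))' `
        -Properties dNSTombstoned, whenChanged |
        Select-Object Name, whenChanged
}

function Get-TombstoneOrigin {
    # Same question as REPADMIN /SHOWOBJMETA: which DC last originated the
    # dNSTombstoned attribute change, and when.
    param([string]$NodeDn)
    Get-ADReplicationAttributeMetadata -Object $NodeDn -Server $env:COMPUTERNAME `
        -Properties dNSTombstoned |
        Select-Object AttributeName, LastOriginatingChangeDirectoryServerIdentity,
                      LastOriginatingChangeTime, Version
}

function Get-NicRiskReport {
    # For every adapter that is Up: its IPv4 addresses, whether one of them is
    # APIPA (169.254/16, i.e. connected but no DHCP answer), and whether the
    # first DNS server configured on it is this host itself.
    $ownAddrs = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
    foreach ($nic in Get-NetAdapter | Where-Object Status -eq 'Up') {
        $ips = Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue
        $dns = (Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses
        $primary = if ($dns) { $dns[0] } else { $null }
        [pscustomobject]@{
            Adapter       = $nic.Name
            Addresses     = ($ips.IPAddress -join ', ')
            HasApipa      = [bool]($ips | Where-Object IPAddress -like '169.254.*')
            PrimaryDns    = $primary
            SelfIsPrimary = [bool]($primary -and ($ownAddrs -contains $primary -or $primary -eq '127.0.0.1'))
        }
    }
}

"== dNSTombstoned nodes in $ZoneName =="
$tombstoned = Get-TombstonedDnsNodes -SearchBase $ZoneDn
$tombstoned | Format-Table -AutoSize

$mine = $tombstoned | Where-Object Name -eq $HostLabel
if ($mine) {
    "== Who tombstoned this host's record =="
    Get-TombstoneOrigin -NodeDn "DC=$HostLabel,$ZoneDn" | Format-List
}

"== Local adapter checks =="
Get-NicRiskReport | Format-Table -AutoSize
```

    The second section is the useful one for the thread's question of "is DC-SERVER3$ really the deleter": if `LastOriginatingChangeDirectoryServerIdentity` names the host itself, the record was not scavenged by the DNS server but withdrawn by the host's own DNS client registration, which is where the adapter report (an extra adapter with `HasApipa` true, or `SelfIsPrimary` true) points at the likely reason.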