Static DNS records disappearing

Hi all,

Three of our static DNS entries keep disappearing and we have to keep adding them back in.  Sometimes they stay in for 1-2 weeks, sometimes only a few hours.  We have many static entries but it is always these same three that give us issues.  We are running four Windows 2008 (non-R2) Domain Controllers.  Two of these machines are Server Core and the other two are full versions.

I have followed Ace's blog (thanks btw!) about looking for a duplicate zone but I don't think this is the case.  So I have turned on DNS auditing.  When the record gets deleted it logs EventID 5136 sixteen times:

<REMOVED LOG FOR READABILITY>

From these logs it appears that DC-SERVER3$ is what is deleting these items.  Is that a correct assumption?  DC-SERVER3 is one of the four domain controllers and is one of two running server core.

I am unsure where to go from here.  Any help would be MUCH appreciated.  Thanks!

 


  • Edited by ZB0T Thursday, January 12, 2012 6:35 PM readability
January 12th, 2012 6:26pm

I tried posting the event logs in a <code> block above but it was very unreadable.  Is there a better way to do this?  I will paste them here for the time being:

 

2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dnsRecord Syntax (OID): 2.5.5.10 Value: %%14672 Operation: Type: %%14675 Correlation ID: {1A62820C-B9A9-4942-BC2A-5232B31019AC} Application Correlation ID: - 

2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dnsRecord Syntax (OID): 2.5.5.10 Value: %%14672 Operation: Type: %%14674 Correlation ID: {1A62820C-B9A9-4942-BC2A-5232B31019AC} Application Correlation ID: - 

2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dNSTombstoned Syntax (OID): 2.5.5.8 Value: FALSE Operation: Type: %%14675 Correlation ID: {1A62820C-B9A9-4942-BC2A-5232B31019AC} Application Correlation ID: - 

2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dNSTombstoned Syntax (OID): 2.5.5.8 Value: FALSE Operation: Type: %%14674 Correlation ID: {1A62820C-B9A9-4942-BC2A-5232B31019AC} Application Correlation ID: - 

2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dnsRecord Syntax (OID): 2.5.5.10 Value: %%14672 Operation: Type: %%14675 Correlation ID: {5E3BE0F3-7E9C-4670-8191-D95E499E4E0F} Application Correlation ID: - 

2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dnsRecord Syntax (OID): 2.5.5.10 Value: %%14672 Operation: Type: %%14674 Correlation ID: {5E3BE0F3-7E9C-4670-8191-D95E499E4E0F} Application Correlation ID: - 

2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dNSTombstoned Syntax (OID): 2.5.5.8 Value: FALSE Operation: Type: %%14675 Correlation ID: {5E3BE0F3-7E9C-4670-8191-D95E499E4E0F} Application Correlation ID: - 

2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dNSTombstoned Syntax (OID): 2.5.5.8 Value: TRUE Operation: Type: %%14674 Correlation ID: {5E3BE0F3-7E9C-4670-8191-D95E499E4E0F} Application Correlation ID: - 

2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dnsRecord Syntax (OID): 2.5.5.10 Value: %%14672 Operation: Type: %%14675 Correlation ID: {30EFB4E6-90CD-4143-B1C4-DC85382842A1} Application Correlation ID: - 

2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dnsRecord Syntax (OID): 2.5.5.10 Value: %%14672 Operation: Type: %%14674 Correlation ID: {30EFB4E6-90CD-4143-B1C4-DC85382842A1} Application Correlation ID: - 

2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dNSTombstoned Syntax (OID): 2.5.5.8 Value: TRUE Operation: Type: %%14675 Correlation ID: {30EFB4E6-90CD-4143-B1C4-DC85382842A1} Application Correlation ID: - 

2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dNSTombstoned Syntax (OID): 2.5.5.8 Value: FALSE Operation: Type: %%14674 Correlation ID: {30EFB4E6-90CD-4143-B1C4-DC85382842A1} Application Correlation ID: - 

2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dnsRecord Syntax (OID): 2.5.5.10 Value: %%14672 Operation: Type: %%14675 Correlation ID: {D1326DBB-9BA0-4838-A0A4-B90CEFF2A346} Application Correlation ID: - 

2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dnsRecord Syntax (OID): 2.5.5.10 Value: %%14672 Operation: Type: %%14674 Correlation ID: {D1326DBB-9BA0-4838-A0A4-B90CEFF2A346} Application Correlation ID: - 

2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dNSTombstoned Syntax (OID): 2.5.5.8 Value: FALSE Operation: Type: %%14675 Correlation ID: {D1326DBB-9BA0-4838-A0A4-B90CEFF2A346} Application Correlation ID: - 

2012-01-12 11:14:23	5136  A directory service object was modified. Subject: Security ID: S-1-5-21-3088655886-3068517834-3379253519-1105 Account Name: DC-SERVER3$ Account Domain: EXAMPLE Logon ID: 0xb9a4852 Directory Service: Name: private.example.com Type: %%14676 Object: DN: DC=client-pc,DC=private.example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=private,DC=example,DC=com GUID: {AD32E101-1D83-412F-BD1C-C68B9F063507} Class: dnsNode Attribute: LDAP Display Name: dNSTombstoned Syntax (OID): 2.5.5.8 Value: TRUE Operation: Type: %%14674 Correlation ID: {D1326DBB-9BA0-4838-A0A4-B90CEFF2A346} Application Correlation ID: - 


 



  • Edited by ZB0T Thursday, January 12, 2012 6:44 PM
January 12th, 2012 6:37pm
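The sixteen 5136 events posted above share four Correlation IDs, and each Correlation ID is one LDAP modify. The following is an added example, not part of the original thread: it collapses flattened 5136 lines into one entry per modify and reports who changed dNSTombstoned and in which direction. The sample lines are constructed placeholders in the same layout; `%%14674` and `%%14675` are the unrendered forms of "Value Added" and "Value Deleted".

```python
import re

# Unrendered message IDs seen in flattened 5136 exports, plus their rendered text.
OPERATION = {"%%14674": "added", "%%14675": "deleted",
             "Value Added": "added", "Value Deleted": "deleted"}

EVENT_RE = re.compile(
    r"^(?P<time>\S+ \S+)\s+5136\s.*?"
    r"Account Name: (?P<account>\S+) .*?"
    r"Object: DN: (?P<dn>.+?) GUID: .*?"
    r"LDAP Display Name: (?P<attr>\S+) .*?"
    r"Value: (?P<value>.*?) Operation: Type: (?P<op>%%\d+|Value \w+) "
    r"Correlation ID: (?P<corr>\{[^}]+\})"
)


def parse_event(line):
    """Return the fields of one flattened 5136 line, or None if it is not one."""
    m = EVENT_RE.search(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["op"] = OPERATION.get(ev["op"])
    return ev if ev["op"] else None


def summarize(lines):
    """Collapse 5136 events into one entry per LDAP modify (Correlation ID)."""
    ops = {}  # insertion-ordered: correlation id -> details of that modify
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        op = ops.setdefault(ev["corr"], {"time": ev["time"], "account": ev["account"],
                                         "dn": ev["dn"], "changes": {}})
        attr = op["changes"].setdefault(ev["attr"], {"added": [], "deleted": []})
        attr[ev["op"]].append(ev["value"])

    report = []
    for corr, op in ops.items():
        tomb = op["changes"].get("dNSTombstoned")
        if tomb is None:
            state = "not touched"
        else:
            old = tomb["deleted"][-1] if tomb["deleted"] else None
            new = tomb["added"][-1] if tomb["added"] else None
            if new == "TRUE" and old != "TRUE":
                state = "tombstoned"      # record disappears from DNS answers
            elif new == "FALSE" and old == "TRUE":
                state = "revived"         # node brought back into use
            else:
                state = "unchanged"       # dnsRecord rewritten, flag kept
        report.append({"correlation_id": corr, "time": op["time"],
                       "account": op["account"], "node": op["dn"].split(",")[0],
                       "attributes": sorted(op["changes"]), "tombstone": state})
    return report


def _sample(attr, value, op, corr):
    # Constructed line in the flattened layout of the post above; the account,
    # SID, DN and GUIDs are made-up placeholders.
    return ("2012-01-12 11:14:23\t5136  A directory service object was modified. "
            "Subject: Security ID: S-1-5-21-0-0-0-1000 Account Name: DC-TEST$ "
            "Account Domain: CORP Logon ID: 0x1 Directory Service: Name: corp.example "
            "Type: %%14676 Object: DN: DC=host1,DC=corp.example,cn=MicrosoftDNS,"
            "DC=DomainDnsZones,DC=corp,DC=example "
            "GUID: {00000000-0000-0000-0000-000000000001} Class: dnsNode "
            "Attribute: LDAP Display Name: " + attr + " Syntax (OID): 2.5.5.8 "
            "Value: " + value + " Operation: Type: " + op +
            " Correlation ID: " + corr + " Application Correlation ID: -")


# Constructed input: one unrelated event, then three modifies of four events each.
SAMPLE = ["2012-01-12 11:14:22\t4624  An account was successfully logged on."]
for _corr, _old, _new in (("{00000000-0000-0000-0000-0000000000A1}", "FALSE", "FALSE"),
                          ("{00000000-0000-0000-0000-0000000000A2}", "FALSE", "TRUE"),
                          ("{00000000-0000-0000-0000-0000000000A3}", "TRUE", "FALSE")):
    SAMPLE += [_sample("dnsRecord", "%%14672", "%%14675", _corr),
               _sample("dnsRecord", "%%14672", "%%14674", _corr),
               _sample("dNSTombstoned", _old, "%%14675", _corr),
               _sample("dNSTombstoned", _new, "%%14674", _corr)]

if __name__ == "__main__":
    for entry in summarize(SAMPLE):
        print(entry["time"], entry["account"], entry["node"],
              entry["tombstone"], entry["correlation_id"])
```

Only the single-line layout shown in the post is handled; events copied from Event Viewer as multi-line text need to be flattened first.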

Based on the logs, it's saying the possible culprit is the DomainDnsZones partition.

When you looked in ADSI Edit, were you able to add and view both DomainDnsZones and ForestDnsZones partitions?

If so, did you find any zones with a prefix of "InProgress..." or "CNF..."?

Run the following: dnscmd /Enumdirectorypartitions  What do you see?

Also, go back into ADSI Edit, and look at the following section. What do you see?

  1. Navigate to CN=Partitions,CN=Configuration,DC=Domain,DC=Com
  2. Look at the CrossRef objects on the right. 
  3. Do you see the two partitions listed?

Also run dcdiag /v > c:\dcdiag.txt. Open the file and look for any errors. I'm interested in anything with replication regarding the DomainDnsZones partition. If there are any other errors, post them, too.

Ace

 

 

January 12th, 2012 6:53pm

Yes, in ADSI Edit I am able to add and view both DomainDnsZones and ForestDnsZones partitions.

 

I did not find any with a prefix of "InProgress..." or "CNF...".

 

I ran: dnscmd /Enumdirectorypartitions

C:\Windows\system32>dnscmd /Enumdirectorypartitions
Enumerated directory partition list:

        Directory partition count = 2
 DomainDnsZones.private.example.com             Enlisted Auto Domain
 ForestDnsZones.private.example.com               Enlisted Auto Forest
Command completed successfully.

 

Here is what I see in ADSI Edit (sorry, not sure if they are listed or not):

Name	Class	Distinguished Name
CN=3b8d9649-d33f-40ef-baa0-311fdc429f11   crossRef	CN=3b8d9649-d33f-40ef-baa0-311fdc429f11,CN=Partitions,CN=Configuration,DC=private,DC=example,DC=com
CN=Enterprise Configuration                             crossRef	CN=Enterprise Configuration,CN=Partitions,CN=Configuration,DC=private,DC=example,DC=com
CN=Enterprise Schema                                     crossRef	CN=Enterprise Schema,CN=Partitions,CN=Configuration,DC=private,DC=example,DC=com
CN=f7325c51-a90f-493e-acc7-c64a4e0ca90e  crossRef	CN=f7325c51-a90f-493e-acc7-c64a4e0ca90e,CN=Partitions,CN=Configuration,DC=private,DC=example,DC=com
CN=LSI                                                            crossRef	CN=LSI,CN=Partitions,CN=Configuration,DC=private,DC=example,DC=com

Here is the output of dcdiag  /v (the parts I thought you would find useful):

 

      Starting test: DFSREvent

         The DFS Replication Event Log. 
         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems. 
         An Warning Event occurred.  EventID: 0x80001396

            Time Generated: 01/11/2012   22:38:55

            Event String:

            The DFS Replication service is stopping communication with partner DC-SERVER1 for replication group Domain System Volume due to an error. The service will retry the connection periodically. 

             

            Additional Information: 

            Error: 9033 (The request was cancelled by a shutdown) 

            Connection ID: 49A36F9D-810B-41BD-B8C3-4099563382E3 

            Replication Group ID: 4B73D7A2-96C2-45A1-9835-043D7E0F5C01

         An Warning Event occurred.  EventID: 0x80001396

            Time Generated: 01/11/2012   22:39:29

            Event String:

            The DFS Replication service is stopping communication with partner DC-SERVER3 for replication group Domain System Volume due to an error. The service will retry the connection periodically. 

             

            Additional Information: 

            Error: 9033 (The request was cancelled by a shutdown) 

            Connection ID: BABA95F6-FB8B-40DF-B1B0-D4B13859459C 

            Replication Group ID: 4B73D7A2-96C2-45A1-9835-043D7E0F5C01
            
            

      Starting test: Replications

         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=private,DC=example,DC=com
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=DomainDnsZones,DC=private,DC=example,DC=com
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Schema,CN=Configuration,DC=private,DC=example,DC=com
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Configuration,DC=private,DC=example,DC=com
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=private,DC=example,DC=com
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         ......................... DC-SERVER2 passed test Replications


      Starting test: SystemLog

         * The System Event log test
         An Error Event occurred.  EventID: 0xC00A0032

            Time Generated: 01/12/2012   13:46:10

            Event String:

            The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

         ......................... DC-SERVER2 failed test SystemLog


   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   Running enterprise tests on : private.example.com

      Test omitted by user request: DNS

      Test omitted by user request: DNS

      Starting test: LocatorCheck

         GC Name: \\dc-server2.private.example.com

         Locator Flags: 0xe00011fc
         PDC Name: \\dc-server1.private.example.com
         Locator Flags: 0xe00011fd
         Time Server Name: \\dc-server2.private.example.com
         Locator Flags: 0xe00011fc
         Preferred Time Server Name: \\dc-server2.private.example.com
         Locator Flags: 0xe00011fc
         KDC Name: \\dc-server2.private.example.com
         Locator Flags: 0xe00011fc
         ......................... private.example.com passed test LocatorCheck



 


  • Edited by ZB0T Thursday, January 12, 2012 7:34 PM
January 12th, 2012 7:33pm

Hi,

It seems to be network issues between the DCs. Can you ping between the DCs with IP address, computer name and FQDN?

Could you check that the sysvol and netlogon folders exist and you can access them on all the DCs?

For troubleshooting missing SYSVOL and NETLOGON shares, check this KB:

http://support.microsoft.com/kb/257338/en-us

Are all the DCs on the same site, or else did you create any replication topology?

Please check your firewall configuration and check that ports are open, using the portquery tool.

Please post us the below output: upload it on skydrive.live.com with open access

dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt
repadmin /showrepl dc* /verbose /all /intersite

dnslint /ad /s

January 12th, 2012 9:17pm

Agreed with Gopi. Something is blocking communications between the DCs. This could be antivirus (they have a cool, err, not so cool feature to protect network traffic that plays havoc with DC communications), firewalls between locations that are not wide opened, the wrong DNS addresses are being used on the DC NICs, or the DCs are multihomed.

Please post the info Gopi asked for. If you can also post an unedited ipconfig /all from each DC, as well as the event log EventID# of what each DC has, that will be very helpful.

Ace

 

Late Edit:
In addition, how long has this been going on? Run the following, please. What is the value you see? If blank, it's 60 days, otherwise it should be 180. Has this been going on beyond the value you see?

Dsquery * "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=Domain,DC=com" -attr tombstoneLifetime

January 13th, 2012 4:41am

Hi,

No problems pinging between DCs or accessing sysvol and netlogon shares.

The DCs are all in one site.

I ran the portquery tool from one DC to the other 3 and posted the logs along with the others you requested here:

[link removed]

Thanks!!


  • Edited by ZB0T Monday, January 23, 2012 7:23 PM
January 13th, 2012 8:24pm

I am running Microsoft Forefront Endpoint Protection on each of the DCs.  Should I turn that off and run some tests?

I ran the Dsquery and it said 180.  The problem has been going on for at least 4 months, possibly longer (we're not totally sure when it started).

I will try and post the ipconfigs later tonight.  What do you mean by EventID# of what each DC has?  The EventIDs on each server when the delete happens?

Thanks again!

January 13th, 2012 8:27pm

I have uploaded the unedited ipconfig /all from each server to skydrive.  Thanks!
January 16th, 2012 7:17pm

I removed the firewall and antivirus (Microsoft Forefront Endpoint Protection) on each of the DCs.  I just lost one of the static DNS entries again.  I'm pretty sure it's not a firewall issue now.  Any other suggestions?  Thanks!
February 8th, 2012 2:40pm

Provide an example of a record that's being deleted, please.

Does it conflict or is it the same as one of your DC records (LdapIpAddress or hostname)?

Is it a CNAME record?

February 8th, 2012 2:43pm

The hostname happening most often is 'undersecretary'.  There are no DC's or hosts with the same name.  It is a HOST (A) record with an associated pointer PTR record.  The PTR record is never deleted, only the A record.
February 8th, 2012 2:46pm

What are your scavenging settings in general, and on the record? Any time stamp on the record? How are you creating it?
February 8th, 2012 3:03pm

For the zone, scavenging is on.  No-refresh interval = 7 days.  Refresh interval = 7 days.

The timestamp on the record just lists as static.  How would I check scavenging on the record itself?

February 8th, 2012 3:19pm

If you choose Advanced under the View menu, then go into the properties of a record, you can see the "Delete this record when it becomes stale," as well as the time stamp, if there is one. If it's blank, then it's static.

If this is not the case, and you are not seeing any duplicate zones, I'm thinking it must be a record that is being updated by something else. Are you using WINS? If so, is "undersecretary" a record in WINS?

Have you enabled auditing on the zone to see what account, if any, may be removing or deleting it? If so, any hits in the Security log?

.

Does any machine have an 'alternate' name with that name, created in the registry?

Adding multiple NetBIOS names for Windows servers
http://www.techrepublic.com/blog/datacenter/adding-multiple-netbios-names-for-windows-servers/2593 

Multiple names for one computer - Consolidate your SMB file servers without breaking UNC paths
http://blogs.technet.com/b/josebda/archive/2010/06/04/multiple-names-for-one-computer-consolidate-your-smb-file-servers-without-breaking-unc-paths.aspx

February 9th, 2012 4:11am

Sorry for the late reply.

Under the properties of the record "Delete this record when it becomes stale" is NOT checked and the timestamp is blank.

We are not using WINS.

I did enable auditing (see log above).  It is on the computer account of one of the DCs.  (Account Name: DC-SERVER3$)  ^^ from above.

  • Edited by ZB0T Monday, February 13, 2012 8:09 PM fixed font
February 13th, 2012 8:08pm

It looks like the DC is deleting or modifying it. I'm not sure what IP that record has, but if you delete the record, then create it as a CNAME, does that stick?

It almost appears as if there is another machine with that name on the network. Or there is a conflict with AD data, because the DC is doing it, not a specific user account. If you look at the DC's c:\windows\system32\config\netlogon.dns file, do you see any references in there for it?

How about other DCs?

Is it in the zone properties (check all tabs)?

Ace

February 13th, 2012 9:21pm

Hello, I am coming in late to the party but we are having the same (pretty much exact) issue.  The only major difference is that we are removing WINS from our environment - which I believe is why the issue is rearing its ugly head.  We have triple verified we do not have duplicate zones.  We have mostly Win XP clients (so no ipv6) and are starting to roll out Windows 7 and Windows 2008 R2 with ipv6 enabled.  We are seeing DNS records getting dNStombstoned by the machine that has the ipv4 A record disappearing.  Here is an example of the audit record (the server is LTGSTORE1):

A directory service object was modified.
    
Subject:
    Security ID:        LIBRARY\LTGSTORE1$
    Account Name:        LTGSTORE1$
    Account Domain:        LIBRARY
    Logon ID:        0x1d75ae

Directory Service:
    Name:    ad.library.wisc.edu
    Type:    Active Directory Domain Services
    
Object:
    DN:    DC=LtgStore1,DC=ad.library.wisc.edu,cn=MicrosoftDNS,DC=DomainDnsZones,DC=ad,DC=library,DC=wisc,DC=edu
    GUID:    {deleted for security}
    Class:    dnsNode
    
Attribute:
    LDAP Display Name:    dnsRecord
    Syntax (OID):    2.5.5.10
    Value:    <Binary>
    
Operation:
    Type:    Value Deleted
    Correlation ID:    {deleted for security}
    Application Correlation ID:    -

February 17th, 2012 9:54pm

Welcome to the party! :-)

  • Is this client a DHCP client, or a statically configured client?
  • Or is it a static record?
  • Is scavenging configured on this one machine?
  • Is there another machine out there with the same name?

I don't think it's WINS, or it would suffix the WINS zone name.

Ace

February 18th, 2012 6:38am

We have seen it with both static and DHCP servers.  I have recently changed the DHCP setting that dynamically updates DNS from "always update DNS and PTR records" to "dynamically update only if requested by client".  Since I have done that it seems like things are working better.  It also could be the bazillion other changes we have made in the last two weeks.  I am keeping my fingers crossed.

To answer the other questions:

- Scavenging is on and set to the defaults of 7 days, 7 days, 7 days.

- There is no other machine with the same name(s).  we have seen the issue and most of the servers that have IPv6 enabled on them - so about ten machines total and have seen it on a couple Windows 7 machines.

I will follow up during the week with more information.

Thanks,

Pete

February 19th, 2012 3:42am

I want to follow up on this issue.  It does in fact look like the DHCP setting was the issue.  Since we have changed all of our scopes' DNS setting to "dynamically update only if requested by client" instead of "always update DNS and PTR records" things have been rock solid.  I will post again if we run into more issues but it is looking good.
February 20th, 2012 7:56pm

I want to follow up on this issue.  It does in fact look like the DHCP setting was the issue.  Since we have changed all of our scopes' DNS setting to "dynamically update only if requested by client" instead of "always update DNS and PTR records" things have been rock solid.  I will post again if we run into more issues but it is looking good.

Good to hear. You may want to review the following for more specifics on these settings to understand how they work and why. Also take note of using credentials instead of the DnsUpdateProxy group.

.

DHCP Service Configuration, Dynamic DNS Updates, Scavenging, Static Entries, Timestamps, DnsUpdateProxy Group, DHCP Credentials, prevent duplicate DNS records, DHCP has a "pen" icon, and more...
http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx  

.

Ace

February 21st, 2012 4:48am

Peter,

I am only having the problem with a few servers that have static IP addresses assigned. So the servers that obtain their IP addresses from DHCP have been fine, what about the servers that are statically assigned? In the post from February 19 you said that "[w]e have seen it with both static and DHCP servers." How did the static ones get fixed?

Thanks,

David

October 15th, 2014 7:44pm

For anyone still interested in this problem... Here is my own answer.

First of all, I still found this problem recently. On domain controllers, Windows 2008 R2, which have been running smooth for almost two years. My own environment contains (on a usual basis) around 200 DCs (covering >20 domains in a forest), all Windows Core to ease things. Yes, quite a good looking one!

Really disturbing. A few days ago, I discovered five of my DCs suddenly disappeared: no more DNS resolution. I register a domain controller (IPCONFIG /REGISTERDNS), checked for its record (NSLOOKUP %COMPUTERNAME% DnsServer) and saw it resolved OK. On the morrow, it had disappeared.

Having some time lately, I decided to find an answer suiting me before my 5 DCs become stale because of replication failures above tombstone lifetime. I took one of my DCs under the magnifying glass.

1) network monitor, capture settings "tcp.Port==53 || udp.port==53": I can see registering the DC is OK. Some five minutes later it has disappeared. Almost at the same time, the monitor shows DNS/TCP activity (but contents of this DNS/TCP activity is encrypted, since secure updates only are allowed).

2) ADFIND -b DC=%COMPUTERNAME%,DC=domain_FQDN,DC=DomainDnsZones,DC=the_domain_NC -s base: shows the record still exists and has been DNS tombstoned (yes, attribute of the same name - dNSTombstoned - exists)

3) REPADMIN /SHOWOBJMETA * DC=%COMPUTERNAME%,DC=domain_FQDN,DC=DomainDnsZones,DC=the_domain_NC confirms the author of the change: dNSTombstoned attribute change originated from the DC itself, even though the DC is not its own DNS server (the PDC of its domain is).

4) IPCONFIG /ALL: ouch, 2 network cards online, one connected with the missing IP address, the other APIPA configured.

Tilt! Idea!

NETSH INTERFACE SET INTERFACE "second_network_card" ADMIN=DISABLED & IPCONFIG /REGISTERDNS

=> no more disappearance!

I suspect a bug in DHCP client (which is responsible for DNS registration) in some specific cases: 2 network cards, one of which not statically configured but connected with no DHCP server available. At least in my situation.

My five DCs were configured the same. Same solution. All are now available.

Hope it may help!

March 28th, 2015 4:43pm
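A check for the configuration described in the post above (a connected adapter holding the real address plus a second connected adapter that fell back to APIPA), written as an added example that is not part of the original thread. It parses saved `ipconfig /all` output; the sample text, host name and adapter names are constructed, and the field labels assume the English Windows Server 2008 output format.

```python
import ipaddress
import re

ADAPTER_RE = re.compile(r"^(?P<name>\S.*adapter .+):\s*$")
FIELD_RE = re.compile(r"^\s+(?P<key>[^:]+?)[\s.]*:\s*(?P<value>.*)$")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_ipconfig(text):
    """Return {adapter name: {field label: value}} from `ipconfig /all` text."""
    adapters, current = {}, None
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current = adapters.setdefault(header.group("name"), {})
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:   # ignore the global section
            current[field.group("key")] = field.group("value").strip()
    return adapters


def classify(adapters):
    """Split connected adapters into routable and APIPA (169.254.0.0/16)."""
    routable, apipa = [], []
    for name, fields in adapters.items():
        if "disconnected" in fields.get("Media State", "").lower():
            continue                        # unplugged NICs and idle tunnels
        for key, value in fields.items():
            # Matches both "IPv4 Address" and "Autoconfiguration IPv4 Address".
            if "IPv4 Address" not in key:
                continue
            found = IPV4_RE.search(value)   # strips the "(Preferred)" suffix
            if not found:
                continue
            try:
                ip = ipaddress.ip_address(found.group())
            except ValueError:
                continue
            (apipa if ip.is_link_local else routable).append((name, str(ip)))
    return {"routable": routable, "apipa": apipa,
            # True when the host looks like the DCs described in the post.
            "matches_post": bool(routable) and bool(apipa)}


# Constructed `ipconfig /all` output; names and addresses are placeholders.
SAMPLE = """
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DC-TEST

Ethernet adapter LAN1:

   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 10.0.0.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   DNS Servers . . . . . . . . . . . : 10.0.0.5

Ethernet adapter LAN2:

   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration IPv4 Address. . : 169.254.12.34(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0

Tunnel adapter isatap.example:

   Media State . . . . . . . . . . . : Media disconnected
"""

if __name__ == "__main__":
    result = classify(parse_ipconfig(SAMPLE))
    print("routable:", result["routable"])
    print("apipa:   ", result["apipa"])
    print("matches the configuration from the post:", result["matches_post"])
```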

This topic is archived. No further replies will be accepted.
