Question

Disappearing host records in AD integrated DNS

Asked by: dss37

Hello,
I need some help with troubleshooting this issue.
We are running two W2k3 AD integrated DNS servers. A couple of days ago I noticed that some host records disappeared from the forward lookup zone but PTR records are still available for those nodes. I tried to add the host records in manually, and after they replicated to another server 15 minutes later, those host records disappeared. There is nothing showing up in Event Viewer. I also enabled debugging. The debugging log is displaying different DNS queries and no information about host records.
Scavenging is not enabled.

Is there any additional logging that I can enable so that I can see what is going on with those host records and the DNS server?

Thank you.

This Question has been solved and asker verified.

Asked On: 2009-03-25 at 14:32:46 ID: 24265262
Tags: dns, dns loging, host records
Topic: Domain Name Service (DNS)
Participating Experts: 1
Points: 500
Comments: 13

Answers

 

by: dss37 Posted on 2009-03-25 at 22:28:33 ID: 23987520

I ran netdiag and dcdiag on DNS and AD servers.  Passed all of the tests.

 

by: Chris-Dent Posted on 2009-03-26 at 05:10:27 ID: 23989413


Are the records for clients with static IP addresses or for clients using DHCP?

If using DHCP, does DHCP update DNS?

If DHCP updates DNS, does it use specific credentials to do that?

Chris

 

by: dss37 Posted on 2009-03-26 at 07:48:45 ID: 23991001

Actually, those records are for servers with static IP address configuration. So far I have not had any issues with DDNS updates. Those records are for servers which do not support DDNS.

Thanks.

 

by: Chris-Dent Posted on 2009-03-26 at 07:54:01 ID: 23991061


You might consider enabling Auditing on those records (you'll have to enable it in Group Policy as well) to see which security principal is issuing the delete request?

Chris

 

by: dss37 Posted on 2009-03-26 at 08:25:34 ID: 23991466

Chris,
Thank you for the information. I will enable Auditing on our DNS.

 

by: dss37 Posted on 2009-03-26 at 21:06:00 ID: 23997987

Chris,
I enabled DNS Auditing and attempted to add a host record for one of the servers. Here is the output from the Event log:

This is what I got when I created that host record.

Event Type:    Success Audit
Event Source:    Security
Event Category:    Directory Service Access
Event ID:    566
Date:        3/26/2009
Time:        9:30:42 PM
User:        DOMAIN\user
Computer:    MCDONNELL
Description:
Object Operation:
    Object Server:    DS
    Operation Type:    Object Access
    Object Type:    dnsNode
    Object Name:    DC=BLADE01ILO,DC=Domain,CN=MicrosoftDNS,DC=DomainDnsZones,DC=Domain,DC=com
    Handle ID:    -
    Primary User Name:    MCDONNELL$
    Primary Domain:    DOMAIN
    Primary Logon ID:    (0x0,0x3E7)
    Client User Name:    user
    Client Domain:    DOMAIN
    Client Logon ID:    (0x0,0x678408F)
    Accesses:    Write Property
           
     Properties:
   Write Property
        Default property set
           dnsRecord
           dNSTombstoned
   dnsNode

    Additional Info:    
    Additional Info2:    
    Access Mask:    0x20

A few minutes later that record disappeared from the DNS zone and I received this message:

Event Type:    Success Audit
Event Source:    Security
Event Category:    Directory Service Access
Event ID:    566
Date:        3/26/2009
Time:        9:32:48 PM
User:        NT AUTHORITY\SYSTEM
Computer:    MCDONNELL
Description:
Object Operation:
    Object Server:    DS
    Operation Type:    Object Access
    Object Type:    dnsNode
    Object Name:    DC=BLADE01ILO,DC=Domain,CN=MicrosoftDNS,DC=DomainDnsZones,DC=Domain,DC=com
    Handle ID:    -
    Primary User Name:    MCDONNELL$
    Primary Domain:    DOMAIN
    Primary Logon ID:    (0x0,0x3E7)
    Client User Name:    MCDONNELL$
    Client Domain:    DOMAIN
    Client Logon ID:    (0x0,0xAF22650)
    Accesses:    Write Property
           
     Properties:
   Write Property
        Default property set
           dnsRecord
           dNSTombstoned
   dnsNode

    Additional Info:    
    Additional Info2:    
    Access Mask:    0x20

My question is why do both of these records look identical? Why is the first message displaying the dNSTombstoned Write property?

Thank you.
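The following added example, which is not from the thread or its posters, parses exported Event ID 566 text of the kind quoted in the post above and lists dnsNode objects whose dnsRecord attribute was written by a computer account shortly after a user account wrote it. The sample events, the names admin1, DC01$, HOST01, HOST02 and example.test, and the 15-minute window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample: follows the layout of the Event ID 566 text quoted in
# the thread, trimmed to the fields used here; all names are placeholders.
_TEMPLATE = """Event Type:    Success Audit
Event ID:    566
Date:        3/26/2009
Time:        {time}
    Object Type:    dnsNode
    Object Name:    DC={host},DC=example.test,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=test
    Client User Name:    {user}
    Accesses:    Write Property
     Properties:
   Write Property
           dnsRecord
           dNSTombstoned
"""
SAMPLE = "\n".join(_TEMPLATE.format(time=t, user=u, host=h) for t, u, h in [
    ("9:30:42 PM", "admin1", "HOST01"),  # record added by hand
    ("9:32:48 PM", "DC01$", "HOST01"),   # same object written by a computer account
    ("9:59:02 PM", "admin1", "HOST02"),  # record that is not touched again
])
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*?):[ \t]+(\S.*?)\s*$")

def parse_events(text):
    """Split exported Security-log text into one dict per Event ID 566."""
    events = []
    for block in re.split(r"(?m)^(?=Event Type:)", text):
        fields, props, in_props = {}, [], False
        for line in block.splitlines():
            stripped, m = line.strip(), FIELD.match(line)
            if m:
                fields[m.group(1)], in_props = m.group(2), False
            elif not stripped or stripped.endswith(":"):
                in_props = stripped == "Properties:"  # blank line or value-less header
            elif in_props:
                props.append(stripped)
        if fields.get("Event ID") == "566":
            stamp = fields["Date"] + " " + fields["Time"]
            when = datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p")
            events.append({**fields, "when": when, "props": props})
    return events

def machine_rewrites(events, window=timedelta(minutes=15)):
    """List (object, user, computer account, delay) where an account ending in
    '$' wrote dnsRecord on a dnsNode within `window` (assumed) of a user write."""
    hits, last_user_write = [], {}
    for ev in sorted(events, key=lambda e: e["when"]):
        if ev.get("Object Type") != "dnsNode" or "dnsRecord" not in ev["props"]:
            continue
        name, who = ev["Object Name"], ev["Client User Name"]
        if not who.endswith("$"):
            last_user_write[name] = (who, ev["when"])
        elif name in last_user_write:
            user, t0 = last_user_write[name]
            if ev["when"] - t0 <= window:
                hits.append((name, user, who, ev["when"] - t0))
    return hits
```

Calling `machine_rewrites(parse_events(text))` on text copied from the Security log returns one tuple per record that a computer account touched after a manual edit, which narrows down which objects to compare in ADSIEdit.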




 

by: dss37 Posted on 2009-03-26 at 21:32:13 ID: 23998071

Chris,
In this example I tried to create a record for a desktop system and it looks different and also this record did not disappear from DNS.

This is the first message after the host record is created:

Object Operation:
    Object Server:    DS
    Operation Type:    Object Access
    Object Type:    dnsZone
    Object Name:    DC=Domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=Domain,DC=com
    Handle ID:    -
    Primary User Name:    MCDONNELL$
    Primary Domain:    DOMAIN
    Primary Logon ID:    (0x0,0x3E7)
    Client User Name:    user
    Client Domain:    DOMAIN
    Client Logon ID:    (0x0,0x678408F)
    Accesses:    Create Child
           
     Properties:
   Create Child
    dnsNode

    Additional Info:    DC=it-user-ubuntu,DC=Domain.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=Domain,DC=com
    Additional Info2:    DC=it-user-ubuntu,DC=Domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=Domain,DC=com
    Access Mask:    0x1

Second Message

Event Type:    Success Audit
Event Source:    Security
Event Category:    Directory Service Access
Event ID:    566
Date:        3/26/2009
Time:        9:59:02 PM
User:        DOMAIN\user
Computer:    MCDONNELL
Description:
Object Operation:
    Object Server:    DS
    Operation Type:    Object Access
    Object Type:    dnsNode
    Object Name:    DC=74,DC=4.1.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=Domain,DC=com
    Handle ID:    -
    Primary User Name:    MCDONNELL$
    Primary Domain:    DOMAIN
    Primary Logon ID:    (0x0,0x3E7)
    Client User Name:    user
    Client Domain:    DOMAIN
    Client Logon ID:    (0x0,0x678408F)
    Accesses:    Write Property
           
     Properties:
   Write Property
        Default property set
           dnsRecord
           dNSTombstoned
   dnsNode

    Additional Info:    
    Additional Info2:    
    Access Mask:    0x20


Thank you.


 

by: Chris-Dent Posted on 2009-03-27 at 02:34:35 ID: 23999146


Okay, we have a few things we need to check for then. The first is Lingering Objects. Please run:

repadmin /RemoveLingeringObjects <DCName> <DCGUID> DC=DomainDNSZones,DC=Domain,DC=com /Advisory_Mode

It should report any instances in the Event Log in the Directory Service log as Event ID 1942. If it does find any feel free to delete them by using the same command without the /Advisory_Mode option.

You can see the DCGUID if you run:

repadmin /ShowReps

You'll have to scroll up to the top of the output for that one; that is required for the command at the top.

Chris

 

by: dss37 Posted on 2009-03-27 at 17:37:22 ID: 24006597

Hi Chris,
This is the output of the repadmin command and it shows 0 objects. Should I still run repadmin without the Advisory_Mode option?
Thanks,

Event Type:    Information
Event Source:    NTDS Replication
Event Category:    Replication
Event ID:    1938
Date:        3/27/2009
Time:        8:04:08 PM
User:        DOMAIN\user
Computer:    Server
Description:
Active Directory has begun the verification of lingering objects in advisory mode on the local domain controller. All objects on this domain controller will have their existence verified on the following source domain controller.  

Source domain controller:
d1f37c2b-8f07-44da-bc87-d8d8c936240e._msdcs.Domain.com  

Objects that have been deleted and garbage collected on the source domain controller yet still exist on this domain controller will be listed in subsequent event log entries. To permanently delete the lingering objects, restart this procedure without using the advisory mode option.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Event Type:    Information
Event Source:    NTDS Replication
Event Category:    Replication
Event ID:    1942
Date:        3/27/2009
Time:        8:04:08 PM
User:        DOMAIN\user
Computer:    Server
Description:
Active Directory has completed the verification of lingering objects on the local domain controller in advisory mode. All objects on this domain controller have had their existence verified on the following source domain controller.  

Source domain controller:
d1f37c2b-8f07-44da-bc87-d8d8c936240e._msdcs.Domain.com
Number of objects examined and verified:
0  

Objects that have been deleted and garbage collected on the source domain controller yet still exist on this domain controller have been listed in past event log entries. To permanently delete the lingering objects, restart this procedure without using the advisory mode option.

 

by: dss37 Posted on 2009-03-31 at 05:51:10 ID: 24028288

Any more suggestions, recommendations?

 

by: Chris-Dent Posted on 2009-04-01 at 02:51:22 ID: 24037396


If there are no Lingering Objects it would be a good idea to check for Conflicting Objects. You should be able to use ADSIEdit for this.

Open up ADSIEdit.msc (part of the Support Tools), then you'll need to right click and select "Connect To". You will need to enter a specific Distinguished Name (or Naming Context) for the connection, it should be "DC=DomainDNSZones,DC=Domain,DC=com".

Once that's loaded, drill down to the zone past "MicrosoftDNS" and look for any objects with CNF:<GUID> in the name.

Chris

 

by: dss37 Posted on 2009-04-09 at 22:31:19 ID: 24113526

Chris,
I created a test domain by moving three DCs and DNS servers from our domain into an isolated network. The only thing I did is that I removed 2 GCs and one DNS server from the test domain. After the DC completed replicating and there were no more errors in Event Viewer, I ran the repadmin /RemoveLingeringObjects command and it was still reporting 0 objects in Event Viewer. Just for testing I ran repadmin without AdvisoryMode. Later I added a few records to the DNS forward zone and the records were no longer disappearing. I opened ADSIEDIT and looked at the DNS zone and there were no dead or nonexistent records. For example, if a record for server1.domain.com is in DNS it was also showing in ADSIEDIT. I compared the ADSIEDIT results with our production domain, and in the production domain there are a lot of records showing in ADSIEdit when they are no longer available in DNS. I am still testing and comparing information between my test and production environments.

Thanks

 

by: dss37 Posted on 2009-04-22 at 06:32:15 ID: 24204573

Hi Chris,
Thank you for your help with this issue.  I was able to resolve this problem by running

repadmin /RemoveLingeringObjects <DCName> <DCGUID> DC=DomainDNSZones,DC=Domain,DC=com

On all of our DNS servers even when I ran this command in Advisory mode it was reporting 0 records. After I ran repadmin /RemoveLingeringObjects, the missing DNS records repopulated the forward lookup zone in our domain without any intervention on my part.

Thank you.
