Disappearing host records in AD integrated DNS
dss37 asked:
Hello,
I need some help with troubleshooting this issue.
We are running two W2k3 AD integrated DNS servers. A couple of days ago I noticed that some host records disappeared from the forward lookup zone, but the PTR records are still available for those nodes. I tried to add the host records manually, and after they replicated to the other server 15 minutes later, those host records disappeared. There is nothing showing up in Event Viewer. I also enabled debugging. The debugging log is displaying different DNS queries and no information about host records.
Scavenging is not enabled.
Is there any additional logging that I can enable so that I can see what is going on with those host records and the DNS server?
Thank you.
Are the records for clients with static IP addresses or for clients using DHCP?
If using DHCP, does DHCP update DNS?
If DHCP updates DNS, does it use specific credentials to do that?
Chris
ASKER
Actually, those records are for servers with static IP address configuration. So far I have not had any issues with DDNS updates. Those records are for servers which do not support DDNS.
Thanks.
You might consider enabling Auditing on those records (you'll have to enable it in Group Policy as well) to see which security principal is issuing the delete request?
Chris
ASKER
Chris,
Thank you for the information. I will enable Auditing on our DNS.
ASKER
Chris,
I enabled DNS auditing and attempted to add a host record for one of the servers; here is the output from the Event log:
This is what I got when I created that host record.
Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 3/26/2009
Time: 9:30:42 PM
User: DOMAIN\user
Computer: MCDONNELL
Description:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: dnsNode
Object Name: DC=BLADE01ILO,DC=Domain,CN=MicrosoftDNS,DC=DomainDnsZones,DC=Domain,DC=com
Handle ID: -
Primary User Name: MCDONNELL$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: user
Client Domain: DOMAIN
Client Logon ID: (0x0,0x678408F)
Accesses: Write Property
Properties:
Write Property
Default property set
dnsRecord
dNSTombstoned
dnsNode
Additional Info:
Additional Info2:
Access Mask: 0x20
A few minutes later that record disappeared from the DNS zone and I received this message:
Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 3/26/2009
Time: 9:32:48 PM
User: NT AUTHORITY\SYSTEM
Computer: MCDONNELL
Description:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: dnsNode
Object Name: DC=BLADE01ILO,DC=Domain,CN=MicrosoftDNS,DC=DomainDnsZones,DC=Domain,DC=com
Handle ID: -
Primary User Name: MCDONNELL$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: MCDONNELL$
Client Domain: DOMAIN
Client Logon ID: (0x0,0xAF22650)
Accesses: Write Property
Properties:
Write Property
Default property set
dnsRecord
dNSTombstoned
dnsNode
Additional Info:
Additional Info2:
Access Mask: 0x20
My question is: why do both of these records look identical? Why is the first message displaying the dNSTombstoned Write Property?
Thank you.
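Added example, not part of the thread: a small Python check over a saved Security-log export that correlates the two Event ID 566 entries quoted above, flagging a dnsNode that a machine account (the DC's own MCDONNELL$ here) rewrote with dNSTombstoned shortly after an ordinary user wrote it. The sample events are constructed from the post and trimmed to the fields the check needs; a real export carries more fields, which the parser simply keeps as extra keys.

```python
import re
from datetime import datetime

# Constructed sample: the two Event ID 566 entries quoted in the thread, cut down to
# the fields this check needs (MCDONNELL$ and BLADE01ILO are the post's placeholders).
SAMPLE_EVENTS = """\
Date: 3/26/2009
Time: 9:30:42 PM
Object Name: DC=BLADE01ILO,DC=Domain,CN=MicrosoftDNS,DC=DomainDnsZones,DC=Domain,DC=com
Client User Name: user
dNSTombstoned

Date: 3/26/2009
Time: 9:32:48 PM
Object Name: DC=BLADE01ILO,DC=Domain,CN=MicrosoftDNS,DC=DomainDnsZones,DC=Domain,DC=com
Client User Name: MCDONNELL$
dNSTombstoned
"""
FIELD = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")

def parse_events(text):
    """Blank-line-separated events: 'Key: value' lines become fields, bare lines
    (the attribute names listed under 'Properties') are the written properties."""
    events = []
    for chunk in text.strip().split("\n\n"):
        lines = chunk.splitlines()
        ev = dict(FIELD.match(l).groups() for l in lines if FIELD.match(l))
        ev["properties"] = [l.strip() for l in lines if not FIELD.match(l) and l.strip()]
        ev["when"] = datetime.strptime(ev["Date"] + " " + ev["Time"], "%m/%d/%Y %I:%M:%S %p")
        events.append(ev)
    return events

def machine_rewrites_after_user(events, window_seconds=900):
    """Flag a dnsNode that a machine account (name ends in '$') rewrote with
    dNSTombstoned among the written attributes within window_seconds of a write to
    the same node by an ordinary user: the pattern the thread saw for vanishing records.
    Returns [(object_name, user, machine_account, seconds_between), ...]."""
    flagged, by_node = [], {}
    for ev in sorted(events, key=lambda e: e["when"]):
        by_node.setdefault(ev["Object Name"], []).append(ev)
    for node, evs in by_node.items():
        for i, ev in enumerate(evs):
            who = ev.get("Client User Name", "")
            if not who.endswith("$") or "dNSTombstoned" not in ev["properties"]:
                continue
            for prev in evs[:i]:
                pwho, gap = prev.get("Client User Name", ""), ev["when"] - prev["when"]
                if not pwho.endswith("$") and gap.total_seconds() <= window_seconds:
                    flagged.append((node, pwho, who, int(gap.total_seconds())))
    return flagged
```

Run it over the export of every DC that hosts the zone; a hit names the node and the account that rewrote it, which is the starting point for the lingering-object and conflict checks that follow in the thread.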
ASKER
Chris,
In this example I tried to create a record for a desktop system; it looks different, and this record did not disappear from DNS.
This is the first message after the host record is created:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: dnsZone
Object Name: DC=Domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=Domain,DC=com
Handle ID: -
Primary User Name: MCDONNELL$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: user
Client Domain: DOMAIN
Client Logon ID: (0x0,0x678408F)
Accesses: Create Child
Properties:
Create Child
dnsNode
Additional Info: DC=it-user-ubuntu,DC=Domain.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=Domain,DC=com
Additional Info2: DC=it-user-ubuntu,DC=Domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=Domain,DC=com
Access Mask: 0x1
Second message:
Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 3/26/2009
Time: 9:59:02 PM
User: DOMAIN\user
Computer: MCDONNELL
Description:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: dnsNode
Object Name: DC=74,DC=4.1.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=Domain,DC=com
Handle ID: -
Primary User Name: MCDONNELL$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: user
Client Domain: DOMAIN
Client Logon ID: (0x0,0x678408F)
Accesses: Write Property
Properties:
Write Property
Default property set
dnsRecord
dNSTombstoned
dnsNode
Additional Info:
Additional Info2:
Access Mask: 0x20
Thank you.
ASKER
Hi Chris,
This is the output of the repadmin command, and it shows 0 objects. Should I still run repadmin without the Advisory_Mode option?
Thanks,
Event Type: Information
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1938
Date: 3/27/2009
Time: 8:04:08 PM
User: DOMAIN\user
Computer: Server
Description:
Active Directory has begun the verification of lingering objects in advisory mode on the local domain controller. All objects on this domain controller will have their existence verified on the following source domain controller.
Source domain controller:
d1f37c2b-8f07-44da-bc87-d8d8c936240e._msdcs.Domain.com
Objects that have been deleted and garbage collected on the source domain controller yet still exist on this domain controller will be listed in subsequent event log entries. To permanently delete the lingering objects, restart this procedure without using the advisory mode option.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Information
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1942
Date: 3/27/2009
Time: 8:04:08 PM
User: DOMAIN\user
Computer: Server
Description:
Active Directory has completed the verification of lingering objects on the local domain controller in advisory mode. All objects on this domain controller have had their existence verified on the following source domain controller.
Source domain controller:
d1f37c2b-8f07-44da-bc87-d8d8c936240e._msdcs.Domain.com
Number of objects examined and verified:
0
Objects that have been deleted and garbage collected on the source domain controller yet still exist on this domain controller have been listed in past event log entries. To permanently delete the lingering objects, restart this procedure without using the advisory mode option.
ASKER
Any more suggestions, recommendations?
If there are no Lingering Objects it would be a good idea to check for Conflicting Objects. You should be able to use ADSIEdit for this.
Open up ADSIEdit.msc (part of the Support Tools), then you'll need to right click and select "Connect To". You will need to enter a specific Distinguished Name (or Naming Context) for the connection, it should be "DC=DomainDNSZones,DC=Doma
Once that's loaded, drill down to the zone past "MicrosoftDNS" and look for any objects with CNF:<GUID> in the name.
Chris
ASKER
Chris,
I created a test domain by moving three DCs and DNS servers from our domain into an isolated network. The only thing I did is that I removed 2 GCs and one DNS server from the test domain. After the DCs completed replicating and there were no more errors in Event Viewer, I ran the repadmin /RemoveLingeringObjects command and it is still reporting 0 objects in Event Viewer. Just for testing I ran repadmin without AdvisoryMode. Later I added a few records to the DNS forward zone and the records were no longer disappearing. I opened ADSIEdit and looked at the DNS zone and there were no dead or nonexistent records. For example, if a record for server1.domain.com is in DNS, it was also showing in ADSIEdit. I compared the ADSIEdit results with our production domain, and in the production domain there are a lot of records showing in ADSIEdit when they are no longer available in DNS. I am still testing and comparing information between my test and production environments.
Thanks
ASKER
Hi Chris,
Thank you for your help with this issue. I was able to resolve this problem by running
repadmin /RemoveLingeringObjects DC=DomainDNSZones,DC=Domain,DC=com
on all of our DNS servers. Even when I ran this command in Advisory mode it was reporting 0 records. After I ran repadmin /RemoveLingeringObjects, the missing DNS records repopulated the forward lookup zone in our domain without any intervention on my part.
Thank you.
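Added example, not from the thread: the comparison the asker did by hand in ADSIEdit, and Chris's CNF:<GUID> check, as a Python function over two DCs' listings of the dnsNode objects under one zone. The listings are constructed ({distinguishedName: dNSTombstoned}); the zone DN reuses the thread's placeholder names and the CNF: GUID is an all-zero placeholder, not a real value.

```python
# Constructed ADSIEdit-style listings of the dnsNode objects under one zone on two DCs,
# as {distinguishedName: dNSTombstoned}. Zone DN follows the thread's placeholders;
# the CNF: GUID is an all-zero placeholder, not a real value.
ZONE = "DC=Domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=Domain,DC=com"
DC1 = {
    "DC=server1," + ZONE: False,
    "DC=blade01ilo," + ZONE: True,    # tombstoned (deleted) on this DC ...
    "DC=oldhost," + ZONE: True,       # present only on this DC
}
DC2 = {
    "DC=server1," + ZONE: False,
    "DC=blade01ilo," + ZONE: False,   # ... but still live on the other DC
    "DC=server2\\0ACNF:00000000-0000-0000-0000-000000000000," + ZONE: False,
}

def conflict_objects(nodes):
    """Objects AD renamed after a replication collision: 'CNF:<GUID>' in the name."""
    return sorted(dn for dn in nodes if "CNF:" in dn)

def compare_zone(dc_a, dc_b):
    """Divergences between two DCs' copies of one zone:
       only_a / only_b: nodes one DC has and the other lacks (lingering-object candidates);
       state_mismatch: same node, dNSTombstoned differs (deleted on one DC, live on the other),
                       which is the state in which a record vanishes once replication runs;
       tombstoned: nodes both DCs keep in AD but DNS no longer serves (dNSTombstoned TRUE);
       conflicts: CNF: objects on either DC."""
    a, b = set(dc_a), set(dc_b)
    return {
        "only_a": sorted(a - b),
        "only_b": sorted(b - a),
        "state_mismatch": sorted(dn for dn in a & b if dc_a[dn] != dc_b[dn]),
        "tombstoned": sorted(dn for dn in a & b if dc_a[dn] and dc_b[dn]),
        "conflicts": conflict_objects(a | b),
    }
```

Feed it the real listings exported from each DC (ADSIEdit or an LDAP query against DC=DomainDnsZones,DC=...) and review every non-empty category before deciding whether repadmin /RemoveLingeringObjects is the right fix.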