Cannot delete DNS TXT record in AD-integrated domain

Posted on 2007-08-09
Last Modified: 2013-11-05
We have an Active Directory-integrated domain to which we had previously added a TXT record to contain our SPF string.  No problems at all.

We then changed our public IP addresses and needed a new SPF string.  I created a new TXT record with the new SPF string and then deleted the old TXT record.  All seemed fine.  

We then started detecting random problems with remote servers rejecting our mail because our server's (new) IP address didn't match the SPF string the remote server was using.  That is when we detected the presence of two TXT records in the domain.

Long story short - I cannot delete the old TXT record.  I click on the record in the DNS management console, right-click and select delete.  I confirm that I do want to delete.  The main window at the right updates to reflect the deletion (now only 1 [new] SPF TXT record present).  I close the DNS management tool thinking I'm done.  

Next time I open the tool I have 2 records again and the zone serial number has NOT changed.

I've tried updating the content of the first TXT record with the new SPF string.  Again it appears to work (screen updates, displaying two records with the same contents) but same story - the next time I open the DNS management tool (or perform a NSLOOKUP) I get one old and one new TXT record.

I've tried pausing DNS on both DCs before deleting the records and then restarting after the deletion.  Same story.

If I manually add (for example) an A record to this domain I can later delete it with no problem.  This appears to be something to do with TXT records.

If this were a non-AD zone I would consider editing the .dns file directly.  Unfortunately there is no .dns file with an AD-integrated zone.

Any suggestions on how to (really) get rid of this old TXT record once and for all?

Question by:Robert Hall
    LVL 70

    Expert Comment

    by:Chris Dent

    Hi Rob,

    You might want to try ADSIEdit.msc.

    If it's a Windows 2000 Domain you'll find the information under the Domain object, then System and MicrosoftDNS. Under there are the zones, and beneath that the records as objects.

    For Windows 2003 you'll need to connect to a non-default context, do you need instructions for that? I'm assuming you're on 2000 with the tag.

    LVL 1

    Author Comment

    by:Robert Hall

    Your suggestion seems to be pointing me in the right direction.  I hope you can provide just a bit more guidance.

    Using ADSI Edit I navigated to:

    Domain[servername] \ [CN=System] \ [CN=MicrosoftDNS] \ []

    After much head scratching and general poking around I found that [DC=@] has an attribute, NSRecord, which contains 27 different HEX octet strings.

    15 of those values begin with: 0x04.  Those values decode from HEX to text as garbage characters.

    6 of those values begin with: 0x17.  5 of those values decode to the domain's five name servers.  The sixth decodes to the domain's MX record with the lowest priority (priority: 10)

    (There are 4 MX records defined for the domain)

    One 0x18: MX record with highest priority value (40).

    Two 0x19: the remaining two MX records (priorities 20 & 30)

    One 0x42: the domain's SOA

    One 0x8A: the NEW TXT string (I want to keep this one)

    One 0xA1: the OLD TXT string (the one I want to delete)


    Do I merely delete the 0xA1 record (Remove button in ADSI Edits Multi-Valued Octet String Editor)?  

    Any benefit to deleting both the 0x8A and 0xA1 records and add a new TXT record with the correct SPF value?

    Do I need to restart [servername] at any point(s) along the way?  Is using Reload within DNS Management (after deleting records) enough to force a read of AD from [servername] and refresh the DNS zone?  I'll force a serial number increment if needed to propagate the updated zone file.

    The points are definitely yours.  I just want to avoid killing our AD and/or DNS by doing something I shouldn't. If it is possible I would like to avoid having to restart the machine, but if it's better to do so I will.
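The octet strings listed above are the zone's dnsRecord values, and MS-DNSP documents their layout: a two-byte little-endian data length comes first, then the two-byte record type, 24 bytes of header in all, followed by the type-specific data (a TXT value is a run of length-prefixed strings). The following is an added example, not code from this thread, that decodes such values and flags every TXT entry carrying an SPF policy so the stale one can be identified before it is removed; the sample values are constructed here and the helper names are my own.

```python
import struct

DNS_TYPE_A, DNS_TYPE_TXT = 0x0001, 0x0010   # RFC 1035 type codes
HEADER_LEN = 24                              # fixed DNS_RPC_RECORD header (MS-DNSP)

def parse_dns_record(blob):
    """Decode one dnsRecord octet string (MS-DNSP DNS_RPC_RECORD).
    Header: DataLength(2 LE) Type(2 LE) Version(1) Rank(1) Flags(2) Serial(4 LE)
    TtlSeconds(4 BE) Reserved(4) TimeStamp(4), then DataLength bytes of data, so
    the leading byte ADSI Edit shows is the low byte of the data length, not a type."""
    if len(blob) < HEADER_LEN:
        raise ValueError("record shorter than the 24-byte header")
    data_len, rtype, _ver, _rank, _flags, serial = struct.unpack_from("<HHBBHI", blob, 0)
    ttl = struct.unpack_from(">I", blob, 12)[0]
    data = blob[HEADER_LEN:HEADER_LEN + data_len]
    if len(data) != data_len:
        raise ValueError("DataLength runs past the end of the octet string")
    rec = {"type": rtype, "serial": serial, "ttl": ttl, "value": data}
    if rtype == DNS_TYPE_A and data_len == 4:
        rec["value"] = ".".join(str(b) for b in data)
    elif rtype == DNS_TYPE_TXT:
        strings, pos = [], 0          # DNS_RPC_RECORD_STRING: (length byte, chars)...
        while pos < data_len:
            n = data[pos]
            strings.append(data[pos + 1:pos + 1 + n].decode("utf-8", "replace"))
            pos += 1 + n
        rec["value"] = strings
    return rec

def build_dns_record(rtype, data, serial=1, ttl=3600):  # inverse of the parser; sample data only
    return (struct.pack("<HHBBHI", len(data), rtype, 5, 0xF0, 0, serial)
            + struct.pack(">I", ttl) + b"\x00" * 8 + data)

def txt_data(*strings):
    return b"".join(bytes([len(s)]) + s.encode() for s in strings)

def find_spf_records(blobs):
    """(index, leading byte, strings) for each TXT value that carries an SPF policy."""
    hits = []
    for i, blob in enumerate(blobs):
        rec = parse_dns_record(blob)
        if rec["type"] == DNS_TYPE_TXT and any(s.startswith("v=spf1") for s in rec["value"]):
            hits.append((i, blob[0], rec["value"]))
    return hits

# Constructed stand-ins for the DC=@ object's multi-valued attribute (not real zone data)
SAMPLE_VALUES = [
    build_dns_record(DNS_TYPE_A, bytes([192, 0, 2, 10])),
    build_dns_record(DNS_TYPE_TXT, txt_data("v=spf1 ip4:198.51.100.0/24 -all")),  # old SPF
    build_dns_record(DNS_TYPE_TXT, txt_data("v=spf1 ip4:203.0.113.0/24 -all")),   # new SPF
]
```

Feed it the raw octet strings exported from ADSI Edit and compare the returned index and leading byte against the entry you intend to remove; the A value's leading byte is 0x04 because its data length is four.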

    LVL 70

    Accepted Solution


    Yep, you'd only need to delete the old TXT entry. If it's not properly clearing from there on deletion in the GUI it'll just reappear when the zone reloads.

    No restarts are necessary, although they don't hurt. A reload should force it to display the value from the directory.

    If you have any concerns about the process you should create a backup of the zone, dnscmd can do that for you, although I'll have to pop back with instructions a little later on, rebuilding things at the moment :)

    Incrementing the Serials is not really necessary unless you have Secondary DNS Servers for the zone, AD replicates changes as single records based on the changes there.

