
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1111

Cannot delete DNS TXT record in AD-integrated domain

We have an Active Directory-integrated domain to which we had previously added a TXT record to contain our SPF string.  No problems at all.

We then changed our public IP addresses and needed a new SPF string. I created a new TXT record with the new SPF string and then deleted the old TXT record. All seemed fine.

We then started detecting random problems with remote servers rejecting our mail because our server's (new) IP address didn't match the SPF string the remote server was using.  That is when we detected the presence of two TXT records in the domain.

Long story short - I cannot delete the old TXT record. I click on the record in the DNS management console, right-click and select delete. I confirm that I do want to delete. The main window at the right updates to reflect the deletion (now only 1 [new] SPF TXT record present). I close the DNS management tool thinking I'm done.

Next time I open the tool I have 2 records again and the zone serial number has NOT changed.

I've tried updating the content of the first TXT record with the new SPF string.  Again it appears to work (screen updates, displaying two records with the same contents) but same story - the next time I open the DNS management tool (or perform a NSLOOKUP) I get one old and one new TXT record.

I've tried pausing DNS on both DCs before deleting the records and then restarting after the deletion.  Same story.

If I manually add (for example) an A record to this domain I can later delete it with no problem.  This appears to be something to do with TXT records.

If this were a non-AD zone I would consider editing the .dns file directly.  Unfortunately there is no .dns file with an AD-integrated zone.

Any suggestions on how to (really) get rid of this old TXT record once and for all?

Robert Hall
1 Solution
Chris Dent, PowerShell Developer, commented:

Hi Rob,

You might want to try ADSIEdit.msc.

If it's a Windows 2000 Domain you'll find the information under the Domain object, then System and MicrosoftDNS. Under there are the zones, and beneath that the records as objects.

For Windows 2003 you'll need to connect to a non-default context, do you need instructions for that? I'm assuming you're on 2000 with the tag.

Robert Hall, IT Manager (Author), commented:

Your suggestion seems to be pointing me in the right direction.  I hope you can provide just a bit more guidance.

Using ADSI Edit I navigated to:

Domain[servername] \ [CN=System] \ [CN=MicrosoftDNS] \ [DC=mydomain.com]

After much head scratching and general poking around I found that [DC=@] has an attribute, NSRecord, which contains 27 different HEX octet strings.

15 of those values begin with: 0x04.  Those values decode from HEX to text as garbage characters.

6 of those values begin with: 0x17.  5 of those values decode to the domain's five name servers.  The sixth decodes to the domain's MX record with the lowest priority (priority: 10)

(There are 4 MX records defined for the domain)

One 0x18: MX record with highest priority value (40).

Two 0x19: the remaining two MX records (priorities 20 & 30)

One 0x42: the domain's SOA

One 0x8A: the NEW TXT string (I want to keep this one)

One 0xA1: the OLD TXT string (the one I want to delete)


Do I merely delete the 0xA1 record (Remove button in ADSI Edit's Multi-Valued Octet String Editor)?

Any benefit to deleting both the 0x8A and 0xA1 records and add a new TXT record with the correct SPF value?

Do I need to restart [servername] at any point(s) along the way? Is using Reload within DNS Management (after deleting records) enough to force a read of AD from [servername] and refresh the DNS zone? I'll force a serial number increment if needed to propagate the updated zone file.

The points are definitely yours. I just want to avoid killing our AD and/or DNS by doing something I shouldn't. If it is possible I would like to avoid having to restart the machine, but if it's better to do so I will.

Chris Dent, PowerShell Developer, commented:

Yep, you'd only need to delete the old TXT entry. If it's not properly clearing from there on deletion in the GUI it'll just reappear when the zone reloads.

No restarts are necessary, although they don't hurt. A reload should force it to display the value from the directory.

If you have any concerns about the process you should create a backup of the zone; dnscmd can do that for you, although I'll have to pop back with instructions a little later on, rebuilding things at the moment :)

Incrementing the serials is not really necessary unless you have secondary DNS servers for the zone; AD replicates changes as single records based on the changes there.
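Added example, not code from this thread or from Microsoft: a small Python decoder for the octet-string values AD stores on a DNS node, assuming the MS-DNSP DNS_RPC_RECORD layout (a 24-byte header of DataLength, Type, Version, Rank, Flags, Serial, a big-endian TTL, Reserved and TimeStamp, then the record data). It shows why the values appear to "begin with" 0x04, 0x8A, 0xA1 and so on: that leading byte is the low byte of DataLength (4 for an A record's address bytes, the string length plus one for a short TXT record), not a type code, so decoding each value before removing it is the safe way to confirm which one is the stale SPF string. The sample values, SPF strings and helper names are constructed for this example.

```python
import struct
from typing import Dict, List

TYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 15: "MX", 16: "TXT"}

def make_record(rtype: int, data: bytes, serial: int = 1, ttl: int = 3600) -> bytes:
    """Build a constructed dnsRecord value: 24-byte header followed by the record data."""
    # DataLength, Type, Version (5), Rank (240 = zone authority), Flags, Serial: little-endian
    head = struct.pack("<HHBBHI", len(data), rtype, 5, 240, 0, serial)
    head += struct.pack(">I", ttl)              # TtlSeconds is stored big-endian
    head += struct.pack("<II", 0, 0)            # Reserved, TimeStamp
    return head + data

def encode_txt(text: str) -> bytes:
    """TXT data: one or more strings, each prefixed with a 1-byte length (max 255)."""
    chunks = [text[i:i + 255] for i in range(0, len(text), 255)]
    return b"".join(bytes([len(c)]) + c.encode("ascii") for c in chunks)

def parse_record(blob: bytes) -> Dict[str, object]:
    """Decode one octet-string value. The first byte is the low byte of DataLength, not a type."""
    data_len, rtype, _ver, _rank, _flags, serial = struct.unpack_from("<HHBBHI", blob, 0)
    ttl = struct.unpack_from(">I", blob, 12)[0]
    data = blob[24:24 + data_len]
    if len(data) != data_len:
        raise ValueError("truncated dnsRecord value")
    rec = {"type": TYPE_NAMES.get(rtype, rtype), "serial": serial, "ttl": ttl, "lead_byte": blob[0]}
    if rtype == 1:                              # A: four raw address bytes, so DataLength == 4
        rec["value"] = ".".join(str(b) for b in data)
    elif rtype == 16:                           # TXT: walk the length-prefixed strings
        parts, pos = [], 0
        while pos < len(data):
            n = data[pos]; parts.append(data[pos + 1:pos + 1 + n].decode("ascii")); pos += 1 + n
        rec["value"] = "".join(parts)
    else:                                       # NS/MX/SOA use count-name encodings; left raw here
        rec["value"] = data.hex()
    return rec

def stale_txt_values(values: List[bytes], keep: str) -> List[str]:
    """List the TXT strings stored on a node other than the one that should remain."""
    recs = [parse_record(v) for v in values]
    return [str(r["value"]) for r in recs if r["type"] == "TXT" and r["value"] != keep]

# Constructed sample node: one A record plus the old and new SPF strings (documentation addresses).
OLD_SPF = "v=spf1 ip4:192.0.2.0/24 -all"
NEW_SPF = "v=spf1 ip4:198.51.100.0/24 -all"
SAMPLE = [make_record(1, bytes([192, 0, 2, 10])),
          make_record(16, encode_txt(OLD_SPF), serial=3),
          make_record(16, encode_txt(NEW_SPF), serial=7)]
```

Against a real zone, export the node's octet-string values from ADSI Edit and feed them to `parse_record`; `stale_txt_values(values, NEW_SPF)` then names exactly the value to remove.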
