Chris-Moore


Event ID 566 related to DNS/Tombstone on Windows 2003 R2 PDC

Event ID 566, Failure Audit in the Security event log. I seem to be getting these all the time and cannot figure out what is wrong.

Can anyone help?

Thanks

Chris

Object Operation:
       Object Server:      DS
       Operation Type:      Object Access
       Object Type:      dnsNode
       Object Name:      DC=2,DC=100.168.192.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=xxdomain01,DC=company,DC=com
       Handle ID:      -
       Primary User Name:      xx-FP-01$
       Primary Domain:      xxDOMAIN01
       Primary Logon ID:      (0x0,0x3E7)
       Client User Name:      xx-xx-01$
       Client Domain:      xxDOMAIN01
       Client Logon ID:      (0x0,0x3B746ADF)
       Accesses:      Write Property
                  
       Properties:
      ---
            Default property set
                  dnsRecord
                  dNSTombstoned
      dnsNode

       Additional Info:      
       Additional Info2:      
       Access Mask:      0x20


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
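A parser for the 566 event body quoted above, added here as an example (it is not from the thread). It pulls out what a defender needs to read the audit: the DNS zone and node named in the DN (the DC= RDNs under CN=MicrosoftDNS are how AD-integrated DNS stores zones and nodes, so they are expected there), the account that was denied the write, whether the access mask carries the Write Property bit, and whether dNSTombstoned was among the properties being written. It assumes the 2003-style field layout shown in the question and a DN without escaped commas; the sample text is constructed from the question's event.

```python
import re

# Constructed sample modelled on the Event ID 566 body quoted in the question (names anonymised as there).
SAMPLE_566 = """Object Operation:
       Object Type:      dnsNode
       Object Name:      DC=2,DC=100.168.192.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=xxdomain01,DC=company,DC=com
       Client User Name:      xx-xx-01$
       Client Domain:      xxDOMAIN01
       Accesses:      Write Property
       Properties:
      ---
            Default property set
                  dnsRecord
                  dNSTombstoned
      dnsNode
       Access Mask:      0x20
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 ]+):\s*(.*?)\s*$")
DS_WRITE_PROP = 0x20  # ADS_RIGHT_DS_WRITE_PROP, the bit behind "Accesses: Write Property"

def parse_566(text):
    """Split the event body into 'Field: value' pairs plus the indented property list."""
    fields, props, in_props = {}, [], False
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key, val = m.group(1).strip(), m.group(2)
            fields[key], in_props = val, (key == "Properties")
        elif in_props and line.strip() not in ("", "---"):
            props.append(line.strip())
    fields["Properties"] = props
    return fields

def classify(ev):
    """Name the zone and node under CN=MicrosoftDNS, who was denied, and whether it was a tombstone write."""
    rdns = ev["Object Name"].split(",")  # assumes no escaped commas in the DN
    node, zone = (r.split("=", 1)[1] for r in rdns[:rdns.index("CN=MicrosoftDNS")])
    client = ev["Client Domain"] + "\\" + ev["Client User Name"]
    return {
        "zone": zone,
        "node": node,
        "reverse_zone": zone.endswith(".in-addr.arpa"),  # PTR data lives here
        "client": client,
        "machine_account": client.endswith("$"),  # computer accounts end in $
        "write_property": bool(int(ev["Access Mask"], 16) & DS_WRITE_PROP),
        "tombstone": "dNSTombstoned" in ev["Properties"],
    }
```

A failure audit with these fields read together says a computer account was refused a dynamic update that would have tombstoned a PTR node it does not own, which is the "clients have no rights to update DNS" question raised later in the thread.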
dhoffman_98

Something looks odd there. Look at the DN that starts with DC objects:
"DC=2,DC=100.168.192.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=xxdomain01,DC=company,DC=com"

Or did you type that? Normally in a distinguished name, the DC objects are at the end of the line, like where you show xxdomain01, company and com.
ASKER CERTIFIED SOLUTION
JSoup
Chris-Moore

ASKER

dhoffman, I changed the company related information to something generic xxdomain01, company, com

jsoup, the functional level is that of an upgraded 2000 domain to 2003 R2.  I will go review your article and report back.

Thanks both for the quick response.

Chris
The domain reports as Windows 2000 Native in ADUC.
All servers in the domain (single) are Windows 2003 R2 either Standard or Web Edition.

Should I raise the level to 2003, is the issue related to 2000 domains?  We are all Windows XP SP2 clients/Vista Business.

Thanks
I have in the past said yes to such a request, but I have been bitten too many times now. Make sure you cover the entries in the article. If you are sure it is 2000 and not 2003, it looks like DNS.
Yes, all servers are 2003 R2 but domain is 2000 Native
I will check the articles again
Do you have any 2000 server at all??
Great article. We have all the DNS records as stated. I have 2 GCs though, my file and print plus the Exchange server. This is not a problem, is it? Also we still have our WINS service running; I guess that is not needed as we are running Native mode and Windows XP SP2 upwards?
No, ALL are Windows 2003, not running SP2 yet though.
Why not SP2 on the Server?
Our phone system needs upgrading for one thing before I install, I need to check some other compatibility issues too.
Then SP2 is the next step, unless you think it is the wrong direction.
So do SP2 before raising the domain level? The servers are patched up to date other than SP2, so are reasonably current.
I would not risk it. Consider how much work, to recover if it creates other issues.
As my DNS checks out as per your article I am at a loss - I am no DNS expert by any means :-)

What do you think I should do next then?
Then SP2 is the next step. So do SP2 before raising the domain level? Yes, unless you think it is the wrong direction.
I would not risk doing anything else until you are current. Consider how much work it is to recover if it creates other issues.
I will Acronis image each server before upgrading to SP2 so I should be good :-)
Acronis has saved me many hours of work.
Wait, your question "Event ID 566 related to DNS/Tombstone on Windows 2003 R2 PDC"
has R2; it has SP2, please check.
If R2 is SP2 why are my R2 servers wanting to install it via Windows update?
http://technet.microsoft.com/en-us/windowsserver/bb430831.aspx
Check Control Panel, System: does it say SP2 or R2?
I'm not sure about it. It looks like it. http://www.microsoft.com/technet/windowsserver/evaluate/features/compare.mspx
Windows Server 2003 R2 with SP2
SP2 applies to Windows 2003 and 2003 R2

http://www.microsoft.com/downloads/details.aspx?familyid=95ac1610-c232-4644-b828-c55eec605d55&displaylang=en

Overview
Microsoft Windows Server 2003 Service Pack 2 (SP2) is a cumulative service pack that includes the latest updates and provides enhancements to security and stability. In addition, it adds new features and updates to existing Windows Server 2003 features and utilities. SP2 can be installed directly on the following operating systems:
Windows Server 2003 Editions (all 32-bit x86)
Windows Server 2003 R2 Editions
How about dynamic DNS updates? I just found something about needing credentials and a user account specifically for DHCP/DNS dynamic updates. I have no user created for this, but there is a password or stars in the password boxes. This is in DHCP Admin, the Server Properties and then the Credentials tab. Maybe clients have no rights to update DNS?? This is the first I know about having to create a specific account for DHCP/DNS authorisation. Do you know about this?

http://support.microsoft.com/kb/816592
Look, it is your responsibility, your effort and your time. So if you feel that we don't need SP2, then that is the next step. My 2 cents is SP2 is needed as the next step and then promotion. Others would say go ahead, do it, because it is your time.
Get some sleep, maybe it will be clearer by tomorrow.
R2 is not SP2, agreed.
SOLUTION
Thanks ChiefIT for pitching in. As this is my PDC and holds most FSMO roles, etc., is it safe to demote, and will my BDC, i.e. the Exchange server, simply seize the roles and I should be okay?

I started poking around DNS also and see a load of old, I presume stale, machines listed in the reverse DNS, so these are not being purged as I think they should. Maybe JSoup is right and I have some DNS issues hiding still.

Do the credentials for dynamic DNS affect anything like I have described? As this is a 2k domain upgraded to 2k3, did something default for a password, or is it using non-secure?

Thanks to you and JSoup for pitching in here.
Since you asked about dynamic DNS entries:
http://support.microsoft.com/kb/816592

Even reverse lookup zones should be cleaned up by dynamic DNS scavenging. However, I have seen a case where dynamic DNS doesn't delete my DNS records. This happened when an old machine wasn't deleted from the network; rather, the machine was disabled in Active Directory. We had to go into Active Directory and delete the GUID for the machines that were once disabled.

If you have a lot of disabled machines, also check DHCP. DHCP and DNS hold onto records of disabled machines.

If you upgraded your server and named it the same FQDN as the old server, you probably have some metadata that needs to be removed from all servers within the network. NTDSUTIL can help you remove this metadata.

I hope this helps you out.

Reply Two:

""As this is my PDC and holds most FSMO roles, etc. is it safe to demote and will my BDC i.e. the Exchange server simply seize the roles and I should be okay?""

This too is a very good question. If you plan to demote, we need to be careful to keep the holder of the roles in place for the promotion. I have never demoted a PDC that holds the roles. It always seems to be the BDC. So, I am going to turn to some fellow experts and ask their opinion on this matter.

Anyone willing to provide this info?
How does the PDC keep the holder of roles when a demotion has been done?

Chris, I am going under the assumption demoting a DC is knowledge you already have. Please advise.
To demote you use DCPROMO, I guess; not too familiar with the tool.

Thanks for keeping with this!
Things you will need
How to view and transfer FSMO roles in Windows Server 2003
http://support.microsoft.com/kb/324801

How to remove data in Active Directory after an unsuccessful domain controller demotion
http://support.microsoft.com/kb/216498

Sorry I can't be of more help right now. I popped in to see how things are going.
A customer had a super fish tank in his office that washed away his server and network.

Glad to see ChiefIT helping out.
Thanks, I will see what I can do this weekend.

Good luck with the soggy servers!!
Jsoup:

Salt water tank or fresh water tank? Salt water will ruin the electronics. Fresh water: let it thoroughly dry out and give it a shot.
ChiefIT
Your e-mail was held by the spam filter. I will get to it tomorrow, sorry.
I don't really know whether it is a salt water tank or fresh water; the customer is in another state.
I do remote support and management for my customers. Never had to do a DRP recovery.
3" X 9' X 4'.6" It pushed three walls out.
How goes the battle Chris?
Apologies, this got pushed down the pile a little. It seems most machines are not reporting the error now and only one is left filling the log. I'll work on that as a local issue.

Not sure how I should split the points on this one, as you both offered advice but the issue seems to have quietened down by itself with no action taken as such.

Don't want to delete it as I value your time and effort in helping me out. 50/50 okay?
Fine for me.

ChiefIT,
It's your call. I will give it up if you feel it should be yours. I'm having funnnnnnnnnnnnnn.