Solved

Event ID 566 related to DNS/Tombstone on Windows 2003 R2 PDC

Posted on 2007-10-04
Last Modified: 2012-05-05
Event ID 566, Failure Audit in Security Event viewer, seem to be getting these all the time and cannot figure out what is wrong.

Can anyone help?

Thanks

Chris

Object Operation:
       Object Server:      DS
       Operation Type:      Object Access
       Object Type:      dnsNode
       Object Name:      DC=2,DC=100.168.192.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=xxdomain01,DC=company,DC=com
       Handle ID:      -
       Primary User Name:      xx-FP-01$
       Primary Domain:      xxDOMAIN01
       Primary Logon ID:      (0x0,0x3E7)
       Client User Name:      xx-xx-01$
       Client Domain:      xxDOMAIN01
       Client Logon ID:      (0x0,0x3B746ADF)
       Accesses:      Write Property
       Properties:
      ---
            Default property set
                  dnsRecord
                  dNSTombstoned
      dnsNode

       Additional Info:      
       Additional Info2:      
       Access Mask:      0x20


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
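As an added example (not part of the original question or answers), the following Python parses the event 566 body in the layout shown above and reduces it to what a DNS admin triages on: the record and zone taken from the dnsNode distinguished name, the client account, whether it is a computer account, and whether dNSTombstoned was among the attributes written. It assumes the `Key: value` header lines and indented Properties block exactly as quoted; the sample event is constructed from the one above and the second client name in the test is invented.

```python
import re
from collections import Counter

# Constructed sample in the layout of the event 566 body quoted in the question.
SAMPLE_566 = """Object Operation:
       Object Name:      DC=2,DC=100.168.192.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=xxdomain01,DC=company,DC=com
       Client User Name:      xx-xx-01$
       Accesses:      Write Property
       Properties:
      ---
            Default property set
                  dnsRecord
                  dNSTombstoned
      dnsNode
       Access Mask:      0x20
"""
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 ]*?):\s*(.*)$")
WRITE_PROP = 0x20  # ADS_RIGHT_DS_WRITE_PROP bit of the access mask

def parse_566(text):
    """Split an event 566 body into header fields and the attribute names
    actually written, which sit at the deepest indent of the Properties block."""
    fields, props, in_props = {}, [], False
    for line in text.splitlines():
        s = line.strip()
        if not s or s == "---":
            continue
        m = FIELD_RE.match(s)
        if m:                      # 'Key:  value' header line
            in_props = m.group(1) == "Properties"
            if not in_props:
                fields[m.group(1)] = m.group(2).strip()
        elif in_props:             # property set, attribute or class name
            props.append((len(line) - len(line.lstrip()), s))
    deepest = max((ind for ind, _ in props), default=0)
    return fields, [name for ind, name in props if ind == deepest]

def summarise(text):
    """Reduce one event to triage facts (DN is DC=<record>,DC=<zone>,CN=MicrosoftDNS,...)."""
    fields, attrs = parse_566(text)
    record, zone = (rdn.split("=", 1)[1] for rdn in fields["Object Name"].split(",")[:2])
    client = fields["Client User Name"]
    return {"record": record, "zone": zone, "client": client,
            "machine_account": client.endswith("$"),  # computer account, not a person
            "write_property": bool(int(fields["Access Mask"], 16) & WRITE_PROP),
            "tombstone_write": "dNSTombstoned" in attrs}

def noisiest_clients(event_texts, n=3):
    """Count events per client account to find the host still filling the log."""
    return Counter(summarise(t)["client"] for t in event_texts).most_common(n)
```

Feed `noisiest_clients` the bodies of all 566 events exported from the Security log to see which machine account is generating the writes, which is the split between "one host left filling the log" and a zone-wide problem.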
Question by:Chris-Moore
LVL 13

Expert Comment

by:dhoffman_98
ID: 20015599
Something looks odd there. Look at the DN that starts with DC objects:
"DC=2,DC=100.168.192.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=xxdomain01,DC=company,DC=com"

Or did you type that? Normally in a distinguished name, the DC objects are at the end of the line, like where you show xxdomain01, company and com.
 
LVL 8

Accepted Solution

by:
JSoup earned 750 total points
ID: 20015680
http://www.ultimatewindowssecurity.com/Details.aspx?ID=38
Whereas event 565 logs the permissions requested by user/program, event 566 logs the permissions actually exercised by the user/program after opening it. While an object may be accessed several times during the same open, Windows only logs event 566 the first time a given permission is actually exercised. This event is similar to 567 but is limited to Active Directory object accesses.

This event is part of operation based auditing which is new to W3.

You will only see event 566 on domain controllers.

Consider This  :::  SolutionBase: Be aware of the Global Catalog Server in a multidomain structure
http://articles.techrepublic.com.com/5100-6345_11-5246874.html
Once you find out whether your Global Catalog Server is working properly, the rest is up to you. The easiest fix is to make sure you have all of your domains at the same functional level as your forest. If that isn't the problem, then it could be DNS. Check out my article "When troubleshooting Windows 2000, start with DNS" for what to do when DNS loses the Global Catalog Server service record.


In order to understand potential problems that can arise with the Global Catalog Server, you have to get a better understanding of the different types of domains in Active Directory, especially the new domain functional levels and forest functional levels in Windows Server 2003.

Domain functional levels

The term functional level replaces the term mode as it was used in Windows 2000 to refer to the type of domain controllers in a domain. There are four domain functional levels in Windows 2003 Active Directory:

Windows 2000 Mixed
Windows 2000 Native
Windows Server 2003 Interim
Windows Server 2003
 

Author Comment

by:Chris-Moore
ID: 20016182
dhoffman, I changed the company related information to something generic xxdomain01, company, com

jsoup, the functional level is that of an upgraded 2000 domain to 2003 R2.  I will go review your article and report back.

Thanks both for the quick response.

Chris

Author Comment

by:Chris-Moore
ID: 20016246
The domain reports as Windows 2000 Native in ADUC.
All servers in the domain (single) are Windows 2003 R2 either Standard or Web Edition.

Should I raise the level to 2003, is the issue related to 2000 domains?  We are all Windows XP SP2 clients/Vista Business.

Thanks
 
LVL 8

Expert Comment

by:JSoup
ID: 20017266
I have in the past said yes to such a request, but I have been bitten too many times now.  Make sure you cover the entries in the article. If you are sure it's 2000 and not 2003, it looks like DNS.
 

Author Comment

by:Chris-Moore
ID: 20017308
Yes, all servers are 2003 R2 but domain is 2000 Native
I will check the articles again
 
LVL 8

Expert Comment

by:JSoup
ID: 20017447
Do you have any 2000 server at all??
 

Author Comment

by:Chris-Moore
ID: 20017460
Great article.  We have all the DNS records as stated.  I have 2 GCs though, my file and print plus the Exchange server.  This is not a problem, is it?  Also, we still have our WINS service running; I guess that is not needed as we are running Native mode and Windows XP SP2 upwards?
 

Author Comment

by:Chris-Moore
ID: 20017473
No, ALL are Windows 2003, not running SP2 yet though.
 
LVL 8

Expert Comment

by:JSoup
ID: 20017529
Why not SP2 on the Server?
 

Author Comment

by:Chris-Moore
ID: 20017592
Our phone system needs upgrading for one thing before I install, I need to check some other compatibility issues too.
 
LVL 8

Expert Comment

by:JSoup
ID: 20017666
Then SP2 is the next step, unless you think it's the wrong direction.
 

Author Comment

by:Chris-Moore
ID: 20017717
So do SP2 before raising domain level?  The servers are patched up to date other than SP2, so they are reasonably current.
 
LVL 8

Expert Comment

by:JSoup
ID: 20017743
I would not risk it. Consider how much work it would be to recover if it creates other issues.
 

Author Comment

by:Chris-Moore
ID: 20017781
As my DNS checks out as per your article I am at a loss - I am no DNS expert by any means :-)

What do you think I should do next then?
 
LVL 8

Expert Comment

by:JSoup
ID: 20017853
Then SP2 is the next step. So do SP2 before raising domain level?  Yes.  Unless you think it's the wrong direction.
I would not risk doing any other thing until you are current. Consider how much work it would be to recover if it creates other issues.
 

Author Comment

by:Chris-Moore
ID: 20017942
I will Acronis image each server before upgrading to SP2 so I should be good :-)
 
LVL 8

Expert Comment

by:JSoup
ID: 20018022
Acronis  has saved me many hours of work.
 
LVL 8

Expert Comment

by:JSoup
ID: 20018036
Wait, your question "Event ID 566 related to DNS/Tombstone on Windows 2003 R2 PDC"
has R2; it has SP2, please check.
 

Author Comment

by:Chris-Moore
ID: 20018680
If R2 is SP2 why are my R2 servers wanting to install it via Windows update?
 
LVL 8

Expert Comment

by:JSoup
ID: 20018732
http://technet.microsoft.com/en-us/windowsserver/bb430831.aspx
Check the control panel, System.  Does it say SP2 or R2?
 
LVL 8

Expert Comment

by:JSoup
ID: 20018744
I'm not sure about it.  It looks like it. http://www.microsoft.com/technet/windowsserver/evaluate/features/compare.mspx
Windows Server 2003 R2 with SP2
 

Author Comment

by:Chris-Moore
ID: 20019129
SP2 applies to Windows 2003 and 2003 R2

http://www.microsoft.com/downloads/details.aspx?familyid=95ac1610-c232-4644-b828-c55eec605d55&displaylang=en

Overview
Microsoft Windows Server 2003 Service Pack 2 (SP2) is a cumulative service pack that includes the latest updates and provides enhancements to security and stability. In addition, it adds new features and updates to existing Windows Server 2003 features and utilities. SP2 can be installed directly on the following operating systems:
Windows Server 2003 Editions (all 32-bit x86)
Windows Server 2003 R2 Editions
 

Author Comment

by:Chris-Moore
ID: 20019184
How about dynamic DNS updates?  I just found something about needing credentials and a user account specifically for DHCP/DNS dynamic updates.   I have no user created for this but there is a password or stars in the password boxes.  This is in DHCP Admin, the Server Properties and then Credentials tab.  Maybe clients have no rights to update DNS??  This is the first I know about having to create a specific account for DHCP/DNS authorisation.  You know about this?

http://support.microsoft.com/kb/816592
 
LVL 8

Expert Comment

by:JSoup
ID: 20019236
Look, it is your responsibility, your effort and your time.  So if you feel that we don't need SP2, then that's the next step.   My 2 cents is SP2 is needed as the next step and then promotion.  Others would say go ahead, do it, because it's your time.
Get some sleep, maybe it will be clearer by tomorrow.
 
LVL 8

Expert Comment

by:JSoup
ID: 20019240
R2 is not SP2 agreed.
 
LVL 39

Assisted Solution

by:ChiefIT
ChiefIT earned 750 total points
ID: 20020372
Howdy all,

Mind if I join?

A tombstone object relates to Active Directory. This article can describe a tombstone object better than I can. http://support.microsoft.com/kb/248047

As the article says, there are a couple phases to deleting a tombstoned object. If I am not mistaken, DCdiag should be able to help you pick up in greater detail the tombstoned object.

What I had to do when I had tombstone errors is manually remove the metadata left behind from a prior server. I used the ntdsutil.exe utility to remove this metadata. Is it possible you have metadata from an improperly demoted domain controller?

The correlation between a tombstone object and DNS (error 566) problem is something I am confused about. This is just a guess. You might have a DNS entry pointing to a tombstone GUID in AD.

Tombstones are hard to get rid of. One method I have done as a proven method is to demote the server to a standalone. That removes the AD database. Then promote it back into the domain. Register its DNS and force replicate to get the domain controller back on track. Demoting it will leave DNS and DHCP still intact. So, you may not need to reregister the DNS record of that DC.

I hope this helps.
 

Author Comment

by:Chris-Moore
ID: 20021545
Thanks ChiefIT for pitching in.  As this is my PDC and holds most FSMO roles, etc. is it safe to demote and will my BDC i.e. the Exchange server simply seize the roles and I should be okay?

I started poking around DNS also and see a load of old, I presume stale, machines listed in the reverse DNS, so these are not being purged as I think they should.  Maybe JSoup is right and I have some DNS issues hiding still.

Do the credentials for dynamic DNS affect anything like I have described?  As this is an upgraded 2k domain to 2k3, did something default for a password or is it using non-secure?

Thanks to you and JSoup for pitching in here.
 
LVL 39

Expert Comment

by:ChiefIT
ID: 20023952
Since you asked about dynamic DNS entries:
http://support.microsoft.com/kb/816592

Even reverse lookup zones should be deleted with Dynamic DNS scavenging. However, I have seen a case where dynamic DNS doesn't delete my DNS records. This happened when an old machine wasn't deleted from the network. Rather, the machine was disabled in Active Directory. We had to go into Active Directory and delete the GUID for the machines that were once disabled.

If you have a lot of disabled machines, also check DHCP. DHCP and DNS hold onto records of disabled machines.

If you upgraded your server and named it the same FQDN as the old server, you probably have some metadata that needs to be removed from all servers within the network. NTDSUTIL can help you remove this metadata.

I hope this helps you out.

 
LVL 39

Expert Comment

by:ChiefIT
ID: 20024465
Reply Two:

""As this is my PDC and holds most FSMO roles, etc. is it safe to demote and will my BDC i.e. the Exchange server simply seize the roles and I should be okay?""

This too is a very good question. If you plan to demote, we need to be careful to keep the Holder of roles in place for the promotion. I never have demoted a PDC holder of roles. It always seems to be the BDC. So, I am going to turn to some fellow experts and ask their opinion on this matter.

Anyone willing to provide this info?
How does the PDC keep the holder of roles when a demotion has been done?

Chris, I am going under the assumption demoting a DC is knowledge you already have. Please advise.
 

Author Comment

by:Chris-Moore
ID: 20024764
To demote you use DCPROMO I guess, not too familiar with the tool.

Thanks for keeping with this!
 
LVL 8

Expert Comment

by:JSoup
ID: 20024930
Things you will need:
How to view and transfer FSMO roles in Windows Server 2003
http://support.microsoft.com/kb/324801

How to remove data in Active Directory after an unsuccessful domain controller demotion
http://support.microsoft.com/kb/216498

Sorry I can't be of more help right now. I popped in to see how things are going.
A customer had a super fish tank in his office that washed away his server and network.

Glad to see ChiefIT helping out.
 

Author Comment

by:Chris-Moore
ID: 20025011
Thanks, I will see what I can do this weekend.

Good luck with the soggy servers!!
 
LVL 39

Expert Comment

by:ChiefIT
ID: 20025617
Jsoup:

Salt water tank or fresh water tank? Salt water will ruin the electronics. Fresh water, let it thoroughly dry out and give it a shot.
 
LVL 8

Expert Comment

by:JSoup
ID: 20025953
ChiefIT
Your e-mail was held by the spam program. I will get to it tomorrow, sorry.
I don't really know whether it was a salt water tank or fresh water; the customer is in another state.
I do remote support and management for my customers.  Never had to do a DRP recovery..
3" X 9' X 4'.6" It pushed three walls out.
 
LVL 39

Expert Comment

by:ChiefIT
ID: 20126382
How goes the battle Chris?
 

Author Comment

by:Chris-Moore
ID: 21061701
Apologies this got pushed down the pile a little.  Seems most machines are not reporting the error now and only one is left filling the log.  I'll work on that as a local issue.

Not sure how I should split the points on this one as you both offered advice but the issue seems to have quietened down by itself with no action taken as such.

Don't want to delete it as I value your time and effort on helping me out.  50/50 okay?
 
LVL 8

Expert Comment

by:JSoup
ID: 21061964
Fine for me.

ChiefIT,
It's your call.    I will give it up if you feel it should be yours..  I'm having funnnnnnnnnnnnnn.