  1. #1
    ranj

    A records disappear randomly in Forward lookup Zone DNS

    Hi

    I hope you can bear with me as my knowledge of DNS isn't extensive.

    We have 2 DNS servers running 2008 Server. Recently we have been having a few issues and I think it could be related to DNS.

    The first issue is randomly on a few machines around the building, students are not able to retrieve their mapped home drive but if the student logs onto a different machine it works perfectly. I did a lot of diagnosing on the machine and checking permissions on the folders but eventually ruled it out as it seemed to be machine specific and not moving around with the pupil. If I reimaged the machine it worked fine after that.

    The other issue I have seen recently is all of a sudden certain servers are not contactable on desktops. When looking at DNS I notice that the A record for that particular server has disappeared in DNS forward lookup zone. If I re-enter the A record and then run ipconfig /flushdns and /registerdns, give it a few moments then connection is established again and then it will be fine for weeks and then all of a sudden the A record will disappear but this time for a different server. I have checked ipconfig /all on both server and client and all seems to be well. It's picking up correct DNS servers, I don't see duplicate records in DNS.

    Does anyone have any idea of what could be going on here? I am confused.

    One thing I will point out is months ago we did have issues when machines were getting ip conflicts and we found in DNS that multiple IP's were being assigned to the same machine. We believe we addressed this by adjusting our scavenge stale resource records (non refresh and refresh interval to 7 days). We also set enable automatic scavenging of stale records to 1 day as this was not originally setup.

    Could this be related to the issues we are having? Fortunately the issue isn't that bad but we do get this issue now and again and I would like to nip it in the bud if I can as it always tends to bite us at the most inconvenient times!!

    Thanks

  2. #2

    m25man
    This has been used by the %logonserver%\sysvol\ attack vector by several payloads designed to disrupt Windows Domain Controllers.

    I would be highly suspicious of users that are logged into your network using accounts that have Domain Administrator Rights.
    Domain Admin Accounts should stay in the server room, everyone outside should be a Domain User with delegated rights where needed.
    Never use the Domain Admin Account to log into a workstation unless you know it's 100% clean.

    Audit your DNS,

    HOW TO: Set up DNS auditing for records that are removed from the local zones may help you:

    1. Enable Directory Service Access auditing in your default Domain Policy:
    a) Edit the Domain Security Policy
    b) Navigate to Local Policies -> Audit Policy
    c) Define 'Audit directory service access' for success and failure
    d) Refresh the policy on all Domain Controllers

    2. Enable auditing on the DNS zone:
    a) Open ADSIEdit (Start, Run, adsiedit.msc)
    b) Right-click ADSI Edit, and connect to the DC=DomainDnsZones,DC=<domain>,DC=<top level domain> container
    c) Expand MicrosoftDNS, and navigate to the location of the DNS zone
    d) Right-click the zone and choose Properties
    e) On the Security tab, click the Advanced button
    f) Select the Auditing tab, and click Add
    g) Under User or Group, type in Everyone
    h) On the Object tab, select Success and Failure for access types Write All Properties, Read All Properties, Delete, and Delete Subtree

    3. When a record is changed from DNS, Event ID such as 566 will be logged in the Security Event Log on the related DC.

    NOT my tips but ones passed down to me from an MS Tech after a school had its entire domain wiped out by hackers that had gained access through the Network Manager's compromised PC.

    We had traced that Servers and other records were being deleted from AD at random, through Auditing we discovered the compromised account and changed the password.
    The mystery deletions stopped immediately, the compromised systems were flattened and rebuilt and the Network Manager suitably disciplined.
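
Once the auditing from steps 1 to 3 above is in place, the Security logs on the DCs can be searched for operations on objects under the MicrosoftDNS container. The script below is an added example, not part of the original post. The DC names are placeholders, event ID 4662 (the Windows Server 2008 and later counterpart of 566) is included alongside the ID the post gives, and the field extraction assumes English-language event text.

```powershell
# Added example (not from the thread): list audited operations on AD-integrated
# DNS objects, so a disappearing A record can be tied to an account and a time.
# Assumptions: the reader account may read the Security log on each DC, the
# DC names below are placeholders, and event messages are in English.
param(
    [string[]]$DomainControllers = @('DC01', 'DC02'),  # placeholder names
    [int[]]$EventIds = @(566, 4662),                   # 566 per the post; 4662 on 2008+
    [int]$DaysBack = 7
)

# Return the first capture of a "Label: value" line from the rendered message.
function Get-MessageField {
    param([string]$Message, [string]$Label)
    if ($Message -match "(?m)^\s*(?:$Label):\s*(.+?)\s*$") { $Matches[1] } else { $null }
}

$start = (Get-Date).AddDays(-$DaysBack)

$hits = foreach ($dc in $DomainControllers) {
    $filter = @{ LogName = 'Security'; Id = $EventIds; StartTime = $start }

    # Audit events are written on the DC that processed the change, so every DC is queried.
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'CN=MicrosoftDNS' } |   # DNS zone and record objects only
        ForEach-Object {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                DC       = $dc
                EventId  = $_.Id
                # 4662 labels the caller "Account Name", 566 "Client User Name".
                Account  = Get-MessageField $_.Message 'Account Name|Client User Name'
                Object   = Get-MessageField $_.Message 'Object Name'
                Accesses = Get-MessageField $_.Message 'Accesses'
            }
        }
}

# Oldest first, so the change just before a record vanished is easy to spot.
$hits | Sort-Object Time | Format-Table -AutoSize -Wrap

# Accounts ranked by number of audited DNS operations in the window.
$hits | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name
```

The Object column carries the distinguished name of the record (DC=<host>,DC=<zone>,CN=MicrosoftDNS,...), so filtering on the name of the server whose A record went missing narrows the output to the relevant events.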

  3. #3

    Very interesting, I would also research what the DNS registration refresh interval is on the problem servers. This could be a scavenging issue as your timeouts are quite low.

  4. #4

    m25man
    Originally Posted by SkreeM1980:
    Very interesting, I would also research what the DNS registration refresh interval is on the problem servers. This could be a scavenging issue as your timeouts are quite low.

    A valid point... I made the stupid assumption that all servers would be using Static IP addresses, in which case scavenging shouldn't be an issue, but if "Some Servers" are DHCP clients then you could have a problem when it comes around to renewal time...
