A records disappear randomly in Forward lookup Zone DNS
I hope you can bear with me, as my knowledge of DNS isn't extensive.
We have 2 DNS servers running Windows Server 2008. Recently we have been having a few issues and I think they could be related to DNS.
The first issue is that randomly, on a few machines around the building, students are not able to retrieve their mapped home drive, but if the student logs on to a different machine it works perfectly. I did a lot of diagnosing on the machine and checked permissions on the folders, but eventually ruled that out as it seemed to be machine specific and not moving around with the pupil. If I re-imaged the machine it worked fine after that.
The other issue I have seen recently is that all of a sudden certain servers are not contactable from desktops. When looking at DNS I notice that the A record for that particular server has disappeared from the DNS forward lookup zone. If I re-enter the A record and then run ipconfig /flushdns and /registerdns and give it a few moments, the connection is established again and then it will be fine for weeks, and then all of a sudden an A record will disappear again, but this time for a different server. I have checked ipconfig /all on both server and client and all seems to be well: it's picking up the correct DNS servers, and I don't see duplicate records in DNS.
Does anyone have any idea what could be going on here? I am confused.
One thing I will point out is that months ago we did have issues when machines were getting IP conflicts, and we found in DNS that multiple IPs were being assigned to the same machine. We believe we addressed this by adjusting our scavenging of stale resource records (no-refresh and refresh intervals to 7 days). We also set "Enable automatic scavenging of stale records" to 1 day, as this was not originally set up.
Could this be related to the issues we are having? Fortunately the issue isn't that bad, but we do get it now and again and I would like to nip it in the bud if I can, as it always tends to bite us at the most inconvenient times!
This has been used by the %logonserver%\sysvol\ attack vector by several payloads designed to disrupt Windows Domain Controllers.
I would be highly suspicious of users that are logged into your network using accounts that have Domain Administrator Rights.
Domain Admin Accounts should stay in the server room, everyone out side should be a Domain User with delegated rights where needed.
Never use the Domain Admin Account to log into a workstation unless you know it's 100% clean.
Audit your DNS.
HOW TO: Set up DNS auditing for records that are removed from the local zones. This may help you:
1. Enable Directory Service Access auditing in your default Domain Policy:
a) Edit the Domain Security Policy
b) Navigate to Local Policies -> Audit Policy
c) Define 'Audit directory service access' for success and failure
d) Refresh the policy on all Domain Controllers
2. Enable auditing on the DNS zone:
a) Open ADSIEdit (Start, Run, adsiedit.msc)
b) Right-click ADSI Edit, and connect to the DC=DomainDnsZones,DC=<domain>,DC=<top level domain> container
c) Expand MicrosoftDNS, and navigate to the location of the DNS zone
d) Right-click the zone and choose Properties
e) On the Security tab, click the Advanced button
f) Select the Auditing tab, and click Add
g) Under User or Group, type in Everyone
h) On the Object tab, select Success and Failure for access types Write All Properties, Read All Properties, Delete, and Delete Subtree
3. When a record is changed in DNS, an event such as Event ID 566 will be logged in the Security event log on the related DC.
Not my tip, but one passed down to me by an MS tech after a school had its entire domain wiped out by hackers who had gained access through the Network Manager's compromised PC.
We had traced that servers and other records were being deleted from AD at random; through auditing we discovered the compromised account and changed the password.
The mystery deletions stopped immediately, the compromised systems were flattened and rebuilt and the Network Manager suitably disciplined.
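The three-part procedure in the post above, scripted for PowerShell as an added example; this is not code from the thread. The zone name is an assumption, as is the location of the zone in the DomainDnsZones partition (the path given in step 2b); a zone stored in ForestDnsZones or in the domain partition sits under a different DN. One note on step 3: on Server 2008 and later the Directory Service Access event is 4662 (566 is the Server 2003 ID), so the query at the end filters on 4662.

```powershell
# Added example: the DNS-zone auditing procedure from the post, scripted.
# Run in an elevated PowerShell on a domain controller. Assumptions (change
# for your environment): the zone name, and that the zone lives in the
# DomainDnsZones partition. Zones in ForestDnsZones or the domain partition
# have a different DN.
$ZoneName = 'school.local'   # assumption: the forward lookup zone to audit
$DomainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext   # e.g. DC=school,DC=local
$ZoneDn   = "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDn"

# Step 1: 'Audit directory service access' for success and failure. auditpol
# changes THIS DC only; use the policy, as the post says, to cover every DC.
auditpol.exe /set /subcategory:"Directory Service Access" /success:enable /failure:enable

# Step 2: add a SACL entry on the zone object for Everyone, auditing success
# and failure of Write All Properties, Read All Properties, Delete and Delete
# Subtree, inherited by the dnsNode objects (the A records) beneath the zone.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, ReadProperty, Delete, DeleteTree'
$flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$rule     = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($everyone, $rights, $flags, $inherit)

$zone = [ADSI]"LDAP://$ZoneDn"
# Request the SACL as well as the DACL; the default read omits it.
$zone.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Owner, Group, Dacl, Sacl'
$zone.ObjectSecurity.AddAuditRule($rule)
$zone.CommitChanges()

# Step 3: read back what was logged. On Server 2008 and later the event is
# 4662 (566 is the Server 2003 ID). 4662 is noisy, so keep only events whose
# object path is under CN=MicrosoftDNS.
function Get-DnsObjectAuditEvents {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'CN=MicrosoftDNS' } |
        ForEach-Object {
            $m = $_.Message
            $account   = ''; if ($m -match 'Account Name:\s+(\S+)')  { $account   = $Matches[1] }
            $object    = ''; if ($m -match 'Object Name:\s+(.+)')    { $object    = $Matches[1].Trim() }
            $operation = ''; if ($m -match 'Operation Type:\s+(.+)') { $operation = $Matches[1].Trim() }
            $accesses  = ''; if ($m -match 'Accesses:\s+(.+)')       { $accesses  = $Matches[1].Trim() }
            New-Object PSObject -Property @{
                Time = $_.TimeCreated; Account = $account; Object = $object
                Operation = $operation; Accesses = $accesses
            } | Select-Object Time, Account, Object, Operation, Accesses
        }
}

Get-DnsObjectAuditEvents | Format-Table -AutoSize
```

The script must run on each DC that hosts the zone, because the Security log is local to the DC that processed the deletion; an account name in the Account column that is a workstation user with Domain Admin rights is exactly the pattern the post describes.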
Very interesting. I would also research what the DNS registration refresh interval is on the problem servers. This could be a scavenging issue, as your timeouts are quite low.
A valid point... I made the stupid assumption that all servers would be using static IP addresses, in which case scavenging shouldn't be an issue, but if "some servers" are DHCP clients then you could have a problem when it comes around to renewal time...
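For the scavenging question raised in the first post (no-refresh and refresh intervals of 7 days, scavenging period 1 day) and in the last two replies, the following is an added example, not code from the thread: it takes dnscmd record output and reports which records a scavenging run is allowed to delete. The three record lines are constructed sample output in the format of `dnscmd <server> /EnumRecords <zone> @ /Additional`; the zone, server and host names are assumptions. One caveat for the reply about static addresses: a Windows server with a static IP still registers its A record dynamically when "Register this connection's addresses in DNS" is ticked (and refreshes it every 24 hours by default), so that record carries a timestamp and is subject to scavenging like any DHCP client's; only records created by hand in the console are timestamp-less and exempt.

```powershell
# Added example, not from the thread: given dnscmd record output and aging
# settings (no-refresh 7 days, refresh 7 days, as in the first post), report
# which records the next scavenging run may delete. [Aging:N] is the record
# timestamp in hours since 1601-01-01 UTC; a record printed without an
# [Aging:] tag is static and is never scavenged.
function Get-ScavengeState {
    param(
        [string[]]$Lines,
        [int]$NoRefreshDays = 7,
        [int]$RefreshDays   = 7,
        [datetime]$Now      = (Get-Date).ToUniversalTime()
    )
    $epoch    = New-Object DateTime 1601, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
    $nowHours = [int64][math]::Floor(($Now - $epoch).TotalHours)
    $pattern  = '^(?<name>\S+)\s+(?:\[Aging:(?<hours>\d+)\]\s+)?(?<ttl>\d+)\s+(?<type>[A-Z]+)\s+(?<data>.+)$'

    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }     # header, footer, blank lines
        $name = $Matches['name']; $type = $Matches['type']; $data = $Matches['data'].Trim()
        $stamp = $null; $ageDays = $null

        if (-not $Matches['hours'] -or [int64]$Matches['hours'] -eq 0) {
            $state = 'static: never scavenged'
        } else {
            $hours    = [int64]$Matches['hours']
            $stamp    = $epoch.AddHours($hours)
            $ageHours = $nowHours - $hours
            $ageDays  = [math]::Round($ageHours / 24.0, 1)
            if ($ageHours -lt $NoRefreshDays * 24) {
                $state = 'no-refresh window: timestamp refresh suppressed, safe'
            } elseif ($ageHours -lt ($NoRefreshDays + $RefreshDays) * 24) {
                $state = 'refresh window: owner must re-register or it expires'
            } else {
                $state = 'ELIGIBLE: next scavenging run deletes it'
            }
        }
        New-Object PSObject -Property @{
            Name = $name; Type = $type; Data = $data; Timestamp = $stamp; AgeDays = $ageDays; State = $state
        } | Select-Object Name, Type, Data, Timestamp, AgeDays, State
    }
}

# Constructed sample, evaluated at a fixed "now" of 2012-03-01 00:00 UTC,
# which is 3604176 hours after the 1601 epoch.
$Now = New-Object DateTime 2012, 3, 1, 0, 0, 0, ([DateTimeKind]::Utc)
$SampleOutput = @(
    'Returned records:',
    'fileserver01           [Aging:3604104] 1200 A  10.1.0.25',   # 3 days old
    'printsrv               [Aging:3603936] 1200 A  10.1.0.30',   # 10 days old
    'app01                  [Aging:3603696] 1200 A  10.1.0.40',   # 20 days old
    'dc01                   3600 A  10.1.0.5',                     # static record
    'Command completed successfully.'
)

Get-ScavengeState -Lines $SampleOutput -Now $Now | Format-Table -AutoSize

# Live use (assumed server and zone names): feed it the real dnscmd output.
# Get-ScavengeState -Lines (dnscmd dns01 /EnumRecords school.local @ /Additional)
```

With the poster's settings a record whose owner has not refreshed it for 14 days is deleted on the next daily scavenging pass, which matches the symptom of a single server's A record vanishing after weeks of working; a server whose registration refresh interval is longer than 14 days, or which was off or unable to reach the primary DNS server during its refresh window, is the one to look at.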