

Cannot delete DNS record. Refused (RCODE_REFUSED 9005)

Question

Tuesday, April 28, 2015 10:15 AM

Server 2008 R2
2003 Functional Level

I am trying to do a straightforward delete of an A record on our Domain DNS.

I right-click on the record in DNS Manager within the zone in question, and choose "Delete". I confirm I wish to delete and get the following error: "The record cannot be deleted. Refused"

So I looked at permissions. I am logged on as a Domain Admin, Enterprise Admin, DNS Admin etc. The Effective Permissions for my logged on username show I can delete (along with everything else)

I tried using the console command "dnscmd /recorddelete" and get the following error: Command failed: RCODE_REFUSED 9005 0x232D

Have now noticed I cannot add a record either!

Can anyone help with what the problem may be or how to fix it please?

Thanks in advance

All replies (3)

Tuesday, April 28, 2015 11:21 AM ✅Answered | 1 vote

Hi Andy,

Check that you don't have a GPO conflicting permissions.

1. Open GPMC, Select "Default Domain Controller Policy" and choose edit.
2. Under Computer configuration, expand Windows Settings\Security Settings\Local Policies\User Rights Assignment
3. Locate "Manage auditing and security log" and add Administrators.

As per the below post.

It can be due to duplicate AD integrated zone issue. Please use ADSI Edit to determine if there are any duplicates. If you find any, delete them.

Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx

References for further troubleshooting:

Manually DNS registration error (next)

https://social.technet.microsoft.com/Forums/windowsserver/en-US/541f4667-df37-466b-b8cc-929de6fd6159/manually-dns-registration-error-next?forum=winserverNIS

Regards,

Satyajit

Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.


Tuesday, April 28, 2015 12:47 PM

Hi Satyajit,

Thanks for your reply, I had a look through the links and then came across the problem.
A little embarrassing that I didn't spot this before, but the HDD was completely full!
It had 30GB free yesterday but a colleague of mine had written a script to copy over some logs from another server but hadn't noticed it was copying over all logs each time it made a new folder, not just the latest ones.
Anyway, it filled up fast!
Once this space was freed up the records could be added and deleted fine.

Is there anything I need to look out for with replication to other DNS DCs that may have happened because the master DNS was full?

Thanks again

Andy


Wednesday, April 29, 2015 3:49 AM | 1 vote

Hi Andy,

Thanks for updating how you resolved the issue. Yes, it's true sometimes we tend to overlook the simpler things.

It would be the right time to have a proactive monitoring setup, or at least a script that would do it for you every morning.

DNS should start working automatically, but still for AD DNS concerns, a quick test is as below:

dcdiag /test:DNS

You are referring to "Master DNS was full"; is it not AD-integrated DNS?

Depending upon what you have, client requests were either not processed or processed by other DCs.

In a standard zone storage model, DNS updates are conducted based upon a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone.

With directory-integrated storage, dynamic updates to DNS are conducted based upon a multimaster update model. In this model, any authoritative DNS server, such as a domain controller running a DNS server, is designated as a primary source for the zone.

You can find more detailed tests in the link below:

How to check\test that my DNS is working fine

References:

Benefits of Active Directory integration

Regards,

Satyajit

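The morning check suggested in the last reply, sketched as an added example that is not part of the original thread: it flags fixed volumes that are running out of space (the root cause found here) and then runs `dcdiag /test:DNS`. The thresholds, the function names, and the match on dcdiag's "failed test DNS" summary line are assumptions; the WMI call is used so the script works with the PowerShell version shipped on Server 2008 R2.

```powershell
# Added example: daily health check for a domain controller that hosts DNS.
# Thresholds below are assumed values; tune them for your environment.
param(
    [int]$MinFreePercent = 15,
    [int]$MinFreeGB      = 10
)

function Get-LowDiskVolume {
    param([int]$MinFreePercent, [int]$MinFreeGB)
    # DriveType 3 = local fixed disk
    Get-WmiObject -Class Win32_LogicalDisk -Filter "DriveType=3" |
        Where-Object { $_.Size -gt 0 } |
        ForEach-Object {
            $freeGB  = [math]::Round($_.FreeSpace / 1GB, 1)
            $freePct = [math]::Round(100 * $_.FreeSpace / $_.Size, 1)
            if ($freePct -lt $MinFreePercent -or $freeGB -lt $MinFreeGB) {
                New-Object PSObject -Property @{
                    Drive = $_.DeviceID; FreeGB = $freeGB; FreePercent = $freePct
                }
            }
        }
}

function Test-DcDns {
    # Assumption: dcdiag summarises each server as "passed test DNS" or "failed test DNS".
    $output = & dcdiag.exe /test:DNS 2>&1 | Out-String
    New-Object PSObject -Property @{
        Passed = ($output -match 'passed test DNS') -and ($output -notmatch 'failed test DNS')
        Output = $output
    }
}

$problems = @()
foreach ($v in @(Get-LowDiskVolume -MinFreePercent $MinFreePercent -MinFreeGB $MinFreeGB)) {
    $problems += "Low disk space on $($v.Drive): $($v.FreeGB) GB free ($($v.FreePercent)%)"
}
$dns = Test-DcDns
if (-not $dns.Passed) {
    $problems += "dcdiag /test:DNS did not report a clean pass; review the output below."
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    if (-not $dns.Passed) { Write-Output $dns.Output }
    exit 1   # non-zero exit lets Task Scheduler or a monitoring agent flag the run
}
Write-Output "Disk space and DNS checks passed."
exit 0
```

Run it from an elevated scheduled task on each DC that hosts DNS, and alert on a non-zero exit code.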