Failed to add A record

Question

Monday, November 15, 2010 6:28 AM

  This is really weird. When I tried to add an A record, I got an error "The host record "hostname.domain.com" cannot be created. The node cannot be created".

  Doesn't seem to be a permission issue for me. I did successfully add some records previously. If I try hard enough, I will be able to add the record later on. Any idea on this?

All replies (11)

Monday, November 15, 2010 6:50 AM

Just to remove any assumptions, are you an administrator on the machine or domain?

Assuming you're an admin, some things to check or try:

  • Refreshed the console?
  • Event log errors?
  • Restarted the DNS service?
  • Is the A record you're trying to create an existing CNAME record?
  • What operating system and SP level?

If this is Windows 2000:

"The host record <HostName>.<DomainName>.com cannot be created. Refused" error message when you add a DNS record to an Active Directory integrated zone in Windows 2000
http://support.microsoft.com/kb/815224

Ace

Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

This posting is provided AS-IS with no warranties or guarantees and confers no rights.


Monday, November 15, 2010 9:19 AM

Thanks Ace

  • Yeap. Doesn't work
  • No error was logged
  • Is this OK in a production environment?
  • Nope. Not an existing CNAME record
  • DNS is hosted on a DC which is W2K3R2 SP2

Monday, November 15, 2010 11:07 PM

Hmm, it's starting to sound like a duplicate zone issue.

As a test, create another zone, make it AD integrated, and choose the middle button for the replication scope (choosing the middle button puts it into the DomainDnsZones partition), then try to create records.

If that works, then well, either way, I would like you to take a peek to see if it is a dupe zone issue. Follow the instructions in my blog, below.

Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx

Ace

Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

This posting is provided AS-IS with no warranties or guarantees and confers no rights.


Wednesday, November 17, 2010 8:38 AM

Hi,

Thanks for posting here.

Could you also verify the DNS.exe version on your server and post it here?

Thanks.

Tiger Li



Thursday, February 24, 2011 8:01 PM

Hello.

I have the same issue. I have Windows Server 2008 R2 with DefaultDomainZone and cannot add A record ("Refused") only when I have Secured Only dynamic updates. When I choose Secure and Unsecure - it works. Permissions are correct, I even unlinked policy on DC to see if this is policy setting but no, also failed. Please help!

R.E.M. - YEAH!


Thursday, February 24, 2011 8:36 PM

Rem,

We'll need additional info to diagnose the problem. Please post the following:

  1. A complete ipconfig /all from the DC/DNS server.
  2. A complete ipconfig /all from a sample workstation.
  3. Event log errors on the DCs.
  4. Event log errors on the workstations.
  5. Windows Firewall or any other type of firewall is active on the DCs and/or workstations.

Secure uses Kerberos to authenticate the registration request. If unsecure works, and secure does not, then it tells me a few things:

  • AD communications is not properly working.
  • The computer trying to register is not joined to the domain.
  • The DC/DNS server is multihomed (more than one active, unteamed NIC, IP and/or RRAS is installed on it).
  • Firewall rules (Windows or otherwise) preventing certain necessary ports for the Kerb auth sequence.

The additional info will help diagnose this for you.

Ace

Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

This posting is provided AS-IS with no warranties or guarantees and confers no rights.


Thursday, July 12, 2012 11:00 PM

Having the same issue. Moved my website to hosted; can get to it from outside the domain but inside is dead. nslookup says no such domain when looking up www.mydomain.org. It sees my servers when I nslookup mydomain.org. Tried adding an "A" record and got "The host record ddddddddd.mydomain.org cannot be created. Refused." Tried a new CNAME and got "A new record cannot be created. Refused."

DC ipconfig

Windows IP Configuration

   Host Name . . . . . . . . . . . . : HS
   Primary Dns Suffix  . . . . . . . : mr238.org
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : mr238.org

Ethernet adapter Local Area Connection 4:

   Connection-specific DNS Suffix  . : mr238.org
   Description . . . . . . . . . . . : Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client) #40
   Physical Address. . . . . . . . . : A4-BA-DB-51-0B-D2
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::e1b6:4be1:149c:fd5e%15(Preferred) 
   IPv4 Address. . . . . . . . . . . : 10.0.0.229(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Lease Obtained. . . . . . . . . . : Thursday, July 12, 2012 3:06:37 PM
   Lease Expires . . . . . . . . . . : Friday, July 13, 2012 1:21:11 PM
   Default Gateway . . . . . . . . . : 10.0.0.254
   DHCP Server . . . . . . . . . . . : 10.0.50.253
   DHCPv6 IAID . . . . . . . . . . . : 447003355
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-88-9E-37-00-10-18-7D-B9-30
   DNS Servers . . . . . . . . . . . : 10.0.50.253
                                       10.40.50.253
   Primary WINS Server . . . . . . . : 10.0.50.253
   Secondary WINS Server . . . . . . : 10.15.50.253
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client) #39
   Physical Address. . . . . . . . . : A4-BA-DB-51-0B-D0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::a897:459c:128e:85f7%13(Preferred) 
   IPv4 Address. . . . . . . . . . . : 10.0.50.253(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.0.0.1
   DHCPv6 IAID . . . . . . . . . . . : 379894491
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-88-9E-37-00-10-18-7D-B9-30
   DNS Servers . . . . . . . . . . . : ::1
                                       10.0.50.253
                                       10.0.0.254
                                       10.25.50.253
   Primary WINS Server . . . . . . . : 10.25.50.253
   Secondary WINS Server . . . . . . : 10.0.50.253
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{63D3D25E-0326-48F8-9A01-3D3BE9BA1B40}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.mr238.org:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : mr238.org
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

event log

The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "0000051B: AtrErr: DSID-030F1F8D, #1:
0: 0000051B: DSID-030F1F8D, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)". The event data contains the error.

+ System
- Provider
[ Name] Microsoft-Windows-DNS-Server-Service
[ Guid] {71A551F5-C893-4849-886B-B5EC8502641E}
[ EventSourceName] DNS
- EventID 4015
[ Qualifiers] 49152
Version 0
Level 2
Task 0
Opcode 0
Keywords 0x80000000000000
- TimeCreated
[ SystemTime] 2012-07-12T22:56:01.000000000Z
EventRecordID 2242
Correlation
- Execution
[ ProcessID] 0
[ ThreadID] 0
Channel DNS Server
Computer HS.mr238.org
Security
- EventData
param1 0000051B: AtrErr: DSID-030F1F8D, #1: 0: 0000051B: DSID-030F1F8D, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)

No firewalls used on machines


Friday, July 13, 2012 12:45 AM

Thanks for posting the info. I see a few things that need to be addressed:

Observations and Analysis:

  1. This is a multihomed DC. That means there is more than one NIC, more than one IP, RRAS is installed, and/or an iSCSI interface is configured. Multihomed DCs are extremely problematic and cause numerous AD problems, such as what you're seeing.
  2. Both NICs' IP addresses are on the same subnet. The reason I say this is because the mask, 255.255.0.0, puts 10.0.50.253 & 10.0.50.253 on the same subnet.
  3. Both NICs have a gateway. Multihoming, although it is not recommended on a DC, must ONLY have one gateway address.
  4. IP Routing is enabled. Problematic with DCs. Probably means RRAS is installed for VPN or dialup remote access.

Recommendations for this DC:

  • Disable one of the NICs, or team them. To team them, you must consult with the server hardware vendor for NIC drivers, or download the NIC drivers from the NIC vendor.
  • After doing so, restart the machine.
  • Disable IP routing. That is done by disabling RRAS on the DC. Install RRAS on a non-DC. If it's for VPN, you don't need two NICs, unless you want to team them.
  • Make sure all DCs are single homed or the NICs are teamed, and RRAS is not installed on them.

More information on Multihoming a DC and why it causes problems:

Multihomed DCs (with more than one unteamed NIC or multiple IPs) with DNS, RRAS, iSCSI, Clustering interfaces, and/or PPPoE adapters - A multihomed DC is not a recommended configuration, however there are ways to configure a DC with some cool registry mods:
http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This post is provided AS-IS with no warranties or guarantees and confers no rights.
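
Added example, not part of any post in this thread: a small Python check that parses pasted `ipconfig /all` text and reports the four conditions the reply above calls out (IP routing enabled, more than one addressed NIC, two NICs in one subnet, more than one default gateway). The function names and finding labels are assumptions made for this illustration; the sample is abridged from the output posted above.

```python
import ipaddress
import re

# Abridged from the ipconfig /all output posted in this thread (blank lines dropped).
SAMPLE = """\
Windows IP Configuration
   IP Routing Enabled. . . . . . . . : Yes
Ethernet adapter Local Area Connection 4:
   IPv4 Address. . . . . . . . . . . : 10.0.0.229(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.0.0.254
Ethernet adapter Local Area Connection 3:
   IPv4 Address. . . . . . . . . . . : 10.0.50.253(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.0.0.1
Tunnel adapter Teredo Tunneling Pseudo-Interface:
   Media State . . . . . . . . . . . : Media disconnected
"""

FIELD = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")  # "   Key . . . : value"

def parse_ipconfig(text):
    """Return (global_fields, {adapter: fields}) parsed from ipconfig /all text."""
    glob, adapters, current = {}, {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = adapters.setdefault(line.rstrip()[:-1], {})  # adapter header
        elif (m := FIELD.match(line)):
            (glob if current is None else current)[m.group(1)] = m.group(2).strip()
    return glob, adapters

def multihoming_findings(text):
    glob, adapters = parse_ipconfig(text)
    nets, gateways = {}, []
    for name, f in adapters.items():
        if "IPv4 Address" not in f:
            continue  # tunnel or disconnected adapter
        ip = f["IPv4 Address"].split("(")[0]  # drop the "(Preferred)" suffix
        net = ipaddress.ip_network(f"{ip}/{f['Subnet Mask']}", strict=False)
        nets.setdefault(net, []).append(name)
        if f.get("Default Gateway"):
            gateways.append(name)
    checks = {
        "ip-routing-enabled": glob.get("IP Routing Enabled") == "Yes",
        "multihomed": sum(map(len, nets.values())) > 1,
        "same-subnet": any(len(v) > 1 for v in nets.values()),
        "multiple-gateways": len(gateways) > 1,
    }
    return [name for name, hit in checks.items() if hit]
```

On the abridged sample, all four findings are returned; a server with a single addressed NIC and routing disabled returns an empty list.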


Monday, August 18, 2014 5:09 PM

I realize this is old.

However,  what it turned out to be in my case was that I had copied the name from an email and pasted into the DNS A record creation field. There was a space at the end. Once I removed the space at the end, the record was successfully created.

Were you copying and pasting by any chance?


Tuesday, August 19, 2014 12:55 PM

I too realized that this thread is too old still posting the step that solved my issue. 

Mine was also the same error as mentioned originally in this thread. 

The name that I was trying to create in DNS was "Sorterbelt to MU_25b&MU26b"...Replacing the "&" with an "and" fixed the problem for me.

Cheers...


Wednesday, August 20, 2014 4:16 AM

FYI, the underscore is a gray area surrounding DNS hostnames. It's allowed with SRVs, but it causes problems with hostnames, and some (many) look at the underscore as an illegal DNS character, and it is not recommended.

I would also recommend to not use spaces.

Here are my notes on it:

===========================

The AD DNS domain name has two underscores in it. There's a gray area surrounding the use of underscores in a subdomain name, because they are loosely reserved to distinguish service records (SRV records), but they definitely can't be used as a hostname. Please check your hosts to make sure no machines are using an underscore in their hostnames. We may be able to get away with it in the domain name, but there may be RFC 1123 compliant apps that rely on strict naming standards, will have difficulty with it, and may not be able to resolve it.

One example: if using AD with an underscore in the host or domain name, you may not be able to use zone transfers to non-Windows DNS servers, such as BIND, Treewalk, or other DNS servers. Another big example is SMTP (mail server) host names or the domain name, which based on RFC 1035, MUST and will reject a command initiated from an SMTP host with an underscore in its host record and/or domain name, and will promptly reply with an SMTP 501 response.

More info:

Complying with Name Restrictions for Hosts and Domains 
http://technet.microsoft.com/en-us/library/cc959336.aspx

Windows 2003 DNS and the Underscore
[SMTP servers that receive a command in which invalid character codes have been employed, and for which there are no other reasons for rejection, MUST reject that command with a 501 response.]
http://networkadminkb.com/kb/Knowledge%20Base/DNS/Windows%202003%20DNS%20and%20the%20Underscore.aspx

Underscores in DNS 
http://domainkeys.sourceforge.net/underscore.html

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.
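
Added example, not part of any post in this thread: a pre-flight check for a record name before it is typed into the DNS console, covering the three causes reported above (a pasted trailing space, an "&", and spaces or underscores). It applies the strict letter-digit-hyphen hostname rule that the notes above recommend, which is an assumption about the policy you want rather than a statement of what the Windows DNS server itself enforces; the function name, finding codes and `allow_underscore` switch are hypothetical.

```python
import re

# One label under the strict letter-digit-hyphen rule: no leading/trailing hyphen.
LDH_LABEL = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?")

def hostname_problems(name, allow_underscore=False):
    """Return a list of (code, detail) findings; an empty list means the name is clean."""
    problems = []
    if name != name.strip():
        problems.append(("surrounding-whitespace", name))
    host = name.strip().rstrip(".")          # accept the fully qualified form
    if not host:
        return problems + [("empty-name", "")]
    if len(host) > 253:
        problems.append(("name-too-long", str(len(host))))
    for label in host.split("."):
        if not 1 <= len(label) <= 63:
            problems.append(("bad-label-length", label))
            continue
        if LDH_LABEL.fullmatch(label):
            continue
        bad = set(re.findall(r"[^A-Za-z0-9-]", label))
        if allow_underscore:
            bad.discard("_")                 # SRV-style owner names such as _ldap._tcp
        if bad == {"_"}:
            problems.append(("underscore", label))
        elif bad:
            problems.append(("illegal-chars", "".join(sorted(bad))))
        elif not LDH_LABEL.fullmatch(label.replace("_", "a")):
            problems.append(("hyphen-at-edge", label))
    return problems
```

Run it over names copied from e-mail or spreadsheets before creating records; `allow_underscore=True` is meant only for service-record owner names.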