Question
Friday, April 1, 2011 7:16 PM
We are getting this error when we try to add a CNAME record on our 2008 R2 Domain Controllers. We are able to add the records to our 2003 DCs but they are going away soon so we can't rely on that much longer. We get the same result whether we are adding a record from our desktop running DNS as a Domain Admin, or logging directly into the DC.
We have found that if we set the DNS zone to allow both secure and nonsecure updates then we can add the record but we can't leave this DNS zone set that way.
Any help would be appreciated.
Thanks!
All replies (7)
Saturday, April 2, 2011 1:49 AM ✅Answered | 2 votes
Can you describe the actual record you are trying to add, including if it's conflicting with an existing record (which would cause a collision with an existing record), or possibly an incompatible character, etc?
As Oscar requested, any event log errors would be helpful, including if you are getting an error message with an error code when trying to create it, such as a 9709 (0x25ED), which would indicate a collision.
Another possibility is if it only works with the "Secure and Unsecure" updates setting, try opening the DNS console with the RunAs, and give it a shot.
If the RunAs doesn't work, check to see if the user right assignments in the Default Domain Controllers policy "Manage auditing and security log" for Administrators have not been altered. I believe, if memory serves correct, you must have that User Right. For your reference, the setting is in the following location, then if you do have to change it, restart the DNS Server Service:
- Open GPMC, Select "Default Domain Controller Policy" and choose edit.
- Under Computer configuration, expand Windows Settings\Security Settings\Local Policies\User Rights Assignment
- Locate "Manage auditing and security log" and add Administrators
- Restart the DNS Server Service
- Then either wait at least 5 minutes, or open a CMD prompt and run gpupdate /force, or just restart the server
- Try to create the record again
Ace
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
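The user-right check described in the answer above can be scripted. This PowerShell is an added example, not part of the original thread; it assumes an elevated prompt on the domain controller, and the scratch file name is arbitrary. It only reads the applied policy and changes nothing.

```powershell
# Added example: confirm that BUILTIN\Administrators holds
# "Manage auditing and security log" (SeSecurityPrivilege) on this DC.

$AdministratorsSid = 'S-1-5-32-544'                     # well-known SID of BUILTIN\Administrators
$ExportPath = Join-Path $env:TEMP 'user-rights.inf'     # scratch file (arbitrary name)

# Export only the user rights area of the security policy applied to this machine.
secedit /export /cfg $ExportPath /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

try {
    # Exported lines look like: SeSecurityPrivilege = *S-1-5-32-544,CONTOSO\someuser
    $line = Get-Content $ExportPath |
        Where-Object { $_ -match '^\s*SeSecurityPrivilege\s*=' } |
        Select-Object -First 1
}
finally {
    Remove-Item $ExportPath -ErrorAction SilentlyContinue
}

$holders = @()
if ($line) {
    $holders = @(($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ })
}

# Entries may be SIDs or account names; normalise names to SIDs before comparing.
$sids = foreach ($entry in $holders) {
    if ($entry -like 'S-1-*') { $entry; continue }
    try {
        $account = New-Object System.Security.Principal.NTAccount($entry)
        $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        Write-Warning "Could not resolve '$entry' to a SID"
    }
}

if ($sids -contains $AdministratorsSid) {
    Write-Output 'OK: Administrators holds SeSecurityPrivilege.'
} else {
    Write-Output 'MISSING: Administrators does not hold SeSecurityPrivilege.'
    Write-Output "Current holders: $($holders -join ', ')"
}
```

If the result is MISSING, the fix is the Group Policy change listed in the answer, followed by a restart of the DNS Server service.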
Friday, April 1, 2011 9:21 PM
Hi
Is there anything in the "Server Roles\DNS Server" part of the event viewer that can help explain the problem?
Oscar Virot
Monday, February 18, 2013 5:18 PM
ACE,
Thanks for the advice, outcome successful. You would think that establishing the DNS role and being the Administrator this issue would not happen.
Thanks Again
Vons
Lavonda Smith
Monday, February 18, 2013 8:49 PM
I'm glad to hear a two year old thread helped you out! :-)
Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
This post is provided AS-IS with no warranties or guarantees and confers no rights.
Monday, June 23, 2014 11:30 AM
Greetings,
I'm having this same issue. Replacing the Windows 2003 DCs with Windows 2008 R2. We cannot add any A Host records from the Windows 2008 DCs. However, we can add A host records using the last remaining Windows 2003 DC.
The Administrators group has always been in the "Manage auditing and security log" policy; however, we are still unable to create A Host Records from the new Windows 2008 R2 DCs.
We also have two events in the logs:
EventID 4013
The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
EventID 4015
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "0000051B: AtrErr: DSID-030F1F8D, #1: 0: 0000051B: DSID-030F1F8D, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)". The event data contains the error.
Any assistance would be greatly appreciated.
Terry
Monday, June 23, 2014 1:04 PM
Greetings,
I'm having this same issue. Replacing the Windows 2003 DCs with Windows 2008 R2. We cannot add any A Host records from the Windows 2008 DCs. However, we can add A host records using the last remaining Windows 2003 DC.
Hi.
Please follow the advice in the thread; if it doesn't help, please open a new thread, so the solutions for different problems are separated.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. Even if you are not the author of a thread you can always help others by voting as Helpful. This can be beneficial to other community members reading the thread.
Oscar Virot
Tuesday, June 24, 2014 2:48 AM
Greetings,
I'm having this same issue. Replacing the Windows 2003 DCs with Windows 2008 R2. We cannot add any A Host records from the Windows 2008 DCs. However, we can add A host records using the last remaining Windows 2003 DC.
<snipped>
I agree with Oscar.
In the meantime, trying to assist is difficult without config info (ipconfig /all, how many DCs, same site, etc). Based on the eventIDs posted, it's telling me that whatever DNS the DC's pointing to, does not host the zone, or the DC is multihomed. Too many factors...
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.