DNS Troubleshooter Related to DNS Administration

Permissions Issues

What to check for:

  • To perform DNS server administration, i.e. change DNS server parameters, a user must have FULL CONTROL permissions on the MicrosoftDNS container in Active Directory. Users who are members of the following groups have these permissions by default – Enterprise Admins, Domain Admins, and DNSAdmins. See KB article 313526.
  • To perform zone administration in Windows 2000, i.e. change zone parameters, a user must have FULL CONTROL permissions on the zone object within the MicrosoftDNS container in Active Directory. Users who are members of the following groups have these permissions by default – Enterprise Admins, Domain Admins, and DNSAdmins.
    • Note: It is not possible to allow a user to make changes to a zone and yet keep them from possibly deleting the zone.
  • To allow a user to read the server and/or zone parameters but not change them, they must have READ permissions on the MicrosoftDNS container and/or the Zone object.
  • If the ACLs on a zone have been modified, you can reset the zone security to the default using the following command:

Dsacls cn=MicrosoftDNS,cn=system,dc=example,dc=com /S /T

(this is for a domain called example.com; /S resets the security to the schema default and /T applies it to the whole subtree, so every zone under the MicrosoftDNS container is reset)

  • For Windows 2003, you need Read control on the MicrosoftDNS container. The AD DACL (Discretionary Access Control List) dictates the effective permissions.

DNS Not Scavenging Stale Records

What to check for:

  • Verify that DNS Scavenging is enabled in the server Advanced properties. See KB article 296116.
  • Verify that the zone in question has scavenging/Aging enabled.
  • Verify that the record(s) have a timestamp. In the DNS MMC, select View > Advanced, then right-click the record and select Properties.
  • A record's time stamp must be older than the No-refresh interval plus the Refresh interval for the record to be subject to scavenging. Be aware that automatic scavenging of the zone will not occur until the DNS Server service has been running for a period of time equal to the Refresh interval set on the zone.
  • To initiate a scavenge manually, in the DNS MMC, right-click on the DNS server and select “Scavenge stale resource records”.
  • If no one updates the record within the No-refresh + Refresh intervals, the record is marked as stale and removed from the DNS MMC, but it still exists under the MicrosoftDNS container. The “dNSTombstone” attribute changes to “True” when the record becomes stale.
  • If a large number of records do not have a timestamp and need one set (to be subject to scavenging), the dnscmd utility can be used to accomplish this. Note: using this utility to force the aging of all records in a zone will cause records for hosts that are not dynamically updated to eventually be scavenged from the zone. USE THIS WITH CAUTION: the /ageallrecords switch affects all records in the specified zone, even manually added records.

dnscmd <Server_IP> /ageallrecords <zone_name>
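As an added example that is not part of the original article, the following Python script applies the timestamp rule above (older than No-refresh + Refresh, and the service must have been up for the Refresh interval) to constructed dnscmd /enumrecords-style output. It assumes the [Aging:<hours>] tag format (hours since 1601-01-01 UTC) for aged records and 7-day intervals; the host names and addresses are constructed.

```python
# Added example (not from the article): audit dynamic DNS records for
# scavenging eligibility from constructed `dnscmd /enumrecords`-style lines.
# An aged record carries `[Aging:<hours>]` (hours since 1601-01-01 UTC, the
# unit Windows DNS uses for timestamps); a static record has no tag.
import re
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)  # fixed "now" for the sample
# layout: name [Aging:hours] ttl type data   (the Aging tag is optional)
LINE_RE = re.compile(r"^(\S+)\s+(?:\[Aging:(\d+)\]\s+)?(\d+)\s+(\w+)\s+(.+)$")

def hours_since_1601(dt: datetime) -> int:
    return int((dt - EPOCH_1601).total_seconds() // 3600)

# Constructed sample: two dynamic records and one static (no timestamp).
SAMPLE = (
    f"host1 [Aging:{hours_since_1601(NOW - timedelta(days=20))}] 1200 A 10.0.0.11\n"
    f"host2 [Aging:{hours_since_1601(NOW - timedelta(days=3))}] 1200 A 10.0.0.12\n"
    "printer 1200 A 10.0.0.50\n"
)

def parse_enumrecords(text: str) -> list:
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip headers, blank lines and anything unrecognised
        name, aging, ttl, rtype, data = m.groups()
        ts = EPOCH_1601 + timedelta(hours=int(aging)) if aging else None
        records.append({"name": name, "timestamp": ts, "ttl": int(ttl),
                        "type": rtype, "data": data})
    return records

def scavenge_status(ts, now, no_refresh, refresh, service_uptime) -> str:
    """'static', 'current', 'stale' or 'stale-waiting' for one record."""
    if ts is None:
        return "static"  # no timestamp: scavenging never touches it
    if now < ts + no_refresh + refresh:
        return "current"  # still inside the No-refresh + Refresh window
    if service_uptime < refresh:
        # eligible, but automatic scavenging waits until the DNS Server
        # service has been running for the zone's Refresh interval
        return "stale-waiting"
    return "stale"

def audit(text=SAMPLE, now=NOW, no_refresh_days=7, refresh_days=7,
          service_uptime_days=10) -> dict:
    windows = (timedelta(days=no_refresh_days), timedelta(days=refresh_days),
               timedelta(days=service_uptime_days))
    return {r["name"]: scavenge_status(r["timestamp"], now, *windows)
            for r in parse_enumrecords(text)}
```

Records reported as "static" are exactly the ones that would gain a timestamp, and later be scavenged, if /ageallrecords were run against the zone.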