
Buckleau asked

Static DNS records have disappeared

Environment:

We have 9 DCs running AD integrated DNS Server services, 3 at our head office and one each at 6 branch offices. 6 x Server 2016 and 3 x Windows 2012R2 machines running at forest and domain functional level 2012R2.

Problem:

Came in this morning and found that about 75% of our server static IP addresses had disappeared. These have now been restored but I can't find any evidence of why they went. I've checked the following logs: Application, System, Security and the DNS-Server service log.

Is there anywhere else I should look to find where/why the missing records went?

windows-dhcp-dns

1 Answer

CandyLuo-MSFT answered

Hi,

Under the properties of the record, make sure "Delete this record when it becomes stale" is not checked and the timestamp is blank. Scavenging works on timestamps, so any DNS record with a timestamp will get processed and possibly deleted. First check your server DNS records and make sure they are static.

If you have confirmed the DNS records are static, then we need to enable DNS auditing configuration, which can help identify the root cause of DNS record deletion or at least narrow it down.

The following article talks about how to enable DNS server auditing; you could have a look:

How to: DNS Server Auditing

Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

Event id 4662 will be logged in the Security event logs whenever the DNS record is modified or deleted.

It should look like the picture below:

[Image: 85572-image.png]

Best Regards,
Candy


If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Thanks Candy
All the deleted server records were static as they were mostly VMs. We will investigate implementing DNS auditing as per the link you provided.
Are there any other logs that may include DNS alterations?


When a server scavenges it will log a DNS event 2501 to indicate how many records were scavenged. You might also check DNS server scavenge events.


Please try to mark the replies which help you. It will encourage the person who helps you.
Appreciate your understanding. :)

If there is anything else we can do for you, please feel free to post in the forum.
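
The checks discussed in this thread (timestamped versus static records, scavenging event 2501, and audit event 4662) can be run together from an elevated PowerShell prompt on a DNS server. This is an added example, not part of the original posts; the zone name and look-back window are placeholders, and the `dnsNode` filter assumes DNS auditing is already enabled and that the event text renders the object type by name.

```powershell
# Added example: read-only triage for missing DNS records.
# $Zone and $Since are placeholders (assumptions); set them for your environment.
$Zone  = 'corp.example.com'
$Since = (Get-Date).AddDays(-2)

# 1. Static records have no timestamp. Anything listed here is eligible for scavenging.
$stamped = Get-DnsServerResourceRecord -ZoneName $Zone -RRType A |
    Where-Object { $_.Timestamp } |
    Select-Object HostName, Timestamp,
        @{ Name = 'IPv4'; Expression = { $_.RecordData.IPv4Address } }
'{0} A record(s) in {1} carry a timestamp:' -f @($stamped).Count, $Zone
$stamped | Sort-Object Timestamp | Format-Table -AutoSize

# 2. Server-level and zone-level aging/scavenging settings.
Get-DnsServerScavenging |
    Format-List ScavengingState, ScavengingInterval, LastScavengeTime
Get-DnsServerZoneAging -Name $Zone |
    Format-List ZoneName, AgingEnabled, NoRefreshInterval, RefreshInterval, ScavengeServers

# 3. Event 2501 in the DNS Server log reports how many records a scavenging pass removed.
Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 2501; StartTime = $Since } `
        -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List

# 4. Event 4662 in the Security log records directory object access once auditing is on.
#    Keep only events whose rendered text mentions dnsNode (assumption: type shown by name).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $Since } `
        -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'dnsNode' } |
    ForEach-Object {
        # Read the named EventData fields from the event XML instead of relying on positions.
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            ObjectName = $data['ObjectName']
            AccessMask = $data['AccessMask']
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Run it on each DC that hosts the zone, since the DNS Server and Security logs are local to the server that performed the scavenging pass or received the change.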