SQL 2019 Availability Group failover failing to update DNS of Availability Group Listener (DNS Operation Refused).

Andy 86 Reputation points


We are running SQL Server 2019 CU11 on Windows Server 2019.

We have recently run into an issue where availability group failovers are failing to update DNS for the listener.
We have some servers that will update without issue when a failover occurs.
However, on our more recent builds we have added the following update: June 8, 2021—KB5003646 (OS Build 17763.1999). This appears to be when the issue started occurring.
We have gone back to our previous image and the failovers do work, and as soon as we add KB5003646 and reboot, the issue starts occurring.

In the properties of the listener (within the AG Role) in the Failover Cluster Manager we see DNS Status: DNS Operation Refused.

Any assistance would be appreciated.

Thank you.



Accepted answer
  1. Limitless Technology 39,466 Reputation points

    Hello DBA-Bandy,

    First, I would check whether the servers you are updating have the prerequisite update stacks installed:

    The May 11, 2021 servicing stack update (SSU) (KB5003243), or the latest SSU (KB5003711)

    On the other hand, DNS Operation Refused is not a strange issue; it usually occurs because the computer account or CNO has no access to update the DNS record.

    In this case, there are 2 options:

    1. Check the ACL for the cluster name DNS record (Properties of the record > Security tab > add the CNO computer name with Full Control).
    2. Delete the DNS record and create it again:
      Simply delete the A record, recreate it and ensure the box “Allow any authenticated user to update DNS record with the same owner name” is checked.

    Hope it helps in your case!
    Best regards,

1 additional answer

  1. YufeiShao-msft 7,076 Reputation points

    Hi @Andy ,

    The cluster name resource, which has been added to DNS prior to setting up an active/passive cluster (or any type), needs to be updated by the physical nodes on behalf of the resource record itself. When the active node owns the resources, it wants to update the A record in the DNS database, and the DNS record which was created won’t allow any authenticated user to update the DNS record with the same owner.

    Delete the existing A record for the cluster name and re-create it, and make sure to select the box that says “Allow any authenticated user to update DNS record with the same owner name”. Don’t worry about breaking anything; this has “ZERO” impact to the cluster. Simply delete the A record and re-create it as suggested here.
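
Both answers above come down to the same check: whether the cluster name object (CNO) can write the listener's DNS record. The following script is an added diagnostic example, not code from either answer or from Microsoft; it assumes an AD-integrated zone stored in the DomainDnsZones partition, the ActiveDirectory module on the machine running it, and placeholder values for the zone, listener name and CNO account.

```powershell
# Added example: read the ACL of a listener's A record (stored as a dnsNode object
# in Active Directory) and report whether the CNO account holds write rights on it.
# $ZoneName, $RecordName and $Cno are constructed placeholders; replace them.
Import-Module ActiveDirectory

$ZoneName   = 'contoso.com'          # AD-integrated forward zone (placeholder)
$RecordName = 'aglistener01'         # Availability Group listener DNS name (placeholder)
$Cno        = 'CONTOSO\CLUSTER01$'   # cluster name object computer account (placeholder)
$DomainDn   = (Get-ADDomain).DistinguishedName

# In the DomainDnsZones partition each record is DC=<name>,DC=<zone>,CN=MicrosoftDNS,...
$RecordDn = "DC=$RecordName,DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDn"

function Test-DnsRecordWriteAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,       # distinguished name of the dnsNode
        [Parameter(Mandatory)] [string] $Identity    # account expected to update the record
    )
    $acl = Get-Acl -Path "AD:\$Path"

    # Any of these rights lets the identity rewrite the dnsRecord attribute.
    $writeRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    $granted = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Identity -and
        ($_.ActiveDirectoryRights -band $writeRights) -ne 0
    }

    [pscustomobject]@{
        Record    = $Path
        Owner     = $acl.Owner          # a record owned by another account is a common cause
        Identity  = $Identity
        CanWrite  = [bool]$granted
        # Every identity with write rights, so a stale owner or missing CNO stands out.
        Writers   = ($acl.Access | Where-Object {
                        $_.AccessControlType -eq 'Allow' -and
                        ($_.ActiveDirectoryRights -band $writeRights) -ne 0
                    } | Select-Object -ExpandProperty IdentityReference | Sort-Object -Unique) -join ', '
    }
}

Test-DnsRecordWriteAccess -Path $RecordDn -Identity $Cno | Format-List
```

If CanWrite comes back False, the record's Security tab (option 1) or a delete-and-recreate with the "same owner name" box checked (option 2) is what the answers above describe; re-run the script afterwards to confirm before the next failover test.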