Share via

SQL Server Always On Listener Randomly Disappearing from DNS and AD

Hanna Twins 0 Reputation points
2026-03-21T09:21:54.41+00:00

I'm the senior DBA for our company's main e-commerce platform, and my phone has been blowing up all night because the shopping cart application keeps losing database connectivity. We run a dual-datacenter WSFC setup with SQL Server 2019 Enterprise on top of two fully patched Windows Server 2022 VMs, plus a third machine acting as a file share witness.

Out of nowhere, the Always On Availability Group Listener just completely vanishes from both Active Directory and our DNS records. Directly querying the individual nodes works perfectly, but the applications rely on the routing name, which simply ceases to exsit. Bouncing the AG role sometimes brings the object back, but often I have to force a manual failover just to recreate the listener routing.

I ran the cluster validation wizard and the only minor red flag was a HostRecordTTL value of 1200 instead of the recommended 300 for multi-subnet environments. Does anyone have a clue why this listener drop is happening or where I should even begin looking through the logs? Thank you!

Windows for business | Windows Server | Storage high availability | Clustering and high availability
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Tracy Le 5,525 Reputation points Independent Advisor
    2026-03-23T16:53:53.3433333+00:00

    Hi Hanna Twins,

    I'm just checking in to see if you finally managed to get some sleep and if your e-commerce platform's database connectivity has stabilized!

    Did pre-staging that Virtual Computer Object (VCO) in Active Directory and locking down the CNO permissions permanently stop the listener from dropping out of nowhere? Or are your domain's DNS scavenging scripts still putting up a fight?

    If that AD permissions lockdown did the trick and your shopping cart is running smoothly again, I'd really appreciate it if you could click "Accept Answer". It hugely helps other exhausted DBAs find the exact workaround when they run into this cluster ghost!

    Tracy.

    0 comments
  2. Tracy Le 5,525 Reputation points Independent Advisor
    2026-03-21T13:32:11.04+00:00

    Hi Hanna Twins,

    Having your phone blow up all night over a dropping listener while trying to keep an e-commerce platform afloat is a DBA's worst nightmare. When an AG listener completely vanishes from both Active Directory and DNS out of nowhere, it is almost never a SQL Server bug. It is a Windows Server Failover Cluster (WSFC) permissions failure.

    The Root Cause: Your Cluster Name Object (CNO) — the underlying computer account for your WSFC — is losing its grip on the listener's Virtual Computer Object (VCO) in Active Directory. Because the CNO lacks the explicit rights to update the VCO's password or refresh its DNS timestamp, your domain's aggressive AD cleanup scripts or DNS Scavenging routines are seeing the listener as a "stale" ghost record and actively deleting it.

    Here is the bulletproof DBA workaround to permanently lock it down:

    1. Pre-stage and Lock the AD Permissions (The Dealbreaker) Do not let the cluster dynamically create the listener object in the default 'Computers' container. You need to anchor it manually.

    Open Active Directory Users and Computers (ADUC).

    Ensure you have Advanced Features turned on (View -> Advanced Features).

    Manually create a new Computer object with the exact name of your AG Listener.

    Right-click this new listener object -> Properties -> Security tab.

    Add your Cluster Name Object (CNO) (you will need to check "Computers" in the Object Types filter to find it) and grant it Full Control.

    Now, bounce the Listener resource in Failover Cluster Manager. It will bind to this hardcoded, permissions-locked object and stop vanishing.

    2. Stop DNS Scavenging Drops Open your DNS Manager, find your listener's A records, open their properties, and make sure "Delete this record when it becomes stale" is temporarily UNCHECKED while you stabilize the environment.

    3. Fix that TTL Warning (Optional but recommended) Since you are in a dual-datacenter (multi-subnet) setup, you absolutely want that TTL at 300 so your application clients failover faster. Run this quickly via PowerShell on the primary node: Get-ClusterResource "YourListenerName" | Set-ClusterParameter HostRecordTTL 300

    Lock down those AD permissions on a pre-staged object and you should finally get some sleep! If this completely stops the random listener drops and stabilizes your cart, please consider clicking "Accept Answer". It hugely helps other DBAs fighting this exact same WSFC ghost!

    Tracy.

    0 comments
  3. Q&A Assist
    2026-03-21T09:22:12.9766667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Listener disappearance from DNS and Active Directory in an Always On Availability Group is typically caused by underlying Windows Failover Cluster (WSFC) issues with creating or maintaining the Client Access Point (CAP) object, not by SQL Server itself.

    Key areas to investigate:

    1. Active Directory permissions for the Cluster Name Object (CNO)
      When a listener is created, WSFC creates and manages a computer object in AD and corresponding DNS records. If the CNO lacks permissions to create or update that computer object, the listener name can fail to come online or be removed:
      • Confirm that the CNO has the required rights in the OU where the listener computer object resides (create, delete, and modify computer objects).
      • Failures here typically surface as:
        • Msg 19471 – WSFC cluster could not bring the Network Name resource online.
        • Msg 19476 – Failed to create network name and IP address for the listener.
      • If SQL Server does not show a clear cause, collect and review:
        • Windows Cluster log.
        • Windows System event log. These will show whether AD or DNS operations are failing when the listener resource is brought online.
    2. DNS registration and IP conflicts
      Listener creation and maintenance can fail if:
      • The listener IP is outside the cluster-allowed IP range.
      • There is a duplicate or invalid IP address in DNS.
      • DNS registration fails due to policy or permissions. The KB notes that inability to create a listener is often due to:
      • Insufficient cluster permissions to create/change the AD cluster name account.
      • Failure to register the IP address in DNS (duplicate/invalid IP).
      • Violations of Windows policies.
    3. Cluster logs for non-SQL errors when the listener disappears
      SQL Server may not report the root cause when the listener fails or disappears because WSFC is the component actually creating and managing the CAP. When the listener vanishes and you bring the AG role offline/online or fail over, check:
      • Failover Cluster Manager → Roles → AG role → Resources → Network Name/Listener resource state and recent events.
      • Cluster log around the time the listener disappears for:
        • Name resource going to Failed or Offline.
        • AD or DNS registration errors.
    4. Multi-subnet specifics and client behavior
      In multi-subnet environments, the listener’s DNS record contains multiple IPs and uses the RegisterAllProvidersIP behavior. This affects connection timeouts but not the existence of the DNS/AD object itself. However, if DNS registration is unstable, clients may intermittently fail to resolve or connect:
      • Ensure applications use the MultiSubnetFailover parameter so they handle multiple IPs correctly and avoid sequential connection attempts that can lead to timeouts.
      • The HostRecordTTL warning (1200 vs 300) mainly affects how quickly clients see IP changes, not whether the listener object disappears. It is worth tuning, but it is unlikely to be the root cause of the object vanishing.
    5. If the listener must be recreated frequently
      The KB describes that when a listener cannot be created or maintained, it is usually due to:
      • Lack of sufficient Windows cluster permissions in AD.
      • DNS registration issues (duplicate/invalid IP, policy restrictions).
      • Windows/domain policies blocking required operations. Focus on:
      • Validating CNO and listener computer object permissions in AD.
      • Checking DNS for duplicate A records or scavenging policies that might be removing the record.
      • Reviewing domain security policies that might delete or disable computer objects created by the cluster.

    Summary of next steps:

    1. Review Windows Cluster log and System event log at the time the listener disappears for AD/DNS-related failures on the Network Name resource.
    2. Verify CNO permissions in AD (create/delete/modify computer objects in the OU where the listener object lives).
    3. Check DNS for duplicate or conflicting records for the listener name and confirm the IP is in the cluster-allowed range.
    4. In a multi-subnet setup, ensure clients use MultiSubnetFailover and consider adjusting HostRecordTTL, but treat this as tuning rather than root-cause.

    References:

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.