Active Directory Integrated DNS Records Deletion by System
I have an issue where records are 'disappearing' from my primary DNS zone. The client records for these devices are static entries. The entries replicate correctly but get randomly removed. I have tracked the edits back to the PDC with auditing. Where do I go from here?
Here is the setup:
- 4 Win7 clients connected through VPN to my domain.
- Three Server 2012R2 DCs; Two at my local site and one on Azure.
- DNS is integrated into Active Directory.
- DNS Scavenging is off.
- "Delete record when stale" is unchecked.
From my searching online I have found an article about disappearing DNS records. I used ADSIEdit to check the Partitions in the Configuration and was able to load the DomainDnsZones and ForestDnsZones as well. I also set up auditing on the DNS entries. This enabled me to track what was making the edits...
Subject:
Security ID: SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x44936
Directory Service:
Name: example.com
Type: Active Directory Domain Services
Object:
DN: DC=computer_name,DC=example.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com
GUID: DC=computer_name,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com
Class: dnsNode
Attribute:
LDAP Display Name: dNSTombstoned
Syntax (OID): 2.5.5.8
Value: TRUE
Great so I know my DC made the edit. That doesn't tell me why and leaves me stuck. Any suggestions?
Update:
It appears that after changing the zone's Dynamic Updates setting from Unsecure & Secure to Secure only, the deletions still occur.
I am looking into the possibility of a replication issue at the moment. When I update the PDC static entry, it replicates fine to the second DC but does not replicate to the DC in a separate site.
The solution was given in the comments by msemack. The issue was due to the Dynamic Updates setting on the zone being set to Unsecured and Secure rather than Secure only.
Enable the Advanced view (View -> Advanced) and make sure that "Delete this record when it becomes stale" is not checked in the Properties dialog for the record.
Active Directory manages A and AAAA records for Domain Controllers automatically. This seems to have higher priority than the checkbox. Microsoft has a knowledge base article that describes how you can disable this behaviour. Again, this is only relevant if the affected records belong to a DC.
This article also lists some possible causes for the problem you are describing.
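As an added example (not code from either poster), the following PowerShell checks the three things this thread turns on: the zone's dynamic update mode, the zone's aging state, which A/AAAA records are really static (no timestamp), and which dnsNode objects carry the dNSTombstoned=TRUE value seen in the audit event. It assumes the DnsServer and ActiveDirectory RSAT modules and reuses the zone name example.com from the post.

```powershell
# Added example, not from the original question or answer. Assumes the DnsServer
# and ActiveDirectory modules are installed and the zone name from the post.
Import-Module DnsServer, ActiveDirectory

$ZoneName  = 'example.com'
$DnsServer = (Get-ADDomain).PDCEmulator   # the poster traced the edits to the PDC

# 1. Dynamic update mode. 'NonsecureAndSecure' lets any host on the network
#    overwrite or remove a record; the accepted fix was to move to 'Secure'.
$zone = Get-DnsServerZone -Name $ZoneName -ComputerName $DnsServer
"Dynamic updates on $ZoneName : $($zone.DynamicUpdate)"
if ($zone.DynamicUpdate -ne 'Secure') {
    Write-Warning "Zone accepts nonsecure dynamic updates. Remediate with:"
    Write-Warning "  Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure -ComputerName $DnsServer"
}

# 2. Zone aging/scavenging state (the poster had scavenging off; confirm it).
$aging = Get-DnsServerZoneAging -Name $ZoneName -ComputerName $DnsServer
"Aging enabled on $ZoneName : $($aging.AgingEnabled)"

# 3. A/AAAA records: a static record has no Timestamp. A 'static' client entry
#    that shows a timestamp was re-registered dynamically and can be aged out.
Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $DnsServer |
    Where-Object { $_.RecordType -in 'A', 'AAAA' } |
    Select-Object HostName, RecordType, Timestamp,
        @{ Name = 'Static'; Expression = { $null -eq $_.Timestamp } } |
    Format-Table -AutoSize

# 4. Tombstoned dnsNode objects in the DomainDnsZones partition. This is the
#    dNSTombstoned=TRUE write from the audit event; whenChanged can be lined
#    up against the Directory Service audit timestamps on each DC.
$searchBase = "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones," +
              (Get-ADDomain).DistinguishedName
Get-ADObject -SearchBase $searchBase -Server $DnsServer `
    -LDAPFilter '(&(objectClass=dnsNode)(dNSTombstoned=TRUE))' `
    -Properties dNSTombstoned, whenChanged |
    Select-Object Name, whenChanged, dNSTombstoned |
    Sort-Object whenChanged -Descending
```

Run it against each DC in turn (change $DnsServer) to compare the tombstone list with the site that the poster saw not replicating.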