Hello,
I am experiencing very strange problems with my DNS (Server 2008 R2, AD integrated). Several A records for Windows clients are missing, and even if I register them as static they somehow disappear again. However, the AAAA records are still around (IPv6 is running in its default configuration; I haven't touched that at all), but another strange thing here is that most of them are listed as STATIC records.
At present, the DHCP server is set to NOT register the clients with DNS. DNS accepts only secure updates; scavenging is disabled. (I am somewhat reluctant to disable dynamic updates on the DNS server completely because I think the DCs register and update lots of records dynamically.) When I register all missing A records, most affected clients lose them again within an hour or so, but some seem to be fine. It seems to me that about 20 % of the clients are affected.
I have enabled Directory Service Changes auditing, and it's in fact the machine account which appears to be responsible. Clients with A records generate 10 entries (ID 5136) in the DC's security log, while the problematic clients generate only the first 5 events. So it appears to me that they can delete the record but not create a new one. All clients are set to register themselves with DNS.
As far as I remember I had Windows clients with missing A records in the past once in a while, but the problem became really serious only about one and a half weeks ago.
Does anyone have an idea of what might be going on here? Can I safely disable DNS dynamic updates without adversely affecting AD/DC functionality? Generally, we don't actually need dynamic updates.
Cheers, Georg.
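Added example (not part of Georg's post, and not a fix): a PowerShell script that reproduces the two checks described above so the pattern can be seen per machine account rather than by reading the log by hand. It snapshots the zone's A and AAAA records with their static/dynamic status, then pulls the Directory Service Changes events (ID 5136) that touched `dnsRecord` attributes and counts adds versus deletes per account. The zone name `corp.example.com`, the server name `DC01` and the 24-hour window are assumed placeholders; the script assumes PowerShell 3 or later and the DnsServer module (Windows Server 2012+ or RSAT), so on the 2008 R2 DC itself the record snapshot would come from `dnscmd DC01 /EnumRecords corp.example.com @ /Type A` instead.

```powershell
# Added diagnostic helper, not from the original post.
# Assumed (hypothetical) values: zone "corp.example.com", DNS/DC host "DC01".
# Requires PowerShell 3+ and the DnsServer module on the host running it.
param(
    [string]$Zone   = 'corp.example.com',   # assumed zone name
    [string]$Server = 'DC01',               # assumed DC hosting the AD-integrated zone
    [int]$Hours     = 24                    # how far back to read 5136 events
)

# 1. Snapshot A and AAAA records. In the DnsServer module a static record has no
#    Timestamp; a dynamically registered one carries its last refresh time.
$records = Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone |
    Where-Object { $_.RecordType -in 'A','AAAA' } |
    ForEach-Object {
        [pscustomobject]@{
            HostName  = $_.HostName
            Type      = $_.RecordType
            Data      = if ($_.RecordType -eq 'A') { $_.RecordData.IPv4Address } else { $_.RecordData.IPv6Address }
            Static    = (-not $_.Timestamp)
            Timestamp = $_.Timestamp
        }
    }

# Hosts that still have an AAAA record but no A record are the suspects described in the post.
$missingA = $records | Group-Object HostName |
    Where-Object { ($_.Group.Type -notcontains 'A') -and ($_.Group.Type -contains 'AAAA') } |
    Select-Object -ExpandProperty Name
"Hosts with AAAA but no A record: $($missingA.Count)"
$missingA | Sort-Object

# 2. Read Directory Service Changes events (5136) from the DC's Security log and keep
#    only those that changed the dnsRecord attribute of a dnsNode object.
$events = Get-WinEvent -ComputerName $Server -FilterHashtable @{
    LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddHours(-$Hours)
}

$changes = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.ObjectClass -ne 'dnsNode' -or $d.AttributeLDAPDisplayName -ne 'dnsRecord') { continue }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = $d.SubjectUserName    # e.g. WORKSTATION$ for a client registering itself
        ObjectDN  = $d.ObjectDN
        # 5136 stores the operation as a resource string: %%14674 = Value Added, %%14675 = Value Deleted
        Operation = switch ($d.OperationType) { '%%14674' { 'Add' } '%%14675' { 'Delete' } default { $d.OperationType } }
    }
}

# 3. Per machine account, count adds against deletes. An account that only deletes
#    (the "first 5 events" pattern in the post) shows up with Adds = 0 here.
$changes | Group-Object Account | ForEach-Object {
    [pscustomobject]@{
        Account = $_.Name
        Adds    = ($_.Group | Where-Object Operation -eq 'Add').Count
        Deletes = ($_.Group | Where-Object Operation -eq 'Delete').Count
        Total   = $_.Count
        LastDN  = ($_.Group | Sort-Object Time | Select-Object -Last 1).ObjectDN
    }
} | Sort-Object Adds, Deletes -Descending | Format-Table -AutoSize
```

Run it on a management host that can reach the DC over WinRM and read its Security log; the last table lists each machine account with its add and delete counts, so the accounts that delete their A record but never add one back are visible at a glance, together with the distinguished name of the dnsNode they last touched, which is the object whose ACL would be compared against a working client's next.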