How to find who manually created host records in Secure DNS Zones

Author: NetworkAdminKB.com
Created: 2009-06-04
Modified: 2009-10-18

Issue:

A user account is assigned permissions on a Host (A) record in a Secure DNS Zone.  This prevents the computer from registering its own DNS records, and results in the following DNS error on the client side.

Event ID: 11166
Source: DnsApi
Description:
The system failed to register host (A) resource records (RRs) for network adapter
with settings:

   Adapter Name : {5CC9F918-82B4-45A3-B684-C84A57BFCCCC}
   Host Name : SERVER1
   Primary Domain Suffix : domain.com
   DNS server list :
            10.1.1.1, 10.1.1.2
   Sent update to server : 10.1.1.1
   IP Address(es) :
     10.2.2.2

The reason the system could not register these RRs was because of a security related problem. The cause of this could be (a) your computer does not have permissions to register and update the specific DNS domain name set for this adapter, or (b) there might have been a problem negotiating valid credentials with the DNS server during the processing of the update request.

When viewing the security of the affected DNS Host (A) record you will see that a USER account is assigned Write permissions.

By contrast, a correct DNS Host record has the computer account itself assigned Write access.  Sometimes Full Control access is assigned as well.

Cause:

A DNS Administrator is manually creating Host (A) records for computers that dynamically register themselves.  Computers that are capable of Dynamic DNS registration should be allowed to create their own records.

Solution:

1)      Train the DNS Administrator not to manually create records in Secure DNS zones for computers that register themselves; instead let the computer properly register itself via Dynamic DNS.

2)      Use one of the following methods to find all the computers and records the administrator has affected.

Method 1
Use EventCombMT from the Windows 2003 Resource Kit to scan the event logs of all computers for Event ID 11166.  From there you can obtain a list of computers that may be affected by this issue.

To properly dynamically register the DNS record do the following.

1)      Delete the DNS record from the DNS Zone.

2)      On the corresponding computer run the following command to properly register the record in DNS.

         Ipconfig /registerdns

This method will only identify the computers that may be experiencing this issue, not the USER that created the DNS records.  You still need to check each record in DNS manually to determine who created it.
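As an added example (not from the article or from NetworkAdminKB.com), the following PowerShell does the Event ID 11166 sweep without EventCombMT: it reads the System log of each listed computer with Get-EventLog and pulls the host name, domain suffix and target DNS server out of the event text shown above, so the result is a list of records to delete and re-register. That Get-EventLog can reach the remote machines, and the computer names SERVER1 and SERVER2, are assumptions, not details from the article.

```powershell
# Added example, not part of the original article: sweep the System event log of
# a list of computers for DnsApi Event ID 11166 and extract the host name and the
# DNS server the failed update was sent to from the message text.
# Assumptions (not from the article): Get-EventLog can read the remote System
# logs, and the computer names passed below are constructed sample values.

function Find-DnsRegistrationFailure {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [int] $Days = 30
    )
    $since = (Get-Date).AddDays(-$Days)
    foreach ($computer in $ComputerName) {
        try {
            # DnsApi writes 11166 to the System log; -Source narrows the read,
            # the EventID comparison keeps only the registration failures
            $events = Get-EventLog -ComputerName $computer -LogName System -Source DnsApi -After $since -ErrorAction Stop |
                      Where-Object { $_.EventID -eq 11166 }
        } catch {
            Write-Warning "Could not read the System log on ${computer}: $($_.Exception.Message)"
            continue
        }
        foreach ($event in $events) {
            # The fields appear in the message body exactly as in the event text above
            $hostName  = [regex]::Match($event.Message, 'Host Name\s*:\s*(\S+)').Groups[1].Value
            $suffix    = [regex]::Match($event.Message, 'Primary Domain Suffix\s*:\s*(\S+)').Groups[1].Value
            $dnsServer = [regex]::Match($event.Message, 'Sent update to server\s*:\s*(\S+)').Groups[1].Value
            [pscustomobject]@{
                Computer      = $computer
                TimeGenerated = $event.TimeGenerated
                HostName      = $hostName
                DomainSuffix  = $suffix
                DnsServer     = $dnsServer
            }
        }
    }
}

# Constructed sample input: replace with the computers in scope (for example from Get-ADComputer)
$failures = Find-DnsRegistrationFailure -ComputerName @('SERVER1', 'SERVER2') -Days 30

# One line per affected host; the record to delete and re-register is HostName.DomainSuffix
$failures | Sort-Object HostName -Unique | Format-Table Computer, TimeGenerated, HostName, DomainSuffix, DnsServer -AutoSize
```

Like EventCombMT, this only names the computers whose registration failed and the DNS server that refused the update; the user who created the record is still found by inspecting the record's ACL.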

 

Method 2

Use ADSI Edit, Excel, Notepad, and DSACLS to list the ACLs on all DNS records for a given DNS Zone.  This method will allow you to link specific records to the USER that created them.

1)      Use ADSI Edit to export the DNS zone information to a tab-delimited text file.

a.       If the DNS Zone is replicated to all DNS servers in the Active Directory forest, connect to the following:

         i.      DC=ForestDnsZones,DC=domain,DC=com
         ii.     The DNS information is stored here: CN=MicrosoftDNS

b.      If the DNS Zone is replicated to all DNS servers in the Active Directory domain, connect to the following:

         i.      DC=DomainDnsZones,DC=domain,DC=com
         ii.     The DNS information is stored here: CN=MicrosoftDNS

c.       If the DNS Zone is replicated to all domain controllers in the Active Directory domain, connect to the following:

         i.      DC=domain,DC=com
         ii.     The DNS information is stored here: CN=MicrosoftDNS,CN=System

d.      Right-click a DNS Zone name and select Export List.

2)      Use Excel to edit the exported file and save only the Distinguished Name column to a new text file.  The Distinguished Name column contains the actual DNS records as seen from the Active Directory partition.

a.       Import the file as TAB delimited to create the columns.

3)      Use Notepad to edit the new file and turn it into a batch file as follows.

a.       Add dsacls " (dsacls, a space and an opening double quote) to the beginning of each line and a closing double quote to the end of each line, so that each line reads dsacls "<Distinguished Name of the record>".

b.      Save the file as DNSZoneACL.Bat.

4)      On the DNS Server/Domain Controller, from a directory that contains the DSACLS.exe file, run the batch file as follows:

a.       DNSZoneACL.Bat > output.txt

5)      After DNSZoneACL.Bat completes, open the output.txt file with Notepad.

a.       Search for the offending user name to determine which records need to be reset.

b.      The offending records have the user account assigned SPECIAL ACCESS / READ / WRITE in the dsacls output.

6)      To properly dynamically register the DNS record do the following.

a.       Delete the DNS record from the DNS Zone.

b.      On the corresponding computer run the following command to properly register the record in DNS.

         i.      Ipconfig /registerdns

Method 3

Use the method outlined in How to identify Dynamic Records in DNS zones to identify the non-dynamic records as well.  These are the records without the [AGE:#####] setting in the DNS zone.  Excel, or a text editor that can sort by column, is the easiest way to quickly identify the records.

This method will only identify the records, not the USER that created them; you still need to check each record in DNS manually to determine who created it.
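Methods 2 and 3 can be combined in one script. The following PowerShell is an added example, not part of the article or of any tool it names: it enumerates the dnsNode objects of an AD-integrated zone with Get-ADObject, lists the explicit (non-inherited) ACEs that grant write rights to anything other than a computer account (the dsacls step of Method 2), and decodes the timestamp in each dnsRecord value to tell static from dynamically registered records (the [AGE] check of Method 3). Assumptions not taken from the article: the ActiveDirectory module (RSAT) is available and provides the AD: drive; the dnsRecord attribute layout follows MS-DNSP, with the TimeStamp (hours since 1601, zero for a static record) stored as a little-endian DWORD at byte offset 20; the zone DN and the user name DOMAIN\dnsadmin1 are constructed sample values.

```powershell
# Added example, not part of the original article: audit every dnsNode of an
# AD-integrated zone for (a) explicit write ACEs held by non-computer accounts
# and (b) static (non-aging) records.
# Assumptions (not from the article): ActiveDirectory module present, zone stored
# in ForestDnsZones, dnsRecord TimeStamp at offset 20 per MS-DNSP; the zone DN
# and offender name used below are constructed samples.
Import-Module ActiveDirectory

function Get-DnsNodeAudit {
    param(
        [Parameter(Mandatory)] [string] $ZoneDn,   # DN of the zone container under CN=MicrosoftDNS
        [string] $Offender                          # optional: report only this identity (DOMAIN\user)
    )
    # Any of these rights lets the holder change the record's data
    $writeBits = [int]([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                       [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
                       [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)

    Get-ADObject -SearchBase $ZoneDn -SearchScope OneLevel -LDAPFilter '(objectClass=dnsNode)' -Properties dnsRecord |
    ForEach-Object {
        $node = $_
        # dnsRecord is multi-valued (one blob per RR). A TimeStamp of 0 means the
        # RR was created without aging, i.e. it is static rather than dynamic.
        $staticValues = @($node.dnsRecord | Where-Object {
            $_.Length -ge 24 -and [BitConverter]::ToUInt32($_, 20) -eq 0
        })

        $acl = Get-Acl -Path ('AD:\' + $node.DistinguishedName)
        foreach ($ace in $acl.Access) {
            # Inherited ACEs come from the zone (DnsAdmins, Domain Admins, ...);
            # the creator's ACE is explicit on the node itself
            if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.ActiveDirectoryRights -band $writeBits) -eq 0) { continue }
            $identity = $ace.IdentityReference.Value
            # Secure dynamic update leaves the explicit ACE on the computer account,
            # whose SAM name ends in '$'; that is the correct state
            if ($identity -like '*$') { continue }
            if ($Offender -and $identity -ne $Offender) { continue }
            [pscustomobject]@{
                Record   = $node.Name
                Identity = $identity
                Rights   = $ace.ActiveDirectoryRights
                Dynamic  = ($staticValues.Count -eq 0)
                DN       = $node.DistinguishedName
            }
        }
    }
}

# Constructed sample values: adjust the partition (see step 1 of Method 2) and the zone name
$zone     = 'DC=domain.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=domain,DC=com'
$findings = Get-DnsNodeAudit -ZoneDn $zone -Offender 'DOMAIN\dnsadmin1'

$findings | Format-Table Record, Identity, Rights, Dynamic -AutoSize
$findings | Export-Csv -Path .\DNSZoneACL.csv -NoTypeInformation
```

Run it as an account that can read the zone partition. A record that lists a user identity with Dynamic = False is one the administrator created by hand and is the case described above: delete it from the zone and run Ipconfig /registerdns on the computer, as in step 6. Leave -Offender out to see every non-computer identity holding explicit write rights, which also surfaces records created by other users; with the identity filter removed, nodes that show no finding but have static values are the plain non-dynamic records Method 3 lists (for example, entries deliberately created for devices that cannot register themselves).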

 

More Information:

ADSI Edit and DSACLS are available as part of the Windows 2003 Support Tools

EventCombMT is available for download as part of the Account Lockout and Management Tools for Windows 2003

Article ID: 175, Created On: 9/18/2011, Modified: 9/18/2011