Field Notes: The case of the disappearing Name Server (NS) records

I recently assisted a customer with Name Server (NS) records in DNS, disappearing from their DNS zones. All of the Domain Controllers are configured as DNS servers, yet when viewing the NS records for the Active Directory-integrated DNS zones, only a few of these servers had NS records.

The administrators manually re-added the NS records to the DNS zones, only to find that the NS records were missing when reviewing the DNS zone configurations later.


Background

Every DNS server that is authoritative for an Active Directory-integrated DNS zone creates its respective NS record in the DNS zone, which also means that the replication scope of the DNS zone will determine which servers are registered for the specific DNS zone.

When a DNS zone is replicated to all DNS servers in the forest, the zone will contain NS records for all servers in the forest, and when the zone is replicated to all DNS servers in the domain, the zone will only contain NS records for servers in the specific domain where the Active Directory-integrated DNS zone is created.


Active Directory-integrated DNS zone replication scope


Forest-zone replication scope: Contains DNS servers from the all domains in the forest.


Domain-zone replication scope: Contains DNS servers from the specific domain only.


The NS records can be managed by selecting the properties of the DNS zone in DNS Manager.


In most deployments, every Domain Controller is also a DNS server.

The DNS Server will create the NS record and Active Directory replication will propagate the change to the relevant DNS Servers, as per the configured DNS zone replication scope.

When NS record registrations are functioning properly, these NS records can be removed from the DNS zone, and the NS records will be re-added when the DNS Server service is restarted.

In this instance, the customer manually added the missing NS records but they were being removed when the DNS Server service restarted.


Resolution

There are two configurations that may impact the creation of NS records in DNS:

  • Configuration in the Windows registry of a DNS Server, which affects all DNS zones hosted by the DNS server.
  • Configuration on a DNS zone, which may affect any DNS Server hosting the configured DNS zone.

The registry

In the registry of an affected DNS Server, find the DNS Server service parameters at the following location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

The following registry value, by default, does not exist in the registry and has to be manually created when required:

Registry value: DisableNSRecordsAutoCreation
Data type: REG_DWORD
Data range: 0x0 | 0x1
Default value: 0x0



If this registry value exists and is set to 1, the DNS server will not automatically create NS records, for all Active Directory-integrated DNS zones hosted by this server. Changing the value to 0 or deleting the entry will reset automatic NS record behavior to default, resulting in the DNS Server creating NS records for all Active Directory-integrated DNS zones that it is hosting. You must restart the DNS Server service for this value to take effect.

This registry value did not exist on the customers DNS Servers, which is the default configuration, and thus the server would attempt to create a NS record.


The DNS Zone

View the AllowNSRecordsAutoCreation configuration of the DNS zone, use the following command:

dnscmd <servername> /zoneinfo <zonename> /AllowNSRecordsAutoCreation

With default configuration the results should be as per the image below. This means all DNS Servers are allowed to automatically create NS records for the zone.

Default configuration


In the customers environment we executed the same command and received different results as per the example below:

Customized configuration


What this result means is that the DNS zone is restricted to allow NS record registrations only from the two specific IP addresses listed in the result.

When there are 50 DNS servers for example and only 10 IP addresses are listed, only those 10 servers will be able to create their NS records for the specific zone.

This would explain why only some NS records are listed, and not the records from all the DNS servers in the forest or domain. This was causing the NS records on the customer environment to be removed after they have been manually added.

This was easily fixed by executing the following command, which will reset the NS records creation configuration to the defaults, for the specific DNS zone:

dnscmd <servername> /config <zonename> /AllowNSRecordsAutoCreation

Reset NS record creation to default value


The command needs to be completed for each DNS zone to configure, but only needs to be executed on one DNS Server. Active Directory replication will propagate the changes as per the configured DNS zone replication scope. You can wait for the NS records to be created automatically, or restart the DNS Server service on the affected servers to speed up the process.


Conclusion

There are very specific situations where an adminitrator may need, or want to limit the creation of NS records. There may be a requirement to limit NS record creation for a specific DNS zone to only a few servers, or you may want to prevent specific DNS servers from creating NS records in all the DNS zones that it is hosting, for example a DNS Server in a branch office.

Feel free to explore the reference article for specific instances where NS record registrations may need to be limited.

Be sure to document any changes made on DNS servers or DNS zones and specify the reason for the specific configurations. This will ensure future administrators understand the configurations, and when reviewing these custom configurations, also have enough information to determine if they are still required.


Reference:

Problems that can occur with more than 400 Domain Controllers in Active Directory integrated DNS zones:

https://support.microsoft.com/en-za/help/267855/problems-with-many-domain-controllers-with-active-directory-integrated

Author