Broken SID owns DNS record. Prevents any control of record.

    I have a Windows SBS 2003 server that was recovered by someone else after a catastrophic failure several months ago. There have been intermittent issues with DNS including failure of the DNS Server Service to work. Restarting the service would fix temporarily.

    I'm now seeing regular reports of the following:

    Log: DNS Server
    Type: Error
    Event: 4015
    Agent Time: 2011-08-19 10:51:34Z
    Event Time: 09:48:20 AM 19-Aug-2011 UTC
    Source: DNS
    Category: None
    Username: N/A
    Computer: <Servername>
    Description: The DNS server has encountered a critical error from the Active Directory.
    Check that the Active Directory is functioning properly.
    The extended error debug information (which may be empty) is "000020EF: SvcErr: DSID-02080490, problem 5012 (DIR_ERROR), data -1018".
    The event data contains the error.

    I have spent considerable time looking for a resolution. I've found some old records in the forward lookup zone that should no longer exist, and they cannot be deleted manually. It seems to come down to a permissions error.

    A review of permissions in ADSIEDIT looks correct. DNSAdmins have full control of the objects.
    The logged in administrator account is a member of DNSAdmins.
    The administrator account is NOT a member of the Power Users group which is denied some access to objects.

    I ran dsacls "\\<servername>\CN=MicrosoftDNS, CN=System, DC=domain, dc=com" /G DNSADMINS:GA /I:T and it fails.

    I just discovered that the particular DNS record that I am attempting to delete is owned by a broken SID. This server, before its crash, used a different administrator account than is currently used, and I expect this broken SID belongs to that account, which shows up nowhere in AD. As stated previously, I did not do the recovery and so have no idea how it was done with respect to AD and DNS.

    I tried to take ownership of the single record and was denied. I expect that the broken SID shows up higher in the chain of permissions but cannot isolate it and am reluctant to push permissions on child objects from higher levels without knowing the implications of doing such a reset.

    Can anyone point me in a direction to find the highest level at which this broken SID might have permission and how to remove it? This server won't be replaced or rebuilt, in all likelihood, for a couple of years. There are strange errors on the network that at this time don't seem to point to any major issues, but I don't want to ignore any trouble that might be brewing if it can be averted.

    Thanks in advance to any who can offer insight.
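
The search the post asks for (where in the DNS container an unresolvable SID sits, and whether the entry on the record is explicit or inherited from a parent) can be done read-only before anything is reset. The script below is an added example, not code from the original post or from Microsoft; it uses only System.DirectoryServices, so it runs under PowerShell 2.0 on a Server 2003 domain controller without the ActiveDirectory module. The LDAP path "LDAP://CN=MicrosoftDNS,CN=System,DC=domain,DC=com" is an assumed placeholder for the poster's domain, and the function names are the example's own.

```powershell
# Added example; not code from the original post.
# Walks the DNS container in AD and reports every owner and every DACL entry whose
# SID no longer resolves to an account. Read-only: it changes nothing. Uses only
# System.DirectoryServices, so it runs under PowerShell 2.0 on a Server 2003 DC.
# The default LDAP path is an assumed placeholder; replace DC=domain,DC=com.

Add-Type -AssemblyName System.DirectoryServices

function Test-SidResolves {
    # $true when the SID still maps to an account; $false for an orphaned SID.
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try {
        [void]$Sid.Translate([System.Security.Principal.NTAccount])
        return $true
    } catch {
        return $false
    }
}

function Get-OrphanSidDnsAces {
    param(
        # Assumed placeholder; point it at the container that holds the zone.
        [string]$LdapPath = "LDAP://CN=MicrosoftDNS,CN=System,DC=domain,DC=com"
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$LdapPath)
    $searcher.Filter      = "(objectClass=*)"   # container, dnsZone and dnsNode objects alike
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.PageSize    = 1000                # paged results for large zones
    # Owner and DACL only; the SACL needs SeSecurityPrivilege and is not relevant here.
    $searcher.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Owner -bor [System.DirectoryServices.SecurityMasks]::Dacl
    $searcher.PropertiesToLoad.AddRange([string[]]@("distinguishedName", "ntSecurityDescriptor"))

    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties["distinguishedname"][0]
        # Rebuild the descriptor from the raw attribute instead of binding to each object again.
        $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $sd.SetSecurityDescriptorBinaryForm([byte[]]$result.Properties["ntsecuritydescriptor"][0])

        # Ownership is never inherited, so an orphaned owner is a per-object finding.
        $owner = $sd.GetOwner([System.Security.Principal.SecurityIdentifier])
        if (-not (Test-SidResolves $owner)) {
            New-Object PSObject -Property @{
                DN = $dn; Kind = "Owner"; SID = $owner.Value
                Inherited = $false; Rights = ""; Type = ""
            }
        }
        # $true,$true = explicit and inherited ACEs; IsInherited tells the two apart.
        foreach ($ace in $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            if (Test-SidResolves $ace.IdentityReference) { continue }
            New-Object PSObject -Property @{
                DN = $dn; Kind = "ACE"; SID = $ace.IdentityReference.Value
                Inherited = $ace.IsInherited
                Rights    = $ace.ActiveDirectoryRights.ToString()
                Type      = $ace.AccessControlType.ToString()
            }
        }
    }
}

function Find-OrphanSidOrigin {
    # Keeps only explicit (non-inherited) findings and orders them by depth, fewest RDNs
    # first, so the top-most object that carries the orphaned SID is listed first.
    param([object[]]$Findings)
    $Findings | Where-Object { -not $_.Inherited } |
        Sort-Object @{ Expression = { ([regex]::Matches($_.DN, ',(?:CN|DC|OU)=')).Count } }, DN
}

$findings = Get-OrphanSidDnsAces            # add -LdapPath for other roots (see note below)
$findings | Format-Table DN, Kind, SID, Inherited, Rights, Type -AutoSize
Find-OrphanSidOrigin $findings | Format-Table DN, Kind, SID, Rights, Type -AutoSize
```

Reading the output: an ACE reported with Inherited = True on the record came from a parent; the first ancestor where the same SID shows up with Inherited = False is the highest level it needs to be removed from, and the second table lists exactly those entries. The owner is different: Windows does not inherit ownership, so an orphaned owner exists only on the objects that list it, and nothing "higher" in the chain will fix that record's owner. Any entry with Type = Deny is worth looking at first, since deny ACEs are evaluated before allow ACEs. If the zone is AD-integrated with replication scope set to the DomainDnsZones or ForestDnsZones application partitions rather than the domain partition, run the function again with -LdapPath pointing at CN=MicrosoftDNS under those partition heads; the script only inspects the root it is given.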