Channel: Directory Services forum

New DNS records refused (event 4015 + event 4013)


Hi, we have 2 domain controllers, both virtual Hyper-V Windows 2008 R2 servers (not RODC). All of a sudden we couldn't add a new DNS record ("The host XXX cannot be created: Refused"). This happens on both domain controllers. Windows firewall is turned off on both servers.

When checking the event log on DC1, event 4015 is created each time we attempt to add a record:

The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "0000051B: AtrErr: DSID-030F1F8D, #1:
0: 0000051B: DSID-030F1F8D, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)".

On DC2 I get the same events, but I also see a few 4013 as well.

I have searched around for so many hours and many people seem to have resolved their issues by either granting Administrators access to Manage Auditing And Security Logs on Domain Controllers Security Policy, or by making sure SYSTEM is the owner on DNS through ADSI Edit. I've verified both, on both domain controllers. Also there is no enforced link on the policies, so Default Domain Policy should not interfere. I even tried granting Administrators Manage Auditing And Security Logs on Default Domain Policy to be on the safe side.

dcdiag & dcdiag /test:dns report no errors on both domain controllers. I would much appreciate it if someone can point me in the right direction here; this has so far been a very time-consuming problem to troubleshoot.

In advance, thank you.


