We have been seen Audit failures for some time on both of our DC's. We are
running Windows Server 2003 R2 SP2 on both DC. 2003 native domain and DNS
integrated running on both DC's.

Event Type: Failure Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 22/03/2010
Time: 17:18:50
User: SUPPORT\<machine Account>
Computer: <DC 1>
Description:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: dnsNode
Object
Name: DC=28,DC=21.16.172.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=***,DC=co,DC=uk
Handle ID: -
Primary User Name: SERVER12$
Primary Domain: *****
Primary Logon ID: (0x0,0x3E7)
Client User Name: ****
Client Domain: SUPPORT
Client Logon ID: (0x0,0x1F1CDD08)
Accesses: Write Self

Properties:
---
Default property set
dnsRecord
dNSTombstoned
dnsNode

Additional Info:
Additional Info2:
Access Mask: 0x8




We are also seeing the following audit failures:

Event Type: Failure Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 22/03/2010
Time: 15:08:00
User: ***\VPCSCVMM2K8R2$
Computer: SERVER12
Description:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: computer
Object Name: CN=VPCSCVMM2K8R2,OU=WSUS
Computers,OU=Computers,OU=****,DC=****,DC=co,DC=uk
Handle ID: -
Primary User Name: SERVER12$
Primary Domain: ****
Primary Logon ID: (0x0,0x3E7)
Client User Name: VPCSCVMM2K8R2$
Client Domain: ****
Client Logon ID: (0x0,0x1F0FF974)
Accesses: Write Property

Properties:
---
Public Information
servicePrincipalName
computer

Additional Info:
Additional Info2:
Access Mask: 0x20


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Hopefully someone can point us in the right direction.

The first one definitely comes from a server trying to write a DNS record.
Check your DNS server that it has dynamic updates enabled. Also run
scavenging that will remove stale, tombstoned records.

The second one may also come from DNS. Is that server in a workgroup? If it
is, it may not have permission to update its DNS record.


"Lee" <Lee@newsgroup> wrote in message
news:4157F467-B07C-4200-8D34-ED10C381EEC1@newsgroup

> We have been seen Audit failures for some time on both of our DC's. We are
> running Windows Server 2003 R2 SP2 on both DC. 2003 native domain and DNS
> integrated running on both DC's.
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Directory Service Access
> Event ID: 566
> Date: 22/03/2010
> Time: 17:18:50
> User: SUPPORT\<machine Account>
> Computer: <DC 1>
> Description:
> Object Operation:
> Object Server: DS
> Operation Type: Object Access
> Object Type: dnsNode
> Object
> Name:
> DC=28,DC=21.16.172.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=***,DC=co,DC=uk
> Handle ID: -
> Primary User Name: SERVER12$
> Primary Domain: *****
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: ****
> Client Domain: SUPPORT
> Client Logon ID: (0x0,0x1F1CDD08)
> Accesses: Write Self
>
> Properties:
> ---
> Default property set
> dnsRecord
> dNSTombstoned
> dnsNode
>
> Additional Info:
> Additional Info2:
> Access Mask: 0x8
>
>
> We are also seeing the following audit failures:
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Directory Service Access
> Event ID: 566
> Date: 22/03/2010
> Time: 15:08:00
> User: ***\VPCSCVMM2K8R2$
> Computer: SERVER12
> Description:
> Object Operation:
> Object Server: DS
> Operation Type: Object Access
> Object Type: computer
> Object Name: CN=VPCSCVMM2K8R2,OU=WSUS
> Computers,OU=Computers,OU=****,DC=****,DC=co,DC=uk
> Handle ID: -
> Primary User Name: SERVER12$
> Primary Domain: ****
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: VPCSCVMM2K8R2$
> Client Domain: ****
> Client Logon ID: (0x0,0x1F0FF974)
> Accesses: Write Property
>
> Properties:
> ---
> Public Information
> servicePrincipalName
> computer
>
> Additional Info:
> Additional Info2:
> Access Mask: 0x20
>
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> Hopefully someone can point us in the right direction.
>
>
>

"Dusko Savatovic" <savatovic@newsgroup> wrote in message news:F29B5117-4EFD-4286-83C1-F384AB912E4E@newsgroup

> The first one definitely comes from a server trying to write a DNS record.
> Check your DNS server that it has dynamic updates enabled. Also run
> scavenging that will remove stale, tombstoned records.
>
> The second one may also come from DNS. Is that server in a workgroup? If it
> is, it may not have permission to update its DNS record.
>

It could also be something simple such as using an ISP, the router, or some other external DNS server (not the internal DC/DNS) set in the machine's IP properties.

If the poster can provide us an unedited ipconfig /all, we can evaluate and point out any possible mis-configurations.





--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.