I had removed the computer accounts from AD and rebuilt some Windows 2003 servers and joined them back to the domain. The DNS A and PTR records still had the computer object permissions for the old computer objects, which showed up as un-resolvable SIDs. I manually gave the new computer objects proper rights to the A and PTR records and the errors stopped.
The Host record in DNS cannot be updated by the server because it does not have enough rights. On your DC, open DNS and look for the Host record for the server. Open and check the Security tab. Make sure the server name is there with Write permissions. If not, add it, and give it Write permission. This error should now go away (the server can update its own Host record in DNS again).
In my case this event was generated by a misconfiguration in DNS, where the DNS server is set to Dynamic Updates but the servers' "A" records have Static Configuration.
1. Reconfigure the DNS server to not update records dynamically.
2. Configure records to not be added statically.
This issue could also be with NETLOGON, where the server cannot communicate with DNS via the security tunnel. Try restarting NETLOGON to fix the problem.
I received this error on an ISA Server that I had just set up on the network. The problem was that I forgot to uncheck the "register this connection's addresses in DNS" option in the TCP/IP settings of the WAN-facing network adapter.
1. If the DNS forward and reverse lookup zones are Active Directory integrated and only allow secure updates, make sure the ACL for the zones has Authenticated Users with “Create ChildObjects” permission only.
2. If you are issuing the ipconfig /registerdns command and get this error message, make sure you are logged in with a domain account.
I have seen this in companies that run DNS on UNIX. Those machines do not support (or allow) dynamic DNS updates as Windows does, hence the permissions related problem message.
I received this error on a few member servers running Windows Server 2003. When I checked the security of the host record for the Server, I noticed that it did not have the Server listed in the permissions. Member Servers that did not have this event ID had the Server listed in the permissions with Full control. I added the Server to the host record and gave it full permissions, and I no longer received the 11166 Event.
- Data: 0000: 00002338 = (9016 decimal) = DNS_ERROR_RCODE_BADSIG = "DNS signature failed to verify" - These problems appear when a permission error occurs on the DNS record. See ME871111 for details on this issue.
I was able to clear this error by deleting the A record of the offending server and then running "ipconfig /registerdns" on that server. What led me to trying this was I saw the permissions on that A record were different from several other A records I looked at. It looks as if the "bad" A record had been manually created as the machinename$ user was listed on the security tab with write permissions for other A records but not on the A record that DDNS could not update.
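Several of the comments above trace event 11166 to the ACL on the host record: either the computer account has no write ACE, or the record still carries ACEs for deleted accounts that show up as unresolvable SIDs. The PowerShell below is an added example, not part of any comment on this page, that audits an AD-integrated zone for both conditions; it assumes the RSAT ActiveDirectory module, a zone stored in the DomainDnsZones partition, and the placeholder zone name corp.example.com.

```powershell
# Added example: audit dnsNode ACLs in an AD-integrated zone (read-only, changes nothing).
# Assumptions: ActiveDirectory module available; zone lives in DomainDnsZones;
# 'corp.example.com' is a placeholder zone name.
Import-Module ActiveDirectory

$Zone    = 'corp.example.com'
$ZoneDN  = "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$((Get-ADDomain).DistinguishedName)"
$Write   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$SidType = [System.Security.Principal.SecurityIdentifier]
$NtType  = [System.Security.Principal.NTAccount]

Get-ADObject -SearchBase $ZoneDN -SearchScope OneLevel -LDAPFilter '(objectClass=dnsNode)' `
             -Properties nTSecurityDescriptor | ForEach-Object {
    $node = $_
    # Only plain host labels; skips '@', '*', '_msdcs' and keeps the LDAP filter below safe
    if ($node.Name -notmatch '^[A-Za-z0-9-]+$') { return }

    $rules = $node.nTSecurityDescriptor.GetAccessRules($true, $true, $SidType)

    # ACEs whose SID no longer maps to an account (for example a deleted computer object)
    $orphans = foreach ($r in $rules) {
        try   { [void]$r.IdentityReference.Translate($NtType) }
        catch [System.Security.Principal.IdentityNotMappedException] { $r.IdentityReference.Value }
    }

    # Direct Allow ACE with write access for the computer account of the same name.
    # Access granted only through group membership is not evaluated here.
    $computer = Get-ADComputer -LDAPFilter "(name=$($node.Name))" | Select-Object -First 1
    $hasWrite = $false
    if ($computer) {
        $hasWrite = [bool]($rules | Where-Object {
            $_.IdentityReference -eq $computer.SID -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $Write) -eq $Write
        })
    }

    # Report only records that show one of the two problems
    if ($orphans -or ($computer -and -not $hasWrite)) {
        [pscustomobject]@{
            Record           = $node.Name
            OrphanedSids     = @($orphans) -join ', '
            ComputerHasWrite = if ($computer) { $hasWrite } else { 'n/a' }
        }
    }
}
```

Records listed with ComputerHasWrite = False match the situation where the server cannot update its own host record; records with OrphanedSids match the rebuilt-server case.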