Event ID: 6702 Source: DNS

DNS Server has updated its own host (A) records. In order to insure that its DS-integrated peer DNS servers are able to replicate with this server, an attempt was made to update them with the new records through dynamic update. An error was encountered during this update, the record data is the error code.

If this DNS server does not have any DS-integrated peers, then this error should be ignored.
If this DNS server's ActiveDirectory replication partners do not have the correct IP address(es) for this server, they will be unable to replicate with it.

To insure proper replication:
1) Find this server's ActiveDirectory replication partners that run the DNS server.
2) Open DnsManager and connect in turn to each of the replication partners.
3) On each server, check the host (A record) registration for THIS server.
4) Delete any A records that do NOT correspond to IP addresses of this server.
5) If there are no A records for this server, add at least one A record corresponding to an address on this server, that the replication partner can contact. (In other words, if there multiple IP addresses for this DNS server, add at least one that is on the same network as the ActiveDirectory DNS server you are updating.)
6) Note, that is not necessary to update EVERY replication partner. It is only necessary that the records are fixed up on enough replication partners so that every server that replicates with this server will receive (through replication) the new data.

0000: 2d 23 00 00
From a newsgroup post: "I checked on Microsoft's technet website and it mentioned something about the 'root hints' tab. I went there and my server's hostname was there along with the 2 entries I put in. I removed all of them and haven't gotten an event viewer message for 2 days. Last night I restarted the server and the DNS stopped working again. Going back and checking all of the tabs, the servers listed in the "root hints" were back. I had deleted them also from the Active Directory. Strange.... So I went back to the Technet website and entered a query of root hints. It returned article ME249868 Replacing Root Hints with the Cache.dns File. I followed the directions in the article and restarted the DNS server. I now had all of the internet root servers in the root hints tab and my servers did not come back when restarted."

* * *

T735806 provides details on the steps necessary to make sure that the DNS server information is replicated to replication partners (if present).

The Data portion of the event can be translated into an error code. For example, data 2d 23 is equivalent to error code 9005 (DNS operation refused).
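The translation described above, as an added example that is not part of the original page: the Data bytes are read as a little-endian DWORD and looked up in the Win32 DNS_ERROR_RCODE_* range (9000 plus the DNS response code). The function names are hypothetical, and the second test dump is constructed.

```python
import re
import struct

# Win32 DNS_ERROR_RCODE_* values are 9000 + the DNS response code (RCODE).
DNS_RCODE_ERRORS = {
    9001: "DNS_ERROR_RCODE_FORMAT_ERROR",
    9002: "DNS_ERROR_RCODE_SERVER_FAILURE",
    9003: "DNS_ERROR_RCODE_NAME_ERROR",
    9004: "DNS_ERROR_RCODE_NOT_IMPLEMENTED",
    9005: "DNS_ERROR_RCODE_REFUSED",
    9006: "DNS_ERROR_RCODE_YXDOMAIN",
    9007: "DNS_ERROR_RCODE_YXRRSET",
    9008: "DNS_ERROR_RCODE_NXRRSET",
    9009: "DNS_ERROR_RCODE_NOTAUTH",
    9010: "DNS_ERROR_RCODE_NOTZONE",
}

HEX_BYTE = re.compile(r"[0-9a-fA-F]{2}")


def parse_event_data(dump):
    """Rebuild raw bytes from 'OFFSET: xx xx ...' lines, validating offsets."""
    data = bytearray()
    for line in dump.strip().splitlines():
        offset, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"not a dump line: {line!r}")
        # Each line's offset must equal the number of bytes read so far;
        # a mismatch means a line was dropped or truncated in copy/paste.
        if int(offset, 16) != len(data):
            raise ValueError(f"offset {offset.strip()} != {len(data):04x}")
        for tok in rest.split():
            if not HEX_BYTE.fullmatch(tok):
                break  # anything after the hex bytes on this line is ignored
            data.append(int(tok, 16))
    return bytes(data)


def decode_error(dump):
    """Return (error_code, symbolic_name) for the first DWORD of the data."""
    raw = parse_event_data(dump)
    if len(raw) < 4:
        raise ValueError("need at least 4 bytes for a DWORD")
    (code,) = struct.unpack_from("<I", raw)  # little-endian: 2d 23 00 00 -> 0x0000232d
    return code, DNS_RCODE_ERRORS.get(code, "unknown")


if __name__ == "__main__":
    print(decode_error("0000: 2d 23 00 00"))  # the data shown for this event
```
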
This event can occur when you use a single-label domain name on a Windows Server 2003-based computer. See ME914050 for details on this issue.
As per Microsoft: "This server could not register its dynamically updated locator records with DNS on any other domain controller in its directory service (DS) forest. Possible causes include:
- There are no other domain controllers.
- The other domain controllers in this forest do not have the correct IP address for this server". See MSW2KDB for more information.

From a newsgroup post: "Sometimes this can be caused by having two NICs in a machine. On the outer NIC, it is suggested to disable the File and Print Sharing service, Client for Microsoft Networks service and NetBIOS. It also can be due to using an ISP's DNS in your IP properties. Usually getting rid of this and using a forwarder fixes this problem".

See the link to "Microsoft event 6702 from source DNS" for additional information on this event.
This error occurs when a server that provides the DNS service tries to register its own addresses in the DNS server. In the TCP/IP settings of each network adapter and all RAS connections, uncheck "register the addresses of this connection" under DNS. This should help you get rid of this problem.
If you are running netlogon on a domain controller then the default refresh interval for updating dynamic DNS records is once per hour. You can control this by adding registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DnsRefreshInterval
DWORD: A setting of 86400 will reduce the frequency to once per day. See the link to "Active Directory with Virtual Private Network and Demand Dial Deployments".
