Symptoms
After you install this security update, the DNS Server service may not start, or you may receive an access violation error message shortly after the service starts, or after the operating system starts.
Cause
This issue may occur if DNS is configured to have a CNAME and a SOA record that both exist for the "@" record. The "@" record identifies the root of a DNS zone. This can frequently be identified in the DNS Manager as a record with the "(same as parent folder)" name. The SOA and NS records are allowed in this folder. RFC 2181 describes name uniqueness checks for CNAME records. According to RFC 2181, the CNAME may not exist in the "(same as parent folder)" ("@") of a zone.
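The RFC 2181 rule behind this cause is general: a name that owns a CNAME may own no other record data, and the zone apex always owns at least a SOA and NS, so an apex CNAME is always a conflict. The following added example (not from this article and not Microsoft code) checks constructed zone data for that rule offline. It reads a simplified BIND-style zone text (an assumption; the DNS Server service stores zones in its own format or in Active Directory), reports the apex-CNAME case the article describes, and also reports every other owner name where a CNAME coexists with other data.

```python
from collections import defaultdict

# Constructed sample zone text (not from the article). Owner names are relative
# to the $ORIGIN; "@" is the zone apex, the record DNS Manager shows as
# "(same as parent folder)". The apex CNAME below is the misconfiguration
# that the article says prevents the DNS Server service from starting.
SAMPLE_ZONE = """
$ORIGIN example.test.
@       3600 IN SOA   ns1.example.test. hostmaster.example.test. 2012030101 3600 900 604800 86400
@       3600 IN NS    ns1.example.test.
@       3600 IN CNAME www.example.test.
www     3600 IN A     192.0.2.10
ns1     3600 IN A     192.0.2.1
mail    3600 IN CNAME www.example.test.
mail    3600 IN MX    10 www.example.test.
ftp     3600 IN CNAME www.example.test.
"""

# Constructed zone with no conflicts, used as the negative case.
CLEAN_ZONE = """
$ORIGIN clean.test.
@       3600 IN SOA   ns1.clean.test. hostmaster.clean.test. 2012030101 3600 900 604800 86400
@       3600 IN NS    ns1.clean.test.
ns1     3600 IN A     192.0.2.1
www     3600 IN CNAME ns1.clean.test.
"""

# DNSSEC types that may legitimately share an owner name with a CNAME.
EXEMPT_TYPES = {"RRSIG", "NSEC"}


def parse_zone(text):
    """Parse the simplified zone format into (origin, [(owner_fqdn, rrtype, rdata), ...]).

    Each record line is: owner [TTL] IN TYPE RDATA...  Comments start with ';'.
    """
    origin = None
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if origin is None:
            raise ValueError("record appears before $ORIGIN")
        fields = line.split()
        try:
            cls = fields.index("IN")  # TTL is optional, so locate the class column
        except ValueError:
            raise ValueError("unsupported record line: " + line)
        owner, rrtype = fields[0], fields[cls + 1].upper()
        rdata = " ".join(fields[cls + 2:])
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner
        else:
            fqdn = owner + "." + origin
        records.append((fqdn, rrtype, rdata))
    return origin, records


def find_cname_conflicts(records):
    """RFC 2181 section 10.1 check: return [(owner, [other types]), ...] for every
    owner name that holds a CNAME together with any non-exempt record type."""
    types_by_owner = defaultdict(set)
    for owner, rrtype, _ in records:
        types_by_owner[owner].add(rrtype)
    conflicts = []
    for owner, types in types_by_owner.items():
        others = types - {"CNAME"} - EXEMPT_TYPES
        if "CNAME" in types and others:
            conflicts.append((owner, sorted(others)))
    return sorted(conflicts)


def apex_cname_zones(zone_texts):
    """The specific check the article's script performs: list the origins of
    zones whose apex ("@") owns a CNAME record."""
    bad = []
    for text in zone_texts:
        origin, records = parse_zone(text)
        if any(owner == origin and rrtype == "CNAME" for owner, rrtype, _ in records):
            bad.append(origin)
    return bad


if __name__ == "__main__":
    for text in (SAMPLE_ZONE, CLEAN_ZONE):
        origin, records = parse_zone(text)
        print(origin, find_cname_conflicts(records))
    print("zones with an apex CNAME:", apex_cname_zones([SAMPLE_ZONE, CLEAN_ZONE]))
```

The apex finding is the one that must be removed before the update is installed; the other conflicts (here `mail` owning both a CNAME and an MX) are the same RFC 2181 violation at non-apex names and are worth cleaning up in the same pass, because resolvers handle such names unpredictably.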
Workaround
To avoid this issue, identify and remove the "@" CNAME record that is causing the issue from the misconfigured zone before you install security update 2647170.
To help identify problematic zones, run the following sample PowerShell script. PowerShell is installed by default in Windows Server 2008 R2. PowerShell must be installed as a feature in Windows Server 2008 and must be manually installed in Windows Server 2003.
    $count = 0
    # Confirm that the DNS Server service exists and is running; the WMI DNS
    # provider in root\microsoftdns is only usable while the service is up.
    $var = get-wmiobject -query "select * from win32_service where name = 'dns'"
    if ($var -ne $null)
    {
        if ($var.state.tolower() -eq "running")
        {
            [array] $global:badcnamedomains = $null
            # Enumerate every zone that this server holds.
            $var = get-wmiobject -namespace "root\microsoftdns" -query "select * from microsoftdns_zone"
            if ($var -ne $null)
            {
                foreach ($var2 in $var)
                {
                    # Look for CNAME records in the zone whose owner name is the zone name
                    # itself, that is, a CNAME at the "@" ("(same as parent folder)") record.
                    $query = "select * from microsoftdns_cnametype where containername = '" + $var2.name + "'"
                    $var3 = get-wmiobject -namespace "root\microsoftdns" -query $query | where {$_.ownername -eq $var2.name}
                    if ($var3 -ne $null)
                    {
                        $count += 1
                        $global:badcnamedomains += $var3.domainname
                    }
                }
            }
            else
            {
                write-host "No zones returned"
            }
        }
        else
        {
            write-host "The DNS Server service is not running; start it and run the script again"
        }
    }
    if ($count -gt 0)
    {
        write-host "Total number of zones found: $count"
        write-host "The zones are:"
        write-host $global:badcnamedomains
    }
    elseif ($count -eq 0)
    {
        write-host "No zones found with the issue"
    }
    $count = $null
    $global:badcnamedomains = $null
Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure. However, they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.
To run the sample PowerShell script, copy the text, and then paste it into a PowerShell Command Prompt window that is running with administrative permissions. The script will identify CNAME records that conflict with SOA records in locally held DNS zones. To delete a CNAME record that does not comply with RFC 2181, type the following command at a command prompt, replacing <DNS zone name> with the name of the misconfigured zone, and then press Enter:
    DNSCMD /RecordDelete <DNS zone name> @ CNAME
To resolve the problem if the access violation error has already occurred
If you have already installed security update 2647170 before removing the offending CNAME record, you may have to roll back to the previously installed version of DNS. Then, remove the conflicting @ CNAME record from the misconfigured zone, and reinstall security update 2647170.