Our company domain has three DCs. The Directory Service log frequently shows a warning, event 2088:

Active Directory could not use DNS to resolve the IP address of the source domain controller listed below. To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller.

Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory forest, including logon authentication or access to network resources.

You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS.

Alternate server name:
 dc.domainname
Failing DNS host name:
 04fb81d2-5952-45d1-b6e4-df14596e4848._msdcs.domainname

NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur. To log all individual failure events, set the following diagnostics registry value to 1:

Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client

User Action:

 1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.

 2) Confirm that the source domain controller is running Active directory and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".

 3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns

 dcdiag /test:dns

 4) Verify that that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:

 dcdiag /test:dns

 5) For further analysis of DNS error failures see KB 824449:
 http://support.microsoft.com/?kbid=824449

Additional Data
Error value:
 11004 The requested name is valid, but no data of the requested type was found.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I found that among the DNS SRV records, the CNAME aliases (GUID + domain name) often exist for only two of the DCs, or for only one.
In the A records of the DNS forward lookup zone, "Delete this record when it becomes stale" is checked, and a timestamp is present as well. I cleared that checkbox so that the DCs' A, CNAME and SRV DNS records could not be deleted, but after a while the checkbox was checked again automatically.
As a result, Active Directory replication warnings appear every two or three days, and the DCs cannot find their replication partners.

Is it that, after a DNS dynamic update, the records are deleted automatically, so that the DCs cannot replicate with each other?

Any expert advice would be appreciated.
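
The check that the event text and the post describe (does every DC's GUID-based CNAME under _msdcs resolve, and on which DNS server is it missing), as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module is installed, that every DC also runs the DNS Server service, and that the aliases are registered under _msdcs.<forest root domain>.

```powershell
# Added example, not from the original post.
# For every DC, ask every DC's DNS service for <DSA GUID>._msdcs.<forest root>,
# the alias that event 2088 reports as the failing DNS host name.
# Assumptions: RSAT ActiveDirectory module present; each DC also runs DNS.
Import-Module ActiveDirectory

$dcs = @(Get-ADDomainController -Filter *)

# The alias label is the objectGUID of each DC's "NTDS Settings" object.
$expected = foreach ($dc in $dcs) {
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN
    [pscustomobject]@{
        DC    = $dc.HostName
        Alias = '{0}._msdcs.{1}' -f $ntds.ObjectGUID, $dc.Forest
    }
}

$results = foreach ($server in $dcs) {
    foreach ($e in $expected) {
        # Query this DC's DNS service directly, by IP, bypassing the local resolver.
        $query = @{
            Name        = $e.Alias
            Type        = 'CNAME'
            Server      = $server.IPv4Address
            DnsOnly     = $true
            ErrorAction = 'SilentlyContinue'
        }
        $answer = Resolve-DnsName @query |
            Where-Object { $_.Type -eq 'CNAME' } |
            Select-Object -First 1

        $target = $null
        $status = 'MISSING'
        if ($answer) {
            $target = $answer.NameHost.TrimEnd('.')
            $status = 'OK'
            if ($target -ne $e.DC) { $status = 'WRONG TARGET' }
        }

        [pscustomobject]@{
            DnsServer = $server.HostName
            ForDC     = $e.DC
            Alias     = $e.Alias
            Target    = $target
            Status    = $status
        }
    }
}

$results | Sort-Object Status, DnsServer | Format-Table -AutoSize
```

A row marked MISSING on one DNS server but OK on another points at that server's copy of the zone; MISSING on all of them means the alias is gone from the zone altogether.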