Failover Cluster: access to update the secure DNS Zone was denied.


After you have built a cluster, the Cluster Events page fills up with Event ID 1257 From FailoverClustering complaining about not being able to write to the DNS records in AD:

“Cluster network name resource failed registration of one or more associated DNS names(s) because the access to update the secure DNS Zone was denied.

Cluster Network name: X
DNS Zone: Y

Ensure that cluster name object (CNO) is granted permissions to the Secure DNS Zone.”



There may be other root cause scenarios, but in my case the problem was a static DNS reservation on the domain controller.

As usual, if you do not understand the action plan below, seek help or get educated before you continue. Your friendly local search  engine is a nice place to start if you do not have a local cluster expert. This action plan includes actions that will take down parts of your cluster momentarily, so do not perform these steps on a production cluster during peak load. Schedule a maintenance window.

  • Identify the source of the static reservation and apply public shaming and/or pain as necessary to ensure that this does not happen again. Cluster DNS records should be dynamic.
  • Identify the static DNS record in your Active Directory Integrated DNS forward lookup zone. Ask for help from your DNS or AD team if necessary.
  • Delete the static record
  • Take the Cluster Name Object representing the DNS record offline in Failover Cluster manager (or by powershell). Be aware that any dependent resources will also go offline.
  • Bring everything back online. This should trigger a new DNS registration attempt. You could also wait for the cluster to attempt this automatically, but client connections may fail while you are waiting.
  • Verify that the DNS record is created as a dynamic record. It should have a current Timestamp.

Author: DizzyBadger

SQL Server DBA, Cluster expert, Principal Analyst

4 thoughts on “Failover Cluster: access to update the secure DNS Zone was denied.”

  1. On great and easy solution is to re-register existing Network Name resources with a DNS server. This does not interrupt cluster availability.

    Get-ClusterResource -Name “Cluster Name“ | Update-ClusterNetworkNameResource

  2. If the cluster failed to drain a role (e.g. failed to connect to the witness), this exact error will show. You dont need to fiddle with DNS, you would need to solve the problem with the drain.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.