

DNS Error ID 4000 on a domain controller

Question

Wednesday, May 18, 2011 8:22 AM

Hi all,

I had an AD with 2 DCs, let's say DC1 and DC2; DC1 was the FSMO holder. DC1 has crashed and can't be restored, so I've seized the FSMO roles to DC2 and have cleaned the metadata with "ntdsutil metadata cleanup"; no errors arose during these tasks. I've rebooted DC2 and have these problems:

DNS Error ID 4000 "The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code."

If I go to my DNS manager I can't see the AD integrated zone.

All replies (28)

Wednesday, May 18, 2011 8:24 AM

Try resolution mentioned here: http://technet.microsoft.com/en-us/library/dd349683(v=WS.10).aspx

Please make sure that the DC is not yet pointing to the old DC as a DNS server and that it is pointing to itself as primary DNS server.

Do you have missing zones?

If yes, which one of them?


This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

Microsoft Student Partner
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration

Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration



Wednesday, May 18, 2011 8:36 AM

Have just tried that solution; it obviously did not work...

DC2 is now pointing to itself as DNS server.

I'm missing all AD integrated zones, both forward and reverse lookup.


Wednesday, May 18, 2011 8:46 AM

Okay, 

create an AD integrated zone for your domain, then run ipconfig /registerdns and restart netlogon.



Wednesday, May 18, 2011 9:14 AM

Hello,

It sounds like the second DC is not installed as a DNS server? Please confirm this. If this is the case, install the DNS server role and create a zone for your AD domain name. Then restart the netlogon service.

Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.


Wednesday, May 18, 2011 9:15 AM

I've tried to create a forward AD integrated zone "test.intra" but failed with this message:

"The zone cannot be created, the data is invalid"


Wednesday, May 18, 2011 9:26 AM

Check which event logs are created in the event viewer when creating your zone.



Wednesday, May 18, 2011 9:37 AM

The event log, section DNS, registers Warning ID 4013 "The DNS Server was unable to open the active directory".


Wednesday, May 18, 2011 10:18 AM

Okay,

is AD DS running?

It looks like I would suggest trying another thing.

Do you have a member server? Please install DNS on it, create a primary zone for your domain on it and then let your DC point to it as primary DNS server. Once done, run ipconfig /registerdns and restart the netlogon service. Check that the DNS records are registered in the new zone and then restart your DC.

Try this action plan and inform us of the results.



Wednesday, May 18, 2011 12:46 PM

How can I check that AD DS is running?

No, I don't have another member server.


Wednesday, May 18, 2011 12:56 PM

Have a look at this article: http://technet.microsoft.com/en-us/library/cc732714(WS.10).aspx

Are you able to create a primary zone that is not integrated with AD on your DC?



Wednesday, May 18, 2011 1:21 PM

I'm on Windows Server 2003.

Yes, I'm able to create a primary non-integrated zone.


Wednesday, May 18, 2011 1:45 PM

Okay, create one for your domain, then run ipconfig /registerdns and restart netlogon. Once done, reboot the DC and check whether all is okay or not.

If all is okay then try again to make your zone AD-integrated.



Wednesday, May 18, 2011 2:01 PM

Ok, I've created a primary non AD Integrated zone, I've run ipconfig /registerdns and have restarted NETLOGON; after having done these steps, in the event log I see 3 events of type "warning", source "Netlogon", ID 5781:

1-> "Dynamic registration or deletion of one or more DNS records associated with DNS domain 'filco-ven.intranet.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition)."

2-> "Dynamic registration or deletion of one or more DNS records associated with DNS domain 'ForestDnsZones.filco-ven.intranet.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition)."

3-> "Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DomainDnsZones.filco-ven.intranet.' failed.  These records are used by other computers to locate this server as a domain controller (if the specified domain is an Active Directory domain) or as an LDAP server (if the specified domain is an application partition)."

Nothing has changed after a reboot.


Wednesday, May 18, 2011 3:09 PM

If you look into your new zone, are there new records present? Are you able to change the type of the zone to AD-Integrated now?



Wednesday, May 18, 2011 3:14 PM

I have only 1 SOA and 1 NS record.

If I try to make the zone AD Integrated I get this error dialog box:

"The data on the primary zone failed to set. The Active Directory service is not available"


Wednesday, May 18, 2011 3:29 PM

Okay,

have a look at this Microsoft KB316685: http://support.microsoft.com/kb/316685

Back up your system state and then try the registry modifications.



Wednesday, May 18, 2011 3:34 PM

Have just seen and tried that solution, with no success.


Monday, May 23, 2011 5:45 AM

Hi Customer,

Please do the following steps to recover your DNS zone:

  • Create a forward zone "test.intra" that is not AD integrated, and allow dynamic updates.
  • In the test.intra zone, add an A record pointing to DC2.
  • Open C:\WINDOWS\system32\config\netlogon.dns with Notepad on DC2 or DC1 (if it exists), copy the netlogon.dns content into C:\WINDOWS\system32\dns\test.intra.dns on DC2, pasting it after the original content; stop the DNS Server service, then save test.intra.dns and start the DNS Server service.


Regards,

Rick Tan
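The netlogon.dns merge described in the steps above, as an added PowerShell example (not code from the thread or from any of the posters). It assumes a standard %SystemRoot%, that the file-backed primary zone has already been created and is named after the AD domain (the records in netlogon.dns are fully qualified under that name, so a zone named differently would reject them), and that the session runs on the DNS server itself as an administrator.

```powershell
# Added example: append the DC's locator records from netlogon.dns to the
# file-backed primary zone, with a backup and the DNS service stopped during the edit.
param(
    # Zone file name defaults to the AD domain of the current session (assumption).
    [string]$ZoneName    = $env:USERDNSDOMAIN,
    [string]$NetlogonDns = (Join-Path $env:SystemRoot 'system32\config\netlogon.dns')
)
$zoneFile = Join-Path $env:SystemRoot "system32\dns\$ZoneName.dns"

if (-not (Test-Path $NetlogonDns)) { throw "netlogon.dns not found: $NetlogonDns" }
if (-not (Test-Path $zoneFile)) {
    throw "Zone file not found; create the standard primary zone '$ZoneName' first: $zoneFile"
}

# The DNS Server service rewrites its zone files when it stops, so stop it
# before touching the file, otherwise the edit is overwritten.
Stop-Service -Name DNS -ErrorAction Stop
try {
    $backup = "$zoneFile.$(Get-Date -Format yyyyMMddHHmmss).bak"
    Copy-Item -Path $zoneFile -Destination $backup

    # Append only the records that are not already present, so re-running is harmless.
    $existing = Get-Content -Path $zoneFile
    $records  = Get-Content -Path $NetlogonDns |
        Where-Object { $_.Trim() -ne '' -and $existing -notcontains $_ }

    if ($records) { Add-Content -Path $zoneFile -Value $records }
    "Appended $(@($records).Count) record(s) from netlogon.dns; backup at $backup"
}
finally {
    # Restart DNS even if the edit failed, so name resolution on the DC comes back.
    Start-Service -Name DNS
}
```

After the service restarts, check the zone in DNS Manager for the SRV records under _tcp, _udp, _msdcs and _sites; if they are missing, the DNS Server event log (Event ID 500 as in the thread) will say which part of the file it rejected.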


Monday, May 23, 2011 8:57 AM

Hi Rick,

I've followed the steps; after having restarted the DNS server I get the following errors:

Source: DNS

ID: 500

Type: Error

Description: The DNS server has detected that for the primary zone _msdcs.filco-ven.intranet its has no zone file name stored in registry data.  You can either update the zone file name or delete the zone and recreate it using the DNS console.  To delete the applicable zone from the registry, locate its subkey under DNS server parameters in the registry.  You can then recreate the zone using the DNS console.  For more information, see "To change a zone file name", "Tuning advanced server parameters" and "Add and Remove Zones" in the online Help.

Source: DNS

ID: 500

Type: Error

The DNS server has detected that the zone _msdcs.filco-ven.intranet has invalid or corrupted registry data.  To correct the problem, you can delete the applicable zone subkey, located under DNS server parameters in the registry. You can then recreate the zone using the DNS console.  For more information, see "Tuning advanced server parameters" and "Add and Remove Zones" in the online Help.

After that the server started, but I get only the "fake" zone test.intra, with only the "A" record created. I have no other zones.


Monday, May 23, 2011 3:00 PM

Hi Andrea,

Oh, please change test.intra zone type to AD integrated zone. AD replication will recover the DNS record.

Regards,
Rick Tan


Monday, May 23, 2011 3:27 PM

When I change the zone properties, setting it to be AD integrated, I get two error dialog boxes:

1)

The data on the primary zone failed to set. The active directory service is not available

2)

The replication scope could not be set. For more information, see "DNS Zone Replication in Active Directory" in help and support. The error was: the specified directory partition does not exist.


Tuesday, May 24, 2011 6:43 AM

Hi Andrea,

Well, restoring DNS from netlogon.dns works in my test.
Please run DCdiag /fix and Netdiag /fix on your server. Then try to change the test.intra zone type to AD integrated zone.
Please run the ADSI tool to open "DC=domaindnszones,DC=test,DC=intra", and check whether MicrosoftDNS--testdomain.com exists and can be accessed.
If it still does not work, please post the ipconfig /all result to us.

Regards,
Rick Tan


Tuesday, May 24, 2011 7:40 AM

I've run dcdiag /fix and netdiag /test, then I've tried to set my zone to be AD integrated: same error as before.

With ADSIEdit I can locate "DC=domaindnszones,DC=filco-ven,DC=intranet"; CN=MicrosoftDNS exists.

This is the output of ipconfig /all:

C:\Documents and Settings\Administrator.FILCO-VEN>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : SRVW3KDC2
   Primary Dns Suffix  . . . . . . . : filco-ven.intranet
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : filco-ven.intranet

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
   Physical Address. . . . . . . . . : 00-50-56-BD-15-A9
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.0.111
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.111

C:\Documents and Settings\Administrator.FILCO-VEN>


Tuesday, May 24, 2011 10:03 AM

Hi Andrea,

Have you seen DC=filco-ven.intranet in CN=MicrosoftDNS? Check its property rights for your account.

I thought you could try to establish another server and dcpromo it to a DC to see if it loads the DNS zone.

Regards,
Rick Tan


Tuesday, May 24, 2011 10:54 AM

Hi Rick,

I think that there is a misunderstanding between us. Now the situation is:

1) In DNS management I can see the zone "filco-ven.intranet" with all its SRV records and the only A record.

2) I can't set this zone to be AD integrated because I get the errors I posted before.

3) I can't open DSA: "Naming information cannot be located because: unspecified error".

Here is the output of dcdiag:

C:\Documents and Settings\Administrator.FILCO-VEN>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SRVW3KDC2
      Starting test: Connectivity
         ......................... SRVW3KDC2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SRVW3KDC2
      Starting test: Replications
         ......................... SRVW3KDC2 passed test Replications
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes All
         access rights for the naming context:
         DC=ForestDnsZones,DC=filco-ven,DC=intranet
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes All
         access rights for the naming context:
         DC=DomainDnsZones,DC=filco-ven,DC=intranet
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes
            Replicating Directory Changes All
            Replication Synchronization
            Manage Replication Topology
         access rights for the naming context:
         CN=Schema,CN=Configuration,DC=filco-ven,DC=intranet
         Error BUILTIN\Administrators doesn't have
            Replicating Directory Changes
            Replicating Directory Changes All
            Replication Synchronization
            Manage Replication Topology
         access rights for the naming context:
         CN=Schema,CN=Configuration,DC=filco-ven,DC=intranet
         ......................... SRVW3KDC2 failed test NCSecDesc
      Starting test: NetLogons
         ......................... SRVW3KDC2 passed test NetLogons
      Starting test: Advertising
         ......................... SRVW3KDC2 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... SRVW3KDC2 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... SRVW3KDC2 passed test RidManager
      Starting test: MachineAccount
         ......................... SRVW3KDC2 passed test MachineAccount
      Starting test: Services
         ......................... SRVW3KDC2 passed test Services
      Starting test: ObjectsReplicated
         ......................... SRVW3KDC2 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... SRVW3KDC2 passed test frssysvol
      Starting test: frsevent
         ......................... SRVW3KDC2 passed test frsevent
      Starting test: kccevent
         ......................... SRVW3KDC2 passed test kccevent
      Starting test: systemlog
         ......................... SRVW3KDC2 passed test systemlog
      Starting test: VerifyReferences
         ......................... SRVW3KDC2 passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : filco-ven
      Starting test: CrossRefValidation
         ......................... filco-ven passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... filco-ven passed test CheckSDRefDom

   Running enterprise tests on : filco-ven.intranet
      Starting test: Intersite
         ......................... filco-ven.intranet passed test Intersite
      Starting test: FsmoCheck
         ......................... filco-ven.intranet passed test FsmoCheck

C:\Documents and Settings\Administrator.FILCO-VEN>


Wednesday, May 25, 2011 2:11 AM

Hi Andrea,

Please check KB261203 for the DSA error. Your DC2 should have just one NIC and does not run RRAS/NAT, ICS.

http://support.microsoft.com/kb/261203

Regards,
Rick Tan


Thursday, May 26, 2011 6:55 AM

My DC2 has only one NIC and does not run RRAS/NAT nor ICS.


Thursday, May 26, 2011 2:00 PM

Hi Andrea,

Just to rule out any possibility of a duplicate zone in AD, which I've seen in the past will cause similar issues, take a look at the following. If there are any dupes, please delete them.

Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx


Also, you mentioned the original DC crashed. Curious - did you perform a Metadata Cleanup to remove the crashed DC's reference?

Complete Step by Step Guideline to Remove an Orphaned Domain controller
http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx


Ace

Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

This posting is provided AS-IS with no warranties or guarantees and confers no rights.
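Both Rick's ADSI check of the DomainDnsZones partition and Ace's duplicate-zone check can be done from one script. The following is an added PowerShell example (not code from the thread, the linked blog posts, or any of the posters); it assumes it runs on a domain-joined machine whose session can read the directory partitions, and it takes the domain DN from RootDSE rather than hard-coding filco-ven.intranet.

```powershell
# Added example: list every dnsZone object in the three places an AD-integrated
# zone can be stored, then flag the two conditions that stop a zone from loading:
# the same zone name in more than one location, and CNF (replication conflict) objects.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = "$($rootDse.defaultNamingContext)"     # e.g. DC=filco-ven,DC=intranet

$locations = @(
    "DC=DomainDnsZones,$domainDn",                  # domain-wide application partition
    "DC=ForestDnsZones,$domainDn",                  # forest-wide application partition
    "CN=MicrosoftDNS,CN=System,$domainDn"           # legacy Windows 2000-style location
)

$found = foreach ($base in $locations) {
    try {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher(
            [ADSI]"LDAP://$base", '(objectClass=dnsZone)', @('name', 'distinguishedName'))
        foreach ($result in $searcher.FindAll()) {
            [pscustomobject]@{
                Zone     = $result.Properties['name'][0]
                Location = $base
                DN       = $result.Properties['distinguishedname'][0]
            }
        }
    }
    catch {
        # A partition the account cannot open, or one that does not exist, matches
        # the "specified directory partition does not exist" error in the thread.
        Write-Warning "Cannot read $base : $($_.Exception.Message)"
    }
}

$found | Sort-Object Zone, Location | Format-Table -AutoSize

# Duplicate: one zone name present in several locations.
$found | Group-Object -Property Zone | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning ("Zone '{0}' is stored in {1} locations: {2}" -f
        $_.Name, $_.Count, (($_.Group | ForEach-Object { $_.Location }) -join '; '))
}

# Conflict object: AD renames the loser of a replication collision to CN=name\0ACNF:<guid>.
$found | Where-Object { $_.DN -match 'CNF:' } | ForEach-Object {
    Write-Warning "Replication conflict object: $($_.DN)"
}
```

Nothing is deleted by this script; it only reports, so the decision to remove a duplicate or CNF object stays with the administrator after a system state backup.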