Question
Thursday, June 1, 2017 6:39 AM
Good day.
There is an infrastructure of two sites. Site A contains three DC 2012 R2 in 2008R2 mode (let's call them conditionally A1, A2, A3), each has a DNS service. Site B contains two RODC 2012 R2 (let's call them conditionally B1, B2), each has a DNS service.
For the last two weeks, A1, A2 and B1 have been logging the following errors:
4004
The time during which the DNS server tried to execute the "" operation of the Active Directory service timed out. Verify that Active Directory is functioning correctly. Event data contains error information.
The DNS server could not complete the enumeration of the 39.168.192.in-addr.arpa zone in the directory service. This DNS server is configured to retrieve and use data from Active Directory for the specified zone and can not load the zone without them. Check that the Active Directory is working properly, and repeat the enumeration of the zone. Additional debugging error information: "" (may be absent). Event data contains error information.
4016
The time during which the DNS server tried to execute on "DC = 36, DC = 200.10.10.in-addr.arpa, cn = MicrosoftDNS, DC = DomainDnsZones, DC = DOMAINNAME, DC = en" is an Active Directory service operation. Verify that Active Directory is functioning correctly. Event data contains error information.
The time during which the DNS server tried to execute on "DC = SERVERNAME, DC = DOMAINNAME.ru, cn = MicrosoftDNS, DC = DomainDnsZones, DC = DOMAINNAME, DC = en" is an Active Directory service operation. Verify that Active Directory is functioning correctly. Event data contains error information.
The time during which the DNS server tried to execute on "DC = _ldap._tcp.gc, DC = _msdcs.DOMAINNAME.ru, cn = MicrosoftDNS, DC = ForestDnsZones, DC = DOMAINNAME, DC = en" is an Active Directory service operation. Verify that Active Directory is functioning correctly. Event data contains error information.
The time during which the DNS server tried to execute on "DC = WORKSTATIONNAME, DC = DOMAINNAME.ru, cn = MicrosoftDNS, DC = DomainDnsZones, DC = DOMAINNAME, DC = en" is an Active Directory service operation. Verify that Active Directory is functioning correctly. Event data contains error information.
At the same time, there are no visible failures in the domain. Everything functions without problems. The errors are spread over 6-8 hours with a period of 10 hours. The infrastructure has been operating in its current form for more than a year and no changes have been made to it. These errors appeared suddenly.
In the AD logs there are no errors - from the word "absolutely"!
Dcdiag passes almost without errors. Those that it catches are related to stopping replication because of the backup systemstate.
I did not find a solution to the problem, although many people write about this.
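An added example, not part of the original post: one way to check the timing described above is to pull events 4004 and 4016 from each affected server, count them per hour, and list which directory objects the 4016 messages name. The server names are the thread's placeholders, and extracting the quoted distinguished name from the message text is an assumption about the message layout.

```powershell
# Run elevated from a management host.
# A1, A2 and B1 are the placeholder names used in the post; replace with real names.
$servers = 'A1', 'A2', 'B1'
$filter  = @{
    LogName   = 'DNS Server'             # DNS Server event log on a domain controller
    Id        = 4004, 4016
    StartTime = (Get-Date).AddDays(-14)  # "the last two weeks"
}

$events = foreach ($server in $servers) {
    # SilentlyContinue: a server with no matching events raises a non-terminating error
    Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction SilentlyContinue
}

# 1) Hourly counts per server and event ID, to see the bursts and the gaps between them
$events |
    Group-Object MachineName, Id, { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } -NoElement |
    Sort-Object Name |
    Format-Table Count, Name -AutoSize

# 2) Objects named in the 4016 messages (assumption: the DN is the first quoted string)
$events |
    Where-Object Id -eq 4016 |
    ForEach-Object { if ($_.Message -match '"([^"]+)"') { $Matches[1] } } |
    Group-Object -NoElement |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name
```

The hourly table can then be compared against scheduled jobs on the same servers, such as the system state backup mentioned in the post.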
All replies (13)
Friday, June 2, 2017 7:12 AM
Hi Denis Kotik,
>>Dcdiag passes almost without errors. Those that it catches are related to stopping replication because of the backup systemstate.
Did you run the command dcdiag /test:dns? If not, please post the warnings and errors from the dcdiag /test:dns results, so we can troubleshoot this issue efficiently.
Best Regards,
Candy
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Friday, June 2, 2017 7:45 AM
These are the dcdiag /test:dns results. And I forgot to say that we don't have an internet connection in our domain.
DC1
Diagnostics of the Directory Server
Perform the initial setup:
An attempt is made to find the primary server ...
Primary Server = A1
* Defined forest AD.
The collection of the initial data is completed.
Performing mandatory initial checks
Validation server: CA \ A1
Running the test: Connectivity
......................... A1 - passed the Connectivity check
Performing Basic Checks
Validation server: CA \ A1
Running the scan: DNS
DNS checks are performed without hanging. Wait a few minutes ...
......................... A1 - DNS check failed
Performing partition checks on: ForestDnsZones
Performing partition checks on: DomainDnsZones
Performing partition checks on: Schema
Performing partition checks on: Configuration
Performing partition checks on: DOMAINNAME
Execution of company checks on: DOMAINNAME.ru
Running the scan: DNS
The results of checking domain controllers:
Domain Controller: A1.DOMAINNAME.ru
Domain: DOMAINNAME.ru
TEST: Basic (Basc)
Warning: no DNS RPC connectivity (error or non Microsoft DNS server is running)
A1 PASS WARN n / a n / a n / a n / a n / a
......................... DOMAINNAME.ru - passed DNS check
================
DC2
Diagnostics of the Directory Server
Perform the initial setup:
An attempt is made to find the primary server ...
Primary Server = A2
* Defined forest AD.
The collection of the initial data is completed.
Performing mandatory initial checks
Validation server: CA \ A2
Running the test: Connectivity
......................... A2 - passed the Connectivity test
Performing Basic Checks
Validation server: CA \ A2
Running the scan: DNS
DNS checks are performed without hanging. Wait a few minutes ...
......................... A2 - DNS check failed
Performing partition checks on: ForestDnsZones
Performing partition checks on: DomainDnsZones
Performing partition checks on: Schema
Performing partition checks on: Configuration
Performing partition checks on: DOMAINNAME
Execution of company checks on: DOMAINNAME.ru
Running the scan: DNS
The results of checking domain controllers:
Domain Controller: A2.DOMAINNAME.ru
Domain: DOMAINNAME.ru
TEST: Basic (Basc)
Warning: no DNS RPC connectivity (error or non Microsoft DNS server is running)
A2 PASS WARN n / a n / a n / a n / a n / a
......................... DOMAINNAME.ru - passed DNS check
Monday, June 5, 2017 8:08 AM
Hi Denis Kotik,
>> DNS checks are performed without hanging. Wait a few minutes ...
* ......................... A1 - DNS check failed*
>>TEST: Basic (Basc)
* Warning: no DNS RPC connectivity (error or non Microsoft DNS server is running)*
Please check if the DNS server is a Bind in your domain.
For your reference:
Best Regards,
Candy
Monday, June 5, 2017 1:27 PM
Sorry, but it was my fault. I started the dcdiag DNS test without administrative permissions.
Here is the real dcdiag log; it's the same for every DC:
Diagnostics of the Directory Server
Perform the initial setup:
An attempt is made to find the primary server ...
Primary Server = A1
* Defined forest AD.
The collection of the initial data is completed.
Performing mandatory initial checks
Validation server: CA \ A1
Running the test: Connectivity
......................... A1 - passed the Connectivity check
Performing Basic Checks
Validation server: CA \ A1
Running the scan: DNS
DNS checks are performed without hanging. Wait a few minutes ...
......................... A1 - passed DNS check
Performing partition checks on: ForestDnsZones
Performing partition checks on: DomainDnsZones
Performing partition checks on: Schema
Performing partition checks on: Configuration
Performing partition checks on: DOMAINNAME
Execution of company checks on: DOMAINNAME.ru
Running the scan: DNS
The results of checking domain controllers:
Domain Controller: A1.DOMAINNAME.ru
Domain: DOMAINNAME.ru
TEST: Forwarders / Root hints (Forw)
Error. Root and forwarding servers are not configured or corrupted. Make sure that at least one of them works.
TEST: Dynamic update (Dyn)
Warning: Failed to delete the test record dcdiag-test-record in zone DOMAINNAME.ru
A report on the results of checking the DNS servers used by the above domain controllers:
DNS-server: 128.63.2.53 (h.root-servers.net.)
1 - check for this DNS server failed
PTR record query for the 1.0.0.127.in-addr.arpa. Failed on the DNS server 128.63.2.53
DNS-server: 128.8.10.90 (d.root-servers.net.)
1 - check for this DNS server failed
PTR record query for the 1.0.0.127.in-addr.arpa. Failed on the DNS server 128.8.10.90
DNS-server: 192.112.36.4 (g.root-servers.net.)
1 - check for this DNS server failed
PTR record query for the 1.0.0.127.in-addr.arpa. Failed on the DNS server 192.112.36.4
DNS-server: 192.203.230.10 (e.root-servers.net.)
1 - check for this DNS server failed
PTR record query for the 1.0.0.127.in-addr.arpa. Failed on the DNS server 192.203.230.10
DNS server: 192.228.79.201 (b.root-servers.net.)
1 - check for this DNS server failed
PTR record query for the 1.0.0.127.in-addr.arpa. Failed on the DNS server 192.228.79.201
DNS-server: 192.33.4.12 (c.root-servers.net.)
1 - check for this DNS server failed
PTR record query for the 1.0.0.127.in-addr.arpa. Failed on the DNS server
DNS-server: 192.36.148.17 (i.root-servers.net.)
1 - check for this DNS server failed
PTR record query for the 1.0.0.127.in-addr.arpa. Failed on the DNS server 192.36.148.17
DNS-server: 192.5.5.241 (f.root-servers.net.)
1 - check for this DNS server failed
PTR record query for the 1.0.0.127.in-addr.arpa. Failed on the DNS server 192.5.5.241
DNS-server: 192.58.128.30 (j.root-servers.net.)
1 - check for this DNS server failed
PTR record query for the 1.0.0.127.in-addr.arpa. Failed on the DNS server 192.58.128.30.
DNS-server: 193.0.14.129 (k.root-servers.net.)
1 - check for this DNS server failed
PTR record query for the 1.0.0.127.in-addr.arpa. Failed on the DNS server 193.0.14.129
DNS Server: 198.41.0.4 (a.root-servers.net.)
1 - check for this DNS server failed
PTR record query for the 1.0.0.127.in-addr.arpa. Failed on the DNS server 198.41.0.4
DNS server: 199.7.83.42 (l.root-servers.net.)
1 - check for this DNS server failed
PTR record query for the 1.0.0.127.in-addr.arpa. Failed on the DNS server 199.7.83.42
DNS-server: 202.12.27.33 (m.root-servers.net.)
1 - check for this DNS server failed
PTR record query for the 1.0.0.127.in-addr.arpa. Failed on the DNS server 202.12.27.33
DNS Result Check Report:
Auth Basc ForW Del Dyn RReg Ext
_________________________________________________________________
Domain: DOMAINNAME.ru
A1 PASS PASS FAIL PASS WARN PASS n / a
......................... DOMAINNAME.ru - DNS check failed
Tuesday, June 6, 2017 8:17 AM
Hi Denis Kotik,
>>Warning: Failed to delete the test record dcdiag-test-record in zone DOMAINNAME.ru
This warning occurred because the Dynamic updates method selected on the DNS server is “Nonsecure and Secure”. Please convert the zone to “Secure only” for Dynamic updates and then test again.
In addition, if the Dynamic updates add/delete test record process works properly, we can ignore this warning without issue.
>>Error. Root and forwarding servers are not configured or corrupted. Make sure that at least one of them works.
Did you configure the forwarder? Is the forwarder working properly?
The root hints errors are because of the wrong forwarder configured.
When you access an external website, it will use root hints and the forwarder to resolve the external website, but if the forwarder is wrongly configured, root hints will fail, and that's why you see that result.
You could configure the forwarder with 8.8.8.8 and run dcdiag /test:DNS again to check if the problem is still there.
You could also contact your ISP, get the public DNS server for your domain and run the command again.
Best Regards,
Candy
Tuesday, June 6, 2017 8:46 AM
>>Error. Root and forwarding servers are not configured or corrupted. Make sure that at least one of them works.
>>Did you configure the forwarder? Is the forwarder working properly?
>>The root hints errors are because of the wrong forwarder configured.
>>When you access an external website, it will use root hints and the forwarder to resolve the external website, but if the forwarder is wrongly configured, root hints will fail, and that's why you see that result.
>>You could configure the forwarder with 8.8.8.8 and run dcdiag /test:DNS again to check if the problem is still there.
>>You could also contact your ISP, get the public DNS server for your domain and run the command again.
Hi, thank you for the answer. But we don't have and don't need an internet connection in our domain. So I think this is a normal error for a disconnected network.
About "Secure only" - I'll try it.
Tuesday, June 6, 2017 8:53 AM
Hi Denis Kotik,
Thanks for your posting here.
If you have any updates, please feel free to let me know.
Best Regards,
Candy
Tuesday, June 6, 2017 8:56 AM
So there is a problem. We have non-authoritative DHCP in our domain. I think it will be a problem to add addresses from this DHCP to DNS if I turn on "Secure only", isn't it?
Tuesday, June 6, 2017 9:25 AM
Hi Denis Kotik,
>>We have non-authoritative DHCP in our domain.
Non-authoritative DHCP will not be affected.
Generally, there will be no problem.
Best Regards,
Candy
Tuesday, June 6, 2017 12:17 PM
>>Warning: Failed to delete the test record dcdiag-test-record in zone DOMAINNAME.ru
Ok. This error disappeared after I turned on "Secure only" mode. But what now? Everything seems to be OK in the domain, but today we had a lot of 4016 errors again. I just really don't know where to search now. All logs are good except DNS. And I think it's not good to ignore such a problem.
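An added example, not part of the original posts: the "Secure only" setting discussed above can be audited across all AD-integrated zones, since a zone left on "Nonsecure and Secure" accepts unauthenticated record updates. The server names are the thread's placeholders for the writable DCs in site A; the change is shown with -WhatIf so nothing is modified until that switch is removed.

```powershell
# Requires the DnsServer module (RSAT DNS Server tools) and an elevated session.
# A1, A2 and A3 are the placeholder names used in the thread; replace with real names.
$servers = 'A1', 'A2', 'A3'

$report = foreach ($server in $servers) {
    Get-DnsServerZone -ComputerName $server |
        Where-Object { $_.IsDsIntegrated -and -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' } |
        ForEach-Object {
            [pscustomobject]@{
                Server        = $server
                Zone          = $_.ZoneName
                Reverse       = $_.IsReverseLookupZone
                DynamicUpdate = $_.DynamicUpdate   # None | Secure | NonsecureAndSecure
            }
        }
}

# Every server should report the same value for a given AD-integrated zone
$report | Sort-Object Zone, Server | Format-Table -AutoSize

# Zones that still accept unauthenticated dynamic updates.
# The setting is stored with the zone in AD, so one change per zone is enough.
$weak = $report |
    Where-Object DynamicUpdate -eq 'NonsecureAndSecure' |
    Sort-Object Zone -Unique

foreach ($zone in $weak) {
    # Remove -WhatIf to apply the change
    Set-DnsServerPrimaryZone -ComputerName $zone.Server -Name $zone.Zone `
        -DynamicUpdate Secure -WhatIf
}
```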
Wednesday, June 7, 2017 8:50 AM
Hi Denis Kotik,
Please use ADSI Edit to make sure no duplicate zones exist.
**Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones**
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Best Regards,
Candy
Wednesday, June 7, 2017 9:17 AM
Hi Candy.
Thank you for trying to help me, but still nothing. I looked in ADSI. We haven't any duplicate zones.
Wednesday, June 7, 2017 9:26 AM
Hi Denis Kotik,
I have researched for a period of time but I did not find other useful information related to this issue.
I suggest you could open a case with Microsoft, more in-depth investigation can be done so that you would get a more satisfying explanation and solution to this issue.
Here is the link:
https://support.microsoft.com/en-us/gp/support-options-for-business
Best Regards,
Candy