stewartje


Event ID 4000 causing DNS problems and Event ID 1000 userenv problems.

Help Help Help.

I have been having problems with our server.  We have a:
P3 1200 Dell
785 Ram with around 500 being used currently.
SCSI HDD 18 GB

We have been getting the following errors and it has forced me to reboot the server at least once every 4 to 5 days for the past three weeks.

 Event ID 4000 and 4004 keep repeating themselves whereas 408, 407 and 9999 show up every hour.  We have also been getting userenv errors 1000.  I believe these to be causing network instability, users have trouble sending and receiving files and it seems to be giving GroupWise a hard time.

Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4004
Computer:      SERVER
Description:
The DNS server was unable to complete directory service enumeration of zone XXXX.local.  This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and repeat enumeration of the zone. The event data contains the error.


Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4000
Computer:      SERVER
Description:
The DNS server was unable to open Active Directory.  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      408
Computer:      SERVER
Description:
The DNS server could not open socket for address 0.0.0.0.
Verify that this is a valid IP address for the server computer.  If it is NOT valid use the Interfaces dialog under Server Properties in the DNS Manager to remove it from the list of IP interfaces.  Then stop and restart the DNS server. (If this was the only IP interface on this machine and the DNS server may not have started as a result of this error.  In that case remove the DNS\Parmeters\ ListenAddress value in the services section of the registry and restart.)
 
If this is a valid IP address for this machine, make sure that no other application (e.g. another DNS server) is running that would attempt to use the DNS port.


Event Type:      Warning
Event Source:      DNS
Event Category:      None
Event ID:      9999
Computer:      SERVER
Description:
The DNS server has encountered numerous run-time events.  These are usually caused by the reception of bad or unexpected packets, or from problems with or excessive replication traffic.  The data is the number of suppressed events encountered in the last 15 minute interval.

Zaheer Iqbal

Event ID: 4004
Source DNS  
Type Error  
Description The DNS server was unable to complete directory service enumeration of zone .. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The event data contains the error.  
Things to understand What is the role of a DNS server?  
Comments Anonymous (Last update 2/17/2004):
In my case, this error appeared after I changed the network and I forgot to change the reverse lookup zone.

Ionut Marin (Last update 2/17/2004):
From a newsgroup post: "If you have 2 DC/DNS servers, to avoid this error, make sure you have the following under IP properties:
DC1:
  First DNS address points to DC2.
  Second DNS address points to itself.
DC2:
  First DNS address points to DC1.
  Second DNS address points to itself".

From a newsgroup post: "This can be caused if you have a single DC or two DCs and they point to themselves as the first entry in the DNS list in IP properties and the zone is AD Integrated. Reason could be that the DC has many services running on it (SQL, Exchange, etc.) or is a slower machine, and when the Netlogon service tries to register into the zone at boot time, AD is not quite initialized yet and so you get the error. You can either ignore it or change the zone to a Primary, or if you have multiple DCs, change the first entry to the partner and the second to itself".

Dennis Mueller
The error may occur if the "RootDNSServers" entry was deleted and the DNS job not restarted.

Adrian Grigorof
It is likely that the DC either is not configured to use a DNS server that has a valid copy of the DNS zone, or the zone does not have the needed SRV records. Running DCDiag (from the Windows 2000 Resource Kit) may provide some information about the source of the errors. Also, NETDiag can be run for additional information.

Benjamin Scott
MS PSS reports this error may occur in a single-server environment, during server startup, for AD-integrated DNS zones.  Apparently, DNS is starting before AD is ready to answer queries, and DNS cannot wait for AD to start since AD needs DNS.  PSS reports the error can be ignored, as the DNS zones will load as soon as AD is ready.  PSS said that switching to a standard (not AD-integrated) zone would work around the problem.  
Event ID: 408
Source DNS  
Type Error  
Description DNS Server could not open socket for address [IP address of server]. Verify that this is a valid IP address on this machine. If it is NOT valid use the Interfaces dialog under Server Properties in the DNS Manager to remove it from the list of IP interfaces. Then stop and restart the DNS server. (If this was the only IP interface on this machine and the DNS server may not have started as a result of this error. In that case remove the DNS\Parmeters\ListenAddress value in the services section of the registry and restart.) If this is a valid IP address for this machine, make sure that no other application (e.g. another DNS server) is running that would attempt to use the DNS port.  
Things to understand What is the role of a DNS server?  
Comments Adrian Grigorof (Last update 11/10/2003):
According to Microsoft, this problem was corrected in Windows 2000 SP2. See Q260186 for more details.

Ionut Marin (Last update 11/10/2003):
As per Microsoft: "These errors can occur on computers that have both of the following services installed on the same server: Network Address Translation (NAT) and DNS Server". See Q279678 to fix this problem.


Event ID: 9999
Source DNS  
Type Warning  
Description DNS Server has encounters numerous run-time events. These are usually caused by the reception of bad or unexpected packets, or from problems with or excessive replication traffic. The data is the number of suppressed events encountered in the last 15 minute interval.  
Things to understand What is a “runtime”?
What is the role of a DNS server?  
Comments Adrian Grigorof
As per Microsoft: "The occurrence of these event error messages does not necessarily indicate a problem with the DNS service" This event  indicates that a number of events were blocked by DNS from being logged in Event Viewer (the number itself is in the "Data" section). After this event, the logging starts again.  

Event ID: 407
Source DNS  
Type Error  
Description Description: DNS server could not bind a Datagram (UDP) socket to [IP_address]. The data is the error.  
Things to understand What is the role of a DNS server?  
Comments Adrian Grigorof (Last update 11/10/2003):
According to Microsoft, this problem was corrected in Windows 2000 SP2. See Q260186 for more details.

Ionut Marin (Last update 11/10/2003):
As per Microsoft: "These errors can occur on computers that have both of the following services installed on the same server: Network Address Translation (NAT) and DNS Server". See Q279678 for more details.


For userenv errors http://www.eventid.net/display.asp?eventid=1000&source=userenv

stewartje

ASKER

1stITMAN

I found the same replies that you did for these problems.  However none fit nor worked for my situation.  I tried to run dcdiag but it would not work on our server.

I only have 1 DC and DNS server and I do not have a reverse zone set up.

I know about AD and how it wants to talk to DNS when the server first boots up.  The problem is forcing me to reboot so that clients can connect to the server and email can work etc...


My server is a logon server, an email server, and a database server for Lytec (a medical practice management) software.

I am not sure I understand the role of the DNS server and runtime???  

I have used event ID; it only gives you a generic response and does not really explain what to do or what is going on.





>I tried to run dcdiag but it would not work on our server.
How's that? Does it give any errors?

And how about netdiag?..
Should I post the results of the netdiag and, if I can get the dcdiag to work, should I post them as well?

Jon
Yes this will help in diagnosing
>should I post the results of the netdiag
Yes it would be handy.

>if I can get the dcdiag to work
Even if you can't, post exact message that appears when you execute "dcdiag" command from command prompt.
This is the error I get when trying to run dcdiag from the command prompt.
    "The procedure entry point DsISMangledDnW could not be located in the dynamic link library NTDSAPI.dll"

Also, as a side note, I have to change directories to the resource folder in order to get dcdiag or netdiag to even think about running.  Other programs of this nature usually know and run from the c:

Here is the netdiag info:


    Computer Name: SERVER
    DNS Host Name: SERVER.XXX.local
    System info : Windows 2000 Server (Build 2195)
    Processor : x86 Family 6 Model 11 Stepping 4, GenuineIntel
    List of installed hotfixes :
        KB329115
        KB819696
        KB823182
        KB823559
        KB824105
        KB824141
        KB824146
        KB825119
        KB826232
        KB828028
        KB828035
        KB828749
        Q147222
        Q816093


Netcard queries test . . . . . . . : Passed



Per interface results:

    Adapter : Local Area Connection

        Netcard queries test . . . : Passed

        Host Name. . . . . . . . . : SERVER
        IP Address . . . . . . . . : 192.168.1.20
        Subnet Mask. . . . . . . . : 255.255.255.0
        Default Gateway. . . . . . : 192.168.1.1
        Dns Servers. . . . . . . . : 192.168.1.20


        AutoConfiguration results. . . . . . : Passed

        Default gateway test . . . : Passed

        NetBT name test. . . . . . : Passed
            No remote names have been found.

        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{CEC6277A-226B-4130-929F-FF93F4D40884}
    1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '192.168.1.20' and other DCs also have some of the names registered.


Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{CEC6277A-226B-4130-929F-FF93F4D40884}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{CEC6277A-226B-4130-929F-FF93F4D40884}
    The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed
    [WARNING] Failed to query SPN registration on DC 'testserver.SBHS.local'.


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
    No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Passed
    IPSec policy service is active, but no policy is assigned.


The command completed successfully
Ok,
Check this PAQ to get dcdiag working.

dcdiag.exe - Entry Point Not Found:
https://www.experts-exchange.com/questions/20585683/dcdiag-exe-Entry-Point-Not-Found.html

netdiag output looks fine except this line:

    [WARNING] Failed to query SPN registration on DC 'testserver.SBHS.local'.

This is not necessarily an error though. Check this MSKB article:
Netdiag.exe Does Not Query SPN Registration When Down-Level Name Is Different:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;297384

Is testserver another DC in your domain? If so, does it have same problems or working fine?

Don't forget to fix and run dcdiag.
I went to the experts PAQ suggested and tried to reinstall the adminpak.  That did not make dcdiag work.  I got the same error as earlier.
I also downloaded the Windows 2000 SP4 Support tools and installed them.  No change, dcdiag still did not work and I received the same error as listed earlier.


Testserver was literally a test server to help me learn more about GroupWise and how to manage a server.  I removed it a couple of weeks ago.   It is not connected to the server.  

Any suggestions on the dcdiag problem.

I will up the points if that's what it takes.

jon
How about copying or even checking the version number of the dll on all your servers? If it differs then we should be able to copy it over and re-register it, I hope.
1stITMAN,

Sorry but I am not sure what you are asking.  Which DLL would you like me to check?  I have only one server currently working here.

Jon
Sorry the dll  NTDSAPI.dll check version etc.. against other servers
ok.  what happened????  I guess what I did worked but I did not check it from the c:\.  I navigated to the folder the dcdiag was under to run it.

dcdiag works now and it works from the c:\..........

here are the results

C:\>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site\SERVER
      Starting test: Connectivity
         ......................... SERVER passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site\SERVER
      Starting test: Replications
         [Replications Check,SERVER] A recent replication attempt failed:
            From TESTSERVER to SERVER
            Naming Context: CN=Schema,CN=Configuration,DC=XXXX,DC=local
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            The failure occurred at 2004-03-03 16:45.20.
            The last success occurred at 2004-01-28 20:45.13.
            844 failures have occurred since the last success.
            The guid-based DNS name ad5177d8-5d87-4f92-bb0b-23a242691ca0._msdcs.XXXX.local
            is not registered on one or more DNS servers.
         [TESTSERVER] DsBind() failed with error 1722,
         The RPC server is unavailable..
         [Replications Check,SERVER] A recent replication attempt failed:
            From TESTSERVER to SERVER
            Naming Context: CN=Configuration,DC=XXXX,DC=local
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            The failure occurred at 2004-03-03 16:45.20.
            The last success occurred at 2004-01-28 21:26.58.
            844 failures have occurred since the last success.
            The guid-based DNS name ad5177d8-5d87-4f92-bb0b-23a242691ca0._msdcs.XXXX.local
            is not registered on one or more DNS servers.
         [Replications Check,SERVER] A recent replication attempt failed:
            From TESTSERVER to SERVER
            Naming Context: DC=XXXX,DC=local
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            The failure occurred at 2004-03-03 16:45.20.
            The last success occurred at 2004-01-28 21:34.42.
            844 failures have occurred since the last success.
            The guid-based DNS name ad5177d8-5d87-4f92-bb0b-23a242691ca0._msdcs.XXXX.local
            is not registered on one or more DNS servers.
         ......................... SERVER passed test Replications
      Starting test: NCSecDesc
         ......................... SERVER passed test NCSecDesc
      Starting test: NetLogons
         ......................... SERVER passed test NetLogons
      Starting test: Advertising
         ......................... SERVER passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... SERVER passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... SERVER passed test RidManager
      Starting test: MachineAccount
         ......................... SERVER passed test MachineAccount
      Starting test: Services
            SMTPSVC Service is stopped on [SERVER]
         ......................... SERVER failed test Services
      Starting test: ObjectsReplicated
         ......................... SERVER passed test ObjectsReplicated
      Starting test: frssysvol
         There are errors after the SYSVOL has been shared.
         The SYSVOL can prevent the AD from starting.
         ......................... SERVER passed test frssysvol
      Starting test: kccevent
         ......................... SERVER passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x0000041B
            Time Generated: 03/03/2004   17:10:59
            Event String: The DHCP/BINL service has determined that it is
         ......................... SERVER failed test systemlog

   Running enterprise tests on : XXXX.local
      Starting test: Intersite
         ......................... XXXX.local passed test Intersite
      Starting test: FsmoCheck
         ......................... XXXX.local passed test FsmoCheck
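
An added example, not part of the thread or of any poster's reply: the dcdiag run above prints "SERVER passed test Replications" while listing 844 failed attempts from TESTSERVER, so the pass/fail lines alone hide a partner that has been unreachable for weeks. This Python script parses dcdiag text output and surfaces both; the function names and the 100-failure threshold are assumptions, and the sample is constructed by trimming the output posted above.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed from the dcdiag output quoted in the thread.
SAMPLE = """\
   Testing server: Default-First-Site\\SERVER
      Starting test: Replications
         [Replications Check,SERVER] A recent replication attempt failed:
            From TESTSERVER to SERVER
            Naming Context: CN=Schema,CN=Configuration,DC=XXXX,DC=local
            The replication generated an error (8524):
            The DSA operation is unable to proceed because of a DNS lookup failure.
            The failure occurred at 2004-03-03 16:45.20.
            The last success occurred at 2004-01-28 20:45.13.
            844 failures have occurred since the last success.
         [Replications Check,SERVER] A recent replication attempt failed:
            From TESTSERVER to SERVER
            Naming Context: DC=XXXX,DC=local
            The replication generated an error (8524):
            The failure occurred at 2004-03-03 16:45.20.
            The last success occurred at 2004-01-28 21:34.42.
            844 failures have occurred since the last success.
         ......................... SERVER passed test Replications
      Starting test: Services
            SMTPSVC Service is stopped on [SERVER]
         ......................... SERVER failed test Services
      Starting test: kccevent
         ......................... SERVER passed test kccevent
"""

START = re.compile(r"^Starting test: (\S+)")
RESULT = re.compile(r"^\.{5,} (\S+) (passed|failed) test (\S+)")
SOURCE = re.compile(r"^From (\S+) to (\S+)")
FIELDS = {
    "nc": (re.compile(r"^Naming Context: (.+)$"), str),
    "error": (re.compile(r"generated an error \((\d+)\)"), int),
    "count": (re.compile(r"^(\d+) failures have occurred since the last success"), int),
    "last_ok": (re.compile(r"last success occurred at (\d{4}-\d{2}-\d{2})"), str),
}


def parse_dcdiag(text):
    """Return (tests, failures): per-test result/details and replication failure records."""
    tests, failures = {}, []
    current = rec = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = START.match(line)
        if m:
            current, rec = m.group(1), None
            tests[current] = {"result": None, "details": []}
            continue
        m = RESULT.match(line)
        if m:
            tests.setdefault(m.group(3), {"result": None, "details": []})["result"] = m.group(2)
            current = rec = None
            continue
        if current is None:
            continue  # banner lines outside any test
        tests[current]["details"].append(line)
        m = SOURCE.match(line)
        if m:  # a new failure record starts at its "From X to Y" line
            rec = {"source": m.group(1), "dest": m.group(2), "nc": None,
                   "error": None, "count": 0, "last_ok": None}
            failures.append(rec)
        elif rec is not None:
            for key, (rx, conv) in FIELDS.items():
                m = rx.search(line)
                if m:
                    rec[key] = conv(m.group(1))
    return tests, failures


def stale_partners(failures, min_failures=100):
    """Group failures by source DC; keep sources at or above the (assumed) threshold."""
    grouped = defaultdict(lambda: {"contexts": [], "errors": set(),
                                   "max_count": 0, "last_ok": None})
    for f in failures:
        g = grouped[f["source"]]
        g["contexts"].append(f["nc"])
        if f["error"] is not None:
            g["errors"].add(f["error"])
        g["max_count"] = max(g["max_count"], f["count"])
        if f["last_ok"] and (g["last_ok"] is None or f["last_ok"] > g["last_ok"]):
            g["last_ok"] = f["last_ok"]
    return {s: g for s, g in grouped.items() if g["max_count"] >= min_failures}


def passed_with_findings(tests):
    """Tests dcdiag marked 'passed' that still printed detail lines worth reading."""
    return sorted(n for n, t in tests.items() if t["result"] == "passed" and t["details"])


if __name__ == "__main__":
    tests, failures = parse_dcdiag(SAMPLE)
    print("passed with findings:", passed_with_findings(tests))
    for src, info in stale_partners(failures).items():
        print(src, info["max_count"], sorted(info["errors"]), info["last_ok"])
```
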
ASKER CERTIFIED SOLUTION
4auHuk
This solution is only available to members.
4auHuk

Thanks for the analysis.

Yes I just unplugged testserver from the network and took it home.  I can plug it back in and try dcpromo.  I have never had to promote or demote a server so this should be fun.  

Here are some errors in the FRS event log:

The first one I am listing showed up after the last time I rebooted.  Seems like rebooting helps restore the sysvol?
The second error is from today and refers to what you wrote about with testserver

Event Type:      Information
Event Source:      NtFrs
Event Category:      None
Event ID:      13516
Date:            2/26/2004
Time:            10:01:39 PM
User:            N/A
Computer:      SERVER
Description:
The File Replication Service is no longer preventing the computer SERVER from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
 
Type "net share" to check for the SYSVOL share.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Event Type:      Warning
Event Source:      NtFrs
Event Category:      None
Event ID:      13508
Date:            3/5/2004
Time:            8:57:54 AM
User:            N/A
Computer:      SERVER
Description:
The File Replication Service is having trouble enabling replication from TESTSERVER to SERVER for c:\winnt\sysvol\domain using the DNS name testserver.XXXX.local. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name testserver.XXXX.local from this computer.
 [2] FRS is not running on testserver.XXX.local.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.



What do I do next??????
Let's fix FRS issues first and see if it fixes other.

HOW TO: Promote and Demote Domain Controllers in Windows 2000:
http://support.microsoft.com/default.aspx?scid=kb;en-us;238369#6
Here we are more info on ur errors

Event ID: 13516
Source NtFrs  
Type Information  
Description The File Replication Service is no longer preventing the computer DESCARTES from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.

Type "net share" to check for the SYSVOL share.  
Things to understand  
Comments Ionut Marin (Last update 12/29/2003):
Q315457 gives information on how to rebuild SYSVOL and its content in a Domain. This event also appears in the contents of this article.

Adrian Grigorof
This event is generated when a Windows 2000 domain controller boots or the FRS (File Replication Service) is restarted. This behavior is by design - the event is just informational. The events 13502, 13503, and 13501 are usually generated  before 13516


SOLUTION
This solution is only available to members.
1stITMAN,

You just love to copy-paste from eventid.net as i can see from many posts, eh? :)

No offence, mate...
Well if they help why not?
Thanks gentlemen.  This is good info and I will read over this and take the necessary steps tomorrow at work.

jon
Ok.  I demoted the testserver and it was successful, or so it said it was, but the event log on the DC Server does not indicate it yet.

My sysvol seems to be ok.  It is being shared correctly.

I have had time server problems in the past.  We have one server and it acts as the authoritative server for the whole network.  I have the Server SNTP set to get its time from one of the listed time servers I could find on Microsoft's web site.  

Last thing, our server is in Mixed Mode and not Native Mode.  Would this be causing any problems????  I have done my homework and understand the difference.  I thought I would ask?????

Jon
>I have had time server problems in the past
So you fixed this problem earlier? And what exactly was the problem? If you mean that PDC emulator complains that it is upper server in hierarchy and should be configured to acquire time from external source - this is not a real problem. It should be a problem only if you *need* your domain time to be synchronized with external time for some reason which is not always necessary.

>our server is in Mixed Mode and not Native Mode
This should not be a problem either. However, if you don't have any legacy OS on servers/workstations in your domain or in trusted domains, i don't see a reason for your AD to operate in mixed mode.

So you seem to fix FRS issues. You might want to check this by dcdiag again.

How about main issue, do events 4000, 4004 and 408 still appear?

Best,
4auHuk
4auHuk,

The time problem is that the Server does not get an answer from the remote SNTP server.

Would you recommend changing the server to Native mode?

No DNS errors since 2/27/04.  I have no 4000, 4004, 408, or 9999 errors in the event viewer.

Here are the latest dcdiag results.

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site\SERVER
      Starting test: Connectivity
         ......................... SERVER passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site\SERVER
      Starting test: Replications
         ......................... SERVER passed test Replications
      Starting test: NCSecDesc
         ......................... SERVER passed test NCSecDesc
      Starting test: NetLogons
         ......................... SERVER passed test NetLogons
      Starting test: Advertising
         ......................... SERVER passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... SERVER passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... SERVER passed test RidManager
      Starting test: MachineAccount
         ......................... SERVER passed test MachineAccount
      Starting test: Services
            SMTPSVC Service is stopped on [SERVER]
         ......................... SERVER failed test Services
      Starting test: ObjectsReplicated
         ......................... SERVER passed test ObjectsReplicated
      Starting test: frssysvol
         There are errors after the SYSVOL has been shared.
         The SYSVOL can prevent the AD from starting.
         ......................... SERVER passed test frssysvol
      Starting test: kccevent
         ......................... SERVER passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x0000041B
            Time Generated: 03/10/2004   13:22:58
            Event String: The DHCP/BINL service has determined that it is
         ......................... SERVER failed test systemlog

   Running enterprise tests on : SBHS.local
      Starting test: Intersite
         ......................... SBHS.local passed test Intersite
      Starting test: FsmoCheck
         ......................... SBHS.local passed test FsmoCheck

What do you think?

Jon
>What do you think?
Looks good.

This part
>>Starting test: frssysvol
>>         There are errors after the SYSVOL has been shared.
>>         The SYSVOL can prevent the AD from starting.
>>         ......................... SERVER passed test frssysvol
may be because of old event log entries but you might want to check if there's any recent events related to FRS failures.

This part:
Starting test: systemlog
>>         An Error Event occured.  EventID: 0x0000041B
>>            Time Generated: 03/10/2004   13:22:58
>>            Event String: The DHCP/BINL service has determined that it is
>>         ......................... SERVER failed test systemlog
is because you have unauthorized (not configured yet?) DHCP or RIS service. But this is not a problem.

>Would you recommend changing the server to Native mode?
This is up to your setup. If you have pure win2k environment, you can take advantage of advanced options available in native mode. You said that you understand differences between native and mixed mode, but extra reading never hurts so i will refer you to this article on topic:

Mixed Mode vs. Native Mode:
http://www.win2000mag.com/Articles/Print.cfm?Action=Print&ArticleID=7156


4auHuk
Thanks :)
4auHuk,

Thank you for your time and patience.
Jon
Well done sorted at last..
Need help

I have 5 windows 2000 server out of which one of them is master domain controller which holds AD database, PDC, RID, Infrastructure Master and GC along with local DNS and rest of the servers are additional domain controller. Unfortunately my master domain controller was crashed due to severe power fluctuation and I did not have ERD and backup.

4 Additional domain controllers now service the network clients and working fine.

I tried to upgrade the OS on my domain controller but failed so had nothing but to newly installed the OS on the domain controller with same forest name DNS and AD information. Now I am facing the real problem it does not replicate with existing additional domain controller but additional domain controllers replicates each other except the new domain controller.

I demote one of the additional domain controllers successfully. Whenever I try to promote this demoted server with new master domain controller it gives me error regarding DNS. The error message is (The domain  “example.microst.com” cannot be connected. Ensure that the DNS domain name is typed correctly. This condition may be caused by DNS lookup problem). We have checked the DNS lookup by nslookup command and return the expected result.

The additional domain controller does not get access to the domain controller but domain controller can access all additional domain controllers but does not replicate with additional domain controller.

If you have an answer for this, please let me know. It would be an enormous help for me.  


Shahed Kamal
skamal@cegisbd.com
Plz post event log errors that correspond to the problems you are having..
Hi shahed,

Would you like to setup a new post and specify some points please??...;)

Don't worry, I'll give you some pointers regardless!

Please see my posts in this section..I had a very similar problem though my backups were okay so I had something to start from....

Using the tools (nltest, netdiag, dcdiag etc etc) from Windows 2000 CD support folder (install them first) check for:

1). disjoint namespace....
http://support.microsoft.com/default.aspx?kbid=257623&product=win2000

2). Check the location of the sysvol folder on both the working DC's and your re-installed DC (NOT restored DC - note) - see my post at this site....
https://www.experts-exchange.com/questions/20951901/Event-ID-5721-Net-Logon-issue-for-restored-DC.html

3). Check the machine accounts on the DC's via article 260575 - How To: Use Netdom.exe to reset Machine Account Passwords of Windows 2000 Domain Controllers....
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q260575

- if you see the following...

"When I run netdiag it fails for the trust relationship test....

Trust relationship test.......failed
[Fatal] Secure channel to domain 'ourdomain' is broken.
[Error_No_Trust_SAM_Account]"

- hope this helps! - good luck...

supag33k