j0s3ph asked:

Active Directory/DNS Problem

I have two Windows 2003 Servers that are DC's.  A couple of times in the last week I have had to restart my server because Active Directory is having problems on one of the DC's.  DNS is being resolved in a forwarding manner, because people can get to e-mail and the web, but they cannot get to the domain over My Network Places.  The event IDs I am getting are 4000, 4004, and 4015, and all of them have a source of DNS.  We get a couple of 4004's and 4015's, but most of them are event ID 4000's that happen before Active Directory is unreachable.  Thanks for the help.

Here are the errors:

Event ID: 4015
Time: 3:45am
Source: DNS
Description:  The DNS server has encountered a critical error from
the Active Directory. Check that the Active Directory is functioning
properly. The extended error debug information (which may be empty)
is "". The event data contains the error.

Event ID: 4004
Time: 3:45am
Source: DNS
Description: The DNS server was unable to complete directory service
enumeration of zone ..  This DNS server is configured to use
information obtained from Active Directory for this zone and is unable
to load the zone without it.  Check that the Active Directory is
functioning properly and repeat enumeration of the zone. The extended
error debug information (which may be empty) is "". The event data
contains the error.

Event ID: 4004
Time: 3:45am
Source: DNS
Description: The DNS server was unable to complete directory service
enumeration of zone _msdcs.ourdomain.local.  This DNS server is configured to
use information obtained from Active Directory for this zone and is
unable to load the zone without it.  Check that the Active Directory is
functioning properly and repeat enumeration of the zone. The extended
error debug information (which may be empty) is "". The event data
contains the error.

Event ID: 4004
Time: 3:45am
Source: DNS
Description: The DNS server was unable to complete directory service
enumeration of zone ..  This DNS server is configured to use information
obtained from Active Directory for this zone and is unable to load
the zone without it.  Check that the Active Directory is functioning
properly and repeat enumeration of the zone. The extended error debug
information (which may be empty) is "". The event data contains the
error.

Event ID: 4015
Time: 3:45am
Source: DNS
Description:  The DNS server has encountered a critical error from
the Active Directory. Check that the Active Directory is functioning
properly. The extended error debug information (which may be empty)
is "". The event data contains the error.

Event ID: 4000
Time: 3:48am
Source: DNS
Description: The DNS server was unable to open Active Directory.  This
DNS server is configured to obtain and use information from the
directory for this zone and is unable to load the zone without it.  
Check that the Active Directory is functioning properly and reload the
zone. The event data is the error code.
MFK:

Please run dcdiag and post the results.
Check that you have DNS zones (forward and reverse) that match active directory.

Check that you can do forward and reverse nslookups from both your systems successfully.

nslookup
> server.domain.com   should give you your server's IP
> <server ip>         should give you the fully qualified server name

if these are broken, AD is broken.

- Fred
j0s3ph (ASKER):
Here are the results of the DCDIAG.
The DCDIAG posted this:
Domain Controller Diagnosis
Performing initial setup:
[OURSERVER] Directory Binding Error -2146892976:
The system detected a possible attempt to compromise security.  Please ensure
that you can contact the server that authenticated you.
This may limit some of the tests that can be performed.
Done gathering initial info.

Doing initial required tests
Testing server: Default-First-Site\OURSERVER
Starting test: Connectivity
[OURSERVER] DsBindWithSpnEx() failed with error -2146892976,
The system detected a possible attempt to compromise security.  Please
ensure that you can contact the server that authenticated you..
 ......................... OURSERVER failed test Connectivity

Doing primary tests
Testing server: Default-First-Site\OURSERVER
Skipping all tests, because server OURSERVER is
not responding to directory service requests

Running partition tests on : TAPI3Directory
Starting test: CrossRefValidation
......................... TAPI3Directory passed test CrossRefValidation

Starting test: CheckSDRefDom
......................... TAPI3Directory passed test CheckSDRefDom

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation

Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation

Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : OURDOMAIN
Starting test: CrossRefValidation
......................... OURDOMAIN passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... OURDOMAIN passed test CheckSDRefDom

Running enterprise tests on : OURDOMAIN.local
Starting test: Intersite
......................... OURDOMAIN.local passed test Intersite
Starting test: FsmoCheck
......................... OURDOMAIN.local passed test FsmoCheck
j0s3ph (ASKER):
Here are the results for nslookup:
C:\Documents and Settings\myuser>nslookup
*** Can't find server name for address 192.168.1.2: Non-existent domain
Default Server:  UnKnown
Address:  192.168.1.2
> ourserver.ourdomain.com
Server:  UnKnown
Address:  192.168.1.2

Non-authoritative answer:
Name:    ourserver.ourdomain.com
Address:  69.11.210.140

> 192.168.1.2
Server:  UnKnown
Address:  192.168.1.2
*** UnKnown can't find 192.168.1.2: Non-existent domain
>
Your DC should be running Active Directory integrated DNS and its NIC should only point at itself.

Your DHCP or clients should only point at your server(s) for DNS.

Your DNS server should be configured to use Root Hints rather than forwarding.

Once forward and reverse lookups work on all systems then you'll be in business.

AD rides on top of working DNS and requires it be configured correctly.

- Fred
j0s3ph (ASKER):
I have two DC's that run DNS in the building.  All machines, including the two DC's, have the DC's listed as the primary DNS and secondary DNS.  So basically the two DC's have themselves as the primary DNS and the other as the secondary.  Do you think this could be a problem?
From the nslookup error, you don't have a reverse lookup zone setup in DNS.

Fredimac has pointed you in the direction you need to go. For AD to work, your DNS must be working 100%.

Good Luck!
j0s3ph (ASKER):
How would I fix this?  I think this is what is creating the problem.

I ran a dcdiag /test:dns
The results where:
Test: Basic (Basc)
Error: No DS RPC connectivity

The other problem that I am having is that I am getting
Source: NTDS Replication
Category: DS RPC Client
Event ID: 2087

Active Directory could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.
 
Source domain controller:
 Our2ndServer
Failing DNS host name:
 97a743ef-9a7c-4ad7-b108-c1c8c5430226._msdcs.APU.local
In the DNS manager:

Right click the DNS server name, select Properties, Advanced tab, and make sure that 'Load zone data on startup' is set to "From Active Directory and registry".

Only do this step if there is no reverse lookup zone. From the nslookup error, it appears there isn't one.
Right click Reverse Lookup Zones, select New Zone, make sure "Store the zone in Active Directory" is checked, the replication scope is all DNS servers in AD, and the network ID is based on your IP setup, which appears to be 192.168.1. You may need to add a PTR host for the server to the reverse zone.
Do this on the other DNS server as well.

On the server, nslookup its name, then its IP; both should come back without any non-existent domain or unknown error. Nslookup the other DNS server's name and IP. Both should be without error.

If that works, do the same on a workstation.

If your DNS is still not working at this point, let us know.

Do not bother trouble shooting any other problems until your DNS is working.
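Added example, not code from the thread or from any of its participants: a PowerShell script that automates the checks the answers above call for on every DC in the domain, namely the forward lookup of each DC's FQDN and the reverse lookup of its IP (the nslookup steps), the `<DSA GUID>._msdcs.<forest root>` CNAME that the Event 2087 post reports as unresolvable, and Fred's rule that a DC's NIC lists only DC addresses, itself first. It assumes a current Windows admin workstation with the RSAT ActiveDirectory and DnsClient modules and WinRM access to the DCs; the Windows 2003 machines in the thread predate these cmdlets, so this is the modern equivalent of the manual procedure, not something the thread ran.

```powershell
# Added example (not from the thread). Verifies the DNS prerequisites AD needs on each DC.
# Assumes: Windows 8 / Server 2012 or later, RSAT ActiveDirectory + DnsClient modules,
# a domain-joined admin session, and WinRM access to each DC for the last check.
Import-Module ActiveDirectory
Import-Module DnsClient

$forestRoot = (Get-ADForest).RootDomain           # the _msdcs zone hangs off the forest root
$dcs        = Get-ADDomainController -Filter *    # every DC registered in AD
$dcIps      = @($dcs | ForEach-Object { $_.IPv4Address })

function Test-DcDns {
    param($Dc)
    $name = $Dc.HostName          # FQDN, e.g. dc2.domain.local
    $ip   = $Dc.IPv4Address
    Write-Host "== $name ($ip) =="

    # 1. Forward lookup: the DC's FQDN, asked of the DC's own DNS service, must return its own IP.
    try {
        $a = Resolve-DnsName -Name $name -Type A -Server $ip -ErrorAction Stop |
             Where-Object { $_.QueryType -eq 'A' }
        if (@($a.IPAddress) -contains $ip) { Write-Host "  [OK]   A     $name -> $ip" }
        else { Write-Warning "A record for $name is '$($a.IPAddress -join ',')', expected $ip" }
    } catch { Write-Warning "forward lookup of $name failed: $($_.Exception.Message)" }

    # 2. Reverse lookup: the IP must map back to the FQDN. This needs a reverse zone and a
    #    PTR record; "Can't find server name for address ... Non-existent domain" means it is missing.
    try {
        $ptr = Resolve-DnsName -Name $ip -Type PTR -Server $ip -ErrorAction Stop
        if (@($ptr.NameHost) -contains $name) { Write-Host "  [OK]   PTR   $ip -> $name" }
        else { Write-Warning "PTR for $ip is '$($ptr.NameHost -join ',')', expected $name" }
    } catch { Write-Warning "reverse lookup of $ip failed (no reverse zone or PTR?): $($_.Exception.Message)" }

    # 3. Replication alias (Event 2087/2088): <objectGUID of the NTDS Settings object>._msdcs.<forest root>
    #    must be a CNAME that points at this DC's FQDN. Netlogon registers it; restarting Netlogon re-registers it.
    $dsaGuid = (Get-ADObject -Identity $Dc.NTDSSettingsObjectDN).ObjectGUID
    $alias   = "$dsaGuid._msdcs.$forestRoot"
    try {
        $c = Resolve-DnsName -Name $alias -Type CNAME -Server $ip -ErrorAction Stop |
             Where-Object { $_.QueryType -eq 'CNAME' }
        if (@($c.NameHost) -contains $name) { Write-Host "  [OK]   CNAME $alias -> $name" }
        else { Write-Warning "CNAME $alias points at '$($c.NameHost -join ',')', expected $name" }
    } catch { Write-Warning "CNAME $alias did not resolve on $ip : $($_.Exception.Message)" }

    # 4. DNS client settings on the DC itself: only DC addresses, itself first, never an ISP resolver.
    try {
        $servers = @(Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
            (Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses }).ServerAddresses
        })
        $foreign = @($servers | Where-Object { $dcIps -notcontains $_ })
        if ($foreign.Count -eq 0 -and $servers.Count -gt 0 -and $servers[0] -eq $ip) {
            Write-Host "  [OK]   DNS client servers: $($servers -join ', ')"
        } else {
            Write-Warning "DNS client servers on $name are '$($servers -join ', ')'; expected itself ($ip) first and only DC addresses"
        }
    } catch { Write-Warning "could not read DNS client settings on $name : $($_.Exception.Message)" }
}

foreach ($dc in $dcs) { Test-DcDns -Dc $dc }
```

Each check queries the DC's own DNS service (`-Server $ip`) rather than whatever resolver the admin workstation uses, because the thread's symptom is a DC whose own DNS cannot load AD-integrated zones; a warning from step 1 or 2 on one DC but not the other points at that DC's zone load rather than at the zone data itself, and a warning from step 3 is the same condition Event 2087 reports.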

j0s3ph (ASKER):
I set up the reverse lookup zones on both DC's.  
Here is the result of nslookup:
C:\nslookup
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\jwestbrook>nslookup
*** Can't find server name for address 192.168.1.2: Non-existent domain
Default Server:  UnKnown
Address:  192.168.1.2

> dc2
Server:  UnKnown
Address:  192.168.1.2

Name:    dc2.domain.local
Address:  192.168.1.6

This is the same result on both DC's.
And when you do an nslookup on 192.168.1.6?  

The first part is a clue: the DNS server doesn't know its own name / domain.

nslookup should always put out the fully-qualified hostname.

This procedure is specific to DNS with dcdiag:
http://www.eventid.net/display.asp?eventid=2087&source=NTDS+Replication

- Fred

j0s3ph (ASKER):
Here is the dcdiag /test:dns results after the change (still same as first):
C:\WINDOWS\ServicePackFiles\i386>dcdiag /test:dns
Domain Controller Diagnosis
Performing initial setup:
[dc] Directory Binding Error -2146892976:
The system detected a possible attempt to compromise security.  Please ensure
that you can contact the server that authenticated you.
This may limit some of the tests that can be performed.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site\DC
Starting test: Connectivity
[DC] DsBindWithSpnEx() failed with error -2146892976,
The system detected a possible attempt to compromise security.  Please
ensure that you can contact the server that authenticated you..
......................... DC failed test Connectivity

Doing primary tests
Testing server: Default-First-Site\DC
DNS Tests are running and not hung. Please wait a few minutes...
Running partition tests on : TAPI3Directory
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : DOMAIN
Running enterprise tests on : DOMAIN.local
Starting test: DNS
Test results for domain controllers:
DC: DC.DOMAIN.local
Domain: DOMAIN.local

TEST: Basic (Basc)
Error: No DS RPC connectivity
Summary of DNS test results:
Auth Basc Forw Del  Dyn  RReg Ext
_______________________________________________________________
Domain: DOMAIN.local
dc                   PASS FAIL PASS PASS PASS PASS n/a

......................... DOMAIN.local failed test DNS
You are not able to connect to the directory; that is why you get the bind error. Please run Netdiag.exe and post the results.
Use the LDP utility to see what errors you get, refer to:
http://support.microsoft.com/default.aspx?scid=kb;en-us;255602
You should run the dcdiag and the netdiag on the problem DC. For proper troubleshooting and isolating the problem refer to the above link and first make sure that your RPC connectivity is OK.

Did this happen just because of reboots, or did you try to do something else?
j0s3ph (ASKER):

I forgot to restart my DNS service after the changes.  Now, on both DC's all the fields are FQDNs, so I think my reverse lookup is in good shape.
I am still getting the message in dcdiag /test:dns that says:
TEST: Basic (Basc)
Error: No DS RPC connectivity
Summary of DNS test results:
Auth Basc Forw Del  Dyn  RReg Ext

I wonder what is wrong with my DS RPC connectivity???
j0s3ph (ASKER):
I will try what you said and test the RPC.  I will post the results.
One more question...was the problem DC ever working properly? Is this a new DC?
j0s3ph (ASKER):
I don't recall changing anything on the DNS/AD side for two months now.  As of the last week, AD would work fine, then after 3 days or so it would be unavailable on the network.  After a restart it would be working fine.  I don't recall any changes to cause this, but obviously I did something.
j0s3ph (ASKER):
I have run a couple Microsoft recommended utilities and the problem is that there is "No DNS RPC connectivity" on either DC.  Anyone know how to change this setting to where there is connectivity?
I assume the DNS server configured on your DC is itself as I indicated before.

When you created your zones, they're active directory integrated, yes?

This is in the 2003 SP1 release notes.  BTW, SP1 is considered an upgrade by MS, not just a patch:
http://66.102.7.104/search?q=cache:UT8WELrcnyYJ:download.microsoft.com/download/4/5/0/450b0a3f-585e-44a2-a303-b5dc27a69451/BookOfSP1Doc.doc+%22No+DNS+RPC%22+connectivity&hl=en

Warning: No DNS RPC connectivity (error or non Microsoft DNS server is running)
 Disregard this warning if the DNS server is a BIND or other non-Microsoft DNS server.

There are some suggestions here regarding changing the zone to Primary, then back to AD integrated
http://www.msusenet.com/archive/topic.php/t-1869583257.html


ASKER CERTIFIED SOLUTION
MFK:
j0s3ph (ASKER):
Sorry I haven't replied the last week, just got back from vacation.  I came back and the server was down again.  I will follow the directions of the last 3 posts and let you know the results.  Thanks.
j0s3ph (ASKER):

Fredimac, the AD/DNS is integrated.  I think the integration is messed up, but I haven't figured out how to tell.  I will try your two last directions and post the result.
j0s3ph (ASKER):

- MFK: The DC did work properly at one time (to answer your question) and it is not new.
- My problem is my DS RPC.  I tried the steps to make sure that the RPC services were at the states specified in the Microsoft article you sent.
- In the "Directory Service" event log I got an Event ID: 2088, Source: NTDS Replication; it states that the CNAME resolution failed for both DC's!
- Also in the "System" event log I am getting lots of Event ID: 2019, Source: Srv.  It says "The server was unable to allocate from the system nonpaged pool because the pool was empty."
The Event ID 2019 is listed over 100 times in the System event log.  It seems like maybe these errors (including the DNS errors I posted before) are all caused by each other.  I didn't get to try the NETDIAG tool; do you know a link I could go to to download the tools?  I am starting to get stuck on this problem.  I don't know how to fix the DS RPC! Thanks.
j0s3ph (ASKER):
The EventID of 2019 is a memory leak.  We are running poolmon with Microsoft to solve the issue.