DNS and Active Directory not talking correctly...

Posted on 2002-03-20
Last Modified: 2007-11-27
Event Viewer displays the message below (3 times, for different zones).

1. Can you help resolve the error?
2. How do I 'Check that the Active Directory is functioning properly'
3. How do I 'repeat enumeration' of the zone?

Event Type:     Error
Event Source:     DNS
Event Category:     None
Event ID:     4004
Date:          17/03/2002
Time:          10:28:59 AM
User:          N/A
Computer:     MASTER
The DNS server was unable to complete directory service enumeration of zone  This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and repeat enumeration of the zone. The event data contains the error.
0000: 2a 23 00 00               *#..    
Question by: gfergus

Author Comment

ID: 6882114
Both the forward lookup and reverse lookup zones are 'Directory integrated' and 'Allow Dynamic Updates'.

Both zones are running.

The set of error messages only appears once, after a reboot.

I have Norton AntiVirus Corporate Edition running with several client PCs. I installed Norton after the complete install of W2K and Active Directory.

Everything else is a default installation, as far as I can tell.


Author Comment

ID: 6882121

Oh! I had to edit the:

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon - DependOnService"

I added 'DNS' so that the Netlogon service would not start until the DNS service had started. (My PC is a bit slow.)



Expert Comment

ID: 6883356
Since you changed that registry key, when DNS tries to start it can't query AD for the zone information (you said the zones are AD integrated). The Netlogon service has to start in order for AD to function properly. Remove that key or change the zones to standard primary.

Author Comment

ID: 6883730
Thanks Matt,

I could try what you suggested, but from past experience I would either (1) regenerate previous errors or (2) lose functionality of AD.

1. If I were to remove the 'Netlogon - DependOnService - DNS' registry entry, the previous 'Netlogon unable to find DNS server' error would recur.

2. If I changed the zones to standard primary, I would lose the automatic update to DNS when a DHCP client logged on.

From my limited knowledge of W2K, and from what I understand of your suggestion, is this correct?
(a) Netlogon requires DNS (because my PC is slow)
(b) DNS requires AD
(c) AD requires Netlogon

If all of a,b & c are correct then there is a circular dependency error that would be very difficult to resolve.

Other ideas:
(A.1) Maybe I could delay DNS by adding a 'DNS - DependOnService - Active Directory' registry entry. But I'm not sure what the service or process that starts Active Directory is called. This would create the circular dependency mentioned above.

Can you help identify the service that starts the AD in the registry?

(A.2) I could try removing the 'Netlogon - DependOnService - DNS' registry entry and add the 'DNS - DependOnService - Active Directory' to see what happens...

Any other ideas?


Expert Comment

ID: 6883962
"(a) Netlogon requires DNS (because my PC is slow)
(b) DNS requires AD
(c) AD requires Netlogon"

a - Netlogon on a DC requires DNS because it has to register many DC-related resource records in DNS and start AD appropriately.
b - DNS requires AD only if the zones are configured to be AD integrated (DNS data is stored in AD instead of in a file).
c - AD requires Netlogon to start appropriately.

"If I changed the zones to standard primary I would lose the automatic update to DNS when a DHCP client
logged on."
-- you can have dynamic update enabled without having your DNS server use AD-integrated zones: a standard primary zone with dynamic updates.

When a DC boots up, it will try to register its A and PTR records with the DNS server(s) that are authoritative for the zone that its AD is part of. This is done by the DHCP Client service on the DC (even if the DC is using a static IP, the DHCP Client service still needs to be enabled).
The Netlogon service will then try to register all the other DC-related resource records (RRs) in DNS. Once Netlogon can register the DC's RRs and query the DNS server for any information it needs (i.e. the names and addresses of the DC's replication partners), AD will start and function properly.

AD is not a "one .exe service". It is comprised of many different services. There is no .exe file that starts AD. Hence, to disable it, you'll need to boot into AD restore mode.

hope this helps.


Author Comment

ID: 6885849
Thanks Matt,

I changed the DNS zones to Primary, re-booted and the error has gone.

1. Could you explain the apparent circular dependency as described below?

>(a) Netlogon requires DNS (because my PC is slow)
>(b) DNS requires AD
>(c) AD requires Netlogon
>If all of a,b & c are correct then there is a circular dependency error that would be very difficult
>to resolve.


2. What is the advantage of having Active Directory integrated zones? (Maybe you need to have another DC running AD to use this feature?)

Thanks again

Accepted Solution

matt023 earned 100 total points
ID: 6887602
Actually, it looks circular, but it's not exactly so. As I mentioned, if you use AD-integrated zones for DNS, DNS will require a functioning AD in order to load zone information. Netlogon needs DNS in order to register a DC's resource records. However, if Netlogon cannot correctly register all the DC's resource records, AD on this particular DC will still start. Routines such as AD replication will not work correctly, though. Netlogon will then try to register all the DC's resource records every 5 minutes until it's successful.

Your DNS zone is now configured to be a primary zone, which means that the zone information is no longer stored in AD. Therefore, it doesn't need AD to load the zone information. It is now stored in a file ("zone file") in %systemroot%\system32\dns; you'll see a file named your_domain_name.dns.

The advantage of using AD-integrated zones is multi-master operation. 2 or more DNS servers can be authoritative for a zone without having to configure the traditional master/slave zones on the DNS servers involved. All DNS servers authoritative for this particular zone can look to AD for zone information. This also provides greater fault tolerance. In the traditional setting (master/slave), only the DNS server that's holding the master copy of the zone can make changes to it. The other DNS servers holding a slave copy of the zone file (they get it through zone transfer) can only read the information, not write it. If the DNS server that's holding the master copy of the zone is down, no update can be made to the zone. Using AD-integrated zones, multiple DNS servers authoritative for a zone can write zone information. This way, if a DNS server is down, the zone can still be updated on the remaining DNS servers.

To help solve your problem, maybe you can separate DNS onto a different server. This way your DC won't have to take on too much load if it can't handle it.
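An added check, not part of the original thread or anything matt023 posted: a PowerShell script that reads the Netlogon DependOnService edit the asker described, lists which zones are still stored in AD and which are file-backed, and reports whether the three-leg start-up dependency the thread discusses (Netlogon waits for DNS, AD-stored zones wait for AD, AD waits for Netlogon) is present on the server it runs on. It assumes an elevated session on the DC and the DnsServer PowerShell module (Windows Server 2012 or later; the Windows 2000 server in the question would need dnscmd for the zone listing instead). The registry path, service names and event ID are the ones quoted in the thread.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell on the DC.
# Start-up dependency chain under discussion:
#   Netlogon -> DNS       only if DNS was added to Netlogon's DependOnService
#   DNS      -> AD        only for zones stored in AD (AD-integrated zones)
#   AD       -> Netlogon  always, on a DC
# Assumes the DnsServer module (Windows Server 2012+) for Get-DnsServerZone.

$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon'
$deps = (Get-ItemProperty -Path $netlogonKey -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
if ($null -eq $deps) { $deps = @() }
$netlogonNeedsDns = [bool]($deps -contains 'DNS')
Write-Host ("Netlogon DependOnService: {0}" -f ($deps -join ', '))

# Zones stored in AD cannot load until the directory is up (event 4004 otherwise).
# Auto-created zones (0.in-addr.arpa etc.) are skipped; file-backed primary zones
# are the ones that avoid the DNS -> AD leg of the cycle.
$zones = @()
if (Get-Command Get-DnsServerZone -ErrorAction SilentlyContinue) {
    $zones = @(Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated })
}
foreach ($z in $zones) {
    $store = if ($z.IsDsIntegrated) { 'AD-integrated' } else { 'file-backed' }
    Write-Host ("{0,-30} {1,-13} DynamicUpdate={2}" -f $z.ZoneName, $store, $z.DynamicUpdate)
}
$adZones = @($zones | Where-Object { $_.IsDsIntegrated })

# Netlogon registers the DC's SRV records; the DHCP Client service registers A/PTR.
# Both must be running for the DC's records to reach DNS at all.
foreach ($svc in 'Netlogon', 'Dhcp', 'DNS') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) { Write-Host ("{0,-8} {1}" -f $svc, $s.Status) }
}

if ($netlogonNeedsDns -and $adZones.Count -gt 0) {
    Write-Warning 'Cycle present: Netlogon waits for DNS, DNS zones wait for AD, AD waits for Netlogon. Expect event 4004 at boot.'
} elseif ($netlogonNeedsDns) {
    Write-Host 'Netlogon waits for DNS, but all zones are file-backed, so DNS can load without AD.'
} else {
    Write-Host 'Netlogon has no DNS dependency (default); AD-integrated zones load once AD is up.'
}

# Recent 4004 events show whether the failure is still occurring after a reboot.
Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 4004 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Message -AutoSize -Wrap

# To undo the manual edit instead of demoting the zones to file-backed primaries
# (the first option the expert gave), drop DNS from the dependency list:
# Set-ItemProperty -Path $netlogonKey -Name DependOnService -Value @($deps | Where-Object { $_ -ne 'DNS' })
```

The script prints the DynamicUpdate setting next to each zone's storage type because the two are linked: only an AD-integrated zone can be set to accept secure dynamic updates only, so a file-backed primary zone with dynamic updates enabled, the configuration the thread ends on, accepts record updates from any host that can reach the server. Removing the DependOnService edit keeps the zones in AD and leaves that choice open.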

Author Comment

ID: 6888181
Thanks Matt

All clear now!

