
DNS and Active Directory not talking correctly...

Event Viewer displays the message below (3 times, for different zones).

1. Can you help resolve the error?
2. How do I 'Check that the Active Directory is functioning properly'?
3. How do I 'repeat enumeration' of the zone?

Event Type:     Error
Event Source:     DNS
Event Category:     None
Event ID:     4004
Date:          17/03/2002
Time:          10:28:59 AM
User:          N/A
Computer:     MASTER
The DNS server was unable to complete directory service enumeration of zone 16.172.in-addr.arpa.  This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and repeat enumeration of the zone. The event data contains the error.
0000: 2a 23 00 00               *#..    
1 Solution
gfergusAuthor Commented:
Both the forward lookup and reverse lookup zones are 'Directory integrated' and 'Allow Dynamic Updates'

Both zones are running.

The set of error messages only appear once after a re-boot.

I have Norton Anti-Virus Corporate Edition running with several client PCs. I installed Norton after the complete install of W2K and Active Directory.

Everything else is a default installation as far as I can tell.

gfergusAuthor Commented:

Oh! I had to edit the:

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon - DependOnService"

I added 'DNS' so that the Netlogon service would not start until the DNS service started. (My PC is a bit slow)


Since you changed that registry key, when DNS tries to start it can't query AD for the zone information - you said the zones are AD integrated. The Netlogon service has to start in order for AD to function properly. Remove that key or change the zones to standard primary.

gfergusAuthor Commented:
Thanks Matt,

I could try as you suggested but from past experience I would (1) regenerate previous errors or (2) lose functionality of the AD.

1. If I was to remove the 'Netlogon - DependOnService - DNS' registry entry, the previous error of 'Netlogon unable to find DNS server' would re-occur.

2. If I changed the zones to standard primary I would lose the automatic update to DNS when a DHCP client logged on.

From my limited knowledge of W2K and from what I understand from your suggestion, is this correct?
(a) Netlogon requires DNS (because my PC is slow)
(b) DNS requires AD
(c) AD requires Netlogon

If all of a,b & c are correct then there is a circular dependency error that would be very difficult to resolve.

Other ideas:
(A.1) Maybe I could delay the DNS by adding a 'DNS - DependOnService - Active Directory' registry entry. But I'm not sure what the name or process is called that starts the Active Directory service. This would create the circular dependency as mentioned above.

Can you help identify the service that starts the AD in the registry?

(A.2) I could try removing the 'Netlogon - DependOnService - DNS' registry entry and add the 'DNS - DependOnService - Active Directory' to see what happens...

Any other ideas?

"(a) Netlogon requires DNS (because my PC is slow)
(b) DNS requires AD
(c) AD requires Netlogon"

(a) Netlogon on a DC requires DNS because it has to register many DC-related resource records in DNS and start AD appropriately.
(b) DNS requires AD only if the zones are configured to be AD integrated (DNS data is stored in AD instead of a file).
(c) AD requires Netlogon to start appropriately.

"If I changed the zones to standard primary I would lose the automatic update to DNS when a DHCP client logged on."
-- you can have dynamic update enabled without having your DNS server using AD integrated zones - standard primary zone with dynamic updates.

When a DC boots up, it will try to register its A and PTR records with the DNS server(s) that are authoritative for the zone that its AD is a part of. This process is done by the DHCP Client service on the DC (even if the DC is using a static IP, the DHCP Client service still needs to be enabled).
The Netlogon service will then try to register all other DC-related resource records (RRs) in DNS. Once Netlogon can register the DC's RRs and query the DNS server for any information that it needs (i.e. name and address of the DC's replication partners), AD will start and function properly.

AD is not a "one .exe service". It is comprised of many different services in order to function. There is no single .exe file that starts AD. Hence, to disable it, you'll need to boot up in AD restore mode.

Hope this helps.

gfergusAuthor Commented:
Thanks Matt,

I changed the DNS zones to Primary, re-booted and the error has gone.

1. Could you explain the apparent circular dependency as described below?

>(a) Netlogon requires DNS (because my PC is slow)
>(b) DNS requires AD
>(c) AD requires Netlogon
>If all of a, b & c are correct then there is a circular dependency error that would be very difficult
>to resolve.


2. What is the advantage of having Active Directory integrated zones? (Maybe you need to have another DC running AD to use this feature?)

Thanks again
Actually, it looks circular, but it's not exactly so. Like I had mentioned, if you use an AD integrated zone for DNS, DNS will require a functioning AD in order to load zone information. Netlogon needs DNS in order to register a DC's resource records. However, if Netlogon cannot correctly register all the DC's resource records, AD on this particular DC will still start. However, routines such as AD replication will not work correctly. Netlogon will then try to register all the DC's resource records every 5 minutes until it's successful.

Your DNS zone is now configured to be a primary zone, which means that the zone information is no longer stored in AD. Therefore, it doesn't need AD to load the zone information. It is now stored in a file ("zone file") under %systemroot%\system32\dns; you'll see a file named your_domain_name.dns.

The advantage of using an AD integrated zone is for multi-master purposes. Two or more DNS servers can be authoritative for a zone without having to configure the traditional master/slave zones on the DNS servers involved. All DNS servers authoritative for this particular zone can look at AD for zone information. This will also provide greater fault tolerance. In the traditional setting (master/slave), only the DNS server that's holding the master copy of the zone can make changes to it. The other DNS servers holding a slave copy of the zone file (they get it through zone transfer) can only read the information and not write. If the DNS server that's holding the master copy of the zone is down, no update can be done to the zone. Using an AD integrated zone, multiple DNS servers authoritative for a zone can write zone information. This way, if a DNS server is down, the zone can still be updated via the remaining DNS servers.

To help solve your problem, maybe you can separate DNS onto a different server. This way your DC won't have to take on too much load if it can't handle it.
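The following is an added example, not code from the thread or from Experts Exchange. It turns the diagnosis given in the two answers above into a repeatable check for a DC that also hosts DNS: it reads the Netlogon service's DependOnService value that the author edited, lists each zone and whether it is stored in Active Directory or in a file under %SystemRoot%\System32\dns, pulls any DNS event 4004 logged since the last boot, and warns when Netlogon has been made to wait for DNS while zones are still AD integrated. It assumes it runs elevated on the DC with the DnsServer PowerShell module (Windows Server 2012 or later); the function names are my own.

```powershell
# Added example, not from the thread. Assumes: run as administrator on the
# DC/DNS server, DnsServer module available (Windows Server 2012+).

function Get-NetlogonDependencies {
    # The value the author edited: HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\DependOnService
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon'
    $item = Get-ItemProperty -Path $key -Name DependOnService -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.DependOnService)
}

function Get-ZoneStorageReport {
    # DS-integrated zones live in AD and cannot load before AD is up;
    # standard primary zones load from a .dns file under %SystemRoot%\System32\dns.
    Get-DnsServerZone |
        Where-Object { -not $_.IsAutoCreated } |
        ForEach-Object {
            [pscustomobject]@{
                Zone          = $_.ZoneName
                Type          = $_.ZoneType
                StoredInAD    = $_.IsDsIntegrated
                DynamicUpdate = $_.DynamicUpdate
                ZoneFile      = if ($_.IsDsIntegrated) { '(Active Directory)' } else { $_.ZoneFile }
            }
        }
}

function Get-DnsEnumerationErrorsSinceBoot {
    # Event 4004 "unable to complete directory service enumeration of zone" in the DNS Server log.
    $boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 4004; StartTime = $boot } `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$deps  = Get-NetlogonDependencies
$zones = Get-ZoneStorageReport
$evts  = Get-DnsEnumerationErrorsSinceBoot

"Netlogon DependOnService: $($deps -join ', ')"
$zones | Format-Table -AutoSize
if ($evts) {
    "DNS event 4004 entries since last boot: $(@($evts).Count)"
    $evts | Format-List
}

# The combination the thread identifies as the cause: Netlogon waits for DNS,
# DNS waits for AD (zone data), and AD needs Netlogon.
$netlogonWaitsForDns = $deps -contains 'DNS'
$adIntegrated        = @($zones | Where-Object StoredInAD)
if ($netlogonWaitsForDns -and $adIntegrated.Count -gt 0) {
    "WARNING: Netlogon depends on DNS while $($adIntegrated.Count) zone(s) are AD integrated " +
    "($($adIntegrated.Zone -join ', ')). Expect event 4004 at boot. Either remove 'DNS' from " +
    "Netlogon's DependOnService or convert those zones to standard primary with dynamic updates."
}
```

On a default DC the DependOnService line should list LanmanWorkstation and LanmanServer but not DNS; the zone table shows at a glance which zones would be blocked at boot, and the 4004 count confirms whether the problem is recurring after the change or was a one-off from the edited dependency.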
gfergusAuthor Commented:
Thanks Matt

All clear now!
