Solved

DNS and Active Directory not talking correctly...

Posted on 2002-03-20
Last Modified: 2007-11-27
Hi,
 Event viewer displays the message below (3 times, for different zones).

1. Can you help resolve the error?
2. How do I 'Check that the Active Directory is functioning properly'?
3. How do I 'repeat enumeration' of the zone?

Event Type:     Error
Event Source:     DNS
Event Category:     None
Event ID:     4004
Date:          17/03/2002
Time:          10:28:59 AM
User:          N/A
Computer:     MASTER
Description:
The DNS server was unable to complete directory service enumeration of zone 16.172.in-addr.arpa.  This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and repeat enumeration of the zone. The event data contains the error.
Data:
0000: 2a 23 00 00               *#..    
Question by: gfergus

8 Comments
Author Comment

by:gfergus
ID: 6882114
Both the forward lookup and reverse lookup zones are 'Directory integrated' and 'Allow Dynamic Updates'

Both zones are running.

The set of error messages only appear once after a re-boot.

I have Norton Anti-Virus Corporate Edition running with several client PCs. I installed Norton after the complete install of W2K and Active Directory.

Everything else is a default installation as far as I can tell.

Greg

Author Comment

by:gfergus
ID: 6882121

Oh! I had to edit the:

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon - DependOnService"

I added 'DNS' so that the Netlogon service would not start until the DNS service started. (My PC is a bit slow)

Greg

LVL 5

Expert Comment

by:matt023
ID: 6883356
Since you changed that registry key, when DNS tries to start it can't query AD for the zone information - you said the zones are AD integrated.  The Netlogon service has to start in order for AD to function properly.  Remove that key or change the zones to standard primary.
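The dependency loop matt023 describes (Netlogon waits for DNS, DNS with AD-integrated zones waits for AD, AD waits for Netlogon) can be confirmed from the registry before touching anything. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes a modern Windows DC where `Get-ItemProperty` can read the Services hive and only reads, never writes, the `DependOnService` values. Service names (`Netlogon`, `DNS`) are the ones the thread uses.

```powershell
# Added example: read-only check of the Netlogon -> DNS service dependency
# discussed in this thread. Run in an elevated PowerShell on the DC.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-DependOnService {
    # Returns the REG_MULTI_SZ DependOnService list for a service, or an
    # empty array when the service or the value does not exist.
    param([string]$Name)
    $item = Get-ItemProperty -Path (Join-Path $servicesKey $Name) -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.DependOnService) { return @() }
    return @($item.DependOnService | Where-Object { $_ })
}

function Test-DependsOn {
    # Depth-first walk of the dependency graph; $true if $From transitively
    # depends on $On. The visited set stops a cyclic graph from recursing forever.
    param(
        [string]$From,
        [string]$On,
        [System.Collections.Generic.HashSet[string]]$Visited =
            [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    )
    if (-not $Visited.Add($From)) { return $false }
    foreach ($dep in Get-DependOnService $From) {
        if ($dep -ieq $On) { return $true }
        if (Test-DependsOn -From $dep -On $On -Visited $Visited) { return $true }
    }
    return $false
}

Write-Host ("Netlogon DependOnService: " + ((Get-DependOnService 'Netlogon') -join ', '))
Write-Host ("DNS      DependOnService: " + ((Get-DependOnService 'DNS') -join ', '))

if (Test-DependsOn -From 'Netlogon' -On 'DNS') {
    Write-Warning 'Netlogon has been configured to wait for the DNS service.'
    Write-Warning 'With AD-integrated zones, DNS needs AD and AD needs Netlogon: expect DNS event 4004 at boot.'
} else {
    Write-Host 'Netlogon does not wait for DNS (default configuration).'
}
```

The walk is transitive on purpose: a dependency on DNS added to some other service that Netlogon already depends on would produce the same boot-order problem, and a one-level lookup would miss it. `(Get-Service Netlogon).ServicesDependedOn` shows the same information for the running service control manager, but the registry value is what is edited in this thread, so that is what the check reads.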

Author Comment

by:gfergus
ID: 6883730
Thanks Matt,

I could try as you suggested but from past experience I would (1) regenerate previous errors or (2) lose functionality of the AD.

1. If I was to remove the 'Netlogon - DependOnService - DNS' registry entry, the previous error of 'Netlogon unable to find DNS server' would recur.

2. If I changed the zones to standard primary I would lose the automatic update to DNS when a DHCP client logged on.

From my limited knowledge of W2K and from what I understand from your suggestion, is this correct?
(a) Netlogon requires DNS (because my PC is slow)
(b) DNS requires AD
(c) AD requires Netlogon

If all of a,b & c are correct then there is a circular dependency error that would be very difficult to resolve.

Other ideas:
(A.1) Maybe I could delay the DNS by adding a 'DNS - DependOnService - Active Directory' registry entry. But I'm not sure what the name or process is called that starts the Active Directory service. This would create the circular dependency as mentioned above.

Can you help identify the service that starts the AD in the registry?

(A.2) I could try removing the 'Netlogon - DependOnService - DNS' registry entry and add the 'DNS - DependOnService - Active Directory' to see what happens...

Any other ideas?

Greg
LVL 5

Expert Comment

by:matt023
ID: 6883962
"(a) Netlogon requires DNS (because my PC is slow)
(b) DNS requires AD
(c) AD requires Netlogon"

a - netlogon on a DC requires DNS because it has to register many DC related resource records in DNS and start AD appropriately.
b - DNS requires AD only if the zones are configured to be AD integrated (DNS data is stored in AD instead of in a file).
c - AD requires netlogon to start appropriately

"If I changed the zones to standard primary I would lose the automatic update to DNS when a DHCP client
logged on."
-- you can have dynamic update enabled without having your DNS server using AD integrated zones - standard primary zone with dynamic updates.

When a DC boots up, it will try to register its A and PTR records to the DNS server(s) that are authoritative for the zone that its AD is a part of.  This process is done by the DHCP client service on the DC (even if the DC is using a static IP, the DHCP client service still needs to be enabled).
The NetLogon service will then try to register all other DC related resource records (RRs) in DNS.  Once NetLogon can register the DC's RRs and query the DNS server for any information that it needs (i.e. name and address of the DC's replication partners), AD will start and function properly.

AD is not a "one .exe service".  It is comprised of many different services to function.  There is no .exe file that starts AD.  Hence, to disable it, you'll need to boot up to the AD restore mode.

hope this helps.


Author Comment

by:gfergus
ID: 6885849
Thanks Matt,

I changed the DNS zones to Primary, re-booted and the error has gone.

1. Could you explain the apparent circular dependency as described below?

>(a) Netlogon requires DNS (because my PC is slow)
>(b) DNS requires AD
>(c) AD requires Netlogon
>
>If all of a,b & c are correct then there is a circular dependency error that would be very difficult
>to resolve.

And

2. What is the advantage of having Active Directory integrated zones? (Maybe you need to have another DC running AD to use this feature?)

Thanks again
Greg
LVL 5

Accepted Solution

by:
matt023 earned 100 total points
ID: 6887602
Actually, it looks circular, but it's not exactly so.  Like I mentioned, if you use AD integrated zones for DNS, DNS will require a functioning AD in order to load zone information.  NetLogon needs DNS in order to register a DC's resource records.  However, if NetLogon cannot correctly register all the DC's resource records, AD on this particular DC will still start.  However, routines such as AD replication will not work correctly.  NetLogon will then try to register all the DC's resource records every 5 minutes until it's successful.

Your DNS zone is now configured to be a primary zone, which means that the zone information is no longer stored in AD.  Therefore, it doesn't need AD to load the zone information.  It is now stored in a file ("zone file") - %systemroot%\system32\dns, you'll see a file with your_domain_name.dns.

The advantage of using AD integrated zones is for multi-master purposes.  2 or more DNS servers can be authoritative for a zone without having to configure the traditional master/slave zones on the DNS servers involved.  All DNS servers authoritative for this particular zone can look at AD for zone information.  This will also provide greater fault tolerance.  In the traditional setting (master/slave), only the DNS server that's holding the master copy of the zone can make changes to it.  The other DNS servers holding a slave copy of the zone file (they get it through zone transfer) can only read the information and not write.  If the DNS server that's holding the master copy of the zone is down, no update can be done to the zone.  Using AD integrated zones, multiple DNS servers authoritative for a zone can write zone information.  This way, if a DNS server is down, the zone can still be updated with the remaining DNS servers.

To help solve your problem, maybe you can separate DNS onto a different server.  This way your DC won't have to take on too much load if it can't handle it.
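Two things from the accepted solution are worth checking on a server rather than taking on faith: which zones are stored in AD versus in a file under `%systemroot%\system32\dns`, and what the four bytes in the 4004 event data actually mean. The PowerShell below is an added example, not the thread's or Microsoft's code. It assumes a current Windows Server DNS server with the `DnsServer` module (`Get-DnsServerZone`), a `DNS Server` event log readable by `Get-WinEvent`, and that the error code sits in the first four bytes of the event's binary data as a little-endian DWORD, which is the layout shown in the event pasted at the top of the thread.

```powershell
# Added example: audit zone storage type and decode the Win32 error carried
# in DNS event 4004. Requires the DnsServer module (Windows Server 2012+).

function ConvertFrom-DnsEventData {
    # Decode the "Data:" bytes shown in Event Viewer, e.g. '2a 23 00 00'.
    # The first four bytes are a little-endian DWORD Win32 error code;
    # Win32Exception turns the number into the system's message text.
    param([string]$HexBytes)
    $bytes = [byte[]]($HexBytes -split '\s+' | Where-Object { $_ } |
        ForEach-Object { [Convert]::ToByte($_, 16) })
    $code = [BitConverter]::ToUInt32($bytes, 0)
    [pscustomobject]@{
        Code    = $code
        Hex     = ('0x{0:X8}' -f $code)
        Message = [System.ComponentModel.Win32Exception]::new([int]$code).Message
    }
}

function Get-ZoneStorageReport {
    # One row per zone. AD-integrated zones cannot load until the directory
    # service answers; file-backed zones load from %SystemRoot%\system32\dns.
    $dnsDir = Join-Path $env:SystemRoot 'system32\dns'
    Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated } | ForEach-Object {
        [pscustomobject]@{
            Zone          = $_.ZoneName
            ZoneType      = $_.ZoneType
            DsIntegrated  = $_.IsDsIntegrated
            DynamicUpdate = $_.DynamicUpdate
            ZoneFile      = if ($_.IsDsIntegrated) { '(stored in AD)' } else { $_.ZoneFile }
            FileExists    = if ($_.IsDsIntegrated) { $null } else { Test-Path (Join-Path $dnsDir $_.ZoneFile) }
        }
    }
}

function Get-DnsEnumerationFailures {
    # Every 4004 event with its rendered message and decoded error code.
    Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 4004 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $binary = [string]$xml.Event.EventData.Binary   # hex string, e.g. '2A230000'
            $decoded = $null
            if ($binary.Length -ge 8) {
                # Re-space the first 8 hex digits into byte pairs for the decoder above.
                $pairs = for ($i = 0; $i -lt 8; $i += 2) { $binary.Substring($i, 2) }
                $decoded = ConvertFrom-DnsEventData ($pairs -join ' ')
            }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Message   = $_.Message
                ErrorCode = $decoded.Code
                Error     = $decoded.Message
            }
        }
}

# Decode the bytes from the event at the top of this thread (offline, no log needed).
ConvertFrom-DnsEventData '2a 23 00 00'

# On the server itself: which zones depend on AD, and what 4004 events say.
Get-ZoneStorageReport | Format-Table -AutoSize
Get-DnsEnumerationFailures | Format-Table -AutoSize
```

`ConvertFrom-DnsEventData` works on any Windows machine, so the bytes from a pasted event can be decoded without access to the affected server; the other two functions only make sense on the DNS server. After removing the Netlogon dependency or changing zone storage, `nltest /dsregdns` forces the DC locator records to be re-registered immediately instead of waiting for the 5-minute retry the accepted solution mentions.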

Author Comment

by:gfergus
ID: 6888181
Thanks Matt

All clear now!

Greg