Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


DNS and Active Directory not talking correctly...

Posted on 2002-03-20
Medium Priority
Last Modified: 2007-11-27
 Event viewer displays the message below (3 times, for different zones).

1. Can you help resolve the error?
2. How do I 'Check that the Active Directory is functioning properly'
3. How do I 'repeat enumeration' of the zone?

Event Type:     Error
Event Source:     DNS
Event Category:     None
Event ID:     4004
Date:          17/03/2002
Time:          10:28:59 AM
User:          N/A
Computer:     MASTER
The DNS server was unable to complete directory service enumeration of zone 16.172.in-addr.arpa.  This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and repeat enumeration of the zone. The event data contains the error.
0000: 2a 23 00 00               *#..    
Question by:gfergus
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3

Author Comment

ID: 6882114
Both the forward lookup and reverse lookup zones are 'Directory integrated' and 'Allow Dynamic Updates'

Both zone are running.

The set of error messages only appear once after a re-boot.

I have Norton Anti-virus Corporate Edition running with several client PCs. I installed Nortons after the complete install of W2K and Active Directory.

Everthing else is as a default installation as far as I can tell.


Author Comment

ID: 6882121

Oh!, I had to edit the:

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon - DependOnService"

I added 'DNS' so that the Netlogon service would not start until the DNS service started. (My PC is a bit slow)



Expert Comment

ID: 6883356
since you changed that registry key, when DNS tries to start, it couldn't query AD for the zone information - you said the zones are AD integrated.  The netlogon service has to start in order for AD to function properly.  Remove that key or change the zones to standard primary.
Tech or Treat!

Submit an article about your scariest tech experience—and the solution—and you’ll be automatically entered to win one of 4 fantastic tech gadgets.


Author Comment

ID: 6883730
Thanks Matt,

I could try as you suggested but from past experience I would (1) regenerate previous errors or (2) lose functionality of the AD.

1. If I was to remove the 'Netlogon - DependOnService - DNS' registry entry, the previous error of "Netlogon unable to find DNS server' error would re-occur.

2. If I changed the zones to standard primary I would lose the automatic update to DNS when a DHCP client logged on.

From my limited knowledge of W2K and from what I understand from your suggestion, is this correct?
(a) Netlogon requires DNS (because my PC is slow)
(b) DNS requires AD
(c) AD requires Netlogon

If all of a,b & c are correct then there is a circular dependency error that would be very difficult to resolve.

Other ideas:
(A.1) Maybe I could delay the DNS by adding a 'DNS - DependOnService - Active Directory' registry entry. But I'm not sure what the name or process is called that starts the Active Directory service. This would create the circular dependency as mentioned above.

Can you help identify the service that starts the AD in the registry?

(A.2) I could try removing the 'Netlogon - DependOnService - DNS' registry entry and add the 'DNS - DependOnService - Active Directory' to see what happens...

Any other ideas?


Expert Comment

ID: 6883962
"(a) Netlogon requires DNS (because my PC is slow)
(b) DNS requires AD
(c) AD requires Netlogon"

a - netlogon on a DC requires DNS because it has to register many DC related resource records in DNS and start AD appropriately.
b - DNS requires AD only if the zones are configured to be AD integrated (DNS data stores in AD instead of a file).
c - AD requires netlogon to start appropriately

"If I changed the zones to standard primary I would lose the automatic update to DNS when a DHCP client
logged on."
-- you can have dynamic update enabled without having your DNS server using AD integrated zones - standard primary zone with dynamic updates.

When a DC boots up, it will try to register its A and PTR records to the DNS server(s) that is authoriative for the zone that its AD is a part of.  This process is being done by the DHCP client service on the DC (even if DC is using static IP, DHCP client service still needs to be enabled).
The NetLogon service will then try to register all other DC related resource records (RR) in DNS.  Once NetLogon can register DC's RR's and queries the DNS server for any information that it needs (ie: name and address of the DC's replication partners), AD will start and function properly.

AD is not a "one .exe service".  It is comprised of many different services to function.  There is no .exe file that starts AD.  Hence, to disable it, you'll need to boot up to the AD restore mode.

hope this helps.


Author Comment

ID: 6885849
Thanks Matt,

I changed the DNS zones to Primary, re-booted and the error has gone.

1. Could you explain the apparent circular dependency as described below?

>(a) Netlogon requires DNS (because my PC is slow)
>(b) DNS requires AD
>(c) AD requires Netlogon
>If all of a,b & c are correct then there is a circular >dependency error that would be very difficult
>to resolve.


2. What is the advantage of having Active Directory integrated zones? (Maybe you need to have another DC running AD to use this feature?)

Thanks again

Accepted Solution

matt023 earned 300 total points
ID: 6887602
actually, it looks circular, but it's not exactly so.  Like I had mentioned, if you use AD integrated zone for DNS, DNS will require a fuctioning AD in order to load zone information.  NetLogon needs DNS in order to register a DC's resource records.  However, if NetLogon cannot correctly register all the DC's resource record, AD on this particular DC will still start.  However, routines such as AD replication will not work correctly.  NetLogon will then try to register all the DC's resource record every 5 minutes until it's successful.  

Your DNS zone is now configured to be a primary zone, which means that the zone information is no longer stored in AD.  Therefore, it doesn't need AD to load the zone information.  It is now stored in a file ("zone file") - %systemroot%\system32\dns, you'll see a file with your_domain_name.dns.

The advantage of using AD integrated zone is for multi-master purpose.  2 or more DNS servers can be authoritative for a zone without having to configure the tradinal master/slave zones on the DNS servers involved.  All DNS servers authoritative for this particular zone can look at AD for zone information.  The will also provide a greater fault tolerance.  In the traditional setting (master/slave), only the DNS server that's holding the master copy of the zone can make changes to it.  The other DNS servers holding a slave copy of the zone file (they get it through zone transfer) can only read the information and not write.  If the DNS server that's holding the master copy of the zone is down, no update can be done to the zone.  Using AD integrated zone, multiple DNS servers authoritative for a zone can write zone information.  This way, if a DNS server is down, the zone still can be updated with the remaining DNS servers.

To help solve your problem, may be you can separate DNS into a different server.  This way your DC won't have to take on to much load if it can't handle.

Author Comment

ID: 6888181
Thanks Matt

All clear now!


Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
An overview of cyber security, cyber crime, and personal protection against hackers. Includes a brief summary of the Equifax breach and why everyone should be aware of it. Other subjects include: how cyber security has failed to advance with technol…
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question