DNS issue on AD domain

Posted on 2008-11-18
Medium Priority
Last Modified: 2013-12-24
Hello, I have an active directory set up that is extremely simple... Or so I thought.  The AD serves approximately 60 or so workstations and 8 or so member servers.  

There is only one DC, the DC is running DNS.  

Every so often I get errors on workstations that won't process GPO's because, well:

> Group Policy Infrastructure failed due to the error listed below.
> The specified domain either does not exist or could not be contacted.
> Note: Due to the GP Core failure, none of the other Group Policy components processed their policy.
> Consequently, status information for the other components is not available

When I sit at my DC/DNS server and run dcdiag everything comes up green.  

When I run netdiag /q I get DNS failure:  
[WARNING] The DNS entries for this DC are not registered correctly on DNS server ''. Please wait for 30 minutes for DNS server replication.

When I run a netdiag /fix I get:
[FIX] re-register DC DNS entry 'mydomainname.com.' on the DNS server '' succeed.
FIX PASS - netdiag re-registered missing DNS entries for this DC successfully on server ''.
[FATAL] No DNS servers have the DNS records for this DC registered.

I wonder what I am missing.  It says it fixes but then is still broken?

I have to assume that the errors I get on workstations and servers such as:

- Windows cannot determine the user or computer name. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

- Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

I don't get these errors on every workstation/server on my domain; in fact most have no issues at all.  There is also nothing common amongst the devices getting these issues: some are servers, some are workstations, some are on one subnet, some are on another, different OSes, different hardware.  

I am at a loss and do not know enough about DNS to fix this on my own.  

Also on my DNS MMC I get DNS errors such as these:

Source: DNS, Event ID 3000 - The DNS server has encountered numerous run-time events. To determine the initial cause of these run-time events, examine the DNS server event log entries that precede this event. To prevent the DNS server from filling the event log too quickly, subsequent events with Event IDs higher than 3000 will be suppressed until events are no longer being generated at a high rate.

Source: DNS, Event ID 4015 - The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

Source: DNS, Event ID 4004 - The DNS server was unable to complete directory service enumeration of zone ..  This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.

I get 4004 errors for each zone it cannot load.

Can anyone assist?
Question by:MarlinTechSupport
LVL 18

Expert Comment

ID: 22986542
Firstly, WHY do you have only one DC?  With 8 member servers, you're OBVIOUSLY not short on hardware..   Mark my words, you'll regret that one day if you don't do something about it..

Ok, now on to your problem..   Please post the output of an ipconfig /all


Author Comment

ID: 22987426
I agree, we had two DCs. I will be assigning a second DC soon, but there are issues that need to be worked out first.  I am told by the powers that be to not run DCPROMO on another server until I figure a lot of this out.  It should be noted that before I decommissioned the second DC (back when there were two) I transferred all FSMO roles, made it the GC server and demoted it to a member server, then took it off the domain.  The decommissioned server was the primary DC at the time, but DNS was always not quite right even then.  

ipconfig /all output:
Host Name: tmc-itadmin-2
primary dns suffix: themarlinco.com
node type: Hybrid
IP Routing Enabled: No
WINS Proxy Enabled: NO
DNS Suffix search list: themarlinco.com

Ethernet adapter network bridge

connection specific DNS suffix: No Value
Description: MAC Bridge Miniport
Physical Address: My Mac Address for bridge
DHCP Enabled: No
IP Address:
Subnet Mask:
Default Gateway:
DNS Servers:
Primary WINS Server:
Secondary WINS Server:
LVL 18

Expert Comment

ID: 22988122
Your problem (or at least part of it) is right there.

Remove ALL the entries for DNS servers except   This assumes that used to be the old DC that was taken offline.  The two public IP's that are in there should NEVER be listed on your servers (as configured DNS servers, anyway).  Bad bad bad!!!

If you want to use your ISP's DNS to do lookups, then configure it as a forwarder in your DNS server, NEVER in the DNS settings on the NIC.  Why?  Because your server will try to register all its AD records (as well as do lookups) with those DNS servers.   Since those records obviously don't exist there, bad things...

So remove all that stuff, and then run a dcdiag /test:dns and post the results.


Author Comment

ID: 22988856
10.50 is the backup DNS server actually.  The backup DNS server does not have the DNS service running right now for a few reasons.  

I do not know where the public addresses came from. I'll have the network engineer look into that and report what happens after the changes are made.

I have inherited this system, learning as I go along, and really don't know where/why a lot of things are the way they are.  My only saving grace is that the design is relatively small.  

LVL 18

Expert Comment

ID: 22989184
So, let me get this straight..  You have a backup DNS server, but no backup AD controller?!?


Either way, if it's not running, remove it.  You can put it back later if and when it gets running again.  For now, we need to fix the DNS issues you are having.  Also remove those two 68.x.x.x addresses.  Then please post the output from   dcdiag /test:dns       so that we can proceed.


Author Comment

ID: 22995192
lol I know, like I said, at one time we had 2 DCs and 2 DNS servers.  

I don't know the reasons for being told to stick with one DC and 1 DNS for now.  

Either way, I removed the 68.x addresses and the backup DNS that is not running right now.  

Per interface results:

    Adapter : Network Bridge (Network Bridge) 2

        Netcard queries test . . . : Passed

Global results:

Domain membership test . . . . . . : Passed

NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
    1 NetBt transport currently configured.

DNS test . . . . . . . . . . . . . : Failed
    [WARNING] The DNS entries for this DC are not registered correctly on DNS server ''. Please wait for 30 minutes for DNS server replication.
    [FATAL] No DNS servers have the DNS records for this DC registered.

The command completed successfully

Author Comment

ID: 23003538
I am extremely confused...  

How can my DC have trouble registering itself with the DNS server it's running!?

Accepted Solution

MarlinTechSupport earned 0 total points
ID: 23010374
Figured out the issue... This was an old server; the hosts file had some entries that pointed the domain namespace to a server that no longer existed.  I should have tried resolving the namespace via ping sooner.  I cleared the file and let DNS do its thing.  Works now.

That one was annoying!

Thanks for your help.
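The root cause above was a stale hosts file entry that silently overrode DNS for the domain name on the DC itself. The following is an added example, not code from the thread, that audits a hosts file for exactly that condition: any entry that maps the AD domain name (or a name under it) to an address that is not a current domain controller. The hosts file content, the address values and the `oldserver` name are constructed for the demonstration; `themarlinco.com` is the domain from the ipconfig output posted earlier.

```python
"""Audit a Windows hosts file for entries that shadow an AD domain namespace.

Added example (not from the original thread). The hosts content below is
constructed: a decommissioned DC ("oldserver") is still mapped to the domain
name, which is the failure mode the accepted solution describes.
"""
import ipaddress

# Constructed sample hosts file; names and addresses are hypothetical.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.5     oldserver.themarlinco.com  themarlinco.com   # decommissioned DC
192.168.1.20    printserver
10.0.0.50       tmc-itadmin-2.themarlinco.com
"""


def parse_hosts(text):
    """Return [(ip, [names])] for each active line; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # malformed line, ignore it
        entries.append((str(ip), [n.lower().rstrip(".") for n in parts[1:]]))
    return entries


def shadowing_entries(text, ad_domain, valid_dc_ips):
    """Return hosts entries that resolve the AD domain (or any name under it)
    to an address that is not a current DC. Because the hosts file is consulted
    before DNS, such an entry makes 'domain ... could not be contacted' errors
    appear on that machine even when the DNS server itself is healthy."""
    ad_domain = ad_domain.lower().rstrip(".")
    valid = {str(ipaddress.ip_address(i)) for i in valid_dc_ips}
    findings = []
    for ip, names in parse_hosts(text):
        for name in names:
            in_namespace = name == ad_domain or name.endswith("." + ad_domain)
            if in_namespace and ip not in valid:
                findings.append({"ip": ip, "name": name})
    return findings


if __name__ == "__main__":
    for f in shadowing_entries(SAMPLE_HOSTS, "themarlinco.com", ["10.0.0.50"]):
        print(f"stale hosts entry: {f['name']} -> {f['ip']}")
```

On a real machine, pass the contents of `%SystemRoot%\System32\drivers\etc\hosts` in place of the constructed sample and list the addresses of your live DCs as `valid_dc_ips`.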
