DNS Event ID ( 4521 ) Cannot Locate a reverse DNS zone to delete

Posted on 2009-04-18
Last Modified: 2012-05-06
We are operating in an AD environment of Windows 2003 R2 servers in a single flat domain with three separate subnets. Each subnet has its own DC operating as its DNS server. Six years ago we had a subnet of 192.168.13.x, however it no longer exists. We continually see this error in our DNS Event Viewer. We cannot locate the source of this record to delete it. Any ideas? Thanks

The description for Event ID ( 4521 ) in Source ( DNS ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: 32, 13.168.192.in-addr.arpa.
Question by:DCITdept
38 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24178389

It's a zone you're looking for rather than a record. The error message text would be:

The DNS server encountered error 32 attempting to load zone 13.168.192.in-addr.arpa. from Active Directory. The DNS server will attempt to load this zone again on the next timeout cycle. This can be caused by high Active Directory load and may be a transient condition.

You're certain the zone is gone? We might want to have a bit of a dig into AD to see if it's still there.

There are three places that need checking in a 2003 domain.

1. Domain Partition

a. Open AD Users and Computers
b. Select View and Advanced Features
c. Expand System
d. Expand MicrosoftDNS
e. Check for a folder called 13.168.192.in-addr.arpa.

2. DomainDNSZones Directory Partition

a. Open ADSIEdit.msc
b. Right click on ADSI Edit and select "Connect To.."
c. Name the connection DomainDNSZones.
d. Choose "Enter a distinguished name or naming context". Enter:

DC=DomainDNSZones,DC=yourdomain,DC=com

Where DC=yourdomain,DC=com represents an AD domain called yourdomain.com

e. Click OK to finish the connection
f. Expand DomainDNSZones
g. There may be another DC=DomainDNSZones folder beneath. Expand that.
h. Expand MicrosoftDNS
i. Check for a folder called 13.168.192.in-addr.arpa.

3. ForestDNSZones Directory Partition

a. Open ADSIEdit.msc
b. Right click on ADSI Edit and select "Connect To.."
c. Name the connection ForestDNSZones.
d. Choose "Enter a distinguished name or naming context". Enter:

DC=ForestDNSZones,DC=yourrootdomain,DC=com

Where DC=yourrootdomain,DC=com represents an AD forest root domain called yourrootdomain.com

e. Click OK to finish the connection
f. Expand ForestDNSZones
g. There may be another DC=ForestDNSZones folder beneath. Expand that.
h. Expand MicrosoftDNS
i. Check for a folder called 13.168.192.in-addr.arpa.

If you could let us know how you get on with that please?

Chris
0
 

Author Comment

by:DCITdept
ID: 24181473
Thanks
Did not locate anything under Domain Partition or DNS Zones

Under
DC=ForestDNSZones,DC=yourrootdomain,DC=com
dc=domain.com

I do not see the zone however I do see the old site entry
DC=_gc._tcp.sitename._sites   dnsNode  DC=_gc._tcp.Sitename._sites,DC=domain.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=domain,DC=com
0
 

Author Comment

by:DCITdept
ID: 24181997
event ID 4001

The DNS server was unable to open zone 13.168.192.in-addr.arpa in the Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
0

Author Comment

by:DCITdept
ID: 24205824
I did locate one entry under the ForestDNSZones, however the error continues
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24205929

How about if you add a new version of that zone (as AD Integrated), give it a little time to replicate then delete it again?

Chris
0
 

Author Comment

by:DCITdept
ID: 24205946
I will try
Thanks
0
 

Author Comment

by:DCITdept
ID: 24206030
When I went to create the reverse lookup zone 13.x on our main site DNS server I now see reverse lookup zone 13.x, however as expected it cannot be loaded. I can wait a couple of hours to see if it shows up in our other DNS servers (sites) then delete it.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24206082

Does it let you see the replication scope of the zone?

Chris
0
 

Author Comment

by:DCITdept
ID: 24206111
Yes it is set to "All DNS servers in the AD Forest domain.com"
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24206117

I take it you still can't see it under there if you use ADSIEdit?

Chris
0
 

Author Comment

by:DCITdept
ID: 24206224
ForestDNSZones {dc.domain.com}
  DC=ForestDNSZones,DC=domainname,DC=com
     CN=MicrosoftDNS
Not under here however earlier I did locate it under

ForestDNSZones {dc.domain.com}
  DC=ForestDNSZones,DC=domainname,DC=com
     CN=MicrosoftDNS_CNF:21be4f4-a920-4298-b633-6e251f5a48bd

However it is not showing up there now, and two of my remote office DNS Zones are not showing up as well

0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24206300

This one:

     CN=MicrosoftDNS_CNF:21be4f4-a920-4298-b633-6e251f5a48bd

Is a conflicting object and can be deleted, it may well be causing the problem. It certainly won't be helping out.

Are your other zones still loaded in the DNS console? If they are, change the replication scope to all DNS Servers in the AD Domain to move it out of the Forest Scope before deleting anything.

Chris
0
 

Author Comment

by:DCITdept
ID: 24206755
Ok I will

There is another such entry similar to the one you are referring to as a conflicting object

I'm in the process of making the changes you suggested. Yes all the zones are loaded in the DNS console

On a couple of reverse zones I receive an error "The No Refresh Interval was not set. The process cannot access the file because it is being used by another process".
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24206802

Okay, anything with CNF in it is fair game for deletion. Of course some care should be taken to ensure there's a backup first, we're deleting things from the directory after all.

Chris
0
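As an added example (not part of this thread), the PowerShell below automates the three-location check Chris describes (domain partition, DomainDNSZones, ForestDNSZones) and also lists any CNF conflict objects under MicrosoftDNS, which he says are fair game for deletion; it only reads the directory and deletes nothing. It assumes it runs on a domain-joined machine with ADSI available (no AD module needed on 2003-era hosts) and takes the zone name as a parameter, defaulting to 13.168.192.in-addr.arpa.

```powershell
# Added example: read-only search of the three MicrosoftDNS containers for a
# dnsZone object named $ZoneName, plus any CNF conflict objects beneath them.
# Assumes a domain-joined machine; partition DNs are derived from RootDSE.
param([string]$ZoneName = "13.168.192.in-addr.arpa")

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNC = [string]$rootDse.defaultNamingContext
$rootNC   = [string]$rootDse.rootDomainNamingContext

# The MicrosoftDNS container in each of the three partitions Chris lists
$bases = @(
    @{ Label = "Domain partition (AD Users and Computers)"; DN = "CN=MicrosoftDNS,CN=System,$domainNC" },
    @{ Label = "DomainDnsZones";                           DN = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainNC" },
    @{ Label = "ForestDnsZones";                           DN = "CN=MicrosoftDNS,DC=ForestDnsZones,$rootNC" }
)

function Find-DnsObjects([string]$base, [string]$filter) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]"LDAP://$base"
    $s.Filter      = $filter
    $s.SearchScope = "Subtree"
    [void]$s.PropertiesToLoad.Add("distinguishedName")
    [void]$s.PropertiesToLoad.Add("whenChanged")
    return $s.FindAll()
}

foreach ($b in $bases) {
    Write-Host "== $($b.Label): $($b.DN)"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$($b.DN)")) {
        Write-Host "   container not present on this DC"
        continue
    }
    # dnsZone objects are named by their 'dc' attribute (DC=<zone name>)
    $zones = @(Find-DnsObjects $b.DN "(&(objectClass=dnsZone)(dc=$ZoneName))")
    if ($zones.Count -eq 0) { Write-Host "   zone not found" }
    foreach ($z in $zones) {
        Write-Host ("   ZONE  {0}  (changed {1})" -f $z.Properties["distinguishedname"][0], $z.Properties["whenchanged"][0])
    }
    # Conflict objects carry '<name>\0ACNF:<guid>' as their RDN; \0A is the LDAP escape for the 0x0A separator
    $cnf = @(Find-DnsObjects $b.DN "(name=*\0ACNF:*)")
    foreach ($c in $cnf) {
        Write-Host ("   CNF   {0}" -f $c.Properties["distinguishedname"][0])
    }
}
```

Run it against each DNS server in turn (or bind the searches to a specific DC) to spot the "different opinions" between DCs that Chris raises later in the thread.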
 

Author Comment

by:DCITdept
ID: 24206894
Ok now I'm seeing the zones under MicrosoftDNS under DomainDNSZones, however I see multiple entries for each zone with one appearing as normal and the others as containing CNF within it
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24212589

That's quite unpleasant. Shall we see if it does the same for the domain partition? Delete the CNF objects, then perhaps change the DNS scope of those zones to "All Domain Controllers in the AD Domain".

You're only making the replication scope change on a single DC aren't you?

Are there any other reported problems with the domain either in Event Log or through DCDiag / NetDiag?

Chris
0
 

Author Comment

by:DCITdept
ID: 24215485
I believe the extra entries with CNF in it were self inflicted as I made modifications on multiple DNS servers. I have deleted the CNF entries; now all active DNS zones are viewable. I also cleared out the DNS event logs and just received an event 4521 DNS attempting to load zone 13.168.192.in-addr.arpa
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24215895

lol that worked well then :)

Perhaps run:

dnscmd /EnumZones

Just to see if it appears in the list?

You may also consider searching the registry for the zone. While it should be picking up which zones to load from AD it's possible that it has a configuration entry defined there.

Chris
0
 

Author Comment

by:DCITdept
ID: 24215964
       Zone count = 7

 Zone name                      Type       Storage         Properties

 .                              Cache      AD-Domain
 10.168.192.in-addr.arpa        Primary    AD-Domain       Secure Rev Aging
 12.168.192.in-addr.arpa        Primary    AD-Domain       Secure Rev Aging
 13.168.192.in-addr.arpa        Primary    AD-Forest       Secure Rev Down
 14.168.192.in-addr.arpa        Primary    AD-Domain       Secure Rev
 15.168.192.in-addr.arpa        Primary    AD-Domain       Secure Rev Aging
 danos.com                      Primary    AD-Domain       Secure Aging

Command completed successfully.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24216021

But it's not showing up in ForestDNSZones when you browse that is it?

Just to confirm, you only have a single domain here? So there's no separate forest root domain?

Chris
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24216052

Maybe we can try...

DNSCMD /ZoneChangeDirectoryPartition 13.168.192.in-addr.arpa /legacy

That attempts to move it into the version you see under AD Users and Computers (the easiest to get to).

Chris
0
 

Author Comment

by:DCITdept
ID: 24216086
Yes, we are operating a single domain

ForestDNSZones {dc.domain.com}
  DC=ForestDNSZones,DC=domainname,DC=com
     CN=LostAndFound
     CN=MicrosoftDNS
             DC=Domain.com
     CN=NTDS Quotas

             
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24216101

Only one DC? And is the DC ADSI is using for its connection the same as the DC reporting the error? Wondering if they have different opinions on the contents of ForestDNSZones.

Chris
0
 

Author Comment

by:DCITdept
ID: 24216105
Command failed:  ERROR_SHARING_VIOLATION     32  (00000020)

C:\Documents and Settings\Administrator.Domain>
0
 

Author Comment

by:DCITdept
ID: 24216157
We have two DCs in our main site, sorry if I did not mention, however only one is a DNS server
We also have one DC in each remote site connected via MPLS
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24216349

If nothing else is in the ForestDNSZones Partition we could wipe the partition out and recreate it. How do you feel about that? It's another case where I'd recommend taking a backup first, and you should be made aware that MS don't support it, even if I've never had a problem doing it.

Chris
0
 

Author Comment

by:DCITdept
ID: 24217108
This is what I get on the other DC when running DNSCMD /ZoneChangeDirectoryPartition 13.168.192.in-addr.arpa /legacy

Command failed:  RPC_S_SERVER_UNAVAILABLE     1722  (000006ba)
0
 

Author Comment

by:DCITdept
ID: 24217121
I'm ok with giving it a shot. How would I back it up?
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 1000 total points
ID: 24217518

System State backup of one of your Domain Controllers.

Once done, we would do this:

Start, Run, ntdsutil
Domain Management
Connections
Connect to Server <AnyActiveDCName>
Quit
Select Operation Target
List Naming Contexts

 - Note the full DN of ForestDNSZones. Should be DC=ForestDNSZones,DC=danos,DC=com

Quit
Delete NC DC=ForestDNSZones,DC=danos,DC=com
Quit
Quit

Give it some time to replicate that change. If you have more than one site, 90 minutes is probably good. Then run:

DNSCMD <DNSServer> /CreateBuiltInDirectoryPartitions /Forest

Which should give us a brand new copy, minus the zone that was previously stored in there.

Chris
0
 

Author Comment

by:DCITdept
ID: 24218012
Working on backup of DC SS then I will proceed with the rest. I will revert back with results.
Thank you
0
 

Author Comment

by:DCITdept
ID: 24219181
Done with the following message

Note: Please do not create another partition with the same name until the servers which hold this partition have had an opportunity to remove it. This will occur when knowledge of the deletion of this partition has replicated throughout the forest, and the servers which held the partition have removed all the objects within that partition. Complete removal of the partition can be verified by consulting the Directory event log on each server.
0
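As an added example (not part of this thread), this PowerShell performs the verification the ntdsutil message asks for before the partition is recreated with dnscmd /CreateBuiltInDirectoryPartitions /Forest: it lists every DC in the forest that still advertises DC=ForestDnsZones in its RootDSE namingContexts and checks whether the crossRef for that partition is gone from CN=Partitions. It is read-only and assumes a domain-joined machine with ADSI available.

```powershell
# Added example: confirm the ForestDnsZones partition deletion has replicated
# to every DC before recreating it. Assumes a domain-joined machine; read-only.
$forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$rootDse  = [ADSI]"LDAP://RootDSE"
$rootNC   = [string]$rootDse.rootDomainNamingContext
$configNC = [string]$rootDse.configurationNamingContext
$nc       = "DC=ForestDnsZones,$rootNC"
$pending  = @()

# Ask each DC directly (not just the one ADSI happens to bind to) what it still holds
foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) {
        try {
            $dse  = [ADSI]"LDAP://$($dc.Name)/RootDSE"
            $held = (@($dse.namingContexts) -contains $nc)
        } catch {
            Write-Host ("{0,-30} unreachable: {1}" -f $dc.Name, $_.Exception.Message)
            continue
        }
        if ($held) { $pending += $dc.Name }
        Write-Host ("{0,-30} {1}" -f $dc.Name, $(if ($held) { "still holds $nc" } else { "partition removed" }))
    }
}

# The crossRef under CN=Partitions is what tells the forest the NC exists; search by
# nCName rather than assuming the object's own name
$s = New-Object System.DirectoryServices.DirectorySearcher
$s.SearchRoot = [ADSI]"LDAP://CN=Partitions,$configNC"
$s.Filter     = "(&(objectClass=crossRef)(nCName=$nc))"
$crossRefGone = (@($s.FindAll()).Count -eq 0)
Write-Host ("crossRef for {0} removed: {1}" -f $nc, $crossRefGone)

if ($pending.Count -eq 0 -and $crossRefGone) {
    Write-Host "All DCs have dropped the partition; safe to run dnscmd <DNSServer> /CreateBuiltInDirectoryPartitions /Forest"
} else {
    Write-Host "Deletion still replicating; do not recreate the partition yet."
}
```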
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24222568

Cool, that's a reasonable message :)

How's it doing with it today?

Chris
0
 

Author Comment

by:DCITdept
ID: 24223223
Just checked and I'm not seeing any DNS errors. Looks like that may have fixed it.
THANK YOU
0
 

Author Closing Comment

by:DCITdept
ID: 31571820
Thank you for your assistance and determination to fight through this issue with us
0
 

Expert Comment

by:chance-gp
ID: 33211049
The _mscds.domain.local zone and the main office reverse zone loaded overnight. The new reverse zone that I created and the domain.local zone are not loading.

I keep getting these errors:

Event Type:      Warning
Event Source:      DNS
Event Category:      None
Event ID:      4521
Date:            2010/07/15
Time:            10:15:25 AM
User:            N/A
Computer:      DC2
Description:
The DNS server encountered error 9605 attempting to load zone 10.168.192.in-addr.arpa from Active Directory. The DNS server will attempt to load this zone again on the next timeout cycle. This can be caused by high Active Directory load and may be a transient condition.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type:      Warning
Event Source:      DNS
Event Category:      None
Event ID:      4521
Date:            2010/07/15
Time:            10:12:25 AM
User:            N/A
Computer:      DC2
Description:
The DNS server encountered error 9605 attempting to load zone domain.local from Active Directory. The DNS server will attempt to load this zone again on the next timeout cycle. This can be caused by high Active Directory load and may be a transient condition.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

When I try to modify these zones at DC1 (Primary DC), I get this error:

The no refresh interval was not set.
The process cannot access the file because it is being used by another process.


How do I fix these errors?

Thanks
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 33211077

Please raise a separate question. You stand far more chance of getting a reasonable level of input there than tagging onto the bottom of this.

Chris
0
 

Expert Comment

by:chance-gp
ID: 33211098
Ok - Will do that.
Thanks
0
 

Expert Comment

by:chance-gp
ID: 33211108
My bad, I have not posted this in my question, Sorry about that!!
0