AD stops working after updates

Posted on 2009-04-27
Last Modified: 2012-05-06
Our Main DC will sometimes not load AD after it restarts from automatic updates. DNS is also offline when this happens.

I can fix it by going to ADUC, Actions -> Connect to another domain controller, and selecting DC2, then redoing the process but selecting DC1 the second time. The fix is easy, but I need to figure out why this is happening to prevent it. The first time it happened I thought it was a fluke, but it has happened twice in the past 2 or 3 months.

Our setup
Main office
DC1 (AD, DNS, DHCP, GC) (one crashing)
DC2 (AD, Exchange 2007)

Branch offices (2 connected through VPN)
DC3 and DC 4 (AD, DNS, DHCP GC)


Question by:fsjavan32

    Expert Comment

    by:Mike Kline
    What errors are you seeing in your event logs, and how do you have DNS set up on that DC (is it pointing to itself for DNS or another box for primary DNS)?

    Accepted Solution

    Was your DC1 actually "crashing", or was it just some loading issue during reboot? If it is just a slow reboot due to AD loading before the DNS service has loaded, you may just set the DNS to point to a DNS server other than itself. After all, you have another DC, DC2, which you can also make a DNS server, and have DC1 point to DC2 and vice versa. You may also want to make your DC2 a GC in case your DC1 is not available, and your DC2 would be able to serve your Exchange better than your DC3.

    Author Comment

    DNS is pointing to itself.
    There are a lot of entries in the event log when this happens. I will just post the Event IDs for now to prevent pages of text. The first entry listed under each log is the first in chronological order. Of course, these errors repeat until fixed; I only listed the first instance of it.

    Event ID 1053

    Directory Service
    Event ID 2087 (can not resolve DNS host name....)
    Event ID 1126 (connection to GC)
    Event ID 2092 Warning (FSMO role)

    DNS Server
    Event ID 4013 Warning (unable to open AD)

    Event ID 5781 Warning (Dynamic reg of DNS records failed)
    Event ID 40960 Warning (Security System, authentication error..)
    Event ID 1059 (DHCP failed to see directory server)


    Author Comment


    It could be loading issues with DNS loading after AD. If I pointed it to DC2, shouldn't the same issue happen if DC1 restarted before DC2?

    Assisted Solution

    by:Mike Kline
    Follow the config that Americom talked about and stagger the reboots; you may be dealing with a race condition here.
    You will hear people say "you always have to point the DC to itself for primary DNS". That is not true.
    There was a great discussion over at last November about this.
    Search for the thread "DNS settings on domain controllers with MS DNS". I'd post the link, but right now activedir is changing ISPs and right now the page is erroring out for me.
    I also agree with making them all GCs (but that is not causing this issue). See first bullet point on the blog below about making all DCs GCs.

    Author Comment

    Thanks guys. Only time will tell if this resolves the problem. I am confident the information you provided will fix it, though. I assumed DNS would load before the AD database. Not bashing MS, but it seems like a load priority should be set on bootup for services that need to start in a particular order.
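
The resolver layout suggested in the accepted answer (each DC using another DNS-hosting DC rather than only itself) can be audited with a short script. This is an added example, not part of the original thread; the inventory, the IP addresses and the function name `Test-DcDnsClientConfig` are constructed for illustration.

```powershell
# Constructed inventory: DC names follow the thread; IPs, DNS roles and resolver lists are made up.
$inventory = @(
    [pscustomobject]@{ Name = 'DC1'; IP = '192.0.2.11'; RunsDns = $true;  DnsServers = @('192.0.2.11') }
    [pscustomobject]@{ Name = 'DC2'; IP = '192.0.2.12'; RunsDns = $false; DnsServers = @('192.0.2.11') }
    [pscustomobject]@{ Name = 'DC3'; IP = '192.0.2.13'; RunsDns = $true;  DnsServers = @('192.0.2.12', '192.0.2.13') }
)

function Test-DcDnsClientConfig {
    param([Parameter(Mandatory)] [object[]] $Inventory)

    $loopback = '127.0.0.1', '::1'
    # IPs of DCs that actually host the DNS role; only these are valid resolver targets.
    $dnsHosts = @($Inventory | Where-Object RunsDns | ForEach-Object IP)

    foreach ($dc in $Inventory) {
        $servers = @($dc.DnsServers)
        $self    = @($dc.IP) + $loopback
        $others  = @($servers | Where-Object { $_ -notin $self })
        $issues  = @()

        if ($servers.Count -eq 0) {
            $issues += 'no DNS servers configured'
        } elseif ($servers[0] -in $self) {
            # The situation from the thread: after a reboot the DC waits on its own DNS service.
            $issues += 'primary DNS is the DC itself (resolution depends on its own DNS service at boot)'
        }
        if ($servers.Count -gt 0 -and $others.Count -eq 0) {
            $issues += 'no other DC listed as a resolver'
        }
        foreach ($s in @($others | Where-Object { $_ -notin $dnsHosts })) {
            $issues += "resolver $s is not a DC running DNS in this inventory"
        }

        [pscustomobject]@{
            Name   = $dc.Name
            Status = if ($issues.Count) { 'REVIEW' } else { 'OK' }
            Issues = $issues -join '; '
        }
    }
}

# DC1 is flagged for pointing only at itself; DC3 is flagged for using DC2 before DC2 runs DNS.
Test-DcDnsClientConfig -Inventory $inventory | Format-Table -AutoSize -Wrap
```

On Windows Server 2012 and later, the `DnsServers` list for a live DC can be read with `Get-DnsClientServerAddress` instead of being typed in by hand.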
