AD stops working after updates

Posted on 2009-04-27
Medium Priority
Last Modified: 2012-05-06
Our Main DC will sometimes not load AD after it restarts from automatic updates. DNS is also offline when this happens.

I can fix it by going to ADUC, Action -> Connect to another domain controller, and selecting DC2, then redoing the process but selecting DC1 the second time. The fix is easy, but I need to figure out why this is happening to prevent it. The first time it happened I thought it was a fluke, but it has happened twice in the past 2 or 3 months.

Our setup
Main office
DC1 (AD, DNS, DHCP, GC) (one crashing)
DC2 (AD, Exchange 2007)

Branch offices (2 connected through VPN)
DC3 and DC4 (AD, DNS, DHCP, GC)


Question by:fsjavan32

Expert Comment

by:Mike Kline
ID: 24242439
What errors are you seeing in your event logs, and how do you have DNS set up on that DC (is it pointing to itself for DNS or to another box for primary DNS)?

Accepted Solution

Americom earned 1000 total points
ID: 24242579
Was your DC1 actually "crashing", or was it just some loading issue during reboot? If it is just a slow reboot due to AD loading before the DNS service has loaded, you may just set the DNS to point to another DNS server other than itself. After all, you have another DC, DC2, which you can also make a DNS server, and have DC1 point to DC2 and vice versa. You may want to make your DC2 a GC as well, in case your DC1 is not available, and your DC2 would be able to serve your Exchange better than your DC3.
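A read-only check for the resolver layout discussed in this answer, added here as an example and not part of the original post: it lists each DC's configured DNS servers over WMI and labels whether the DC points only at itself. The names DC1 and DC2 come from the thread; the function name and verdict labels are hypothetical, and it assumes Windows PowerShell with remote WMI access to the DCs.

```powershell
# Added example. DC1/DC2 are the names used in the thread; adjust to your own DCs.
$domainControllers = 'DC1', 'DC2'

# Hypothetical helper: classify one adapter's DNS client list.
function Test-DcDnsClientOrder {
    param(
        [string[]]$DnsServerSearchOrder,  # resolvers configured on the adapter
        [string[]]$LocalAddresses         # IP addresses bound to that same adapter
    )
    # Addresses that mean "this DC itself", including loopback.
    $self = @($LocalAddresses | Where-Object { $_ }) + '127.0.0.1', '::1'
    # Drop null/empty entries so an unset list counts as zero resolvers.
    $list = @($DnsServerSearchOrder | Where-Object { $_ })

    if ($list.Count -eq 0) { return 'NoDnsConfigured' }

    $others = @($list | Where-Object { $self -notcontains $_ })
    if ($others.Count -eq 0)      { return 'SelfOnly' }      # the asker's setup
    if ($self -contains $list[0]) { return 'SelfFirst' }     # partner only as fallback
    return 'PartnerFirst'                                    # layout suggested above
}

foreach ($dc in $domainControllers) {
    # Win32_NetworkAdapterConfiguration exposes DNSServerSearchOrder and IPAddress.
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -ComputerName $dc `
                  -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            New-Object PSObject -Property @{
                Computer = $dc
                Adapter  = $_.Description
                DnsOrder = ($_.DNSServerSearchOrder -join ', ')
                Verdict  = Test-DcDnsClientOrder `
                               -DnsServerSearchOrder $_.DNSServerSearchOrder `
                               -LocalAddresses $_.IPAddress
            }
        } |
        Format-Table Computer, Adapter, DnsOrder, Verdict -AutoSize
}
```

A `SelfOnly` verdict on a DC that also hosts the DNS zone matches the configuration the asker reports later in the thread.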

Author Comment

ID: 24242684
DNS is pointing to itself.
There are a lot of entries in the event log when this happens. I will just post the Event IDs for now to prevent pages of text. The first entry listed under each log is the first in chronological order. Of course these errors repeat until fixed; I only listed the first instance of each.

Event ID 1053

Directory Service
Event ID 2087 (cannot resolve DNS host name....)
Event ID 1126 (connection to GC)
Event ID 2092 Warning (FSMO role)

DNS Server
Event ID 4013 Warning (unable to open AD)

Event ID 5781 Warning (Dynamic reg of DNS records failed)
Event ID 40960 Warning (Security System, authentication error..)
Event ID 1059 (DHCP failed to see directory server)


Author Comment

ID: 24242769

It could be loading issues with DNS loading after AD. If I pointed it to DC2, shouldn't the same issue happen if DC1 restarted before DC2?

Assisted Solution

by:Mike Kline
Mike Kline earned 1000 total points
ID: 24242776
Follow the config that Americom talked about and stagger the reboots; you may be dealing with a race condition here.
You will hear people say "you always have to point the DC to itself for primary DNS". That is not true.
There was a great discussion over at activedir.org last November about this.
Search for the thread "DNS settings on domain controllers with MS DNS". I'd post the link, but right now activedir is changing ISPs and the page is erroring out for me.
I also agree with making them all GCs (but that is not causing this issue). See the first bullet point on the blog below about making all DCs GCs.

Author Comment

ID: 24242915
Thanks guys. Only time will tell if this resolves the problem. I am confident the information you provided will fix it though. I assumed DNS would load before the AD database. Not bashing MS, but it seems like a load priority should be set on bootup for services that need to start in a particular order.

Question has a verified solution.