Solved

Root dns problem

Posted on 2009-05-05
Last Modified: 2012-05-06
We're having a strange problem with DNS.  On the user side, it appears as a temporary inability to get anywhere on the web.  Even to an internal website.  IE/Firefox just hang up; a page refresh doesn't work; reloading the app often does, as does waiting 5-10 minutes and trying again.

On the server side, I'm seeing event 4521 every 3 minutes, with the detail:
"The DNS server encountered error 9002 attempting to load zone . from Active Directory. The DNS server will attempt to load this zone again on the next timeout cycle. This can be caused by high Active Directory load and may be a transient condition."

This is a Windows 2003 Small Business Server, SP2.  Running our own DNS server internally, with the server pointed at itself (via its own IP address, as recommended for 2003) and no secondary DNS server listed.  The DNS server is configured with forwarders (we use OpenDNS to limit non-work activities).

I've already been to eventid.net and tried the various suggestions there.  I'm unable to create a '.' zone, an attempt to do that creates an error about zone creation.  There is no '.' zone already in evidence.  I've tried the sequence in KB articles M298148, M323380 regarding removing the '.' zone, with no results.  I've even gone through the suggestion in KB M294328 on how to reinstall a dynamic DNS Active Directory Zone to rebuild our DNS server entirely, with no change.

I know there was another server in this domain at some point; it had Exchange on it and when I took over I had to (carefully) remove evidence of it from the Active Directory, because the prior sysadmin just ripped it physically out without a graceful demotion and removal.  I'm guessing something similar happened to the dns, since the problem was recreated as soon as I got the DNS service rebuilt.

Oh, and just for kicks, I tried configuring the DNS server without forwarders, just to check; no luck, same errors and sporadic failures on the user side.  I have one user who is pointed at another, external, DNS server; he has none of the sporadic failures.

Any suggestions gratefully received; I'm really tearing my hair out on this one.
Question by:qcsboise
6 Comments
 
LVL 5

Accepted Solution

by:
Member_2_4708244 earned 500 total points
ID: 24312437
Have you tried running dcdiag? It's part of the Support Tools for Server 2003, so you will need to download and install that from Microsoft (it's free).

Then run dcdiag from the command line "dcdiag /fix /v >>c:\dcdiag.txt"

Then review the txt file for any errors and fix them as needed.
0
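The accepted answer leaves the reader with a long `dcdiag /fix /v` log to review by hand. The following script is an added example, not code from the poster or from the Support Tools: it pulls the "passed test" / "failed test" result lines out of a saved dcdiag log and attaches any event IDs that dcdiag printed inside a failing test's section, so the failures (here the KCC event the author later mentions) stand out without scrolling through the whole file. The sample log embedded below is constructed for illustration and abridged; the server name, site name and timestamps are made up, and the event-ID decoding assumes dcdiag's `0x80000709`-style values carry the Event Viewer ID in their low 16 bits.

```python
import re
import sys

# Constructed, abridged sample of `dcdiag /v` output. Not taken from the
# poster's server; names, timestamps and the warning text are illustrative.
SAMPLE_DCDIAG = r"""
Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine SBSERVER, is a DC.
   ...

Doing primary tests

   Testing server: Default-First-Site-Name\SBSERVER
      Starting test: Connectivity
         ......................... SBSERVER passed test Connectivity
      Starting test: KccEvent
         * The KCC Event log test
         An Warning Event occured.  EventID: 0x80000709
            Time Generated: 05/05/2009   09:12:31
            (Event String could not be retrieved)
         ......................... SBSERVER failed test KccEvent
      Starting test: Replications
         ......................... SBSERVER passed test Replications

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
"""

# A result line looks like "......... <target> passed test <TestName>".
RESULT_RE = re.compile(r"\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)")
START_RE = re.compile(r"Starting test:\s*(\S+)")
# dcdiag prints event IDs as 32-bit values; the Event Viewer ID is the low 16 bits
# (assumption stated in the lead-in), e.g. 0x80000709 -> 1801.
EVENT_RE = re.compile(r"EventID:\s*0x([0-9A-Fa-f]{1,8})")


def parse_dcdiag(text):
    """Return a list of dicts: target, test, status and event IDs seen in that test."""
    results = []
    current_test = None
    current_events = []
    for line in text.splitlines():
        m = START_RE.search(line)
        if m:
            # A new test section begins; event IDs collected from here on belong to it.
            current_test = m.group(1)
            current_events = []
            continue
        m = EVENT_RE.search(line)
        if m and current_test:
            current_events.append(int(m.group(1), 16) & 0xFFFF)
            continue
        m = RESULT_RE.search(line)
        if m:
            target, status, test = m.groups()
            results.append({"target": target, "test": test, "status": status,
                            "events": list(current_events)})
            current_events = []
    return results


def failed_tests(results):
    """Filter to the tests that need attention."""
    return [r for r in results if r["status"] == "failed"]


if __name__ == "__main__":
    # Usage: python dcdiag_summary.py c:\dcdiag.txt   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DCDIAG
    parsed = parse_dcdiag(text)
    print(f"{len(parsed)} tests parsed, {len(failed_tests(parsed))} failed")
    for r in failed_tests(parsed):
        ids = ", ".join(str(e) for e in r["events"]) or "none"
        print(f"  FAILED {r['test']} on {r['target']} (event IDs: {ids})")
```

Run it against the `c:\dcdiag.txt` produced by the accepted answer's command; the decimal event IDs it prints are the ones to look up in the Event Viewer or on eventid.net, which is exactly the step the author describes taking next.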
 
LVL 38

Expert Comment

by:ChiefIT
ID: 24314120
The inability to contact the intranet and/or internet is the client's inability to contact the server. It may be trying to find the old server that no longer exists. My first guess would be, what preferred DNS servers are being passed down to the clients. This is done through DHCP......

DHCP passes down the preferred DNS servers to the clients. So, one of two things could be happening. You may have a rogue DHCP server, (like a router or mass storage device), that is spitting out a bad internal DNS server address to the clients. If a rogue DHCP server is sending out the preferred servers as an outside server, you may not get domain services internally, but you should get external DNS to the internet. The second option is your Server as a DHCP server. Under the DHCP snap-in >> scope options >> you may have listed as a preferred DNS server an old server that no longer exists. So, your client is trying to periodically contact that server that no longer exists and can't find it. The client may time out on its DNS query, you may find that the client can't contact any domain server or other client, and you will periodically lose the internet.

Other than that, you could check your DNS root. Under the DNS snap-in, do you see any folders greyed out?
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 24314148
By the way, if you have a rogue DHCP server, you will want to prevent it from providing DHCP and let your server handle that task. Otherwise, your router or mass storage device that is providing DHCP will also provide DNS. The problem with that is, the rogue device will not hold the DNS SeRVice (SRV) records of the domain controller. So, that knocks down domain services.
0
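ChiefIT's two comments suggest checking what DNS and DHCP servers the clients are actually being handed. One way to verify that from the client side, rather than from the scope options, is to capture `ipconfig /all` on a few workstations and compare the lease against the servers that should be there. The script below is an added example, not something the commenter posted: it parses the `DHCP Server` and `DNS Servers` fields (including the indented continuation lines a second DNS server lands on) and flags a lease from an unexpected DHCP server or a DNS entry pointing at a server that is not on the approved list, which is what a stale entry for the removed server or a router acting as DHCP would look like. All addresses and the sample `ipconfig /all` text are constructed for illustration.

```python
import re
import sys

# Constructed sample of `ipconfig /all` from a workstation. Addresses are
# illustrative: .1 is a router handing out leases, .10 is the SBS box,
# .11 stands in for a long-gone server still listed as a DNS server.
SAMPLE_IPCONFIG = """
Windows IP Configuration

        Host Name . . . . . . . . . . . . : WS01
        Primary Dns Suffix  . . . . . . . : example.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : example.local
        Description . . . . . . . . . . . : Generic PCI Ethernet Adapter
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 192.168.0.10
                                            192.168.0.11
        Lease Obtained. . . . . . . . . . : Tuesday, May 05, 2009 8:02:11 AM
"""

# "DNS Servers . . . : 192.168.0.10" and "DHCP Server . . . : 192.168.0.1"
FIELD_RE = re.compile(r"^\s*(DNS Servers|DHCP Server)[ .]*:\s*(\S+)?\s*$")
# Additional DNS servers appear alone on indented continuation lines.
IP_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_ipconfig(text):
    """Extract the DHCP server and the ordered DNS server list from ipconfig /all."""
    result = {"dhcp_server": None, "dns_servers": []}
    collecting_dns = False
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            field, value = m.groups()
            if field == "DHCP Server":
                result["dhcp_server"] = value
                collecting_dns = False
            else:
                if value:
                    result["dns_servers"].append(value)
                collecting_dns = True  # following bare-IP lines belong to this field
            continue
        if collecting_dns:
            m = IP_RE.match(line)
            if m:
                result["dns_servers"].append(m.group(1))
            else:
                collecting_dns = False
    return result


def check_client(parsed, approved_dns, approved_dhcp):
    """Return human-readable findings; an empty list means the lease looks right."""
    findings = []
    dhcp = parsed["dhcp_server"]
    if dhcp and dhcp not in approved_dhcp:
        findings.append(f"rogue DHCP server handed out the lease: {dhcp}")
    for srv in parsed["dns_servers"]:
        if srv not in approved_dns:
            findings.append(f"client is pointed at an unapproved or stale DNS server: {srv}")
    if not parsed["dns_servers"]:
        findings.append("client has no DNS servers configured")
    return findings


if __name__ == "__main__":
    # Usage: python check_lease.py ipconfig.txt   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IPCONFIG
    parsed = parse_ipconfig(text)
    # Approved sets are assumptions for the sample: the SBS server does both jobs.
    for finding in check_client(parsed, {"192.168.0.10"}, {"192.168.0.10"}) or ["OK"]:
        print(finding)
```

Run on a real capture, a finding about the DHCP server points at the rogue-device case in the first comment, and a finding about an extra DNS address points at the scope-option case; either way the fix is on the server or device handing out the lease, not on the client.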

 

Author Comment

by:qcsboise
ID: 24333063
Dinga, that was great advice.  The dcdiag highlighted another error of which I'd been unaware, an 1801 error from the Knowledge Consistency Checker.  Armed with the 4521 AND the 1801 errors, along with proposed solutions courtesy of EventID.net, I was able to resolve the issue and stop the events.  Not completely sure it's done yet; we'll test further with the office tomorrow, but things look great right now.
0
 
LVL 5

Expert Comment

by:Member_2_4708244
ID: 24334023
Both those tools are invaluable resources for troubleshooting.

Let me know if it's solved the browsing issue.
0
 

Author Comment

by:qcsboise
ID: 24424954
It didn't solve the browsing issue, but that appears related to server activity levels in addition to the DNS issues.  It did completely solve the DNS errors and for that I thank you!

-Matthew
0
