Inter-forest DNS error

Posted on 2010-11-14
Last Modified: 2012-05-10

We have a forest with four single domain trees (A, B, C, D). One of the trees, site A, was created recently. Sites B, C and D existed already.

In trying to get site B to resolve the name of site A I manually set up a primary AD-integrated zone for it. After the fact I realised that the zone for site A had not replicated to site B because site A's DNS was not configured to do forest wide replication. Anyway when I realised this, I deleted the zone for it on site B's DNS server. Yes, big mistake.

Now site B's DNS is throwing out a lot of errors such as:

Event ID 4004
"The DNS server was unable to complete directory service enumeration of zone C. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error."

Event ID 4004
"The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error."

Event ID 4521
"The DNS server encountered error 32 attempting to load zone A from Active Directory. The DNS server will attempt to load this zone again on the next timeout cycle. This can be caused by high Active Directory load and may be a transient condition."

In addition, in Active Directory Sites and Services on the DC in site B, if I try to force it to replicate now with site A it gives the error:
"The following error occurred during the attempt to synchronize naming context Configuration from domain controller (DC in Site A) to domain controller (DC in Site B):
The naming context is in the process of being removed or is not replicated from the specified server.

This operation will not continue."

I've no idea where to go with this. Have googled it, but there are so many similar DNS and AD issues.

Help! :o)

Question by:Eirejp
Assisted Solution

balmasri earned 500 total points
ID: 34130607
I suppose that A, B, C & D are separate domains & Site (A, B, C, D) are Active Directory sites. Right?

If A, B, C, D are child domains, then recreate the DNS zone as AD-integrated zones and domain-wide zones. Create delegation for each zone.
Forest wide only for zone.
Restart services: DNS Client, DHCP Client, Netlogon, DNS Server.

Author Comment

ID: 34130676
Yes, A, B, C & D are separate domains, each within their own tree but all within the same forest, and yes, Site (A, B, C and D) are AD sites.

The forest root domain is C.

How do I recreate the zone? Should I delete the zone for A on server A (i.e. its own domain controller)? All zones are already AD-integrated zones, though like I said, the zone for A is not replicating on the site B domain controller.

Should I be doing this on zone B? Restarting the services and changing the DNS zones?


Accepted Solution

balmasri earned 500 total points
ID: 34130707
No just recreate the deleted zone.

There is no need to replicate the zones between domains. Creating a delegation (conditional forwarding) is enough.
Only the domain controllers zone should be forest wide.

Restarting these services will re-register the records of domain controllers to this zone (Host A, GC, LDAP, etc.), so the _msdcs zone will be re-populated again.
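The repair steps the accepted answer describes (check where each AD-integrated zone replicates, resolve the other tree through a conditional forwarder instead of a local copy, recreate a deleted zone with the right scope, then restart the services so Netlogon re-registers the DC records) as a PowerShell example. This is added here and is not code from the thread; it assumes Windows Server 2012 or later with the DnsServer and ActiveDirectory modules, run as a domain admin on the site B DNS server, and the zone name, forwarder address and example domain are placeholders for the thread's A, B, C, D.

```powershell
# Added example (not from the original thread). Assumes Windows Server 2012+ with the
# DnsServer and ActiveDirectory PowerShell modules, run as a Domain Admin on the
# site B DNS server. All names and addresses below are placeholders.
Import-Module DnsServer
Import-Module ActiveDirectory

$localDnsServer = $env:COMPUTERNAME
$treeAZone      = 'a.example'      # placeholder for tree A's DNS zone name
$treeADns       = '192.0.2.10'     # placeholder: a DNS server authoritative for tree A

# 1. Inventory the AD-integrated zones and where each one replicates. A zone stored
#    in a domain's DomainDnsZones partition is only replicated to DCs of that domain,
#    which is why tree A's zone never appeared on the site B server by itself.
Get-DnsServerZone -ComputerName $localDnsServer |
    Where-Object { $_.IsDsIntegrated } |
    Select-Object ZoneName, ReplicationScope, DirectoryPartitionName |
    Format-Table -AutoSize

# 2. Confirm the DNS application partitions that the 4004/4521 events depend on
#    (DomainDnsZones / ForestDnsZones) are still replicated to this DC.
Get-ADDomainController -Identity $localDnsServer |
    Select-Object -ExpandProperty Partitions

# 3. Do not host tree A's zone locally. Resolve it through a conditional forwarder
#    that points at tree A's DNS, stored in AD and replicated forest-wide so every
#    DC in the forest learns the same forwarder.
if (-not (Get-DnsServerZone -Name $treeAZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $treeAZone `
        -MasterServers $treeADns -ReplicationScope 'Forest'
}

# 4. A zone deleted by mistake is recreated as AD-integrated with the matching scope;
#    'Domain' stores it in the local domain's DomainDnsZones partition. Only the
#    forest-wide _msdcs zone should use -ReplicationScope 'Forest'.
#    (Uncomment and set the zone name before running.)
# Add-DnsServerPrimaryZone -Name 'b.example' -ReplicationScope 'Domain' -DynamicUpdate 'Secure'

# 5. Restart the services the answer lists; Netlogon re-registers the DC's SRV, A and
#    GC records, so _msdcs is repopulated. Then verify the DC locator record resolves.
Restart-Service -Name Dnscache, Dhcp, Netlogon, DNS -Force
Start-Sleep -Seconds 30
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$((Get-ADDomain).DNSRoot)" `
    -Type SRV -Server $localDnsServer
```

The step 1 table is the quickest way to tell a zone that was never replicated to this server (wrong scope) from one whose partition is damaged, which is the distinction the later "credentials" and "RPC server is unavailable" errors in this thread hinge on.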

Author Comment

ID: 34161191
I have tried recreating but no joy. When I try to replicate AD it gives an error about "RPC server is unavailable", and if I try to rebuild the application partition in DNS it gives me an error about credentials. I might try to manually delete the zone in the child domain and then recreate it and see if that resolves it. I can try this at the weekend.

I'm not sure if I can delete the DNS zone on the only DNS server in the domain though - will it impact Active Directory if I do?


Expert Comment

ID: 34182104
"RPC server is not available" is usually a DNS client configuration issue. Check the DNS settings.

Author Closing Comment

ID: 34204721
Still an issue. I think there is a corruption related to this zone in AD. Will raise a new question about it with more information rather than continuing this.

Thanks for your help though!
