
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1482

SBS 2011 DNS Error

We are unable to access the Internet (although we could previously) on a SBS 2011 Server.
We are getting this error in our DNS log. Any advice most welcome.
Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4004
Date:            14/10/2011
Time:            15:12:33
User:            N/A
Computer:      SERVER.xxxxxx.local
Description:
The DNS server was unable to complete directory service enumeration of zone 16.168.192.in-addr.arpa.  This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0000: 2a 23 00 00              

1 Solution
The address space .in-addr.arpa is for reverse DNS entries, so you can resolve an IP address to a DNS name, instead of the other way around that you normally use DNS for. The address space is always written backwards, 192.168.16 in your case. You don't often need reverse DNS, so you could probably just ignore this error message. I'm relatively certain that it would not be causing your Internet access issues. Make sure the DNS server service is up and running and try pinging random websites (www.google.com, etc.) and if it can resolve the IPs for those sites, that is not your problem & you are chasing an irrelevant error.

To fix the error, just create the 16.168.192.in-addr.arpa zone in your DNS and let it populate things on its own.

For more reverse DNS info check out http://en.wikipedia.org/wiki/Reverse_DNS_lookup
As per Microsoft: "The DNS Server service uses Active Directory to store DNS data, and it encountered a Lightweight Directory Access Protocol (LDAP) error while querying the directory. This error could be caused by either a time-out or a temporary interruption of service".

If the 4004 and 4015 events only appear at start up, you get these events because your zones are stored in AD and it seems you only have one Domain Controller. AD cannot start with DNS, and when DNS starts, because AD has not started, DNS cannot load the zones in AD. The error goes away if you have two or more DCs with DNS installed, or if you use standard primary zones.
You said you can't access the internet. Could you be more specific? Can you ping your gateway router? Can you ping anything outside your network by IP? By name? Run ipconfig; is your gateway device set correctly?
Just trying to get more clear about whether or not this is DNS related.

cybis1Author Commented:
Sorry - didn't explain this very well. We can't access the internet with IE v8 or 9, nor Firefox. If we ping a DNS name in a command box, we get a reply. So the DNS is resolving the name within a command box. It may be the DNS errors listed above aren't related to the problem.

IE8 was working fine before we did a whole load of Windows updates on the server. After the updates we can't use a browser. So then we tried upgrading IE to version 9 and trying Firefox - but both with no success.

DNS is definitely set to the IP address of the SBS 2011 server (itself) and not using  We have tried this with DNS forwarders and without.
Personally I prefer to use as the first DNS server on my DC's. That way it can still find DNS so that AD will run if an IP gets changed or something.

The DNS server itself should have the root hints enabled, which will point to proper DNS out on the Internet.

When pinging stuff from the command line, are you trying internal names, external names, or both? I'm assuming external or both & that they are resolving the correct IP's for the moment.

Assuming DNS is working fine from the command line, that shouldn't be a problem for web browsing. My first thought is a firewall blocking the web browser. IE could be messed up via some GPO's but not really Firefox, so I wouldn't look at GPO's for the moment.

Do you or your ISP use a proxy server of any sort?
Do you have a firewall installed or enabled on the server or at the edge of your network?

Microsoft took out telnet in Vista or Windows 7 (don't remember about server versions offhand) I think, but you should be able to install it, or use putty.

Try "telnet www.google.com 80" or get Putty & try and connect up to www.google.com port 80 using the telnet protocol. If either method connects at all (may not get any data, but as long as you don't get a can't connect error), it's probably not a firewall.
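
The checks suggested in this thread (resolve a name, ping, then connect to port 80) can be run in one pass without installing telnet. The following is an added example, not code posted by anyone in the thread; the function name `Test-OutboundPath` and its defaults are assumptions, and it uses only cmdlets and .NET classes available in the PowerShell 2.0 that ships with Server 2008 R2 / SBS 2011.

```powershell
# Added example: layered outbound check (DNS -> ICMP -> TCP).
# Test-OutboundPath is a hypothetical helper name, not a built-in cmdlet.
function Test-OutboundPath {
    param(
        [string]$HostName = 'www.google.com',  # site named in the thread
        [int]$Port = 80,
        [int]$TimeoutMs = 3000
    )
    $result = New-Object PSObject -Property @{
        HostName = $HostName; Address = $null
        Dns = $false; Ping = $false; Tcp = $false; Verdict = ''
    }

    # Step 1: name resolution, the same thing "ping <name>" proves.
    try {
        $addr = [System.Net.Dns]::GetHostAddresses($HostName) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            Select-Object -First 1
        if ($addr) { $result.Address = $addr.IPAddressToString; $result.Dns = $true }
    } catch { }
    if (-not $result.Dns) {
        $result.Verdict = 'Name did not resolve: check DNS forwarders / root hints'
        return $result
    }

    # Step 2: ICMP reachability. Informational only, many sites drop ICMP.
    $result.Ping = [bool](Test-Connection -ComputerName $result.Address -Count 2 -Quiet)

    # Step 3: TCP connect with a timeout, the equivalent of "telnet host 80".
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($result.Address, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.EndConnect($async)       # throws if the connect was refused
            $result.Tcp = $client.Connected
        }
    } catch { } finally { $client.Close() }

    if ($result.Tcp) {
        $result.Verdict = "TCP $Port connected: a firewall block on this port is unlikely"
    } else {
        $result.Verdict = "Name resolved but TCP $Port failed: check firewall, gateway and proxy"
    }
    return $result
}

Test-OutboundPath | Format-List HostName, Address, Dns, Ping, Tcp, Verdict
```

A result with `Dns` true and `Tcp` false matches the symptom described here: names resolve from the command line but browsers cannot reach any site.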
cybis1Author Commented:
Thanks. This didn't solve it, but made me think about the firewall setup - which did turn out to be the problem. It was set up for its future site, and the IP address it was trying to get out on wasn't valid for our in-house connection.

So thanks for making me think laterally.

