Windows 2008 R2 DNS failure

Posted on 2011-10-31
Last Modified: 2012-05-12
Our FSMO domain controller suddenly lost connectivity to the DNS server (it is the DNS server). No reason.

The only error message is this:

"Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4000
Date:            10/31/2011
Time:            5:43:38 PM
User:            N/A
The DNS server was unable to open Active Directory.  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

For more information, see Help and Support Center at
0000: 0000232d "

Every time we try to connect we get "you do not have permissions to connect."

Click on the DNS icon and the DNS server comes up with the red sign with minus in it.
Click on Action in the MMC and it is all greyed out. Clicking on the server name gives only the DNS event viewer logs.

The error message  is:

"The DNS server was unable to open Active Directory the DNS server is configured to obtain..."  Event ID: 4000

The weird part is that an old Domain controller showed up in the DNS zone.

Not sure what to do next to bring it back online.

I could restore, but the problem will persist...

Using dnscmd I get error_access_denied 5 0x5

I have tried

dnscmd.exe /Config /RpcAuthLevel 0

to no avail.

Any advice would be helpful!

Question by:05fdml
    LVL 10

    Expert Comment

    Are you running IPv6 on that server?  Although some may disagree, if you're not using IPv6, disable it; it can cause these types of DNS problems, mostly because the IPv6 address of your domain controller is normally set for DHCP,

    Author Comment

    Yes, it was running. Thanks for the tip!

    The question is how to bring the DNS server back.
    LVL 15

    Expert Comment

    Suddenly lost connection?  Were there any events preceding that?
    What other events in the logs?
    Was this after a reboot?

    Are there any other events in any of the event logs (warnings or errors?)
    Is the DNS Server service running?

    -- In bizarre situations as this, I usually start by running a CHKDSK /F C: and rebooting, just to make sure there are no underlying disk errors causing the problem.
    LVL 10

    Expert Comment

    jr has a good point.  You can also try unregistering and re-registering the DNS suffix in the NIC properties and running ipconfig /flushdns and ipconfig /registerdns
    LVL 15

    Accepted Solution

    When a Domain Controller cannot find the DNS server, it is not lost due to a standard host record. It is the _MSDCS that are causing it problems.

    Like any other object on a network (such as a username) - it gets a GUID, and it refers to that GUID behind the scenes.  Well, domain controllers use the CNAME to discover their environment:

    da5f3e67-48f9-4b5b-857b-d0d61dce205c._msdcs.exampledomain.local is a CNAME that points to

    When DC1 complains it cannot find DC2, and you can ping DC2 from DC1, it is because of the _MSDCS info.

    So, what is happening is that your DC cannot find its DNS info, even when using both hands...

    I would try changing the IP address of your dns server so that it looks to a different server first for its dns, and remove itself from any DNS lookups.
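
A way to check the `_msdcs` records the accepted answer refers to, as an added example that is not part of the original thread. It queries a DNS server that still answers and reports whether the GUID CNAME, the DC locator SRV records and the matching host records exist. The default `$Domain` and `$DsaGuid` are the sample values from the answer, and `$DnsServer` is a placeholder; replace all three (the DSA GUID is shown by `repadmin /showrepl` as "DSA object GUID").

```powershell
# Added example (not from the thread). Placeholder defaults: replace before use.
param(
    [string]$Domain    = 'exampledomain.local',                   # sample forest root name from the answer
    [string]$DsaGuid   = 'da5f3e67-48f9-4b5b-857b-d0d61dce205c',  # sample GUID from the answer
    [string]$DnsServer = '192.0.2.10'                             # placeholder: DNS server to query
)

function Invoke-Lookup([string]$Type, [string]$Name) {
    # nslookup.exe is present on Windows Server 2008 R2; stderr noise is dropped.
    nslookup.exe "-type=$Type" $Name $DnsServer 2>$null
}

function Select-Match($Lines, [string]$Pattern) {
    # Return capture group 1 from every output line that matches.
    foreach ($line in $Lines) { if ($line -match $Pattern) { $Matches[1] } }
}

function New-Result([string]$Check, [string]$Name, $Value) {
    $status = if ($Value) { 'OK' } else { 'MISSING' }
    New-Object PSObject -Property @{
        Check = $Check; Name = $Name; Status = $status; Value = ($Value -join ', ')
    }
}

$results = @()

# 1. GUID CNAME: <DSA GUID>._msdcs.<forest root> must point at the DC's host name.
$guidName = "$DsaGuid._msdcs.$Domain"
$target   = @(Select-Match (Invoke-Lookup 'CNAME' $guidName) 'canonical name\s*=\s*(\S+)')
$results += New-Result 'GUID CNAME' $guidName $target

# 2. Locator SRV records: every host listed here is advertised as a DC.
$srvName = "_ldap._tcp.dc._msdcs.$Domain"
$dcs     = @(Select-Match (Invoke-Lookup 'SRV' $srvName) 'svr hostname\s*=\s*(\S+)')
$results += New-Result 'DC locator SRV' $srvName $dcs

# 3. Each advertised DC must still have a host (A) record. A name that does not
#    resolve, or a decommissioned DC in this list, is a stale registration.
foreach ($dc in ($target + $dcs | Sort-Object -Unique)) {
    $name = @(Select-Match (Invoke-Lookup 'A' $dc) '^Name:\s*(\S+)')
    $results += New-Result 'Host record' $dc $name
}

$results | Select-Object Check, Name, Status, Value | Format-Table -AutoSize
```

Compare the hosts listed under "DC locator SRV" with the domain controllers that are actually in service; an old DC appearing there matches the symptom described in the question.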
