DNS problems

Posted on 2012-09-12
Last Modified: 2012-09-21
I just saw this error message in my logs. Is it anything I need to worry about, and if so, how do I fix it?


The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
0
Question by:Joeteck
17 Comments
 
LVL 9

Expert Comment

by:Michael Knight
ID: 38391588
In addition to the 4013 event, are you also receiving an event ID 2088?

How many DCs are in this forest?
0
 
LVL 23

Expert Comment

by:Stelian Stan
ID: 38391595
This could be normal: when you boot the DC, AD and DNS try to start at the same time, and one failing to load its services generates such a warning event. For more info: http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/712f0956-2730-46b1-bb11-333746be7580/
0
 
LVL 9

Expert Comment

by:Michael Knight
ID: 38391625
Right, that's why I asked about 2088 as well. It just sounds to me like AD and DNS are starting up in a race condition; they eventually sync, and if your clients can log on and DNS is functioning properly you can ignore it. You could always try to tweak the startup, but they eventually and quickly resync. If you can stop and restart DNS successfully at any given time then I'd let it go.
0

 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 38391631
That could be a normal and ignored error.

Can you open AD Users and Computers?

Run dcdiag to check the health of the server.
0
 
LVL 4

Author Comment

by:Joeteck
ID: 38391752
Thanks for these replies! I was getting discouraged from my last question that no one could answer!

No 2088, all 4 are 4013. I have two DCs. Both are GCs, and both have their DNS set to 127.0.0.1. The first server I promoted I consider my primary, since it replicates to my second DNS server. I will show my dcdiag output in my next response. For some reason they take extremely long to come up. Hopefully you guys can help me with that as well.
0
 
LVL 27

Accepted Solution

by:DrDave242
DrDave242 earned 1000 total points
ID: 38391821
You may want to point them at each other for preferred DNS rather than using 127.0.0.1.  That way, whenever one DC reboots (provided you don't reboot both of them at the same time, which would be a bad idea for a variety of reasons), it'll find a running DNS server when it comes back up instead of having to wait on its own DNS service.
0
 
LVL 4

Author Comment

by:Joeteck
ID: 38391851
Ok, what about the long login time, how is that fixed?
0
 
LVL 27

Expert Comment

by:DrDave242
ID: 38391858
Is it long login time or long boot time?  You previously said they "take extremely long to come up."  Does the delay happen before or after you enter a username and password?
0
 
LVL 4

Author Comment

by:Joeteck
ID: 38391891
These are new servers. Smokin' fast. I built them myself. I guess if I shut both down, it will take a long time to come up since there are no DNS servers online yet for authentication. But I changed the IP address on both machines and that seemed to do the trick. Bouncing off of each other. I guess you never should shut both down at the same time. This is a new domain and is not active yet. But we will be moving to it shortly. Just want to be 100% sure that everything is functioning correctly before I move to it.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 38392860
You should not use 127.0.0.1; instead use the full IP address.
0
 
LVL 9

Assisted Solution

by:Michael Knight
Michael Knight earned 1000 total points
ID: 38393771
"...The first server I promoted, I consider my primary since it replicates to my second DNS server..."

Whoever has the FSMOs IS the primary, and all member servers, AD or not, should have it as primary by IP. So all things being equal he should come up first if everything went down. As stated before, 127.0.0.1, though always localhost, isn't the way to go.
For a sanity check, demote the noob controller(s) and get rid of DNS off of them. If your DHCP (AD or otherwise) is configured correctly then your clients will hit the domain no problem (if not, hard config it and figure that issue out later). Then you can promote the other servers (hardcoding their DNS if necessary) to get the domain healthy. Then the PDC should only rely on itself for DNS, which if there's a race condition you can deal with from the service level and take the other servers out of the mix.
After everyone's happy, start enabling DNS on the member servers, which should inherit the PDC's config. Regardless, all member servers should have a static IP and hard config'd DNS to primary; it's just better.
0
 
LVL 9

Expert Comment

by:Michael Knight
ID: 38393778
Sorry, I should have been more clear. Find out first who's holding the FSMOs... THEN demote the others.
0
 
LVL 4

Author Comment

by:Joeteck
ID: 38419157
@michaelaknight

Let's be logical here... If I started a new domain from scratch, wouldn't the first domain controller be the operations manager?

I have two domain controllers with DNS servers on each... Is this correct?
0
 
LVL 27

Expert Comment

by:DrDave242
ID: 38419206
Yep, that's good.  Two DCs, both GCs, and both DNS servers - nothing wrong with that configuration at all.
0
 
LVL 4

Author Comment

by:Joeteck
ID: 38419431
You guys are very helpful...

Another error message..

The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
0
 
LVL 27

Expert Comment

by:DrDave242
ID: 38419444
If you're not using smart cards, that can be ignored.  I see it quite frequently, and it doesn't affect anything else.
0
 
LVL 4

Author Closing Comment

by:Joeteck
ID: 38422297
Thank you very much... My servers are doing much better... Never knew why MS would automatically make the DNS entries 127.0.0.1 by default... Maybe if you only had one...

Great work guys! Thanks again!

So, what I have now for my DNS server entries is:

Primary DNS: <IP address of the second DNS server>
Secondary DNS: 127.0.0.1

This way I could shut down both and start them up individually!
0
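The DNS client ordering discussed in this thread can be checked per domain controller with a small audit function. This is an added example, not code from any poster; the DC names and 192.0.2.x addresses are constructed, and the function name `Test-DcDnsOrder` is hypothetical. On Windows Server 2012 and later the real server list can be read with `Get-DnsClientServerAddress -AddressFamily IPv4`.

```powershell
# Added example: audit the DNS client order on each domain controller.
# All names and addresses are constructed (192.0.2.0/24 is a documentation range).
function Test-DcDnsOrder {
    param(
        [string]   $Name,
        [string]   $OwnAddress,
        [string[]] $DnsServers      = @(),
        [string[]] $PeerDcAddresses = @()
    )
    $self     = @('127.0.0.1', $OwnAddress)
    $findings = @()

    if ($DnsServers.Count -eq 0) {
        $findings += 'no DNS servers configured'
    } else {
        # Preferred server is this DC: after a reboot it has to wait for its own
        # DNS service, which in turn waits for AD DS (event 4013 in the thread).
        if ($self -contains $DnsServers[0]) {
            $findings += "preferred DNS server $($DnsServers[0]) is this DC itself"
        }
        # No other DC listed: nothing to resolve against while local DNS is down.
        if (-not ($DnsServers | Where-Object { $PeerDcAddresses -contains $_ })) {
            $findings += 'no other domain controller in the DNS server list'
        }
    }
    [pscustomobject]@{
        Name       = $Name
        DnsServers = $DnsServers -join ', '
        Ok         = ($findings.Count -eq 0)
        Findings   = $findings -join '; '
    }
}

# Constructed inventory: DC1/DC2 as first described in the thread,
# DC1-fixed/DC2-fixed as in the closing comment (peer first, loopback second).
$inventory = @(
    @{ Name = 'DC1';       OwnAddress = '192.0.2.10'; DnsServers = @('127.0.0.1');               PeerDcAddresses = @('192.0.2.11') }
    @{ Name = 'DC2';       OwnAddress = '192.0.2.11'; DnsServers = @('127.0.0.1');               PeerDcAddresses = @('192.0.2.10') }
    @{ Name = 'DC1-fixed'; OwnAddress = '192.0.2.10'; DnsServers = @('192.0.2.11', '127.0.0.1'); PeerDcAddresses = @('192.0.2.11') }
    @{ Name = 'DC2-fixed'; OwnAddress = '192.0.2.11'; DnsServers = @('192.0.2.10', '127.0.0.1'); PeerDcAddresses = @('192.0.2.10') }
)
$results = foreach ($dc in $inventory) { Test-DcDnsOrder @dc }
$results | Format-Table -AutoSize -Wrap
```

The first two rows are flagged on both checks; the two "fixed" rows pass.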
