DNS problems

I just saw this error message in my logs. Is it anything I need to worry about, and if so, how do I fix it?


The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
JoeteckAsked:
 
DrDave242Commented:
You may want to point them at each other for preferred DNS rather than using 127.0.0.1.  That way, whenever one DC reboots (provided you don't reboot both of them at the same time, which would be a bad idea for a variety of reasons), it'll find a running DNS server when it comes back up instead of having to wait on its own DNS service.
0
 
Michael KnightCommented:
In addition to the 4013 event, are you also receiving an event ID 2088?

How many DCs are in this forest?
0
 
Stelian StanNetwork AdministratorCommented:
This could be normal: when you boot the DC, AD and DNS try to start at the same time, and one failing to load its services generates such a warning event. For more info: http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/712f0956-2730-46b1-bb11-333746be7580/
0

 
Michael KnightCommented:
Right, that's why I asked about 2088 as well. It just sounds to me like AD and DNS are starting up in a race condition; they eventually synch, and if your clients can log on and DNS is functioning properly you can ignore it. You could always try to tweak the startup, but they eventually and quickly resync. If you can stop and restart DNS successfully at any given time, then I'd let it go.
0
 
Darius GhassemCommented:
That could be a normal and ignored error.

Can you open AD Users and Computers?

Run dcdiag to check the health of the server.
0
 
JoeteckAuthor Commented:
Thanks for these replies! I was getting discouraged from my last question that no one could answer!

No 2088; all 4 are 4013. I have two DCs. Both are GCs, and both have their DNS set to 127.0.0.1. The first server I promoted I consider my primary, since it replicates to my second DNS server. I will show my dcdiag output in my next response. For some reason they take extremely long to come up. Hopefully you guys can help me with that as well.
0
 
JoeteckAuthor Commented:
Ok, what about the long login time? How is that fixed?
0
 
DrDave242Commented:
Is it long login time or long boot time?  You previously said they "take extremely long to come up."  Does the delay happen before or after you enter a username and password?
0
 
JoeteckAuthor Commented:
These are new servers.. Smokin' fast. I built them myself. I guess if I shut both down, it will take a long time to come up since there are no DNS servers online yet for authentication. But I changed the IP address on both machines and that seemed to do the trick. Bouncing off of each other. I guess you never should shut both down at the same time. This is a new domain and is not active yet. But we will be moving to it shortly. Just want to be 100% sure that everything is functioning correctly before I move to it.
0
 
Darius GhassemCommented:
You should not use 127.0.0.1; instead, use the full IP address.
0
 
Michael KnightCommented:
"...The first server I promoted, I consider my primary since it replicates to my second DNS server..."

Whoever has the FSMOs IS the primary, and all member servers, AD or not, should have it as primary by IP. So all things being equal, he should come up first if everything went down. As stated before, 127.0.0.1, though always localhost, isn't the way to go.
For a sanity check, demote the noob controller(s) and get rid of DNS off of them. If your DHCP (AD or otherwise) is configured correctly, then your clients will hit the domain no problem (if not, hard config it and figure that issue out later). Then you can promote the other servers (hardcoding their DNS if necessary) to get the domain healthy. Then the PDC should only rely on itself for DNS, which, if there's a race condition, you can deal with from the service level and take the other servers out of the mix.
After everyone's happy, start enabling DNS on the member servers, which should inherit the PDC's config. Regardless, all member servers should have a static IP and hard config'd DNS to primary; it's just better.
0
 
Michael KnightCommented:
Sorry, I should have been more clear. Find out first who's holding the FSMOs... THEN demote the others.
0
 
JoeteckAuthor Commented:
@michaelaknight

Let's be logical here... If I started a new domain from scratch, wouldn't the first domain controller be the operations manager?

I have two domain controllers with DNS servers on each... Is this correct?
0
 
DrDave242Commented:
Yep, that's good.  Two DCs, both GCs, and both DNS servers - nothing wrong with that configuration at all.
0
 
JoeteckAuthor Commented:
You guys are very helpful...

Another error message..

The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
0
 
DrDave242Commented:
If you're not using smart cards, that can be ignored.  I see it quite frequently, and it doesn't affect anything else.
0
 
JoeteckAuthor Commented:
Thank you very much... My servers are doing much better... Never knew why MS would automatically make the DNS entries 127.0.0.1 by default.. Maybe if you only had one...

Great work guys! Thanks again!

So, what I have now for my DNS server entries is:

Primary DNS: <IP address of the second DNS server>
Secondary DNS: 127.0.0.1

This way I could shut down both and start them up individually!
0
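The configuration the thread settles on (each DC lists its partner DC first and itself second, by real address rather than 127.0.0.1) and the checks the replies mention (events 4013 and 2088, dcdiag) can be applied and verified from PowerShell on the DC itself. The script below is an added example, not code from the thread or from Microsoft; the DC names, the 10.0.0.11/10.0.0.12 addresses and the "Ethernet" interface alias are constructed lab values to replace with your own.

```powershell
# Added example, not part of the original thread. Assumed lab values:
# two DCs named DC1 (10.0.0.11) and DC2 (10.0.0.12), NIC alias "Ethernet".
# Run elevated on each DC; the partner/self split is derived from the hostname.
$dcs = @{
    'DC1' = '10.0.0.11'
    'DC2' = '10.0.0.12'
}
$nic  = 'Ethernet'
$self = $env:COMPUTERNAME

if (-not $dcs.ContainsKey($self)) {
    throw "Host $self is not in the constructed DC table; edit `$dcs before running."
}

# Partner first, own real IP second: a rebooting DC then resolves against a
# running DNS server while its own DNS service waits for AD DS initial sync,
# and the second entry still works once everything is up.
$partner = $dcs.Keys | Where-Object { $_ -ne $self } | Select-Object -First 1
$order   = @($dcs[$partner], $dcs[$self])

Write-Host "Setting DNS client order on $self to: $($order -join ', ')"
Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses $order
Get-DnsClientServerAddress -InterfaceAlias $nic -AddressFamily IPv4

# Confirm the DC locator SRV records resolve with the new order.
# Get-ADDomain needs the RSAT ActiveDirectory module (present on a DC).
$domain = (Get-ADDomain).DNSRoot
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
    Select-Object Name, NameTarget, Port

# Event 4013 is written to the DNS Server log; event 2088 (replication
# failing because a partner's name could not be resolved) to Directory Service.
$since = (Get-Date).AddDays(-1)
foreach ($q in @(
    @{ LogName = 'DNS Server';        Id = 4013; StartTime = $since },
    @{ LogName = 'Directory Service'; Id = 2088; StartTime = $since }
)) {
    $hits = Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue
    Write-Host ("{0} event(s) {1} in '{2}' since {3}" -f
        @($hits).Count, $q.Id, $q.LogName, $since)
}

# Health checks from the replies: DNS test pass and a replication summary.
dcdiag /test:dns /v
repadmin /replsummary
```

After a reboot of either DC, the 4013 count should stop growing once AD DS signals initial sync; a persistent 2088 alongside it points at name resolution between the two DCs rather than the startup race the thread describes.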
Question has a verified solution.