Solved

Server 2012 - DNS issue - ID 4013

Posted on 2013-05-28
5,734 Views
Last Modified: 2013-09-06
2012 server, DNS error:

ID 4013
 
The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

I believe from my research that this might be caused by this: it appears the old server name (left over from migration?) is called out in the DNS forward lookup and I think that is the issue.  Can I just delete all the references to the old server without issue?

Thank you
0
Question by: Joemt
34 Comments

LVL 24 Expert Comment by: lionelmm
Is that server still active? If not then you can because if you no longer have it working it will never reach it. Worst case you remove the DNS server role and then add it back. How many active servers do you have?
0
 
LVL 27 Expert Comment by: Steve
If you have old DCs listed in AD/DNS you do need to get them safely removed.

Try this for info
http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Even with a dodgy server listed it should be able to replicate DNS from another DC, so it's a bit odd it's failing.
How many DCs do you have?
0
 

Author Comment by: Joemt
I apologize for the delay here.....client is a school...I have made arrangements to get access to the school to try the above. I should know next week.....I have been visiting this question steadily to see if there are any other suggestions. I will report back, thank you.
0
 
LVL 27 Expert Comment by: Steve
any luck?
0
 

Author Comment by: Joemt
Have not been out to the site yet. I hope to have access to the server this week.
0
 

Author Comment by: Joemt
Ok I might have done something stupid.......There are two sections under the DNS:

1. PSDsvr2012        and  2. psdsvr2012.potomac.local See pic.

The old server name "psdsvr" was listed under both....I deleted it from under #2 which splashing "psdsvr" under #1

Please see the pics, I need some help on getting this sorted out.

I'm on site right now
Properties.jpg
Old-current.jpg
0
 
LVL 38 Expert Comment by: Philip Elder
In your FLZ potomac.local you need to create an A record for

psdsvr2012.potomac.local

That will fix the first image that does not show an IP address.

Do that _first_ do not touch the _msdcs situation until your Properties shows the correct IP for your 2012 DC/DNS.

Philip
0
 
LVL 23 Expert Comment by: Erik Bjers
When you changed the server name did you rebuild, build a new one, or just rename the old one after upgrading?

If you renamed the old one did you follow these steps
http://technet.microsoft.com/en-us/library/cc782761(v=ws.10).aspx
If not you may want to try that now as it will create the required entries for the new name.

From what I see the problem is you do not have a name server record for your new name, only an alias pointing to the old name which no longer exists.

eb
0
 

Author Comment by: Joemt
The old server (2003) was shut off and removed from the network after the migration to the new Dell server (2012). There is only one server.

 I'm sorry I did not do the initial installation so I am not sure what steps were or were not followed.

How do I create the name server record?  

Thank you
0
 
LVL 38 Expert Comment by: Philip Elder
In the Potomac.Local Forward Lookup Zone right click and New A (AAAA) Record:

NewServerName
IP of new server

Apply and OK

Philip
0
 

Author Comment by: Joemt
Ok under Potomac.local (both PSDSRV2012 & PSDSRV2012.Potomac.local): when I try to create the "A" host, it tells me it already exists. I found the A host in the list.

See pic hope it sheds some light. PS I'm on site right now.
Potomac.local-properties.jpg
Ahost-record.jpg
0
 
LVL 38 Expert Comment by: Philip Elder
That looks right, and your properties are now showing the IP address for the server.

Please post an IPCONFIG /ALL from the 2012 DC.

Philip
0
 

Author Comment by: Joemt
I did not add the A host...it was there. Here is the ipconfig /all
ipconfig-all.jpg
nslookup.jpg
1
 
LVL 38 Expert Comment by: Philip Elder
What are the IPs for the NIC DNS 0 and 1? The 66's?

DNS 0 for IPv4 on the NIC should be: 10.0.5.6

Nothing else.

The server is not even asking itself for internal resolution. It is going out to those 66 IPs. Ooops.

Philip
0
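The check Philip is describing, written out as an added PowerShell example (this is not code from the thread or from any of the participants): it lists the resolvers configured on each NIC of the domain controller, flags anything that is not the DC's own LAN address, warns if ::1 is listed as an IPv6 resolver (nslookup reverse-resolves the server address and prints "Default Server: UNKNOWN" when there is no PTR for it), and then confirms the zone apex and the DC locator SRV record resolve against the DC itself. It assumes the DC's IPv4 address is 10.0.5.6 and the zone is potomac.local, both taken from the thread, and that it runs in an elevated PowerShell session on Server 2012.

```powershell
# Added example, not from the thread. Assumed values from the thread:
# the DC's own IPv4 address and the AD zone name.
$expectedDns = '10.0.5.6'
$zone        = 'potomac.local'

# Resolvers on every connected adapter
$adapters = Get-NetAdapter | Where-Object Status -eq 'Up'
foreach ($nic in $adapters) {
    $v4 = (Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses
    Write-Host "$($nic.Name): IPv4 DNS servers = $($v4 -join ', ')"

    # Anything other than the DC itself (the 66.x addresses from the ipconfig
    # belong in DNS Server forwarders, not on the NIC)
    $foreign = $v4 | Where-Object { $_ -ne $expectedDns }
    if ($foreign) {
        Write-Warning "$($nic.Name): external resolver(s) on the NIC: $($foreign -join ', ')"
        # Uncomment to correct in place:
        # Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $expectedDns
    }

    # ::1 as a resolver has no PTR record, so nslookup shows "Default Server: UNKNOWN"
    $v6 = (Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv6).ServerAddresses
    if ($v6 -contains '::1') {
        Write-Warning "$($nic.Name): ::1 (IPv6 loopback) is listed as a DNS server; remove it"
    }
}

# Records a DC must be able to resolve from itself: the zone apex (A) and
# the DC locator record (SRV) under _msdcs
$checks = @(
    @{ Name = $zone;                        Type = 'A'   },
    @{ Name = "_ldap._tcp.dc._msdcs.$zone"; Type = 'SRV' }
)
foreach ($c in $checks) {
    try {
        $r = Resolve-DnsName -Name $c.Name -Type $c.Type -Server $expectedDns -ErrorAction Stop
        Write-Host ("OK   {0} ({1}): {2} answer(s)" -f $c.Name, $c.Type, @($r).Count)
    } catch {
        Write-Warning ("FAIL {0} ({1}): {2}" -f $c.Name, $c.Type, $_.Exception.Message)
    }
}
```

If the SRV check fails while the A check passes, the DNS Server service has started but the _msdcs records have not been registered yet; restarting the Netlogon service re-registers them once the NIC points at the DC.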
 

Author Comment by: Joemt
Ok I fixed the DNS on the NIC and the odd ::1.

nslookup still comes back with default server unknown.....but the ip called out is correct
New-ipconfig-all.jpg
0
 
LVL 38 Expert Comment by: Philip Elder
Look in the Reverse Lookup Zone for your Subnet. Is it there? If yes, then you need to add an A record for the DC's IP to fix that.

If not, create an AD integrated, Secure Updates Only, RLZ for your subnet.

Philip
0
 
LVL 27 Expert Comment by: Steve
don't bother. it's just the loopback address that's the cause of the 'unknown' stuff.
you can create a reverse lookup zone for loopback but it's not worth the hassle.

just remove the ::1 (ipv6 loopback) and use the 10.0.5.6 address as this should already have a reverse dns record.

have you removed the old server's name/IP from the nameservers list?
0
 

Author Comment by: Joemt
Yes I removed the old server name from the Names list on all zones. I also ensured the IP address was resolved for the actual server name in the Names list that is valid.

I had to create an alias for the old server (in Potomac.local) for the workstations to remote update an AV program.  The other existing alias I see is to tie _msdcs.potomac.local to psdsrv2012 (server name).

A problem I see still: under Potomac.local there are A host records (workstation names) with duplicate IP addresses on different workstation names.

Is there a way to determine if the DNS setting are correct in the AD?
Dup-ip-addreses.jpg
Old-server-name-alias.jpg
0
 
LVL 38 Expert Comment by: Philip Elder
Verify in DHCP by comparing the lease.

Set Scavenging and enable on AD Zones in DNS (right click server name and Set Scavenging).

In DHCP right click on IPv4 and Properties. Under DNS Tab enable Name Protection. Under advanced set a username and password that will allow DHCP to update DNS when a client's IP is renewed or issued.

That should help keep the IPs and DNS A records straight.

Philip
0
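An added PowerShell example covering both Joemt's duplicate-IP observation and Philip's fix (this is not code from the thread or from any participant): it first groups the zone's A records by IPv4 address and reports every address claimed by more than one host, noting which records are dynamic (scavengable) and which are static, then applies the aging/scavenging and DHCP-to-DNS settings from the post above. It assumes it runs on the 2012 DC with both the DNS Server and DHCP Server roles installed, that the zone is potomac.local (from the thread), that the 3-day interval Joemt later chose is used, and that the account DHCP uses for updates is a dedicated low-privilege domain account supplied at the prompt (the account name is not on the page).

```powershell
# Added example, not from the thread. Zone name taken from the thread.
$zone = 'potomac.local'

# --- 1. A records that share an IPv4 address (stale entries left behind when
#        a client got a new lease and its old record was never cleaned up) ---
$aRecords = Get-DnsServerResourceRecord -ZoneName $zone -RRType A |
    Where-Object { $_.HostName -ne '@' }                        # skip the zone apex

$dupes = $aRecords |
    Group-Object -Property { $_.RecordData.IPv4Address.IPAddressToString } |
    Where-Object Count -gt 1

foreach ($g in $dupes) {
    $names = ($g.Group | ForEach-Object {
        # Timestamp is set on dynamic records; $null means static, which
        # scavenging never removes and therefore needs a manual decision
        $kind = if ($_.Timestamp) { "dynamic, ts=$($_.Timestamp)" } else { 'static' }
        "$($_.HostName) [$kind]"
    }) -join ', '
    Write-Warning "$($g.Name) is claimed by $($g.Count) records: $names"
}

# --- 2. Aging/scavenging on the server, applied to all zones (the
#        "Apply these settings to the existing AD-integrated zones" tick) ---
# 3-day intervals (Joemt's choice): a record must be >= 6 days stale
# (no-refresh + refresh) before it is eligible; the server sweeps every 3 days.
$threeDays = New-TimeSpan -Days 3
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval $threeDays `
    -NoRefreshInterval $threeDays -RefreshInterval $threeDays -ApplyOnAllZones
Set-DnsServerZoneAging -Name $zone -Aging $true

# --- 3. DHCP registers records on behalf of clients and refuses name
#        squatting (IPv4 Properties > DNS tab: Name Protection) ---
Set-DhcpServerv4DnsSetting -DynamicUpdates Always -NameProtection $true `
    -DeleteDnsRROnLeaseExpiry $true -UpdateDnsRRForOlderClients $true

# Credentials DHCP uses for dynamic updates (Advanced tab); a dedicated
# low-privilege account, not a domain admin. Account name is assumed, not from the thread.
$cred = Get-Credential -Message 'Account DHCP will use to register DNS records'
Set-DhcpServerDnsCredential -Credential $cred
```

Name Protection only works for records DHCP itself registers, which is why moving DHCP onto the server (as Philip says) is the prerequisite; with the SonicWall handing out leases, each client updates its own record and nothing stops a second host from overwriting a name that is still in use.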
 

Author Comment by: Joemt
I have 2 choices on the Scavenging - 1. Aging/scavenging for all zones  2. Scavenging stale resource records.

The DHCP is provided by a SonicWall device.  (Anything to do here?)

As for your third paragraph......does that still apply with the SonicWall providing DHCP? I'm assuming you meant at the server, if it applied.
0
 
LVL 38 Expert Comment by: Philip Elder
With DHCP off the server you are totally reliant on the client pinging DNS with an updated IP.

DHCP belongs on the server as it is closely integrated with DNS as per my earlier post.

Set Ageing/Scavenging for all zones and include AD Integrated.

Philip
0
 

Author Comment by: Joemt
I will move the DHCP to the server.  I did set the scavenging.  This is Server 2012 and I did not see a setting within the scavenging specifically for the AD.  I will look into this further.  Thank you for all your help.
0
 
LVL 38 Expert Comment by: Philip Elder
When you enable Scavenging there is a check mark below as shown here:
AD-integrated Zones Option
Put a tick in "Apply these settings to the existing AD-integrated zones".

Philip
0
 

Author Comment by: Joemt
I moved the DHCP server to the server (added the role and configured). I also set the scavenging settings (3 days).

Since all the DNS changes, The server cannot ping the workstations. The workstations can ping the server.  This is causing me grief because my AV console on the server cannot find the workstations. I use the console to push out AV upgrades.

Any idea what is causing the server to not be able to ping the workstation?
0
 
LVL 24 Expert Comment by: lionelmm
cannot ping using pc names or ip addresses?
0
 

Author Comment by: Joemt
I did not try names..............ip address no response.  I could stop by and try that tonight.
0
 
LVL 38 Expert Comment by: Philip Elder
Reboot the machines so that they pick up the IPs from the server. They should then update DNS with the correct IP.

Philip
0
 

Author Comment by: Joemt
I can ping the printer. I can also ping the workstations IF I shut off the WS (XP Pro) firewall.
Turn on the WS firewall and no ping from server to WS.

Why would the workstation FW stop the domain server from pinging?
0
 
LVL 27 Expert Comment by: Steve
Why would the workstation FW stop the domain server from pinging?

many firewall settings block ping traffic because it's generally bad in an insecure environment. if the firewall is on and configured to defaults you won't get a ping response.

if you're happy your internal network is secure enough you can disable the firewall completely on the WS. alternatively, amend the firewall settings to allow ping (ICMP) traffic.
0
 

Author Comment by: Joemt
Is this a server 2012 default setting?  I have always been able to ping workstations from the server as far as I can remember (will be checking after this).   To change 85 workstations so I can push an AV upgrade is not great.  I could ping those workstations prior to the changes to the DNS. That is why I thought there had to be something missing still.
0
 
LVL 27 Accepted Solution by: Steve (earned 500 total points)
This is a separate question really, as we've already dealt with your original query.

In answer to your additional Q, the defaults for Client firewalls are quite basic and are only normally amended en-masse if your Group Policies add exceptions and settings to the clients.

SBS usually includes many GPOs like this by default, but the full version of server is pretty much a blank canvas.

In general, many companies feel the firewall can be disabled while on your company network as it usually causes more problems than it resolves. This should be assessed on a case-by-case basis though.
0
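The Group Policy route Steve mentions, as an added PowerShell example (not code from the thread or from any participant): rather than disabling the workstation firewall for 85 machines, it creates one GPO with a single inbound rule that allows ICMPv4 echo requests only from the management server, only on the Domain profile, and links it to the workstation OU. It assumes it runs on the 2012 DC with the GroupPolicy and NetSecurity modules available (GPMC and Windows Firewall with Advanced Security), that the server address is 10.0.5.6 and the domain potomac.local (both from the thread), and that the OU name OU=Workstations,DC=potomac,DC=local and the GPO name are hypothetical. The rule created this way is honoured by Vista and later clients; XP clients do not read Advanced Security rules (see the note after the block).

```powershell
# Added example, not from the thread. Server IP and domain taken from the
# thread; OU and GPO names are hypothetical placeholders.
$domain   = 'potomac.local'
$gpoName  = 'Firewall - Allow ping from management server'
$ruleName = 'Allow ICMPv4 echo from mgmt server'
$serverIp = '10.0.5.6'
$targetOu = 'OU=Workstations,DC=potomac,DC=local'   # hypothetical

Import-Module GroupPolicy, NetSecurity

# Create the GPO once; later runs reuse it
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Scoped ICMP echo exception for the AV console'
}

# Edit the GPO's firewall store in a session and commit it in one write
$session  = Open-NetGPO -PolicyStore "$domain\$gpoName"
$existing = Get-NetFirewallRule -GPOSession $session -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $existing) {
    # IcmpType 8 = echo request only (not "any ICMP");
    # RemoteAddress = the DC/AV console only, not the whole LAN;
    # Profile Domain = the exception does not follow a laptop onto home Wi-Fi.
    New-NetFirewallRule -GPOSession $session `
        -DisplayName   $ruleName `
        -Direction     Inbound `
        -Protocol      ICMPv4 `
        -IcmpType      8 `
        -RemoteAddress $serverIp `
        -Profile       Domain `
        -Action        Allow | Out-Null
}
Save-NetGPO -GPOSession $session

# Link to the workstation OU if not already linked
$linked = (Get-GPInheritance -Target $targetOu).GpoLinks.DisplayName -contains $gpoName
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}
Write-Host "GPO '$gpoName' linked to $targetOu; clients apply it at next gpupdate or reboot."
```

For the XP Pro workstations in this thread, the equivalent setting is the legacy policy Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > "Windows Firewall: Allow ICMP exceptions" (enable "Allow inbound echo request"); it can live in the same GPO. Either way the firewall stays on and the exception is limited to one source address, which is the smaller change compared with switching the firewall off.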
 

Author Closing Comment by: Joemt
Thank you for all the help.    This is a great asset to IT personnel.
0
