Server DNS Dependencies

Posted on 2014-02-07
Last Modified: 2014-02-24
My company recently deployed a domain controller/DFS/DNS server to what will be our second location added to our domain. We had to reboot our primary domain controller today and it caused our second location to lose DNS services. The error in Server Manager reads:

"The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error."

Obviously having the successful networking operation of our company be contingent upon the status of one machine is not acceptable. The network settings on the non-primary domain controller (we'll call it DC2) point to its own local IP address for Preferred, and then to for Alternate. It's my understanding that is a 'loopback' IP that would also be pointing to the server. Do these settings imply that DC2's successful DNS resolution is dependent on the primary DC?

Truth be told, I'm not a networking guru. I don't understand how our primary domain controller resolves DNS requests as it only points to itself for DNS in network settings, but if you could give me a few sentences that explain the means by which my server pointing to itself for name resolution is somehow finding the IPs it needs, and how I can make DC2 not dependent on the primary DC, I would greatly appreciate it. We will soon have DC3 and DC4 and I can't have 4 sites go down at the same time.
Question by: botsadmins
LVL 37

Expert Comment

ID: 39842833
Your primary DC should point to itself for the preferred DNS entry (not the loopback address) and should point to the second DNS server in the same site, or in the remote site if you do not have another DC in the same site, as the alternate DNS entry.

Likewise, your remote DC should point to itself for the preferred DNS entry (not the loopback address) and should point to the primary DNS server in the main site as the alternate DNS entry in order to work properly.

LVL 37

Expert Comment

ID: 39842923
In the case of DNS on domain controllers, the zones are AD-integrated and should never go down even if the primary server goes down.
For any query DNS receives, it first checks its own zone data and cache, and if the record is not found it then starts searching conditional forwarders, then default forwarders (for internet queries).

In reality, all domain controllers' DNS keeps replicating DNS changes with each other.

Once you make the change as suggested above, you can check that the DNS servers will never crash even if the primary server goes down.


Author Comment

ID: 39843021
The non-primary domain controller does point to itself and only itself for DNS settings; the only difference between your suggestions and our configuration is that my DCs only point to themselves and not to each other. This is why I'm so confused as to why my DNS resolution would fail at another site precisely when rebooting the primary controller, when the other site's DC isn't even pointing to the primary for DNS.

LVL 37

Expert Comment

ID: 39843058
Have you added alternate DNS entries on both servers?

The DNS crash is just a coincidence; the reason behind it must be something else.
Can you please check both DNS servers for error event ID 4015?

Can you please post the output of the commands below here for further troubleshooting:
dcdiag /q
repadmin /showrepl
dcdiag /test:dns

Please run the commands on both DCs.


Author Comment

ID: 39843190
My non-primary DC is getting 4015 errors roughly 5 minutes apart, but they come in batches: I'll get it 3 or 4 times at close to 5-minute intervals, then it will be fine for a little while, and then I'll get another run of 3 to 4 4015s.

Author Comment

ID: 39843230

The repadmin /showrepl command on DC2 yields the following error reports (several of them): "The RPC server is unavailable", showing the last success being several hours ago but after we had finished rebooting everything.

The dcdiag /q command shows error 1256 "The remote system is not available".

The dcdiag /test:dns passed connectivity and failed test DNS; it says "warning: no DNS RPC connectivity (error or non-Microsoft DNS server is running)" but at the end says "passed test DNS".
LVL 37

Accepted Solution

Mahesh earned 500 total points
ID: 39843830
You need to check both DCs thoroughly for the above errors.
First of all, download the PortQryUI tool from Microsoft and check that the AD ports are open as appropriate; if they are not open, you need to start from there.
If they are already open, then proceed with the steps below.

Check Host (A) records and PTR records for all domain controllers, if they exist.
Check CNAME records for the DCs under the zone, if they exist.
Check that SRV records exist in DNS on both domain controllers.
Check that NS records for both DCs are present on both domain controllers in both zones.
Also point the preferred DNS server on both DCs to itself and have the alternate entry pointing to each other on both DCs, then restart the Netlogon service and the DNS service on both domain controllers.
Then check that event ID 1394 exists in the Directory Service event log on both domain controllers.
Check the DFS Replication log in Event Viewer for event ID 4602 (or File Replication Service event ID 13516), which indicates SYSVOL has been initialized.
Type net share at a command prompt on both DCs and check that NETLOGON and SYSVOL are shared.
Go to AD Sites and Services, trigger replication manually and check that it works.
If required, delete the old connection objects from AD Sites and Services and create manual connection objects.
Also check whether any stale DC object is present in AD Sites and Services, or in the domain system volume under the domain directory partition \ System \ DFS or FRS container in adsiedit.msc; those need to be removed.
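An added example, not from the thread or any of its participants: a read-only PowerShell health check that walks the accepted solution's checklist and the earlier advice that each DC should list itself as preferred and the other DC as alternate DNS server. The domain name and DC hostnames are placeholders, Test-NetConnection stands in for the PortQryUI port check, and it assumes Windows Server 2012 R2 or later cmdlets.

```powershell
# Assumed placeholders: replace with your AD domain and the hostnames of both DCs.
$Domain  = 'corp.example'
$Dcs     = @('DC1', 'DC2')
$Self    = $env:COMPUTERNAME
$Partner = $Dcs | Where-Object { $_ -ne $Self } | Select-Object -First 1

# 1. DNS client settings: preferred must be this DC's own IP (not 127.0.0.1),
#    and there must be an alternate entry (the other DC).
$selfIp = (Get-NetIPAddress -AddressFamily IPv4 |
           Where-Object { $_.PrefixOrigin -ne 'WellKnown' }).IPAddress
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        $ok = ($_.ServerAddresses[0] -in $selfIp) -and ($_.ServerAddresses.Count -ge 2)
        "{0}: {1} [{2}]" -f $_.InterfaceAlias, ($_.ServerAddresses -join ', '),
            $(if ($ok) { 'OK' } else { 'CHECK' })
    }

# 2. AD ports the partner DC must accept (DNS, Kerberos, RPC endpoint mapper, LDAP, SMB).
foreach ($p in 53, 88, 135, 389, 445) {
    $r = Test-NetConnection -ComputerName $Partner -Port $p -WarningAction SilentlyContinue
    "Port {0} on {1}: {2}" -f $p, $Partner, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}

# 3. A, NS and SRV records, asked of each DC's own DNS service so a missing
#    record on one replica stands out.
foreach ($dns in $Dcs) {
    foreach ($dc in $Dcs) {
        $a = Resolve-DnsName -Name "$dc.$Domain" -Type A -Server $dns -ErrorAction SilentlyContinue
        "A   {0} via {1}: {2}" -f $dc, $dns, $(if ($a) { $a.IPAddress -join ',' } else { 'MISSING' })
    }
    $ns  = Resolve-DnsName -Name $Domain -Type NS -Server $dns -ErrorAction SilentlyContinue
    "NS  $Domain via ${dns}: " + (($ns | Where-Object Type -eq 'NS').NameHost -join ', ')
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $dns -ErrorAction SilentlyContinue
    "SRV dc._msdcs via ${dns}: " + (($srv | Where-Object Type -eq 'SRV').NameTarget -join ', ')
}

# 4. SYSVOL/NETLOGON shares and the event IDs named in the answer.
Get-SmbShare -Name NETLOGON, SYSVOL -ErrorAction SilentlyContinue | Select-Object Name, Path
$filters = @(
    @{ LogName = 'DNS Server';        Id = 4015 },   # DNS could not reach AD
    @{ LogName = 'Directory Service'; Id = 1394 },   # AD connectivity restored
    @{ LogName = 'DFS Replication';   Id = 4602 }    # SYSVOL initialized
)
foreach ($f in $filters) {
    $e = Get-WinEvent -FilterHashtable $f -MaxEvents 1 -ErrorAction SilentlyContinue
    "Event {0} in '{1}': {2}" -f $f.Id, $f.LogName, $(if ($e) { $e.TimeCreated } else { 'none found' })
}
```

Run it in an elevated PowerShell on each DC and compare the two outputs; a BLOCKED port or a MISSING record tells you which layer of the checklist to fix first.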

