DNS error 4521

Posted on 2014-04-14
Last Modified: 2014-04-16
I've been getting constant errors on 3 out of my 4 in-house DNS servers.

Error 4521-
"The DNS server encountered error 32 attempting to load zone 60.168.192.in-addr.arpa from Active Directory. The DNS server will attempt to load this zone again on the next timeout cycle. This can be caused by high Active Directory load and may be a transient condition. "

This started when we decommissioned one of our sites. We didn't properly decom the DC / DNS server at that site, so I ran ntdsutil and followed the MS site regarding cleaning up the metadata of a failed demoted DC; however, I'm not sure how to stop these constant 4521 DNS errors.

Any suggestions where I can find and remove the entry that is constantly trying to load a zone that does not exist anymore?
Question by:jo80ge121

Expert Comment

by:Zephyr ICT
ID: 39999079
I suspect that zone is the one from the site that was decommissioned?

It might still be loaded from AD/registry...

You could run following command to remove it from AD/registry and delete it (if not deleted already)...

"dnscmd /config <zonename> /bootmethod [0|1|2|3]"

0 is no source, the standard is 3 (AD/registry) ... 2 is registry and 1 is bind/local DNS directory...

Expert Comment

by:Brad Bouchard
ID: 39999822
Did you load the DNS GUI on each of these servers and make sure to remove that Reverse Lookup Zone?  The zone you're referring to is a Reverse Lookup Zone and needs to be removed manually since you didn't remove the site properly.
Author Comment

by:jo80ge121
ID: 40000111
spravtek: yes, it was the zone from the site that was decommissioned. I will try what you suggested.

BradBouchard: all reverse lookup zones on each DNS server have been manually removed.

Accepted Solution

by:
DrDave242 earned 500 total points
ID: 40002122
If the above suggestions don't work, you can use ADSI Edit to find and delete the zone from Active Directory:

1. Run adsiedit.msc at an elevated command prompt on one of your DCs/DNS servers.

2. Right-click ADSI Edit in the left pane and select Connect to...

3. In the Connection Settings window, select the radio button labeled Select or type a Distinguished Name or Naming Context.

4. Since the zone in question is a reverse lookup zone, we'll start by looking in the ForestDnsZones partition. If your AD domain is named domain.com, you'll type DC=ForestDnsZones,DC=domain,DC=com in the input field to connect to that partition. You can optionally type something in the Name field (like ForestDnsZones) to identify the connection, but this isn't required. Click OK to connect to the partition.

5. In the left pane, expand ForestDNSZones\DC=ForestDnsZones,DC=domain,DC=com\CN=MicrosoftDNS. You should see folders for each DNS zone that's stored in the ForestDnsZones partition (each zone configured to replicate to every DC running DNS in the forest).

6. If you see the offending zone, delete it. (You'll want to force replication to the other DCs at this point.) If not, go back to step 2, but connect to the DomainDnsZones partition this time.
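The same lookup that the accepted solution performs by hand in ADSI Edit, scripted as an added example (not code from the thread): it searches CN=MicrosoftDNS in the ForestDnsZones and DomainDnsZones partitions for a dnsZone object with the stale name, prompts before deleting it, and then forces replication. It assumes the ActiveDirectory RSAT module and repadmin are available and that the account can delete objects under CN=MicrosoftDNS; the zone name is the one from the question.

```powershell
# Added example, not from the thread. Locate a stale AD-integrated DNS zone in the
# ForestDnsZones / DomainDnsZones application partitions and remove it with confirmation.
Import-Module ActiveDirectory

$ZoneName = '60.168.192.in-addr.arpa'   # zone named in the 4521 event

# ForestDnsZones lives under the forest root domain; DomainDnsZones under the current domain.
$ForestRootDN = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName
$DomainDN     = (Get-ADDomain).DistinguishedName

$Partitions = @(
    "DC=ForestDnsZones,$ForestRootDN",
    "DC=DomainDnsZones,$DomainDN"
)

$Found = $false
foreach ($Partition in $Partitions) {
    $SearchBase = "CN=MicrosoftDNS,$Partition"
    # dnsZone objects sit one level below CN=MicrosoftDNS; their dnsNode records are children.
    $Zone = Get-ADObject -SearchBase $SearchBase -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=dnsZone)(name=$ZoneName))" -ErrorAction SilentlyContinue

    if ($Zone) {
        $Found = $true
        Write-Host "Found $ZoneName in $Partition : $($Zone.DistinguishedName)"
        # -Recursive removes the zone's record objects too; -Confirm prompts before deleting.
        Remove-ADObject -Identity $Zone.DistinguishedName -Recursive -Confirm
    }
    else {
        Write-Host "$ZoneName not present in $Partition"
    }
}

if ($Found) {
    # Push the deletion to the other DCs instead of waiting for the replication schedule.
    repadmin /syncall /AdeP
}
```

Run it on a DC that hosts both partitions; if the zone is in neither, the remaining place to look is the domain partition itself (CN=MicrosoftDNS,CN=System,<domain DN>), which holds zones stored with the older Windows 2000 replication scope.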
Author Comment

by:jo80ge121
ID: 40004650
DrDave242: thank you. It was exactly what I was hoping for, since I've heard others talk about ADSIEDIT being the tool to fix it. Just going to wait a day to make sure I don't see any more errors.
Author Comment

by:jo80ge121
ID: 40005359
DrDave242: no need to wait a day. For the past month I've been seeing error 4521 almost every couple of minutes; now, not a peep from the event logger since I applied your suggestion. I'm confident this solved it. Thanks again.