DNS server was unable to open Active Directory - Event ID 4000

Posted on 2014-10-03
Last Modified: 2016-10-15
Server 2012 R2 - Single DC in Windows Domain

This morning after an after-hours server reboot (power outage - the single domain DC is on a very good UPS and the restart appears to have been flawless) our DNS Server service would not start. A network admin removed, then re-installed the DNS Role.

Now DNS queries by domain PCs and over the WiFi VLAN are able to resolve using the domain DNS. Everyone can log on to the domain now, and everyone has Internet access. Ping to the FQDN of the server (DC) results in the correct LAN IP.

Event Viewer still shows - DNS Server, Event ID 4000, connect to Active Directory

Log Name:      DNS Server
Source:        Microsoft-Windows-DNS-Server-Service
Date:          10/3/2014 9:34:42 AM
Event ID:      4000
Task Category: None
Level:         Error
Keywords:      (65536)
User:          SYSTEM
Computer:      Server1.ourdomain.local

Description:
The DNS server was unable to open Active Directory.  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DNS-Server-Service" Guid="{71A551F5-C893-4849-886B-B5EC8502641E}" />
    <EventID>4000</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000010000</Keywords>
    <TimeCreated SystemTime="2014-10-03T14:34:42.443059900Z" />
    <EventRecordID>9619</EventRecordID>
    <Correlation />
    <Execution ProcessID="2888" ThreadID="7808" />
    <Channel>DNS Server</Channel>
    <Computer>Server1.ourdomain.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="DNS_EVENT_DS_OPEN_FAILED">
    <Binary>2D230000</Binary>
  </EventData>
</Event>


Event Viewer logs for Active Directory list many Event ID 1202 instances


Log Name:      Active Directory Web Services
Source:        ADWS
Date:          10/3/2014 9:22:49 AM
Event ID:      1202
Task Category: ADWS Instance Events
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Server1.ourdomainsa.local
Description:
This computer is now hosting the specified directory instance, but Active Directory Web Services could not service it. Active Directory Web Services will retry this operation periodically.
 
 Directory instance: NTDS
 Directory instance LDAP port: 389
 Directory instance SSL port: 636
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ADWS" />
    <EventID Qualifiers="49152">1202</EventID>
    <Level>2</Level>
    <Task>3</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-03T14:22:49.000000000Z" />
    <EventRecordID>1498</EventRecordID>
    <Channel>Active Directory Web Services</Channel>
    <Computer>Server1.ourdomain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>NTDS</Data>
    <Data>389</Data>
    <Data>636</Data>
  </EventData>
</Event>



Attempting to open the DNS Role from the Server Manager console results in the error message:

"The server SERVER1 could not be contacted.
The error was:
Access was denied.

Would you like to add it anyway?"

Clicking "Yes" results in the following error:

"The server SERVER1.ourdomain.local could not be contacted.
The error was:
Access was denied.

Would you like to add it anyway?"

Then the DNS Manager will open, but the DNS servers listed have red error signs over them and all that is available from the context menus of each is to stop and start the service.

RESULTING PROBLEMS ON LAN: Users connecting to the file server using FQDN ( \\server1\ ) are now queried for user name/password authentication and all credentials FAIL - even the default domain admin's.

Same results if users connect to the file server by IP ( \\192.168.xxx.xxx\ ): they are asked for domain credentials and are told they do not have permission to access.

Connection to the NAS by FQDN results in a connection, but it requests domain credentials, which all FAIL.

Obviously this is due to the DNS Server service and Active Directory not communicating at all.

Anyone been through this or know the solution to the Event ID 4000?

No one on the network can connect to any share on the server or the NAS.
The DNS Server cannot connect to AD. We cannot access the DNS Server from the DC it is hosted on.
 
Anyone? Anyone?

Thanks,
-MP
Question by:mojopojo

Author Comment

by:mojopojo
ID: 40359734
Update: Apparently the DC is also having issues with its own FSMO roles. The event viewer now shows the following issue while trying to access the Global Catalog:

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          10/3/2014 10:22:26 AM
Event ID:      1126
Task Category: Global Catalog
Level:         Error
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      Server1.ourdomain.local

Description:
Active Directory Domain Services was unable to establish a connection with the global catalog.
 
Additional Data
Error value:
8430 The directory service encountered an internal failure.
Internal ID:
320134b
 
User Action:
Make sure a global catalog is available in the forest, and is reachable from this domain controller. You may use the nltest utility to diagnose this problem.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
    <EventID Qualifiers="49152">1126</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>18</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-03T15:22:26.734101100Z" />
    <EventRecordID>1023</EventRecordID>
    <Correlation />
    <Execution ProcessID="856" ThreadID="560" />
    <Channel>Directory Service</Channel>
    <Computer>Server1.ourdomain.local</Computer>
    <Security UserID="S-1-5-7" />
  </System>
  <EventData>
    <Data>320134b</Data>
    <Data>8430</Data>
    <Data>The directory service encountered an internal failure.</Data>
  </EventData>
</Event>

Curiouser and curiouser...

Anyone have a reason or resolution for this?

Author Comment

by:mojopojo
ID: 40359817
DCDIAG run results not exactly what I expected...

C:\>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = Server1
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SERVER1
      Starting test: Connectivity
         The host 112a3627-3c08-4777-828e-4cd58bff6a1e._msdcs.ourdomain.local
         could not be resolved to an IP address. Check the DNS server, DHCP,
         server name, etc.
         Got error while checking LDAP and RPC connectivity. Please check your
         firewall settings.
         ......................... SERVER1 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SERVER1
      Skipping all tests, because server SERVER1 is not responding to directory
      service requests.


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : ourdomain
      Starting test: CheckSDRefDom
         ......................... ourdomain passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ourdomain passed test CrossRefValidation

   Running enterprise tests on : ourdomain.local
      Starting test: LocatorCheck
         ......................... ourdomain.local passed test LocatorCheck
      Starting test: Intersite
         ......................... ourdomain.local passed test Intersite

C:\>

Author Comment

by:mojopojo
ID: 40359851
After running DCDIAG /FIX then /TEST:DNS, the results clearly show an LDAP issue...


C:\>dcdiag /test:NDS
Test not found. Please re-enter a valid test name.

C:\>
C:\>dcdiag /test:DNS

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = Server1
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\SERVER1
      Starting test: Connectivity
         The host 112a3627-3c08-4777-828e-4cd58bff6a1e._msdcs.ourdomain.local
         could not be resolved to an IP address. Check the DNS server, DHCP,
         server name, etc.
         Got error while checking LDAP and RPC connectivity. Please check your
         firewall settings.
         ......................... SERVER1 failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SERVER1

      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... SERVER1 failed test DNS

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : ourdomain

   Running enterprise tests on : ourdomain.local
      Starting test: DNS
         Test results for domain controllers:

            DC: Server1.ourdomain.local
            Domain: ourdomain.local


               TEST: Basic (Basc)
                  Error: No LDAP connectivity
                  Warning: adapter
                  [00000010] Broadcom NetXtreme Gigabit Ethernet has invalid
                  DNS server: 127.0.0.1 (SERVER1)
                  Error: all DNS servers are invalid
                  No host records (A or AAAA) were found for this DC
                  Warning: no DNS RPC connectivity (error or non Microsoft DNS server is running)

         Summary of test results for DNS servers used by the above domain
         controllers:

            DNS server: 192.168.70.101 (SERVER1)
               1 test failure on this DNS server
               Name resolution is not functional. _ldap._tcp.ourdomain.local. failed on the DNS server 192.168.70.101

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: ourdomain.local
               Server1                      PASS FAIL n/a  n/a  n/a  n/a  n/a

         ......................... ourdomain.local failed test DNS

Accepted Solution

by:
mojopojo earned 0 total points
ID: 40366615
Solved by the following process:

1. Checked current FSMO role owner with command "netdom query fsmo"
2. Checked number of DCs in domain with command "netdom query dc"
3. Checked the currently logged on user with command "set u"
4. Checked the current logon server with command "set l"
5. Checked hostname with command "hostname"
6. Checked if the netlogon and sysvol are shared or not using command "net share" and found them to be shared
7. Opened "dsa.msc" snap-in; was able to open
8. Ran command "dcdiag /q" and did not find any error
9. We corrected the provider and binding order using the following steps: ncpa.cpl > selected NIC card > clicked Advanced option on menu bar > Advanced Settings > Provider Order > placed active NIC card at top in provider order; we moved all Microsoft services to the top
10. We were getting event id 4000, hence we changed the DNS pointing to itself
11. We were getting error "target principal name is incorrect" while replicating, hence we ran: net stop kdc > klist purge > net stop kdc > klist purge > netdom resetpwd /s:server1 /ud: EMSUR-USA\administrator /pd:* > net start kdc
12. We reregistered GUIDs using the following steps: start > config > renamed netlogon.dns to .old > renamed netlogon.dnb to .old > net stop dns & net stop netlogon & ipconfig /flushdns & net start dns & net start netlogon & ipconfig /registerdns
13. We checked for duplicate SPNs using command "setspn -x"; did not find any
14. We ran command "dsquery * forestroot -gc -attr distinguishedName -scope subtree -limit 0 -filter "(|(cn=*\0ACNF:*)(ou=*\0ACNF:*))" "; did not find any conflicting objects
15. You had only one DC in the domain, so we went to dnsmgmt.msc and made the DNS zones standard primary
16. We experienced the issue with the global catalog, so we referred to article http://support2.microsoft.com/kb/910204 and created the following keys: HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Global Catalog Delay Advertisement (sec) = 30 and HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Global Catalog Partition Occupancy = 0
17. Checked the replication summary using command "repadmin /replsum"
18. Pushed the replication using command "repadmin /syncall /AdePq"
19. Pulled the replication using command "repadmin /syncall"
20. Found it to be working fine
21. Tried to open dsa.msc snap-in; was able to open
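The following is an added example, not code from the thread, from the poster or from Microsoft. It is a read-only PowerShell health check that reproduces, in one place, what the dcdiag /test:DNS output above was looking for (the DSA GUID CNAME under _msdcs, the _ldap._tcp SRV record, the DC's own A record, DNS RPC reachability) together with the state checked in steps 6, 10, 13, 15 and 16 of the accepted solution. It deliberately binds with ADSI over LDAP instead of the ActiveDirectory module: the ADWS Event ID 1202 logged on this server means Get-AD* cmdlets would fail even though LDAP on 389 is answering. Assumptions: a single DC that is also its own DNS server, $DnsServer = 127.0.0.1 and the report path are made up for the example, and "Global Catalog Promotion Complete" is a standard NTDS value that the thread itself does not mention. The script changes nothing; it only reports.

```powershell
# Added example (not from the thread or from Microsoft): read-only checks mirroring the
# dcdiag findings and the accepted solution's steps. Run in an elevated PowerShell on the DC.
# ADSI/LDAP is used instead of the ActiveDirectory module because ADWS (Event ID 1202) was
# not servicing the NTDS instance on this server. $DnsServer and $ReportPath are assumptions.

$DnsServer  = '127.0.0.1'                                   # assumed: DC resolves against itself
$ReportPath = Join-Path $env:TEMP 'dc-health-findings.txt'  # assumed output location
$findings   = New-Object System.Collections.Generic.List[string]

function Add-Finding([string]$Text) { $findings.Add($Text); Write-Host $Text }

# 1. RootDSE over LDAP: proves the directory answers and yields this DC's NTDS Settings DN.
try {
    $rootDse    = [ADSI]'LDAP://RootDSE'
    $ntdsDn     = "$($rootDse.dsServiceName)"
    $forestName = "$($rootDse.rootDomainNamingContext)" -replace '^DC=', '' -replace ',DC=', '.'
    $domainName = "$($rootDse.defaultNamingContext)"    -replace '^DC=', '' -replace ',DC=', '.'
    $hostName   = "$($rootDse.dnsHostName)"
    # The DSA GUID is the objectGUID of the NTDS Settings object. dcdiag's Connectivity test
    # resolves <DSA GUID>._msdcs.<forest>, which is the exact name that failed in the thread.
    $dsaGuid    = ([ADSI]"LDAP://$ntdsDn").Guid
    Add-Finding "OK   LDAP RootDSE reachable on $hostName; DSA GUID $dsaGuid"
} catch {
    Add-Finding "FAIL LDAP bind to RootDSE failed: $($_.Exception.Message)"
    $findings | Out-File $ReportPath
    return
}

# 2. The records dcdiag /test:DNS reported missing: DSA GUID CNAME, _ldap._tcp SRV, host A.
$records = @(
    @{ Type = 'CNAME'; Name = "$dsaGuid._msdcs.$forestName" },
    @{ Type = 'SRV';   Name = "_ldap._tcp.$domainName" },
    @{ Type = 'A';     Name = $hostName }
)
foreach ($rec in $records) {
    try {
        $answer  = Resolve-DnsName -Name $rec.Name -Type $rec.Type -Server $DnsServer -DnsOnly -ErrorAction Stop
        $targets = $answer | ForEach-Object { $_.NameHost; $_.NameTarget; $_.IPAddress } | Where-Object { $_ }
        Add-Finding ("OK   {0} {1} -> {2}" -f $rec.Type, $rec.Name, ($targets -join ', '))
    } catch {
        Add-Finding ("FAIL {0} {1} via {2}: {3}" -f $rec.Type, $rec.Name, $DnsServer, $_.Exception.Message)
    }
}

# 3. DNS client servers (step 10): on a single DC they should point at this DC itself.
$clientDns = Get-DnsClientServerAddress -AddressFamily IPv4 |
             Where-Object { $_.ServerAddresses } |
             ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique
Add-Finding ("INFO DNS client servers: {0}" -f ($clientDns -join ', '))

# 4. NETLOGON and SYSVOL shares (step 6); both missing means Netlogon never finished starting.
foreach ($share in 'NETLOGON', 'SYSVOL') {
    if (Get-SmbShare -Name $share -ErrorAction SilentlyContinue) { Add-Finding "OK   share $share present" }
    else { Add-Finding "FAIL share $share missing" }
}

# 5. Global Catalog advertisement values (step 16, KB 910204 cited in the solution).
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ntds    = Get-ItemProperty -Path $ntdsKey -ErrorAction SilentlyContinue
foreach ($name in 'Global Catalog Promotion Complete',
                  'Global Catalog Delay Advertisement (sec)',
                  'Global Catalog Partition Occupancy') {
    Add-Finding ("INFO {0} = {1}" -f $name, $ntds.$name)
}

# 6. Zone storage (Event ID 4000 / step 15): an AD-integrated zone cannot load until the
#    directory is up, which is the circular dependency the thread ran into.
try {
    Get-DnsServerZone -ErrorAction Stop | Where-Object { -not $_.IsAutoCreated } | ForEach-Object {
        Add-Finding ("INFO zone {0}: ZoneType={1} IsDsIntegrated={2}" -f $_.ZoneName, $_.ZoneType, $_.IsDsIntegrated)
    }
} catch {
    Add-Finding "FAIL DNS Server query failed (compare dcdiag 'no DNS RPC connectivity'): $($_.Exception.Message)"
}

# 7. Duplicate SPNs (step 13); setspn -X lists any duplicates it finds in the forest.
$spnOutput = & setspn.exe -X 2>&1
Add-Finding ("INFO setspn -X: {0}" -f ($spnOutput -join ' | '))

$findings | Out-File $ReportPath
Write-Host "Findings written to $ReportPath; $(@($findings | Where-Object { $_ -like 'FAIL*' }).Count) FAIL line(s)."
```

Read the FAIL lines top down: a failed RootDSE bind means the directory itself is not answering and nothing DNS-side can be fixed yet; a resolvable host A record alongside an unresolvable DSA GUID CNAME is the pattern from the dcdiag output above, and points at the _msdcs records that step 12 (netlogon.dns/.dnb rename plus ipconfig /registerdns) re-registered.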

Expert Comment

by:Adam Sutton
ID: 41845089
Thank you.  That solution worked for us also.