Solved

DNS zone is missing. EVENT ID 4004, 4015, 4000

Posted on 2015-01-05
Last Modified: 2015-01-20
Hello,

Came into the office this morning, and found that most of our staff could not connect to the internet. Checked our office DC (dns server) and the entire forward lookup zone is missing, no sub folders, nothing. Like it was never there. We have a wan connection to a data center and the DC (dns server) there is still intact, no issues. The event log shows that the problem started a few days ago, beginning with event ID 4015, 'The DNS Server has encountered a critical error from AD'. Then 4004 immediately after. Now all of the events show 4000.

We have one domain controller here at the office where the issue is occurring, and the other is at the data center. Both are PDC's. The data center DC is integrated.

I'm not really sure what to do. I see a lot of different 'fixes' for similar problems, but knowing how detrimental changes can be to a DNS zone, I'm hoping I can gain better knowledge here of what I should do. I was thinking of just creating a new DNS zone and to replicate from working DC at the data center, but I don't think it's as easy as that.

*Also, AD appears to be working fine. I can pull up users and objects as normal from the office DC, but the DNS zone is missing. I have made no network changes that I can think of prior to the problem starting.

Please, any immediate feedback would be appreciated. Currently, most of our staff are unable to work.

[Attachment: Screen-Shot-01-05-15-at-10.58-AM.PNG]
Question by: mangamonster
31 Comments
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40531750
Both are PDC's.

that is not possible; either one has the FSMO roles and the other doesn't or they are split between the two
a role can only be held by one domain controller

The data center DC is integrated.

does that mean the office domain controller does not have integrated zones?
how was it configured?  secondary pulling from the data center?

why not have the office domain controller use integrated zones?
 

Author Comment

by:mangamonster
ID: 40531759
The office and data center are different networks, the office on 10.14.x.x and the data center on 10.15.x.x. One DC for each, and both are DNS servers. I can't recall how the office DNS server was set up, but I'm assuming it was integrated. The WAN is set up so that both servers replicate from one another.
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40531779
the fact they are on different IP networks is irrelevant; i would have expected that being geographically dispersed
it's almost as if the DNS zones on the second server were configured as secondary to pull from the datacenter
one way to verify is to go to the datacenter domain controller and see if the DNS zones have zone transfer enabled
 

Author Comment

by:mangamonster
ID: 40531786
Thanks for the quick follow up. No, the datacenter DC does not have zone transfer enabled.
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40531801
so i assume all systems in the office point to CRX for DNS?  what is CRX pointing to?
what does dcdiag show?
 

Author Comment

by:mangamonster
ID: 40531808
Yes, the default dns server for all machines at the office is CRX. CRX is pointed to itself. Secondary is the datacenter DNS. Should I allow Zone transfers on the datacenter DC and point it only to the name servers?
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40531829
if there were no zone transfers from the other and crx was supposed to be integrated, should figure out what broke which is why i was suggesting looking at dcdiag output for any communication issues between the 2 servers
something happened with crx and need to determine root cause

another thing to check is, if you have administrative tools installed on another system, connect to dns from there or from the other domain controller and see if you see the same thing
 

Author Comment

by:mangamonster
ID: 40531849
Sorry about that. Meant to post it with my last msg.

C:\Documents and Settings\dzamora>dcdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\CRX
      Starting test: Connectivity
         The host 8cf9f638-b495-4411-ae6b-d8a05871261a._msdcs.domainname.com could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (8cf9f638-b495-4411-ae6b-d8a05871261a._msdcs.domainname.com) couldn't
         be resolved, the server name (CRX.domainname.com) resolved to the IP
         address (10.14.0.2) and was pingable.  Check that the IP address is
         registered correctly with the DNS server.
         ......................... CRX failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\CRX
      Skipping all tests, because server CRX is
      not responding to directory service requests

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : domainname
      Starting test: CrossRefValidation
         ......................... domainname passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... domainname passed test CheckSDRefDom

   Running enterprise tests on : domainname.com
      Starting test: Intersite
         ......................... domainname.com passed test Intersite
      Starting test: FsmoCheck
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         ......................... domainname.com failed test FsmoCheck
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40531862
if you open AD users and computers from crx, is it connected to crx or the datacenter domain controller?
what does netdom query fsmo show from both servers?
is crx still a domain controller?
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40531875
Does this DC at your office hold the PDC role? What I would recommend is running the following commands...

repadmin /replsum
netdom query fsmo (make sure that all of the DC's with the corresponding FSMO roles are shown properly)
Dcdiag /v

Also, on the other DC's that are working, what do you see in the Name Servers tab in DNS?

What is the exact error message you received on the DC that does not have DNS registered, and is the DNS service running?

Also, based on your output for Dcdiag, a PDC role holder cannot be contacted. If you cannot get the DC holding this role up in a timely manner, I would suggest seizing the PDC and any other roles that server holds to a working DC. The longer you go with your PDC offline, the more issues you are going to experience.

Will.
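An added example, not code posted in this thread: a PowerShell script that runs the three checks Will lists in one pass, pulls the DNS Server events the question describes (4015, then 4004 and 4000), and tests the one thing the posted dcdiag output actually flags, the DSA GUID CNAME under _msdcs. It assumes an elevated PowerShell 2.0 or later session on the affected DC (CRX in this thread) with repadmin.exe, netdom.exe and dcdiag.exe on the PATH; the report path and the 14-day window are my own choices.

```powershell
# Added example, not from the thread. Run on the DC whose AD-integrated zone is
# missing. Assumes PowerShell 2.0+ and the AD support tools on the PATH.
$report = Join-Path $env:TEMP ('dc-health-{0}.txt' -f (Get-Date -Format 'yyyyMMdd-HHmm'))
$lines  = @()

function Invoke-Check {
    param([string]$Title, [string]$Command)
    # cmd /c keeps stderr (where these tools print warnings) in the captured text
    $body = cmd /c "$Command 2>&1"
    return @("==== $Title ====") + @($body) + @('')
}

$lines += Invoke-Check 'Replication summary' 'repadmin /replsum'
$lines += Invoke-Check 'FSMO role holders'   'netdom query fsmo'
$lines += Invoke-Check 'dcdiag /v'           'dcdiag /v'
# The plain dcdiag posted in the thread skipped the DNS tests; run them explicitly.
$lines += Invoke-Check 'dcdiag DNS tests'    'dcdiag /test:dns /v'

# Event sequence from the question: 4015 (critical error from AD) first, then
# 4004/4000 (zone enumeration failed). The timestamps show when AD access broke.
$lines += '==== DNS Server log: 4000/4004/4015, last 14 days ===='
$events = Get-EventLog -LogName 'DNS Server' -After (Get-Date).AddDays(-14) |
          Where-Object { 4000, 4004, 4015 -contains $_.EventID } |
          Sort-Object TimeGenerated
foreach ($e in $events) {
    $msg = ($e.Message -replace '\s+', ' ')
    if ($msg.Length -gt 120) { $msg = $msg.Substring(0, 120) + '...' }
    $lines += '{0:u}  {1}  {2}' -f $e.TimeGenerated, $e.EventID, $msg
}
$lines += ''

# dcdiag's Connectivity test resolves <DSA-GUID>._msdcs.<forest root>; if that
# CNAME is absent from DNS, replication partners cannot locate this DC.
$rootDse = [ADSI]'LDAP://RootDSE'
$dsa     = [ADSI]"LDAP://$($rootDse.dsServiceName)"
$forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Name
$cname   = '{0}._msdcs.{1}' -f $dsa.Guid, $forest
$lines += "==== DSA GUID CNAME: $cname ===="
try {
    $addr = [System.Net.Dns]::GetHostAddresses($cname) | ForEach-Object { $_.IPAddressToString }
    $lines += "resolves to: $($addr -join ', ')"
} catch {
    $lines += "FAILED to resolve (matches the dcdiag Connectivity failure): $($_.Exception.Message)"
}

$lines | Out-File -FilePath $report -Encoding UTF8
Write-Host "Report written to $report"
```

Reading the report top to bottom gives you the same picture the thread had to assemble across several posts: whether replication is reaching the other DC, where the roles really sit, and the first 4015 timestamp, which is the point to correlate with any change on the box.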
 

Author Comment

by:mangamonster
ID: 40531878
It's connected to CRX. CRX is still showing itself as a domain controller role in AD.

These are the query results from both servers:


Schema owner                datacenter.completerx.com

Domain role owner           datacenter.completerx.com

PDC role                    datacenter.completerx.com

RID pool manager            datacenter.completerx.com

Infrastructure owner        datacenter.completerx.com

The command completed successfully.
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40531901
can you ping the datacenter domain controller from crx?
and (probably should have asked this before) what has changed?  when was it last working?
all the fsmo roles are on the datacenter server so that's ok
 
LVL 34

Accepted Solution

by: Seth Simmons (earned 500 total points)
ID: 40531905
i would also be inclined to demote crx, change the dns server to point to the datacenter server then promote again
that could very well fix this instead of trying to figure out what happened - especially if you have people that can't work
 

Author Comment

by:mangamonster
ID: 40531927
Does this DC at your office hold the PDC role? What I would recommend is running the following commands...
PDC is datacenter, which appears to be working fine



repadmin /replsum
Replication Summary Start Time: 2015-01-05 12:22:10

Beginning data collection for replication summary, this may take awhile:
  ......


Source DC           largest delta  fails/total  %%  error


Destination DC    largest delta    fails/total  %%  error
Assertion

Experienced the following operational errors trying to retrieve replication information:
          58 - datacenter.domain.com




netdom query fsmo (make sure that all of the DC's with the corresponding FSMO roles are shown properly)
Schema owner                datacenter.domain.com

Domain role owner           datacenter.domain.com

PDC role                    datacenter.domain.com

RID pool manager            datacenter.domain.com

Infrastructure owner        datacenter.domain.com

The command completed successfully.




Dcdiag /v
Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine CRX, is a DC.
   * Connecting to directory service on server CRX.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 3 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\CRX
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         The host 8cf9f638-b495-4411-ae6b-d8a05871261a._msdcs.domain.com could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (8cf9f638-b495-4411-ae6b-d8a05871261a._msdcs.domain.com) couldn't
         be resolved, the server name (CRX.domain.com) resolved to the IP
         address (10.14.0.2) and was pingable.  Check that the IP address is
         registered correctly with the DNS server.
         ......................... CRX failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\CRX
      Skipping all tests, because server CRX is
      not responding to directory service requests
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Test omitted by user request: OutboundSecureChannels
      Test omitted by user request: VerifyReplicas
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : domain
      Starting test: CrossRefValidation
         ......................... domain passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... domain passed test CheckSDRefDom

   Running enterprise tests on : domain.com
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         Skipping site COLO-SITE, this site is outside the scope provided by
         the command line arguments provided.
         ......................... domain.com passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\CRX.domain.com
         Locator Flags: 0xe00001bc
         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
         A Primary Domain Controller could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
         A Good Time Server could not be located.
         KDC Name: \\CRX.domain.com
         Locator Flags: 0xe00001bc
         ......................... domain.com failed test FsmoCheck
      Test omitted by user request: DNS
      Test omitted by user request: DNS




Also, on the other DC's that are working, what do you see in the Name Servers tab in DNS?
crx.domain.com
datacenter.domain.com


What is the exact error message you received on the DC that does not have DNS registered, and is the DNS service running?
Services are running
Here are the event IDs and errors:
4015 - The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.
4004 - The DNS server was unable to complete directory service enumeration of zone ..  This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.
4000 - The DNS server was unable to complete directory service enumeration of zone 0.16.172.in-addr.arpa.  This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it.  Check that the Active Directory is functioning properly and repeat enumeration of the zone. The extended error debug information (which may be empty) is "". The event data contains the error.
 

Author Comment

by:mangamonster
ID: 40531944
can you ping the datacenter domain controller from crx?
Yes, I can ping the IP fine

and (probably should have asked this before) what has changed?  when was it last working?
Nothing has changed that I can recall. I rebooted CRX a week or two ago because I noticed it was not updating DNS entries. It seemed to do the trick, until this past Friday when the problems began.
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40531982
As I have stated in my first post, if the PDC is down for more than a few hours you are going to start to run into issues. Your best bet would be to transfer/seize the FSMO roles to another DC using ntdsutil and point your users to a remote DC until you have rebuilt a DC at the site.

Will.
 

Author Comment

by:mangamonster
ID: 40532079
The PDC isn't down. It's the datacenter server and it's running fine. The server that is having issues is crx. Both servers are global catalog.

Seth, do you still think demoting and promoting CRX should do the trick?  If so, is there anything I should consider before doing this? Since both are global catalog servers, I shouldn't have to do anything other than simply demoting/promoting?
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40532090
does crx have any other roles besides AD/DNS?
 

Author Comment

by:mangamonster
ID: 40532112
DHCP and that's it. I exported the IP pool list just in case I need to recreate it...
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40532123
dhcp would be fine since it isn't AD dependent at that level
should be fine demoting and promoting again
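An added example, not code from the thread, covering the question asked above ("is there anything I should consider before doing this?"): a pre-flight script for the demote-and-re-promote route Seth recommends. It checks the points raised in the thread, that no FSMO role sits on the DC being demoted (a role lives on exactly one DC), that another global catalog remains, that the surviving DC answers LDAP and DNS from here, and that the local NIC already uses the surviving DC for DNS, which Seth asks for before the second dcpromo. It assumes PowerShell 2.0 or later with the .NET 2.0 System.DirectoryServices.ActiveDirectory API on the DC to be demoted (CRX here); $survivingDc is a placeholder, since the thread's real names are redacted.

```powershell
# Added example, not from the thread. Run on the DC you intend to demote.
$survivingDc = 'datacenter.example.com'   # placeholder for the DC that keeps the domain up
$local    = $env:COMPUTERNAME
$problems = @()

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = $domain.Forest

# 1. No FSMO role may be held by the DC you are about to demote.
$roles = @{
    'Schema'         = $forest.SchemaRoleOwner.Name
    'DomainNaming'   = $forest.NamingRoleOwner.Name
    'PDC'            = $domain.PdcRoleOwner.Name
    'RID'            = $domain.RidRoleOwner.Name
    'Infrastructure' = $domain.InfrastructureRoleOwner.Name
}
foreach ($role in $roles.Keys) {
    Write-Host ('{0,-15} {1}' -f $role, $roles[$role])
    if ($roles[$role] -like "$local.*") {
        $problems += "FSMO role $role is held by $local; transfer it before demoting"
    }
}

# 2. Another global catalog must remain (both DCs are GCs in this thread).
$otherGcs = @($domain.DomainControllers |
              Where-Object { $_.Name -notlike "$local.*" -and $_.IsGlobalCatalog() })
if ($otherGcs.Count -eq 0) { $problems += 'No other global catalog would remain in the domain' }

# 3. The surviving DC must answer LDAP (389) and DNS (53/tcp) from this host.
function Test-TcpPort {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($HostName, $Port); return $true }
    catch { return $false }
    finally { $client.Close() }
}
foreach ($port in 389, 53) {
    if (-not (Test-TcpPort $survivingDc $port)) {
        $problems += "$survivingDc does not answer on TCP $port"
    }
}

# 4. This box's NIC must use the surviving DC for DNS, not itself, otherwise
#    dcpromo queries the broken zone again.
$survivorIps = [System.Net.Dns]::GetHostAddresses($survivingDc) | ForEach-Object { $_.IPAddressToString }
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $nics) {
    $dns = @($nic.DNSServerSearchOrder)
    Write-Host ('NIC {0}: DNS = {1}' -f $nic.Description, ($dns -join ', '))
    if ($dns.Count -eq 0 -or -not ($survivorIps -contains $dns[0])) {
        $problems += "Primary DNS on '$($nic.Description)' is not $survivingDc; set it before running dcpromo"
    }
}

# 5. Summary; a non-zero exit lets this gate a scripted change window.
if ($problems.Count -eq 0) {
    Write-Host 'All pre-demotion checks passed.' -ForegroundColor Green
    exit 0
}
$problems | ForEach-Object { Write-Host "PROBLEM: $_" -ForegroundColor Red }
exit 1
```

Check 4 is the one most often skipped: in the thread CRX pointed to itself for DNS with the datacenter as secondary, so a client on the box (dcpromo included) keeps asking the server whose zone is gone.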
 

Author Comment

by:mangamonster
ID: 40532126
Thanks, Seth. Here goes nothin! :)
 

Author Comment

by:mangamonster
ID: 40532354
Seth, I was going to remove the CRX metadata before promoting again. Is this needed? I am at the very end of the ntdsutil remove server command, but noticed that the dialogue mentions the server should be offline. A little confused.

[Attachment: Screen-Shot-01-05-15-at-03.41-PM.PNG]
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40532358
did you do dcpromo first on crx?
 

Author Comment

by:mangamonster
ID: 40532361
Yup, I sure did. It's a standard server now.
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40532370
then there is no need to do metadata cleanup; that is only for manually removing a dead server
run dcpromo again (make sure it points to the datacenter server for DNS) and make it a domain controller
 

Author Comment

by:mangamonster
ID: 40532462
Hmm, so I'm at the last part of the DCPROMO wizard and then I get this error when trying to promote it:

---------------------------
Error Joining Domain
---------------------------
The operation failed because:



The attempt to join this computer to the domain.com domain failed.



"The specified user already exists."
---------------------------
OK  
---------------------------


Is it because CRX is still being seen as a DC? Should I clean up metadata to resolve this?
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40532574
did you remove the computer from the domain also?
 

Author Comment

by:mangamonster
ID: 40532581
once I completed dcpromo it was no longer on the domain.
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40532695
when you run dcpromo, it is supposed to be a member server; didn't it say that in the last step?
on the datacenter server, do metadata cleanup for crx and delete the computer account

Clean up server metadata
http://technet.microsoft.com/en-us/library/cc736378(WS.10).aspx

that apparently seems to be the issue

Installing Active Directory Domain Services Fails with Error "The specified user already exists."
http://support2.microsoft.com/kb/2000622/en-us
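An added example, not code from the thread: a PowerShell script to run on the surviving DC (the datacenter server here) after dcpromo has removed the other DC, to see whether the objects that produce "The specified user already exists" are still in the directory, and so whether the metadata cleanup and computer-account deletion Seth describes are still needed. It looks for the old server object and its NTDS Settings child under CN=Sites, and for the computer account with the DC flag (userAccountControl bit 0x2000, SERVER_TRUST_ACCOUNT) still set. It assumes PowerShell 2.0 or later with .NET System.DirectoryServices; $oldDc is the short name of the demoted server, taken from the thread.

```powershell
# Added example, not from the thread. Run on the surviving DC; it only reads AD.
$oldDc = 'CRX'   # short name of the demoted DC, as in the thread

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.configurationNamingContext
$domainNc = $rootDse.defaultNamingContext

function Find-Dn {
    param([string]$BaseDn, [string]$Filter)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$BaseDn"
    $searcher.Filter     = $Filter
    $searcher.PageSize   = 500
    foreach ($result in $searcher.FindAll()) { $result.Properties['distinguishedname'][0] }
}

$leftovers = @()

# A. A server object under CN=Sites that still has an NTDS Settings child means
#    AD still treats the box as a DC; this is what the metadata cleanup removes.
foreach ($serverDn in Find-Dn $configNc "(&(objectClass=server)(cn=$oldDc))") {
    $ntdsPath = "LDAP://CN=NTDS Settings,$serverDn"
    $hasNtds  = [System.DirectoryServices.DirectoryEntry]::Exists($ntdsPath)
    Write-Host ('server object: {0}  NTDS Settings present: {1}' -f $serverDn, $hasNtds)
    if ($hasNtds) { $leftovers += "NTDS Settings still present under $serverDn" }
}

# B. The computer account. Bit 0x2000 in userAccountControl marks a DC account;
#    dcpromo will not reuse an existing account, hence the error in the thread.
foreach ($computerDn in Find-Dn $domainNc "(&(objectClass=computer)(cn=$oldDc))") {
    $computer = [ADSI]"LDAP://$computerDn"
    $uac      = [int]$computer.userAccountControl.Value
    $isDcAcct = ($uac -band 0x2000) -ne 0
    Write-Host ('computer account: {0}  userAccountControl=0x{1:X}  DC-flagged: {2}' -f $computerDn, $uac, $isDcAcct)
    $leftovers += "computer account $computerDn still exists (delete it before re-promoting)"
}

# C. Summary.
if ($leftovers.Count -eq 0) {
    Write-Host "No leftover objects for $oldDc; dcpromo can be run again."
} else {
    $leftovers | ForEach-Object { Write-Host "LEFTOVER: $_" }
    Write-Host "Run metadata cleanup on this DC and delete the account before promoting $oldDc again."
}
```

The script changes nothing; it tells you which of the two cleanup steps from Seth's reply still applies. Re-run it after the cleanup and expect both searches to come back empty before starting dcpromo.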
 
LVL 3

Expert Comment

by:v_2abhis2
ID: 40534554
Hi,

Could you please upload the DCPROMOUI.log and DCPROMO.log files from the following location: c:\windows\debug. Logs are the first place to check for issues on the server.




Note: If you have issues with DNS, fix DNS. Don't demote/promote domain controller(s).

Thanks
V_2abhis2
 

Author Closing Comment

by:mangamonster
ID: 40560763
Thanks, Seth! That did the trick in spades. Everything is back in order. -Dave