Server 2012 BPA errors - DNS - DHCP - NTP

Randy Downs
Randy Downs used Ask the Experts™
I see 3 BPA errors in Server 2012. This is a small domain with only one server so it's a DC, DNS & DHCP. Are these errors fixable. Should I be concerned on a small domain like this?

Error 2 - Since it's a one server domain I didn't add a 2nd entry for DNS. One article I read advised against adding the loopback address so this is considered unfixable, right? ON the other hand, this article supports using the loopback. Either way the BPA doesn't seem to be satisfied since the loopback was listed as 1st DNS prior to working on these BPA errors.

Error 3 - I added a user in the Administrator's group for DNS update but it didn't seem to make any difference. It already was using a user in the Administrator's group.

Error 1 - I setup NTP servers as per this video. The servers were set to reliable and show up in the query so not sure why that doesn't show on BPA. I also tried the old Microsoft Fix-it.

Error 1 - The PDC emulator master Server-xxx.xxxx.local in this forest should be configured to correctly synchronize time from a valid time source      

Error 2 - DNS: DNS servers on NIC1 should include the loopback address, but not as the first entry.      

Error 3 - DHCP: Credentials for DNS update should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server.      
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Thomas GrassiSystems Administrator
for Error1

run this

net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:”,,,”

w32tm /config /reliable:yes

net start w32time

w32tm /query /configuration

Error 2

Add to your network adapter properties for TCP/IPv4 DNS Servers make secondary address

Error 3 make sure dynamic DNS update is enabled
Will SzymkowskiSenior Solution Architect
Most Valuable Expert 2015
Top Expert 2015
The first error (error 2) if there is only 1 DC in this environment then all you need to do is point DNS to itself. You will also need to configure forwarders in the DNS console on this server. This is where you add public DNS IP's. Typically you would use your ISP Public DNS IP's.

Second error message can be ignored.

Third error message is stating that you need to configure your PDC holder (this DC) with an external time source. This should be done. Below is a link to configure this properly.

Also another good read regarding External Time source



Thomas, I already ran that procedure FOR ntp (Error 1) & the query works fine. Still hasn't satisfied BPA:
C:\Windows\system32>w32tm /config /reliable:yes
The command completed successfully.

C:\Windows\system32>net start w32time
The Windows Time service is starting.
The Windows Time service was started successfully.

C:\Windows\system32>w32tm /query /configuration

Type: NTP (Local)
NtpServer:,,2.north-ame, (Local)

Error 2 is not resolved by adding loopback as secondary DNS.
error 3 Dynamic DNS is enabled in IPv4 DNS properties tab of DHCP
Introduction to R

R is considered the predominant language for data scientist and statisticians. Learn how to use R for your own data science projects.


Will we are using on the router so I guess that would be a decent DNS forwarder. Should it be added as a conditional forwarder & stored in AD?

I setup a time source as per the Experts video but it didn't seem to matter. They were set as reliable & I can query & see them as shown above.
Thomas GrassiSystems Administrator


Thanks Thomas. the Powershell BPA cmdlets didn't run for me and but refreshing a role in the GUI did resolve 2 of my issues. I was trying to refresh from the local server pane and evidently that didn't work even after issues were resolved.

The only issue I see now is #2 & my guess is that it doesn't go away for a single server domain.

Error 2 - DNS: DNS servers on NIC1 should include the loopback address, but not as the first entry.      
Thomas GrassiSystems Administrator

found this for you on the Error 2




I have ipV4 setup correctly. Is it advisable to use a static ip for ipV6 on such a small domain?

I added current ipV6 (it's DHCP), & ipV6 loopback for DNS but it still doesn't' satisfy BPA.

Should I just ignore the error?
Thomas GrassiSystems Administrator

I just tested on my 2012 R2 DC server
BPA from powershell worked just fine

open powershell as administror on server

this will list all roles installed

Id  : Microsoft/windows/dhcpserver
Company: Microsoft Corporation
Name: Microsoft DHCP Server Configuration  Analysis Model
Version :
LastScantime : Never
LastScanTimeUTcoffset :
SubModels :
Parameters :
Modeltype : singlemachine
supportedconfiguration :

Then run

at modelid:  
enter microsoft/windows/dnsserver


modelid :  microsoft/windows/dnsserver
submodelid :
success : true
scantime : 7/6/2014 4:58:00 PM
scantimeutcoffset : -4:00:00
Detail : (SERV011, SERV011)

then run


long list
Thomas GrassiSystems Administrator

according to the article I found above

They said safe to ignore

But if your like me I like to resolve any error or warning condition.
Systems Administrator

After running BPA on my Windows Server 2012 R2 DC I got the exact same error

I have two DC's both Windows 2012 R2 Standard DC's
Both point to each other for DNS as the second DNS server in the list
Each points to itself for DNS

I cleared it by selecting exclude from results in the Server manger panel


The cmdlet you suggested works fine. The one in the BPA article you suggested did not (i.e., I get lots of warnings).

Get-BPAModel | Invoke-BPAModel
"WARNING: The EngineReport.xml & Result.xml files were not generated successfully..."

Yes I would like to resolve the DNS error but I don't see a solution with a single server.


OK that works for me. I excluded it from my results too. If you can't get it to clear with 2 DCs there's no chance I am clearing it with one. Perhaps it works if you have DNS servers that don't reside on DCs.


Thanks for all the help. It's too bad that one warning has to be hidden to make the BPA panel show as all green,
Thomas GrassiSystems Administrator


yes it is

did you have any warnings in the bparesults for DNS?

I found a couple in mine rooting thru them now.


No mine just comes back with success: true
Thomas GrassiSystems Administrator


Glad to hear it is clear

glad to help too.

If you get a chance can you take a look at my issue

You responded to it earlier today.



Will do Thomas

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial