Server 2012 BPA errors - DNS - DHCP - NTP

I see 3 BPA errors in Server 2012. This is a small domain with only one server so it's a DC, DNS & DHCP. Are these errors fixable. Should I be concerned on a small domain like this?

Error 2 - Since it's a one server domain I didn't add a 2nd entry for DNS. One article I read advised against adding the loopback address so this is considered unfixable, right? ON the other hand, this article supports using the loopback. Either way the BPA doesn't seem to be satisfied since the loopback was listed as 1st DNS prior to working on these BPA errors.

Error 3 - I added a user in the Administrator's group for DNS update but it didn't seem to make any difference. It already was using a user in the Administrator's group.

Error 1 - I setup NTP servers as per this video. The servers were set to reliable and show up in the query so not sure why that doesn't show on BPA. I also tried the old Microsoft Fix-it.

Error 1 - The PDC emulator master Server-xxx.xxxx.local in this forest should be configured to correctly synchronize time from a valid time source      

Error 2 - DNS: DNS servers on NIC1 should include the loopback address, but not as the first entry.      

Error 3 - DHCP: Credentials for DNS update should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server.      
LVL 30
Randy DownsOWNERAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Thomas GrassiSystems AdministratorCommented:
for Error1

run this

net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:”,,,”

w32tm /config /reliable:yes

net start w32time

w32tm /query /configuration

Error 2

Add to your network adapter properties for TCP/IPv4 DNS Servers make secondary address

Error 3 make sure dynamic DNS update is enabled
Will SzymkowskiSenior Solution ArchitectCommented:
The first error (error 2) if there is only 1 DC in this environment then all you need to do is point DNS to itself. You will also need to configure forwarders in the DNS console on this server. This is where you add public DNS IP's. Typically you would use your ISP Public DNS IP's.

Second error message can be ignored.

Third error message is stating that you need to configure your PDC holder (this DC) with an external time source. This should be done. Below is a link to configure this properly.

Also another good read regarding External Time source

Randy DownsOWNERAuthor Commented:
Thomas, I already ran that procedure FOR ntp (Error 1) & the query works fine. Still hasn't satisfied BPA:
C:\Windows\system32>w32tm /config /reliable:yes
The command completed successfully.

C:\Windows\system32>net start w32time
The Windows Time service is starting.
The Windows Time service was started successfully.

C:\Windows\system32>w32tm /query /configuration

Type: NTP (Local)
NtpServer:,,2.north-ame, (Local)

Error 2 is not resolved by adding loopback as secondary DNS.
error 3 Dynamic DNS is enabled in IPv4 DNS properties tab of DHCP
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Randy DownsOWNERAuthor Commented:
Will we are using on the router so I guess that would be a decent DNS forwarder. Should it be added as a conditional forwarder & stored in AD?

I setup a time source as per the Experts video but it didn't seem to matter. They were set as reliable & I can query & see them as shown above.
Thomas GrassiSystems AdministratorCommented:
Randy DownsOWNERAuthor Commented:
Thanks Thomas. the Powershell BPA cmdlets didn't run for me and but refreshing a role in the GUI did resolve 2 of my issues. I was trying to refresh from the local server pane and evidently that didn't work even after issues were resolved.

The only issue I see now is #2 & my guess is that it doesn't go away for a single server domain.

Error 2 - DNS: DNS servers on NIC1 should include the loopback address, but not as the first entry.      
Thomas GrassiSystems AdministratorCommented:

found this for you on the Error 2


Randy DownsOWNERAuthor Commented:
I have ipV4 setup correctly. Is it advisable to use a static ip for ipV6 on such a small domain?

I added current ipV6 (it's DHCP), & ipV6 loopback for DNS but it still doesn't' satisfy BPA.

Should I just ignore the error?
Thomas GrassiSystems AdministratorCommented:

I just tested on my 2012 R2 DC server
BPA from powershell worked just fine

open powershell as administror on server

this will list all roles installed

Id  : Microsoft/windows/dhcpserver
Company: Microsoft Corporation
Name: Microsoft DHCP Server Configuration  Analysis Model
Version :
LastScantime : Never
LastScanTimeUTcoffset :
SubModels :
Parameters :
Modeltype : singlemachine
supportedconfiguration :

Then run

at modelid:  
enter microsoft/windows/dnsserver


modelid :  microsoft/windows/dnsserver
submodelid :
success : true
scantime : 7/6/2014 4:58:00 PM
scantimeutcoffset : -4:00:00
Detail : (SERV011, SERV011)

then run


long list
Thomas GrassiSystems AdministratorCommented:

according to the article I found above

They said safe to ignore

But if your like me I like to resolve any error or warning condition.
Thomas GrassiSystems AdministratorCommented:

After running BPA on my Windows Server 2012 R2 DC I got the exact same error

I have two DC's both Windows 2012 R2 Standard DC's
Both point to each other for DNS as the second DNS server in the list
Each points to itself for DNS

I cleared it by selecting exclude from results in the Server manger panel

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Randy DownsOWNERAuthor Commented:
The cmdlet you suggested works fine. The one in the BPA article you suggested did not (i.e., I get lots of warnings).

Get-BPAModel | Invoke-BPAModel
"WARNING: The EngineReport.xml & Result.xml files were not generated successfully..."

Yes I would like to resolve the DNS error but I don't see a solution with a single server.
Randy DownsOWNERAuthor Commented:
OK that works for me. I excluded it from my results too. If you can't get it to clear with 2 DCs there's no chance I am clearing it with one. Perhaps it works if you have DNS servers that don't reside on DCs.
Randy DownsOWNERAuthor Commented:
Thanks for all the help. It's too bad that one warning has to be hidden to make the BPA panel show as all green,
Thomas GrassiSystems AdministratorCommented:

yes it is

did you have any warnings in the bparesults for DNS?

I found a couple in mine rooting thru them now.
Randy DownsOWNERAuthor Commented:
No mine just comes back with success: true
Thomas GrassiSystems AdministratorCommented:

Glad to hear it is clear

glad to help too.

If you get a chance can you take a look at my issue

You responded to it earlier today.

Randy DownsOWNERAuthor Commented:
Will do Thomas
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.