The DNS server was unable to open Active Directory windows 2008r2

[petergriffin]

Sponsored Links

Hi, I have a windows 2008r2 enviornment that has 4 domain controllers. Two are onsite here and 2 are about 4 miles away. This has worked with no issue for the past year. Last week I started noticing some oddities with the 2 that are offsite. If i try to open dns on either of them I get 'access is denied.' If I open active directory domains and trusts i get 'you cannot modify domain or trust information because a primary domain controller emulator cannot be contacted.' I ran nslookup on all 4 dc's forward and reverse and they all resolve each other. If i open active directory sites and services the ntds settings arent not equivalent across the 4 dc's. Each DC is a global catalog. This domain is used by a very heavily used web app for user authentication.

I have verified that traffic is in fact passing from the two dc's that are on site to the other 2 dc's that are offsite using our firewall software...all ports are open that need to be, no drops, and nothing has changed AT ALL on the server end..

Here are some events from one of the two servers that arent working:

Log Name: DNS Server
Source: Microsoft-Windows-DNS-Server-Service
Date: 7/21/2011 10:55:24 AM
Event ID: 4000
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: CHHCPPRDADS003.cphprtlprd.com
Description:
The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DNS-Server-Service" Guid="{71A551F5-C893-4849-886B-B5EC8502641E}" EventSourceName="DNS" />
<EventID Qualifiers="49152">4000</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2011-07-21T14:55:24.000000000Z" />
<EventRecordID>30381</EventRecordID>
<Correlation />

[EINSTEIN_007]

You can configure the DNS Server service to use Active Directory Domain Services (AD DS) to store zone data. This makes it possible for the DNS server to rely on directory replication, which enhances security, reliability, and ease of administration. You can try what is mentioned in this link here.