
Thread: Can you remove DNS from Domain Controller and reinstall to repair?

  1. #1
    Saral6978 Guest

    Can you remove DNS from Domain Controller and reinstall to repair?

    I'm having issues with the DNS server service - when set to automatic it
    won't allow my DC to boot - hangs on Preparing Network Connections. If I set
    it to Manual it boots up and I can login and then I start DNS manually after
    login. I believe the problem started after a recent MS Update.

    I'm toying with the idea of uninstalling DNS and reinstalling while it is
    still a DC with Active Directory. Can I do that or no?



  2. #2
    Saral6978 Guest

    RE: Can you remove DNS from Domain Controller and reinstall to repair?

    The domain controller I am working on in question does not hold any of the
    FSMO roles or anything like that, so I'm hoping that removing DNS from the
    server would be okay...I have brought up another DC at this site with DNS
    installed, so at least now I have a backup DC handy if necessary...Any
    thoughts?

    Also - there are no errors in the Event Log pertaining to DNS Server or
    anything when it hangs on Preparing Network Connections. Once I log in and
    start the service, everything is as happy as can be, replication, name
    resolution, etc.

    Is there a chance that maybe the network card drivers need updating? The
    server is an HP DL360G5 with two, GB ethernet ports, and I have them teamed.
    I have 2 other identical servers at 2 other sites (both DCs, running same OS,
    everything identical to this one), and they are having no issues at all.

    "Saral6978" wrote:

    > I'm having issues with the DNS server service - when set to automatic it
    > won't allow my DC to boot - hangs on Preparing Network Connections. If I set
    > it to Manual it boots up and I can login and then I start DNS manually after
    > login. I believe the problem started after a recent MS Update.
    >
    > I'm toying with the idea of uninstalling DNS and reinstalling while it is
    > still a DC with Active Directory. Can I do that or no?
    >
    >


  3. #3
    Meinolf Weber Guest

    Re: Can you remove DNS from Domain Controller and reinstall to repair?

    Hello Saral6978,

    Is this the only DC/DNS server? Well, during the startup the server will
    try to connect to the domain DNS server. Unfortunately it can happen that
    the DNS server service needs a long time to start, so it cannot find its
    own DNS server. I think that is the reason for the long time of preparing
    network connections. If you have an additional DC, I would make it also a DNS
    server, use AD integrated zones, and configure both of them with preferred DNS
    as itself and secondary as the other. So it can always reach the secondary
    if its own is not started.

    Best regards

    Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    no rights.
    ** Please do NOT email, only reply to Newsgroups
    ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


    > I'm having issues with the DNS server service - when set to automatic
    > it won't allow my DC to boot - hangs on Preparing Network Connections.
    > If I set it to Manual it boots up and I can login and then I start DNS
    > manually after login. I believe the problem started after a recent MS
    > Update.
    >
    > I'm toying with the idea of uninstalling DNS and reinstalling while it
    > is still a DC with Active Directory. Can I do that or no?
    >




  4. #4
    Saral6978 Guest

    Re: Can you remove DNS from Domain Controller and reinstall to rep

    <Is this the only DC/DNS server?>

    At this particular site it was...I originally had it configured to use itself
    and a remote DNS server at my main site for its DNS server. It was a record
    48hrs that it sat at Preparing Network Connections. It had done a reboot
    about 5:00am on a Saturday and Monday morning it was still sitting at the
    screen. DNS had been flaking out for the past 2 weeks after some updates had
    applied, for example, my DNS zone would be empty and I had to manually
    restart the DNS server service for it to populate but then it would still
    boot up okay...then about 2 weeks later, it just got stuck on that part of
    the reboot. I figured out the issue was the DNS Server because I went into
    Safe mode and changed it to Manual, then no problem.

    <If you have an additional DC, I would make it also DNS server use AD
    integrated zones and configure both of them for preferred DNS as itself and
    secondary to the other.>

    The secondary DNS server that I just brought up, I did install DNS on it as
    well, and its zone is also AD-Integrated. I installed DNS first, then added
    the DC role to it so it configured the AD-Integrated zone automatically.
    This backup DC is fully operational, replicating with the other 4 DCs in my
    domain (at 3 different sites). I configured its DNS with itself as the
    primary, the above DC having issues is the secondary, and I added one of my
    remote DNS servers as a third.

    And like you suggested, I had added my newly promoted DC as the secondary
    DNS server to the one having the problem starting up. I have not yet
    attempted a reboot on the server having the issue, so perhaps this will
    solve it, but the problem still exists that why now all of a sudden this
    server can't find itself as a DNS server during the boot process when it was
    working just fine a couple of weeks ago? That's why I'm wondering if I just
    remove DNS from this server and reinstall it, it might fix whatever the
    problem is...

    Thanks for your reply,

    Sara

    "Meinolf Weber" wrote:

    > Hello Saral6978,
    >
    > Is this the only DC/DNS server? Well, during the startup the server will
    > try to connect to the domain DNS server. Unfortunately it can happen that
    > the DNS server service needs a long time to start, so it cannot find its
    > own DNS server. I think that is the reason for the long time of preparing
    > network connections. If you have an additional DC, I would make it also a DNS
    > server, use AD integrated zones, and configure both of them with preferred DNS
    > as itself and secondary as the other. So it can always reach the secondary
    > if its own is not started.
    >
    > Best regards
    >
    > Meinolf Weber
    > Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    > no rights.
    > ** Please do NOT email, only reply to Newsgroups
    > ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
    >
    >
    > > I'm having issues with the DNS server service - when set to automatic
    > > it won't allow my DC to boot - hangs on Preparing Network Connections.
    > > If I set it to Manual it boots up and I can login and then I start DNS
    > > manually after login. I believe the problem started after a recent MS
    > > Update.
    > >
    > > I'm toying with the idea of uninstalling DNS and reinstalling while it
    > > is still a DC with Active Directory. Can I do that or no?
    > >



  5. #5
    Meinolf Weber Guest

    Re: Can you remove DNS from Domain Controller and reinstall to rep

    Hello Saral6978,

    48 hours is really too long. I will crosspost to microsoft.public.windows.server.dns,
    there are the DNS experts.

    Best regards

    Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    no rights.
    ** Please do NOT email, only reply to Newsgroups
    ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


    > <Is this the only DC/DNS server?>
    >
    > At this particular site it was...I originally had it configured to use
    > itself and a remote DNS server at my main site for its DNS server.
    > It was a record 48hrs that it sat at Preparing Network Connections. It
    > had done a reboot about 5:00am on a Saturday and Monday morning it was
    > still sitting at the screen. DNS had been flaking out for the past 2
    > weeks after some updates had applied, for example, my DNS zone would
    > be empty and I had to manually restart the DNS server service for it
    > to populate but then it would still boot up okay...then about 2 weeks
    > later, it just got stuck on that part of the reboot. I figured out
    > the issue was the DNS Server because I went into Safe mode and changed
    > it to Manual, then no problem.
    >
    > <If you have an additional DC, i would make it also DNS server use AD
    > integrated zones and configure both of them for preferred DNS as
    > itself and secondary to the other.>
    >
    > The secondary DNS server that I just brought up, I did install DNS on
    > it as well, and its zone is also AD-Integrated. I installed DNS
    > first, then added the DC role to it so it configured the AD-Integrated
    > zone automatically. This backup DC is fully operational, replicating
    > with the other 4 DCs in my domain (at 3 different sites). I
    > configured its DNS with itself as the primary, the above DC having
    > issues is the secondary, and I added one of my remote DNS servers as a
    > third.
    >
    > And like you suggested, I had added my newly promoted DC as the
    > secondary DNS server to the one having the problem starting up. I
    > have not yet attempted a reboot on the server having the issue, so
    > perhaps this will solve it, but the problem still exists that why now
    > all of a sudden this server can't find itself as a DNS server during
    > the boot process when it was working just fine a couple of weeks ago?
    > That's why I'm wondering if I just remove DNS from this server and
    > reinstall it, it might fix whatever the problem is...
    >
    > Thanks for your reply,
    >
    > Sara
    >
    > "Meinolf Weber" wrote:
    >
    >> Hello Saral6978,
    >>
    >> Is this the only DC/DNS server? Well, during the startup the server
    >> will try to connect to the domain DNS server. Unfortunately it can
    >> happen that the DNS server service needs a long time to start, so it
    >> cannot find its own DNS server. I think that is the reason for the
    >> long time of preparing network connections. If you have an additional
    >> DC, I would make it also a DNS server, use AD integrated zones, and
    >> configure both of them with preferred DNS as itself and secondary as
    >> the other. So it can always reach the secondary if its own is not
    >> started.
    >>
    >> Best regards
    >>
    >> Meinolf Weber
    >> Disclaimer: This posting is provided "AS IS" with no warranties, and
    >> confers
    >> no rights.
    >> ** Please do NOT email, only reply to Newsgroups
    >> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
    >>> I'm having issues with the DNS server service - when set to
    >>> automatic it won't allow my DC to boot - hangs on Preparing Network
    >>> Connections. If I set it to Manual it boots up and I can login and
    >>> then I start DNS manually after login. I believe the problem
    >>> started after a recent MS Update.
    >>>
    >>> I'm toying with the idea of uninstalling DNS and reinstalling while
    >>> it is still a DC with Active Directory. Can I do that or no?
    >>>




  6. #6
    Ace Fekay [MVP Directory Services] Guest

    Re: Can you remove DNS from Domain Controller and reinstall to rep

    "Meinolf Weber" wrote in message
    news:ff16fb667ac58cae934bc873a5b@msnews.microsoft.com...
    >> <Is this the only DC/DNS server?>
    >>
    >> At this particular site it was...I originally had it configured to use
    >> itself and a remote DNS server at my main site for its DNS server.
    >> It was a record 48hrs that it sat at Preparing Network Connections. It
    >> had done a reboot about 5:00am on a Saturday and Monday morning it was
    >> still sitting at the screen. DNS had been flaking out for the past 2
    >> weeks after some updates had applied, for example, my DNS zone would
    >> be empty and I had to manually restart the DNS server service for it
    >> to populate but then it would still boot up okay...then about 2 weeks
    >> later, it just got stuck on that part of the reboot. I figured out
    >> the issue was the DNS Server because I went into Safe mode and changed
    >> it to Manual, then no problem.
    >>
    >> <If you have an additional DC, i would make it also DNS server use AD
    >> integrated zones and configure both of them for preferred DNS as
    >> itself and secondary to the other.>
    >>
    >> The secondary DNS server that I just brought up, I did install DNS on
    >> it as well, and its zone is also AD-Integrated. I installed DNS
    >> first, then added the DC role to it so it configured the AD-Integrated
    >> zone automatically. This backup DC is fully operational, replicating
    >> with the other 4 DCs in my domain (at 3 different sites). I
    >> configured its DNS with itself as the primary, the above DC having
    >> issues is the secondary, and I added one of my remote DNS servers as a
    >> third.
    >>
    >> And like you suggested, I had added my newly promoted DC as the
    >> secondary DNS server to the one having the problem starting up. I
    >> have not yet attempted a reboot on the server having the issue, so
    >> perhaps this will solve it, but the problem still exists that why now
    >> all of a sudden this server can't find itself as a DNS server during
    >> the boot process when it was working just fine a couple of weeks ago?
    >> That's why I'm wondering if I just remove DNS from this server and
    >> reinstall it, it might fix whatever the problem is...
    >>
    >> Thanks for your reply,
    >>
    >> Sara
    >>


    Sara,

    What operating system and service pack level are your DCs?
    Do you have AD Sites configured properly?
    What errors are on any of the DCs? If any exist, please post the EventID#
    and Source names.

    I'm trying to get a handle on your infrastructure. Not sure what was
    installed or updated, but any of the updates would not cause this issue. So
    I'll give you a generalization of what to look for with configuring your DCs
    in a multi-site scenario and other recommendations.

    In a multi-site config with Sites configured properly, always point DNS to
    itself as first, and pick another DC in another site as second.

    There is no such thing as a 'secondary' zone, unless of course you are
    speaking of the position as being the 'second' DNS address in ip properties.

    If you have any DC with a true "Secondary" zone of a zone that is AD
    integrated, expect huge problems. If so, it will cause duplicate zones in
    the AD database and that is not easily cleaned up.

    If you have ever wanted to uninstall DNS on a DC, and decided to manually
    delete an AD Integrated zone first prior to uninstallation, you have just
    effectively deleted the whole zone out of AD. If you want to remove the DNS
    service off a DC that has an AD integrated zone, simply go into Add/Remove,
    Windows Components, and uncheck the box. Never delete the zone first.

    If a server cannot 'find itself' for DNS, I would suggest changing its
    first entry to another DC in another Site with an operational DNS and let it
    come up. Then put itself as second. Reboot after about an hour to make sure
    it still comes up. If it comes up clean, then change it to itself as the
    first entry, then the other one as the second entry. The reason why it can't
    find itself is that AD is not up yet for whatever reason, such as
    possibly an update or an app change that needed to do something during the
    restart, etc. Since AD is not up yet, and the zone is AD
    integrated, DNS can't find it in the AD database simply because AD
    services have not started yet.

    Make sense?

    So applying what I mentioned, can you backtrack on what was done and in what
    order as to what was done to better understand what may have happened?


    --
    Regards,
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
    MVP Microsoft MVP - Directory Services
    Microsoft Certified Trainer

    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Enter into an artificial quantum singularity lined with fermions and
    neutrino scatterings depicted by electrons smashing into protons and
    neutrons like billiard balls moving at warp 9 exposing quarks, mesons and
    baryons, the essentials of their existence, that are spinning off in half
    scatters. You have now entered the Twilight Zone.
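    The checks Meinolf and Ace describe above (DNS client order on the DC,
    whether the zone is AD-integrated before the role is touched, whether the DC
    can find a domain controller through its first DNS server, and the 4015
    events) can be scripted. The following is an added example, not code from
    the thread or from Microsoft. It assumes Windows Server 2012 or later with
    the DnsClient and DnsServer PowerShell modules; the Windows 2003 DCs in this
    thread would use "netsh interface ip", "dnscmd" and "dcdiag /test:dns"
    instead. The domain name and peer-DC address are placeholders.

```powershell
# Added example, not code from the thread. Assumes Windows Server 2012 or later,
# where the DnsClient and DnsServer modules exist; on the Windows 2003 DCs in the
# thread the same checks are done with "netsh interface ip", "dnscmd" and
# "dcdiag /test:dns". Run in an elevated PowerShell on the DC being examined.
$DomainName = 'corp.example'   # placeholder: the AD DNS domain
$PeerDcDns  = '10.0.2.10'      # placeholder: address of a DC/DNS in another site
$Adapter    = (Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | Select-Object -First 1).Name

# 1. DNS client order on the DC: itself first, a DC in another site second.
$clientDns = @((Get-DnsClientServerAddress -InterfaceAlias $Adapter -AddressFamily IPv4).ServerAddresses)
$selfIPs   = @((Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4).IPAddress)
"Configured DNS servers on ${Adapter}: $($clientDns -join ', ')"
if ($clientDns.Count -lt 2) {
    Write-Warning 'Only one DNS server listed; a DC should also list a DC in another site.'
}
if ($clientDns.Count -ge 1 -and $clientDns[0] -notin ($selfIPs + '127.0.0.1')) {
    Write-Warning 'First DNS entry is not this server.'
}

# 2. Confirm the zone is stored in AD before touching the DNS role. Uninstalling
#    the role leaves an AD-integrated zone in the directory; deleting the zone in
#    the DNS console removes it from AD for every DC.
$zone = Get-DnsServerZone -Name $DomainName -ErrorAction Stop
"Zone $($zone.ZoneName): type=$($zone.ZoneType) AD-integrated=$($zone.IsDsIntegrated) scope=$($zone.ReplicationScope)"
if ($zone.ZoneType -eq 'Secondary') {
    Write-Warning 'This DC holds a Secondary copy of the zone; if other DCs hold it AD-integrated, expect duplicate zones.'
}

# 3. Can this DC locate a domain controller through its first DNS server?
#    This is the lookup Netlogon depends on while the machine starts.
if ($clientDns.Count -ge 1) {
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -Server $clientDns[0] -ErrorAction Stop
        $targets = ($srv | Where-Object { $_.Type -eq 'SRV' }).NameTarget
        "DC SRV records via $($clientDns[0]): $($targets -join ', ')"
    } catch {
        Write-Warning "SRV lookup against $($clientDns[0]) failed: $_"
    }
}

# 4. DNS Server event 4015 (critical error from AD at DNS start) since the last
#    boot, to tell an event logged during the boot hang from one logged at a
#    manual start of the service.
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 4015; StartTime = $boot } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 5. The workaround from the thread: peer DC first, itself second, until the DC
#    boots cleanly; then swap back. Left commented so the script only reports.
# Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses @($PeerDcDns, $selfIPs[0])
```

    The script only reports; the one change it could make (step 5) is left
    commented out so the order can be swapped deliberately, rebooted, and
    swapped back once the DC comes up clean, as Ace suggests.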




  7. #7
    Saral6978 Guest

    Re: Can you remove DNS from Domain Controller and reinstall to rep

    Ace - thank you so much for your reply, I really appreciate it.

    3 of the DCs, which includes the one I'm having issues with, are running
    Windows 2003 R2, SP2, and the other 2 DCs are running Windows 2003, SP2.

    I am getting one error in the DNS Server log, but I have to confirm if it's
    being generated during the reboot when DNS is set to automatic, or if it's
    being logged because I have DNS Server set to manual. In any case, it's
    Event ID 4015: The DNS server has encountered a critical error from the
    Active Directory. Check that the Active Directory is functioning properly.
    The event data contains the error.

    I have been looking into this error and possible causes. My AD does seem to
    be functioning correctly though, as there are no other errors in my event
    log, and shortly after 4015 is logged, another event says DNS has started and
    there are no other errors. I'm not sure if that's when I manually turned it
    on or not. I will be doing a reboot Monday and keep better track of when
    these errors/alerts are happening.

    AD sites and services is setup properly and replication is running
    seamlessly. I do have DNS set to point to itself first on all my DCs, and
    then I pick another DC in another site as second. When I meant "secondary",
    I meant just the secondary DNS server, not a zone. I only have the one zone
    with the one domain.

    I would never have deleted the Zone from DNS - My plan was to go into
    Add/Remove programs and uncheck DNS from the DC and uninstall it. So, by
    what you said, I should be able to safely uninstall DNS from Windows
    Components on the domain controller without hosing my current Active
    Directory/AD Integrated Zone and affecting my other DCs? If I can do this,
    it might be worth a shot to see if this would solve the problem.

    But, before I do that, since I now have a 2nd DC at this particular site, I
    will change my problem DC's 1st DNS server to the 2nd DC of that site and
    see if I can get it to start. Someone had also mentioned there are a few
    Windows updates that are specifically security updates for DNS that can
    affect services from starting (using UDP ports) and that you have to reserve
    a port, because there is a port that DNS or AD might be using that it can't
    because this port is in use. Problem is, I have no idea what ports to
    attempt to reserve to see if that is truly the problem. DNS to my knowledge
    only uses TCP and UDP ports 53. I'm not sure about AD though, I haven't
    checked it.

    Thanks, again!

    Sara

    "Ace Fekay [MVP Directory Services]" wrote:

    > "Meinolf Weber" wrote in message
    > news:ff16fb667ac58cae934bc873a5b@msnews.microsoft.com...
    > >> <Is this the only DC/DNS server?>
    > >>
    > >> At this particular site it was...I originally had it configured to use
    > >> itself and a remote DNS server at my main site for its DNS server.
    > >> It was a record 48hrs that it sat at Preparing Network Connections. It
    > >> had done a reboot about 5:00am on a Saturday and Monday morning it was
    > >> still sitting at the screen. DNS had been flaking out for the past 2
    > >> weeks after some updates had applied, for example, my DNS zone would
    > >> be empty and I had to manually restart the DNS server service for it
    > >> to populate but then it would still boot up okay...then about 2 weeks
    > >> later, it just got stuck on that part of the reboot. I figured out
    > >> the issue was the DNS Server because I went into Safe mode and changed
    > >> it to Manual, then no problem.
    > >>
    > >> <If you have an additional DC, i would make it also DNS server use AD
    > >> integrated zones and configure both of them for preferred DNS as
    > >> itself and secondary to the other.>
    > >>
    > >> The secondary DNS server that I just brought up, I did install DNS on
    > >> it as well, and its zone is also AD-Integrated. I installed DNS
    > >> first, then added the DC role to it so it configured the AD-Integrated
    > >> zone automatically. This backup DC is fully operational, replicating
    > >> with the other 4 DCs in my domain (at 3 different sites). I
    > >> configured its DNS with itself as the primary, the above DC having
    > >> issues is the secondary, and I added one of my remote DNS servers as a
    > >> third.
    > >>
    > >> And like you suggested, I had added my newly promoted DC as the
    > >> secondary DNS server to the one having the problem starting up. I
    > >> have not yet attempted a reboot on the server having the issue, so
    > >> perhaps this will solve it, but the problem still exists that why now
    > >> all of a sudden this server can't find itself as a DNS server during
    > >> the boot process when it was working just fine a couple of weeks ago?
    > >> That's why I'm wondering if I just remove DNS from this server and
    > >> reinstall it, it might fix whatever the problem is...
    > >>
    > >> Thanks for your reply,
    > >>
    > >> Sara
    > >>

    >
    > Sara,
    >
    > What operating system and service pack level are your DCs?
    > Do you have AD Sites configured properly?
    > What errors are on any of the DCs? If any exist, please post the EventID#
    > and Source names.
    >
    > I'm trying to get a handle on your infrastructure. Not sure what was
    > installed or updated, but any of the updates would not cause this issue. So
    > I'll give you a generalization of what to look for with configuring your DCs
    > in a multi-site scenario and other recommendations.
    >
    > In a multi-site config with Sites configured properly, always point DNS to
    > itself as first, and pick another DC in another site as second.
    >
    > There is no such thing as a 'secondary' zone, unless of course you are
    > speaking of the position as being the 'second' DNS address in ip properties.
    >
    > If you have any DC with a true "Secondary" zone of a zone that is AD
    > integrated, expect huge problems. If so, it will cause duplicate zones in
    > the AD database and that is not easily cleaned up.
    >
    > If you have ever wanted to uninstall DNS on a DC, and decided to manually
    > delete an AD Integrated zone first prior to uninstallation, you have just
    > effectively deleted the whole zone out of AD. If you want to remove the DNS
    > service off a DC that has an AD integrated zone, simply go into Add/Remove,
    > Windows Components, and uncheck the box. Never delete the zone first.
    >
    > If a server cannot 'find itself' for DNS, I would suggest changing its
    > first entry to another DC in another Site with an operational DNS and let it
    > come up. Then put itself as second. Reboot after about an hour to make sure
    > it still comes up. If it comes up clean, then change it to itself as the
    > first entry, then the other one as the second entry. The reason why it can't
    > find itself is that AD is not up yet for whatever reason, such as
    > possibly an update or an app change that needed to do something during the
    > restart, etc. Since AD is not up yet, and the zone is AD
    > integrated, DNS can't find it in the AD database simply because AD
    > services have not started yet.
    >
    > Make sense?
    >
    > So applying what I mentioned, can you backtrack on what was done and in what
    > order as to what was done to better understand what may have happened?
    >
    >
    > --
    > Regards,
    > Ace
    >
    > This posting is provided "AS-IS" with no warranties or guarantees and
    > confers no rights.
    >
    > Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
    > MVP Microsoft MVP - Directory Services
    > Microsoft Certified Trainer
    >
    > For urgent issues, you may want to contact Microsoft PSS directly. Please
    > check http://support.microsoft.com for regional support phone numbers.
    >
    > Enter into an artificial quantum singularity lined with fermions and
    > neutrino scatterings depicted by electrons smashing into protons and
    > neutrons like billiard balls moving at warp 9 exposing quarks, mesons and
    > baryons, the essentials of their existence, that are spinning off in half
    > scatters. You have now entered the Twilight Zone.
    >
    >
    >
    >


  8. #8
    Meinolf Weber Guest

    Re: Can you remove DNS from Domain Controller and reinstall to rep

    Hello Saral6978,

    For event id 4015 check out this article and the part with the (.) root zone
    from Adrian Grigorof.
    http://www.eventid.net/display.asp?e...ce=DNS&phase=1

    Best regards

    Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    no rights.
    ** Please do NOT email, only reply to Newsgroups
    ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


    > Ace - thank you so much for your reply, I really appreciate it.
    >
    > 3 of the DCs, which includes the one I'm having issues with, are
    > running Windows 2003 R2, SP2, and the other 2 DCs are running Windows
    > 2003, SP2.
    >
    > I am getting one error in the DNS Server log, but I have to confirm if
    > it's being generated during the reboot when DNS is set to automatic,
    > or if it's being logged because I have DNS Server set to manual. In
    > any case, it's Event ID 4015: The DNS server has encountered a
    > critical error from the Active Directory. Check that the Active
    > Directory is functioning properly. The event data contains the error.
    >
    > I have been looking into this error and possible causes. My AD does
    > seem to be functioning correctly though, as there are no other errors
    > in my event log, and shortly after 4015 is logged, another event says
    > DNS has started and there are no other errors. I'm not sure if that's
    > when I manually turned it on or not. I will be doing a reboot Monday
    > and keep better track of when these errors/alerts are happening.
    >
    > AD sites and services is setup properly and replication is running
    > seamlessly. I do have DNS set to point to itself first on all my DCs,
    > and then I pick another DC in another site as second. When I meant
    > "secondary", I meant just the secondary DNS server, not a zone. I
    > only have the one zone with the one domain.
    >
    > I would never have deleted the Zone from DNS - My plan was to go into
    > Add/Remove programs and uncheck DNS from the DC and uninstall it. So,
    > by what you said, I should be able to safely uninstall DNS from
    > Windows Components on the domain controller without hosing my current
    > Active Directory/AD Integrated Zone and affecting my other DCs? If I
    > can do this, it might be worth a shot to see if this would solve the
    > problem.
    >
    > But, before I do that, since I now have a 2nd DC at this particular
    > site, I will change my problem DC's 1st DNS server to the 2nd DC
    > of that site and see if I can get it to start. Someone had also
    > mentioned there are a few Windows updates that are specifically
    > security updates for DNS that can affect services from starting (using
    > UDP ports) and that you have to reserve a port, because there is a
    > port that DNS or AD might be using that it can't because this port is
    > in use. Problem is, I have no idea what ports to attempt to reserve
    > to see if that is truly the problem. DNS to my knowledge only uses
    > TCP and UDP ports 53. I'm not sure about AD though, I haven't checked
    > it.
    >
    > Thanks, again!
    >
    > Sara
    >
    > "Ace Fekay [MVP Directory Services]" wrote:
    >
    >> "Meinolf Weber" wrote in message
    >> news:ff16fb667ac58cae934bc873a5b@msnews.microsoft.com...
    >>
    >>>> <Is this the only DC/DNS server?>
    >>>>
    >>>> At this particular site it was...I originally had it configured to
    >>>> use
    >>>> itself and a remote DNS server at my main site for its DNS server.
    >>>> It was a record 48hrs that it sat at Preparing Network Connections.
    >>>> It
    >>>> had done a reboot about 5:00am on a Saturday and Monday morning it
    >>>> was
    >>>> still sitting at the screen. DNS had been flaking out for the past
    >>>> 2
    >>>> weeks after some updates had applied, for example, my DNS zone
    >>>> would
    >>>> be empty and I had to manually restart the DNS server service for
    >>>> it
    >>>> to populate but then it would still boot up okay...then about 2
    >>>> weeks
    >>>> later, it just got stuck on that part of the reboot. I figured out
    >>>> the issue was the DNS Server because I went into Safe mode and
    >>>> changed
    >>>> it to Manual, then no problem.
    >>>> <If you have an additional DC, i would make it also DNS server use
    >>>> AD integrated zones and configure both of them for preferred DNS as
    >>>> itself and secondary to the other.>
    >>>>
    >>>> The secondary DNS server that I just brought up, I did install DNS
    >>>> on it as well, and its zone is also AD-Integrated. I installed
    >>>> DNS first, then added the DC role to it so it configured the
    >>>> AD-Integrated zone automatically. This backup DC is fully
    >>>> operational, replicating with the other 4 DCs in my domain (at 3
    >>>> different sites). I configured its DNS with itself as the primary,
    >>>> the above DC having issues is the secondary, and I added one of my
    >>>> remote DNS servers as a third.
    >>>>
    >>>> And like you suggested, I had added my newly promoted DC as the
    >>>> secondary DNS server to the one having the problem starting up. I
    >>>> have not yet attempted a reboot on the server having the issue,
    >>>> so perhaps this will solve it, but the problem still exists that
    >>>> why now all of a sudden this server can't find itself as a DNS
    >>>> server during the boot process when it was working just fine a
    >>>> couple of weeks ago? That's why I'm wondering if I just remove DNS
    >>>> from this server and reinstall it, it might fix whatever the
    >>>> problem is...
    >>>>
    >>>> Thanks for your reply,
    >>>>
    >>>> Sara
    >>>>

    >> Sara,
    >>
    >> What operating system and service pack level are your DCs?
    >> Do you have AD Sites configured properly?
    >> What errors are on any of the DCs? If any exist, please post the
    >> EventID#
    >> and Source names.
    >> I'm trying to get a handle on your infrastructure. Not sure what was
    >> installed or updated, but any of the updates would not cause this
    >> issue. So I'll give you a generalization of what to look for with
    >> configuring your DCs in a multi-site scenario and other
    >> recommendations.
    >>
    >> In a multi-site config with Sites configured properly, always point
    >> DNS to itself as first, and pick another DC in another site as
    >> second.
    >>
    >> There is no such thing as a 'secondary' zone, unless of course you are
    >> speaking of the position as being the 'second' DNS address in ip
    >> properties.
    >>
    >> If you have any DC with a true "Secondary" zone of a zone that is AD
    >> integrated, expect huge problems. If so, it will cause duplicate
    >> zones in the AD database and that is not easily cleaned up.
    >>
    >> If you have ever wanted to uninstall DNS on a DC, and decided to
    >> manually delete an AD Integrated zone first prior to uninstallation,
    >> you have just effectively deleted the whole zone out of AD. If you
    >> want to remove the DNS service off a DC that has an AD integrated
    >> zone, simply go into Add/Remove, Windows Components, and uncheck the
    >> box. Never delete the zone first.
    >>
    >> If a server cannot 'find itself' for DNS, I would suggest to change
    >> its first entry to another DC in another Site with an operational
    >> DNS and let it come up. Then put itself as second. Reboot after about
    >> an hour to make sure it still comes up. If it comes up clean, then
    >> change it to itself as the first entry, then the other one as the
    >> second entry. The reason why it can't find itself is because AD is
    >> not up yet for whatever reason, such as possibly an update, or an app
    >> change and needed to do something during the restart, etc, therefore
    >> since AD is not up yet, and the zone is AD integrated, then DNS can't
    >> find it in the AD database simply because AD services have not
    >> started yet.
    >>
    >> Make sense?
    >>
    >> So applying what I mentioned, can you backtrack on what was done and
    >> in what order as to what was done to better understand what may have
    >> happened?
    >>
    >> --
    >> Regards,
    >> Ace
    >> This posting is provided "AS-IS" with no warranties or guarantees and
    >> confers no rights.
    >>
    >> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
    >> MVP Microsoft MVP - Directory Services
    >> Microsoft Certified Trainer
    >> For urgent issues, you may want to contact Microsoft PSS directly.
    >> Please check http://support.microsoft.com for regional support phone
    >> numbers.
    >>
    >> Enter into an artificial quantum singularity lined with fermions and
    >> neutrino scatterings depicted by electrons smashing into protons and
    >> neutrons like billiard balls moving at warp 9 exposing quarks, mesons
    >> and baryons, the essentials of their existence, that are spinning off
    >> in half scatters. You have now entered the Twilight Zone.
    >>




  9. #9
    Ace Fekay [MVP Direcrtory Services] Guest

    Re: Can you remove DNS from Domain Controller and reinstall to rep

    "Saral6978" <Saral6978@discussions.microsoft.com> wrote in message
    news:72CEBDBC-AE50-4510-A5EA-7D6A0319F8F0@microsoft.com...
    > Ace - thank you so much for your reply, I really appreciate it.
    >
    > 3 of the DCs, which includes the one I'm having issues with, are running
    > Windows 2003 R2, SP2, and the other 2 DCs are running Windows 2003, SP2.
    >
    > I am getting one error in the DNS Server log, but I have to confirm if
    > it's
    > being generated during the reboot when DNS is set to automatic, or if it's
    > being logged because I have DNS Server set to manual. In any case, it's
    > Event ID 4015: The DNS server has encountered a critical error from the
    > Active Directory. Check that the Active Directory is functioning properly.
    > The event data contains the error.
    >
    > I have been looking into this error and possible causes. My AD does seem
    > to
    > be functioning correctly though, as there are no other errors in my event
    > log, and shortly after 4015 is logged, another event says DNS has started
    > and
    > there are no other errors. I'm not sure if that's when I manually turned
    > it
    > on or not. I will be doing a reboot Monday and keep better track of when
    > these errors/alerts are happening.
    >
    > AD sites and services is setup properly and replication is running
    > seamlessly. I do have DNS set to point to itself first on all my DCs, and
    > then I pick another DC in another site as second. When I meant
    > "secondary",
    > I meant just the secondary DNS server, not a zone. I only have the one
    > zone
    > with the one domain.
    >
    > I would never have deleted the Zone from DNS - My plan was to go into
    > Add/Remove programs and uncheck DNS from the DC and uninstall it. So, by
    > what you said, I should be able to safely uninstall DNS from Windows
    > Components on the domain controller without hosing my current Active
    > Directory/AD Integrated Zone and affecting my other DCs? If I can do
    > this,
    > it might be worth a shot to see if this would solve the problem.
    >
    > But, before I do that, since I now have a 2nd DC at this particular site,
    > I
    > will change my problem DC's 1st DNS server to the 2nd DC of that site
    > and
    > see if I can get it to start. Someone had also mentioned there are a few
    > Windows updates that are specifically security updates for DNS that can
    > affect services from starting (using UDP ports) and that you have to
    > reserve
    > a port, because there is a port that DNS or AD might be using that it
    > can't
    > because this port is in use. Problem is, I have no idea what ports to
    > attempt to reserve to see if that is truly the problem. DNS to my
    > knowledge
    > only uses TCP and UDP ports 53. I'm not sure about AD though, I haven't
    > checked it.
    >
    > Thanks, again!
    >
    > Sara



    Hi Sara,

    Honestly I haven't heard of these problems until now. But a really important
    point is that you must keep the DNS service set to automatic at all times.
    Otherwise leaving it to manual will cause issues at startup because AD can't
    find itself if the first entry is pointed to itself unless the DNS service
    is running. Otherwise, how is it supposed to query a non-running DNS
    service?

    As for uninstalling, yes, just uncheck the box. But I would leave the
    service enabled and try it out.

    The security update reserves 2500 UDP ephemeral ports. The ephemeral ports
    are the response ports anywhere between UDP 1025 and UDP 2500. Sometimes
    this can cause problems with 3rd party apps installed that need these ports as
    well as the IPSec service. Otherwise, if you don't have anything else
    installed, it shouldn't be a problem. The following is more info on the
    security update and the ports being used. But I don't think this is the
    cause of the problem.

    ---------------------------------
    The DNS patch will reserve 2500 ephemeral UDP ports. When you run a
    netstat -ab, it will display the 2500 UDP ports that have been
    reserved, but not necessarily in use. This is part of the memory
    consumption. I've noticed the following (your mileage may vary):

    dns.exe       Before     After
    Mem usage     9758K      36,232K
    Peak Mem      10,208K    36,584K
    Paged Pool    71K        798K
    NP Pool       17K        4,833K
    Handles       238        5,217
    Threads       20         20

    MS08-037: Description of the security update for DNS in Windows Server 2003,
    in Windows XP, and in Windows 2000 Server (client side): July 8, 2008:
    http://support.microsoft.com/?id=951748

    MS08-037: Vulnerabilities in DNS could allow spoofing
    http://support.microsoft.com/default.aspx/kb/953230

    How to reserve a range of ephemeral ports on a computer that is running
    Windows Server 2003 or Windows 2000 Server
    http://support.microsoft.com/kb/812873

    You experience issues with UDP-dependent network services after you install
    DNS Server service security update 953230 (MS08-037)
    http://support.microsoft.com/default.aspx/kb/956188

    Some Services May Fail to Start or May Not Work Properly After Installing
    MS08-037 (951746 and 951748)
    http://blogs.technet.com/sbs/archive...nd-951748.aspx

    SBS Services failing after MS08-037 - KB951746 and 951748
    http://msmvps.com/blogs/thenakedmvp/...nd-951748.aspx
    --------------------------------------------

    Ace
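
As an added example (not a command set from Ace, Sara, or the Microsoft articles above), the following script performs read-only checks for the conditions discussed in this thread on a DC hosting AD-integrated DNS: DNS Server start type, resolver order (itself first, a DC from another site second), recent event 4015, the ReservedPorts value from KB812873, and the UDP endpoints dns.exe holds. It assumes a current Windows Server with the DnsClient and NetTCPIP modules (the Windows 2003 servers in this thread would need ipconfig /all and netstat -ab instead) and an elevated session.

```powershell
# Added example, not from the original thread. Read-only health checks for a DC
# that hosts AD-integrated DNS. Assumes a current Windows Server with the
# DnsClient and NetTCPIP modules; run in an elevated PowerShell session.

$findings = New-Object System.Collections.Generic.List[string]

# 1. The DNS Server service must be Automatic. Manual only hides the boot hang,
#    because AD cannot resolve itself against a DNS service that is not running.
$svc = Get-CimInstance Win32_Service -Filter "Name='DNS'"
if ($null -eq $svc) {
    $findings.Add("DNS Server service is not installed on this host.")
} elseif ($svc.StartMode -ne 'Auto') {
    $findings.Add("DNS Server start type is '$($svc.StartMode)', expected Automatic.")
}

# 2. Resolver order: itself first, another DC (ideally in another site) second.
#    With only itself listed, nothing resolves until AD, and so the zone, is up.
$localIPs = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
$nics = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 }
foreach ($nic in $nics) {
    $list = $nic.ServerAddresses
    $alias = $nic.InterfaceAlias
    if ($list[0] -notin $localIPs) {
        $findings.Add("${alias}: first DNS entry $($list[0]) is not this server.")
    }
    if ($list.Count -lt 2) {
        $findings.Add("${alias}: no second DNS entry; add a DC from another site.")
    } elseif ($list[1] -in $localIPs) {
        $findings.Add("${alias}: second DNS entry is also this server.")
    }
}

# 3. Event 4015 (DNS Server could not read its zone data from AD) in the last day.
$since = (Get-Date).AddDays(-1)
$filter = @{ LogName = 'DNS Server'; Id = 4015; StartTime = $since }
$ev = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if ($ev) {
    # Get-WinEvent returns newest first, so [0] is the most recent occurrence.
    $findings.Add("Event 4015 logged $($ev.Count) time(s) since $since; last at $($ev[0].TimeCreated).")
}

# 4. Port reservations made per KB812873 live under the Tcpip parameters key.
#    Report them so a collision with a port DNS or AD needs can be ruled out.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$reserved = (Get-ItemProperty -Path $tcpip -Name ReservedPorts -ErrorAction SilentlyContinue).ReservedPorts
if ($reserved) {
    $findings.Add("ReservedPorts is set: $($reserved -join ', ')")
}

# 5. UDP endpoints bound by dns.exe. The post-MS08-037 socket pool appears here as
#    thousands of bound-but-idle ports, the same thing netstat -ab displays.
$dnsProc = Get-Process -Name dns -ErrorAction SilentlyContinue
if ($dnsProc) {
    $udp = @(Get-NetUDPEndpoint | Where-Object { $_.OwningProcess -eq $dnsProc.Id })
    $wsKB = [int]($dnsProc.WorkingSet64 / 1KB)
    $findings.Add("dns.exe holds $($udp.Count) UDP endpoint(s); working set $wsKB KB.")
}

if ($findings.Count -eq 0) { "No findings." } else { $findings }
```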


  10. #10
    Saral6978 Guest

    Re: Can you remove DNS from Domain Controller and reinstall to rep

    Thank you Meinolf - I did look at this link last Friday. I did look at the
    (.) root zone part, but to me, they are suggesting I change my zone type,
    and I'm not sure I am comfortable doing that when I'm not having issues with
    my other DCs and their DNS server service, etc...

    "Meinolf Weber" wrote:

    > Hello Saral6978,
    >
    > For event id 4015 check out this article and the part with the (.) root zone
    > from Adrian Grigorof.
    > http://www.eventid.net/display.asp?e...ce=DNS&phase=1
    >
    > Best regards
    >
    > Meinolf Weber
    > Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    > no rights.
    > ** Please do NOT email, only reply to Newsgroups
    > ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
    >
    >
    > > Ace - thank you so much for your reply, I really appreciate it.
    > >
    > > 3 of the DCs, which includes the one I'm having issues with, are
    > > running Windows 2003 R2, SP2, and the other 2 DCs are running Windows
    > > 2003, SP2.
    > >
    > > I am getting one error in the DNS Server log, but I have to confirm if
    > > it's being generated during the reboot when DNS is set to automatic,
    > > or if it's being logged because I have DNS Server set to manual. In
    > > any case, it's Event ID 4015: The DNS server has encountered a
    > > critical error from the Active Directory. Check that the Active
    > > Directory is functioning properly. The event data contains the error.
    > >
    > > I have been looking into this error and possible causes. My AD does
    > > seem to be functioning correctly though, as there are no other errors
    > > in my event log, and shortly after 4015 is logged, another event says
    > > DNS has started and there are no other errors. I'm not sure if that's
    > > when I manually turned it on or not. I will be doing a reboot Monday
    > > and keep better track of when these errors/alerts are happening.
    > >
    > > AD sites and services is setup properly and replication is running
    > > seamlessly. I do have DNS set to point to itself first on all my DCs,
    > > and then I pick another DC in another site as second. When I meant
    > > "secondary", I meant just the secondary DNS server, not a zone. I
    > > only have the one zone with the one domain.
    > >
    > > I would never have deleted the Zone from DNS - My plan was to go into
    > > Add/Remove programs and uncheck DNS from the DC and uninstall it. So,
    > > by what you said, I should be able to safely uninstall DNS from
    > > Windows Components on the domain controller without hosing my current
    > > Active Directory/AD Integrated Zone and affecting my other DCs? If I
    > > can do this, it might be worth a shot to see if this would solve the
    > > problem.
    > >
    > > But, before I do that, since I now have a 2nd DC at this particular
    > > site, I will change my problem DC's 1st DNS server to the 2nd DC
    > > of that site and see if I can get it to start. Someone had also
    > > mentioned there are a few Windows updates that are specifically
    > > security updates for DNS that can affect services from starting (using
    > > UDP ports) and that you have to reserve a port, because there is a
    > > port that DNS or AD might be using that it can't because this port is
    > > in use. Problem is, I have no idea what ports to attempt to reserve
    > > to see if that is truly the problem. DNS to my knowledge only uses
    > > TCP and UDP ports 53. I'm not sure about AD though, I haven't checked
    > > it.
    > >
    > > Thanks, again!
    > >
    > > Sara
    > >
    > > "Ace Fekay [MVP Direcrtory Services]" wrote:
    > >
    > >> "Meinolf Weber" wrote in message
    > >> news:ff16fb667ac58cae934bc873a5b@msnews.microsoft.com...
    > >>
    > >>>> <Is this the only DC/DNS server?>
    > >>>>
    > >>>> At this particular site it was...I originally had it configured to
    > >>>> use
    > >>>> itself and a remote DNS server at my main site for its DNS server.
    > >>>> It was a record 48hrs that it sat at Preparing Network Connections.
    > >>>> It
    > >>>> had done a reboot about 5:00am on a Saturday and Monday morning it
    > >>>> was
    > >>>> still sitting at the screen. DNS had been flaking out for the past
    > >>>> 2
    > >>>> weeks after some updates had applied, for example, my DNS zone
    > >>>> would
    > >>>> be empty and I had to manually restart the DNS server service for
    > >>>> it
    > >>>> to populate but then it would still boot up okay...then about 2
    > >>>> weeks
    > >>>> later, it just got stuck on that part of the reboot. I figured out
    > >>>> the issue was the DNS Server because I went into Safe mode and
    > >>>> changed
    > >>>> it to Manual, then no problem.
    > >>>> <If you have an additional DC, i would make it also DNS server use
    > >>>> AD integrated zones and configure both of them for preferred DNS as
    > >>>> itself and secondary to the other.>
    > >>>>
    > >>>> The secondary DNS server that I just brought up, I did install DNS
    > >>>> on it as well, and its zone is also AD-Integrated. I installed
    > >>>> DNS first, then added the DC role to it so it configured the
    > >>>> AD-Integrated zone automatically. This backup DC is fully
    > >>>> operational, replicating with the other 4 DCs in my domain (at 3
    > >>>> different sites). I configured its DNS with itself as the primary,
    > >>>> the above DC having issues is the secondary, and I added one of my
    > >>>> remote DNS servers as a third.
    > >>>>
    > >>>> And like you suggested, I had added my newly promoted DC as the
    > >>>> secondary DNS server to the one having the problem starting up. I
    > >>>> have not yet attempted a reboot yet on the server having the issue,
    > >>>> so perhaps this will solve it, but the problem still exists that
    > >>>> why now all of a sudden this server can't find itself as a DNS
    > >>>> server during the boot process when it was working just fine a
    > >>>> couple of weeks ago? That's why I'm wondering if I just remove DNS
    > >>>> from this server and reinstall it, it might fix whatever the
    > >>>> problem is...
    > >>>>
    > >>>> Thanks for your reply,
    > >>>>
    > >>>> Sara
    > >>>>
    > >> Sara,
    > >>
    > >> What operating system and service pack level are your DCs?
    > >> Do you have AD Sites configured properly?
    > >> What errors are on any of the DCs? If any exist, please post the
    > >> EventID#
    > >> and Source names.
    > >> I'm trying to get a handle on your infrastructure. Not sure what was
    > >> installed or updated, but any of the updates would not cause this
    > >> issue. So I'll give you a generalization of what to look for with
    > >> configuring your DCs in a multi-site scenario and other
    > >> recommendations.
    > >>
    > >> In a multi-site config with Sites configured properly, always point
    > >> DNS to itself as first, and pick another DC in another site as
    > >> second.
    > >>
    > >> There is no such thing as a 'secondary' zone, unless of course you are
    > >> speaking of the position as being the 'second' DNS address in ip
    > >> properties.
    > >>
    > >> If you have any DC with a true "Secondary" zone of a zone that is AD
    > >> integrated, expect huge problems. If so, it will cause duplicate
    > >> zones in the AD database and that is not easily cleaned up.
    > >>
    > >> If you have ever wanted to uninstall DNS on a DC, and decided to
    > >> manually delete an AD Integrated zone first prior to uninstallation,
    > >> you have just effectively deleted the whole zone out of AD. If you
    > >> want to remove the DNS service off a DC that has an AD integrated
    > >> zone, simply go into Add/Remove, Windows Components, and uncheck the
    > >> box. Never delete the zone first.
    > >>
    > >> If a server cannot 'find itself' for DNS, I would suggest to change
    > >> its first entry to another DC in another Site with an operational
    > >> DNS and let it come up. Then put itself as second. Reboot after about
    > >> an hour to make sure it still comes up. If it comes up clean, then
    > >> change it to itself as the first entry, then the other one as the
    > >> second entry. The reason why it can't find itself is because AD is
    > >> not up yet for whatever reason, such as possibly an update, or an app
    > >> change and needed to do something during the restart, etc, therefore
    > >> since AD is not up yet, and the zone is AD integrated, then DNS can't
    > >> find it in the AD database simply because AD services have not
    > >> started yet.
    > >>
    > >> Make sense?
    > >>
    > >> So applying what I mentioned, can you backtrack on what was done and
    > >> in what order as to what was done to better understand what may have
    > >> happened?
    > >>
    > >> --
    > >> Regards,
    > >> Ace
    > >> This posting is provided "AS-IS" with no warranties or guarantees and
    > >> confers no rights.
    > >>
    > >> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
    > >> MVP Microsoft MVP - Directory Services
    > >> Microsoft Certified Trainer
    > >> For urgent issues, you may want to contact Microsoft PSS directly.
    > >> Please check http://support.microsoft.com for regional support phone
    > >> numbers.
    > >>
    > >> Enter into an artificial quantum singularity lined with fermions and
    > >> neutrino scatterings depicted by electrons smashing into protons and
    > >> neutrons like billiard balls moving at warp 9 exposing quarks, mesons
    > >> and baryons, the essentials of their existence, that are spinning off
    > >> in half scatters. You have now entered the Twilight Zone.
    > >>

    >
    >
    >


  11. #11
    Saral6978 Guest

    Re: Can you remove DNS from Domain Controller and reinstall to rep

    Ace -

    Yes, I realize that DNS should be set to automatic, believe me, I want to
    switch it back. Unfortunately, the server won't boot up if it is set to
    automatic. Currently, it is still set to manual, and if I happen to reboot
    the server, I then log in and start DNS Server right away manually. It's not
    that I have DNS stopped altogether or anything.


    <<The security update reserves 2500 UDP ephemeral ports. The ephemeral ports
    are the response ports anywhere between UDP 1025 and UDP 2500. Sometimes this
    can cause problems with 3rd party apps installed that need these ports as well as
    the IPSec service.>>

    I don't have much running on this DC, but I do have 3rd party tools, like a
    SurfControl Agent, a SpecOpsPasswordPolicy agent running, both of which
    communicate with AD. I've looked at all the documentation that you noted
    below about the ports last week. Thursday night I did remove 3 updates that
    I suspected might be causing the issue and when I removed them my server
    booted normally with DNS Server on automatic. I then applied the 3 updates
    one at a time and after I installed KB945553 (which is a DNS security
    update), my server got stuck again on Preparing Network Connections. I then
    booted into Safe Mode, switched DNS back to manual, then booted back into the
    regular OS and uninstalled only that update and switched DNS back to Auto,
    but unfortunately, the server still got stuck on reboot. I removed those
    other 2 updates again, and it still wouldn't boot. So, I'm not sure why it
    booted okay the first time after I removed all 3 updates (only difference was
    that I didn't remove them in the same order that I did the first time).

    Well, in any case, I'm going to do a reboot this morning to see what happens
    with using a different DNS server as the primary and of course, resetting my
    service back to Automatic before the reboot.

    Sara

    "Ace Fekay [MVP Direcrtory Services]" wrote:

    > "Saral6978" <Saral6978@discussions.microsoft.com> wrote in message
    > news:72CEBDBC-AE50-4510-A5EA-7D6A0319F8F0@microsoft.com...
    > > Ace - thank you so much for your reply, I really appreciate it.
    > >
    > > 3 of the DCs, which includes the one I'm having issues with, are running
    > > Windows 2003 R2, SP2, and the other 2 DCs are running Windows 2003, SP2.
    > >
    > > I am getting one error in the DNS Server log, but I have to confirm if
    > > it's
    > > being generated during the reboot when DNS is set to automatic, or if it's
    > > being logged because I have DNS Server set to manual. In any case, it's
    > > Event ID 4015: The DNS server has encountered a critical error from the
    > > Active Directory. Check that the Active Directory is functioning properly.
    > > The event data contains the error.
    > >
    > > I have been looking into this error and possible causes. My AD does seem
    > > to
    > > be functioning correctly though, as there are no other errors in my event
    > > log, and shortly after 4015 is logged, another event says DNS has started
    > > and
    > > there are no other errors. I'm not sure if that's when I manually turned
    > > it
    > > on or not. I will be doing a reboot Monday and keep better track of when
    > > these errors/alerts are happening.
    > >
    > > AD sites and services is setup properly and replication is running
    > > seamlessly. I do have DNS set to point to itself first on all my DCs, and
    > > then I pick another DC in another site as second. When I meant
    > > "secondary",
    > > I meant just the secondary DNS server, not a zone. I only have the one
    > > zone
    > > with the one domain.
    > >
    > > I would never have deleted the Zone from DNS - My plan was to go into
    > > Add/Remove programs and uncheck DNS from the DC and uninstall it. So, by
    > > what you said, I should be able to safely uninstall DNS from Windows
    > > Components on the domain controller without hosing my current Active
    > > Directory/AD Integrated Zone and affecting my other DCs? If I can do
    > > this,
    > > it might be worth a shot to see if this would solve the problem.
    > >
    > > But, before I do that, since I now have a 2nd DC at this particular site,
    > > I
    > > will change my problem DC's 1st DNS server to the 2nd DC of that site
    > > and
    > > see if I can get it to start. Someone had also mentioned there are a few
    > > Windows updates that are specifically security updates for DNS that can
    > > affect services from starting (using UDP ports) and that you have to
    > > reserve
    > > a port, because there is a port that DNS or AD might be using that it
    > > can't
    > > because this port is in use. Problem is, I have no idea what ports to
    > > attempt to reserve to see if that is truly the problem. DNS to my
    > > knowledge
    > > only uses TCP and UDP ports 53. I'm not sure about AD though, I haven't
    > > checked it.
    > >
    > > Thanks, again!
    > >
    > > Sara

    >
    >
    > Hi Sara,
    >
    > Honestly I haven't heard of these problems until now. But a really important
    > point is that you must keep the DNS service set to automatic at all times.
    > Otherwise leaving it to manual will cause issues at startup because AD can't
    > find itself if the first entry is pointed to itself unless the DNS service
    > is running. Otherwise, how is it supposed to query a non-running DNS
    > service?
    >
    > As for uninstalling, yes, just uncheck the box. But I would leave the
    > service enabled and try it out.
    >
    > The security update reserves 2500 UDP ephemeral ports. The ephemeral ports
    > are the response ports anywhere between UDP 1025 and UDP 2500. Sometimes
    > this can cause problems with 3rd party apps installed that need these ports as
    > well as the IPSec service. Otherwise, if you don't have anything else
    > installed, it shouldn't be a problem. The following is more info on the
    > security update and the ports being used. But I don't think this is the
    > cause of the problem.
    >
    > ---------------------------------
    > The DNS patch will reserve 2500 ephemeral UDP ports. When you run a
    > netstat -ab, it will display the 2500 UDP ports that have been
    > reserved, but not necessarily in use. This is part of the memory
    > consumption. I've noticed the following (your mileage may vary):
    >
    > dns.exe       Before     After
    > Mem usage     9758K      36,232K
    > Peak Mem      10,208K    36,584K
    > Paged Pool    71K        798K
    > NP Pool       17K        4,833K
    > Handles       238        5,217
    > Threads       20         20
    >
    > MS08-037: Description of the security update for DNS in Windows Server 2003,
    > in Windows XP, and in Windows 2000 Server (client side): July 8, 2008:
    > http://support.microsoft.com/?id=951748
    >
    > MS08-037: Vulnerabilities in DNS could allow spoofing
    > http://support.microsoft.com/default.aspx/kb/953230
    >
    > How to reserve a range of ephemeral ports on a computer that is running
    > Windows Server 2003 or Windows 2000 Server
    > http://support.microsoft.com/kb/812873
    >
    > You experience issues with UDP-dependent network services after you install
    > DNS Server service security update 953230 (MS08-037)
    > http://support.microsoft.com/default.aspx/kb/956188
    >
    > Some Services May Fail to Start or May Not Work Properly After Installing
    > MS08-037 (951746 and 951748)
    > http://blogs.technet.com/sbs/archive...nd-951748.aspx
    >
    > SBS Services failing after MS08-037 - KB951746 and 951748
    > http://msmvps.com/blogs/thenakedmvp/...nd-951748.aspx
    > --------------------------------------------
    >
    > Ace
    >
    >


  12. #12
    Saral6978 Guest

    Re: Can you remove DNS from Domain Controller and reinstall to rep

    Well, this is kind of interesting...here is what I did. I installed all needed
    critical updates, including all the DNS security updates I hadn't yet
    applied, and the ones I removed, added my other DC as the Secondary DNS
    server on the NIC, changed the DNS Server service to automatic and rebooted.
    My server rebooted very quickly and successfully! I then removed that
    secondary DNS server and put in one from my remote site, and then rebooted
    the server and it still worked!

    So, I'm thinking that by installing ALL the necessary Windows updates that
    it might have fixed my problem...I really don't know. I no longer have the
    4015 error, and no other errors pertaining to DNS or Active Directory.
    Everything is running as it should.

    I don't know what to say about this...very strange.

    Thanks Ace and Meinolf for your responses to my questions! They were much
    appreciated!

    Sara
    "Saral6978" wrote:

    > Ace -
    >
    > Yes, I realize that DNS should be set to automatic, believe me, I want to
    > switch it back. Unfortunately, the server won't boot up if it is set to
    > automatic. Currently, it is still set to manual, and if I happen to reboot
    > the server, I then log in and start DNS Server right away manually. It's not
    > that I have DNS stopped altogether or anything.
    >
    >
    > <<The security update reserves 2500 UDP ephemeral ports. The ephemeral ports
    > are the response ports anywhere between UDP 1025 and UDP 2500. Sometimes this
    > can cause problems with 3rd party apps installed that need these ports as well as
    > the IPSec service.>>
    >
    > I don't have much running on this DC, but I do have 3rd party tools, like a
    > SurfControl Agent, a SpecOpsPasswordPolicy agent running, both of which
    > communicate with AD. I've looked at all the documentation that you noted
    > below about the ports last week. Thursday night I did remove 3 updates that
    > I suspected might be causing the issue and when I removed them my server
    > booted normally with DNS Server on automatic. I then applied the 3 updates
    > one at a time and after I installed KB945553 (which is a DNS security
    > update), my server got stuck again on Preparing Network Connections. I then
    > booted into Safe Mode, switched DNS back to manual, then booted back into the
    > regular OS and uninstalled only that update and switched DNS back to Auto,
    > but unfortunately, the server still got stuck on reboot. I removed those
    > other 2 updates again, and it still wouldn't boot. So, I'm not sure why it
    > booted okay the first time after I removed all 3 updates (only difference was
    > that I didn't remove them in the same order that I did the first time).
    >
    > Well, in any case, I'm going to do a reboot this morning to see what happens
    > with using a different DNS server as the primary and of course, resetting my
    > service back to Automatic before the reboot.
    >
    > Sara
    >
    > "Ace Fekay [MVP Direcrtory Services]" wrote:
    >
    > > "Saral6978" <Saral6978@discussions.microsoft.com> wrote in message
    > > news:72CEBDBC-AE50-4510-A5EA-7D6A0319F8F0@microsoft.com...
    > > > Ace - thank you so much for your reply, I really appreciate it.
    > > >
    > > > 3 of the DCs, which includes the one I'm having issues with, are running
    > > > Windows 2003 R2, SP2, and the other 2 DCs are running Windows 2003, SP2.
    > > >
    > > > I am getting one error in the DNS Server log, but I have to confirm if
    > > > it's
    > > > being generated during the reboot when DNS is set to automatic, or if it's
    > > > being logged because I have DNS Server set to manual. In any case, it's
    > > > Event ID 4015: The DNS server has encountered a critical error from the
    > > > Active Directory. Check that the Active Directory is functioning properly.
    > > > The event data contains the error.
    > > >
    > > > I have been looking into this error and possible causes. My AD does seem
    > > > to
    > > > be functioning correctly though, as there are no other errors in my event
    > > > log, and shortly after 4015 is logged, another event says DNS has started
    > > > and
    > > > there are no other errors. I'm not sure if that's when I manually turned
    > > > it
    > > > on or not. I will be doing a reboot Monday and keep better track of when
    > > > these errors/alerts are happening.
    > > >
    > > > AD sites and services is setup properly and replication is running
    > > > seamlessly. I do have DNS set to point to itself first on all my DCs, and
    > > > then I pick another DC in another site as second. When I meant
    > > > "secondary",
    > > > I meant just the secondary DNS server, not a zone. I only have the one
    > > > zone
    > > > with the one domain.
    > > >
    > > > I would never have deleted the Zone from DNS - My plan was to go into
    > > > Add/Remove programs and uncheck DNS from the DC and uninstall it. So, by
    > > > what you said, I should be able to safely uninstall DNS from Windows
    > > > Components on the domain controller without hosing my current Active
    > > > Directory/AD Integrated Zone and affecting my other DCs? If I can do
    > > > this,
    > > > it might be worth a shot to see if this would solve the problem.
    > > >
    > > > But, before I do that, since I now have a 2nd DC at this particular site,
    > > > I
    > > > will change my problem DC's 1st DNS server to the 2nd DC of that site
    > > > and
    > > > see if I can get it to start. Someone had also mentioned there are a few
    > > > Windows updates that are specifically security updates for DNS that can
    > > > affect services from starting (using UDP ports) and that you have to
    > > > reserve
    > > > a port, because there is a port that DNS or AD might be using that it
    > > > can't
    > > > because this port is in use. Problem is, I have no idea what ports to
    > > > attempt to reserve to see if that is truly the problem. DNS to my
    > > > knowledge
    > > > only uses TCP and UDP ports 53. I'm not sure about AD though, I haven't
    > > > checked it.
    > > >
    > > > Thanks, again!
    > > >
    > > > Sara

    > >
    > >
    > > Hi Sara,
    > >
    > > Honestly I haven't heard of these problems until now. But a real important
    > > point, is that you must keep the DNS service set to automatic at all times.
    > > Otherwise leaving it to manual will cause issues at startup because AD can't
    > > find itself if the first entry is pointed to itself unless the DNS service
    > > is running. Otherwise, how is it supposed to query a non-running DNS
    > > service?
    > >
    > > As for uninstalling, yes, just uncheck the box. But I would leave the
    > > service enabled and try it out.
    > >
    > > The security update reserves 2500 UDP ephemeral ports. The ephemeral ports
    > > are the response ports anywhere between UDP 1025 and UDP 2500. Sometimes
    > > this can cause problems with 3rd party apps installed that need these
    > > ports as well as the IPSec service. Otherwise, if you don't have anything
    > > else installed, it shouldn't be a problem. The following is more info on
    > > the security update and the ports being used. But I don't think this is
    > > the cause of the problem.
    > >
    > > ---------------------------------
    > > The DNS patch will reserve 2500 ephemeral UDP ports. When you run a
    > > netstat -ab, it will display the 2500 UDP ports that have been
    > > reserved, but not necessarily in use. This is part of the memory
    > > consumption. I've noticed the following (your mileage may vary):
    > >
    > > dns.exe      Before    After
    > > Mem usage    9758K     36,232K
    > > Peak Mem     10,208K   36,584K
    > > Paged Pool   71K       798K
    > > NP Pool      17K       4,833K
    > > Handles      238       5,217
    > > Threads      20        20
    > >
    > > MS08-037: Description of the security update for DNS in Windows Server 2003,
    > > in Windows XP, and in Windows 2000 Server (client side): July 8, 2008:
    > > http://support.microsoft.com/?id=951748
    > >
    > > MS08-037: Vulnerabilities in DNS could allow spoofing
    > > http://support.microsoft.com/default.aspx/kb/953230
    > >
    > > How to reserve a range of ephemeral ports on a computer that is running
    > > Windows Server 2003 or Windows 2000 Server
    > > http://support.microsoft.com/kb/812873
    > >
    > > You experience issues with UDP-dependent network services after you install
    > > DNS Server service security update 953230 (MS08-037)
    > > http://support.microsoft.com/default.aspx/kb/956188
    > >
    > > Some Services May Fail to Start or May Not Work Properly After Installing
    > > MS08-037 (951746 and 951748)
    > > http://blogs.technet.com/sbs/archive...nd-951748.aspx
    > >
    > > SBS Services failing after MS08-037 - KB951746 and 951748
    > > http://msmvps.com/blogs/thenakedmvp/...nd-951748.aspx
    > > --------------------------------------------
    > >
    > > Ace
    > >
    > >


  13. #13
    Meinolf Weber Guest

    Re: Can you remove DNS from Domain Controller and reinstall to rep

    Hello Saral6978,

    Nice to hear that you fixed it.

    Best regards

    Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    no rights.
    ** Please do NOT email, only reply to Newsgroups
    ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


    > Well, this is kind of interesting...here is what I did. I installed
    > all needed critical updates, including all the DNS security updates I
    > hadn't yet applied, and the ones I removed, added my other DC as the
    > Secondary DNS server on the NIC, changed the DNS Server service to
    > automatic and rebooted. My server rebooted very quickly and
    > successfully! I then removed that secondary DNS server and put in one
    > from my remote site, and then rebooted the server and it still worked!
    >
    > So, I'm thinking that by installing ALL the necessary windows updates
    > that it might have fixed my problem...I really don't know. I no
    > longer have the 4015 error, and no other errors pertaining to DNS or
    > active directory. Everything is running as it should.
    >
    > I don't know what to say about this...very strange.
    >
    > Thanks Ace and Meinolf for your responses to my questions! They were
    > much appreciated!
    >
    > Sara
    > "Saral6978" wrote:
    >> Ace -
    >>
    >> Yes, I realize that DNS should be set to automatic, believe me, I
    >> want to switch it back. Unfortunately, the server won't boot up if
    >> it is set to automatic. Currently, it is still set to manual, and if
    >> I happen to reboot the server, I then log in and start DNS Server
    >> right away manually. It's not that I have DNS stopped altogether or
    >> anything.
    >>
    >> <<The security update reserves 2500 UDP ephemeral ports. The
    >> ephemeral ports are the response ports anywhere between UDP 1025 and
    >> UDP 2500. Sometimes this can cause problems with 3rd apps installed
    >> that need these ports as well as the IPSec service.>>
    >>
    >> I don't have much running on this DC, but I do have 3rd party tools,
    >> like a SurfControl Agent, a SpecOpsPasswordPolicy agent running, both
    >> of which communicate with AD. I've looked at all the documentation that
    >> you noted below about the ports last week. Thursday night I did
    >> remove 3 updates that I suspected might be causing the issue and when
    >> I removed them my server booted normally with DNS Server on
    >> automatic. I then applied the 3 updates one at a time and after I
    >> installed KB945553 (which is a DNS security update), my server got
    >> stuck again on Preparing Network Connections. I then booted into
    >> Safe Mode, switched DNS back to manual, then booted back into the
    >> regular OS and uninstalled only that update and switched DNS back to
    >> Auto, but unfortunately, the server still got stuck on reboot. I
    >> removed those other 2 updates again, and it still wouldn't boot. So,
    >> I'm not sure why it booted okay the first time after I removed all 3
    >> updates (only difference was that I didn't remove them in the same
    >> order that I did the first time).
    >>
    >> Well, in any case, I'm going to do a reboot this morning to see what
    >> happens with using a different DNS server as the primary and of
    >> course, resetting my service back to Automatic before the reboot.
    >>
    >> Sara
    >>
    >> "Ace Fekay [MVP Directory Services]" wrote:
    >>
    >>> "Saral6978" <Saral6978@discussions.microsoft.com> wrote in message
    >>> news:72CEBDBC-AE50-4510-A5EA-7D6A0319F8F0@microsoft.com...
    >>>
    >>>> Ace - thank you so much for your reply, I really appreciate it.
    >>>>
    >>>> 3 of the DCs, which includes the one I'm having issues with, are
    >>>> running Windows 2003 R2, SP2, and the other 2 DCs are running
    >>>> Windows 2003, SP2.
    >>>>
    >>>> I am getting one error in the DNS Server log, but I have to confirm
    >>>> if it's being generated during the reboot when DNS is set to
    >>>> automatic, or if it's being logged because I have DNS Server set to
    >>>> manual. In any case, it's Event ID 4015: The DNS server has
    >>>> encountered a critical error from the Active Directory. Check that
    >>>> the Active Directory is functioning properly. The event data contains
    >>>> the error.
    >>>>
    >>>> I have been looking into this error and possible causes. My AD does
    >>>> seem to be functioning correctly though, as there are no other errors
    >>>> in my event log, and shortly after 4015 is logged, another event says
    >>>> DNS has started and there are no other errors. I'm not sure if that's
    >>>> when I manually turned it on or not. I will be doing a reboot Monday
    >>>> and keep better track of when these errors/alerts are happening.
    >>>>
    >>>> AD sites and services is setup properly and replication is running
    >>>> seamlessly. I do have DNS set to point to itself first on all my DCs,
    >>>> and then I pick another DC in another site as second. When I meant
    >>>> "secondary", I meant just the secondary DNS server, not a zone. I
    >>>> only have the one zone with the one domain.
    >>>>
    >>>> I would never have deleted the Zone from DNS - My plan was to go into
    >>>> Add/Remove programs and uncheck DNS from the DC and uninstall it. So,
    >>>> by what you said, I should be able to safely uninstall DNS from
    >>>> Windows Components on the domain controller without hosing my current
    >>>> Active Directory/AD Integrated Zone and affecting my other DCs? If I
    >>>> can do this, it might be worth a shot to see if this would solve the
    >>>> problem.
    >>>>
    >>>> But, before I do that, since I now have a 2nd DC at this particular
    >>>> site, I will change my problem DC's 1st DNS server to the 2nd DC of
    >>>> that site and see if I can get it to start. Someone had also mentioned
    >>>> there are a few Windows updates that are specifically security updates
    >>>> for DNS that can affect services from starting (using UDP ports) and
    >>>> that you have to reserve a port, because there is a port that DNS or
    >>>> AD might be using that it can't because this port is in use. Problem
    >>>> is, I have no idea what ports to attempt to reserve to see if that is
    >>>> truly the problem. DNS to my knowledge only uses TCP and UDP ports 53.
    >>>> I'm not sure about AD though, I haven't checked it.
    >>>>
    >>>> Thanks, again!
    >>>>
    >>>> Sara
    >>>>
    >>> Hi Sara,
    >>>
    >>> Honestly I haven't heard of these problems until now. But a real
    >>> important point, is that you must keep the DNS service set to
    >>> automatic at all times. Otherwise leaving it to manual will cause
    >>> issues at startup because AD can't find itself if the first entry is
    >>> pointed to itself unless the DNS service is running. Otherwise, how
    >>> is it supposed to query a non-running DNS service?
    >>>
    >>> As for uninstalling, yes, just uncheck the box. But I would leave
    >>> the service enabled and try it out.
    >>>
    >>> The security update reserves 2500 UDP ephemeral ports. The ephemeral
    >>> ports are the response ports anywhere between UDP 1025 and UDP 2500.
    >>> Sometimes this can cause problems with 3rd party apps installed that
    >>> need these ports as well as the IPSec service. Otherwise, if you don't
    >>> have anything else installed, it shouldn't be a problem. The
    >>> following is more info on the security update and the ports being
    >>> used. But I don't think this is the cause of the problem.
    >>>
    >>> ---------------------------------
    >>> The DNS patch will reserve 2500 ephemeral UDP ports. When you run a
    >>> netstat -ab, it will display the 2500 UDP ports that have been
    >>> reserved, but not necessarily in use. This is part of the memory
    >>> consumption. I've noticed the following (your mileage may vary):
    >>> dns.exe      Before    After
    >>> Mem usage    9758K     36,232K
    >>> Peak Mem     10,208K   36,584K
    >>> Paged Pool   71K       798K
    >>> NP Pool      17K       4,833K
    >>> Handles      238       5,217
    >>> Threads      20        20
    >>> MS08-037: Description of the security update for DNS in Windows
    >>> Server 2003, in Windows XP, and in Windows 2000 Server (client
    >>> side): July 8, 2008: http://support.microsoft.com/?id=951748
    >>>
    >>> MS08-037: Vulnerabilities in DNS could allow spoofing
    >>> http://support.microsoft.com/default.aspx/kb/953230
    >>>
    >>> How to reserve a range of ephemeral ports on a computer that is
    >>> running Windows Server 2003 or Windows 2000 Server
    >>> http://support.microsoft.com/kb/812873
    >>>
    >>> You experience issues with UDP-dependent network services after you
    >>> install DNS Server service security update 953230 (MS08-037)
    >>> http://support.microsoft.com/default.aspx/kb/956188
    >>>
    >>> Some Services May Fail to Start or May Not Work Properly After
    >>> Installing MS08-037 (951746 and 951748)
    >>> http://blogs.technet.com/sbs/archive...ervices-may-fail-to-start-or-may-not-work-properly-after-installing-ms08-037-951746-and-951748.aspx
    >>>
    >>> SBS Services failing after MS08-037 - KB951746 and 951748
    >>> http://msmvps.com/blogs/thenakedmvp/.../sbs-services-failing-after-ms08-037-kb951746-and-951748.aspx
    >>>
    >>> --------------------------------------------
    >>>
    >>> Ace
    >>>




  14. #14
    Ace Fekay [MVP Directory Services] Guest

    Re: Can you remove DNS from Domain Controller and reinstall to rep

    "Saral6978" <Saral6978@discussions.microsoft.com> wrote in message
    news:1316F612-CBA7-4165-AFDB-7C9B24FF54EE@microsoft.com...
    > Thank you Meinolf - I did look at this link last Friday. I did look at
    > the (.) root zone part, but to me, they are suggesting I change my zone
    > to type, and I'm not sure I am comfortable doing that when I'm not having
    > issues with my other DCs and their DNS server service, etc...


    There is no harm with this procedure. None whatsoever. Believe me, done it a
    thousand times, and I can say that because of numerous testing and as a
    trainer in a classroom scenario, as well as in production environments.

    Ace


  15. #15
    Ace Fekay [MVP Directory Services] Guest

    Re: Can you remove DNS from Domain Controller and reinstall to rep

    "Saral6978" <Saral6978@discussions.microsoft.com> wrote in message
    news:0AF107B4-B142-4A5F-9B61-BDC06E44BF4C@microsoft.com...
    > Well, this is kind of interesting...here is what I did. I installed all
    > needed critical updates, including all the DNS security updates I hadn't
    > yet applied, and the ones I removed, added my other DC as the Secondary
    > DNS server on the NIC, changed the DNS Server service to automatic and
    > rebooted. My server rebooted very quickly and successfully! I then removed
    > that secondary DNS server and put in one from my remote site, and then
    > rebooted the server and it still worked!
    >
    > So, I'm thinking that by installing ALL the necessary windows updates that
    > it might have fixed my problem...I really don't know. I no longer have the
    > 4015 error, and no other errors pertaining to DNS or active directory.
    > Everything is running as it should.
    >
    > I don't know what to say about this...very strange.
    >
    > Thanks Ace and Meinolf for your responses to my questions! They were much
    > appreciated!
    >
    > Sara


    Same here, nice to hear it's taken care of. For the security updates to
    cause this would indicate one of those apps is trying to use a UDP
    ephemeral port in the reserved range and is causing a conflict. I'm willing
    to bet that if those apps were moved off the DC (usually we recommend no
    apps on a DC and let a DC be a DC), that it will work. There are known
    issues with 3rd party apps that do not recognize the port reservation and
    still pick a random port in that range, causing a conflict.

    For the time being if you want to leave the 3rd party apps on it, that is
    fine. If you ever do move them off, be sure to install those updates.

    Ace

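Ace's explanation (in post #12 and again just above) of the MS08-037 update reserving UDP 1025-2500 and third-party agents colliding with that block suggests a simple audit of a saved `netstat -ab` listing. This is an added example and not code from the thread or from Microsoft: it counts the reserved UDP ports dns.exe holds, flags any other process bound inside that range, and confirms dns.exe is bound to port 53; the sample listing, the range constant and the process name `thirdparty.exe` are constructed for illustration.

```python
import re
from collections import defaultdict

# Range the thread says the MS08-037 DNS update reserves (assumption taken
# from Ace's post; adjust if your own netstat shows a different block).
RESERVED = range(1025, 2501)
DNS_PROCESS = "dns.exe"

SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+")
OWNER_RE = re.compile(r"^\s*\[(.+?)\]\s*$")

def parse_netstat(text):
    """Return (proto, port, process) tuples from `netstat -ab`-style text,
    where the owning executable follows each socket line in brackets."""
    sockets, pending = [], None
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            pending = (m.group(1), int(m.group(3)))
            continue
        m = OWNER_RE.match(line)
        if m and pending:
            sockets.append((pending[0], pending[1], m.group(1)))
            pending = None
    return sockets

def audit(sockets):
    """Count dns.exe's reserved UDP ports, flag other processes bound inside
    the reserved range, and confirm dns.exe is actually bound to port 53."""
    per_proc = defaultdict(set)
    for proto, port, proc in sockets:
        if proto == "UDP" and port in RESERVED:
            per_proc[proc].add(port)
    return {
        "dns_reserved_count": len(per_proc.get(DNS_PROCESS, ())),
        "conflicts": {p: sorted(v) for p, v in per_proc.items()
                      if p != DNS_PROCESS},
        "dns_listening": any(port == 53 and proc == DNS_PROCESS
                             for _, port, proc in sockets),
    }
# Constructed listing in netstat -ab layout (not real output): thirdparty.exe
# on UDP 1400 is the conflict Ace describes; UDP 3000 is outside the block.
SAMPLE = """\
  UDP    0.0.0.0:53             *:*
  [dns.exe]
  UDP    0.0.0.0:1025           *:*
  [dns.exe]
  UDP    0.0.0.0:1026           *:*
  [dns.exe]
  UDP    0.0.0.0:1400           *:*
  [thirdparty.exe]
  UDP    0.0.0.0:3000           *:*
  [thirdparty.exe]
"""
```

Run `audit(parse_netstat(open("netstat.txt").read()))` against a listing captured on the DC; a non-empty `conflicts` entry names the process to move off the DC or repoint to a port outside the reserved block.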
