#16
Re: EventID 4521 warning after SP2 upgrade

ken wrote:
> The error wasn't shown after I run the command
>
> But when I reboot the server, the error still appears again
>
> Does anyone meet it like me ??

The same is with me :-(

--
rpr. /Robert Premuz/

#17
Re: EventID 4521 warning after SP2 upgrade

Hi,

After reboot I have the warning again.

> ken wrote:
>> The error wasn't shown after I run the command
>>
>> But when I reboot the server, the error still appears again
>>
>> Does anyone meet it like me ??
>
> The same is with me :-(
>
> --
> rpr. /Robert Premuz/

#18
Re: EventID 4521 warning after SP2 upgrade

For me the dnscmd /config . /bootmethod makes the problem go away. If I restart DNS, still no problem, but if I restart the server the problem happens again. This only happens on domain controllers for my domain at the top of my forest. All of my domain controllers in its subdomains work fine. The other strange thing with the domain controllers at the top of the forest is that I can't set any zone replication to "All DNS servers" in the domain, however I can set the replication to "All DNS servers" in the forest, or "All domain controllers" in the domain. However with my subdomains setting to "All DNS servers" in the domain works just fine. I don't know very much about DNS on Win 2K3, could I have an issue with DomainDnsZones? My ForestDnsZones has info for all my domain controllers, but my DomainDnsZones only has info for one domain controller (there are four domain controllers in its domain). Is this normal? My forest and all domains are at 2003 functional level, and domain controllers are a mix of 2003 and 2003 R2.

The switch from 2000 functional level to 2003 functional level was fairly recent, and I had the 9002 error on one of my servers quite a while before this. All the other servers worked fine until recently.

Does any of this sound familiar to anybody? Any insights would be greatly appreciated.

Thanks,
Chris

#19
Re: EventID 4521 warning after SP2 upgrade

I think my 4521/9002 error for the "," zone may be caused by my DomainDnsZones partition being messed up. Since the only zone that should currently be stored in it is for the root hints ".", I decided to try to delete it with:

    dnscmd server /deletedirectorypartition DomainDnsZones.domain.com

This failed from and to all servers :(

The error I received was:

    Delete directory partition failed: DomainDnsZones.domain.com
    status = 9005 (0x0000232d)

    Command failed: RCODE_REFUSED 9005 (0000232d)

So I tried to recreate it without deleting it:

    dnscmd <server> /createbuiltindirectorypartitions /domain

This also failed:

    Create built-in directory partitions failed
    status = 9902 (0x000026ae)

    Command failed: DNS_ERROR_DP_ALREADY_EXISTS 9902 (000026ae)

As expected the partition shows up in the partition list:

    dnscmd /enumdirectorypartitions

    Enumerated directory partition list:

    Directory partition count = 5

    DomainDnsZones.domain.com         Enlisted Auto Domain
    DomainDnsZones.sub1.domain.com    Not-Enlisted
    DomainDnsZones.sub2.domain.com    Not-Enlisted
    DomainDnsZones.sub3.domain.com    Not-Enlisted
    ForestDnsZones.domain.com         Enlisted Auto Forest

So I tried out ntdsutil:

    C:>ntdsutil
    ntdsutil: domain management
    domain management: connection
    server connections: connect to server server1.domain.com
    Binding to server1.domain.com ...
    Connected to server1.domain.com using credentials of locally logged on user.
    server connections: quit
    domain management: list nc replicas dc=domaindnszones,dc=domain,dc=com
    The application directory partition dc=domaindnszones,dc=domain,dc=com's Replicas are:
    CN=NTDS Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com *
    CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com *
    CN=NTDS Settings,CN=server3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com *
    CN=NTDS Settings,CN=server4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com *
    NOTE: Couldn't verify the instantiated/uninstantiated state of these replicas.
    domain management:

I assume that ntds couldn't verify the state because it is denied access due to an issue with the directory partition (I don't get this note with my other domains or with the ForestDnsZones).

I next tried adsiedit, but when I tried to connect to DC=DomainDnsZones,DC=domain,DC=COM on any of the servers I received the error:

    "A referral was returned from the server"

Adsiedit lets me connect to the ForestDnsZones partition and the DomainDnsZones partitions on my subdomains, just not this one at the top of the structure.

I don't know very much about how any of this works. Would it be safe to do a "DELETE NC" from ntdsutil? Would this even work (since dnscmd couldn't delete it)? I think that the root hints are the only thing that should be in it, so I assume that it should be safe to try. All of the other DNS zones in the AD appear to be replicated either to "All domain controllers in the domain" or "all DNS servers in the forest". Are there any other tools out there that could help? As always, any suggestions as to how I should proceed would be greatly appreciated.

Thanks,
Chris

#20
Re: EventID 4521 warning after SP2 upgrade

It works!!!

I have a solution to my "." zone loading issue.

I first verified that none of my DNS zones were being stored in the DomainDnsZones partition (other than "." trying to go there). I did this with "dnscmd /enumzones" for each server. I used the "ntdsutil" "list NC replicas" command to find out where the partition was replicating to. I then removed all the replicas of the DomainDnsZones partition from each of the servers that it was replicating to and waited for domain replication to get things in sync.

I next ran "delete NC dc=domainsdnszone,dc=domain,dc=com" and got back the following message:

    The operation was successful. The partition has been marked for removal from the enterprise. It will be removed over time in the background.
    Note: Please do not create another partition with the same name until the servers which hold this partition have had an opportunity to remove it. This will occur when knowledge of the deletion of this partition has replicated throughout the forest, and the servers which held the partition have removed all the objects within that partition. Complete removal of the partition can be verified by consulting the Directory event log on each server.

After waiting a bit, and verifying that the DomainDnsZones partition was gone from all the servers, I ran "dnscmd /CreateBuiltinDirectoryPartitions /Domain", and I had success. I could see the DomainDnsZones zone getting populated with information, and I could now view the DomainDnsZones partition with adsiedit.

After this was replicated to all the servers, I ran "dnscmd /Config . /BootMethod 3", and now had a functioning DomainDnsZones stored "." root hint zone. I verified the entries with adsiedit, and all looks good.

Hope this can help some others out there with this issue.

- Chris

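The "verify the partition is gone from all the servers" step that Chris describes before re-running "dnscmd /CreateBuiltinDirectoryPartitions /Domain", as an added example that is not part of the original posts: it parses captured "dnscmd /enumdirectorypartitions" output in the layout quoted in post #19 and reports which servers still list the partition. The server names, the sample captures and the use of this listing as the "gone" test are assumptions; the ntdsutil message itself points to the Directory event log for confirmation.

```python
import re

# One partition row of `dnscmd /enumdirectorypartitions`, in the layout quoted in
# the thread: "<partition fqdn>  Enlisted Auto Domain" or "<fqdn>  Not-Enlisted".
ROW = re.compile(
    r"^\s*(?P<fqdn>[A-Za-z0-9][\w.-]*\.[\w.-]+)\s+"
    r"(?P<state>Not-Enlisted|Enlisted)\b(?P<flags>.*)$"
)

def parse_partitions(output):
    """Map lower-cased partition FQDN -> (state, [flags]) for one server's output."""
    partitions = {}
    for line in output.splitlines():
        match = ROW.match(line)
        if match:
            fqdn = match.group("fqdn").lower()
            partitions[fqdn] = (match.group("state"), match.group("flags").split())
    return partitions

def servers_still_listing(captures, partition):
    """captures: {server: output text}. Servers whose listing still has the partition."""
    wanted = partition.lower()
    return sorted(s for s, text in captures.items() if wanted in parse_partitions(text))

def safe_to_recreate(captures, partition):
    """True only when at least one server was queried and none lists the partition."""
    return bool(captures) and not servers_still_listing(captures, partition)

# Constructed sample captures (hypothetical servers server1/server2), modelled on
# the listing in the thread. STALE is a server that has not yet dropped the
# partition; GONE is the same listing once the deletion has been processed.
STALE = """Enumerated directory partition list:

        Directory partition count = 5

 DomainDnsZones.domain.com         Enlisted Auto Domain
 DomainDnsZones.sub1.domain.com    Not-Enlisted
 DomainDnsZones.sub2.domain.com    Not-Enlisted
 DomainDnsZones.sub3.domain.com    Not-Enlisted
 ForestDnsZones.domain.com         Enlisted Auto Forest
"""
GONE = "\n".join(
    line for line in STALE.splitlines() if "DomainDnsZones.domain.com" not in line
).replace("count = 5", "count = 4")
CAPTURES = {"server1": GONE, "server2": STALE}

if __name__ == "__main__":
    target = "DomainDnsZones.domain.com"
    print("still listed on:", servers_still_listing(CAPTURES, target))
    print("safe to recreate:", safe_to_recreate(CAPTURES, target))
```
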
#21
Re: EventID 4521 warning after SP2 upgrade

Yes, your solution works, but it's rather complicated and you misspelled one of the commands:

    "delete NC dc=domainsdnszone,dc=domain,dc=com"

should be:

    "delete NC dc=domaindnszones,dc=domain,dc=com"

In my case I preferred the advice given by Mike Lou to reinstall dynamic DNS AD-integrated zones by following the procedure given at http://support.microsoft.com/kb/294328 as I had only a few static host records in my DNS servers.

--
rpr. /Robert Premuz/

#22
Re: EventID 4521 warning after SP2 upgrade

Hi,

Apologies for dredging up an old thread but this was one of the top hits on Google for my problem.

I noticed that running "dnscmd /zoneinfo ." on both of my DCs gave different output, the working one said it was loading from cache.dns and that was it. The non-working one had extra output down the bottom indicating it was trying to load from AD.

Running "dnscmd /config . /bootmethod" worked until dns/netlogon was restarted - its output would match the working DC's until the restart and then it would try and reload from AD again. This matches several people's symptoms in the thread.

I solved the issue by the following method:

1) go into DNS MMC snap-in
2) right click server, properties
3) click the Advanced tab
4) change "Load zone data on startup" to be "from registry" (previously from registry and active directory).

After this I can restart the DNS service and it does not come up with the eventlog error any more.

Cheers,
Geoff