Event ID 4007 error

Tony Benham · 21-03-2007

I've just moved our small domain from NT to Server 2003 via an intermediate
PC on which I installed NT Server, upgraded to PDC, then to 2003 Server,
then to DC. I then added a new 2003 machine as DC to the domain, and then
removed DC role for the intermediate machine, and removed the old NT machine
and the intermediate machine from our network. I think I screwed up the DNS
slightly.
On start up of the new 2003 DC, I'm getting an Event ID 4007 with error
message
"The DNS server was unable to open zone _msdcs.somename.mydomain.com in the
Active Directory from the application directory partition
ForestDnsZones.somename.mydomain.com. This DNS server is configured to
obtain and use information from the directory for this zone and is unable to
load the zone without it. Check that the Active Directory is functioning
properly and reload the zone. The event data is the error code."

I ran dcdiag to try to find out more

TEST: Delegations (Del)
Warning: DNS server: oldname.somename.mydomain.com. IP:
<Unavailable> Failure:Missing glue A record

Now oldname was the intermediate machine, which is no longer there. I looked
in the dns management tool but could not find this server
oldname.somename.mydomain.com mentioned anywhere. How can I fix this ?
Regards
Tony

Kevin D. Goodknecht Sr. [MVP] · 22-03-2007

Read inline please.

In news:[email protected],
Tony Benham <[email protected]> typed:
> I've just moved our small domain from NT to Server 2003 via an
> intermediate PC on which I installed NT Server, upgraded to PDC, then
> to 2003 Server, then to DC. I then added a new 2003 machine as DC to
> the domain, and then removed DC role for the intermediate machine,
> and removed the old NT machine and the intermediate machine from our
> network. I think I screwed up the DNS slightly.
> On start up of the new 2003 DC, I'm getting an Event ID 4007 with
> error message
> "The DNS server was unable to open zone _msdcs.somename.mydomain.com
> in the Active Directory from the application directory partition
> ForestDnsZones.somename.mydomain.com. This DNS server is configured to
> obtain and use information from the directory for this zone and is
> unable to load the zone without it. Check that the Active Directory
> is functioning properly and reload the zone. The event data is the
> error code."

Do you get this error only when the server starts?
Do you have only one DC/DNS?

> I ran dcdiag to try to find out more
>
> TEST: Delegations (Del)
> Warning: DNS server: oldname.somename.mydomain.com.
> IP: <Unavailable> Failure:Missing glue A record
>
> Now oldname was the intermediate machine, which is no longer there. I
> looked in the dns management tool but could not find this server
> oldname.somename.mydomain.com mentioned anywhere. How can I fix this ?

Can you post an (unedited) ipconfig /all, the AD Domain name from AD Users &
Computers, and a list of all zones in DNS? (Need all three)

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
Send IM: http://www.icq.com/people/webmsg.php?to=296095728
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

Tony Benham · 22-03-2007

Hi Kevin,
Replies inline below.
> In news:[email protected],
> Tony Benham <[email protected]> typed:
>> I've just moved our small domain from NT to Server 2003 via an
>> intermediate PC on which I installed NT Server, upgraded to PDC, then
>> to 2003 Server, then to DC. I then added a new 2003 machine as DC to
>> the domain, and then removed DC role for the intermediate machine,
>> and removed the old NT machine and the intermediate machine from our
>> network. I think I screwed up the DNS slightly.
>> On start up of the new 2003 DC, I'm getting an Event ID 4007 with
>> error message
>> "The DNS server was unable to open zone _msdcs.somename.mydomain.com
>> in the Active Directory from the application directory partition
>> ForestDnsZones.somename.mydomain.com. This DNS server is configured to
>> obtain and use information from the directory for this zone and is
>> unable to load the zone without it. Check that the Active Directory
>> is functioning properly and reload the zone. The event data is the
>> error code."
>
>
> Do you get this error only when the server starts?
> Do you have only one DC/DNS?

Yes only on startup.
Yes only one DC/DNS (same machine)

> Can you post an (unedited) ipconfig /all, the AD Domain name from AD Users
> &
> Computers, and a list of all zones in DNS? (Need all three)
C:\Documents and Settings\admin>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : ORAC
Primary Dns Suffix . . . . . . . : imageproc.imageproc.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : imageproc.imageproc.com
imageproc.com
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : 00-13-72-34-BF-A4
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.92.109.6
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.92.109.4
DNS Servers . . . . . . . . . . . : 127.0.0.1

AD Users and Computers lists imageproc.imageproc.com and Saved Queries
and shows [ORAC.imageproc.com.imageproc.com] in the title bar for the rh
window.
DNSmanagment for ORAC shows 6 items
Cached Lookups,Forward Lookup Zones, Reverse Lookup Zones,Event Viewer, Root
Hints and
Forwarders.
Under forward lookup zones we have
_msdcs.imageproc.imageproc.com
imageproc.imageproc.com

Regards
Tony

Kevin D. Goodknecht Sr. [MVP] · 22-03-2007

Read inline please.
In news:[email protected],
Tony Benham <[email protected]> typed:
> "The DNS server was unable to open zone _msdcs.somename.mydomain.com
> in the Active Directory from the application directory partition
> ForestDnsZones.somename.mydomain.com.

> Yes only on startup.
> Yes only one DC/DNS (same machine)

4007 and other 40xx events are pretty common in Single DC/DNS environments
because DNS cannot load the zone out of Active Directory, until AD has
started. AD cannot start until DNS has started so it puts you in catch22.
If the events only happen on startup, you can safely ignore them. If you add
a second DC and point each DC to the other for the Preferred DNS, you won't
see these errors. You can also make the AD zones standard primaries, but it
is not recommended because there is no security on Standard primary zones.
Your ipconfig looks properly configured, although, I recommend replacing the
127.0.0.1 Loopback address with the DC's own private IP address.

On a side note- Your AD domain appears to a sub domain of your public domain
name, if you don't have a local zone for imageproc.com you should remove
that zone from your DNS suffix search list. With this name in the list your
public domain suffix is appended to all DNS names that are not followed with
a trailing ".". Because of this (If you use nslookup -d2 you will see this),
www.yahoo.com (Example) gets appended with the suffixes from this list, and
becomes www.yahoo.com.imageproc.com which is forwarded to the external DNS.
Many public DNS providers add a Wildcard "*" record to the zones they host,
www.yahoo.com.imageproc.com will resolve to this Wildcard record's IP.

>> Can you post an (unedited) ipconfig /all, the AD Domain name from AD
>> Users &
>> Computers, and a list of all zones in DNS? (Need all three)
> C:\Documents and Settings\admin>ipconfig /all
> Windows IP Configuration
> Host Name . . . . . . . . . . . . : ORAC
> Primary Dns Suffix . . . . . . . : imageproc.imageproc.com
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : imageproc.imageproc.com
> imageproc.com
> Ethernet adapter Local Area Connection:
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit
> Ethernet Physical Address. . . . . . . . . : 00-13-72-34-BF-A4
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 192.92.109.6
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.92.109.4
> DNS Servers . . . . . . . . . . . : 127.0.0.1

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
Send IM: http://www.icq.com/people/webmsg.php?to=296095728
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

Tony Benham · 22-03-2007

Hi Kevin,
Question below.

> On a side note- Your AD domain appears to a sub domain of your public
> domain
> name, if you don't have a local zone for imageproc.com you should remove
> that zone from your DNS suffix search list. With this name in the list
> your
> public domain suffix is appended to all DNS names that are not followed
> with
> a trailing ".". Because of this (If you use nslookup -d2 you will see
> this),
> www.yahoo.com (Example) gets appended with the suffixes from this list,
> and
> becomes www.yahoo.com.imageproc.com which is forwarded to the external
> DNS.
> Many public DNS providers add a Wildcard "*" record to the zones they
> host,
> www.yahoo.com.imageproc.com will resolve to this Wildcard record's IP.

I can't find out where the DNS Suffix search list is specified. Is it in the
DNS server settings somewhere ?
Or in the dns settings for the server network connection itself ?
Thanks for your help
Tony

Tony Benham · 22-03-2007

Hi Kevin,
See below.

"Tony Benham" <[email protected]> wrote in message
news:[email protected]...
> Hi Kevin,
> Question below.
>
>> On a side note- Your AD domain appears to a sub domain of your public
>> domain
>> name, if you don't have a local zone for imageproc.com you should remove
>> that zone from your DNS suffix search list. With this name in the list
>> your
>> public domain suffix is appended to all DNS names that are not followed
>> with
>> a trailing ".". Because of this (If you use nslookup -d2 you will see
>> this),
>> www.yahoo.com (Example) gets appended with the suffixes from this list,
>> and
>> becomes www.yahoo.com.imageproc.com which is forwarded to the external
>> DNS.
>> Many public DNS providers add a Wildcard "*" record to the zones they
>> host,
>> www.yahoo.com.imageproc.com will resolve to this Wildcard record's IP.
>
> I can't find out where the DNS Suffix search list is specified. Is it in
> the DNS server settings somewhere ?
> Or in the dns settings for the server network connection itself ?

I think I found this is on the append parent suffix in the dns tab of tcpip
properties. If I untick this,
I get www.yahoo.com.imageproc.imageproc.com , but not
www.yahoo.com.imageproc.com Ideally I would hve thought that on the machine
that is the domain dns server, any unresolved names such as www.yahoo.com
should not have any suffix applied ? But the dns tab of tcpip properties
will not allow you to untick both suffix items in the dns tab, by ticking
append these dns suffixes ? What is the correct settings on the DC/DNS
server for dns tcp/ip properties ?
Thanks
Tony

Kevin D. Goodknecht Sr. [MVP] · 23-03-2007

Read inline please.

In news:[email protected],
Tony Benham <[email protected]> typed:
> Hi Kevin,
> See below.
>>
>> I can't find out where the DNS Suffix search list is specified. Is
>> it in the DNS server settings somewhere ?
>> Or in the dns settings for the server network connection itself ?
>
> I think I found this is on the append parent suffix in the dns tab of
> tcpip properties. If I untick this,
> I get www.yahoo.com.imageproc.imageproc.com , but not
> www.yahoo.com.imageproc.com Ideally I would hve thought that on the
> machine that is the domain dns server, any unresolved names such as
> www.yahoo.com should not have any suffix applied ?

The DNS suffix is applied to all names not ended with a trailing "."

What is the correct settings on the DC/DNS server for dns tcp/ip properties
?

The correct setting would be to have only suffixes in the list needed for
NetBIOS type host names in the local domain, so if your local domain is
imageproc.imageproc.com, use that name in the suffix search list.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
Send IM: http://www.icq.com/people/webmsg.php?to=296095728
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================