Windows 2003 Server AD question
 

Hi!

I am onsite today and am starting to install a new Windows 2003 server and some workstations. The server is setup, but when I went to setup Active Directory, I had forgot to setup DNS first. The AD setup prompted me to install DNS, which I did, but now when the server starts, I get these event codes:

4015: The DNS server has encountered a critical error from the Active Directory. Check that the AD is functioning properly.....

and

4004: The DNS server was unable to complete directory service enumeration of zone ..

I have looked it up online, but have not found a clear answer. Any ideas? The server has been running for about 45 minutes and those errors only happened on reboot (each time). After the computer has booted, there are no more errors.

A piece of info I found, said that if the DNS server starts before AD, these errors show up.

Did I miss a step? Any help would be great.

Dave

I think the easiest fix if you haven't done a ton of work putting users and such in would be to demote and repromote it and see what happens.

Go to a command prompt and run DCPromo and kill off the domain and then again to rebuild it.

If DNS isn't functioning properly when the domain is built, it can be fixed, but it's very rarely worth the time unless you have something you're trying to rescue.

I actually had to do that anyway. I used the wrong domain name. We'll see if it happens again.

Thanks,

Dave

Actually, I know how to fix this without demoting the server. (5 years working for Microsoft in the Active Directory Support group).

Check your DNS settings on the server. It needs to register in DNS when it starts AD. It sounds like you have it pointed at a different DNS server that doesn't allow dynamic updates.

Point it to itself for DNS.

slodave
I have seen this on some AD environments that I have worked on.
Do you have only 1 DC in this domain? If you have 2 than you can point DC1 primary DNS settings to DC2 and vise versa.
Have you run netdiag to see if you get a failure?

Of course it sounds like you may have found your problem.

Clay Perrine
5 years of MS AD support- do you have any hair left? :)
If you point it to itself I think you may get the same errors in the log, since when the DC is booting up AD may not be fully initialized (depending on what else is starting up on the DC).

Just a thought.

Rob

You're running DHCP, also, right? I got this exact same error on a 2003 Server I manage. How I fixed it was to configure DNS Dynamic update credentials.

I remember doing it from the command line, but I can't seem to find or remember the commands, so instead, I'm going to point you to the TechNet article I found about it.

TechNet: DNs Dynamic update credentials

Let us know if that works for you.

I forgot to check the logs before I left this evening, but after demoting and recreating the AD (I used the wrong domain), the error on startup - at least one service failed.... did not show up. I'll check the logs in the morning.

Thanks for the advice and help!

Dave

The same three errors were there today. After the server boots and logs those three, they do not appear again. I wonder if it has to do with the services loading out of order. I am still in the setup stage of the workstations, so I am not worrying about it too much and the wkstations are not having any problems with DHCP, DNS or authenticating against the server.

The server is managing DNS, DHCP and AD. DNS is pointing to itself.

Dave

All evil in the world of AD comes back to DNS.

Is the DNS suffix on the DC correct?

Are the SRV record being created correctly? You should have a delegation record in the zone file, and a seperate .msdcs zone with your SRV records for the domain. If the SRV records are not being created properly, the DC does know its a DC! All boxes, DCs included, rely on the SRV records to confirm which machines are DCs.