How can I resolve DNS Event ID: 4000 and 4007 in AD 2008 R2

    Question

  • Hi there,

    I am glad to post my first topic here. I have been facing a very deep and serious problem all day. Actually, my DNS-integrated DC server is down with event IDs 4000 and 4007. For your information, my DC was the only server in our site, and as the connection of our site to the other sites and DCs has been disconnected because of VPN matters, our server didn't have any replication with the rest of the DCs; in addition, we have done lots of changes in our OU.

    I suppose this problem occurred when our VPN tunnel linked up with packet loss this morning. All in all, if I go through a new DC installation, I'll lose all my changes made during the disconnection.

    In this case I followed many solutions, but it does not work. The problem is that my DNS server is down, and as I didn't have any backup, my network is a complete mess.

    Any help would be appreciated.

    Best Regards,

    Pooyan

    Friday, July 12, 2013 3:12 AM

Answers

  • Dear Paul,

    It could not have happened by individual mistake. Anyway, let me describe our situation in more detail.

    1. Actually, we are using AD 2003 mixed mode.
    2. The PDC and Exchange server are located in the headquarters.
    3. In our forest we have a single domain.
    4. We use an OU for each organization and branch.
    5. Our branches and sites are connected to the others by VPN tunnel.
    6. For some reasons, the VPN connection between HQ and the branches has been down for 3 months.
    7. During the VPN issue, in all sites and branches new users were created in their DC for Windows authentication.
    8. The same users were created in the same OU on the PDC at headquarters for Exchange and mailbox configuration.
    9. In each site many local changes were applied on their DC.

    I suppose this problem could be because of a succession of replications yesterday, just as an idea. Today I tried to connect the VPN link again, and when I checked our DC log I saw high numbers of 1202 ADWS event errors.

    Since this DC is beyond the TSL, you have to demote this DC; there are no options.


    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    • Marked as answer by Pooyan5 Tuesday, July 16, 2013 9:35 PM
    Monday, July 15, 2013 12:06 PM
    Moderator

All replies

  • You really don't need backups of Domain Controllers if you have more than one.

    I would suggest getting the VPN working, and then you can reset the secure channel on this server - See http://support.microsoft.com/kb/2751452/en-us

    Even if you get this server up, you need a connection to the other domain controllers sooner or later.


    Regards, Vik Singh "If this thread answered your question, please click on "Mark as Answer"

    Friday, July 12, 2013 6:26 AM
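    As an added example (not from the thread and not the KB's own text): a check a practitioner would run on the branch DC before deciding it is unrecoverable. It first verifies that the VPN actually carries the ports a DC needs to reach its partner, then tests the machine account's secure channel and, if broken, resets it with netdom resetpwd, which is the repair the KB above describes as I read it. The remote DC name HQDC01.corp.example and the CORP domain are placeholders. Everything used here exists on a 2008 R2 DC with PowerShell 2.0 (netdom ships with the AD DS role).

    ```powershell
    # Added example, not from the original thread. Placeholders: HQDC01.corp.example, CORP\Administrator.
    $RemoteDC = 'HQDC01.corp.example'   # a healthy DC at HQ, reachable over the VPN

    # Plain TCP connect test (Test-NetConnection does not exist on 2008 R2).
    function Test-Port($Computer, $Port) {
        $client = New-Object System.Net.Sockets.TcpClient
        try     { $client.Connect($Computer, $Port); $true }
        catch   { $false }
        finally { $client.Close() }
    }

    # 1. DNS, Kerberos, RPC endpoint mapper, LDAP, SMB: all must pass before replication
    #    or a secure-channel reset has any chance. A VPN that only forwards a few ports
    #    shows up here as BLOCKED, not as a mysterious DNS 4000/4007.
    foreach ($p in 53, 88, 135, 389, 445) {
        '{0,5}  {1}' -f $p, $(if (Test-Port $RemoteDC $p) { 'open' } else { 'BLOCKED' })
    }

    # 2. Secure channel of this DC's own computer account against the remote DC.
    if (Test-ComputerSecureChannel -Server $RemoteDC) {
        'Secure channel OK - the 4000/4007 events have another cause (check the TSL next).'
    } else {
        # Resets this machine's account password against $RemoteDC; prompts for the
        # admin password. Reboot afterwards so KDC, Netlogon and DNS pick up the new key.
        netdom resetpwd /server:$RemoteDC /userd:CORP\Administrator /passwordd:*
    }

    # 3. Latest DNS 4000/4007 events, trimmed, to confirm whether they stop after the reset.
    Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; ID = 4000, 4007 } -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ').Trim() } }
    ```

    If step 1 shows blocked ports, fix the tunnel first; resetting the secure channel while RPC (135 plus the dynamic range) is filtered only produces a second, different failure. If the channel reset succeeds but replication still refuses with a tombstone-lifetime error, the DC is past the TSL and the demote/forceremoval path in the later replies applies.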
  • You really don't need backups of Domain Controllers if you have more than 1.

    ...

    Hello Vik Singh,

    who told you this? Sorry for the wording, but that is a crappy answer. A domain without a backup is a big problem. There may always be a situation where a backup is required to restore either a single object or even the complete forest, in case of complete datacenter loss, or a virus harming your domain, etc. etc.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Friday, July 12, 2013 8:39 AM
  • Hello,

    if that DC is down and you don't have any kind of backup that includes the changes you have done, you are lost. And does "down" in your case mean broken hardware that can't be repaired? Are at least the disks healthy, and do you have a spare machine to build them into?

    But as it is your site and not the complete domain, you can at least get the status from the other DCs so you have a starting point.

    What I am confused about is your replication setup to the other DCs; even in your own site there is replication of your changes to the other DCs, so they should also have your configuration up to the day when the VPN broke down. The default for inter-site replication is 180 minutes, so after 3 hours at the latest your changes were replicated to the other DCs before the VPN broke down.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.


    Friday, July 12, 2013 8:45 AM
  • Agreed Meinolf, and I meant it in another way: to redirect the thinking and take an approach to resolving the problem.

    I should have mentioned or stated it this way - For this current problem, backups are not necessarily going to resolve this specific issue.


    Regards, Vik Singh "If this thread answered your question, please click on "Mark as Answer"


    • Edited by Vik Singh Friday, July 12, 2013 9:13 AM Typo
    Friday, July 12, 2013 9:11 AM
  • I don't understand what your topology is. A DC can be disconnected for up to the length of the tombstone lifetime (the majority is 180 days). Once the DC has been reconnected with the domain, the changes that have occurred between the DCs within the domain will replicate with one another and everything will be back in sync.

    So I am not sure what your question is. You speak about DNS being down, but I don't understand why, or whether this is integrated DNS. Could you please just explain in great detail what your problem is and what the exact topology of the site and the rest of your domain is.

    Don't worry if you made mistakes, we all do. Let's just work together to help get your problem resolved.


    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, July 12, 2013 11:57 AM
    Moderator
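    The reply above turns on one number: whether the DC has been out of contact for longer than the tombstone lifetime. As an added example (not from the thread), this reads the forest's actual TSL and the DC's last successful inbound replication, so the answer comes from data instead of a guess. It runs on the affected DC itself with PowerShell 2.0 and needs no ActiveDirectory module; if the DC will not start at all, run the repadmin part from a healthy DC and name the dead one as the target. The comments and threshold handling are mine.

    ```powershell
    # Added example, not from the original thread.
    # 1. Forest tombstone lifetime from the Directory Service object in the Configuration NC.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $cfgNc   = $rootDse.Properties['configurationNamingContext'].Value
    $dsSvc   = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc"
    $tsl     = $dsSvc.Properties['tombstoneLifetime'].Value
    # Attribute unset means the forest was built before 2003 SP1: default is 60 days.
    if (-not $tsl) { $tsl = 60 } else { $tsl = [int]$tsl }
    "Tombstone lifetime: $tsl days"

    # 2. Newest 'Last Success Time' across all inbound partners/partitions.
    #    repadmin /csv writes one row per partner/partition; a row with no time or '0'
    #    means that link never replicated.
    $times = repadmin /showrepl /csv | ConvertFrom-Csv | ForEach-Object {
        $t = $_.'Last Success Time'
        if ($t -and $t -ne '0') { [datetime]$t }
    }

    if (-not $times) {
        'No successful inbound replication recorded at all; treat as past the TSL.'
    } else {
        $last    = ($times | Sort-Object -Descending)[0]
        $ageDays = ((Get-Date) - $last).Days
        'Last successful replication: {0} ({1} days ago)' -f $last, $ageDays
        if ($ageDays -gt $tsl) {
            'Past the tombstone lifetime: replication will be refused (event 2042); demote, forceremoval if needed, metadata cleanup.'
        } else {
            'Within the tombstone lifetime: restore connectivity and let replication catch up.'
        }
    }

    # 3. Once the VPN is back, the domain-wide view from any DC.
    repadmin /replsummary
    dcdiag /test:replications /test:dns /q
    ```

    The reason the age matters: a DC that has missed the TSL has no knowledge of objects deleted elsewhere in that window, so its partners refuse to replicate with it rather than risk resurrecting lingering objects; the result is exactly the "cannot open Active Directory" symptoms the original post reports.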
  • This man has two issues: one, the DC with DNS is inoperative, and two, his VPN tunnel is down.

    Ask this question: the DC that is inoperational, is it the FSMO holder? If it is, then he will have to rebuild a DC and seize the roles using a backup of the schema from a remote DC. If it is not, then he should not create a new DC until the VPN connection is re-established. To rebuild a DC at this point will effectively create a completely new domain.

    First order of business is to re-establish the VPN Tunnel. The users will then be able to connect to the domain and then rebuild a DC.

    Friday, July 12, 2013 5:41 PM
  • Hello Dear Meinolf

    Thanks for your answer. As I explained, my DC was the only DC in our site, so I don't have any other DC to use, and I haven't had any successful replication for 3 months.

    Friday, July 12, 2013 8:13 PM
  • Dear Paul,

    It could not have happened by individual mistake. Anyway, let me describe our situation in more detail.

    1. Actually, we are using AD 2003 mixed mode.
    2. The PDC and Exchange server are located in the headquarters.
    3. In our forest we have a single domain.
    4. We use an OU for each organization and branch.
    5. Our branches and sites are connected to the others by VPN tunnel.
    6. For some reasons, the VPN connection between HQ and the branches has been down for 3 months.
    7. During the VPN issue, in all sites and branches new users were created in their DC for Windows authentication.
    8. The same users were created in the same OU on the PDC at headquarters for Exchange and mailbox configuration.
    9. In each site many local changes were applied on their DC.

    I suppose this problem could be because of a succession of replications yesterday, just as an idea. Today I tried to connect the VPN link again, and when I checked our DC log I saw high numbers of 1202 ADWS event errors.

    Saturday, July 13, 2013 12:04 AM
  • Hello,

    I am confused again; first you said the DC/DNS is down and cannot be brought back online. Now you wrote "when I checked our DC log"??? Please elaborate on this.

    Do you have a running DC in the site or not?


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Saturday, July 13, 2013 1:16 PM
  • Dear Meinolf,

    I mean that when I checked our problematic DC's event log, I understood the problem could be the TSL (tombstone lifetime), because we haven't had any replication in the past 60 days....

    Sunday, July 14, 2013 2:31 AM
  • Hello,

    as the DC is over the TSL, demote it and promote it again as a DC. If demoting fails with an error message, run dcpromo /forceremoval and run metadata cleanup according to http://msmvps.com/blogs/mweber/archive/2010/05/16/active-directory-metadata-cleanup.aspx

    Also remove the failed DC from AD Sites and Services, from the DNS zones, and from the Name Servers tab in the DNS zone properties.

    With a VPN not running for longer than the tombstone lifetime, which I personally cannot understand, you have to create all objects again after having a running DC again in your site.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Sunday, July 14, 2013 4:23 PM
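    The reply above is a procedure in three parts: forced demotion on the dead DC, metadata cleanup on a healthy DC, and removal of the stale DNS and site records. As an added example (not the blog post's or the thread's own commands), here it is end to end, with the checks that tell you each part actually took. The names BRDC01 (dead DC, site Branch01), HQDC01 (healthy DC) and corp.example are placeholders; ntdsutil, dnscmd, repadmin and nltest are the 2008 R2 in-box tools, and the "remove selected server <DN>" one-liner is the 2008+ ntdsutil syntax.

    ```powershell
    # Added example, not from the original thread. Placeholders: BRDC01, HQDC01, Branch01, corp.example.
    $Dead   = 'BRDC01'
    $DeadFq = "$Dead.corp.example"
    $Good   = 'HQDC01'
    $Domain = 'corp.example'
    $Site   = 'Branch01'

    # ---- Part 1: on the dead DC (BRDC01), logged on as local/domain admin ----
    # Forced demotion: no replication attempted, the box becomes a standalone server.
    # Note down the DSRM password it asks for; reboot when it finishes.
    dcpromo /forceremoval

    # ---- Part 2: on the healthy DC (HQDC01), as Domain Admin ----
    # Removes NTDS Settings, the server object, the computer account and FRS membership.
    # A confirmation dialog appears; ntdsutil also warns if the dead DC still held FSMO roles.
    $serverDn = "CN=$Dead,CN=Servers,CN=$Site,CN=Sites,CN=Configuration,DC=corp,DC=example"
    ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit

    # Confirm nothing in the replication topology still references it.
    repadmin /showrepl $Good | Select-String $Dead

    # ---- Part 3: DNS, still on HQDC01 ----
    # NS records on the domain zone and on _msdcs, plus the dead DC's own A record.
    dnscmd $Good /recorddelete $Domain          '@'   NS $DeadFq /f
    dnscmd $Good /recorddelete "_msdcs.$Domain" '@'   NS $DeadFq /f
    dnscmd $Good /recorddelete $Domain          $Dead A  /f

    # Whatever survived (SRV records under _tcp/_sites, the DSA-GUID CNAME in _msdcs)
    # shows up here; delete each with the same /recorddelete form.
    foreach ($z in $Domain, "_msdcs.$Domain") {
        dnscmd $Good /enumrecords $z '@' | Select-String $Dead
    }

    # The locator must no longer hand out BRDC01 for the branch site.
    nltest /dsgetdc:$Domain /site:$Site
    ```

    Only after the enumeration in Part 3 comes back empty should the branch server be promoted again, and the replacement should point its own DNS client at HQDC01 during promotion so that it does not register against a zone it has not yet replicated. The user objects created locally during the outage are gone with the forced removal, which is the point Meinolf makes in his last sentence.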
  • I would make it simple by just demoting the DC; obviously, I'd back up the data and identify the necessary services before demoting this DC. Next, promote the DC back and you are done. As others have mentioned, if the DC has passed the TSL, nothing can be done except demotion. Since you have a DC in another site, it's simple to perform a demote and promote to reconfigure the problem DC. I would also check replication health using the tools below to find out whether the overall replication health of the domain is good or not.

    Active Directory Replication Status Tool Released

    What does DCDIAG actually… do?  


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, July 15, 2013 12:59 AM
    Moderator
  • Thanks for advising; I'll test and let you know....
    Monday, July 15, 2013 3:44 AM