DNS Zone still loading with error after removing RRS feed

  • Question

  • Hi, 

I had an old zone containing old DC data and I removed it.

    Unfortunately, after many, many tries the zone is still loading and it creates an error causing an AD error because of the Netlogon pause, etc.

After resolving the root causes one after another, I'm arriving at this:

    "The DNS server was unable to open zone intranet.MYDOMAIN.net in the Active Directory from the application directory partition DomainDnsZones.intranet.MYDOMAIN.net. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code."

Reading this, I removed the zone intranet.MYDOMAIN.net from DNS and verified in regedit that everything was OK (it wasn't; I had to remove it from regedit too).

    But after restarting, I still have this error message...

    After 2 hours looking for the reason, I can't find any trace of this record and so can't remove the "intranet..." zone and correct the error.

    Because of that, I can't resolve my problem.

    Thanks for your help guys :)

    Wednesday, May 15, 2019 1:13 AM
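The error text above names three places a zone can survive after it is "removed" from the DNS console: the DNS server's own zone list, the registry key under `HKLM\SYSTEM\CurrentControlSet\Services\DNS\Zones`, and the `dnsZone` object in the application directory partition (`DomainDnsZones.intranet.MYDOMAIN.net`). The following PowerShell script is an added example, not code from the thread; it only reports where the zone is still referenced and makes no changes. It assumes it is run elevated on the affected DC with the DnsServer and ActiveDirectory modules installed, and the zone name and partition DN are taken from the event text and used as illustrative values.

```powershell
# Added example (not from the thread): report residual references to an
# AD-integrated DNS zone that the DNS server still tries to load.
# Assumptions: elevated session on the DC; DnsServer + ActiveDirectory modules;
# $ZoneName and the partition DNs are illustrative, taken from the event text.
$ZoneName = 'intranet.MYDOMAIN.net'
$DomainDn = 'DC=intranet,DC=MYDOMAIN,DC=net'

# 1. Does the DNS server itself still list the zone?
$zone = Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue
if ($zone) {
    "DNS server still lists zone {0} (type {1}, AD-integrated: {2})" -f $zone.ZoneName, $zone.ZoneType, $zone.IsDsIntegrated
} else {
    "DNS server does not list zone $ZoneName"
}

# 2. Registry: a left-over zone key is enough to make the service retry the load
#    and log the 'unable to open zone' event on every start.
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Zones\$ZoneName"
if (Test-Path $regPath) {
    "Registry zone key still present: $regPath"
    Get-ItemProperty -Path $regPath | Select-Object DatabaseFile, Type, DsIntegrated
} else {
    "No registry zone key for $ZoneName"
}

# 3. Directory: the dnsZone object may live in any of the three DNS containers.
$searchBases = @(
    "CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDn",   # DomainDnsZones partition (named in the event)
    "CN=MicrosoftDNS,DC=ForestDnsZones,$DomainDn",   # ForestDnsZones partition
    "CN=MicrosoftDNS,CN=System,$DomainDn"            # legacy domain-NC storage
)
foreach ($base in $searchBases) {
    $obj = Get-ADObject -SearchBase $base -SearchScope OneLevel `
        -Filter "objectClass -eq 'dnsZone' -and Name -eq '$ZoneName'" `
        -ErrorAction SilentlyContinue
    if ($obj) { "dnsZone object still present: $($obj.DistinguishedName)" }
    else      { "No dnsZone object under $base" }
}

# 4. Netlogon stays Paused until AD DS reports initial synchronisation complete,
#    which is what produces the 'access denied' on the AD tools.
Get-Service -Name Netlogon | Select-Object Name, Status

# 5. The DNS Server log carries the load failures (event IDs 4000 / 4007).
Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 4000, 4007 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run it once before and once after each removal attempt; a zone that is absent from all three locations but still reported in step 5 points at the directory on a replication partner rather than at this server, which is the direction the rest of the thread takes.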

All replies

  • Hi,

    This happens when that particular DC/DNS server has lost its Secure channel with itself or PDC.

    This can also happen in a single DC environment where that DC/DNS server holds all the FSMO roles and is pointing to itself as Primary DNS server.

    Please refer to the link below:

    https://support.microsoft.com/en-hk/help/2751452/dns-zones-do-not-load-event-4000-4007  

    Best regards,

    Travis


Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, May 15, 2019 3:27 AM
    Moderator
  • Hi, Thanks for reply.

Unfortunately, I already read this article and followed the process.

    It tells me that the password has been successfully recovered from the main controller, but I still get the error.

    What is strange is that for now (after removing it), the domain entry "intranet.mydomain.com" doesn't exist anymore in the DNS entries...

    Thanks for help!

    Wednesday, May 15, 2019 4:44 PM
  • Hi,

    I think you need to clean up AD DC server metadata, please refer to the link below:

    https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup  

    Best regards,

    Travis



    Thursday, May 16, 2019 7:31 AM
    Moderator
  • Hi,

    Thanks, I will do it this evening and will tell you here the result.

This will not demote or affect the AD DC/DNS role after cleaning?

    Regards,

    Thursday, May 16, 2019 8:14 AM
  • Hi,

    Metadata cleanup is a required procedure after a forced removal of Active Directory Domain Services (AD DS). You perform metadata cleanup on a domain controller in the domain of the domain controller that you forcibly removed.

    The DNS server believes the zone intranet.MYDOMAIN.net still exists, and we need to clear the data of the zone.

    Best regards,

    Travis



    Friday, May 17, 2019 8:20 AM
    Moderator
  • Hi,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Travis



    Tuesday, May 21, 2019 6:20 AM
    Moderator
  • Hi,

I just tried your solution, but the problem is that intranet.MYDOMAIN.net has never been a domain controller. Maybe it was a very long time ago (I have been managing this business for 8 years).

    I didn't know this server, and when I wanted to follow every step in your link, I understood that the goal is to remove the data of a forcibly removed domain controller. But it has never been listed as a domain controller, so in all the lists I don't have this domain controller (and that's absolutely normal).

    I'm the only manager of the DNS zones and of the DCs. We have only two DCs: one which works and the other one which failed a few days ago (after working great for a long time).

    You will find the complete logs in which I found the DNS problem; maybe you will have another idea.

    8:05 is the time I brought the server up to start your process.

    Here are the logs from DNS:

    www.francelink.net/sites/default/files/images/BugAD/1.jpg

    www.francelink.net/sites/default/files/images/BugAD/2.jpg


Here are the logs from AD DS:

    www.francelink.net/sites/default/files/images/BugAD/3.jpg

    www.francelink.net/sites/default/files/images/BugAD/4.jpg

    www.francelink.net/sites/default/files/images/BugAD/5.jpg

(sorry, I can't insert a link or image because it tells me my account is not verified...)

    Thanks for helping.

    Tell me if you need other information.
    Tuesday, May 21, 2019 6:32 PM
  • Hi,

We have only two DCs: one which works and the other one which failed a few days ago (after working great for a long time).

    Did the problem occur after the DC failed? I think the issue is more related to AD.

    Best regards,

    Travis



    Wednesday, May 22, 2019 8:05 AM
    Moderator
  • Hi,

Did the problem occur after the DC failed?

    I can't answer this question because all I see is that I get an access denied when launching all the AD tools. After searching for a few hours I understood that it's caused by the Netlogon service being paused, which is caused by (it seems) the DNS problem that I saw in the logs I gave you.

    I don't know which is the root cause and which is the consequence. But I noticed the DC problem about 2 weeks ago. I think the problem is older than that, because an AD account that I created about 2 months ago is not on the failed DC... :/

    I will try your solution.

    If I sum this up:

    - Connect to my DC which doesn't work any more (the one from which I gave you the logs)

    - Verify the FSMO holder (move it if necessary)

    - Demote it

    - Clean it up

    - Then promote it

    Am I right? I don't have any manipulation to do on the DC which is functional? (the other one; I have only two DCs)

    I didn't understand this:

    If you were to decommission the other server, as long as it was done properly, this DC would consider itself to be synchronized since it had no partners.

    Thanks a lot,

       Gwenaël

    Wednesday, May 22, 2019 12:48 PM
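The five-step summary above (verify the FSMO holders, demote, clean up, promote) has a few read-only checks a practitioner would run first on the two-DC setup described, plus the secure-channel test the first reply points to and the replication state behind the "initial synchronization" events discussed later. The PowerShell below is an added example, not code from the thread or from Microsoft's documentation; it assumes it is run on the failing DC with the ActiveDirectory and DnsClient modules available, and the domain name and the `GOOD-DC` placeholder are illustrative. The only modifying commands are commented out.

```powershell
# Added example (not from the thread): pre-flight checks for the
# "verify FSMO holders -> demote -> clean up -> promote" sequence.
# Assumptions: ActiveDirectory + DnsClient modules present on the failing DC;
# $Domain is taken from the event text; 'GOOD-DC' is a placeholder for the healthy DC.
$Domain = 'intranet.MYDOMAIN.net'

# 1. Which DCs does the directory know about? A stale entry here is exactly
#    what metadata cleanup (ntdsutil "metadata cleanup") removes; the thread's
#    zone name is not expected in this list, since it was never a DC.
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, OperationMasterRoles

# 2. FSMO holders: none of them should sit on the DC about to be demoted.
$forest = Get-ADForest
$dom    = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $dom.PDCEmulator
    RIDMaster            = $dom.RIDMaster
    InfrastructureMaster = $dom.InfrastructureMaster
}
# Move any role held by the failing DC to the healthy one before demoting (uncomment, set target):
# Move-ADDirectoryServerOperationMasterRole -Identity 'GOOD-DC' `
#     -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster

# 3. Secure channel with the domain: the cause named in the first reply.
#    sc_verify only tests; sc_reset re-establishes the channel and is left commented out.
nltest /sc_verify:$Domain
# nltest /sc_reset:$Domain

# 4. Replication state: a DC with no reachable partner never finishes initial
#    synchronisation, so Netlogon stays paused and DNS waits (the event quoted later).
repadmin /showrepl $env:COMPUTERNAME
Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult

# 5. The single-DC case from the first reply: a role holder whose NIC lists only
#    itself as DNS server. With two DCs, the healthy one should appear here too.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Select-Object InterfaceAlias, ServerAddresses
```

Step 1 also answers the later question of how the cleanup "should have" been done: the cleanup removes a DC's leftover objects from the directory, so it only has something to do when the list in step 1 still shows a DC that no longer exists. Demoting and re-promoting the same name, as the thread ends up doing, updates that DC's existing object on the other DC instead.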
  • Hi,

    Yes, you are right.

    Initial synchronization requirements for Windows Server operations master role holders

    https://support.microsoft.com/en-sg/help/305476/initial-synchronization-requirements-for-windows-2000-server-and-windo  

According to the error log, there is an issue with the initial synchronization. And I think it is more related to the failed DC.

    Best regards,

    Travis



    Thursday, May 23, 2019 3:18 AM
    Moderator
  • Hi,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Travis



    Monday, May 27, 2019 6:15 AM
    Moderator
  • Hi,

I just followed your instructions.

    I didn't succeed in the cleanup because once I demoted the local DC I was unable to launch the cleanup in any way.

    So I promoted it again and it told me that this name already exists on the other DC and that I have to confirm the update of the server with this name on the other DC; I said yes.

    It seems to work. The DC starts, DNS is updated with the AD zone, synchronisation works in both directions :)

    It seems all is OK.

    I have 2 questions:

    - How should I have cleaned up?

    - I have this warning in the AD log:

    The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

But DNS starts well... Do you have an explanation?

    (precision: I have no other message in the DNS log than this one)

    Thanks again :)


    • Edited by Nami69 Tuesday, May 28, 2019 9:11 PM
    Tuesday, May 28, 2019 9:09 PM
  • Hi,

I believe that troubleshooting the issue requires some hands-on access.

    My suggestion is to contact Microsoft Support to get them involved in checking your configuration.

    Best regards,
    Travis



    Wednesday, May 29, 2019 7:12 AM
    Moderator