DNS Error 4016 and 4004

  • Question

  • Good day.

    There is an infrastructure of two sites. Site A contains three DC 2012 R2 in 2008R2 mode (let's call them conditionally A1, A2, A3), each has a DNS service. Site B contains two RODC 2012 R2 (let's call them conditionally B1, B2), each has a DNS service.

    For the last two weeks, the following errors have appeared on A1, A2 and B1:

     4004
    The time during which the DNS server tried to execute the "---" operation of the Active Directory service timed out. Verify that Active Directory is functioning correctly. Event data contains error information.

    The DNS server could not complete the enumeration of the 39.168.192.in-addr.arpa zone in the directory service. This DNS server is configured to retrieve and use data from Active Directory for the specified zone and can not load the zone without them. Check that the Active Directory is working properly, and repeat the enumeration of the zone. Additional debugging error information: "" (may be absent). Event data contains error information.

    4016
    The time during which the DNS server tried to execute on "DC = 36, DC = 200.10.10.in-addr.arpa, cn = MicrosoftDNS, DC = DomainDnsZones, DC = DOMAINNAME, DC = en" is an Active Directory service operation. Verify that Active Directory is functioning correctly. Event data contains error information.

    The time during which the DNS server tried to execute on "DC = SERVERNAME, DC = DOMAINNAME.ru, cn = MicrosoftDNS, DC = DomainDnsZones, DC = DOMAINNAME, DC = en" is an Active Directory service operation. Verify that Active Directory is functioning correctly. Event data contains error information.

    The time during which the DNS server tried to execute on "DC = _ldap._tcp.gc, DC = _msdcs.DOMAINNAME.ru, cn = MicrosoftDNS, DC = ForestDnsZones, DC = DOMAINNAME, DC = en" is an Active Directory service operation. Verify that Active Directory is functioning correctly. Event data contains error information.

    The time during which the DNS server tried to execute on "DC = WORKSTATIONNAME, DC = DOMAINNAME.ru, cn = MicrosoftDNS, DC = DomainDnsZones, DC = DOMAINNAME, DC = en" is an Active Directory service operation. Verify that Active Directory is functioning correctly. Event data contains error information.

    At the same time, there are no visible failures in the domain. Everything functions without problems. The errors are spread over 6-8 hours with a period of 10 hours. The infrastructure has been running in its current form for more than a year, and no changes have been made to it. Suddenly these errors appeared.

    There are absolutely no errors in the AD logs!

    Dcdiag passes almost without errors. Those that it catches are related to stopping replication because of the backup systemstate.

    I did not find a solution to the problem, although many people write about this.
    Thursday, June 1, 2017 6:39 AM

All replies

  • Hi Denis Kotik

    >>Dcdiag passes almost without errors. Those that it catches are related to stopping replication because of the backup systemstate.

    Did you run the command dcdiag /test:dns? If not, please post the warnings and errors in the dcdiag /test:dns results, so we can troubleshoot this issue efficiently.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    Friday, June 2, 2017 7:12 AM
  • These are the dcdiag /test:dns results. And I forgot to say that we don't have an internet connection in our domain.

    DC1



    Diagnostics of the Directory Server

    Perform the initial setup:
       An attempt is made to find the primary server ...
       Primary Server = A1
       * Defined forest AD.
       The collection of the initial data is completed.

    Performing mandatory initial checks

       Validation server: CA \ A1
          Running the test: Connectivity
             ......................... A1 - passed the Connectivity check

    Performing Basic Checks

       Validation server: CA \ A1

          Running the scan: DNS

             DNS checks are performed without hanging. Wait a few minutes ...
             ......................... A1 - DNS check failed

       Performing partition checks on: ForestDnsZones

       Performing partition checks on: DomainDnsZones

       Performing partition checks on: Schema

       Performing partition checks on: Configuration

       Performing partition checks on: DOMAINNAME

       Execution of company checks on: DOMAINNAME.ru
          Running the scan: DNS
             The results of checking domain controllers:

                Domain Controller: A1.DOMAINNAME.ru
                Domain: DOMAINNAME.ru


                   TEST: Basic (Basc)
                      Warning: no DNS RPC connectivity (error or non Microsoft DNS server is running)

                   A1 PASS WARN n / a n / a n / a n / a n / a
             ......................... DOMAINNAME.ru - passed DNS check

    ================
    DC2

    Diagnostics of the Directory Server

    Perform the initial setup:
       An attempt is made to find the primary server ...
       Primary Server = A2
       * Defined forest AD.
       The collection of the initial data is completed.

    Performing mandatory initial checks

       Validation server: CA \ A2
          Running the test: Connectivity
             ......................... A2 - passed the Connectivity test

    Performing Basic Checks

       Validation server: CA \ A2

          Running the scan: DNS

             DNS checks are performed without hanging. Wait a few minutes ...
             ......................... A2 - DNS check failed

       Performing partition checks on: ForestDnsZones

       Performing partition checks on: DomainDnsZones

       Performing partition checks on: Schema

       Performing partition checks on: Configuration

       Performing partition checks on: DOMAINNAME

       Execution of company checks on: DOMAINNAME.ru
          Running the scan: DNS
             The results of checking domain controllers:

                Domain Controller: A2.DOMAINNAME.ru
                Domain: DOMAINNAME.ru


                   TEST: Basic (Basc)
                      Warning: no DNS RPC connectivity (error or non Microsoft DNS server is running)

                   A2 PASS WARN n / a n / a n / a n / a n / a
             ......................... DOMAINNAME.ru - passed DNS check


    Friday, June 2, 2017 7:45 AM
  • Hi Denis Kotik

    >> DNS checks are performed without hanging. Wait a few minutes ...
             ......................... A1 - DNS check failed

    >>TEST: Basic (Basc)
                      Warning: no DNS RPC connectivity (error or non Microsoft DNS server is running)

    Please check whether the DNS server in your domain is BIND.

    For your reference:

    https://social.technet.microsoft.com/Forums/windows/en-US/f5e11f7a-7c62-48ce-b6b8-2975e7645ddf/ad-integrated-dns?forum=winserverDS

    Best Regards,

    Candy



    Monday, June 5, 2017 8:08 AM
  • Sorry, but it was my fault. I started the dcdiag DNS test without administrative permissions.

    Here is the real dcdiag log; it's the same for every DC:


    Diagnostics of the Directory Server

    Perform the initial setup:
       An attempt is made to find the primary server ...
       Primary Server = A1
       * Defined forest AD.
       The collection of the initial data is completed.

    Performing mandatory initial checks

       Validation server: CA \ A1
          Running the test: Connectivity
             ......................... A1 - passed the Connectivity check

    Performing Basic Checks

       Validation server: CA \ A1

          Running the scan: DNS

             DNS checks are performed without hanging. Wait a few minutes ...
             ......................... A1 - passed DNS check

       Performing partition checks on: ForestDnsZones

       Performing partition checks on: DomainDnsZones

       Performing partition checks on: Schema

       Performing partition checks on: Configuration

       Performing partition checks on: DOMAINNAME

       Execution of company checks on: DOMAINNAME.ru
          Running the scan: DNS
             The results of checking domain controllers:

                Domain Controller: A1.DOMAINNAME.ru
                Domain: DOMAINNAME.ru


                   TEST: Forwarders / Root hints (Forw)
                      Error. Root and forwarding servers are not configured or corrupted. Make sure that at least one of them works.

                   TEST: Dynamic update (Dyn)
                      Warning: Failed to delete the test record dcdiag-test-record in zone DOMAINNAME.ru

             A report on the results of checking the DNS servers used by the above domain controllers:

                DNS-server: 128.63.2.53 (h.root-servers.net.)
                   1 - check for this DNS server failed
                   PTR record query for the 1.0.0.127.in-addr.arpa. Failed on the DNS server 128.63.2.53
                DNS-server: 128.8.10.90 (d.root-servers.net.)
                   1 - check for this DNS server failed
                   PTR record query for the 1.0.0.127.in-addr.arpa. Failed on the DNS server 128.8.10.90
                DNS-server: 192.112.36.4 (g.root-servers.net.)
                   1 - check for this DNS server failed
                   PTR record query for the 1.0.0.127.in-addr.arpa. Failed on the DNS server 192.112.36.4
                DNS-server: 192.203.230.10 (e.root-servers.net.)
                   1 - check for this DNS server failed
                   PTR record query for the 1.0.0.127.in-addr.arpa. Failed on the DNS server 192.203.230.10
                DNS server: 192.228.79.201 (b.root-servers.net.)
                   1 - check for this DNS server failed
                   PTR record query for the 1.0.0.127.in-addr.arpa. Failed on the DNS server 192.228.79.201
                DNS-server: 192.33.4.12 (c.root-servers.net.)
                   1 - check for this DNS server failed
                   PTR record query for the 1.0.0.127.in-addr.arpa. Failed on the DNS server
                DNS-server: 192.36.148.17 (i.root-servers.net.)
                   1 - check for this DNS server failed
                   PTR record query for the 1.0.0.127.in-addr.arpa. Failed on the DNS server 192.36.148.17
                DNS-server: 192.5.5.241 (f.root-servers.net.)
                   1 - check for this DNS server failed
                   PTR record query for the 1.0.0.127.in-addr.arpa. Failed on the DNS server 192.5.5.241
                DNS-server: 192.58.128.30 (j.root-servers.net.)
                   1 - check for this DNS server failed
                   PTR record query for the 1.0.0.127.in-addr.arpa. Failed on the DNS server 192.58.128.30.
                DNS-server: 193.0.14.129 (k.root-servers.net.)
                   1 - check for this DNS server failed
                   PTR record query for the 1.0.0.127.in-addr.arpa. Failed on the DNS server 193.0.14.129
                DNS Server: 198.41.0.4 (a.root-servers.net.)
                   1 - check for this DNS server failed
                   PTR record query for the 1.0.0.127.in-addr.arpa. Failed on the DNS server 198.41.0.4
                DNS server: 199.7.83.42 (l.root-servers.net.)
                   1 - check for this DNS server failed
                   PTR record query for the 1.0.0.127.in-addr.arpa. Failed on the DNS server 199.7.83.42
                DNS-server: 202.12.27.33 (m.root-servers.net.)
                   1 - check for this DNS server failed
                   PTR record query for the 1.0.0.127.in-addr.arpa. Failed on the DNS server 202.12.27.33
             DNS Result Check Report:

                                                Auth Basc ForW Del Dyn RReg Ext
                _________________________________________________________________
                Domain: DOMAINNAME.ru
                   A1 PASS PASS FAIL PASS WARN PASS n / a

             ......................... DOMAINNAME.ru - DNS check failed


    Monday, June 5, 2017 1:27 PM
  • Hi Denis Kotik,

    >>Warning: Failed to delete the test record dcdiag-test-record in zone DOMAINNAME.ru

    This warning occurred because the Dynamic updates setting selected on the DNS server is “Nonsecure and Secure”. Please convert the zone to “Secure only” under Dynamic updates and then test again.

    In addition, if the Dynamic updates add/delete test record process works properly, we can ignore this warning without issue.

    >>Error. Root and forwarding servers are not configured or corrupted. Make sure that at least one of them works.

    Did you configure the forwarder? Is the forwarder working properly?

    The root hints errors are because of the wrong forwarder being configured.

    When you access an external website, it will use root hints and the forwarder to resolve the external website, but if the forwarder is wrongly configured, root hints will fail, and that is why you see that result.

    You could configure the forwarder with 8.8.8.8 and run dcdiag /test:DNS again to check whether the problem is still there.

    You could also contact your ISP, get the public DNS server for your domain and run the command again.

    Best Regards,

    Candy




    Tuesday, June 6, 2017 8:17 AM
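
The "Secure only" suggestion in the reply above can be checked across all DNS servers before changing anything. The following is an added example, not part of the thread or of any poster's script; it assumes the DnsServer PowerShell module (Windows Server 2012 or later) and uses the thread's placeholder names A1, A2, A3 for the writable DCs.

```powershell
# Added example: audit dynamic-update settings on AD-integrated zones.
# Assumption: A1..A3 are the writable DCs from the thread; B1/B2 are RODCs
# and only hold read-only copies, so the change is made on a writable DC.
Import-Module DnsServer

$servers = 'A1', 'A2', 'A3'

$zones = foreach ($server in $servers) {
    try {
        Get-DnsServerZone -ComputerName $server -ErrorAction Stop |
            Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
            Select-Object @{ n = 'Server'; e = { $server } },
                          ZoneName, IsDsIntegrated, IsReverseLookupZone, DynamicUpdate
    }
    catch {
        Write-Warning "Could not query ${server}: $($_.Exception.Message)"
    }
}

# Zones that still accept unauthenticated (nonsecure) dynamic updates.
$nonsecure = $zones | Where-Object { $_.DynamicUpdate -eq 'NonsecureAndSecure' }
$nonsecure | Sort-Object ZoneName, Server |
    Format-Table Server, ZoneName, IsDsIntegrated, IsReverseLookupZone -AutoSize

# "Secure only" is available only for AD-integrated zones. The setting is
# stored with the zone in AD and replicates, so one change per zone is enough.
$nonsecure |
    Where-Object { $_.IsDsIntegrated } |
    Sort-Object ZoneName -Unique |
    ForEach-Object {
        # -WhatIf shows what would change; remove it to apply the setting.
        Set-DnsServerPrimaryZone -ComputerName $_.Server -Name $_.ZoneName `
            -DynamicUpdate Secure -WhatIf
    }
```

Run it from an elevated session; as the thread itself shows, DNS checks run without administrative permissions return misleading results.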

  • >>Error. Root and forwarding servers are not configured or corrupted. Make sure that at least one of them works.

    Did you configure the forwarder? Is the forwarder working properly?

    The root hints errors are because of the wrong forwarder being configured.

    When you access an external website, it will use root hints and the forwarder to resolve the external website, but if the forwarder is wrongly configured, root hints will fail, and that is why you see that result.

    You could configure the forwarder with 8.8.8.8 and run dcdiag /test:DNS again to check whether the problem is still there.

    You could also contact your ISP, get the public DNS server for your domain and run the command again.


    Hi, thank you for the answer. But we don't have and don't need an internet connection in our domain. So I think this is a normal error for a disconnected network.

    About "Secure only" - I'll try it.

    Tuesday, June 6, 2017 8:46 AM
  • Hi Denis Kotik,

    Thanks for your posting here.

    If you have any updates, please feel free to let me know.

    Best Regards,

    Candy




    Tuesday, June 6, 2017 8:53 AM
  • So there is a problem. We have a non-authoritative DHCP in our domain. I think it will be a problem to add addresses from this DHCP to DNS if I turn on "Secure only", won't it?
    Tuesday, June 6, 2017 8:56 AM
  • Hi Denis Kotik,

    >>We have non-authoritative DHCP in our domain.

    Non-authoritative DHCP will not be affected.

    Generally, it will be no problem.

    Best Regards,

    Candy



    Tuesday, June 6, 2017 9:25 AM
  • >>Warning: Failed to delete the test record dcdiag-test-record in zone DOMAINNAME.ru

    OK. This error disappeared after I turned on "Secure only" mode. But what now? Everything seems to be OK in the domain, but today we had a lot of 4016 errors again. I really don't know where to search now. All logs are good except DNS. And I think it's not good to ignore such a problem.

    Tuesday, June 6, 2017 12:17 PM
  • Hi Denis Kotik,

    Please use ADSI Edit to make sure no duplicate zones exist.

    Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones 

    https://blogs.msmvps.com/acefekay/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones/

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,

    Candy





    Wednesday, June 7, 2017 8:50 AM
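
The duplicate-zone check suggested above can also be done without clicking through ADSI Edit. The following is an added example, not part of the thread or of the linked blog post; it assumes the ActiveDirectory PowerShell module and a single-domain forest laid out like the one in the thread, and it only reads from the directory.

```powershell
# Added example: list dnsZone objects in every location AD can store them
# and flag replication-conflict copies and zones present in more than one place.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext
$forestDN = $rootDse.rootDomainNamingContext

# The three containers that can hold AD-integrated zones.
$containers = [ordered]@{
    DomainDnsZones = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN"
    ForestDnsZones = "CN=MicrosoftDNS,DC=ForestDnsZones,$forestDN"
    LegacySystem   = "CN=MicrosoftDNS,CN=System,$domainDN"
}

$zones = foreach ($entry in $containers.GetEnumerator()) {
    try {
        Get-ADObject -SearchBase $entry.Value -SearchScope OneLevel `
                     -LDAPFilter '(objectClass=dnsZone)' -ErrorAction Stop |
            Select-Object @{ n = 'Partition'; e = { $entry.Key } },
                          Name, DistinguishedName
    }
    catch {
        Write-Warning "Could not read $($entry.Value): $($_.Exception.Message)"
    }
}

# Replication conflicts: AD renames the losing copy to "<name>\0ACNF:<guid>".
$conflicts = $zones | Where-Object { $_.Name -match 'CNF:' }

# The same zone name in more than one container. RootDNSServers and
# ..TrustAnchors are built-in containers, not duplicates, so they are skipped.
$duplicates = $zones |
    Where-Object { $_.Name -notin 'RootDNSServers', '..TrustAnchors' } |
    Group-Object Name |
    Where-Object { $_.Count -gt 1 }

'Conflict (CNF) zone objects: {0}' -f @($conflicts).Count
$conflicts | Format-Table Partition, DistinguishedName -AutoSize -Wrap

'Zone names present in more than one container: {0}' -f @($duplicates).Count
$duplicates | ForEach-Object { $_.Group } |
    Format-Table Name, Partition, DistinguishedName -AutoSize -Wrap
```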
  • Hi Candy. 

    Thank you for trying to help me, but still nothing. I looked in ADSI. We haven't any duplicate zones.

    Wednesday, June 7, 2017 9:17 AM
  • Hi Denis Kotik,

    I have researched for a period of time but I did not find other useful information related to this issue.

    I suggest you could open a case with Microsoft, more in-depth investigation can be done so that you would get a more satisfying explanation and solution to this issue.

    Here is the link:

    https://support.microsoft.com/en-us/gp/support-options-for-business

    Best Regards,
    Candy



    Wednesday, June 7, 2017 9:26 AM