DNS Error 4000. NO DNS , NO Active Directory

  • Question

  •  A user had an issue with a PC which gave a message about losing the trust relationship. I did not know the issue was with the server. Removed the PC from the domain, added it to a workgroup, then tried to re-add it to the domain. That's when I realized something was wrong. Went to the server and noticed all the errors in DNS and AD. No one can join the domain. For drive mappings I can do them manually with IP address and share, e.g. //10.2.5.20/share. Went through a lot of blogs.

     

    Windows 2012 Server. Single server environment with the server also acting as DNS server.

    DNS ID - 4000

    AD ID - 1202

    Ensured the server is pointing to itself for DNS.

    Tried to do Netdom resetpwd, however I get "An internal error has occurred. The command failed to complete successfully." Using the domain administrator for the user.

     nltest /sc_reset:corp.server.com -  I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

    Sunday, August 28, 2016 12:05 AM

Answers

  • Hi Wgiwir,

    >>The dynamic registration of the DNS record '_ldap._tcp.pdc._msdcs.corp.<domain>.com. 600 IN SRV 0 100 389 SVHAUS.corp.<domain>.com.' failed on the following DNS server:  

    DNS server IP address: 161.58.134.130 
    Returned Response Code (RCODE): 5 
    Returned Status Code: 9017  

    The message means SRV record registration failed.

    On domain controller, what is IP address of the preferred DNS server?

    Please try to restart Netlogon service and turn off firewall.

    Please perform the operation as article mentioned to troubleshoot Active Directory:

    Troubleshooting Active Directory—Related DNS Problems

    https://msdn.microsoft.com/en-us/library/bb727055.aspx

    Best Regards

    John


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    • Edited by John Lii Friday, September 9, 2016 8:28 AM
    • Proposed as answer by John Lii Monday, September 19, 2016 8:22 AM
    • Marked as answer by Leo HanModerator Thursday, September 22, 2016 1:31 AM
    Friday, September 9, 2016 8:27 AM
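
The event quoted in the answer above names the DNS server the update was sent to, the RCODE and the status code, and the three are worth reading together. As an added example (not code from the thread or from Microsoft), this Python sketch parses that event text and flags an update that went to a server other than the DC itself; the function name `triage` and its `dc_addresses` argument are assumptions, and 10.59.0.3 is the DC address the poster gives later in the thread.

```python
import ipaddress
import re

# Constructed sample: the Netlogon event text as quoted in the thread
# (the "<domain>" placeholder is kept exactly as posted).
EVENT_TEXT = """\
The dynamic registration of the DNS record '_ldap._tcp.pdc._msdcs.corp.<domain>.com. 600 IN SRV 0 100 389 SVHAUS.corp.<domain>.com.' failed on the following DNS server:
DNS server IP address: 161.58.134.130
Returned Response Code (RCODE): 5
Returned Status Code: 9017
"""

# Standard DNS response codes (RFC 1035, RFC 2136).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH", 10: "NOTZONE"}

EVENT_RE = re.compile(
    r"DNS record '(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>[^'\s]+)'"
    r".*?DNS server IP address:\s*(?P<server>[0-9A-Fa-f.:]+)"
    r".*?\(RCODE\):\s*(?P<rcode>\d+)"
    r".*?Status Code:\s*(?P<status>\d+)",
    re.DOTALL,
)


def triage(event_text, dc_addresses):
    """Parse one registration-failure event and list what stands out.

    dc_addresses: the IP addresses bound to the domain controller itself
    (an input the caller supplies; hypothetical helper, not a Windows API).
    """
    m = EVENT_RE.search(event_text)
    if m is None:
        raise ValueError("not a dynamic DNS registration failure event")
    server = ipaddress.ip_address(m["server"])
    own = {ipaddress.ip_address(a) for a in dc_addresses}
    rcode = int(m["rcode"])
    findings = []
    if server not in own and not server.is_loopback:
        findings.append("update went to a DNS server that is not this DC")
    if server.is_global:
        findings.append("that DNS server is a public Internet address")
    if rcode == 5:
        findings.append("the server refused the dynamic update")
    return {
        "record": m["owner"],
        "target": m["target"],
        "port": int(m["port"]),
        "server": str(server),
        "rcode": RCODES.get(rcode, f"RCODE {rcode}"),
        "status": int(m["status"]),
        "findings": findings,
    }


if __name__ == "__main__":
    # 10.59.0.3 is the DC address the poster gives later in the thread.
    for line in triage(EVENT_TEXT, ["10.59.0.3"])["findings"]:
        print("-", line)
```
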

All replies

  • Hi Wgiwir,

    According to the error ID, the DNS server was unable to open Active Directory.

    Please check that AD is functioning properly and reload the zone.

    You could follow the link below to troubleshoot it:

    Event ID 4000 — DNS Server Active Directory Integration

    https://technet.microsoft.com/en-us/library/cc735673%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    >>nltest /sc_reset:corp.server.com -  I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

    Please check the domain name is correct.

    You could reference article to troubleshoot it:

    Nltest.exe Generates an Error Message When You Try to Query the Global Catalog

    https://support.microsoft.com/en-us/kb/253096

    Best Regards

    John



    Monday, August 29, 2016 8:30 AM
  • Event ID 4000:
    The DNS server was unable to open Active Directory.  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

    Event id 4007:
    The DNS server was unable to open zone <zone> in the Active Directory from the application directory partition <partition name>. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

    > In case you have other Domain Controller/ DNS server present in the environment then configure the server experiencing the issue to point to other active DNS server in TCP/IP properties.
    > Stop the KDC service on the DC experiencing the issue.
    > Run the following command with elevated rights: netdom resetpwd /server:<PDC.domain.com> /userd:<Domain\domain_admin> /passwordd:*
    >  It will prompt for the password of the Domain Admin account that you used, enter that.
    > Once the command executes, reboot the server.
    > DNS zones should load now.

    If this is the only DC in the environment and there are no other DNS servers available, then perform the same steps but replace the "PDC.Domain.com" with the server's own IP address (since it itself is the PDC).

    https://technet.microsoft.com/en-us/library/cc735673(v=ws.10).aspx

    If you have feedback for TechNet Subscriber Support, contact hshakir182@outlook.com

    regards.

    hshakir

    Monday, August 29, 2016 10:07 AM
  • Hi

    Thanks for the feedback. As far as loading the zone goes, if I go into DNS and choose "DNS is on this server", I get "Access was Denied would you like to add it anyway". Once that is done, the server is there, nothing else, and a red mark through the server's name.

    I only have one domain server, which also acts as the DNS server.

    Also stopped the KDC service, used the netdom command and I get "An internal error has occurred. The command failed to complete successfully." On purpose I put the wrong password for the Admin user and I get the message that my username or password is incorrect. Whenever I put the right password I get the internal error message.

    Monday, August 29, 2016 6:03 PM
  • Hi Wgiwir,

    >>i get "Access was Denied would you like to add it anyway"

    Please check the case below, which met a similar issue to yours:

    DNS. Access was denied. Would you like to add it anyway?

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/e2369a4f-2001-4d4f-83cf-040f0d91e412/dns-access-was-denied-would-you-like-to-add-it-anyway?forum=winservergen

    >>The command failed to complete successfully.

    Could you please provide the specific netdom command you ran?

    Have you installed third-party software on the server?

    Best Regards

    John



    Tuesday, August 30, 2016 2:40 AM
  • Hi

    Did all the steps in the article. The Host file had the localhost IP hashed out so I removed the hash, saved, and restarted DNS client and server in Services. Still get the Access Denied for the DNS and the 4000 ID error is still there.

    netdom resetpwd /s:10.59.0.3 /ud:corp.<domain>.com\administrator /pd:* - This is the command I run. If I intentionally use the wrong admin password the error tells me wrong username or password. If I put the correct password I get the "Internal error" message.

    No, nothing installed. The reason I found out something was wrong was that a user received a message that his computer had lost its trust relationship with the domain.

    Tuesday, August 30, 2016 9:39 PM
  • Hi Wgiwir,

    Please run the dcdiag command to check that AD functions properly.

    You could reference link below to understand it:

    Dcdiag

    https://technet.microsoft.com/en-us/library/cc731968(v=ws.11).aspx

    Best Regards

    John



    Wednesday, August 31, 2016 9:44 AM
  • Below are the initial DCDIAG results. Will run more commands.

    Directory Server Diagnosis


    Performing initial setup:

       Trying to find home server...

       Home Server = SVHAUS

       * Identified AD Forest. 
       Done gathering initial info.


    Doing initial required tests

       
       Testing server: Default-First-Site-Name\SVHAUS

          Starting test: Connectivity

             The host e6c32f4d-ae3d-4148-ab81-d9a224ac4eda._msdcs.corp.<domain>.com could not be resolved to an IP

             address. Check the DNS server, DHCP, server name, etc.

             Got error while checking LDAP and RPC connectivity. Please check your firewall settings.

             ......................... SVHAUS failed test Connectivity



    Doing primary tests

       
       Testing server: Default-First-Site-Name\SVHAUS

          Skipping all tests, because server SVHAUS is not responding to directory service requests.

       
       
       Running partition tests on : ForestDnsZones

          Starting test: CheckSDRefDom

             ......................... ForestDnsZones passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... ForestDnsZones passed test CrossRefValidation

       
       Running partition tests on : DomainDnsZones

          Starting test: CheckSDRefDom

             ......................... DomainDnsZones passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... DomainDnsZones passed test CrossRefValidation

       
       Running partition tests on : Schema

          Starting test: CheckSDRefDom

             ......................... Schema passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Schema passed test CrossRefValidation

       
       Running partition tests on : Configuration

          Starting test: CheckSDRefDom

             ......................... Configuration passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Configuration passed test CrossRefValidation

       
       Running partition tests on : corp

          Starting test: CheckSDRefDom

             ......................... corp passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... corp passed test CrossRefValidation

       
       Running enterprise tests on : corp.<domain>.com

          Starting test: LocatorCheck

             Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355

             A KDC could not be located - All the KDCs are down.

             ......................... corp.<domain>.com failed test LocatorCheck

          Starting test: Intersite

             ......................... corp.<domain>.com passed test Intersite

    Wednesday, August 31, 2016 5:46 PM
  • Hi Wgiwir,

    >>A KDC could not be located - All the KDCs are down.

    Please check if you have enabled KDC service.

    Best Regards

    John



    Thursday, September 1, 2016 7:45 AM
  • Hi

    Yes, I had turned it off as those were the instructions to run the Netdom command. It is back on. Please see the new results.


    Directory Server Diagnosis


    Performing initial setup:

       Trying to find home server...

       Home Server = SVHAUS

       * Identified AD Forest. 
       Done gathering initial info.


    Doing initial required tests

       
       Testing server: Default-First-Site-Name\SVHAUS

          Starting test: Connectivity

             The host e6c32f4d-ae3d-4148-ab81-d9a224ac4eda._msdcs.corp.<domain>.com could not be resolved to an IP

             address. Check the DNS server, DHCP, server name, etc.

             Got error while checking LDAP and RPC connectivity. Please check your firewall settings.

             ......................... SVHAUS failed test Connectivity



    Doing primary tests

       
       Testing server: Default-First-Site-Name\SVHAUS

          Skipping all tests, because server SVHAUS is not responding to directory service requests.

       
       
       Running partition tests on : ForestDnsZones

          Starting test: CheckSDRefDom

             ......................... ForestDnsZones passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... ForestDnsZones passed test CrossRefValidation

       
       Running partition tests on : DomainDnsZones

          Starting test: CheckSDRefDom

             ......................... DomainDnsZones passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... DomainDnsZones passed test CrossRefValidation

       
       Running partition tests on : Schema

          Starting test: CheckSDRefDom

             ......................... Schema passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Schema passed test CrossRefValidation

       
       Running partition tests on : Configuration

          Starting test: CheckSDRefDom

             ......................... Configuration passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Configuration passed test CrossRefValidation

       
       Running partition tests on : corp

          Starting test: CheckSDRefDom

             ......................... corp passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... corp passed test CrossRefValidation

       
       Running enterprise tests on : corp.<domain>.com

          Starting test: LocatorCheck

             ......................... corp.<domain>.com passed test LocatorCheck

          Starting test: Intersite

             ......................... corp.<domain>.com passed test Intersite

    Thursday, September 1, 2016 9:32 AM
  • Hi Wgiwir,

    Please reference the article below to fix it and then try again:

    FIX: The connectivity test that is run by the Dcdiag.exe tool fails together with error code 0x621

    https://support.microsoft.com/en-sg/kb/978387

    Best Regards

    John



    Friday, September 2, 2016 10:09 AM
  • Tried the suggestions in the last article sent. Did not work. Any other suggestions?
    Tuesday, September 6, 2016 7:40 PM
  • Hi,

    Disable IPV6 and turn off firewall then check again.

    Tuesday, September 6, 2016 8:11 PM
  • Hi Wgiwir,

    >> The host e6c32f4d-ae3d-4148-ab81-d9a224ac4eda._msdcs.corp.<domain>.com could not be resolved to an IP address

    Please open DNS Manager and click _msdcs.hostname.com, and then ensure the CNAME record (it is e6c32f4d-ae3d-4148-ab81-d9a224ac4eda._msdcs.corp.<domain>.com) is correct.

    Please check if the A record of the DC is correct.

    Best Regards

    John



    Wednesday, September 7, 2016 9:12 AM
  • The DNS service is running in Services but I cannot do anything in the menu. All greyed out.

    

    Wednesday, September 7, 2016 3:41 PM
  • All that is highlighted in yellow is greyed out. I cannot do anything.

    Wednesday, September 7, 2016 3:47 PM
  • Hi Wgiwir,

    Please click Properties, and then select the Security tab.

    Please ensure you have permission to control the DNS server.

    According to your screenshot of Action, the DNS server did not correctly integrate into the AD.

    Please check the website below to deploy it:

    Integrating AD DS into an Existing DNS Infrastructure

    https://technet.microsoft.com/en-us/library/cc770785(v=ws.10).aspx

    Best Regards

    John


    • Edited by John Lii Friday, September 9, 2016 7:35 AM
    Thursday, September 8, 2016 9:12 AM
  • Hi

    Where do I check the permissions? I am logged into the server as Admin.

    I also noticed one of the logs gave me the info below. Is it normal? Seems like it is pointing outside to an external DNS server. I do not recognize that address.

    The dynamic registration of the DNS record '_ldap._tcp.pdc._msdcs.corp.<domain>.com. 600 IN SRV 0 100 389 SVHAUS.corp.<domain>.com.' failed on the following DNS server:  

    DNS server IP address: 161.58.134.130 
    Returned Response Code (RCODE): 5 
    Returned Status Code: 9017  

    For computers and users to locate this domain controller, this record must be registered in DNS.  

    USER ACTION  
    Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain  controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service. 
      Or, you can manually add this record to DNS, but it is not recommended.  

    ADDITIONAL DATA 
    Error Value: DNS bad key.

    Thursday, September 8, 2016 5:20 PM
  • Please note this is not a brand new installation. Active Directory and DNS were already installed and working fine. Single server domain. No changes were made. I cannot do any configuration in DNS as everything is greyed out.
    Thursday, September 8, 2016 10:41 PM
  • Hi,

    Just want to confirm the current situations.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    John



    Monday, September 19, 2016 8:22 AM
  • Hi. I am in a single server environment where the DC is also the DNS server. The IP address is 10.59.0.3. Again, I have had this working now for over 2 years. Did not change anything on the server.

    The only thing that has happened recently is one of the drives on the RAID controller failed so I had to replace it.

    Firewall is off.

    Go into the DNS snap-in - I get "Access was Denied would you like to add it anyway". Once that is done, the server is there, nothing else, and a red mark through the server's name. No entries are listed there, as shown above.

    DCDIAG - Starting test: Connectivity
             The host e6c32f4d-ae3d-4148-ab81-d9a224ac4eda._msdcs.corp.<domain>.com could not be resolved to an IP
             address. Check the DNS server, DHCP, server name, etc.
             Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
             ......................... SVHAUS failed test Connectivity

    Netdom - Get "cannot change password", internal error. If I use the wrong password it tells me wrong password; however, if I put in the right password it tells me an internal error has occurred.

    Monday, September 19, 2016 5:41 PM
  • Hi Wgiwir,

    I am sorry that this issue still hasn't been resolved.

    If there is no progress, I would suggest you contact Microsoft Customer Services and Support to get an efficient solution:

    http://support.microsoft.com/contactus/?ln=en-au

    Have a nice day!

    Best Regards

    John



    Tuesday, September 20, 2016 6:41 AM