
Windows 2003 errors normal at startup?


bdoub1eu

IS-IT--Management
Dec 10, 2003
440
US
Hi all! I've got a new 2003 server that I just promoted to a DC and I've got some errors in the event logs whenever I reboot. Server takes a while (20 minutes) to get to the login screen...

In the app logs, I have 3096 (Primary Domain Controller for domain cannot be found) and NEGO error 40960.

In the DS logs, I have 2088 (Active Directory could not use DNS to resolve the IP address of the source domain controller listed below), but there is a 1394 event right after that that says: All problems preventing updates to the Active Directory Database have been cleared. New updates to the Active Directory database are succeeding. The Net Logon service has restarted.

KB article 824217 talks about the NEGO errors...I have run dcdiag and netdiag on this server and it comes up clean...Are these just erroneous errors?

 
Your DNS isn't installed correctly; you need to install DNS on your DC and after that make a zone domainname.com. If you did that, restart the Netlogon service a few times; this will let the DC register its PTR records that are needed for the domain to function correctly. I assume the other DC that it needs to find is on another subnet. You could point the server you are talking about to that DNS server for name resolution first, and after that, when the records for the server we are now talking about are registered, you can do a zone transfer from the master and that's it.

Regards Lars

Network admin for worldwide freight forwarders company.
MCP, MCSA: Messaging, MCSE 2003
 
What's interesting is that the warnings (not errors) are only at bootup...After that, AD/DNS seems to work just fine and I won't get any more.

AD won't install without DNS...I installed DNS first and then DCPROMO'd the machine. AD automatically configured DNS for me with the correct zone. I have two other DCs on this subnet. Strange...DCDIAG and NETDIAG come back clean...Does take the server about 15 minutes to get to the login screen...

Should I delete the zone and re-create it? If I do delete it, it won't delete it from other DNS servers will it?

Larsdemo, thanks for your help!

Another tidbit, if I point DNS to a different server (another 2003 DC), boots up just fine and no warnings...

I guess I could just point this server to a different DNS server, but I thought DCs were supposed to point to themselves for DNS.

 
You are correct. An AD DC should point to itself as DNS. You may want to try this to see what happens:

1) Flush the DNS Server cache

2) Flush DNS client cache on the DC. ipconfig /flushdns

3) Register DNS client on DC. ipconfig /registerdns

This is just a general DNS troubleshooting method.
 
I pointed this server that is having the warnings to the other DNS server in the TCP/IP properties and it booted right up with no errors...

So it does sound like something on this machine...I pointed the other server to this server's DNS and everything looks fine too (no warnings/errors). What gives? Should I just delete the zone and recreate it? If I delete it, will it replicate the deletion to other DCs?
 
You could also uninstall/reinstall DNS on that box and then force replication of the DNS partition.
 
I can uninstall DNS on a DC? How do you force replication of the DNS partition...

If something is wrong with DNS on server 1, you would think that server 2 would have issues when DNS on that machine is pointed to server 1. Server 2 didn't have any issues/warnings...
 
Yes, you can uninstall it. It's not advisable to keep it uninstalled for more than a couple of minutes though.

To force replication, use replmon.
 
Uninstalled/reinstalled DNS and same issue...Server takes about 15 minutes to get to the login screen. Don't understand...DNS is working fine on other DCs...When I install DNS, that just pulls the DNS info from AD, so how could DNS be different on this server?
 
On the DNS client config on this server, do you have primary as itself and secondary as the other DC? Do you have any forwarders setup on these DNS servers?
 
No, I just have the primary as itself...the other 4 DCs I also have themselves as the primary...None of the DCs have a secondary DNS server...Should they? I'll try that and see if that does away with the errors/warnings...
 
Under the forwarders tab, I have "all other DNS domains"...

I don't have a specific IP below that...I had read that if I left that option blank, then my DNS servers would send DNS requests out to the root servers for resolution.
 
Getting netlogon warnings in the system log:

Dynamic registration or deletion of one or more DNS records associated with DNS domain 'DomainDnsZones.domain.com.' failed

and

Dynamic registration or deletion of one or more DNS records associated with DNS domain 'ForestDnsZones.domain.com.' failed
 
First, I would put your second DC as secondary DNS server under DNS client settings for all DCs. Second, I would put in a forwarder under the "All other..." forwarder to point to an upstream DNS provider, like your ISP.

I don't think those things will fix this problem, but it's a best practice. As for your problem, I don't know. It looks like you have some bad DNS records in there. Maybe try scavenging on the bad DNS server, then clearing the cache. I would maybe then reboot and try again. I know it's guessing, but this is a weird circumstance.
 
Pointed the alternate to a secondary DNS and got this under system logs:

The Security System detected an authentication error for the server DNS/intranet-hb.domain.com. The failure code from authentication protocol Kerberos was "The specified user does not exist. (0xc0000064)"

The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was intranet-hb$ and lookup type 0x0.

The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was intranet-hb$@domain.COM and lookup type 0x20.

Got this under DNS logs:

The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

Pulling my hair out here :(

Thanks djtech for your help in this.


 
In DNS, I found reverse PTR records and other entries for this server...Apparently, when I installed the drivers for the NIC, it automatically went out and got an IP from our DHCP server before I could create a static IP, and then it registered that dynamic IP in DNS...

Would other entries in DNS for this server cause this problem?
 
Deleted all the records that were invalid for this server and rebooted...Same warnings at bootup and taking a long time to login...

Definitely DNS related...If I point the primary to another DNS server, it works fine...And if I point another DC to this server's DNS, it's fine...There's something about this server's DNS with itself...
 
Sorry, I think I have two posts going...

I read this:

From a newsgroup post: "This can be caused if you have a single DC or two DCs and they point to themselves as the first entry in the DNS list in IP properties and the zone is AD Integrated. Reason could be that the DC has many services running on it (SQL, Exchange, etc.) or is a slower machine, and when the Netlogon service tries to register into the zone at boot time, AD is not quite initialized yet and so you get the error. You can either ignore it or change the zone to a Primary, or if you have multiple DCs, change the first entry to the partner and the second to itself".
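The thread's troubleshooting boils down to three checks on the affected DC: the DNS client server order (the quoted post recommends partner DC first, itself second), a cache flush plus re-registration (the ipconfig /flushdns and /registerdns steps suggested earlier), and confirming that the records Netlogon publishes, including the DomainDnsZones and ForestDnsZones names from the warnings, actually resolve from the DC's own DNS server. The script below is an added example and not from this thread or any of its posters. It uses the DnsClient, DnsServer and NetTCPIP PowerShell modules, which exist on Windows Server 2012 and later, not on Windows 2003; the 2003-era equivalents (ipconfig /flushdns, ipconfig /registerdns, dnscmd /clearcache, nltest /dsregdns, nslookup -type=SRV) are named in the comments. 'domain.com' is the thread's stand-in domain name and the partner address is a TEST-NET placeholder; both are assumptions to replace.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the domain controller.
# Cmdlets assume Windows Server 2012+; Windows 2003 equivalents are noted inline.
[CmdletBinding()]
param(
    [string]$DomainName       = 'domain.com',   # placeholder domain, as used in the thread
    [string]$PartnerDcAddress = '192.0.2.10'    # assumption: replace with a real partner DC's IP
)

# (a) DNS client order: is this DC's resolver pointing only at itself?
$selfAddresses = @('127.0.0.1') + (Get-NetIPAddress -AddressFamily IPv4).IPAddress
$dnsClients = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }

foreach ($nic in $dnsClients) {
    $servers = $nic.ServerAddresses
    Write-Host "Interface $($nic.InterfaceAlias): DNS servers = $($servers -join ', ')"
    if ($servers.Count -eq 1 -and $selfAddresses -contains $servers[0]) {
        Write-Warning "  Only DNS server is this DC itself; Netlogon registration at boot can race AD startup."
        Write-Warning "  Order from the quoted post would be: $PartnerDcAddress first, then $($servers[0])."
        # Uncomment to apply that order:
        # Set-DnsClientServerAddress -InterfaceIndex $nic.InterfaceIndex -ServerAddresses @($PartnerDcAddress, $servers[0])
    }
}

# (b) Flush caches and re-register this DC's own records.
if (Get-Command Clear-DnsServerCache -ErrorAction SilentlyContinue) {
    Clear-DnsServerCache -Force   # DNS Server role cache (dnscmd /clearcache on 2003)
}
Clear-DnsClientCache              # ipconfig /flushdns
Register-DnsClient                # ipconfig /registerdns (host A/PTR records)
& nltest.exe /dsregdns | Out-Null # ask Netlogon to re-register its SRV records now

# (c) Verify against the local DNS server, the same source the DC uses when it points at itself.
$checks = @(
    @{ Name = "_ldap._tcp.dc._msdcs.$DomainName";     Type = 'SRV' },
    @{ Name = "_kerberos._tcp.dc._msdcs.$DomainName"; Type = 'SRV' },
    @{ Name = "DomainDnsZones.$DomainName";           Type = 'A'   },
    @{ Name = "ForestDnsZones.$DomainName";           Type = 'A'   }
)
foreach ($c in $checks) {
    try {
        # On 2003: nslookup -type=<Type> <Name> 127.0.0.1
        $rr = Resolve-DnsName -Name $c.Name -Type $c.Type -Server 127.0.0.1 -DnsOnly -ErrorAction Stop
        $targets = $rr | ForEach-Object { if ($c.Type -eq 'SRV') { $_.NameTarget } else { $_.IPAddress } }
        Write-Host "OK      $($c.Type) $($c.Name) -> $($targets -join ', ')"
    } catch {
        Write-Warning "MISSING $($c.Type) $($c.Name): $($_.Exception.Message)"
    }
}
# dcdiag /test:dns (Support Tools on 2003 SP1+) gives the fuller report afterwards.
```

Section (c) is the useful part when the symptom only appears at boot: if the SRV and DomainDnsZones/ForestDnsZones records resolve fine once the DC is up, the problem is the registration timing the quoted post describes rather than bad zone data, and reordering the client's DNS servers (or leaving the harmless warnings) is the appropriate response; if they are missing after re-registration, the zone data itself needs attention.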
 
I run my enterprise that way without any problems. I don't know why it would be a problem for you.

Try running dcdiag from the server causing problems and see what it says.
 
I would also initiate scavenging on the DNS server to get rid of all bad names/IPs.
 