Question
-
A single domain controller on the network, which is also the DNS server
Error ID 4000
The DNS server was unable to open Active Directory.
When I try to open the DNS snap-in, the message "Access was denied..." appears. Reinstalling the DNS role did not fix the problem; as I understand it, that is because AD is down.
Please help!
Answers
-
Is there another server on which you could set up DNS, create the domain zone there as a standard primary zone that allows nonsecure dynamic updates, and point to it as the only DNS server on the DC?
If so, then to decouple AD from DNS, do that, perform dynamic registration of all DNS names (the commands ipconfig /registerdns and nltest /dsregdns) and try running dcdiag after that.
Also, are there any other DNS servers in the network connection properties on the DC? If there are, they must be removed: the resolver on the DC may well have switched to one of them, and it will not switch back on its own.
Glory to Russia!
Marked as answer: 29 November 2017, 6:52
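The pre-checks suggested in the answer above, collected into one script. This is an added example and not code from the thread; it assumes it runs elevated on the affected DC, that `$env:USERDNSDOMAIN` holds the domain name, and that the administrator fills in `$OtherDcAddresses` (an assumed parameter) with the addresses of the other DCs so that legitimate DNS servers are not flagged.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the forum thread. Pre-checks on a DC that logs DNS event 4000:
# find stray DNS servers in the NIC settings, query the secure channel, re-register the
# DC's records and run the DNS test of dcdiag.
# $OtherDcAddresses is an assumption: supply the addresses of the other DCs in the domain.
param(
    [string[]]$OtherDcAddresses = @()
)

$domain = $env:USERDNSDOMAIN

# A DC's resolver should only point at itself or at other DCs. Anything else (an ISP
# resolver, a public DNS service) knows nothing about the AD zones, and once the resolver
# has switched to it, it will not switch back on its own.
$self    = Get-NetIPAddress -AddressFamily IPv4 | ForEach-Object { $_.IPAddress }
$allowed = @('127.0.0.1') + $self + $OtherDcAddresses

$stray = foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
    foreach ($srv in $cfg.ServerAddresses) {
        if ($allowed -notcontains $srv) {
            [pscustomobject]@{ Interface = $cfg.InterfaceAlias; Server = $srv }
        }
    }
}
if ($stray) {
    $stray | Format-Table -AutoSize
    Write-Warning "Remove the DNS servers listed above from the DC's network connections"
} else {
    Write-Host "DNS client settings only reference this DC and the supplied DC addresses"
}

# Secure-channel state with the domain. A DC that has lost it cannot bind to AD, so the
# AD-integrated zones stay unloaded and the DNS console answers 'Access Denied'.
nltest "/sc_query:$domain"
if ($LASTEXITCODE -ne 0) {
    Write-Warning "nltest /sc_query failed (exit $LASTEXITCODE): the secure channel is broken"
}

# Dynamic re-registration of the host and DC locator records, then the DNS health test.
ipconfig /registerdns | Out-Null
nltest /dsregdns
dcdiag /test:DNS /v
```

Run it once before changing anything and keep the output: the list of stray resolvers and the nltest result tell you whether the problem is the resolver configuration (fixable by removing the extra servers) or a broken secure channel (which needs the reset procedure given in the next answer).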
Marked as answer
Event ID 4000:
The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
Event ID 4007:
The DNS server was unable to open zone <zone> in the Active Directory from the application directory partition <partition name>. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
Solution
If there is another domain controller or DNS server in the environment, configure the server that has the problem to point to another working DNS server in its TCP/IP properties.
- Stop the KDC service on the DC that has the problem.
net stop KDC
- Run the following command with elevated rights:
netdom resetpwd /server:<PDC.domain.com> /userd:<Domain\domain_admin> /passwordd:*
example: netdom resetpwd /server:10.0.10.10 /userd:mydomain.local\VasyaVS /passwordd:MyPassw0rd
- Start the KDC service on the DC.
net start KDC
- Synchronize the changes and make sure the command completes without errors:
repadmin /syncall
- Reboot the server
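The same reset sequence as a guarded script, added here as an example rather than taken from the answer. It only resets when nltest confirms the secure channel is broken, stops the KDC before the machine password change and restarts it on failure, and checks the exit codes of netdom and repadmin before telling you to reboot. `$Pdc` and `$AdminAccount` are placeholder parameters to replace with your PDC emulator and admin account; the script runs elevated on the affected DC.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the forum answer: the secure-channel reset as a guarded script.
# Placeholders: $Pdc and $AdminAccount must be replaced with real values.
param(
    [string]$Pdc          = 'pdc.example.local',    # FQDN or IP of the PDC emulator (placeholder)
    [string]$AdminAccount = 'EXAMPLE\domain_admin'  # domain\user allowed to reset the machine password (placeholder)
)
$domain = $env:USERDNSDOMAIN

# Only reset when the secure channel is actually broken; nltest sets a non-zero exit code on failure.
nltest "/sc_verify:$domain" | Out-Null
if ($LASTEXITCODE -eq 0) {
    Write-Host "Secure channel to $domain verifies; no reset needed."
    return
}

# 1. Take the KDC down for the duration of the machine account password change, as the
#    procedure requires, so the DC does not keep authenticating against its stale secret.
Stop-Service -Name kdc -Force

# 2. /passwordd:* makes netdom prompt for the password instead of taking it on the command
#    line, where it would end up in shell history and process listings.
netdom resetpwd "/server:$Pdc" "/userd:$AdminAccount" /passwordd:*
if ($LASTEXITCODE -ne 0) {
    Start-Service -Name kdc
    throw "netdom resetpwd failed (exit $LASTEXITCODE); KDC restarted, nothing else was changed"
}

# 3. Bring the KDC back and push the change to every partition on every DC, across sites.
Start-Service -Name kdc
repadmin /syncall /AdeP
if ($LASTEXITCODE -ne 0) {
    Write-Warning "repadmin reported errors (exit $LASTEXITCODE); resolve replication before rebooting"
} else {
    Write-Host "Replication converged. Reboot the DC now (Restart-Computer) and confirm the DNS zones load."
}
```

The deliberate omission is the reboot itself: after `repadmin` completes cleanly you still want a moment to read its output before the DC goes down, especially when it is the only DC on the network.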
Recently we had “Patch Monday” – unusual since we usually patch on Fridays (in case something goes wrong we have the weekend ahead), but this one time it was a good opportunity since there was some infrastructure work with planned downtime and we took the opportunity to patch.
Unfortunately something went very wrong. First, after rebooting one of the Exchange servers I got the following error:
Exchange ECP / The LDAP Server is unavailable
“Topology Provider couldn’t find the Microsoft Exchange Active Directory”
In logs event id 2142 MSExchangeADTopology was logged with error “Topology discovery failed”
At first I thought it was a bad patch, but soon after that the still-unpatched Exchange server reported errors as well.
The errors obviously point to AD. I looked at the domain controller since it had also been updated. Immediately after logging onto the DC I was greeted with an unpleasant surprise.
After opening the DNS console an “Access Denied” message appeared.
DNS was unreachable.
On the DC the following events were logged:
Microsoft-Windows-DNS-Server-Service Event ID 4000
The description for Event ID ( 4000 ) in Source ( Microsoft-Windows-DNS-Server-Service ) cannot be found. Either the component that raises this event is not installed on your local computer, or the installation is corrupted. You can install or repair the component on the local computer, or contact the component manufacturer for a newer version.
If the event was saved from another computer or forwarded from a remote computer, you might have to include display information with the events when saving them or when setting up the forwarding s
Microsoft-Windows-DNS-Server-Service Event ID 4007
The description for Event ID ( 4007 ) in Source ( Microsoft-Windows-DNS-Server-Service ) cannot be found. Either the component that raises this event is not installed on your local computer, or the installation is corrupted. You can install or repair the component on the local computer, or contact the component manufacturer for a newer version.
If the event was saved from another computer or forwarded from a remote computer, you might have to include display information with the events when saving them or when setting up the forwarding
According to Microsoft / https://support.microsoft.com/en-us/help/2751452/dns-zones-do-not-load–event-4000–4007 this happens in two cases:
- This happens when that particular DC/DNS server has lost its secure channel with itself or the PDC.
- This can also happen in a single-DC environment where that DC/DNS server holds all the FSMO roles and is pointing to itself as the primary DNS server.
I’m still not sure why this happened in my case, but here are the steps that resolved this problem for me:
Stop the KDC (Kerberos Key Distribution Center) service in the Services console on the DC that doesn’t work.
Run a command prompt with elevated privileges (as Administrator) and enter the following command:
netdom resetpwd /server:DC.domain.local /userd:Domain\domain_admin /passwordd:*
(replace DC.domain.local with the FQDN of your DC, and Domain\domain_admin with your domain and admin account)
You will be prompted for the password. Enter the domain admin password that you use for that account.
Once the command has executed, restart the server.
DNS zones after that worked for me and Exchange Servers were fine.
I have a VM running Server 2016 which is my DC running AD. I shut it down because I had to unplug the server to move it; when I turned it back on I’m getting this error in the event viewer.
—
event id 4000 Error Microsoft-Windows-DNS-Server-Service DNS Server12/11/2020 11
The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
—
When I went to select DNS from Server Manager, it showed this box “connect to the DNS server”. Doing some research, I saw that it is unable to pull in my records. An article had me try [net stop kdc]; I did that and then it said to run this command:
netdom resetpwd /server:<PDC.domain.com> /userd:<Domain\domain_admin> /passwordd:*
(I don't know what PDC is)
I tried to run the command but I did it wrong, so I entered net start kdc... and I was able to pull up my DNS records. However the server is still not resolving.
I had to move on to another issue. I have a 2nd DC, thank GOD... and now that I’m done with the other issues and back onto this again, I try to access DNS and I get the pop-up box again.
I’ve had to reconfigure a lot of routers at many locations that were using that DNS server to now point to the other DNS server... because the secondary DNS server setting never works (which I’ve put multiple questions in before but still can't figure out, but that's another topic)...
Can someone help...
Thanks
Event ID 4000 — DNS Server Active Directory Integration
Updated: November 13, 2007
Applies To: Windows Server 2008
You can configure the DNS Server service to use Active Directory Domain Services (AD DS) to store zone data. This makes it possible for the DNS server to rely on directory replication, which enhances security, reliability, and ease of administration.
Event Details
Product: Windows Operating System
ID: 4000
Source: Microsoft-Windows-DNS-Server-Service
Version: 6.0
Symbolic Name: DNS_EVENT_DS_OPEN_FAILED
Message: The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
Resolve
Troubleshoot AD DS and restart the DNS Server service
The DNS Server service relies on Active Directory Domain Services (AD DS) to store and retrieve information for AD DS-integrated zones. This error indicates that AD DS is not responding to requests from the DNS Server service. Ensure that AD DS is functioning properly, troubleshoot any problems, and then restart the DNS Server service.
For information about troubleshooting AD DS, see Active Directory Troubleshooting Topics (http://go.microsoft.com/fwlink/?LinkId=95789).
To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.
To restart the DNS Server service:
- On the DNS server, start Server Manager. To start Server Manager, click Start, click Administrative Tools, and then click Server Manager.
- In the console tree, expand Roles, expand DNS Server, and then expand DNS.
- Right-click the DNS server, click All Tasks, and then click Restart.
If the problem continues, restart the computer and then use Server Manager to confirm that the DNS Server service has started.
To restart the computer:
- Click Start, click the arrow next to the Lock button, and then click Restart.
To confirm that the DNS Server service has started:
- On the DNS server, start Server Manager.
- In the console tree, expand Roles, and then click DNS Server.
The System Services list shows the state of the DNS Server service.
Verify
Ensure that Event IDs 4523 and 4524 are being logged and that no events in the range 4000 to 4019 appear in the Domain Name System (DNS) event log.
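The Verify step above as a check you can run after the restart. This is an added example, not part of the Microsoft article; it assumes the DNS Server service process is named `dns` (its start time bounds the search window) and that the log is called 'DNS Server', and it treats 4523/4524 as the zone-loaded confirmations and 4000 to 4019 as the failure range exactly as the article states.

```powershell
# Added example, not from the Microsoft article. Implements the Verify step: since the last
# start of the DNS Server service, the 'DNS Server' log should contain 4523/4524 (zone loaded)
# and no event in the 4000-4019 range (Active Directory integration failures).
# Assumption: the service process is dns.exe, so its StartTime marks the last (re)start.
function Test-DnsZoneLoad {
    $since  = (Get-Process -Name dns -ErrorAction Stop).StartTime
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; StartTime = $since } `
                           -ErrorAction SilentlyContinue

    $failures = $events | Where-Object { $_.Id -ge 4000 -and $_.Id -le 4019 }
    $loaded   = $events | Where-Object { $_.Id -in 4523, 4524 }

    # Show each failure with the first line of its message so the operator sees which zone or
    # partition is affected without opening Event Viewer.
    foreach ($e in $failures) {
        Write-Warning ("{0} {1}: {2}" -f $e.TimeCreated, $e.Id, ($e.Message -split "`n")[0])
    }

    [pscustomobject]@{
        ServiceStarted = $since
        ZoneLoadEvents = @($loaded).Count
        FailureEvents  = @($failures).Count
        Healthy        = (@($loaded).Count -gt 0) -and (@($failures).Count -eq 0)
    }
}

Test-DnsZoneLoad
```

`Healthy` is only true when both conditions hold: a restart that logs neither zone-loaded events nor failures usually means the service has not finished starting, so re-run the check after a minute rather than treating silence as success.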
Related Management Information
DNS Server Active Directory Integration
DNS Infrastructure
I came across an Exchange issue where the Exchange services were not starting up after a reboot of my Exchange Server (AD was also hosted on the same server). For one, it took a long time to start up, indicating DNS issues, and after boot-up DNS stopped working and gave the above error message. The event logs were filled with two errors:
Event ID 4000:
The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
Event id 4007:
The DNS server was unable to open zone <zone> in the Active Directory from the application directory partition <partition name>. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
Symptoms:
- When you try to open the DNS console you get a pop-up saying “Access Denied”.
- You notice that the DNS Server service is up and running.
- When you try to perform any operation on the AD-integrated zones using DNSCMD you get “Access Denied”.
Causes:
- This happens when the DC/DNS server has lost its secure channel with itself or the PDC.
- This can also happen in a single-DC environment where the DC/DNS server holds all the FSMO roles and is pointing to itself as the primary DNS server.
Resolution:
- Stop the KDC service on the DC experiencing the issue.
- Run the following command with elevated rights: netdom resetpwd /server:<PDC.domain.com> /userd:<Domain\domain_admin> /passwordd:*
- It will prompt for the password of the Domain Admin account that you used; enter that.
- Once the command executes, reboot the server.
- DNS zones should load now.
- Exchange services should start.
Make sure you have not configured a Google IP as the DNS server.