Need help - DNS Server and AD problems

K

Krypto9t

Member
Joined
Jan 25, 2015
Messages
20
Hi There,

Is there anyone here who is a System Administrator who knows Windows server 2011 SBS and Active directory well?

Im having some problems with the DNS server and Active Directory. The event ID for this is Event ID: 4015

I have also used Technet forums but cant find a solution there. Any help would be greatly appreciated!!
 
EasyUp Web Hosting

EasyUp Web Hosting

EasyUp Web Hosting
Company Rep
Joined
Mar 18, 2008
Messages
8,517
There are a couple of us here, but we need more information to be able to assist. What are the problems?
 
R4ziel

R4ziel

Expert Member
Joined
Apr 16, 2015
Messages
2,594
Yeah you need to give a hell of a lot more info regarding what the problem is, there will definitely be someone that can assist
 
K

Krypto9t

Member
Joined
Jan 25, 2015
Messages
20
There are some problems with users trying to connect to the vpn. Only if we use the google dns server are they able to connect to the network.

Im also not entirely sure but I think there is a problem with the dns settings on the domain controller.

===ERROR===
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "000020EF: SvcErr: DSID-02060835, problem 5012 (DIR_ERROR), data -1014". The event data contains the error.

Please let me know what tests I can perform to find out more information?
 
K

Krypto9t

Member
Joined
Jan 25, 2015
Messages
20
===dcdiag===

C:\Users\administrator.SERVER>dcdiag

Directory Server Diagnosis

Performing initial setup:
Trying to find home server...
Home Server = SERVERPDC
* Identified AD Forest.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\SERVERPDC
Starting test: Connectivity
The host dae2c238-454d-4271-81f5-a52c44b13df3._msdcs.domain.co.za
could not be resolved to an IP address. Check the DNS server, DHCP,
server name, etc.
Got error while checking LDAP and RPC connectivity. Please check your
firewall settings.
......................... SERVERPDC failed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\SERVERPDC
Skipping all tests, because server SERVERPDC is not responding to
directory service requests.


Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation

Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation

Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation

Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation

Running partition tests on : domain
Starting test: CheckSDRefDom
......................... domain passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... domain passed test CrossRefValidation

Running enterprise tests on : domain.co.za
Starting test: LocatorCheck
......................... domain.co.za passed test LocatorCheck
Starting test: Intersite
......................... domain.co.za passed test Intersite

C:\Users\administrator.SERVER>
 
K

Krypto9t

Member
Joined
Jan 25, 2015
Messages
20
Here is the most recent warning message from Directory Service events.

Log Name: Directory Service
Source: NTDS ISAM
Date: 2018/05/10 22:46:53
Event ID: 508
Task Category: Performance
Level: Warning
Keywords: Classic
User: N/A
Computer: DOMAINPDC.domain.co.za
Description:
NTDS (568) NTDSA: A request to write to the file "C:\Windows\ntds\temp.edb" at offset 32768 (0x0000000000008000) for 8192 (0x00002000) bytes succeeded, but took an abnormally long time (71 seconds) to be serviced by the OS. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="NTDS ISAM" />
<EventID Qualifiers="0">508</EventID>
<Level>3</Level>
<Task>7</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2018-05-10T20:46:53.000000000Z" />
<EventRecordID>16037</EventRecordID>
<Channel>Directory Service</Channel>
<Computer>DOMAINPDC.domain.co.za</Computer>
<Security />
</System>
<EventData>
<Data>NTDS</Data>
<Data>568</Data>
<Data>NTDSA: </Data>
<Data>C:\Windows\ntds\temp.edb</Data>
<Data>32768 (0x0000000000008000)</Data>
<Data>8192 (0x00002000)</Data>
<Data>71</Data>
</EventData>
</Event>
 
A

Asha'man X

Expert Member
Joined
Aug 31, 2006
Messages
1,401
Hi there,

Not sure if you managed to sort your problem out since this is almost a month ago, but here's some of my thoughts:

Your last event warning looks like there is an issue writing that file in a normal amount of time. As the log says, there is probably faulty hardware such as a dying hard drive, bad hard drive controller, bad cable etc.

As for the log above, it looks like some service records are missing in your domain's DNS, which is why the very first error message comes up. In the Forward Lookup Zone _msdcs.domain.co.za, try creating a CNAME record for dae2c238-454d-4271-81f5-a52c44b13df3. to point to SERVERDC.domain.co.za and see if the DCDIAG test passes.
 
DMNknight

DMNknight

Expert Member
Joined
Oct 17, 2003
Messages
3,385
The analysis is correct, it seems you are missing critical DNS entries. However, please don't manually create the DNS entries as it not only fudges with object ownership and permissions but makes it a static record. Not a problem perse, but I like to keep system objects as system owned and controlled.

Rather use this command in an administrative command prompt -> NLTEST /DSREGDNS
That command will force the creation of all DC related DNS entries, including the ones you don't know about.

Any reason why you're running DCDIAG from the local administrator account on a member server?
 
Last edited:
DMNknight

DMNknight

Expert Member
Joined
Oct 17, 2003
Messages
3,385
Krypto9t said:
Here is the most recent warning message from Directory Service events.
Click to expand...

Unless you were running backups at the time, this is most concerning if it is a consistent entry in your Event logs.

2 good practices regarding your AD database.
1) Run it on a different partition to your OS, even if you create a 5Gb partition, do it. Some of the biggest failures I have seen is because a service pack, admin profile or expanding pagefile took up all the C: drive space and suddenly AD cannot write replication data to the DB.
2) Don't have the pagefile on the same drive either. This is a little iffy, but the page file can cause disk thrashing during high memory use, competing with your AD DB for disk I/O which is asking for a corrupt DB.
 
You must log in or register to reply here.
Top