Re: Windows 2003 server DNS problems



In news:OAvzcBSnFHA.3300@xxxxxxxxxxxxxxxxxxxx,
John <john@xxxxxxx> made this post, which I then commented about below:
> I seem to have a problem with an upgrade Windows NT to Windows 2003
> installation.
>
> There was one domain controller on the network, and a second domain
> controller was installed as the temporary upgrade server, the
> temporary server was promoted as a PDC and the original PDC was
> promoted to a BDC. The temporary PDC was disconnected from the
> network and Windows 2003 was applied as an upgrade. Everything went
> ok, then when I added DNS I started to get the errors below. The DNS
> server is set up as a forwarder and is pointing to the router, and
> under tcp/ip properties the server is set up to point to itself.
>
> Here are the errors.
>
> Any ideas?
>
> Thanks
> John
> ================
> Event Type: Error
> Event Source: DNS
> Event Category: None
> Event ID: 4004
> Date: 8/9/2005
> Time: 2:57:45 PM
> User: N/A
> Computer: TEMPSRV
> Description:
> The DNS server was unable to complete directory service enumeration
> of zone abc.com. This DNS server is configured to use information
> obtained from Active Directory for this zone and is unable to load
> the zone without it. Check that the Active Directory is functioning
> properly and repeat enumeration of the zone. The extended error debug
> information (which may be empty) is "". The event data contains the
> error.
> Data:
> 0000: 2a 23 00 00 *#..
>
> =================
> Event Type: Error
> Event Source: DNS
> Event Category: None
> Event ID: 4015
> Date: 8/9/2005
> Time: 2:57:45 PM
> User: N/A
> Computer: TEMPSRV
> Description:
> The DNS server has encountered a critical error from the Active
> Directory. Check that the Active Directory is functioning properly.
> The extended error debug information (which may be empty) is "". The
> event data contains the error.
>
> Data:
> 0000: 51 00 00 00 Q...
>
> =========================
>
> Event Type: Warning
> Event Source: LSASRV
> Event Category: SPNEGO (Negotiator)
> Event ID: 40961
> Date: 8/9/2005
> Time: 3:00:43 PM
> User: N/A
> Computer: TEMPSRV
> Description:
> The Security System could not establish a secured connection with the
> server DNS/prisoner.iana.org. No authentication protocol was
> available.
> Data:
> 0000: 8b 01 00 c0 <..À
>
> ===============
> Event Type: Warning
> Event Source: LSASRV
> Event Category: SPNEGO (Negotiator)
> Event ID: 40960
> Date: 8/9/2005
> Time: 3:00:25 PM
> User: N/A
> Computer: TEMPSRV
> Description:
> The Security System detected an authentication error for the server .
> The failure code from authentication protocol Kerberos was "There are
> currently no logon servers available to service the logon request.
> (0xc000005e)".
>
> Data:
> 0000: 5e 00 00 c0 ^..À

John,

The 40960 and 40961 SPNEGO errors are based on Kerberos where it tries to
verify the SPN (Service Principal Name) and its "ego", meaning it
identifies itself by IP and wants to make sure the reverse PTR entry for
that IP points to the correct name under your AD zone. If you create a
reverse zone, that error will disappear. This was mandated in 2003. Win2000
didn't check for this.

The 4004 and 4015 errors mean the zone is AD Integrated, but it cannot grab
the zone data out of the AD database. Tell you what, just for this purpose,
since you only have the one DC for right now, change the zone properties to
a Primary zone that is not stored in AD and let that go for a couple of days
ensuring the errors disappear. Once confirmed, change it back to AD
Integrated and keep an eye on it.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
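
Each event quoted in this thread says "The event data contains the error" and carries it as a 4-byte Data value. The following is an added example, not part of either post: it reads records in that text layout and decodes the little-endian DWORD. The sample text is constructed from the quoted records, and the rule that treats DNS event 4015 data as an LDAP result code is an assumption of this example.

```python
import re
import struct

# Constructed sample in the layout of the quoted event text (trimmed fields).
SAMPLE = """\
Event Source: DNS
Event ID: 4004
Data:
0000: 2a 23 00 00 *#..
=================
Event Source: DNS
Event ID: 4015
Data:
0000: 51 00 00 00 Q...
=================
Event Source: LSASRV
Event ID: 40960
Data:
0000: 5e 00 00 c0 ^..
"""

# Symbolic names for the codes that appear in this thread
# (winerror.h, winldap.h and ntstatus.h respectively).
KNOWN = {
    ("win32", 9002): "DNS_ERROR_RCODE_SERVER_FAILURE",
    ("ldap", 81): "LDAP_SERVER_DOWN",
    ("ntstatus", 0xC000005E): "STATUS_NO_LOGON_SERVERS",
    ("ntstatus", 0xC000018B): "STATUS_NO_TRUST_SAM_ACCOUNT",
}
RECORD = re.compile(
    r"Event Source:\s*(?P<source>\S+).*?Event ID:\s*(?P<id>\d+).*?"
    r"0000:\s*(?P<hex>(?:[0-9a-fA-F]{2}\s+){4})", re.S)

def decode_events(text):
    """Return (source, event_id, kind, code, name) for each event record."""
    text = re.sub(r"^>\s?", "", text, flags=re.M)       # drop reply quoting
    results = []
    for chunk in re.split(r"^=+\s*$", text, flags=re.M):  # one record per chunk
        m = RECORD.search(chunk)
        if not m:
            continue                                     # record without Data
        raw = bytes.fromhex("".join(m.group("hex").split()))
        code = struct.unpack("<I", raw)[0]               # little-endian DWORD
        source, event_id = m.group("source"), int(m.group("id"))
        if code >> 30 == 3:                              # severity bits: NTSTATUS error
            kind = "ntstatus"
        elif source == "DNS" and event_id == 4015:       # assumption: LDAP result code
            kind = "ldap"
        else:
            kind = "win32"
        results.append((source, event_id, kind, code,
                        KNOWN.get((kind, code), "unknown")))
    return results
```

Read this way, the 4004 and 4015 data values (9002 and 81) both point at the DNS service failing to reach the directory, and the 40960 value matches the 0xc000005e shown in that event's description.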


