Can you remove DNS from Domain Controller and reinstall to repair?

Discussion in 'Windows Server' started by Saral6978, Sep 19, 2008.

  1. Saral6978

    Saral6978 Guest

    I'm having issues with the DNS server service - when set to automatic it
    won't allow my DC to boot - hangs on Preparing Network Connections. If I set
    it to Manual it boots up and I can login and then I start DNS manually after
    login. I believe the problem started after a recent MS Update.

    I'm toying with the idea of uninstalling DNS and reinstalling while it is
    still a DC with Active Directory. Can I do that or no?
    Saral6978, Sep 19, 2008
  2. Saral6978

    Saral6978 Guest

    The domain controller I am working on in question does not hold any of the
    FSMO roles or anything like that, so I'm hoping that removing DNS from the
    server would be okay...I have brought up another DC at this site with DNS
    installed, so at least now I have a backup DC handy if necessary...Any

    Also - there are no errors in the Event Log pertaining to DNS Server or
    anything when it hangs on Preparing Network Connections. Once I log in and
    start the service, everything is as happy as can be, replication, name
    resolution, etc.

    Is there a chance that maybe the network card drivers need updating? The
    server is an HP DL360G5 with two, GB ethernet ports, and I have them teamed.
    I have 2 other identical servers at 2 other sites (both DCs, running same OS,
    everything identical to this one), and they are having no issues at all.
    Saral6978, Sep 19, 2008
  3. Hello Saral6978,

    Is this the only DC/DNS server? Well, during the startup the server will
    try to connect to the domain DNS server. Unfortunately it can happen that
    the DNS server service needs a long time to start so it can not find its
    own DNS server. I think that is the reason for the long time of preparing
    network connections. If you have an additional DC, I would make it also DNS
    server use AD integrated zones and configure both of them for preferred DNS
    as itself and secondary to the other. So it can always reach the secondary
    if its own is not started.

    Best regards

    Meinolf Weber
    Meinolf Weber, Sep 19, 2008
  4. Saral6978

    Saral6978 Guest

    <Is this the only DC/DNS server?>

    At this particular site it was...I originally had it configured to use itself
    and a remote DNS server at my main site for its DNS server. It was a record
    48hrs that it sat at Preparing Network Connections. It had done a reboot
    about 5:00am on a Saturday and Monday morning it was still sitting at the
    screen. DNS had been flaking out for the past 2 weeks after some updates had
    applied, for example, my DNS zone would be empty and I had to manually
    restart the DNS server service for it to populate but then it would still
    boot up okay...then about 2 weeks later, it just got stuck on that part of
    the reboot. I figured out the issue was the DNS Server because I went into
    Safe mode and changed it to Manual, then no problem.

    <If you have an additional DC, I would make it also DNS server use AD
    integrated zones and configure both of them for preferred DNS as itself and
    secondary to the other.>

    The secondary DNS server that I just brought up, I did install DNS on it as
    well, and its zone is also AD-Integrated. I installed DNS first, then added
    the DC role to it so it configured the AD-Integrated zone automatically.
    This backup DC is fully operational, replicating with the other 4 DCs in my
    domain (at 3 different sites). I configured its DNS with itself as the
    primary, the above DC having issues is the secondary, and I added one of my
    remote DNS servers as a third.

    And like you suggested, I had added my newly promoted DC as the secondary
    DNS server to the one having the problem starting up. I have not yet
    attempted a reboot yet on the server having the issue, so perhaps this will
    solve it, but the problem still exists that why now all of a sudden this
    server can't find itself as a DNS server during the boot process when it was
    working just fine a couple of weeks ago? That's why I'm wondering if I just
    remove DNS from this server and reinstall it, it might fix whatever the
    problem is...

    Thanks for your reply,

    Saral6978, Sep 19, 2008
  5. Hello Saral6978,

    48 hours is really too long. I will crosspost to,
    there are the DNS experts.

    Best regards

    Meinolf Weber
    Meinolf Weber, Sep 20, 2008
  6. What operating system and service pack level are your DCs?
    Do you have AD Sites configured properly?
    What errors are on any of the DCs? If any exist, please post the EventID#
    and Source names.

    I'm trying to get a handle on your infrastructure. Not sure what was
    installed or updated, but any of the updates would not cause this issue. So
    I'll give you a generalization of what to look for with configuring your DCs
    in a multi-site scenario and other recommendations.

    In a multi-site config with Sites configured properly, always point DNS to
    itself as first, and pick another DC in another site as second.

    There is no such thing as a 'secondary' zone, unless of course you are
    speaking of the position as being the 'second' DNS address in IP properties.

    If you have any DC with a true "Secondary" zone of a zone that is AD
    integrated, expect huge problems. If so, it will cause duplicate zones in
    the AD database and that is not easily cleaned up.

    If you have ever wanted to uninstall DNS on a DC, and decided to manually
    delete an AD Integrated zone first prior to uninstallation, you have just
    effectively deleted the whole zone out of AD. If you want to remove the DNS
    service off a DC that has an AD integrated zone, simply go into Add/Remove,
    Windows Components, and uncheck the box. Never delete the zone first.

    If a server cannot 'find itself' for DNS, I would suggest to change its
    first entry to another DC in another Site with an operational DNS and let it
    come up. Then put itself as second. Reboot after about an hour to make sure
    it still comes up. If it comes up clean, then change it to itself as the
    first entry, then the other one as the second entry. The reason why it can't
    find itself is because AD is not up yet for whatever reason, such as
    possibly an update, or an app change and needed to do something during the
    restart, etc, therefore since AD is not up yet, and the zone is AD
    integrated, then DNS can't find it in the AD database simply because AD
    services have not started yet.

    Make sense?

    So applying what I mentioned, can you backtrack on what was done and in what
    order as to what was done to better understand what may have happened?


    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
    MVP Microsoft MVP - Directory Services
    Microsoft Certified Trainer

    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check for regional support phone numbers.

    Enter into an artificial quantum singularity lined with fermions and
    neutrino scatterings depicted by electrons smashing into protons and
    neutrons like billiard balls moving at warp 9 exposing quarks, mesons and
    baryons, the essentials of their existence, that are spinning off in half
    scatters. You have now entered the Twilight Zone.
    Ace Fekay [MVP Directory Services], Sep 20, 2008
  7. Saral6978

    Saral6978 Guest

    Ace - thank you so much for your reply, I really appreciate it.

    3 of the DCs, which includes the one I'm having issues with, are running
    Windows 2003 R2, SP2, and the other 2 DCs are running Windows 2003, SP2.

    I am getting one error in the DNS Server log, but I have to confirm if it's
    being generated during the reboot when DNS is set to automatic, or if it's
    being logged because I have DNS Server set to manual. In any case, it's
    Event ID 4015: The DNS server has encountered a critical error from the
    Active Directory. Check that the Active Directory is functioning properly.
    The event data contains the error.

    I have been looking into this error and possible causes. My AD does seem to
    be functioning correctly though, as there are no other errors in my event
    log, and shortly after 4015 is logged, another event says DNS has started and
    there are no other errors. I'm not sure if that's when I manually turned it
    on or not. I will be doing a reboot Monday and keep better track of when
    these errors/alerts are happening.

    AD sites and services is setup properly and replication is running
    seamlessly. I do have DNS set to point to itself first on all my DCs, and
    then I pick another DC in another site as second. When I meant "secondary",
    I meant just the secondary DNS server, not a zone. I only have the one zone
    with the one domain.

    I would never have deleted the Zone from DNS - My plan was to go into
    Add/Remove programs and uncheck DNS from the DC and uninstall it. So, by
    what you said, I should be able to safely uninstall DNS from Windows
    Components on the domain controller without hosing my current Active
    Directory/AD Integrated Zone and affecting my other DCs? If I can do this,
    it might be worth a shot to see if this would solve the problem.

    But, before I do that, since I now have a 2nd DC at this particular site, I
    will change my problem DC's 1st DNS server to the 2nd DC of that site and
    see if I can get it to start. Someone had also mentioned there are a few
    Windows updates that are specifically security updates for DNS that can
    affect services from starting (using UDP ports) and that you have to reserve
    a port, because there is a port that DNS or AD might be using that it can't
    because this port is in use. Problem is, I have no idea what ports to
    attempt to reserve to see if that is truly the problem. DNS to my knowledge
    only uses TCP and UDP ports 53. I'm not sure about AD though, I haven't
    checked it.

    Thanks, again!

    Saral6978, Sep 21, 2008
  8. Meinolf Weber, Sep 21, 2008

  9. Hi Sara,

    Honestly I haven't heard of these problems until now. But a real important
    point, is that you must keep the DNS service set to automatic at all times.
    Otherwise leaving it to manual will cause issues at startup because AD can't
    find itself if the first entry is pointed to itself unless the DNS service
    is running. Otherwise, how is it supposed to query a non-running DNS

    As for uninstalling, yes, just uncheck the box. But I would leave the
    service enabled and try it out.

    The security update reserves 2500 UDP ephemeral ports. The ephemeral ports
    are the response ports anywhere between UDP 1025 and UDP 2500. Sometimes
    this can cause problems with 3rd party apps installed that need these ports
    as well as the IPSec service. Otherwise, if you don't have anything else
    installed, it shouldn't be a problem. The following is more info on the
    security update and the ports being used. But I don't think this is the
    cause of the problem.

    The DNS patch will reserve 2500 ephemeral UDP ports. When you run a
    netstat -ab, it will display the 2500 UDP ports that have been
    reserved, but not necessarily in use. This is part of the memory
    consumption. I've noticed the following (your mileage may vary):

    dns.exe       Before     After
    Mem usage      9758K   36,232K
    Peak Mem     10,208K   36,584K
    Paged Pool       71K      798K
    NP Pool          17K    4,833K
    Handles          238     5,217
    Threads           20        20

    MS08-037: Description of the security update for DNS in Windows Server 2003,
    in Windows XP, and in Windows 2000 Server (client side): July 8, 2008:

    MS08-037: Vulnerabilities in DNS could allow spoofing

    How to reserve a range of ephemeral ports on a computer that is running
    Windows Server 2003 or Windows 2000 Server

    You experience issues with UDP-dependent network services after you install
    DNS Server service security update 953230 (MS08-037)

    Some Services May Fail to Start or May Not Work Properly After Installing
    MS08-037 (951746 and 951748)

    SBS Services failing after MS08-037 - KB951746 and 951748
    Ace Fekay [MVP Directory Services], Sep 21, 2008
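    A defender-side check for the points Ace raises above (DNS Server start type,
    the adapter's DNS order, and third-party processes sitting on UDP ports in the
    range the security update reserves). This is an added example, not code from
    the thread or from Microsoft; it assumes PowerShell run as Administrator on
    the DC, uses the UDP 1025-2500 range quoted in the post, and reads the
    ReservedPorts registry value named in the KB article Ace lists (an assumption).

    ```powershell
    # Added diagnostic, not part of the original thread. Run elevated on the DC.

    # 1. DNS Server service must be Automatic, or AD cannot resolve itself at boot.
    $svc = Get-WmiObject Win32_Service -Filter "Name='DNS'"
    "DNS Server service: State={0} StartMode={1}" -f $svc.State, $svc.StartMode
    if ($svc.StartMode -ne 'Auto') { "  WARNING: service is not Automatic" }

    # 2. DNS client order per adapter: itself first, another DC second.
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE'
    $localIps = @($nics | ForEach-Object { $_.IPAddress })
    foreach ($nic in $nics) {
        $order = @($nic.DNSServerSearchOrder)
        "{0}: DNS order = {1}" -f $nic.Description, ($order -join ', ')
        if ($order.Count -lt 2) { "  WARNING: no second DNS entry; add another DC" }
        elseif ($localIps -notcontains $order[0]) { "  NOTE: first entry is not this server" }
    }

    # 3. ReservedPorts (Tcpip\Parameters) as documented in the KB on reserving ports;
    #    value name assumed from that article, not from the thread.
    $tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $reserved = (Get-ItemProperty $tcpip -ErrorAction SilentlyContinue).ReservedPorts
    "ReservedPorts: {0}" -f ($(if ($reserved) { $reserved -join ' ' } else { '(none)' }))

    # 4. Non-dns.exe processes holding UDP ports in the reserved range.
    #    Range values are the ones quoted in the post (UDP 1025-2500).
    $low = 1025; $high = 2500
    $dnsPid = (Get-WmiObject Win32_Process -Filter "Name='dns.exe'").ProcessId
    $found = 0
    netstat -ano -p udp | ForEach-Object {
        # netstat line shape: "  UDP    0.0.0.0:1026    *:*    1234"
        if ($_ -match '^\s*UDP\s+\S+:(\d+)\s+\S+\s+(\d+)\s*$') {
            $port = [int]$matches[1]; $owner = [int]$matches[2]
            if ($port -ge $low -and $port -le $high -and $owner -ne $dnsPid) {
                $proc = Get-WmiObject Win32_Process -Filter "ProcessId=$owner"
                "  CONFLICT: UDP {0} held by PID {1} ({2})" -f $port, $owner, $proc.Name
                $found++
            }
        }
    }
    if ($found -eq 0) { "No non-DNS UDP listeners in {0}-{1}" -f $low, $high }
    ```

    Any CONFLICT line names a candidate for the agent-on-a-DC problem the thread
    ends on; move that application off the DC rather than stopping the DNS service.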
  10. Saral6978

    Saral6978 Guest

    Thank you Meinolf - I did look at this link last Friday. I did look at the
    (.) root zone part, but to me, they are suggesting I change my zone to type,
    and I'm not sure I am comfortable doing that when I'm not having issues with
    my other DCs and their DNS server service, etc...
    Saral6978, Sep 22, 2008
  11. Saral6978

    Saral6978 Guest

    Ace -

    Yes, I realize that DNS should be set to automatic, believe me, I want to
    switch it back. Unfortunately, the server won't boot up if it is set to
    automatic. Currently, it is still set to manual, and if I happen to reboot
    the server, I then log in and start DNS Server right away manually. It's not
    that I have DNS stopped altogether or anything.

    <<The security update reserves 2500 UDP ephemeral ports. The ephemeral ports
    are the response ports anywhere between UDP 1025 and UDP 2500. Sometimes this
    can cause problems with 3rd party apps installed that need these ports as well
    as the IPSec service.>>

    I don't have much running on this DC, but I do have 3rd party tools, like a
    SurfControl Agent, a SpecOpsPasswordPolicy agent running, both which
    communicate with AD. I've looked at all the documentation that you noted
    below about the ports last week. Thursday night I did remove 3 updates that
    I suspected might be causing the issue and when I removed them my server
    booted normally with DNS Server on automatic. I then applied the 3 updates
    one at a time and after I installed KB945553 (which is a DNS security
    update), my server got stuck again on Preparing Network Connections. I then
    booted into Safe Mode, switched DNS back to manual, then booted back into the
    regular OS and uninstalled only that update and switched DNS back to Auto,
    but unfortunately, the server still got stuck on reboot. I removed those
    other 2 updates again, and it still wouldn't boot. So, I'm not sure why it
    booted okay the first time after I removed all 3 updates (only difference was
    that I didn't remove them in the same order that I did the first time).

    Well, in any case, I'm going to do a reboot this morning to see what happens
    with using a different DNS server as the primary and of course, resetting my
    service back to Automatic before the reboot.

    Saral6978, Sep 22, 2008
  12. Saral6978

    Saral6978 Guest

    Well, this is kind of what I did. I installed all needed
    critical updates, including all the DNS security updates I hadn't yet
    applied, and the ones I removed, added my other DC as the Secondary DNS
    server on the NIC, changed the DNS Server service to automatic and rebooted.
    My server rebooted very quickly and successfully! I then remove that
    secondary DNS server and put in one from my remote site, and then rebooted
    the server and it still worked!

    So, I'm thinking that by installing ALL the necessary windows updates that
    it might have fixed my problem...I really don't know. I no longer have the
    4015 error, and no other errors pertaining to DNS or active directory.
    Everything is running as it should.

    I don't know what to say about this...very strange.

    Thanks Ace and Meinolf for your responses to my questions! They were much

    Saral6978, Sep 22, 2008
  13. Hello Saral6978,

    Nice to hear that you fixed it.

    Best regards

    Meinolf Weber
    Meinolf Weber, Sep 22, 2008
  14. There is no harm with this procedure. None whatsoever. Believe me, done it a
    thousand times, and I can say that because of numerous testing and as a
    trainer in a classroom scenario, as well as in production environments.

    Ace Fekay [MVP Directory Services], Sep 22, 2008
  15. Same here, nice to hear it's taken care of. For the security updates to
    cause this would indicate one of those apps is trying to use a UDP
    ephemeral port in the reserved range and is causing a conflict. I'm willing
    to bet that if those apps were moved off the DC (usually we recommend no
    apps on a DC and let a DC be a DC), that it will work. There are known
    issues with 3rd party apps that do not recognize the port reservation and
    still pick a random port in that range, causing a conflict.

    For the time being if you want to leave the 3rd party apps on it, that is
    fine. If you ever do move them off, be sure to install those updates.

    Ace Fekay [MVP Directory Services], Sep 22, 2008
