Event ID 4007 error

Discussion in 'DNS Server' started by Tony Benham, Mar 21, 2007.

  1. Tony Benham

    Tony Benham Guest

    I've just moved our small domain from NT to Server 2003 via an intermediate
    PC on which I installed NT Server, upgraded to PDC, then to 2003 Server,
    then to DC. I then added a new 2003 machine as DC to the domain, and then
    removed DC role for the intermediate machine, and removed the old NT machine
    and the intermediate machine from our network. I think I screwed up the DNS
    slightly.
    On start up of the new 2003 DC, I'm getting an Event ID 4007 with error
    message
    "The DNS server was unable to open zone _msdcs.somename.mydomain.com in the
    Active Directory from the application directory partition
    ForestDnsZones.somename.mydomain.com. This DNS server is configured to
    obtain and use information from the directory for this zone and is unable to
    load the zone without it. Check that the Active Directory is functioning
    properly and reload the zone. The event data is the error code."

    I ran dcdiag to try to find out more

    TEST: Delegations (Del)
    Warning: DNS server: oldname.somename.mydomain.com. IP:
    <Unavailable> Failure:Missing glue A record

    Now oldname was the intermediate machine, which is no longer there. I looked
    in the dns management tool but could not find this server
    oldname.somename.mydomain.com mentioned anywhere. How can I fix this ?
    Regards
    Tony
     
    Tony Benham, Mar 21, 2007
    #1
    1. Advertisements

  2. Read inline please.

    In

    Do you get this error only when the server starts?
    Do you have only one DC/DNS?


    Can you post an (unedited) ipconfig /all, the AD Domain name from AD Users &
    Computers, and a list of all zones in DNS? (Need all three)



    --
    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Hope This Helps
    Send IM: http://www.icq.com/people/webmsg.php?to=296095728
    ===================================
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ===================================
    http://www.lonestaramerica.com/
    http://support.wftx.us/
    http://message.wftx.us/
    ===================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ===================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ===================================
     
    Kevin D. Goodknecht Sr. [MVP], Mar 22, 2007
    #2
    1. Advertisements

  3. Tony Benham

    Tony Benham Guest

    Hi Kevin,
    Replies inline below.
    Yes only on startup.
    Yes only one DC/DNS (same machine)
    C:\Documents and Settings\admin>ipconfig /all
    Windows IP Configuration
    Host Name . . . . . . . . . . . . : ORAC
    Primary Dns Suffix . . . . . . . : imageproc.imageproc.com
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : imageproc.imageproc.com
    imageproc.com
    Ethernet adapter Local Area Connection:
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
    Physical Address. . . . . . . . . : 00-13-72-34-BF-A4
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.92.109.6
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.92.109.4
    DNS Servers . . . . . . . . . . . : 127.0.0.1

    AD Users and Computers lists imageproc.imageproc.com and Saved Queries
    and shows [ORAC.imageproc.com.imageproc.com] in the title bar for the rh
    window.
    DNSmanagment for ORAC shows 6 items
    Cached Lookups,Forward Lookup Zones, Reverse Lookup Zones,Event Viewer, Root
    Hints and
    Forwarders.
    Under forward lookup zones we have
    _msdcs.imageproc.imageproc.com
    imageproc.imageproc.com

    Regards
    Tony
     
    Tony Benham, Mar 22, 2007
    #3
  4. Read inline please.
    In
    4007 and other 40xx events are pretty common in Single DC/DNS environments
    because DNS cannot load the zone out of Active Directory, until AD has
    started. AD cannot start until DNS has started so it puts you in catch22.
    If the events only happen on startup, you can safely ignore them. If you add
    a second DC and point each DC to the other for the Preferred DNS, you won't
    see these errors. You can also make the AD zones standard primaries, but it
    is not recommended because there is no security on Standard primary zones.
    Your ipconfig looks properly configured, although, I recommend replacing the
    127.0.0.1 Loopback address with the DC's own private IP address.

    On a side note- Your AD domain appears to a sub domain of your public domain
    name, if you don't have a local zone for imageproc.com you should remove
    that zone from your DNS suffix search list. With this name in the list your
    public domain suffix is appended to all DNS names that are not followed with
    a trailing ".". Because of this (If you use nslookup -d2 you will see this),
    www.yahoo.com (Example) gets appended with the suffixes from this list, and
    becomes www.yahoo.com.imageproc.com which is forwarded to the external DNS.
    Many public DNS providers add a Wildcard "*" record to the zones they host,
    www.yahoo.com.imageproc.com will resolve to this Wildcard record's IP.




    --
    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Hope This Helps
    Send IM: http://www.icq.com/people/webmsg.php?to=296095728
    ===================================
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ===================================
    http://www.lonestaramerica.com/
    http://support.wftx.us/
    http://message.wftx.us/
    ===================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ===================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ===================================
     
    Kevin D. Goodknecht Sr. [MVP], Mar 22, 2007
    #4
  5. Tony Benham

    Tony Benham Guest

    Hi Kevin,
    Question below.
    I can't find out where the DNS Suffix search list is specified. Is it in the
    DNS server settings somewhere ?
    Or in the dns settings for the server network connection itself ?
    Thanks for your help
    Tony
     
    Tony Benham, Mar 22, 2007
    #5
  6. Tony Benham

    Tony Benham Guest

    Hi Kevin,
    See below.

    I think I found this is on the append parent suffix in the dns tab of tcpip
    properties. If I untick this,
    I get www.yahoo.com.imageproc.imageproc.com , but not
    www.yahoo.com.imageproc.com Ideally I would hve thought that on the machine
    that is the domain dns server, any unresolved names such as www.yahoo.com
    should not have any suffix applied ? But the dns tab of tcpip properties
    will not allow you to untick both suffix items in the dns tab, by ticking
    append these dns suffixes ? What is the correct settings on the DC/DNS
    server for dns tcp/ip properties ?
    Thanks
    Tony
     
    Tony Benham, Mar 22, 2007
    #6
  7. Read inline please.

    In
    The DNS suffix is applied to all names not ended with a trailing "."


    What is the correct settings on the DC/DNS server for dns tcp/ip properties
    ?

    The correct setting would be to have only suffixes in the list needed for
    NetBIOS type host names in the local domain, so if your local domain is
    imageproc.imageproc.com, use that name in the suffix search list.




    --
    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Hope This Helps
    Send IM: http://www.icq.com/people/webmsg.php?to=296095728
    ===================================
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ===================================
    http://www.lonestaramerica.com/
    http://support.wftx.us/
    http://message.wftx.us/
    ===================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ===================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ===================================
     
    Kevin D. Goodknecht Sr. [MVP], Mar 23, 2007
    #7
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.