new DC/DNS 2k8r2 x64, dns.exe faults/TrustAnchors errors

Discussion in 'DNS Server' started by markm75g, Feb 2, 2010.

  1. markm75g

    markm75g Guest

    I'm seeing a wealth of errors on a new DC I have created.. it is a GC, has a
    "secondary" dns server (ad integrated), by secondary I mean, it's the 2nd dns
    server, the first being on the other dc..

    I see the following:

    warning: eventid 4521
    The DNS server encountered error 32 attempting to load zone TrustAnchors
    from Active Directory. The DNS server will attempt to load this zone again on
    the next timeout cycle. This can be caused by high Active Directory load and
    may be a transient condition.

    error: 4001
    The DNS server was unable to open zone TrustAnchors in the Active Directory.
    This DNS server is configured to obtain and use information from the
    directory for this zone and is unable to load the zone without it. Check that
    the Active Directory is functioning properly and reload the zone. The event
    data is the error code.

    Under the application log:
    Faulting application name: dns.exe, version: 6.1.7600.16385, time stamp:
    0x4a5bc929
    Faulting module name: dns.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc929
    Exception code: 0xc0000005
    Fault offset: 0x000000000001f256
    Faulting process id: 0xc80
    Faulting application start time: 0x01caa40fcf3873cc
    Faulting application path: C:\Windows\system32\dns.exe
    Faulting module path: C:\Windows\system32\dns.exe
    Report Id: 78e01e48-1006-11df-be5e-00155d64533a
    eventid 1000


    I've tried removing and re-adding the dns role to no avail, as mentioned
    somewhere else..

    Possibly related.. but..

    In the tcp/ip for this machine.. should the primary dns be the other dns
    server, while the secondary be the 127.0.0.1 address?

    Thanks for any help
     
    markm75g, Feb 2, 2010
    #1

  2. markm75g

    markm75g Guest

    I'm also getting this on both domain controllers:

    The request subject name is invalid or too long. 0x80094001
     
    markm75g, Feb 2, 2010
    #2


  3. See if this helps.

    Request for Certificate Is Denied and a "The Request Subject Name ...The
    request subject name is invalid or too long. 0x80094001. In addition, the
    following message may be logged in the event log: ...
    http://support.microsoft.com/kb/312344

    Windows Server 2003 Does Not Use the DNS Name as Certificate Subject. In
    Windows 2000, the Domain Name System (DNS) name of a computer is embedded as
    the ... (0x80094001) The request subject name is invalid or too long. ...
    http://support.microsoft.com/kb/275528

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among
    responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
    MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    If you feel this is an urgent issue and require immediate assistance, please
    contact Microsoft PSS directly. Please check http://support.microsoft.com
    for regional support phone numbers.
     
    Ace Fekay [MVP-DS, MCT], Feb 2, 2010
    #3

  4. It appears there are AD replication or DNS dupe zone issues. You are saying
    that you have two DCs, and the _msdcs.yourdomain.com and yourdomain.com
    zones are AD integrated? What replication scope are they set to on both DCs?

    Was the zone on one of the DCs ever set to just "Secondary" and not stored in
    AD at one time?

    To check if you have a dupe zone issue, please read my blog on how to find
    and fix it.

    Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
    http://msmvps.com/blogs/acefekay/ar...ing-or-duplicate-ad-integrated-dns-zones.aspx

    As far as how to set DNS addresses on DCs, the recommendations for
    configuring DNS addresses, is point the first address to the DC's IP itself,
    then the partner as the second entry. Remove the loopback. The loopback was
    entered by DCPROMO. One of the cleanup phases after running a promotion is
    to set the DNS addresses correctly, which apparently may have been missed in
    this case.

    Curious, what are you using TrustedAnchors for? That's designed to handle
    secured zone transfers between non-authoritative DNS servers.

    Distribute Trust Anchors
    Trust anchors are required on all non-authoritative DNS servers that will
    perform DNSSEC validation of data from a signed zone.
    http://technet.microsoft.com/en-us/library/ee649280(WS.10).aspx

    Please provide an ipconfig /all from both DCs.

    --
    Ace

     
    Ace Fekay [MVP-DS, MCT], Feb 2, 2010
    #4
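    As an added example (not from the thread, from Ace's blog or from Microsoft), a PowerShell 2.0 script that checks the two things asked about above on a 2008 R2 DC: which AD partition each zone object lives in (the same name in more than one partition, or an object AD has renamed with "CNF:", is the duplicate-zone case), and whether the NIC's DNS client list follows the self-first, no-loopback recommendation. It assumes it is run on the DC itself with domain admin rights; the three container paths are the standard locations for AD-integrated zones.

```powershell
# Added example (not from the thread, Ace's blog or Microsoft): audit the two
# things discussed above on a 2008 R2 DC. Assumed: run on the DC, domain admin.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDN = [string]$rootDse.defaultNamingContext
$forestDN = [string]$rootDse.rootDomainNamingContext

# 1. Which partition holds each AD-integrated zone object. CN=System is the legacy
#    DomainNC scope; the same name in two scopes is the duplicate-zone case.
$scopes = @{
    'DomainNC (legacy)' = "CN=MicrosoftDNS,CN=System,$domainDN"
    'DomainDnsZones'    = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN"
    'ForestDnsZones'    = "CN=MicrosoftDNS,DC=ForestDnsZones,$forestDN"
}
$zoneScopes = @{}
foreach ($scope in $scopes.Keys) {
    $path = 'LDAP://' + $scopes[$scope]
    if (-not [ADSI]::Exists($path)) { continue }
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$path)
    $s.Filter      = '(objectClass=dnsZone)'
    $s.SearchScope = 'OneLevel'
    [void]$s.PropertiesToLoad.Add('dc')
    foreach ($r in $s.FindAll()) {
        $name = [string]$r.Properties['dc'][0]
        # AD renames the loser of a replication collision to "<name>\0CNF:<guid>"
        if ($name -match 'CNF:') { Write-Warning "Conflict object in $scope : $name" }
        $key = ($name -replace '\0CNF:.*$', '').ToLower()
        if (-not $zoneScopes.ContainsKey($key)) { $zoneScopes[$key] = @() }
        $zoneScopes[$key] += $scope
    }
}
foreach ($z in $zoneScopes.Keys) {
    $where = $zoneScopes[$z] -join ', '
    if ($zoneScopes[$z].Count -gt 1) { Write-Warning "Zone $z is in more than one scope: $where" }
    else { '{0,-40} {1}' -f $z, $where }
}

# 2. DNS client order on this DC: its own IP first, partner second, no loopback.
foreach ($nic in Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE') {
    $order = $nic.DNSServerSearchOrder
    if (-not $order) { continue }
    "$($nic.Description): $($order -join ', ')"
    if ($order -contains '127.0.0.1') { Write-Warning '  loopback listed; use the DC''s real IP instead' }
    if ($nic.IPAddress -notcontains $order[0]) { Write-Warning '  first entry is not this DC itself' }
}
```

    Run it on each DC and compare: a zone reported in both DomainNC and DomainDnsZones is the situation the ADSI Edit article above walks through.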
  5. markm75g

    markm75g Guest

    I'm not seeing duplicate zones I don't think.. at one point I think I had a
    read only copy (or maybe secondary) on a third server 192.168.100.16.. but
    not anymore..

    In adsiedit.. I see the reverse lookup zone, domain.local and
    RootDNSservers listed in there (under microsoft dns, under system, under
    DC=domain, dc=local under the default naming context)

    I did notice that this setting is in place on the dns servers (all are 2008
    r2 at this point):

    DomainNC (only for compatibility with Win2000):

    Should I switch it to "to all dns servers running on dcs in this domain" ?

    I don't actually see anything listed in the trust anchors page..


    Here are the ipconfigs (note, the best practices tool on r2, said that the
    first dns should point to the Other DNS server, while the second is loopback,
    doing this made the warning indication go away, but obviously didn't fix other
    issues)

    first is the first dc, called vsborg01:


    Windows IP Configuration

    Host Name . . . . . . . . . . . . : vsborg01
    Primary Dns Suffix . . . . . . . : domain.local
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : domain.local

    Ethernet adapter Local Area Connection 3:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network
    Adapter #3
    Physical Address. . . . . . . . . : 00-15-5D-64-5B-12
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . :
    fe80::a523:5025:c96d:834b%14(Preferred)
    IPv4 Address. . . . . . . . . . . : 192.168.100.60(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.100.1
    DHCPv6 IAID . . . . . . . . . . . : 285218141
    DHCPv6 Client DUID. . . . . . . . :
    00-01-00-01-12-F3-A6-2A-00-15-5D-64-53-37
    DNS Servers . . . . . . . . . . . : 192.168.100.61
    127.0.0.1
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.{3FD2A97E-D911-4EA6-8310-53D2505DD715}:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft ISATAP Adapter
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    and now the other:



    Windows IP Configuration

    Host Name . . . . . . . . . . . . : vsborg02
    Primary Dns Suffix . . . . . . . : domain.local
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : domain.local

    Ethernet adapter Local Area Connection 3:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network
    Adapter #3
    Physical Address. . . . . . . . . : 00-15-5D-64-53-3A
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . :
    fe80::2d62:5eeb:8b5d:a314%14(Preferred)
    IPv4 Address. . . . . . . . . . . : 192.168.100.61(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.100.1
    DHCPv6 IAID . . . . . . . . . . . : 285218141
    DHCPv6 Client DUID. . . . . . . . :
    00-01-00-01-12-F3-A6-2A-00-15-5D-64-53-37
    DNS Servers . . . . . . . . . . . : 192.168.100.60
    127.0.0.1
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.{73116582-123C-475F-92B8-AAEF513F1CC2}:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft ISATAP Adapter
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
     
    markm75g, Feb 4, 2010
    #5

  6. You could make the first one point to a partner DC. This will help to
    quicken startup of a DC, however, the general consensus among most of us out
    here is to use the actual IP of itself as the first, then the IP of the
    partner. If you decide to leave it the way you set it, remove the Loopback,
    and use the actual IP.

    Good to hear that there are not dupes. No. Leave the replication scope on the
    middle button. That is the application partition DomainDnsZones, whereas the
    bottom one is the DomainNC (for backward compatibility).

    Did you create a TrustAnchors record? If so, are you using this feature?

    Ace
     
    Ace Fekay [MVP-DS, MCT], Feb 4, 2010
    #6
  7. markm75g

    markm75g Guest

    No, I never created any trust anchors.. actually the dns setting is on the
    compatibility one (bottom).. so I should move it to the middle then?
     
    markm75g, Feb 5, 2010
    #7
  8. You didn't create any? You can delete it, but hold off on that for right
    now.

    Yes, I would suggest the center selection.

    Ace
     
    Ace Fekay [MVP-DS, MCT], Feb 5, 2010
    #8
  9. Select the center one as long as there are no 2000 DCs in existence.

    I assume the _msdcs.domain.local zone is the top selection, in the forest
    replication scope.

    Ace
     
    Ace Fekay [MVP-DS, MCT], Feb 5, 2010
    #9
  10. markm75g

    markm75g Guest

    Ok, so now..

    If I do properties on domain.local under the dns tree.. I have set it to
    "all dns servers in the domain"..

    For the _msdcs one, it was already set to the top option.. to all dns in the
    forest.


    As far as the trust anchors.. where do I delete them.. as under the trust
    anchors tab I have nothing listed.

    Thanks again
     
    markm75g, Feb 5, 2010
    #10
  11. Do you see a folder or other object in DNS called Trustedanchors? If so,
    delete it.

    I'm trying to read up on Trustedanchors and DNSSEC (DNS security - a new
    industry implementation that is now offered in Windows 2008 R2). It's a new
    feature that when you implement it, it associates a certificate (or key) to
    a zone in DNS. Somehow during setup, it was specified to allow DNS security,
    hence why it is assuming there is a trustedanchor.

    Ace
     
    Ace Fekay [MVP-DS, MCT], Feb 5, 2010
    #11
  12. markm75g

    markm75g Guest

    No, don't see any trust anchors in the tree..

    That's interesting, didn't realize R2 added that, perhaps that is indeed the
    cause.
     
    markm75g, Feb 5, 2010
    #12
  13. Ace Fekay [MVP-DS, MCT], Feb 5, 2010
    #13
  14. SethB

    SethB Guest

    We just stood up our first 2k842 DC & DNS server, and are seeing the exact
    same errors. Did you find a solution to this?
     
    SethB, Mar 20, 2010
    #14

  15. Usually I suggest if you are having a similar issue, to start a new thread instead of replying to an older one. Everyone's system is unique, so there may or may not be one 'canned' solution. However, there has been much discussed in this thread with possible solutions and links to read up on seeing if any of them applies to your specific issues based on your own specific configuration.

    Have you read through the thread? Has any of it helped guide you toward a possible solution for what you are experiencing?

    Ace
     
    Ace Fekay [MVP-DS, MCT], Mar 20, 2010
    #15
