Event ID: 4000 Source: DNS

The DNS server was unable to open Active Directory.  This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

Data: 0000: f5 25 00 00
In my case, after a reboot of a Windows 2008 R2 server, the KDC service did not start. I started KDC and DNS came back online.
Apparently, this problem was fixed in Windows 2000 Service Pack 1 (see the link below) but we have received reports about this error even on systems with Service Pack 2. See ME258072 for more details.

Each instance of this problem should be approached based on the error code in the Data portion of the event. The fix for one will not apply to the other, so pay attention to that. Examples of codes:

Data: 3a 00 00 00 = The specified server cannot perform the requested operation.

Data: 54 05 00 00 = A specified authentication package is unknown.

Data: 2a 23 00 00 = DNS server failure.

Data: 2d 23 00 00 = DNS operation refused. Some support forums suggest that this may happen if DNS attempts to start before AD itself finished initializing.

Data: f5 25 00 00 = The directory service is unavailable.
The behavior will occur if the DNS server IP address is incorrect. See "JSI Tip 8507" to solve the problem. WITP81885
Data: 0000: f5 25 00 00 - This is a permissions issue. See ME305837.

ME316685 describes a situation when certain settings for the Windows event log create this problem.

According to ME884499, this can happen on servers with two or more network adapters. Only the first IP address can be used for DNS.
In my case, this error message came up after a crash on a single W2K AD Server. You could not log into the system with any AD account. The fix was to reboot in safe mode (AD restore) and restore AD.
The odd thing is that the next time the system crashed (a month later), the same symptoms returned. Any restore I ran that was dated after the first crash would not fix the problem. I had to use a tape that was created before the first crash that created this problem, which then fixed the problem.
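
Added example, not part of the original page or its comments: a small Python decoder for the Data field of Event ID 4000, for triaging many events by error code. It assumes the four bytes are a little-endian 32-bit error code (so `f5 25 00 00` is 0x000025F5 = 9717); the function names and sample lines are constructed for illustration, and the messages are the ones listed above.

```python
import re
import struct

# Messages exactly as listed on this page, keyed by the decoded decimal code.
PAGE_CODES = {
    58: "The specified server cannot perform the requested operation.",
    1364: "A specified authentication package is unknown.",
    9002: "DNS server failure.",
    9005: "DNS operation refused.",
    9717: "The directory service is unavailable.",
}

_HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def decode_event_data(text):
    """Return the error code held in an Event ID 4000 Data field.

    Accepts 'Data: 0000: f5 25 00 00', '0000: f5 25 00 00' or 'f5 25 00 00'.
    """
    body = text.strip()
    if body.lower().startswith("data:"):
        body = body[5:].strip()
    # Drop a hex-dump offset prefix such as '0000:'.
    body = re.sub(r"^[0-9a-fA-F]{4}:\s*", "", body)
    tokens = body.split()
    if len(tokens) < 4 or not all(_HEX_BYTE.match(t) for t in tokens[:4]):
        raise ValueError(f"not a 4-byte event data dump: {text!r}")
    raw = bytes(int(t, 16) for t in tokens[:4])
    return struct.unpack("<I", raw)[0]  # assumption: little-endian DWORD


def explain(text):
    """Return (code, description); codes not on this page are flagged."""
    code = decode_event_data(text)
    message = PAGE_CODES.get(code, "not listed on this page")
    return code, f"{code} (0x{code:08X}): {message}"


if __name__ == "__main__":
    # Constructed sample input in the shapes the Data field takes on this page.
    for sample in ("Data: 0000: f5 25 00 00", "2d 23 00 00",
                   "0000: 54 05 00 00", "Data: 05 00 00 00"):
        print(sample, "->", explain(sample)[1])
```
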
