Event ID: 4000 Source: DNS

Description
The DNS server was unable to complete directory service enumeration of zone .. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone. The event data contains the error.
Comments
It is likely that the DC either is not configured to use a DNS server that has a valid copy of the DNS zone, or the zone does not have the needed SRV records. Running DCDiag (from the Windows 2000 Resource Kit) may provide some information about the source of the errors. Also, NETDiag can be run for additional information.

From a newsgroup post: "If you have installed AD using Dcpromo, dcpromo creates the .(root) zone, and when you need to use the forwarders option, as Microsoft recommends for Internet name resolution, you will always get the 4004 & 4015 errors in your log. To solve this problem and stop these events do the following:
1. Create a .(root) zone file
2. Right click the .(root) name and select Properties
3. Change the zone into a primary zone instead of the AD-integrated zone type
4. Delete the .(root) zone"
A badly configured Windows Time Service may be causing this error. Check if there are any error reports in the event log from the W32Time Service. When logging on, it seems that a badly configured W32Time Service is causing an overload, and your DNS cannot reach the Active Directory at this time, reporting event 4004 (and more) in the event log. In my case, I had a Server 2003 PDC (primary domain controller) reporting the DNS 4004 error. After disabling "NTPClient" in the registry and restarting the server the problem was gone. (Go to HKLM/System/CurrentControlSet/Services/W32Time/NTPClient, Open/Edit the "Enabled" key, set it to 0 (zero) and restart). See ME816042 for more information about the W32Time Service and its configuration.
We found that our server had two NICs and the DNS was pointing to a NIC with a different IP. We changed the UTP cable to the other NIC and this event disappeared.
In one case, this happened on a Windows 2003 SP1 computer, which was a domain controller with Active Directory integrated zones, where the DNS Server address had defaulted to 127.0.0.1. Five of these Event IDs were preceded by EventID 4015 from source DNS. Changing the DNS server address did not solve the problem. DNS was uninstalled and reinstalled (go to Control Panel -> Add/Remove Programs -> Add/Remove Windows Components -> Networking Services) without an intervening restart of the computer. The DNS Server was then checked and minor configuration changes made. The computer was restarted and EventID 4004 or 4015 did not reappear.

The minor changes that I made were just clearing up redundant records. The important thing is to uninstall and reinstall DNS. On this computer, I did not restart between the uninstall and install because it was the only DNS server in the domain, and if I did so, I would have lost all the DNS records. If you have DNS installed on two or more servers and it is configured with Active Directory-integrated zones, then I have found that restarting the computer between the uninstall and install is better because it completely clears DNS on that computer and when it is installed again the records get replicated from another DNS server in the domain. Incidentally, uninstall/restart/install is the only fix that I have found when the "Test Now" button on the DNS Servers Properties "Monitoring" tab results in the Simple Query or Recursive Query displaying a result of FAIL.
I had this error after the migration of the Active Directory to W2K3. Changing the permission settings of the registry key: HKLM\Software\Microsoft fixed the error.


As per Microsoft: "The DNS Server service uses Active Directory to store DNS data, and it encountered a Lightweight Directory Access Protocol (LDAP) error while querying the directory. This error could be caused by either a high load on the domain controller or the failure of other domain controller services". See MSW2KDB for more information.

From a newsgroup post: "If you have 2 DC/DNS servers, to avoid this error, make sure you have the following under IP properties:
DC1:
  First DNS address points to DC2.
  Second DNS address points to itself.
DC2:
  First DNS address points to DC1.
  Second DNS address points to itself".

From a newsgroup post: "This can be caused if you have a single DC or two DCs and they point to themselves as the first entry in the DNS list in IP properties and the zone is AD Integrated. Reason could be that the DC has many services running on it (SQL, Exchange, etc.) or is a slower machine, and when the Netlogon service tries to register into the zone at boot time, AD is not quite initialized yet and so you get the error. You can either ignore it or change the zone to a Primary, or if you have multiple DCs, change the first entry to the partner and the second to itself".
In my case, this error appeared after I changed the network and I forgot to change the reverse-lookup zone.
MS PSS reports this error may occur in a single-server environment, during server startup, for AD-integrated DNS zones. Apparently, DNS is starting before AD is ready to answer queries, and DNS cannot wait for AD to start since AD needs DNS. PSS reports the error can be ignored, as the DNS zones will load as soon as AD is ready. PSS said that switching to a standard (not AD-integrated) zone would work around the problem.
The error may occur if the "RootDNSServers" entry was deleted and the DNS job was not restarted.
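Several of the comments above come down to the same check: which DNS server each interface on the DC queries first (partner DC first, itself second, never 127.0.0.1 first) and whether DNS Server events 4000/4004/4015 and W32Time errors are still being logged. The script below is an added example, not from eventid.net or any commenter, that performs those checks on a domain controller running Windows Server 2012 or later; the `$PartnerDnsServers` list is a constructed placeholder you must fill in with your partner DC addresses.

```powershell
# Added example (not from the page): verify DNS client ordering on a DC and
# pull the related events. Run in an elevated PowerShell on the DC itself.
$PartnerDnsServers = @('10.0.0.2')   # constructed placeholder: your partner DC(s)

# Addresses that mean "this DC": its own IPv4 addresses plus loopback
$localIPs = @((Get-NetIPAddress -AddressFamily IPv4).IPAddress) + '127.0.0.1'

Get-DnsClientServerAddress -AddressFamily IPv4 |
  Where-Object { $_.ServerAddresses.Count -gt 0 } |
  ForEach-Object {
    $first  = $_.ServerAddresses[0]
    $rest   = @($_.ServerAddresses | Select-Object -Skip 1)
    $status = 'OK'
    if ($first -eq '127.0.0.1') {
        # The 127.0.0.1 case from the comments: DNS asks itself before AD is up
        $status = 'WARN: first DNS entry is loopback'
    } elseif ($localIPs -contains $first -and $PartnerDnsServers.Count -gt 0) {
        $status = 'WARN: first DNS entry is this DC; partner DC should be first'
    } elseif (-not ($localIPs -contains $first) -and -not ($PartnerDnsServers -contains $first)) {
        $status = 'CHECK: first DNS entry is neither this DC nor a listed partner'
    }
    if ($PartnerDnsServers.Count -gt 0 -and -not ($rest | Where-Object { $localIPs -contains $_ })) {
        $status += '; this DC is not listed as the second entry'
    }
    [pscustomobject]@{
        Interface = $_.InterfaceAlias
        First     = $first
        Others    = ($rest -join ', ')
        Status    = $status
    }
  } | Format-Table -AutoSize

# DNS Server events named in the comments, last 24 hours
Get-WinEvent -FilterHashtable @{
    LogName   = 'DNS Server'
    Id        = 4000, 4004, 4015
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# W32Time errors/warnings in the System log (the time-service cause noted above)
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Time-Service'
    Level        = 2, 3
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Follow up with `dcdiag /test:DNS /v` for the fuller per-zone checks the comments refer to.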
