Dns сервер ошибка 4013

  • Remove From My Forums

  • Вопрос

  • Добрый день. 

    Прошу помощи. Недавно появилась проблема на первом контролере домена. (у меня их два) 

    В логах DNS ошибка:

    DNS-сервер ожидает от доменных служб Active Directory (AD DS) сигнала о том, что первичная синхронизация каталога завершена. Службу DNS-сервера невозможно запустить до завершения первичной синхронизации, так как критические данные DNS могут
    быть еще не реплицированными на этот контроллер домена. Если журнал событий AD DS показывает, что имеются проблемы с разрешением DNS-имен в адреса, рассмотрите возможность добавления IP-адреса другого DNS-сервера
    для этого домена в список DNS-серверов в свойствах протокола IP этого компьютера. Такое событие будет записываться в журнал каждые две минуты, пока служба AD DS не сообщит об успешном завершении первичной синхронизации.

    На данном сервере не проходит nslookup — 192.168.20.21 

    DNS request timed out.

    Так же в настройках оснастки DNS не проходит простой тест и рекурсивный тест.

    Запускал dcdiag /test:dns

    DCDIAG пишет, что в настройках сетевого адаптера неправильный dns сервер прописан, но там как раз прописано два ip адреса dns и они правильные.

    При этом если на рабочих станциях набрать nslookup — 192.168.20.21, ответ от DNS сервера есть.

    Так же все тесты проходит второй контролер домена. 

    Так же проверял вручную репликацию между домен контролерами. Все работает без ошибок. 

    Очень нужна помощь.

    Спасибо.

    • Изменено

      1 декабря 2017 г. 8:55

Ответы

  • Добрый день.

    Проблема решена! 

    Господа Админы под знаком смерти не рекомендую Вам в своей работе использовать на серверах антивирус кАСПЕРСКОГО. 

    Проблема была именно в нем. 

    Два домен контролера, два антивируса одной версии. 

    Единая политика кАСПЕРСКОГО, которая как раз распространялась на эти два сервера.

    На одном сервере Касперский на уровне драйвера тихо и мирно блокировал все DNS запросы.

    При этом в логах у самого кАСПЕРСКОГО полная тишина.

    Причем, даже если выгрузить кАСПЕРСКОГО ИЗ ПАМЯТИ, все равно на данном сервере запросы заблокированы.

    Помогло удаление касперского. После удаления все запросы заработали.  

    Разница только в операционках и все. 

    Писать кАСПЕРСКОМУ бесполезно, они просто идиоты! 

    Всем спасибо за помощь.

    • Помечено в качестве ответа
      akamsp
      4 декабря 2017 г. 7:14

Источник

We have an issue that only occurs after we rebooting our secondary DC and DNS server/DHCP server. It is a 2008r2 x64 server, DC and DNS/DHCP server. Our main DC is 2003.

Event ID 4013:

“The DNS server is waiting for Active Directory Domain
Services (AD DS) to signal that the initial synchronization of the
directory has been completed. The DNS server service cannot start
until the initial synchronization is complete because critical DNS
data might not yet be replicated onto this domain controller. If
events in the AD DS event log indicate that there is a problem with
DNS name resolution, consider adding the IP address of another DNS
server for this domain to the DNS server list in the Internet Protocol
properties of this computer. This event will be logged every two
minutes until AD DS has signaled that the initial synchronization has
successfully completed.”

I found this solution:

  1. Log onto the First Domain Controller
  2. Open Regedit
  3. Navigate to HKLMSYSTEMCurrentControlSetServicesNTDSParameters
  4. Right-click Parameters, click New, and then click DWORD Value.
  5. Type “Allow Replication With Divergent and Corrupt Partner” and press enter.
  6. Open the entry and in the Value Data box type 0
  7. Reboot First DC wait for it to come back online and then repeat the above steps on the Second DC.

It doesn’t really apply to us, since after about 15 seconds, it syncs up. My question is this, what would happen once we decommission or main DC and make our secondary DC our main DC? Since the warning does not occur after the reboot (like I said, it actually syncs up after about 15 seconds), should I even be concerned about it now?

Thanks!

asked Jul 11, 2012 at 22:06

George's user avatar

GeorgeGeorge

5004 gold badges18 silver badges40 bronze badges

3

Since your DNS is almost certainly AD-integrated for you to be getting that error, it (DNS) will wait until AD DS has completed a synchronization. If you were to decommission the other server, as long as it was done properly, this DC would consider itself to be synchronized since it had no partners.

The registry fix you mentioned would get you around that check, but another option (assuming your other DC was gone) is to transfer all the FSMO roles to this DC. I have had to do this in a virtual lab before when restoring only a single secondary DC. By seizing all the FSMO roles, I was able to get DNS up and running.

answered Jul 12, 2012 at 17:16

Paul Kroon's user avatar

Paul KroonPaul Kroon

2,23016 silver badges20 bronze badges

Источник

Are you stuck with DNS Event ID 4013? We can help you.

At Bobcares, we offer solutions for every query, big and small, as a part of our Server Management Service.

Let’s take a look at how our Support Team resolve this error.

How to resolve DNS Event ID 4013?

Usually, the following DNS Event ID 4013 is log in the DNS event log of domain controllers that are hosting the DNS server role after Windows starts:

Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 4013
Date: Date
Time: Time
User: N/A
Computer: ComputerName
Description:
The DNS server was unable to open the Active Directory. This DNS server is configured to use directory service information and can not operate without access to the directory. The DNS server will wait for the directory to start. If the DNS server is started but the appropriate event has not been logged, then the DNS server is still waiting for the directory to start.

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Data:
0000: <%status code%>

Mostly, issue occurs due to below conditions:

  • slow Windows startup
  • the logging of DNS event 4013 on DNS servers that are configure to host AD-integrat zones, which implicitly reside on computers acting as domain controllers.

Some Microsoft and external content have recommend setting the registry value Repl Perform Initial Synchronizations to 0 to bypass initial synchronization requirements in Active Directory.

The specific registry subkey and the values for that setting are as follows:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNTDSParameters
Value name: Repl Perform Initial Synchronizations
Value type: REG_DWORD
Value data: 0

This configuration change isn’t recommend for use in production environments, or in any environment on an ongoing basis.

The use of Repl Perform Initial Synchronizations should use only in critical situations to resolve temporary and specific problems.

How to resolve it?

Today, let us see the steps followed by our Support Techs to resolve it.

The default setting should restore after such problems are resolve.

Other feasible options include:

  • Firstly, remove references to stale domain controllers.
  • Then, make offline or non-functioning domain controllers operational.
  • Domain controllers hosting AD-integrate DNS zones shouldn’t point to a single domain controller and especially only to themselves as prefer DNS for name resolution.
  • DNS name registration and name resolution for domain controllers is a relatively lightweight operation that’s highly cache by DNS clients and servers.
  • Configuring domain controllers to point to a single DNS server’s IP address, including the 127.0.0.1 loopback address, represents a single point of failure.

This setting is tolerable in a forest with only one domain controller, but not in forests with multiple domain controllers.

Hub-site domain controllers should point to DNS servers in the same site as them for prefer and alternate DNS server and then finally to itself as another alternate DNS server.

Branch site domain controllers should configure the prefer DNS server IP address to point to a hub-site DNS server, the alternate DNS server IP address to point to an in-site DNS server or one in the closest available site, and finally to itself using the 127.0.0.1 loopback address or current static IP address.

Dynamic domain controller SRV and host A and AAAA record registrations may not make it off-box if the registering domain controller in a branch site is unable to outbound replicate.

Member computers and servers should continue to point to site-optimal DNS servers as prefer DNS. And they may point to off-site DNS servers for additional fault tolerance.

Your ultimate goal is to prevent everything from causing a denial of service while balancing costs, risks, and network utilization, such as:
    • replication latency and replication failures
    • hardware failures, software failures
    • operational practices
    • short and long-term power outages
    • fire, theft, flood, and earthquakes
    • terrorist events
    • Are available at Windows startup.
    • Host, forward, or delegate the _msdcs. and primary DNS suffix zones for current and potential source domain controllers.
    • Can resolve the current CNAME GUID records (for example, dded5a29-fc25-4fd8-aa98-7f472fc6f09b._msdcs.contoso.com) and host records of current and potential source domain controllers.
    • Then, make sure that destination domain controllers can resolve source domain controllers using DNS (for example, avoid fallback).

      Domain controllers should point to DNS servers that:
  • Optimize domain controllers for name resolution fallback.The inability to configure DNS properly so that domain controllers could resolve the domain controller CNAME GUID records to host records in DNS was common.
  • To ensure end-to-end replication of Active Directory partitions, Windows Server 2003 SP1 and later domain controllers were modify to perform name resolution fallback:
    • from domain controller CNAME GUID to fully qualify hostname.
    • Then, fully qualified hostname to NetBIOS computer name.

    The NTDS replication Event IDs 2087 and 2088 in the Directory Service event logs indicate that:

    • a destination domain controller couldn’t resolve the domain controller CNAME GUID record to a host record.
    • Then, name resolution fallback is occurring.

    WINS, HOST files, and LMHOST files can all configure.

  • Change the startup value for the DNS server service to manual if booting into a known bad configuration.If booting a domain controller in a known bad configuration that’s discussed in this article, follow these steps:
    1. Firstly, set the DNS Server service startup value to manual.
    2. Reboot, wait for the domain controller to advertise.
    3. Finally, restart the DNS Server service.

    If the service startup value for DNS Server service is set to manual, Active Directory doesn’t wait for the DNS Server service to start.

[Looking for a solution to another query? We are just a click away.]

Conclusion

In brief, our skilled Support Engineers at Bobcares demonstrate how to resolve DNS Event ID 4013

Источник

Sys-Admin Forum

Loading

Источник
  • Remove From My Forums

  • Question

  • Hello everybody I have a problem and ask the help of the forum to try to resolveAfter starting the process of installing Windows Server 2008 R2 Interprise.In a new server, new domain, server, completely separate from the old domain (which currently runs)After running all updates to Windows Server starts with the following:I made the following settings on the NIC:IP: 192.168.0.1Mask: 255.255.255.0preferred dns: 192.168.0.1IPV4IPV6 — disabledI ran dcpromo, and then install the domain, installed dns.Configure DNS so that when I run nslookup correctly points to the server ip.
    I configured a reverse zone as well.The problem occurs whenever I restart the server every 10 minutes or occurs with below error in event viewer:Event ID: 4013The DNS server is waiting for the signal from the Active Directory Domain Services (AD DS) that the initial synchronization of the directory has been completed.
    The DNS Server service can not be started until the initial synchronization is complete because critical DNS data might not yet have been replicated in the domain controller.If the events of event log indicates that AD DS is a problem with a DNS name resolution, consider adding the IP address of another DNS server in this domain name to the list of DNS server in IP properties of this computer.
    Stephen Fry: event will be included in the log every two minutes until the AD DS signals that the initial synchronization was completed successfullyIf you can give me a line thank you.

    MCP

Answers

  • Hi Daniel,

    It’s not required to have two DCs, but highly recommended. I can’t see how adding a DC fixed this problem.

    I assumed prior to adding the new DC that you removed the ::1 and 127.0.0.1 address and only configured  192.168.0.1 as the only DNS address?

    Ace

    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP — Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Marked as answer by

      Monday, October 25, 2010 5:44 PM

Источник

Понравилась статья? Поделить с друзьями:
  • Dns сервер не отвечает ошибка на компьютере
  • Dns сервер не отвечает ошибка 651
  • Dns сервер не отвечает как устранить ошибку
  • Dodge ошибка р0700
  • Dodge ошибка p2119