I see the following:
warning: eventid 4521
The DNS server encountered error 32 attempting to load zone TrustAnchors
from Active Directory. The DNS server will attempt to load this zone again on
the next timeout cycle. This can be caused by high Active Directory load and
may be a transient condition.
error: 4001
The DNS server was unable to open zone TrustAnchors in the Active Directory.
This DNS server is configured to obtain and use information from the
directory for this zone and is unable to load the zone without it. Check that
the Active Directory is functioning properly and reload the zone. The event
data is the error code.
Under the application log:
Faulting application name: dns.exe, version: 6.1.7600.16385, time stamp:
0x4a5bc929
Faulting module name: dns.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc929
Exception code: 0xc0000005
Fault offset: 0x000000000001f256
Faulting process id: 0xc80
Faulting application start time: 0x01caa40fcf3873cc
Faulting application path: C:\Windows\system32\dns.exe
Faulting module path: C:\Windows\system32\dns.exe
Report Id: 78e01e48-1006-11df-be5e-00155d64533a
eventid 1000
I've tried removing and re-adding the dns role to no avail, as mentioned
somewhere else..
Possibly related.. but..
In the tcp/ip for this machine.. should the primary dns be the other dns
server, while the secondary be the 127.0.0.1 address?
Thanks for any help
The request subject name is invalid or too long. 0x80094001
See if this helps.
Request for Certificate Is Denied and a "The Request Subject Name ...The
request subject name is invalid or too long. 0x80094001. In addition, the
following message may be logged in the event log: ...
http://support.microsoft.com/kb/312344
Windows Server 2003 Does Not Use the DNS Name as Certificate Subject
In Windows 2000, the Domain Name System (DNS) name of a computer is embedded as
the ... (0x80094001) The request subject name is invalid or too long. ...
http://support.microsoft.com/kb/275528
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.
Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.
It appears there are AD replication or DNS dupe zone issues. You are saying
that you have two DCs, and the _msdcs.yourdomain.com and yourdomain.com
zones are AD integrated? What replication scope are they set to on both DCs?
Was the zone on one of the DCs ever set to just "Secondary" and not stored in
AD at one time?
To check if you have a dupe zone issue, please read my blog on how to find
and fix it.
Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx
As far as how to set DNS addresses on DCs, the recommendations for
configuring DNS addresses, is point the first address to the DC's IP itself,
then the partner as the second entry. Remove the loopback. The loopback was
entered by DCPROMO. One of the cleanup phases after running a promotion is
to set the DNS addresses correctly, which apparently may have been missed in
this case.
Curious, what are you using TrustedAnchors for? That's designed to handle
secured zone transfers between non-authoritative DNS servers.
Distribute Trust Anchors
Trust anchors are required on all non-authoritative DNS servers that will
perform DNSSEC validation of data from a signed zone.
http://technet.microsoft.com/en-us/library/ee649280(WS.10).aspx
Please provide an ipconfig /all from both DCs.
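A way to run the duplicate-zone check Ace describes above without opening ADSI Edit, as an added example that is not from the thread or from Ace's blog post: it reads the three directory locations where an AD-integrated zone can be stored and reports conflict objects and zone names present in more than one partition. It assumes the domain DN DC=domain,DC=local from this thread and uses only the built-in [ADSI] accelerator, so it runs on a 2008 R2 DC without extra modules; it only reads, it deletes nothing.

```powershell
# Added example (not from the thread): list AD-integrated DNS zones in every
# directory partition and flag conflict objects and duplicated zone names.
# Assumption: the domain is domain.local, as in the thread; edit $domainDN.
$domainDN = 'DC=domain,DC=local'

# The three places an AD-integrated zone can live; the labels match the
# replication-scope choices in the zone's properties dialog.
$containers = @{
    'DomainNC (Win2000 compatibility)'            = "CN=MicrosoftDNS,CN=System,$domainDN"
    'DomainDnsZones (all DNS servers in domain)'  = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN"
    'ForestDnsZones (all DNS servers in forest)'  = "CN=MicrosoftDNS,DC=ForestDnsZones,$domainDN"
}

$zones = @()
foreach ($scope in $containers.Keys) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$($containers[$scope])"
    $searcher.Filter      = '(objectClass=dnsZone)'
    $searcher.SearchScope = 'OneLevel'
    $searcher.PropertiesToLoad.Add('name') | Out-Null
    try { $results = $searcher.FindAll() }
    catch { Write-Warning "Cannot read ${scope}: $($_.Exception.Message)"; continue }
    foreach ($r in $results) {
        $zones += New-Object PSObject -Property @{
            Zone  = [string]$r.Properties['name'][0]
            Scope = $scope
            Path  = $r.Path
        }
    }
}

# Replication conflicts are renamed with "CNF:<guid>"; a name containing
# "InProgress" is a zone creation that never completed. Review these before
# deleting anything, following Ace's blog post.
$zones | Where-Object { $_.Zone -match 'CNF:' -or $_.Zone -match 'InProgress' } |
    ForEach-Object { "CONFLICT: $($_.Path)" }

# The same zone name stored in more than one partition is the duplicate case:
# the server loads only one copy and the other can go stale.
$zones | Group-Object -Property Zone | Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        $where = ($_.Group | ForEach-Object { $_.Scope }) -join '; '
        "DUPLICATE: zone '$($_.Name)' is stored in: $where"
    }

# Plain inventory so the DomainNC / DomainDnsZones / ForestDnsZones placement
# of each zone can be compared with what the DNS console shows.
$zones | Sort-Object Zone | Format-Table Zone, Scope -AutoSize
```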
In adsiedit.. I see the reverse lookup zone , domain.local and
RootDNSservers listed in there (under microsoft dns, under system, under
DC=domain, dc=local under the default naming context)
I did notice that this setting is in place on the dns servers (all are 2008
r2 at this point):
DomainNC (only for compatibility with Win2000):
Should I switch it to "to all dns servers running on dcs in this domain"?
I don't actually see anything listed in the trust anchors page..
Here are the ipconfigs (note, the best practices tool on r2 said that the
first dns should point to the Other DNS server, while the second is loopback;
doing this made the warning indication go away, but obviously didn't fix other
issues)
first is the first dc, called vsborg01:
Windows IP Configuration
Host Name . . . . . . . . . . . . : vsborg01
Primary Dns Suffix . . . . . . . : domain.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.local
Ethernet adapter Local Area Connection 3:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network
Adapter #3
Physical Address. . . . . . . . . : 00-15-5D-64-5B-12
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . :
fe80::a523:5025:c96d:834b%14(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.100.60(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.100.1
DHCPv6 IAID . . . . . . . . . . . : 285218141
DHCPv6 Client DUID. . . . . . . . :
00-01-00-01-12-F3-A6-2A-00-15-5D-64-53-37
DNS Servers . . . . . . . . . . . : 192.168.100.61
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{3FD2A97E-D911-4EA6-8310-53D2505DD715}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
and now the other:
Windows IP Configuration
Host Name . . . . . . . . . . . . : vsborg02
Primary Dns Suffix . . . . . . . : domain.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.local
Ethernet adapter Local Area Connection 3:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network
Adapter #3
Physical Address. . . . . . . . . : 00-15-5D-64-53-3A
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . :
fe80::2d62:5eeb:8b5d:a314%14(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.100.61(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.100.1
DHCPv6 IAID . . . . . . . . . . . : 285218141
DHCPv6 Client DUID. . . . . . . . :
00-01-00-01-12-F3-A6-2A-00-15-5D-64-53-37
DNS Servers . . . . . . . . . . . : 192.168.100.60
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{73116582-123C-475F-92B8-AAEF513F1CC2}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
You could make the first one point to a partner DC. This will help to
quicken startup of a DC, however, the general consensus among most of us out
here is to use the actual IP of itself as the first, then the IP of the
partner. If you decide to leave it the way you set it, remove the Loopback,
and use the actual IP.
Good to hear that there are not dupes. No, leave the replication scope on the
middle button. That is the application partition DomainDnsZones, whereas the
bottom one is the DomainNC (for backward compatibility).
Did you create a TrustAnchors record? If so, are you using this feature?
Ace
Select the center one as long as there are no 2000 DCs in existence.
I assume the _msdcs.domain.local zone is the top selection, in the forest
replication scope.
Ace
You didn't create any? You can delete it, but hold off on that for right
now.
Yes, I would suggest the center selection.
Ace
If I do properties on domain.local under the dns tree.. I have set it to
"all dns servers in the domain"..
For the _msdcs one, it was already set to the top option.. to all dns in the
forest.
As far as the trust anchors.. where do I delete them.. as under the trust
anchors tab I have nothing listed.
Thanks again
I'm trying to read up on Trustedanchors and DNSSEC (DNS security - a new
industry implementation that is now offered in Windows 2008 R2). It's a new
feature that when you implement it, it associates a certificate (or key) to
a zone in DNS. Somehow during setup, it was specified to allow DNS security,
hence why it is assuming there is a trustedanchor.
Ace
That's interesting, didn't realize R2 added that, perhaps that is indeed the
cause.
"Ace Fekay [MVP-DS, MCT]" wrote:
> "markm75g" <mark...@discussions.microsoft.com> wrote in message
> news:B35CECFC-D5D0-447C...@microsoft.com...
> > Ok, so now..
> >
> > if i do properties on domain.local under the dns tree.. i have set it to
> > "all dns servers in the domain"..
> >
> > For the _msdcs one, it was already set to the top option.. to all dns in
> > the
> > forest.
> >
> >
> > As far as the trust anchors.. where do i delete them.. as under the trust
> > anchors tab i have nothing listed.
> >
> > Thanks again
> Do you see a folder or other object in DNS called Trustedanchors? If so,
> delete it.
>
> I'm trying to read up on Trustedanchors and DNSSEC (DNS security - a new
> industry implementation that is now offered in Windows 2008 R2). It's a new
> feature that when you implement it, it associates a certificate (or key) to
> a zone in DNS. Somehow during setup, it was specified to allow DNS security,
> hence why it is assuming there is a trustedanchor.
>
> Ace
If you look in the zone's properties, Trustedanchors tab, what do you see?
Did you configure a zone in there? See this link to see what I mean:
Distribute Trust Anchors
http://technet.microsoft.com/en-us/library/ee649280(WS.10).aspx
DNS Security Extensions (DNSSEC)
http://technet.microsoft.com/en-us/library/ee683904(WS.10).aspx
Usually I suggest if you are having a similar issue, to start a new thread instead of replying to an older one. Everyone's system is unique, so there may or may not be one 'canned' solution. However, there has been much discussed in this thread with possible solutions and links to read up on seeing if any of them applies to your specific issues based on your own specific configuration.
Have you read through the thread? Has any of it helped guide you in a possible solution for what you are experiencing?
Ace