I have a Windows 2003 domain controller running an Active
Directory-Integrated DNS, and I've recently been getting the following
error message:
The DNS server was unable to add or write an update of domain name
dc02 in zone mydomain.com to the Active Directory. Check that the
Active Directory is functioning properly and add or update this domain
name using the DNS console. The extended error debug information
(which may be empty) is "00002098: SecErr: DSID-03150A45, problem 4003
(INSUFF_ACCESS_RIGHTS), data 0". The event data contains the error.
The Help and Support Center says to:
Check the permissions on the specified file:
1. In Windows Explorer, go to the Systemroot\System32\Dns folder.
2. Right-click the specified database file, and then click
Properties.
3. Click the Security tab, and then click Permissions.
4. Verify that you have the proper permissions to read, write, and run
the file.
I have three .dns files in this directory: cache.dns,
1.16.172.in-addr.arpa.dns, and 3.16.172.in-addr.arpa.dns. I've never changed the
security settings on any of these files to start with, and I'm not
sure how or why they could have been altered. Since the error message
has started appearing, I've checked the security settings, and they
seem right to me:
DOMAIN\Administrators -- Full Control
Authenticated Users -- Read & Execute; Read
DOMAIN\Domain Admins -- Full Control
DOMAIN\Server Operators -- Modify; Read & Execute; Read; Write
SYSTEM -- Full Control
The DNS server seems to function properly, but I'd like to fix this
error to be sure that updates from other servers are being propagated
to this one. No similar errors are occurring on other servers. There
are no Active Directory errors in the Event Viewer and there are no
failed tests in DCDIAG. I'd really appreciate any suggestions about
solving this problem.
Have a look here:
http://support.microsoft.com/kb/252695
http://support.microsoft.com/kb/267855
http://www.eventid.net/display.asp?eventid=4011&eventno=483&source=DNS&phase=1
Best regards
Meinolf Weber
Thanks for the help. I had already seen the first KB article, and the
second was not applicable, as there aren't nearly that many DCs in
the domain. The third link was helpful in that I tried one author's
suggestion to remove the DNS server's Active Directory Integration,
then reinstate it. This seemed to fix the problem.
Thanks again for pointing me in the right direction!