Windows-Expert.com
Find Windows Problems and Solutions
 
Can you remove DNS from Domain Controller and reinstall to r
Saral6978 (Guest)
Posted: Fri Sep 19, 2008 1:01 pm    Subject: Can you remove DNS from Domain Controller and reinstall to r

I'm having issues with the DNS server service - when set to automatic it
won't allow my DC to boot - hangs on Preparing Network Connections. If I set
it to Manual it boots up and I can login and then I start DNS manually after
login. I believe the problem started after a recent MS Update.

I'm toying with the idea of uninstalling DNS and reinstalling while it is
still a DC with Active Directory. Can I do that or no?
Saral6978 (Guest)
Posted: Fri Sep 19, 2008 2:44 pm    Subject: RE: Can you remove DNS from Domain Controller and reinstall

The domain controller I am working on in question does not hold any of the
FSMO roles or anything like that, so I'm hoping that removing DNS from the
server would be okay...I have brought up another DC at this site with DNS
installed, so at least now I have a backup DC handy if necessary...Any
thoughts?

Also - there are no errors in the Event Log pertaining to DNS Server or
anything when it hangs on Preparing Network Connections. Once I log in and
start the service, everything is as happy as can be, replication, name
resolution, etc.

Is there a chance that maybe the network card drivers need updating? The
server is an HP DL360 G5 with two GB Ethernet ports, and I have them teamed.
I have 2 other identical servers at 2 other sites (both DCs, running same OS,
everything identical to this one), and they are having no issues at all.

Saral6978 (Guest)
Posted: Fri Sep 19, 2008 3:27 pm    Subject: Re: Can you remove DNS from Domain Controller and reinstall

<Is this the only DC/DNS server?>

At this particular site it was...I originally had it configured to use itself
and a remote DNS server at my main site for its DNS server. It was a record
48hrs that it sat at Preparing Network Connections. It had done a reboot
about 5:00am on a Saturday and Monday morning it was still sitting at the
screen. DNS had been flaking out for the past 2 weeks after some updates had
applied, for example, my DNS zone would be empty and I had to manually
restart the DNS server service for it to populate but then it would still
boot up okay...then about 2 weeks later, it just got stuck on that part of
the reboot. I figured out the issue was the DNS Server because I went into
Safe mode and changed it to Manual, then no problem.

<If you have an additional DC, i would make it also DNS server use AD
integrated zones and configure both of them for preferred DNS as itself and
secondary to the other.>

The secondary DNS server that I just brought up, I did install DNS on it as
well, and its zone is also AD-Integrated. I installed DNS first, then added
the DC role to it so it configured the AD-Integrated zone automatically.
This backup DC is fully operational, replicating with the other 4 DCs in my
domain (at 3 different sites). I configured its DNS with itself as the
primary, the above DC having issues is the secondary, and I added one of my
remote DNS servers as a third.

And like you suggested, I had added my newly promoted DC as the secondary
DNS server to the one having the problem starting up. I have not yet
attempted a reboot on the server having the issue, so perhaps this will
solve it, but the question remains: why now, all of a sudden, can't this
server find itself as a DNS server during the boot process when it was
working just fine a couple of weeks ago? That's why I'm wondering if I just
remove DNS from this server and reinstall it, it might fix whatever the
problem is...

Thanks for your reply,

Sara

Meinolf Weber (Guest)
Posted: Fri Sep 19, 2008 4:46 pm    Subject: Re: Can you remove DNS from Domain Controller and reinstall

Hello Saral6978,

Is this the only DC/DNS server? Well, during the startup the server will
try to connect to the domain DNS server. Unfortunately it can happen that
the DNS server service needs a long time to start, so it cannot find its
own DNS server. I think that is the reason for the long time of preparing
network connections. If you have an additional DC, I would make it also a DNS
server, use AD integrated zones and configure both of them for preferred DNS
as itself and secondary to the other. So it can always reach the secondary
if its own is not started.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Meinolf Weber (Guest)
Posted: Sat Sep 20, 2008 10:37 am    Subject: Re: Can you remove DNS from Domain Controller and reinstall

Hello Saral6978,

48 hours is really too long. I will crosspost to microsoft.public.windows.server.dns,
there are the DNS experts.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Ace Fekay [MVP Directory Services] (Guest)
Posted: Sat Sep 20, 2008 6:45 pm    Subject: Re: Can you remove DNS from Domain Controller and reinstall

Sara,

What operating system and service pack level are your DCs?
Do you have AD Sites configured properly?
What errors are on any of the DCs? If any exist, please post the EventID#
and Source names.

I'm trying to get a handle on your infrastructure. Not sure what was
installed or updated, but any of the updates would not cause this issue. So
I'll give you a generalization of what to look for with configuring your DCs
in a multi-site scenario and other recommendations.

In a multi-site config with Sites configured properly, always point DNS to
itself as first, and pick another DC in another site as second.

There is no such thing as a 'secondary' zone, unless of course you are
speaking of the position as being the 'second' DNS address in IP properties.

If you have any DC with a true "Secondary" zone of a zone that is AD
integrated, expect huge problems. If so, it will cause duplicate zones in
the AD database and that is not easily cleaned up.

If you have ever wanted to uninstall DNS on a DC, and decided to manually
delete an AD Integrated zone first prior to uninstallation, you have just
effectively deleted the whole zone out of AD. If you want to remove the DNS
service off a DC that has an AD integrated zone, simply go into Add/Remove,
Windows Components, and uncheck the box. Never delete the zone first.

If a server cannot 'find itself' for DNS, I would suggest to change its
first entry to another DC in another Site with an operational DNS and let it
come up. Then put itself as second. Reboot after about an hour to make sure
it still comes up. If it comes up clean, then change it to itself as the
first entry, then the other one as the second entry. The reason why it can't
find itself is because AD is not up yet for whatever reason, such as
possibly an update, or an app change that needed to do something during the
restart, etc. Therefore, since AD is not up yet, and the zone is AD
integrated, DNS can't find it in the AD database simply because AD
services have not started yet.

Make sense?

So applying what I mentioned, can you backtrack on what was done and in what
order to better understand what may have happened?


--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Enter into an artificial quantum singularity lined with fermions and
neutrino scatterings depicted by electrons smashing into protons and
neutrons like billiard balls moving at warp 9 exposing quarks, mesons and
baryons, the essentials of their existence, that are spinning off in half
scatters. You have now entered the Twilight Zone.
Saral6978 (Guest)
Posted: Sun Sep 21, 2008 2:03 pm    Subject: Re: Can you remove DNS from Domain Controller and reinstall
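The ordering advice from Meinolf and Ace above (preferred DNS pointed at itself, second entry another DC; inverted while the DC is recovering from the "cannot find itself" hang; DNS Server service left on Automatic) as an added PowerShell script. It is not from the thread or from either poster; it uses WMI rather than the newer DnsClient cmdlets so that it runs on a Windows Server 2003 DC, and the two IP addresses are placeholders that must be replaced with the real DC addresses.

```powershell
# Added example (not from the thread). Applies the DNS-client ordering advice
# on a 2003-era DC with WMI. $SelfIp and $PeerDcIp are assumed placeholders.
param(
    [string]$SelfIp   = "192.168.10.5",   # this DC's own address (assumption)
    [string]$PeerDcIp = "192.168.20.5",   # DNS-hosting DC in another site (assumption)
    [switch]$PeerFirst                    # recovery order: peer first, self second
)

# Find the adapter that actually carries the DC's address. With an HP NIC team
# this is the virtual team adapter, not one of the physical ports.
$nic = Get-WmiObject Win32_NetworkAdapterConfiguration |
       Where-Object { $_.IPEnabled -and ($_.IPAddress -contains $SelfIp) } |
       Select-Object -First 1
if (-not $nic) { throw "No IP-enabled adapter holds $SelfIp" }

# Normal order: self first, another site's DC second. While recovering from the
# boot hang, invert it (-PeerFirst), reboot, confirm, then switch back.
if ($PeerFirst) { $order = @($PeerDcIp, $SelfIp) } else { $order = @($SelfIp, $PeerDcIp) }
$result = $nic.SetDNSServerSearchOrder($order)
if ($result.ReturnValue -ne 0) { throw "SetDNSServerSearchOrder failed with code $($result.ReturnValue)" }
Write-Host ("DNS client order on '{0}': {1}" -f $nic.Description, ($order -join ', '))

# The DNS Server service must stay Automatic. Manual only hides the symptom,
# because the DC locator records this DC needs live in the AD-integrated zone.
$dns = Get-WmiObject Win32_Service -Filter "Name='DNS'"
if ($dns.StartMode -ne "Auto") {
    Write-Warning ("DNS Server StartMode is {0}; setting it back to Automatic" -f $dns.StartMode)
    [void]$dns.ChangeStartMode("Automatic")
}

# Verify that every server in the list answers the domain's DC locator SRV record.
$domain = (Get-WmiObject Win32_ComputerSystem).Domain
foreach ($srv in $order) {
    $out = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" $srv 2>&1 | Out-String
    if ($out -match "svr hostname") {
        Write-Host ("OK   {0} answers _ldap._tcp.dc._msdcs.{1}" -f $srv, $domain)
    } else {
        Write-Warning ("FAIL {0} did not return the DC locator record" -f $srv)
    }
}
```

Run it once with -PeerFirst before the test reboot Ace describes, and again without the switch once the DC has come up clean; the SRV check at the end is the quickest way to confirm that each listed server can actually hand out the records the DC needs at boot.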

Ace - thank you so much for your reply, I really appreciate it.

3 of the DCs, which includes the one I'm having issues with, are running
Windows 2003 R2, SP2, and the other 2 DCs are running Windows 2003, SP2.

I am getting one error in the DNS Server log, but I have to confirm if it's
being generated during the reboot when DNS is set to automatic, or if it's
being logged because I have DNS Server set to manual. In any case, it's
Event ID 4015: The DNS server has encountered a critical error from the
Active Directory. Check that the Active Directory is functioning properly.
The event data contains the error.

I have been looking into this error and possible causes. My AD does seem to
be functioning correctly though, as there are no other errors in my event
log, and shortly after 4015 is logged, another event says DNS has started and
there are no other errors. I'm not sure if that's when I manually turned it
on or not. I will be doing a reboot Monday and keep better track of when
these errors/alerts are happening.

AD sites and services is setup properly and replication is running
seamlessly. I do have DNS set to point to itself first on all my DCs, and
then I pick another DC in another site as second. When I said "secondary",
I meant just the secondary DNS server, not a zone. I only have the one zone
with the one domain.

I would never have deleted the Zone from DNS - My plan was to go into
Add/Remove programs and uncheck DNS from the DC and uninstall it. So, by
what you said, I should be able to safely uninstall DNS from Windows
Components on the domain controller without hosing my current Active
Directory/AD Integrated Zone and affecting my other DCs? If I can do this,
it might be worth a shot to see if this would solve the problem.

But, before I do that, since I now have a 2nd DC at this particular site, I
will change my problem DC's 1st DNS server to the 2nd DC of that site and
see if I can get it to start. Someone had also mentioned there are a few
Windows updates that are specifically security updates for DNS that can
affect services from starting (using UDP ports) and that you have to reserve
a port, because there is a port that DNS or AD might be using that it can't
because this port is in use. Problem is, I have no idea what ports to
attempt to reserve to see if that is truly the problem. DNS to my knowledge
only uses TCP and UDP ports 53. I'm not sure about AD though, I haven't
checked it.

Thanks, again!

Sara

Ace Fekay [MVP Directory Services] (Guest)
Posted: Sun Sep 21, 2008 4:06 pm    Subject: Re: Can you remove DNS from Domain Controller and reinstall

Hi Sara,

Honestly, I haven't heard of these problems until now. But a really important
point is that you must keep the DNS service set to Automatic at all times.
Otherwise, leaving it on Manual will cause issues at startup because AD can't
find itself if the first entry is pointed to itself unless the DNS service
is running. Otherwise, how is it supposed to query a non-running DNS
service?

As for uninstalling, yes, just uncheck the box. But I would leave the
service enabled and try it out.

The security update reserves 2500 UDP ephemeral ports. The ephemeral ports
are the response ports anywhere between UDP 1025 and UDP 2500. Sometimes
this can cause problems with 3rd-party apps installed that need these ports, as
well as the IPSec service. Otherwise, if you don't have anything else
installed, it shouldn't be a problem. The following is more info on the
security update and the ports being used. But I don't think this is the
cause of the problem.

---------------------------------
The DNS patch will reserve 2500 ephemeral UDP ports. When you run a
netstat -ab, it will display the 2500 UDP ports that have been
reserved, but not necessarily in use. This is part of the memory
consumption. I've noticed the following (your mileage may vary):

dns.exe        Before      After
Mem usage      9,758K      36,232K
Peak Mem       10,208K     36,584K
Paged Pool     71K         798K
NP Pool        17K         4,833K
Handles        238         5,217
Threads        20          20

MS08-037: Description of the security update for DNS in Windows Server 2003,
in Windows XP, and in Windows 2000 Server (client side): July 8, 2008:
http://support.microsoft.com/?id=951748

MS08-037: Vulnerabilities in DNS could allow spoofing
http://support.microsoft.com/default.aspx/kb/953230

How to reserve a range of ephemeral ports on a computer that is running
Windows Server 2003 or Windows 2000 Server
http://support.microsoft.com/kb/812873

You experience issues with UDP-dependent network services after you install
DNS Server service security update 953230 (MS08-037)
http://support.microsoft.com/default.aspx/kb/956188

Some Services May Fail to Start or May Not Work Properly After Installing
MS08-037 (951746 and 951748)
http://blogs.technet.com/sbs/archive/2008/07/17/some-services-may-fail-to-start-or-may-not-work-properly-after-installing-ms08-037-951746-and-951748.aspx

SBS Services failing after MS08-037 - KB951746 and 951748
http://msmvps.com/blogs/thenakedmvp/archive/2008/07/18/sbs-services-failing-after-ms08-037-kb951746-and-951748.aspx
--------------------------------------------

Ace
Meinolf Weber (Guest)
Posted: Sun Sep 21, 2008 4:26 pm    Subject: Re: Can you remove DNS from Domain Controller and reinstall
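Ace's point about the MS08-037 socket pool, and the ReservedPorts mechanism from KB812873 he links, as an added PowerShell inventory script. This is not from the thread or from any of the linked articles; it reads the live netstat table and registry on a Windows Server 2003 DC with the update applied, and the registry value names (ReservedPorts, MaxUserPort under Tcpip\Parameters; SocketPoolSize under DNS\Parameters) are the ones those KB articles document.

```powershell
# Added example (not from the thread). Shows where the UDP socket pool opened
# by the MS08-037 DNS update landed, which other processes hold UDP ports in
# the same ephemeral range, and whether those ports are covered by ReservedPorts.
# Assumes Windows Server 2003 with the update installed; run from an elevated prompt.

$tcpipParams = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
$dnsParams   = "HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters"

# ReservedPorts is a REG_MULTI_SZ of "low-high" ranges (KB812873).
$reservedRaw = (Get-ItemProperty $tcpipParams -ErrorAction SilentlyContinue).ReservedPorts
$reserved = @()
foreach ($r in @($reservedRaw)) {
    if ($r -match '^(\d+)-(\d+)$') { $reserved += ,@([int]$matches[1], [int]$matches[2]) }
}
# MaxUserPort bounds the ephemeral range; 5000 is the Server 2003 default.
$maxUserPort = (Get-ItemProperty $tcpipParams -ErrorAction SilentlyContinue).MaxUserPort
if (-not $maxUserPort) { $maxUserPort = 5000 }
# SocketPoolSize is the post-update DNS pool size; 2500 is the default (KB956188).
$poolSize = (Get-ItemProperty $dnsParams -ErrorAction SilentlyContinue).SocketPoolSize
if (-not $poolSize) { $poolSize = 2500 }
Write-Host ("Ephemeral range 1025-{0}; DNS SocketPoolSize {1}; ReservedPorts: {2}" -f
    $maxUserPort, $poolSize, $(if ($reserved.Count) { $reservedRaw -join ' ' } else { '(none)' }))

function Test-Reserved([int]$port) {
    foreach ($range in $reserved) {
        if ($port -ge $range[0] -and $port -le $range[1]) { return $true }
    }
    return $false
}

# netstat -ano -p udp lines look like:  UDP    0.0.0.0:53    *:*    <PID>
$procName = @{}
Get-Process | ForEach-Object { $procName[$_.Id] = $_.ProcessName }
$ports = @{}   # process name -> ephemeral UDP ports it currently holds
netstat -ano -p udp | ForEach-Object {
    if ($_ -match '^\s*UDP\s+\S+:(\d+)\s+\S+\s+(\d+)\s*$') {
        $port = [int]$matches[1]; $owner = [int]$matches[2]
        if ($port -lt 1025 -or $port -gt $maxUserPort) { return }   # outside ephemeral range
        $name = if ($procName.ContainsKey($owner)) { $procName[$owner] } else { "pid $owner" }
        if (-not $ports.ContainsKey($name)) { $ports[$name] = @() }
        $ports[$name] += $port
    }
}

# dns.exe should own roughly SocketPoolSize sockets; anything else in the range
# is a candidate for a collision and, if it matters, for a ReservedPorts entry.
foreach ($name in ($ports.Keys | Sort-Object)) {
    $list = @($ports[$name] | Sort-Object)
    if ($name -eq "dns") {
        "{0,-12} {1,5} UDP sockets between {2} and {3} (pool size {4})" -f $name, $list.Count, $list[0], $list[-1], $poolSize
    } else {
        $unprotected = @($list | Where-Object { -not (Test-Reserved $_) })
        "{0,-12} {1,5} UDP port(s): {2}{3}" -f $name, $list.Count, ($list -join ','),
            $(if ($unprotected.Count) { "  <-- $($unprotected.Count) not covered by ReservedPorts" } else { "" })
    }
}
```

If a service other than dns.exe shows up with ports that are not covered by a reservation, that is the port to reserve per KB812873 before the next reboot; if nothing but dns.exe appears in the range, the update is unlikely to be what is keeping the DC from coming up, which matches Ace's read of the situation.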

Hello Saral6978,

For event id 4015 check out this article and the part with the (.) root zone
from Adrian Grigorof.
http://www.eventid.net/display.asp?eventid=4015&eventno=333&source=DNS&phase=1

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Quote:
Ace - thank you so much for your reply, I really appreciate it.

3 of the DCs, which includes the one I'm having issues with, are
running Windows 2003 R2, SP2, and the other 2 DCs are running Windows
2003, SP2.

I am getting one error in the DNS Server log, but I have to confirm if
it's being generated during the reboot when DNS is set to automatic,
or if it's being logged because I have DNS Server set to manual. In
any case, it's Event ID 4015: The DNS server has encountered a
critical error from the Active Directory. Check that the Active
Directory is functioning properly. The event data contains the error.

I have been looking into this error and possible causes. My AD does
seem to be functioning correctly though, as there are no other errors
in my event log, and shortly after 4015 is logged, another event says
DNS has started and there are no other errors. I'm not sure if that's
when I manually turned it on or not. I will be doing a reboot Monday
and keep better track of when these errors/alerts are happening.

AD sites and services is setup properly and replication is running
seamlessly. I do have DNS set to point to itself first on all my DCs,
and then I pick another DC in another site as second. When I meant
"secondary", I meant just the secondary DNS server, not a zone. I
only have the one zone with the one domain.

I would never have deleted the Zone from DNS - My plan was to go into
Add/Remove programs and uncheck DNS from the DC and uninstall it. So,
by what you said, I should be able to safely uninstall DNS from
Windows Components on the domain controller without hosing my current
Active Directory/AD Integrated Zone and affecting my other DCs? If I
can do this, it might be worth a shot to see if this would solve the
problem.

But, before I do that, since I now have a 2nd DC at this particular
site, I will change my problem DC's 1st DNS server to the the 2nd DC
of that site and see if I can get it to start. Someone had also
mentioned there are a few Windows updates that are specifically
security updates for DNS that can affect services from starting (using
UDP ports) and that you have to reserve a port, because there is a
port that DNS or AD might be using that it can't because this port is
in use. Problem is, I have no idea what ports to attempt to reserve
to see if that is truly the problem. DNS to my knowledge only uses
TCP and UDP ports 53. I'm not sure about AD though, I haven't checked
it.

Thanks, again!

Sara

"Ace Fekay [MVP Directory Services]" wrote:

"Meinolf Weber" wrote in message
news:ff16fb667ac58cae934bc873a5b@msnews.microsoft.com...

Is this the only DC/DNS server?

At this particular site it was... I originally had it configured to use
itself and a remote DNS server at my main site for its DNS server. It
was a record 48hrs that it sat at Preparing Network Connections. It had
done a reboot about 5:00am on a Saturday and Monday morning it was still
sitting at the screen. DNS had been flaking out for the past 2 weeks
after some updates had applied, for example, my DNS zone would be empty
and I had to manually restart the DNS server service for it to populate,
but then it would still boot up okay... then about 2 weeks later, it
just got stuck on that part of the reboot. I figured out the issue was
the DNS Server because I went into Safe Mode and changed it to Manual,
then no problem.

If you have an additional DC, I would make it also a DNS server using
AD integrated zones and configure both of them for preferred DNS as
itself and secondary to the other.

The secondary DNS server that I just brought up, I did install DNS on
it as well, and its zone is also AD-Integrated. I installed DNS first,
then added the DC role to it so it configured the AD-Integrated zone
automatically. This backup DC is fully operational, replicating with the
other 4 DCs in my domain (at 3 different sites). I configured its DNS
with itself as the primary, the above DC having issues is the secondary,
and I added one of my remote DNS servers as a third.

And like you suggested, I had added my newly promoted DC as the
secondary DNS server to the one having the problem starting up. I have
not yet attempted a reboot on the server having the issue, so perhaps
this will solve it, but the problem still exists that why now all of a
sudden this server can't find itself as a DNS server during the boot
process when it was working just fine a couple of weeks ago? That's why
I'm wondering if I just remove DNS from this server and reinstall it,
it might fix whatever the problem is...

Thanks for your reply,

Sara

Sara,

What operating system and service pack level are your DCs?
Do you have AD Sites configured properly?
What errors are on any of the DCs? If any exist, please post the
EventID# and Source names.
I'm trying to get a handle on your infrastructure. Not sure what was
installed or updated, but any of the updates would not cause this
issue. So I'll give you a generalization of what to look for with
configuring your DCs in a multi-site scenario and other
recommendations.

In a multi-site config with Sites configured properly, always point
DNS to itself as first, and pick another DC in another site as
second.

There is no such thing as a 'secondary' zone, unless of course you are
speaking of the position as being the 'second' DNS address in IP
properties.

If you have any DC with a true "Secondary" zone of a zone that is AD
integrated, expect huge problems. If so, it will cause duplicate
zones in the AD database and that is not easily cleaned up.

If you have ever wanted to uninstall DNS on a DC, and decided to
manually delete an AD Integrated zone first prior to uninstallation,
you have just effectively deleted the whole zone out of AD. If you
want to remove the DNS service off a DC that has an AD integrated
zone, simply go into Add/Remove, Windows Components, and uncheck the
box. Never delete the zone first.

If a server cannot 'find itself' for DNS, I would suggest to change
its first entry to another DC in another Site with an operational
DNS and let it come up. Then put itself as second. Reboot after about
an hour to make sure it still comes up. If it comes up clean, then
change it to itself as the first entry, then the other one as the
second entry. The reason why it can't find itself is because AD is
not up yet for whatever reason, such as possibly an update, or an app
change that needed to do something during the restart, etc. Therefore,
since AD is not up yet, and the zone is AD integrated, DNS can't
find it in the AD database simply because AD services have not
started yet.

Make sense?

So applying what I mentioned, can you backtrack on what was done and
in what order to better understand what may have happened?

--
Regards,
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer
For urgent issues, you may want to contact Microsoft PSS directly.
Please check http://support.microsoft.com for regional support phone
numbers.

Enter into an artificial quantum singularity lined with fermions and
neutrino scatterings depicted by electrons smashing into protons and
neutrons like billiard balls moving at warp 9 exposing quarks, mesons
and baryons, the essentials of their existence, that are spinning off
in half scatters. You have now entered the Twilight Zone.
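Ace's advice quoted in the post above (keep the DNS Server service on Automatic, point the DC at itself first and another DC second, and temporarily reverse that order when the DC cannot find itself during boot) comes down to a few checks and one setting change, plus the open question of whether event 4015 is logged before or after the DNS server actually starts. The PowerShell script below is an added example, not code from this thread or from Microsoft. It assumes Windows Server 2003 with PowerShell 2.0 and WMI (no DnsClient module on that OS), run as an administrator on the DC itself; the IP addresses and the adapter index in it are placeholders.

```powershell
# Added example (not from the thread): pre-reboot checks for a DC that hangs on
# "Preparing Network Connections" when the DNS Server service is Automatic.
# Assumes Windows Server 2003 with PowerShell 2.0 (WMI only) and that it runs
# elevated on the DC itself. IP addresses and adapter index are placeholders.

$OtherDcDns = '10.0.1.10'   # assumption: the other DC at this site (or a remote one)

# 1. The DNS Server service must stay Automatic; Manual is only a workaround.
function Get-DnsServerStartMode {
    $svc = Get-WmiObject Win32_Service -Filter "Name='DNS'"
    if (-not $svc) { return 'NotInstalled' }
    return $svc.StartMode          # 'Auto', 'Manual' or 'Disabled'
}

# 2. Report each IP-enabled NIC's DNS search order and whether it points at
#    itself first (a teamed pair shows up as the single team adapter).
function Get-DnsSearchOrderReport {
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
      ForEach-Object {
        $own   = @($_.IPAddress)
        $order = @($_.DNSServerSearchOrder)
        New-Object PSObject -Property @{
            Index       = $_.Index
            Description = $_.Description
            OwnIPs      = $own -join ','
            SearchOrder = $order -join ','
            SelfFirst   = ($order.Count -gt 0 -and $own -contains $order[0])
        }
      }
}

# 3. Apply the swap Ace describes (other DC first, itself second), and later
#    the reverse. Returns the WMI ReturnValue; 0 means the change was accepted.
function Set-DnsSearchOrder {
    param([int]$Index, [string[]]$Servers)
    $nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$Index"
    return ($nic.SetDNSServerSearchOrder($Servers)).ReturnValue
}

# 4. Pull DNS Server log events 4015 (critical error from AD) and 2 (the DNS
#    server has started) in time order, so the next reboot shows which came
#    first instead of guessing.
function Get-DnsStartupEvents {
    param([int]$Newest = 200)
    Get-EventLog -LogName 'DNS Server' -Newest $Newest |
        Where-Object { $_.EventID -eq 4015 -or $_.EventID -eq 2 } |
        Sort-Object TimeGenerated |
        Select-Object TimeGenerated, EventID,
            @{n='Summary'; e={ $_.Message.Split("`n")[0] }}
}

# --- run the checks ---
"DNS Server service start mode: $(Get-DnsServerStartMode)"
Get-DnsSearchOrderReport |
    Format-Table Index, Description, OwnIPs, SearchOrder, SelfFirst -AutoSize
Get-DnsStartupEvents | Format-Table -AutoSize

# Temporary swap on adapter index 1 (placeholder), then the revert once the
# server has come up clean twice, as in Ace's procedure:
# Set-DnsSearchOrder -Index 1 -Servers @($OtherDcDns, '10.0.2.10')   # other DC first
# Set-DnsSearchOrder -Index 1 -Servers @('10.0.2.10', $OtherDcDns)   # back to itself first
```

Run it before the planned reboot and again after: the report should show SelfFirst false while the swap is in place, and the event listing tells you whether 4015 precedes event 2 (DNS started before AD was usable) or follows a manual start of the service.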
Saral6978
Guest

PostPosted: Mon Sep 22, 2008 12:24 pm    Post subject: Re: Can you remove DNS from Domain Controller and reinstall

Thank you Meinolf - I did look at this link last Friday. I did look at the
(.) root zone part, but to me, they are suggesting I change my zone type,
and I'm not sure I am comfortable doing that when I'm not having issues with
my other DCs and their DNS server service, etc...

"Meinolf Weber" wrote:

Quote:
Hello Saral6978,

For event id 4015 check out this article and the part with the (.) root zone
from Adrian Grigorof.
http://www.eventid.net/display.asp?eventid=4015&eventno=333&source=DNS&phase=1

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Saral6978
Guest

PostPosted: Mon Sep 22, 2008 12:36 pm    Post subject: Re: Can you remove DNS from Domain Controller and reinstall

Ace -

Yes, I realize that DNS should be set to automatic, believe me, I want to
switch it back. Unfortunately, the server won't boot up if it is set to
automatic. Currently, it is still set to manual, and if I happen to reboot
the server, I then log in and start DNS Server right away manually. It's not
that I have DNS stopped altogether or anything.


<<The security update reserves 2500 UDP ephemeral ports. The ephemeral ports
are the response ports anywhere between UDP 1025 and UDP 2500. Sometimes this
can cause problems with 3rd apps installed that need these ports as well as
the IPSec service.>>

I don't have much running on this DC, but I do have 3rd party tools, like a
SurfControl Agent, a SpecOpsPasswordPolicy agent running, both of which
communicate with AD. I've looked at all the documentation that you noted
below about the ports last week. Thursday night I did remove 3 updates that
I suspected might be causing the issue and when I removed them my server
booted normally with DNS Server on automatic. I then applied the 3 updates
one at a time and after I installed KB945553 (which is a DNS security
update), my server got stuck again on Preparing Network Connections. I then
booted into Safe Mode, switched DNS back to manual, then booted back into the
regular OS and uninstalled only that update and switched DNS back to Auto,
but unfortunately, the server still got stuck on reboot. I removed those
other 2 updates again, and it still wouldn't boot. So, I'm not sure why it
booted okay the first time after I removed all 3 updates (only difference was
that I didn't remove them in the same order that I did the first time).

Well, in any case, I'm going to do a reboot this morning to see what happens
with using a different DNS server as the primary and of course, resetting my
service back to Automatic before the reboot.

Sara

"Ace Fekay [MVP Direcrtory Services]" wrote:

Quote:
"Saral6978" <Saral6978@discussions.microsoft.com> wrote in message
news:72CEBDBC-AE50-4510-A5EA-7D6A0319F8F0@microsoft.com...
Ace - thank you so much for your reply, I really appreciate it.

3 of the DCs, which includes the one I'm having issues with, are running
Windows 2003 R2, SP2, and the other 2 DCs are running Windows 2003, SP2.


Hi Sara,

Honestly I haven't heard of these problems until now. But a real important
point, is that you must keep the DNS service set to automatic at all times.
Otherwise leaving it to manual will cause issues at startup because AD can't
find itself if the first entry is pointed to itself unless the DNS service
is running. Otherwise, how is it supposed to query a non-running DNS
service?

As for uninstalling, yes, just uncheck the box. But I would leave the
service enabled and try it out.

The security update reserves 2500 UDP ephemeral ports. The ephemeral ports
are the response ports anywhere between UDP 1025 and UDP 2500. Sometimes
this can cause problems with 3rd-party apps installed that need these ports
as well as the IPSec service. Otherwise, if you don't have anything else
installed, it shouldn't be a problem. The following is more info on the
security update and the ports being used. But I don't think this is the
cause of the problem.

---------------------------------
The DNS patch will reserve 2500 ephemeral UDP ports. When you run a
netstat -ab, it will display the 2500 UDP ports that have been
reserved, but not necessarily in use. This is part of the memory
consumption. I've noticed the following (your mileage may vary):

dns.exe        Before     After
Mem usage      9,758K     36,232K
Peak Mem       10,208K    36,584K
Paged Pool     71K        798K
NP Pool        17K        4,833K
Handles        238        5,217
Threads        20         20

MS08-037: Description of the security update for DNS in Windows Server 2003,
in Windows XP, and in Windows 2000 Server (client side): July 8, 2008:
http://support.microsoft.com/?id=951748

MS08-037: Vulnerabilities in DNS could allow spoofing
http://support.microsoft.com/default.aspx/kb/953230

How to reserve a range of ephemeral ports on a computer that is running
Windows Server 2003 or Windows 2000 Server
http://support.microsoft.com/kb/812873

You experience issues with UDP-dependent network services after you install
DNS Server service security update 953230 (MS08-037)
http://support.microsoft.com/default.aspx/kb/956188

Some Services May Fail to Start or May Not Work Properly After Installing
MS08-037 (951746 and 951748)
http://blogs.technet.com/sbs/archive/2008/07/17/some-services-may-fail-to-start-or-may-not-work-properly-after-installing-ms08-037-951746-and-951748.aspx

SBS Services failing after MS08-037 - KB951746 and 951748
http://msmvps.com/blogs/thenakedmvp/archive/2008/07/18/sbs-services-failing-after-ms08-037-kb951746-and-951748.aspx
--------------------------------------------

Ace
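The port discussion in Ace's reply quoted above (the DNS update keeps a pool of UDP ports bound by dns.exe, netstat shows them, and KB812873 describes reserving ranges so other services keep the ports they need) can be measured rather than guessed at. The PowerShell below is an added example, not code from the thread or from the linked KB articles. It assumes Windows Server 2003 with PowerShell 2.0, run as an administrator on the DC; the port number in the usage line is a placeholder for whatever a third-party agent such as the ones Sara lists actually listens on.

```powershell
# Added example (not from the thread): measure what the DNS server update did
# to UDP port usage on this DC, and reserve a port range for a third-party
# agent via the ReservedPorts value that KB812873 documents. Assumes Windows
# Server 2003 with PowerShell 2.0, run elevated. Port numbers are placeholders.

$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Parse "netstat -ano -p udp" output into (LocalAddress, Port, ProcessId)
# objects. It takes the text as a parameter so a saved capture works too.
function ConvertFrom-NetstatUdp {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # e.g. "  UDP    0.0.0.0:53             *:*                          1492"
        if ($line -match '^\s*UDP\s+(\S+):(\d+)\s+\S+\s+(\d+)\s*$') {
            New-Object PSObject -Property @{
                LocalAddress = $matches[1]
                Port         = [int]$matches[2]
                ProcessId    = [int]$matches[3]
            }
        }
    }
}

# Count the UDP sockets held by dns.exe and the port range they occupy.
# After the update expect a large pool (the post above reports 2500), not
# just port 53; before it, a handful of sockets.
function Get-DnsUdpSocketSummary {
    $dns = Get-Process -Name dns -ErrorAction SilentlyContinue
    if (-not $dns) { return 'dns.exe is not running' }
    $sockets = @(ConvertFrom-NetstatUdp (netstat -ano -p udp) |
                 Where-Object { $_.ProcessId -eq $dns.Id })
    $ports = @($sockets | ForEach-Object { $_.Port } | Sort-Object -Unique)
    New-Object PSObject -Property @{
        ProcessId   = $dns.Id
        SocketCount = $sockets.Count
        LowestPort  = $ports[0]
        HighestPort = $ports[-1]
    }
}

# Read the current ReservedPorts list (REG_MULTI_SZ of "low-high" ranges).
function Get-ReservedPorts {
    $p = Get-ItemProperty -Path $TcpipParams -Name ReservedPorts `
         -ErrorAction SilentlyContinue
    if ($p) { return @($p.ReservedPorts) } else { return @() }
}

# Add a range so the ephemeral-port allocator leaves it alone for the agent
# that listens there. A single port is written as "n-n". The change takes
# effect after a reboot, as KB812873 notes.
function Add-ReservedPortRange {
    param([int]$Low, [int]$High = $Low)
    $entry   = "$Low-$High"
    $current = Get-ReservedPorts
    if ($current -contains $entry) { return $current }
    $updated = $current + $entry
    New-ItemProperty -Path $TcpipParams -Name ReservedPorts `
        -PropertyType MultiString -Value $updated -Force | Out-Null
    return Get-ReservedPorts
}

# --- run ---
Get-DnsUdpSocketSummary | Format-List ProcessId, SocketCount, LowestPort, HighestPort
"Reserved ranges now: $((Get-ReservedPorts) -join ', ')"
# Example: keep port 4500 (placeholder) out of the pool for a hypothetical agent:
# Add-ReservedPortRange -Low 4500
```

Compare the socket summary on the problem DC with one of the identical DCs at the other sites: if the counts differ, the patch level differs, which matches the update-by-update testing described in this post. Reserving a range is only worth doing for a port you have seen an agent fail to bind; reserving blindly just shrinks the pool for everything else.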

Saral6978
Guest

PostPosted: Mon Sep 22, 2008 4:38 pm    Post subject: Re: Can you remove DNS from Domain Controller and reinstall

Well, this is kind of interesting...here is what I did. I installed all needed
critical updates, including all the DNS security updates I hadn't yet
applied, and the ones I removed, added my other DC as the Secondary DNS
server on the NIC, changed the DNS Server service to automatic and rebooted.
My server rebooted very quickly and successfully! I then removed that
secondary DNS server and put in one from my remote site, and then rebooted
the server and it still worked!

So, I'm thinking that by installing ALL the necessary windows updates that
it might have fixed my problem...I really don't know. I no longer have the
4015 error, and no other errors pertaining to DNS or active directory.
Everything is running as it should.

I don't know what to say about this...very strange.

Thanks Ace and Meinolf for your responses to my questions! They were much
appreciated!

Sara
Meinolf Weber
Guest

PostPosted: Mon Sep 22, 2008 6:59 pm    Post subject: Re: Can you remove DNS from Domain Controller and reinstall

Hello Saral6978,

Nice to hear that you fixed it.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Quote:
Well, this is kind of interesting...here is what I did. I installed
all need critical updates, including all the DNS security updates I
hadn't yet applied, and the ones I removed, added my other DC as the
Secondary DNS server on the NIC, changed the DNS Server service to
automatic and rebooted. My server rebooted very quickly and
successfully! I then remove that secondary DNS server and put in one
from my remote site, and then rebooted the server and it still worked!

So, I'm thinking that by installing ALL the necessary windows updates
that it might have fixed my problem...I really don't know. I know
longer have the 4015 error, and no other errors pertaining to DNS or
active directory. Everything is running as it should.

I don't know what to say about this...very strange.

Thanks Ace and Meinolf for your responses to my questions! They were
much appreciated!

Sara
"Saral6978" wrote:
Ace -

Yes, I realize that DNS should be set to automatic, believe me, I
want to switch it back. Unfortunately, the server won't boot up if
it is set to automatic. Currently, it is still set to manual, and if
I happen to reboot the server, I then log in and start DNS Server
right away manually. It's not that I have DNS stopped altogether or
anything.

The security update reserves 2500 UDP ephemeral ports. The
ephemeral ports are the response ports anywhere between UDP 1025 and
UDP 2500. Sometimes this can cause problems with 3rd apps installed
that need these ports as well as the IPSec service.

I don't have much running on this DC, but I do have 3rd party tools,
like a SurfControl Agent, a SpecOpsPasswordPolicy agent running, both
which communicate with AD. I've looked at all the documentation that
you noted below about the ports last week. Thursday night I did
remove 3 updates that I suspected might be causing the issue and when
I removed them my server booted normally with DNS Server on
automatic. I then applied the 3 updates one at a time and after I
installed KB945553 (which is a DNS security update), my server got
stuck again on Preparing Network Connections. I then booted into
Safe Mode, switched DNS back to manual, then booted back into the
regular OS and uninstalled only that update and switched DNS back to
Auto, but unfortunately, the server still got stuck on reboot. I
removed those other 2 updates again, and it still wouldn't boot. So,
I'm not sure why it booted okay the first time after I removed all 3
updates (only difference was that I didn't remove them in the same
order that I did the first time).

Well, in any case, I'm going to do a reboot this morning to see what
happens with using a different DNS server as the primary and of
course, resetting my service back to Automatic before the reboot.

Sara

"Ace Fekay [MVP Direcrtory Services]" wrote:

"Saral6978" <Saral6978@discussions.microsoft.com> wrote in message
news:72CEBDBC-AE50-4510-A5EA-7D6A0319F8F0@microsoft.com...

Ace - thank you so much for your reply, I really appreciate it.

3 of the DCs, which includes the one I'm having issues with, are
running Windows 2003 R2, SP2, and the other 2 DCs are running
Windows 2003, SP2.

I am getting one error in the DNS Server log, but I have to confirm if
it's being generated during the reboot when DNS is set to automatic, or
if it's being logged because I have DNS Server set to manual. In any
case, it's Event ID 4015: The DNS server has encountered a critical
error from the Active Directory. Check that the Active Directory is
functioning properly. The event data contains the error.

I have been looking into this error and possible causes. My AD does
seem to be functioning correctly though, as there are no other errors
in my event log, and shortly after 4015 is logged, another event says
DNS has started and there are no other errors. I'm not sure if that's
when I manually turned it on or not. I will be doing a reboot Monday
and keep better track of when these errors/alerts are happening.

AD Sites and Services is set up properly and replication is running
seamlessly. I do have DNS set to point to itself first on all my DCs,
and then I pick another DC in another site as second. When I said
"secondary", I meant just the secondary DNS server, not a zone. I only
have the one zone with the one domain.

I would never have deleted the zone from DNS - my plan was to go into
Add/Remove Programs and uncheck DNS from the DC and uninstall it. So,
by what you said, I should be able to safely uninstall DNS from Windows
Components on the domain controller without hosing my current Active
Directory/AD Integrated Zone and affecting my other DCs? If I can do
this, it might be worth a shot to see if this would solve the problem.

But, before I do that, since I now have a 2nd DC at this particular
site, I will change my problem DC's 1st DNS server to the 2nd DC of
that site and see if I can get it to start. Someone had also mentioned
there are a few Windows updates that are specifically security updates
for DNS that can keep services from starting (using UDP ports) and
that you have to reserve a port, because there is a port that DNS or AD
might be using that it can't because this port is in use. Problem is, I
have no idea what ports to attempt to reserve to see if that is truly
the problem. DNS to my knowledge only uses TCP and UDP port 53. I'm
not sure about AD though, I haven't checked it.

Thanks, again!

Sara

Hi Sara,

Honestly I haven't heard of these problems until now. But a real
important point, is that you must keep the DNS service set to
automatic at all times. Otherwise leaving it to manual will cause
issues at startup because AD can't find itself if the first entry is
pointed to itself unless the DNS service is running. Otherwise, how
is it supposed to query a non-running DNS service?

As for uninstalling, yes, just uncheck the box. But I would leave
the service enabled and try it out.

The security update reserves 2500 UDP ephemeral ports. The ephemeral
ports are the response ports anywhere between UDP 1025 and UDP 2500.
Sometimes this can cause problems with 3rd party apps installed that need
these ports as well as the IPSec service. Otherwise, if you don't
have anything else installed, it shouldn't be a problem. The
following is more info on the security update and the ports being
used. But I don't think this is the cause of the problem.

---------------------------------
The DNS patch will reserve 2500 ephemeral UDP ports. When you run a
netstat -ab, it will display the 2500 UDP ports that have been
reserved, but not necessarily in use. This is part of the memory
consumption. I've noticed the following (your mileage may vary):
dns.exe       Before     After
Mem usage     9,758K     36,232K
Peak Mem      10,208K    36,584K
Paged Pool    71K        798K
NP Pool       17K        4,833K
Handles       238        5,217
Threads       20         20

MS08-037: Description of the security update for DNS in Windows
Server 2003, in Windows XP, and in Windows 2000 Server (client
side): July 8, 2008
http://support.microsoft.com/?id=951748

MS08-037: Vulnerabilities in DNS could allow spoofing
http://support.microsoft.com/default.aspx/kb/953230

How to reserve a range of ephemeral ports on a computer that is
running Windows Server 2003 or Windows 2000 Server
http://support.microsoft.com/kb/812873

You experience issues with UDP-dependent network services after you
install DNS Server service security update 953230 (MS08-037)
http://support.microsoft.com/default.aspx/kb/956188

Some Services May Fail to Start or May Not Work Properly After
Installing MS08-037 (951746 and 951748)
http://blogs.technet.com/sbs/archive/2008/07/17/some-services-may-fail-to-start-or-may-not-work-properly-after-installing-ms08-037-951746-and-951748.aspx

SBS Services failing after MS08-037 - KB951746 and 951748
http://msmvps.com/blogs/thenakedmvp/archive/2008/07/18/sbs-services-failing-after-ms08-037-kb951746-and-951748.aspx

--------------------------------------------

Ace
Ace Fekay [MVP Direcrtory
Guest

PostPosted: Mon Sep 22, 2008 8:18 pm    Post subject: Re: Can you remove DNS from Domain Controller and reinstall

"Saral6978" <Saral6978@discussions.microsoft.com> wrote in message
news:1316F612-CBA7-4165-AFDB-7C9B24FF54EE@microsoft.com...
Quote:
Thank you Meinolf - I did look at this link last Friday. I did look at
the (.) root zone part, but to me, they are suggesting I change my zone
type, and I'm not sure I am comfortable doing that when I'm not having
issues with my other DCs and their DNS server service, etc...

There is no harm with this procedure. None whatsoever. Believe me, done it a
thousand times, and I can say that because of numerous testing and as a
trainer in a classroom scenario, as well as in production environments.

Ace
Ace Fekay [MVP Direcrtory
Guest

PostPosted: Mon Sep 22, 2008 8:23 pm    Post subject: Re: Can you remove DNS from Domain Controller and reinstall

"Saral6978" <Saral6978@discussions.microsoft.com> wrote in message
news:0AF107B4-B142-4A5F-9B61-BDC06E44BF4C@microsoft.com...
Quote:
Well, this is kind of interesting...here is what I did. I installed all
needed critical updates, including all the DNS security updates I hadn't
yet applied, and the ones I removed, added my other DC as the secondary
DNS server on the NIC, changed the DNS Server service to automatic and
rebooted. My server rebooted very quickly and successfully! I then
removed that secondary DNS server and put in one from my remote site,
and then rebooted the server and it still worked!

So, I'm thinking that by installing ALL the necessary Windows updates
that it might have fixed my problem...I really don't know. I no longer
have the 4015 error, and no other errors pertaining to DNS or Active
Directory. Everything is running as it should.

I don't know what to say about this...very strange.

Thanks Ace and Meinolf for your responses to my questions! They were
much appreciated!

Sara

Same here, nice to hear it's taken care of. For the security updates to
cause this would indicate one of those apps is trying to use a UDP
ephemeral port in the reserved range and is causing a conflict. I'm
willing to bet that if those apps were moved off the DC (usually we
recommend no apps on a DC and let a DC be a DC), that it will work.
There are known issues with 3rd party apps that do not recognize the
port reservation and still pick a random port in that range, causing a
conflict.

For the time being if you want to leave the 3rd party apps on it, that is
fine. If you ever do move them off, be sure to install those updates.

Ace
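The conflict Ace describes in his two replies above (the MS08-037 update reserving a block of UDP ephemeral ports that show up in `netstat -ab`, and a third-party agent on the DC grabbing a port inside that block) can be checked from a saved netstat listing. The script below is an added example, not code from the thread or from Microsoft. It parses the text that `netstat -anob` prints on Windows Server 2003 and lists every UDP socket inside the reserved range that is owned by something other than dns.exe. The netstat text embedded in it is constructed to look like real output and is not a capture from Sara's server; the `agent.exe` image name stands in for any third-party agent, and the 1025-2500 bounds are the figures quoted in the post, not a value read from the box.

```python
"""Added example: find UDP sockets that a non-DNS process has bound inside
the ephemeral range that the MS08-037 DNS update reserves on a Windows
Server 2003 DC.  Not code from the thread or from Microsoft.

Usage on the DC (an elevated prompt is needed for -b):
    netstat -anob > C:\\netstat.txt
then:  python this_script.py C:\\netstat.txt   (script name is hypothetical)
"""
import re
import sys
from collections import namedtuple

Endpoint = namedtuple("Endpoint", "proto ip port pid image")

# Range quoted in Ace's post (assumption: the block actually reserved on a
# given box depends on its settings, so pass your own bounds to report()).
RESERVED_RANGE = (1025, 2500)

# One socket row of `netstat -ano` output; the state column exists only for TCP.
_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+"
    r"(?P<ip>\S+):(?P<port>\d+)\s+"
    r"\S+"                # foreign address ("*:*" for UDP)
    r"(?:\s+[A-Z_]+)?"    # TCP connection state, absent for UDP
    r"\s+(?P<pid>\d+)\s*$"
)
# With -b, netstat prints the owning image on the following line as " [name.exe]".
_IMAGE = re.compile(r"^\s*\[(?P<image>[^\]]+)\]\s*$")


def parse_netstat(text):
    """Parse `netstat -anob` text into Endpoint records (image may be None)."""
    endpoints = []
    pending = None          # last socket row still waiting for its image line
    for line in text.splitlines():
        row = _ROW.match(line)
        if row:
            if pending is not None:
                endpoints.append(pending)
            pending = Endpoint(row.group("proto"), row.group("ip"),
                               int(row.group("port")), int(row.group("pid")), None)
            continue
        img = _IMAGE.match(line)
        if img and pending is not None:
            endpoints.append(pending._replace(image=img.group("image")))
            pending = None
    if pending is not None:
        endpoints.append(pending)
    return endpoints


def reserved_range_conflicts(endpoints, low=RESERVED_RANGE[0],
                             high=RESERVED_RANGE[1], dns_image="dns.exe"):
    """UDP sockets inside [low, high] owned by anything other than dns.exe.

    These are the candidates for the conflict Ace describes: an application
    that ignores the reservation and binds a port the DNS service expects.
    """
    return [e for e in endpoints
            if e.proto == "UDP" and low <= e.port <= high
            and (e.image or "").lower() != dns_image]


def report(text, low=RESERVED_RANGE[0], high=RESERVED_RANGE[1]):
    """Summarise a listing: how many in-range UDP sockets dns.exe holds,
    and which other processes sit inside the range."""
    eps = parse_netstat(text)
    dns_held = [e for e in eps if e.proto == "UDP"
                and (e.image or "").lower() == "dns.exe" and low <= e.port <= high]
    return {"dns_udp_in_range": len(dns_held),
            "conflicts": reserved_range_conflicts(eps, low, high)}


# Constructed sample in the shape of `netstat -anob` on Windows Server 2003;
# not a real capture. "agent.exe" stands in for any third-party agent.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING       1420
 [dns.exe]
  UDP    0.0.0.0:53             *:*                                    1420
 [dns.exe]
  UDP    0.0.0.0:1025           *:*                                    1420
 [dns.exe]
  UDP    0.0.0.0:1026           *:*                                    1420
 [dns.exe]
  UDP    0.0.0.0:1027           *:*                                    2216
 [agent.exe]
  UDP    0.0.0.0:3456           *:*                                    2216
 [agent.exe]
  UDP    0.0.0.0:500            *:*                                    812
 [lsass.exe]
"""

if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NETSTAT
    result = report(source)
    print("dns.exe UDP sockets in reserved range:", result["dns_udp_in_range"])
    for e in result["conflicts"]:
        print("CONFLICT: %s pid %d holds UDP %d" % (e.image, e.pid, e.port))
```

Run it against the listing taken while DNS Server is already running (after a manual start, in Sara's case); a socket reported as a conflict is a process to move off the DC or to exclude from the range via the port reservation articles Ace linked. On the sample it reports two dns.exe sockets in range and one conflict, agent.exe on UDP 1027; the agent's UDP 3456 and lsass.exe's UDP 500 fall outside the range and are ignored.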