Warning 4013: Microsoft Windows DNS Server service

  • Question

  • Good day, colleagues.

    I still haven't found a clear-cut answer on how to solve the problem with this error.

    Предупреждение : 4013
    «DNS-сервер ожидает от доменных служб Active Directory (AD DS) сигнала о том, что первичная синхронизация каталога завершена. Службу DNS-сервера невозможно запустить до завершения первичной синхронизации, так как критические данные DNS могут быть еще не реплицированными
    на этот контроллер домена. Если журнал событий AD DS показывает, что имеются проблемы с разрешением DNS-имен в адреса, рассмотрите возможность добавления IP-адреса другого DNS-сервера для этого домена в список DNS-серверов в свойствах протокола IP этого компьютера.
    Такое событие будет записываться в журнал каждые две минуты, пока служба AD DS не сообщит об успешном завершении первичной синхронизации.»

    In general, I use 2 DNS servers and have no problems. One points to the other and vice versa.

    But today the power was cut for 2 hours. Naturally, all the servers had to be shut down.

    When the power came back, I switched on the domain controller first. And that's when it started. For 2 hours the DNS service could not initialize and kept writing this error to the log.

    • Edited November 21, 2012, 5:49

Answers

  • If DNS is working now and there are no replication problems, then what is the question? Why did the initial AD synchronization take so long? Answer: because there were no working DNS servers on the network. If all of your DNS servers are on domain controllers only, then this situation is normal for such a structure. Solution: set up a third DNS server on the network that will be a secondary DNS for the AD zones and will store those zones in files rather than in AD. Alternative solution: never shut down ALL the domain controllers.


    Сергей Панченко

    • Marked as answer by Vinokurov Yuriy, November 26, 2012, 13:03

  • Unfortunately, this is normal behavior: on FSMO role holders in a multi-server configuration, when the other DCs are unavailable, AD starts slowly because of the initial synchronization requirement (http://support.microsoft.com/kb/305476).
    And the initial synchronization turns out to be impossible because DNS is unavailable.

    Initial synchronization can be disabled in the registry (http://support.microsoft.com/kb/2001093), but this can lead to AD corruption if a domain controller that used to hold FSMO roles which were forcibly seized from it is returned to the network.

    As far as I understand (I have not tested this), having a DC that holds none of the FSMO roles and is a DNS server can help resolve the situation: it should not have such startup delays.


    Glory to Russia!

    • Edited by M.V.V. _, November 21, 2012, 9:29
    • Marked as answer by Vinokurov Yuriy, November 26, 2012, 13:03

Are you stuck with DNS Event ID 4013? We can help you.

At Bobcares, we offer solutions for every query, big and small, as a part of our Server Management Service.

Let’s take a look at how our Support Team resolves this error.

How to resolve DNS Event ID 4013?

Usually, the following DNS Event ID 4013 is logged in the DNS event log of domain controllers that host the DNS server role after Windows starts:

Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 4013
Date: Date
Time: Time
User: N/A
Computer: ComputerName
Description:
The DNS server was unable to open the Active Directory. This DNS server is configured to use directory service information and can not operate without access to the directory. The DNS server will wait for the directory to start. If the DNS server is started but the appropriate event has not been logged, then the DNS server is still waiting for the directory to start.

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Data:
0000: <%status code%>

Mostly, this issue occurs under the following conditions:

  • slow Windows startup
  • the logging of DNS event 4013 on DNS servers that are configured to host AD-integrated zones, which implicitly reside on computers acting as domain controllers.

Some Microsoft and external content has recommended setting the registry value Repl Perform Initial Synchronizations to 0 to bypass initial synchronization requirements in Active Directory.

The specific registry subkey and the values for that setting are as follows:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Value name: Repl Perform Initial Synchronizations
Value type: REG_DWORD
Value data: 0

This configuration change isn’t recommended for use in production environments, or in any environment on an ongoing basis.

Repl Perform Initial Synchronizations should be used only in critical situations to resolve temporary and specific problems.

How to resolve it?

Today, let us see the steps followed by our Support Techs to resolve it.

The default setting should be restored after such problems are resolved.

Other feasible options include:

  • Firstly, remove references to stale domain controllers.
  • Then, make offline or non-functioning domain controllers operational.
  • Domain controllers hosting AD-integrated DNS zones shouldn’t point to a single domain controller, and especially not only to themselves, as preferred DNS for name resolution.
  • DNS name registration and name resolution for domain controllers is a relatively lightweight operation that’s highly cached by DNS clients and servers.
  • Configuring domain controllers to point to a single DNS server’s IP address, including the 127.0.0.1 loopback address, represents a single point of failure.

This setting is tolerable in a forest with only one domain controller, but not in forests with multiple domain controllers.

Hub-site domain controllers should point to DNS servers in the same site as them for preferred and alternate DNS server, and then finally to themselves as another alternate DNS server.

Branch site domain controllers should configure the preferred DNS server IP address to point to a hub-site DNS server, the alternate DNS server IP address to point to an in-site DNS server or one in the closest available site, and finally to themselves using the 127.0.0.1 loopback address or current static IP address.

Dynamic domain controller SRV and host A and AAAA record registrations may not make it off-box if the registering domain controller in a branch site is unable to outbound replicate.

Member computers and servers should continue to point to site-optimal DNS servers as preferred DNS. They may also point to off-site DNS servers for additional fault tolerance.

Your ultimate goal is to prevent everything from causing a denial of service while balancing costs, risks, and network utilization, such as:

    • replication latency and replication failures
    • hardware failures, software failures
    • operational practices
    • short and long-term power outages
    • fire, theft, flood, and earthquakes
    • terrorist events

  • Then, make sure that destination domain controllers can resolve source domain controllers using DNS (for example, avoid fallback).
    Domain controllers should point to DNS servers that:
    • Are available at Windows startup.
    • Host, forward, or delegate the _msdcs.<forest root domain> and primary DNS suffix zones for current and potential source domain controllers.
    • Can resolve the current CNAME GUID records (for example, dded5a29-fc25-4fd8-aa98-7f472fc6f09b._msdcs.contoso.com) and host records of current and potential source domain controllers.
  • Optimize domain controllers for name resolution fallback. The inability to configure DNS properly so that domain controllers could resolve the domain controller CNAME GUID records to host records in DNS was common.
  • To ensure end-to-end replication of Active Directory partitions, Windows Server 2003 SP1 and later domain controllers were modified to perform name resolution fallback:
    • from domain controller CNAME GUID to fully qualified hostname.
    • Then, from fully qualified hostname to NetBIOS computer name.

    The NTDS replication Event IDs 2087 and 2088 in the Directory Service event logs indicate that:

    • a destination domain controller couldn’t resolve the domain controller CNAME GUID record to a host record.
    • Then, name resolution fallback is occurring.

    WINS, HOST files, and LMHOST files can all be configured.

  • Change the startup value for the DNS server service to manual if booting into a known bad configuration. If booting a domain controller in a known bad configuration that’s discussed in this article, follow these steps:
    1. Firstly, set the DNS Server service startup value to manual.
    2. Reboot, wait for the domain controller to advertise.
    3. Finally, restart the DNS Server service.

    If the service startup value for DNS Server service is set to manual, Active Directory doesn’t wait for the DNS Server service to start.
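The checks described in this article, gathered into one read-only audit to run on a domain controller. This is an added example, not Bobcares' or Microsoft's code; it assumes Windows PowerShell 5.1, the built-in DnsClient and NetTCPIP cmdlets, and the default 'DNS Server' and 'Directory Service' event log names.

```powershell
# Added example: read-only audit of the settings this article discusses. Run elevated on a DC.
$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Is the initial-synchronization bypass still in place? (value absent = default behaviour)
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$name = 'Repl Perform Initial Synchronizations'
$prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if ($prop -and $prop.$name -eq 0) {
    $findings.Add("'$name' = 0: bypass is active; restore the default once the problem is resolved")
}

# 2. DNS client list per interface: one server, or only this host, is a single point of failure.
$self = @('127.0.0.1') + @(Get-NetIPAddress -AddressFamily IPv4 | Select-Object -ExpandProperty IPAddress)
foreach ($nic in Get-DnsClientServerAddress -AddressFamily IPv4) {
    $servers = @($nic.ServerAddresses)
    if ($servers.Count -eq 0 -or $nic.InterfaceAlias -like 'Loopback*') { continue }
    $others = @($servers | Where-Object { $self -notcontains $_ })
    if ($servers.Count -eq 1) {
        $findings.Add("$($nic.InterfaceAlias): only one DNS server configured ($($servers[0]))")
    }
    if ($others.Count -eq 0) {
        $findings.Add("$($nic.InterfaceAlias): DNS list points only at this machine")
    } elseif ($self -contains $servers[0]) {
        $findings.Add("$($nic.InterfaceAlias): preferred DNS is this machine; list it last")
    }
}

# 3. Startup type of the DNS Server service (Manual is the temporary workaround from the steps).
$svc = Get-Service -Name DNS -ErrorAction SilentlyContinue
if ($svc -and $svc.StartType -eq 'Manual') {
    $findings.Add('DNS Server service is set to Manual: it will not start by itself after a reboot')
}

# 4. Event 4013 repeats every two minutes while DNS waits, so the count approximates the delay.
$since = (Get-Date).AddDays(-1)
$wait  = @(Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 4013; StartTime = $since } -ErrorAction SilentlyContinue)
if ($wait.Count -gt 0) {
    $findings.Add("Event 4013 logged $($wait.Count) times in 24 h (about $($wait.Count * 2) minutes of waiting)")
}
# Events 2087/2088 mean a source DC's CNAME GUID record did not resolve and fallback occurred.
$fb = @(Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2087, 2088; StartTime = $since } -ErrorAction SilentlyContinue)
if ($fb.Count -gt 0) {
    $findings.Add("Events 2087/2088 logged $($fb.Count) times in 24 h: name resolution fallback in use")
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```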


Conclusion

In brief, our skilled Support Engineers at Bobcares demonstrated how to resolve DNS Event ID 4013.

Sys-Admin Forum


Hi all

I need some major help. I have received the following error on my DNS. People on my network take ages to browse or connect as a result of this.

The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

The AD and the DNS are integrated under one DC and this is a single point of failure setup and I want to get out of this. This error is like a deadlock and I do not know how to get the deadlock out. Please find the attached setup on the server.


I have also done a dx diag and am attaching it as it's just too huge.

Can I create another DNS zone within the same DC to try to get AD to sync with the DNS, then I set up a separate DNS on a member server on the domain?

What would happen if I reset the entire DNS again by removing the role and redoing it again?

I have a member server that I have only added DNS to but still I can't get them to work.

Please, I am a newbie to this though I understand the concept. As a result I am having very many errors.


We have an issue that only occurs after we reboot our secondary DC and DNS server/DHCP server. It is a 2008r2 x64 server, DC and DNS/DHCP server. Our main DC is 2003.

Event ID 4013:

“The DNS server is waiting for Active Directory Domain
Services (AD DS) to signal that the initial synchronization of the
directory has been completed. The DNS server service cannot start
until the initial synchronization is complete because critical DNS
data might not yet be replicated onto this domain controller. If
events in the AD DS event log indicate that there is a problem with
DNS name resolution, consider adding the IP address of another DNS
server for this domain to the DNS server list in the Internet Protocol
properties of this computer. This event will be logged every two
minutes until AD DS has signaled that the initial synchronization has
successfully completed.”

I found this solution:

  1. Log onto the First Domain Controller
  2. Open Regedit
  3. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
  4. Right-click Parameters, click New, and then click DWORD Value.
  5. Type “Allow Replication With Divergent and Corrupt Partner” and press enter.
  6. Open the entry and in the Value Data box type 0
  7. Reboot First DC wait for it to come back online and then repeat the above steps on the Second DC.

It doesn’t really apply to us, since after about 15 seconds, it syncs up. My question is this: what would happen once we decommission our main DC and make our secondary DC our main DC? Since the warning does not occur after the reboot (like I said, it actually syncs up after about 15 seconds), should I even be concerned about it now?

Thanks!

asked Jul 11, 2012 at 22:06 by George

Since your DNS is almost certainly AD-integrated for you to be getting that error, it (DNS) will wait until AD DS has completed a synchronization. If you were to decommission the other server, as long as it was done properly, this DC would consider itself to be synchronized since it had no partners.

The registry fix you mentioned would get you around that check, but another option (assuming your other DC was gone) is to transfer all the FSMO roles to this DC. I have had to do this in a virtual lab before when restoring only a single secondary DC. By seizing all the FSMO roles, I was able to get DNS up and running.

answered Jul 12, 2012 at 17:16 by Paul Kroon
