We have a client that has a Windows 2016 server for Active Directory and DNS; DHCP is being handled by the firewall.

Simple setup, only 1 DC here.

They have been having networking and internet issues. I verified Comcast is working; through my process I found out DNS was showing a red line like this:

Event Viewer says it's been like this for about 3 1/2 weeks. It gives this error 4015 repeatedly.

Event ID 4000:
The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

Event ID 4007
The DNS server was unable to open zone _msdcs.NA.local in the Active Directory from the application directory partition ForestDnsZones.NA.local. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

ActiveDirectory Event ID 1126
Active Directory Domain Services was unable to establish a connection with the global catalog.

How do I fix this?
Thanks in advance


Your firewall doesn’t have a DNS zone for your domain. Point the DNS of the DC to itself. Point all Windows domain devices to your DCs for DNS.


@kevinhsieh

The Meraki firewall DNS configs have the server IP address and also OpenDNS.

On the server, the DNS configs in the NIC are pointing to the server IP, and secondary to the OpenDNS IP.

Am I still missing something?

How do I get back into DNS on the server?


When AD is configured, it should be the ONLY DNS server that clients (including servers, printers etc.) use; the DC can use forwarders, but the client devices should only use the DC for DNS. Even if the firewall does have a pointer back to the DC, this is wrong.

DNS should not be mixed either; internal devices should use the DC and nothing else. Never mix internal DNS and external DNS, even on a firewall.

First let's confirm what the DC uses for its DNS. If there is only one DC, it should be 127.0.0.1 and nothing else. If it's any different, change it and give it 10 minutes.

Undo this; your DNS server should never have external DNS configured here. If it must be used, it needs to be as a forwarder.

Your DC should be set to 127.0.0.1 and nothing else, unless there is a second DC, the secondary DNS needs to be blank.

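The configuration described in the reply above (DC's NIC points only at itself, external resolvers live in the DNS Server forwarder list, nothing mixed), as an added PowerShell example that is not part of the thread. The DC address 192.168.1.10, the adapter alias "Ethernet" and the OpenDNS forwarder addresses are assumptions for illustration; substitute your own. Run it in an elevated PowerShell session on the DC itself.

```powershell
# Added example (not from the thread): audit and correct the DNS client and
# forwarder configuration on a single-DC domain.
# Assumptions (labelled): DC static IPv4 = 192.168.1.10, NIC alias = "Ethernet",
# external forwarders = OpenDNS (208.67.222.222 / 208.67.220.220).

$DcIp       = '192.168.1.10'                        # assumed DC address
$NicAlias   = 'Ethernet'                            # assumed adapter alias
$Forwarders = @('208.67.222.222', '208.67.220.220') # assumed external resolvers

# 1. What the DC's NIC currently uses for DNS. This is where the mix-up lives:
#    the thread has OpenDNS in the secondary slot of the NIC.
$current = (Get-DnsClientServerAddress -InterfaceAlias $NicAlias -AddressFamily IPv4).ServerAddresses
Write-Host "Current DNS client servers on ${NicAlias}: $($current -join ', ')"

# Anything that is not the DC itself (or loopback) is an external resolver in
# the wrong place (the NIC) instead of the right one (the forwarder list).
$bad = $current | Where-Object { $_ -notin @($DcIp, '127.0.0.1') }
if ($bad) {
    Write-Warning "External DNS on the NIC (wrong place): $($bad -join ', ')"
}

# 2. Point the DC at itself only: primary = own IP, no secondary on a single DC.
#    127.0.0.1 is also fine here; what matters is that nothing external remains.
Set-DnsClientServerAddress -InterfaceAlias $NicAlias -ServerAddresses $DcIp

# 3. External resolution belongs in the DNS Server forwarder list, not on the NIC.
$existing = @((Get-DnsServerForwarder).IPAddress.IPAddressToString)
foreach ($fwd in $Forwarders) {
    if ($fwd -notin $existing) {
        Add-DnsServerForwarder -IPAddress $fwd -PassThru | Out-Null
    }
}
Write-Host "Forwarders now: $(((Get-DnsServerForwarder).IPAddress.IPAddressToString) -join ', ')"

# 4. Restart DNS so it retries loading the AD-integrated zones, flush both
#    caches, and re-register the DC's own A and SRV records via Netlogon.
Restart-Service -Name DNS -Force
Clear-DnsClientCache
Clear-DnsServerCache -Force
Register-DnsClient
Restart-Service -Name Netlogon -Force

# 5. Verify from the DC that its own resolver answers for the domain and for
#    the global-catalog SRV record that event 1126 complains about.
$dns = $env:USERDNSDOMAIN
Resolve-DnsName -Name $dns -Type A -Server $DcIp
Resolve-DnsName -Name "_ldap._tcp.gc._msdcs.$dns" -Type SRV -Server $DcIp
```

If step 5 still fails after the DNS Server service restart, the zone itself is not loading (events 4000/4007), which is an AD DS problem rather than a client-side DNS setting; check the Directory Service log before changing anything else.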

Out of town at the moment but I will drop this here.

If you want the firewall to be the entry point for DNS to your network then the AD DNS forwarder would point at your firewall. Not the tcp/ip config on the server or clients. Clients only point at domain controllers.


How many DCs are there?

If an appliance is both the DHCP & DNS server, then that appliance's DNS server IPs in its IP address config would also follow like the DCs: primary & secondary DNS server IPs are the DCs', and the 3rd is 127.0.0.1.
On the DCs, the primary DNS server IP is the appliance, secondary is the other DC, and the 3rd is 127.0.0.1.

Then on the DC's DNS, create a DNS zone for your domain.

@PatrickFarrell

No, we just want DNS to run from the AD server like it's supposed to, and with the IP of the AD server in the primary DNS slot it should work and not have the red mark. We added the DNS in the firewall temporarily.

@Rod-IT

I changed the DNS, put it back to primary as the IP of the AD server and nothing in the secondary.

DNS still has the red mark. We added the firewall DNS after this happened.

I agree it should not be a mix and I want to get it back to just running on the AD. How do I do this? I put in the loopback IP, rebooted, waited 30 mins, still not working.

Put in the AD server IP, rebooted, waited, and DNS still won't pull up.

What is in the event log?

In the past 24 hours it's still the same DNS Event ID I posted above, 4000.

Thank you sir

With just the loopback IP configured for the DNS server on the AD server, check the status of the DNS Server service. Restart it if necessary and then check the logs.

@matt7863
OK, I did this. The DNS service is started, and on the server I restarted it with the loopback IP configured; it's still giving Event ID 4000 and 4007.

And the DNS comes up with the red line and I cannot get into it.

Any other thoughts?

Thanks

I’ll share an issue I had that may help point you in the direction (if anything seems familiar).

When I setup my AD + DNS, I originally used forwarders. But I also had IPv6 enabled.
I disabled IPv6 and removed the forwarders and I wasn’t getting any routing.

When I looked at the RootHints they were all IPv6.
I would change them according to Root Servers and then I got my routing back.
Once I rebooted though, they reverted back to IPv6.
What I neglected to do was “Clear Cache”, and “Update server data files” in the DNS.
After doing that it helped.

The primary DNS on my AD is 127.0.0.1 (as it should be) and secondary is blank, unless you have another DC point it to that.

NOTE: this is how I resolved my issue; I don't necessarily suggest changing things without a good understanding / backup + restore process.


Are you running MMC on the server or from a remote device?

From a client

netdom query fsmo

nslookup clientsdomain.domain.com

What do these show?
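The checks requested above (FSMO holders, DNS service state, the event IDs quoted earlier, and a name lookup against the DC), gathered in one pass on the DC so the results can be pasted back into the thread. This is an added PowerShell example, not something posted in the thread; it assumes an elevated session on the only DC with the ActiveDirectory and DnsServer modules present (they ship with the installed roles).

```powershell
# Added example (not from the thread): one-pass triage on a single DC.
# Assumption: run elevated on the DC; ActiveDirectory + DnsServer modules installed.
# If Get-ADDomain itself fails, that is already the finding: AD DS is not
# answering locally, which is what DNS events 4000/4007 and AD event 1126 report.
Import-Module ActiveDirectory -ErrorAction Stop

$domain = Get-ADDomain
$forest = Get-ADForest
Write-Host "Domain: $($domain.DNSRoot)  Forest: $($forest.Name)"

# 1. FSMO roles (same data as 'netdom query fsmo'). With one DC, all five
#    should name this host.
$fsmo = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$fsmo.GetEnumerator() | ForEach-Object { Write-Host ("{0,-22} {1}" -f $_.Key, $_.Value) }
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
Write-Host "DCs registered in AD: $($dcs -join ', ')"
$thisHost = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$elsewhere = $fsmo.Values | Where-Object { $_ -ne $thisHost }
if ($elsewhere) { Write-Warning "FSMO roles held by another host: $($elsewhere -join ', ')" }

# 2. Service state, and what this DC's own NIC uses for DNS.
Get-Service -Name DNS, NTDS, Netlogon, Kdc | Format-Table Name, Status -AutoSize
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 3. The three event IDs quoted in the thread, from the last 24 hours.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 4000, 4007; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } } |
    Format-Table -AutoSize
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1126; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id | Format-Table -AutoSize

# 4. Does the DC's own resolver answer for the domain (the nslookup asked for
#    above) and for the global-catalog SRV record that event 1126 needs?
$dns = $domain.DNSRoot
$queries = @(
    @{ Name = $dns;                           Type = 'A'   }
    @{ Name = "_ldap._tcp.gc._msdcs.$dns";    Type = 'SRV' }
)
foreach ($q in $queries) {
    try {
        $r = @(Resolve-DnsName -Name $q.Name -Type $q.Type -Server 127.0.0.1 -ErrorAction Stop)
        Write-Host "OK   $($q.Type) $($q.Name) ($($r.Count) record(s))"
    } catch {
        Write-Warning "FAIL $($q.Type) $($q.Name): $($_.Exception.Message)"
    }
}

# 5. The built-in DNS test spells out why an AD-integrated zone will not load.
dcdiag /test:DNS /DnsBasic /v
```

The SRV lookup in step 4 is the one that matters for the "unable to establish a connection with the global catalog" event: if the A record resolves but the `_ldap._tcp.gc._msdcs` record does not, the zone that holds it (`_msdcs.<domain>` in ForestDnsZones, the one named in event 4007) is not loaded.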

@fallen-it Thank you for the info. I want to do and check all this but cannot get into DNS; it's got the red line.

Any hints on getting that going so I can then do your steps?

I am on the server.

I will get on a client and run the cmds and post back…

Is the DNS service running? Or try restarting the DNS service on the DCs?


The DNS service is running, but not the DNS part, like in the pictures above.


Hopefully the netdom command will confirm that this is the only DC and that it holds the FSMO roles.
If so, then you can follow this Microsoft article to resolve the DNS issue: