Hello
Thank you for posting in Microsoft Community.
It sounds like you're dealing with several serious issues regarding your Active Directory and DNS setup on the server. Let’s try to break it down and troubleshoot step by step. Here are some potential causes and solutions to try:
- Active Directory and DNS Issues
DNS Access Denied: When you say the DNS service is running but you're getting "Access Denied" in the DNS console, it's likely a permissions issue with the account you're using to manage DNS.
Solution: Ensure that your account has the necessary permissions. If you're logged in as an Administrator, you should have the required rights. You might need to ensure that the DCOM and RPC services are running, as they are needed for access to DNS and other administrative tools.
Transaction Error (Group Policy not applying): This could be a result of the AD replication issue or corruption in the SYSVOL. A typical cause of this could be a broken trust between the domain controllers or replication failure.
Solution: Try running the following command to check the health of AD replication:
repadmin /replsummary
This will tell you if there are any issues with replication between your domain controllers. You can also use dcdiag for more detailed diagnostics.
dcdiag /v
- Netdom Resetpwd Internal Error
The netdom resetpwd command is used to reset the secure channel between the domain controller and the domain. If it’s throwing an “internal error,” it’s possible that your server is having trouble contacting the other domain controllers in the domain, likely due to replication issues or network connectivity problems.
Solution: Verify network connectivity between the domain controllers and check for any firewalls blocking communication (e.g., port 389 for LDAP, 88 for Kerberos, etc.).
If the issue persists, manually reset the secure channel with this command:
nltest /sc_reset:<DomainName>\<DCName>
- FSMO Role Confusion
FSMO Role Master Issue: You mentioned that FSMO roles appear to be conflicting between the corrupt DC and the secondary DC. It seems like replication issues are causing some confusion regarding which server is the FSMO role holder.
Solution: First, confirm the FSMO role holders with:
netdom query fsmo
You can use ntdsutil to transfer FSMO roles if needed. On the healthy domain controller (secondary DC), run:
ntdsutil
roles
connections
connect to server <SecondaryDCName>
quit
transfer <FSMORoleName>
You can transfer the FSMO roles (like Schema Master, Domain Naming Master, PDC Emulator, etc.) to the working DC.
- Active Directory Administrative Center – Unknown Error
The "Unknown Error" in Active Directory Administrative Center could indicate a corruption or misconfiguration in AD. Since you’ve already noticed the issues with DNS, I would suggest verifying the overall health of your AD database.
Solution: Try running ntdsutil to check the integrity of the AD database:
ntdsutil
activate instance ntds
files
integrity
If any issues are found, you might need to perform an authoritative restore or attempt a repair of your AD database.
- General Troubleshooting Steps
Check DNS Health: Since your DNS is integrated with AD, it's critical to verify that both DNS and AD are functioning properly. Run the following:
nslookup <yourDCName>
Make sure that DNS can resolve the names correctly and there are no issues with the forwarders or the DNS zones.
Event Logs: Review the Event Viewer for any specific errors related to Active Directory, DNS, or Group Policy. Focus on the logs under:
Applications and Services Logs -> Microsoft -> Windows -> GroupPolicy
Applications and Services Logs -> Microsoft -> Windows -> DNS
Windows Logs -> System
Windows Logs -> Directory Service
- Additional Tools
Repadmin: Check the status of replication and any pending changes.
repadmin /showrepl
Dcdiag: Run a full diagnostic check on your domain controller.
dcdiag /v
I hope the above information is helpful to you.
Best regards
Runjie Zhai
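The checks in the answer above (service state, replication, FSMO holders, secure channel, DNS, event logs, dcdiag) can be collected in one read-only sweep so the output from each DC can be compared side by side. The following script is an added example and is not part of the original answer or any Microsoft tooling; it assumes the RSAT ActiveDirectory module is installed, that it runs elevated on a domain-joined machine, and that $DcName is a placeholder for the DC being examined. It deliberately does not reset anything: no Test-ComputerSecureChannel -Repair, no netdom resetpwd, no FSMO transfer.

```powershell
# Added example (not from the original answer): read-only AD/DNS health sweep.
# Assumes RSAT ActiveDirectory module, elevated PowerShell on a domain-joined host.
param(
    [string]$DcName = $env:COMPUTERNAME,   # placeholder: DC under investigation
    [int]$EventHours = 24                  # how far back to pull error events
)

Import-Module ActiveDirectory -ErrorAction Stop
$report = [ordered]@{}

# 1. Services the DNS console and other admin tools depend on (RPC/DCOM, NTDS, Netlogon, KDC).
$report.Services = Get-Service -Name DNS, RpcSs, RpcEptMapper, NTDS, Netlogon, Kdc, DFSR `
    -ErrorAction SilentlyContinue | Select-Object Name, Status

# 2. Replication: native summary plus per-partner failure records.
$report.ReplSummary  = repadmin /replsummary 2>&1
$report.ReplFailures = Get-ADReplicationFailure -Target $DcName -ErrorAction SilentlyContinue |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime

# 3. FSMO role holders as this DC sees them. Run against each DC and compare;
#    differing answers are the "confusion" described in the thread.
$domain = Get-ADDomain -Server $DcName
$forest = Get-ADForest -Server $DcName
$report.Fsmo = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# 4. Secure channel test only; -Repair is intentionally not used here.
$report.SecureChannel = Test-ComputerSecureChannel

# 5. DNS: the DC's A record and the SRV record clients use to locate DCs.
$report.DnsA   = Resolve-DnsName -Name $DcName -Type A -ErrorAction SilentlyContinue |
    Select-Object Name, IPAddress
$report.DnsSrv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -Type SRV `
    -ErrorAction SilentlyContinue | Select-Object NameTarget, Port

# 6. Critical/Error events from the logs the answer points to.
$report.Events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service', 'DNS Server', 'System',
                    'Microsoft-Windows-GroupPolicy/Operational'
        Level     = 1, 2                                  # Critical, Error
        StartTime = (Get-Date).AddHours(-$EventHours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, Id, ProviderName, Message

# 7. dcdiag in quiet mode so only failing tests are printed.
$report.DcDiag = dcdiag /s:$DcName /q 2>&1

# Print each section; interpretation and any repair are left to the admin.
foreach ($section in $report.Keys) {
    Write-Host "==== $section ====" -ForegroundColor Cyan
    $report[$section] | Out-String | Write-Host
}
```

Run it once per domain controller (for example .\Get-AdHealth.ps1 -DcName DC01) and diff the Fsmo and ReplFailures sections between the corrupt and the healthy DC before deciding whether a role transfer or seizure is warranted.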