RSprott-2480 asked DaisyZhou-MSFT commented

DNS Event ID 4010 on child domain

I have a parent child domain setup. We tried to do an Exchange schema update last night and were seeing some possible issues with AD. After some reboots of all the data center DCs, the event logs for both domains appear clear and the logs state all issues have been cleared, but I noticed DNS Event ID 4010 on both our parent DCs pointing to the record for the child domain:

The DNS server was unable to create a resource record for 997a6da4-64bb-4a34-a65d-6766a2d1834a._msdcs.na.int-bn.com. in zone int-bn.com. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.

I found a previous post stating to: Stop the netlogon service. Go to Windows\system32\config and rename the netlogon.dns and netlogon.dnb files to netlogon.dns_old and netlogon.dnb-old. From a command prompt type "ipconfig /flushdns", then run "ipconfig /registerdns", and then start netlogon again and check the event log to see if the error reoccurs.

But their issue, it appears, was for the primary domain and I'm curious if I should try the same steps for my issue. Any help would be appreciated. I can't apply the Exchange patch until this is resolved.

windows-active-directory, windows-server-2016, windows-dhcp-dns

Hello @RSprott-2480,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

0 Votes 0 ·

Hello @RSprott-2480,
I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
Thanks for your time and have a nice day!

Best Regards,
Daisy Zhou

0 Votes 0 ·

I thought I found the issue with an old DC still listed as a name server in DNS properties but after removing that I'm still getting the error.
I cannot find that record 997a6da4-64bb-4a34-a65d-6766a2d1834a anywhere in the areas you've pointed me to look.

0 Votes 0 ·

Hello @RSprott-2480,

Thank you for your update.

Please try to check it on all DCs in parent domain and all child domains.

Should you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou

0 Votes 0 ·
DaisyZhou-MSFT answered RSprott-2480 commented

Hello @RSprott-2480,

Thank you for posting here.

Based on the description above, I understand you have one root domain and one child domain.

We can check as below:

1. You can check how many DCs there are in both the root domain and the child domain by running the commands nltest /dclist:root.domain and nltest /dclist:child.domain.

2. On all DCs, if there are only several DCs in the entire AD forest, we can check if there is the entry "997a6da4-64bb-4a34-a65d-6766a2d1834a._msdcs.na.int-bn.com" on all DCs one by one.

For example:

76067-domain1.png

76108-domain2.png

3. Check whether the DC with the GUID 997a6da4-64bb-4a34-a65d-6766a2d1834a actually exists or not. I mean, maybe we have removed it but not cleared it completely.


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.



Best Regards,
Daisy Zhou




Thanks for this information...
I looked at every DC in my environment and cannot find that GUID listed in the _msdcs.int-bn.com forward lookup zone.

0 Votes 0 ·
DaisyZhou-MSFT answered DaisyZhou-MSFT commented

Hello @hudsonhery-6063,

Thank you for your update.

Do you know the DC name corresponding to the GUID 997a6da4-64bb-4a34-a65d-6766a2d1834a?

We can check as below:

repadmin /showrepl * >C:\repl.txt

Then check the information below.
76663-d1.png

For example:
Default-First-Site-Name\VCHZHO720VM via RPC
DSA object GUID: 42b23c41-9479-4d72-8667-5332444adacd

DC name:VCHZHO720VM
GUID: 42b23c41-9479-4d72-8667-5332444adacd
Site:Default-First-Site-Name


Best Regards,
Daisy Zhou




I ran showrepl * on the root dc and then searched for the string and it does not show up anywhere in the file.

Thanks for your assistance.

0 Votes 0 ·

Hello @hudsonhery-6063,

Thank you for your update.

So the DC corresponding to the GUID 997a6da4-64bb-4a34-a65d-6766a2d1834a does not exist in your AD domain now.

Maybe the DC corresponding to the GUID 997a6da4-64bb-4a34-a65d-6766a2d1834a used to be in your domain and has been removed now, is that right?

Or do you know the DC name corresponding to the GUID 997a6da4-64bb-4a34-a65d-6766a2d1834a?

Check the Preferred DNS servers of all DCs: do they point to the IP address of the machine corresponding to the GUID 997a6da4-64bb-4a34-a65d-6766a2d1834a?


Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

0 Votes 0 ·
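
The checks suggested in the answers above (map the DSA object GUID to a DC from the saved repadmin output, confirm whether a DC with that GUID still exists, and look for the record the event names) combined into one PowerShell script. This is an added example, not code from the thread or from Microsoft; the -Server parameter and the variable names are assumptions, and the search for dnsNode objects in the directory goes one step beyond the DNS console check described in the answers.

```powershell
# Added example, not from the thread. Needs the RSAT ActiveDirectory module.
param(
    [string]$Guid     = '997a6da4-64bb-4a34-a65d-6766a2d1834a',  # GUID named in Event ID 4010
    [string]$ReplFile = 'C:\repl.txt',   # saved by: repadmin /showrepl * >C:\repl.txt
    [string]$Server                      # optional: DC to query (assumed parameter)
)
Import-Module ActiveDirectory
$srv = @{}
if ($Server) { $srv.Server = $Server }

# 1. Map "DSA object GUID" -> "Site\DC" from the saved repadmin output.
$map = @{}
$current = $null
foreach ($line in Get-Content -Path $ReplFile) {
    if ($line -match '^\s*(?<site>[^\\\s]+)\\(?<dc>\S+?)(\s+via RPC)?\s*$') {
        $current = '{0}\{1}' -f $Matches.site, $Matches.dc
    }
    elseif ($current -and $line -match '^\s*DSA object GUID:\s*(?<guid>[0-9a-f-]{36})') {
        $map[$Matches.guid.ToLower()] = $current
    }
}
$fromRepl = $map[$Guid.ToLower()]        # $null when the GUID is not in the file

# 2. Look for an NTDS Settings (nTDSDSA) object carrying that objectGUID.
$rootDse = Get-ADRootDSE @srv
$dsa = Get-ADObject @srv -SearchBase "CN=Sites,$($rootDse.configurationNamingContext)" `
           -LDAPFilter '(objectClass=nTDSDSA)' |
       Where-Object { $_.ObjectGUID -eq [guid]$Guid }

# 3. Look for AD-stored DNS records (dnsNode) whose name contains the GUID, in every
#    naming context this DC holds (this includes the DNS application partitions).
$nodes = @(foreach ($nc in $rootDse.namingContexts) {
    Get-ADObject @srv -SearchBase $nc -LDAPFilter "(&(objectClass=dnsNode)(name=*$Guid*))" `
        -Properties whenChanged -ErrorAction SilentlyContinue
})

# Summary object first, then any matching dnsNode objects.
[pscustomobject]@{
    Guid           = $Guid
    RepadminOwner  = if ($fromRepl) { $fromRepl } else { 'not in repl.txt' }
    NtdsSettingsDN = if ($dsa) { $dsa.DistinguishedName } else { 'no nTDSDSA object' }
    DnsNodeCount   = $nodes.Count
}
$nodes | Select-Object DistinguishedName, whenChanged
```

Run it once against a DC in the parent domain and once against a DC in the child domain, since each DC only holds its own domain's DNS partition.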