Hi All,
I have a forest with only one domain with 3 DCs which are all Windows Server 2008 R2 Std Full Install.
Previously, this domain had 2 DCs with Windows Server 2003 R2 Std. We added the new DCs with Win 2008 and removed the DCs with Win 2003.
All seemed to be working fine, but I encountered a problem with our DNS.
The DNS zone of our domain is AD integrated with a scope of All DC in the domain.
I can delete a record, modify a record, create a sub-domain or delete a sub-domain. I cannot create a new DNS record. When I try to do so, I have an error saying: The host record myhost.mydomain.qc.ca cannot be created. Refused.
I also have an error logged in the DNS Event Log:
Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4015
Date: 6/4/2010
Time: 2:05:16 PM
User: N/A
Computer: myDC.mydomain.qc.ca
Description:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "0000051B: AtrErr: DSID-030F1F8D, #1:
0: 0000051B: DSID-030F1F8D, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)". The event data contains the error.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 13 00 00 00 ....
I have the same problem on all of my DCs. I have the same problem if I try to create it directly on my server or from my admin workstation. DNSCMD gives me the same error.
If I set the Dynamic updates on my DNS zone at "nonsecure and secure" instead of "Secure only", it works.
If I try to change the replication scope to All DNS servers in forest or All DNS servers in domain, I have an error:
The replication scope could not be set. For more information, see "DNS zone replication in Active Directory" in Help and Support. The error was : There was a server failure.
I searched on the web and found two things:
- Someone rebooted the server and it was ok. Didn't work for me.
- Verify Administrators group has the right Manage auditing and security log through Default Domain Controllers Policy. It is set correctly. I verified with RSOP.
At this point, I don't have a clue, any help would be appreciated.
Thank you,
Dominic Cadorette