Troubleshoot DNS Event ID 4013 - Windows Server (2023)

This article resolves the event ID 4013 logged in the DNS event log of domain controllers that are hosting the DNS server role after Windows starts.

Applies to: Windows Server 2012 R2
Original KB number: 2001093

Symptoms

  • On a Windows-based computer that's hosting an Active Directory domain controller and the DNS Server role, the DNS server stops responding for 15 to 25 minutes. This issue occurs after the Preparing network connections message is displayed, and before the Windows logon prompt (Ctrl+Alt+Del) is displayed.

  • The following DNS Event ID 4013 is logged in the DNS event log of domain controllers that are hosting the DNS server role after Windows starts:

    Event Type: Warning
    Event Source: DNS
    Event Category: None
    Event ID: 4013
    Date: Date
    Time: Time
    User: N/A
    Computer: ComputerName
    Description: The DNS server was unable to open the Active Directory. This DNS server is configured to use directory service information and can not operate without access to the directory. The DNS server will wait for the directory to start. If the DNS server is started but the appropriate event has not been logged, then the DNS server is still waiting for the directory to start. For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
    Data: 0000: <%status code%>

    In this log entry, the <%status code%> value may not be logged at all. When it is, it includes but isn't limited to the following values:

    Hex       Bytes         Decimal  Symbolic                        Error string
    000025f5  f5 25 00 00   9717     DNS_ERROR_DS_UNAVAILABLE        The directory service is unavailable
    0000232d  2d 23 00 00   9005     DNS_ERROR_RCODE_REFUSED         DNS operation refused.
    0000232a  2a 23 00 00   9002     DNS_ERROR_RCODE_SERVER_FAILURE  DNS server failure.
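
    The following script is an added example and is not part of the original article. It pulls recent Event ID 4013 entries from the DNS Server log of a domain controller and decodes the little-endian status code carried in the event's binary data against the table above. It assumes an elevated PowerShell session with rights to read the remote log; the function and variable names are illustrative.

```powershell
# Added example, not from the KB article: read DNS Event ID 4013 entries and decode
# the status code in the event data (the "Data: 0000:" bytes) using the table above.

$StatusNames = @{
    9717 = 'DNS_ERROR_DS_UNAVAILABLE (The directory service is unavailable)'
    9005 = 'DNS_ERROR_RCODE_REFUSED (DNS operation refused)'
    9002 = 'DNS_ERROR_RCODE_SERVER_FAILURE (DNS server failure)'
}

function Get-Dns4013Event {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 20
    )
    $filter = @{ LogName = 'DNS Server'; Id = 4013 }
    # Get-WinEvent raises a terminating error when the log has no matching events;
    # returning nothing in that case is the desired behaviour here.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $bin  = $xml.Event.EventData.Binary          # hex string, e.g. "F5250000"; may be absent
            $code = $null
            if ($bin -and $bin.Length -ge 8) {
                # First four bytes, little-endian: "f5 25 00 00" -> 0x000025f5 -> 9717
                $bytes = [byte[]]((0..3) | ForEach-Object { [Convert]::ToByte($bin.Substring($_ * 2, 2), 16) })
                $code  = [BitConverter]::ToInt32($bytes, 0)
            }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Computer    = $_.MachineName
                StatusCode  = $code
                Meaning     = if ($code -and $StatusNames.ContainsKey($code)) { $StatusNames[$code] }
                              elseif ($code) { "unlisted status code 0x{0:x8}" -f $code }
                              else { 'status code not logged' }
            }
        }
}

Get-Dns4013Event | Format-Table -AutoSize
```

    A status code of 9717 together with a long gap before the next DNS Server event is the signature of the startup delay described in this article; 9005 and 9002 usually mean the local DNS server was up but refused or failed the query, which points at zone or replication problems rather than at initial synchronization alone.
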

Example customer scenarios

  • Multiple domain controllers in an Active Directory site that are simultaneously rebooted.

    • A two-domain controller domain is deployed in the same data center.
    • The DNS server role is installed on both domain controllers, and it hosts AD-integrated copies of the _msdcs.<forest root domain> and Active Directory domain zones.
    • DC1 is configured to use DC2 for preferred DNS and itself for alternate DNS.
    • DC2 is configured to use DC1 for preferred DNS and itself for alternate DNS.
    • All domain controllers have uninterruptible power supplies (UPS) and electrical generator backups.
    • The data center experiences frequent power outages of 2 to 10 hours. UPS devices keep the domain controllers operating until generators supply power, but they can't run the HVAC system. Temperature protection built into server class computers shuts down the domain controllers when internal temperatures reach manufacturer limits.
    • When power is eventually restored, the domain controllers hang for 20 minutes. This issue occurs after Preparing network connections is displayed, and before the logon prompt is displayed.
    • DNS Event ID 4013 is logged in the DNS event log.

    Opening the DNS management console (DNSMGMT.MSC) fails and generates the following error message:

    The server <computername> could not be contacted. The error was: The server is unavailable. Would you like to add it anyway?

    Opening the Active Directory Users and Computers snap-in (DSA.MSC) generates the following error message:

    Naming information could not be located

  • A single domain controller in an Active Directory site

    • One domain controller is deployed in a site.

    • The DNS Server role is installed, and it hosts AD-integrated copies of the _msdcs.<forest root domain> and Active Directory domain zones.

    • The domain controller points to itself for preferred DNS.

    • The domain controller has no alternate DNS server specified, or points to a domain controller over a wide-area network (WAN) link.

    • The domain controller is restarted because of a power outage.

    • During restart, the WAN link may not be operational.

    • When the domain controller is started, it may hang for 20 minutes. This issue occurs after Preparing network connections is displayed, and before the logon prompt is displayed.

    • DNS Event ID 4013 is logged in the DNS event log.

    • Opening the DNS management console (DNSMGMT.MSC) fails and generates the following error message:

      The server <computername> could not be contacted. The error was: The server is unavailable. Would you like to add it anyway?

    Opening the Active Directory Users and Computers snap-in (DSA.MSC) generates the following error message:

    Naming information could not be located.

Cause

The copy of Active Directory on a domain controller contains references to other domain controllers in the forest. During Windows startup, the domain controller tries to inbound-replicate every locally held directory partition from those partners, as part of an initial synchronization (init sync).

In an attempt to boot with the latest DNS zone contents, Microsoft DNS servers that host AD-integrated copies of DNS zones delay DNS service startup for several minutes after Windows startup unless Active Directory has completed its initial synchronization. Meanwhile, Active Directory can't inbound-replicate a directory partition until it resolves the CNAME GUID of its source domain controller to an IP address on the DNS servers that the destination domain controller uses for name resolution. The duration of the hang while preparing network connections depends on the number of locally held directory partitions in the domain controller's copy of Active Directory. Most domain controllers have at least the following five partitions:

  • schema
  • configuration
  • domain
  • forest-wide DNS application partition
  • domain-wide DNS application partition

And these domain controllers can experience a 15-20 minute startup delay. The existence of extra partitions increases the startup delay.

DNS Event ID 4013 in the DNS event log indicates that DNS service startup was delayed because inbound replication of Active Directory partitions hadn't yet occurred.

Multiple conditions can exacerbate the following issues:

  • slow Windows startup
  • the logging of DNS event 4013 on DNS servers that are configured to host AD-integrated zones, which implicitly reside on computers acting as domain controllers.

These conditions include:

  • Configuring a DNS server that hosts AD-integrated DNS zones, and whose copy of Active Directory contains knowledge of other domain controllers in the forest, to point to itself exclusively for DNS name resolution.
  • Configuring such a DNS server to point to DNS servers that don't exist, are currently offline, aren't accessible on the network, or don't host the zones and records that are needed to inbound-replicate Active Directory. Examples include the domain controller CNAME GUID record and its corresponding host A or AAAA record of potential source domain controllers.
  • Booting a domain controller and DNS server that hosts AD-integrated DNS zones, and whose copy of Active Directory contains knowledge of other domain controllers, on what is effectively an isolated network because:
    • The network adapter or network stack on the caller or target computer is either disabled or non-functional.
    • The domain controller has been booted on an isolated network.
    • The local domain controller's copy of Active Directory contains references to stale domain controllers that no longer exist on the network.
    • The local domain controller's copy of Active Directory contains references to other domain controllers that are currently turned off.
    • The local domain controller's copy of Active Directory contains references to other domain controllers that are online and accessible but can't be successfully replicated from, because of a problem on the source domain controller, the destination domain controller, or the DNS or network infrastructure.

In Windows Server 2003 and Windows 2000 Server SP3 or later, the domain controllers that host operations master roles must also successfully inbound-replicate the directory partition that maintains the operations master role's state before FSMO-dependent operations can be performed. These initial synchronizations were added to ensure that domain controllers agree about FSMO role ownership and role state. The initial sync requirement for FSMO roles to become operational is different from the initial sync discussed in this article, where Active Directory must inbound-replicate before the DNS Server service starts.

Resolution

Some Microsoft and external content have recommended setting the registry value Repl Perform Initial Synchronizations to 0 to bypass initial synchronization requirements in Active Directory. The specific registry subkey and the values for that setting are as follows:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Value name: Repl Perform Initial Synchronizations
Value type: REG_DWORD
Value data: 0

This configuration change isn't recommended for production environments, or for any environment on an ongoing basis. Set Repl Perform Initial Synchronizations to 0 only in critical situations to resolve temporary and specific problems, and restore the default setting after such problems are resolved.

Other feasible options include:

  • Remove references to stale domain controllers.

  • Make offline or non-functioning domain controllers operational.

  • Domain controllers hosting AD-integrated DNS zones shouldn't point to a single domain controller and especially only to themselves as preferred DNS for name resolution.

    DNS name registration and name resolution for domain controllers is a relatively lightweight operation that's highly cached by DNS clients and servers.

    Configuring domain controllers to point to a single DNS server's IP address, including the 127.0.0.1 loopback address, represents a single point of failure. This setting is tolerable in a forest with only one domain controller, but not in forests with multiple domain controllers.

    Hub-site domain controllers should point to other DNS servers in the same site as their preferred and alternate DNS servers, and finally to themselves as an additional alternate DNS server.

    Branch site domain controllers should configure the preferred DNS server IP address to point to a hub-site DNS server, the alternate DNS server IP address to point to an in-site DNS server or one in the closest available site, and finally to itself using the 127.0.0.1 loopback address or current static IP address.

    Pointing to hub-site DNS servers reduces the number of hops required to get critical domain controller SRV and HOST records fully registered. Hub-site domain controllers tend to get the most administrative attention, and the hub site typically holds the largest collection of domain controllers. Because they're in the same site, changes replicate between them:

    • every 15 seconds in Windows Server 2003 or later
    • every five minutes in Windows 2000 Server

    This behavior makes such DNS records well known.

    Dynamic domain controller SRV and host A and AAAA record registrations may not make it off-box if the registering domain controller in a branch site is unable to outbound replicate.

    Member computers and servers should continue to point to site-optimal DNS servers as preferred DNS. And they may point to off-site DNS servers for additional fault tolerance.

    Your ultimate goal is to prevent any of the following from causing a denial of service, while balancing cost, risk, and network utilization:

    • replication latency and replication failures
    • hardware failures, software failures
    • operational practices
    • short and long-term power outages
    • fire, theft, flood, and earthquakes
    • terrorist events
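
    The following script is an added example and is not part of the original article. It audits the DNS client configuration of every domain controller in the domain against the guidance above: a single configured DNS server, pointing to itself (or the loopback address) as preferred, not listing itself last, and branch-site DCs whose preferred server isn't in the hub site. It assumes the ActiveDirectory and DnsClient modules (RSAT), WinRM access to each DC, and a hub site name that you must adjust; all names are illustrative.

```powershell
# Added example, not from the KB article: audit DC DNS client settings against the
# hub/branch guidance above. $HubSite is an assumption; set it to your hub site name.

$HubSite = 'Default-First-Site-Name'

function Test-DcDnsClientConfig {
    param([string]$HubSiteName = $HubSite)

    $dcs    = Get-ADDomainController -Filter * -ErrorAction Stop
    $hubIPs = @($dcs | Where-Object { $_.Site -eq $HubSiteName } | ForEach-Object { $_.IPv4Address })

    foreach ($dc in $dcs) {
        # Addresses that count as "itself": the DC's registered IPs plus loopback.
        $ownIPs = @($dc.IPv4Address, $dc.IPv6Address, '127.0.0.1', '::1') | Where-Object { $_ }
        try {
            $servers = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
                Get-DnsClientServerAddress -AddressFamily IPv4 |
                    Where-Object { $_.ServerAddresses } |
                    ForEach-Object { $_.ServerAddresses }      # preferred first, then alternates
            }
        } catch {
            [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site; Servers = $null; Finding = "unreachable: $($_.Exception.Message)" }
            continue
        }
        $servers  = @($servers | Select-Object -Unique)
        $findings = New-Object System.Collections.Generic.List[string]

        if ($servers.Count -eq 0) { $findings.Add('no DNS servers configured') }
        if ($servers.Count -eq 1) { $findings.Add('single DNS server is a single point of failure') }
        if ($servers.Count -gt 0 -and $ownIPs -contains $servers[0]) { $findings.Add('points to itself as preferred DNS') }
        if ($servers.Count -gt 1 -and $ownIPs -notcontains $servers[-1]) { $findings.Add('does not list itself as the final alternate') }
        if ($servers.Count -gt 0 -and $dc.Site -ne $HubSiteName -and $hubIPs -notcontains $servers[0]) {
            $findings.Add('branch DC: preferred DNS is not a hub-site DNS server')
        }

        [pscustomobject]@{
            DC      = $dc.HostName
            Site    = $dc.Site
            Servers = ($servers -join ', ')
            Finding = if ($findings.Count) { $findings -join '; ' } else { 'OK' }
        }
    }
}

Test-DcDnsClientConfig | Format-Table -AutoSize
```

    The check uses only the IPv4 list and the single address that Get-ADDomainController reports per DC; multihomed DCs need the own-address list extended. Run it before planned maintenance as well: a DC whose only configured DNS server is the peer about to be rebooted is exactly the mutual-dependency case in the example scenarios.
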
  • Make sure that destination domain controllers can resolve source domain controllers by using DNS (that is, avoid name resolution fallback).

    You should ensure that domain controllers can successfully resolve the GUID-based CNAME records of current and potential source domain controllers to host records. Doing so avoids the high latency that name resolution fallback logic introduces.

    Domain controllers should point to DNS servers that:

    • Are available at Windows startup.
    • Host, forward, or delegate the _msdcs.<forest root domain> and primary DNS suffix zones for current and potential source domain controllers.
    • Can resolve the current CNAME GUID records (for example, dded5a29-fc25-4fd8-aa98-7f472fc6f09b._msdcs.contoso.com) and host records of current and potential source domain controllers.

    Missing, duplicate, or stale CNAME and host records all contribute to this problem. Scavenging isn't enabled on Microsoft DNS servers by default, increasing the probability of stale host records. At the same time, DNS scavenging can be configured too aggressively, causing valid records to be prematurely purged from DNS zones.
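
    The following script is an added example and is not part of the original article. From the DNS client configuration of the domain controller it runs on (or against a specific DNS server with -DnsServer), it resolves every other DC's GUID-based CNAME in _msdcs.<forest root> and then the host record the CNAME points to, and flags the missing, stale, or duplicate records that the paragraph above describes. It assumes the ActiveDirectory and DnsClient RSAT modules; function and parameter names are illustrative.

```powershell
# Added example, not from the KB article: verify that each DC's <DSA GUID>._msdcs.<forest root>
# CNAME resolves to a host record, the lookup NTDS performs before replication.

function Test-DcCnameResolution {
    param([string[]]$DnsServer)   # optional: query a specific DNS server instead of the local resolver list

    $forestRoot = (Get-ADForest).RootDomain
    foreach ($dc in Get-ADDomainController -Filter * -ErrorAction Stop) {
        # The DSA GUID is the objectGUID of the DC's NTDS Settings object, the value repadmin /showrepl
        # prints as "DSA object GUID".
        $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID
        $cname   = "$dsaGuid._msdcs.$forestRoot"
        $result  = [ordered]@{ DC = $dc.HostName; Cname = $cname; Target = $null; Address = $null; Status = 'OK' }

        $cnameArgs = @{ Name = $cname; Type = 'CNAME'; DnsOnly = $true; ErrorAction = 'Stop' }
        if ($DnsServer) { $cnameArgs.Server = $DnsServer }
        try {
            $rec = Resolve-DnsName @cnameArgs | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
            if (-not $rec) { throw 'no CNAME record returned' }
            $result.Target = $rec.NameHost

            $hostArgs = @{ Name = $rec.NameHost; Type = 'A_AAAA'; DnsOnly = $true; ErrorAction = 'Stop' }
            if ($DnsServer) { $hostArgs.Server = $DnsServer }
            $addrs = Resolve-DnsName @hostArgs | Where-Object { $_.Type -in @('A', 'AAAA') }
            if (-not $addrs) { throw "CNAME target $($rec.NameHost) has no A/AAAA record" }
            $result.Address = ($addrs.IPAddress -join ', ')

            # A CNAME that points at a different host than the DC itself is a stale or duplicate record.
            if ($rec.NameHost -ne $dc.HostName) {
                $result.Status = "CNAME points to $($rec.NameHost), expected $($dc.HostName)"
            }
        } catch {
            # NTDS would now fall back to the FQDN and then the NetBIOS name (events 2087/2088).
            $result.Status = "FAIL: $($_.Exception.Message)"
        }
        [pscustomobject]$result
    }
}

Test-DcCnameResolution | Format-Table -AutoSize
```

    Run it on each destination DC, because the point is what that DC's own resolver list can see at startup; passing -DnsServer lets you test a candidate preferred or alternate server before changing the client configuration.
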

  • Optimize domain controllers for name resolution fallback.

    Misconfigured DNS that prevented domain controllers from resolving the domain controller CNAME GUID records to host records was common. To ensure end-to-end replication of Active Directory partitions, Windows Server 2003 SP1 and later domain controllers were modified to perform name resolution fallback:

    • from domain controller CNAME GUID to fully qualified hostname.
    • from fully qualified hostname to NetBIOS computer name.

    The NTDS replication Event IDs 2087 and 2088 in the Directory Service event logs indicate that:

    • a destination domain controller couldn't resolve the domain controller CNAME GUID record to a host record.
    • name resolution fallback is occurring.

    WINS, HOSTS files, and LMHOSTS files can all be configured so that destination domain controllers can resolve the names of current and potential source domain controllers. Of the three, WINS is the more scalable, because WINS supports dynamic updates.

    The IP addresses and names of computers inevitably become stale, so static entries in HOSTS and LMHOSTS files become invalid over time. When that happens, queries for one domain controller may be incorrectly resolved to another domain controller, and no name query is observed in a network trace.

  • Change the startup value for the DNS server service to manual if booting into a known bad configuration.

    If booting a domain controller in a known bad configuration that's discussed in this article, follow these steps:

    1. Set the DNS Server service startup value to manual.
    2. Reboot, wait for the domain controller to advertise.
    3. Restart the DNS Server service.

    If the startup value of the DNS Server service is set to Manual, Active Directory doesn't wait for the DNS Server service to start.
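
    The following script is an added example and is not part of the original article. It implements the three steps above as two functions: one to run before the reboot, and one to run after logon that waits until the domain controller advertises (dcdiag's Advertising test) before starting the DNS Server service and restoring Automatic startup. The service name DNS and the dcdiag switches are as shipped; the 30-minute timeout and the English-language match on dcdiag's output are assumptions.

```powershell
# Added example, not from the KB article: the manual-startup workaround for booting a DC
# into a known bad configuration. Run both functions in an elevated session on the DC.

function Set-DnsServerManualStartup {
    # Step 1: stop the DNS Server service from starting at boot, so startup doesn't wait on it.
    Set-Service -Name DNS -StartupType Manual
    Write-Host 'DNS Server service set to Manual. Reboot the DC, then run Restore-DnsServerAfterAdvertise.'
}

function Restore-DnsServerAfterAdvertise {
    param([int]$TimeoutMinutes = 30)   # assumed upper bound; init sync normally completes well within this

    # Step 2: wait for the DC to advertise. dcdiag prints "passed test Advertising" once NTDS
    # has finished initial synchronization and the DC is advertising as a DC/GC (English output assumed).
    $deadline    = (Get-Date).AddMinutes($TimeoutMinutes)
    $advertising = $false
    while ((Get-Date) -lt $deadline) {
        $out = & dcdiag.exe /test:advertising "/s:$($env:COMPUTERNAME)" 2>&1 | Out-String
        if ($out -match 'passed test Advertising') { $advertising = $true; break }
        Start-Sleep -Seconds 30
    }
    if (-not $advertising) {
        throw "DC did not advertise within $TimeoutMinutes minutes; check the Directory Service log (events 2087/2088 indicate name resolution fallback)"
    }

    # Step 3: start DNS Server now that AD has the latest zone contents, and put startup back to Automatic.
    Start-Service -Name DNS
    Set-Service -Name DNS -StartupType Automatic
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='DNS'"
    [pscustomobject]@{ Service = $svc.Name; State = $svc.State; StartMode = $svc.StartMode }
}
```

    Leaving the service on Manual is as dangerous as the registry workaround above: a later unplanned reboot would bring the DC up without DNS at all. Restore-DnsServerAfterAdvertise therefore resets Automatic startup in the same run, and the returned StartMode should read Auto.
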

Additional considerations

  • Avoid single points of failure.

    Examples of single points of failure include:

    • Configuring a domain controller to point to a single DNS server IP address
    • Placing all DNS servers on guest virtual machines on the same physical host computer
    • Placing all DNS servers in the same physical site
    • Limiting network connectivity such that destination domain controllers have only a single network path to access a KDC or DNS Server

    Install enough DNS servers for local, regional, and enterprise-wide redundancy and performance, but not so many that management becomes a burden. DNS is typically a lightweight operation that is highly cached by DNS clients and DNS servers.

    Each Microsoft DNS server running on modern hardware can satisfy 10,000-20,000 clients per server. Installing the DNS role on every domain controller can lead to an excessive number of DNS servers in your enterprise. And doing so will increase cost.

  • Stagger the reboots of DNS servers in your enterprise when possible.

    • The installation of some hotfixes, service packs, and applications may require a reboot.
    • Some customers reboot domain controllers on a scheduled basis (every seven days, every 30 days).
    • Schedule reboots, and the installation of software that requires a reboot, so that the only DNS server, or the only potential source replication partner, that a destination domain controller points to for name resolution isn't rebooted at the same time.

    If Windows Update or management software is installing software that requires a reboot, stagger the installs on the targeted domain controllers so that at most half of the DNS servers that domain controllers point to for name resolution reboot at the same time.

  • Install UPS devices in strategic places to ensure DNS availability during short-term power outages.

  • Augment your UPS-backed DNS servers with on-site generators.

    To deal with extended outages, some customers have deployed on-site electrical generators to keep key servers online. Some customers have found that generators can power servers in the data center but not the on-site HVAC. The lack of air conditioning may cause local servers to shut down when internal computer temperatures reach a certain threshold.

More information

May 10, 2010 testing by the Active Directory development team:

DNS waits for NTDS and can't start until the initial replication of the directory has been completed, because up-to-date DNS data might not have replicated to the domain controller yet. On the other hand, NTDS needs DNS to resolve the IP address of the source domain controller for the replication. Assume that DC1 points to DC2 as its DNS server, and DC2 points to DC1 as its DNS server. When both DC1 and DC2 reboot simultaneously, startup is slow because of this mutual dependency. The root cause of the slow startup is DNSQueryTimeouts.

If the DNS Server service runs well when NTDS starts, NTDS takes only two DNS queries to resolve the IP address of the source domain controller:

  • one for IPv4
  • the other for IPv6

And these DNS queries return almost instantaneously.

If the DNS Server service isn't available when NTDS starts, NTDS will need to send out 10 DNS queries to resolve the IP address:

  • four for GUID-based name
  • four for fully qualified name
  • two for single-label name

Latency for each DNS query is controlled by DNSQueryTimeouts. By default, DNSQueryTimeouts is set to 1 1 2 4 4, which means that the DNS client waits 12 (1 + 1 + 2 + 4 + 4) seconds for a DNS server response before a query gives up. With 10 queries per source, the DNS queries alone take 120 (10 × 12) seconds per naming context to resolve the IP address of one source. Assume that there are five naming contexts (Configuration, Schema, domain, ForestDnsZones, DomainDnsZones) and one replication source. In this scenario, the test accounting comes to 850 (170 × 5) seconds, or more than 14 minutes, for NTDS to finish initial replication.
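
The following script is an added example and is not part of the original article. It applies the accounting above to a real domain controller: it reads the DC's actual DNSQueryTimeouts value (falling back to the documented default 1 1 2 4 4 when the value is absent), counts the (partition, inbound partner) pairs NTDS must resolve during init sync, and reports the worst-case DNS-timeout portion of the hang. It assumes the ActiveDirectory module; the registry path is the DNS client's Dnscache parameters key, and the function name is illustrative.

```powershell
# Added example, not from the KB article: estimate the DNS-timeout share of the init-sync hang
# for a DC, using its own DNSQueryTimeouts value and its inbound replication topology.

function Get-InitSyncDnsDelayEstimate {
    param([string]$DomainController = $env:COMPUTERNAME)

    # DNSQueryTimeouts (REG_MULTI_SZ) lives under the DNS client service parameters; absent means default.
    $key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
    $timeouts = (Get-ItemProperty -Path $key -Name DNSQueryTimeouts -ErrorAction SilentlyContinue).DNSQueryTimeouts
    if (-not $timeouts) { $timeouts = @(1, 1, 2, 4, 4) }   # documented default: 12 seconds per failed query
    $perQuery = ($timeouts | ForEach-Object { [int]$_ } | Measure-Object -Sum).Sum

    # Each (partition, inbound partner) pair is one source to resolve. With the DNS server not answering,
    # NTDS issues up to 10 queries per source: 4 for the GUID CNAME, 4 for the FQDN, 2 for the NetBIOS name.
    $pairs            = @(Get-ADReplicationPartnerMetadata -Target $DomainController -PartnerType Inbound -Partition * -ErrorAction Stop)
    $queriesPerSource = 10
    $worstSeconds     = $pairs.Count * $queriesPerSource * $perQuery

    [pscustomobject]@{
        DC                    = $DomainController
        DnsQueryTimeouts      = ($timeouts -join ' ')
        SecondsPerFailedQuery = $perQuery
        PartitionPartnerPairs = $pairs.Count
        WorstCaseDnsDelaySec  = $worstSeconds
        WorstCaseDnsDelayMin  = [math]::Round($worstSeconds / 60, 1)
    }
}

Get-InitSyncDnsDelayEstimate
```

For the article's scenario (five partitions, one partner, default timeouts) the function returns 600 seconds; that is the DNS-timeout portion only, and a lower bound on the observed hang, which the test above puts at about 170 seconds per naming context once the rest of each replication attempt is included. Every extra partition or inbound partner adds another 120 seconds of worst-case delay, which is why lengthening DNSQueryTimeouts, as the next test shows, makes the hang proportionally longer.
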

Several tests were done to validate the above behavior.

  • Reboot a domain controller whose DNS server is a third domain controller that is online. For each naming context and each source, there are two DNS queries, and they finish almost instantaneously:

    in I_DRSGetNCChanges, NC = CN=Configuration,DC=contoso,DC=com
    in getContextBindingHelper, pszAddress = dded5a29-fc25-4fd8-aa98-7f472fc6f09b._msdcs.contoso.com
    in resolveDnsAddressWithFallback
    GUID based DNS name
    in GetIpVxAddrByDnsNameW
    in GetIpAddrByDnsNameHelper
    start GetAddrInfoW: 22:31:40.534
    end GetAddrInfoW: 22:31:40.534
    in GetIpAddrByDnsNameHelper
    start GetAddrInfoW: 22:31:40.534
    end GetAddrInfoW: 22:31:40.534

  • Reboot DC1 and DC2 simultaneously, where DC1 is using DC2 for DNS and DC2 is using DC1 for DNS. For each naming context and each source, there are 10 DNS queries, and each query takes about 12 seconds:

    in I_DRSGetNCChanges, NC = CN=Configuration,DC=contoso,DC=com
    in getContextBindingHelper, pszAddress = dded5a29-fc25-4fd8-aa98-7f472fc6f09b._msdcs.contoso.microsoft.com
    in resolveDnsAddressWithFallback
    GUID based DNS name
    in GetIpVxAddrByDnsNameW
    in GetIpAddrByDnsNameHelper
    start GetAddrInfoW: 22:37:43.066
    end GetAddrInfoW: 22:37:55.113
    in GetIpAddrByDnsNameHelper
    start GetAddrInfoW: 22:37:55.113
    end GetAddrInfoW: 22:38:07.131
    in GetIpAddrByDnsNameHelper
    start GetAddrInfoW: 22:38:07.131
    end GetAddrInfoW: 22:38:19.161
    in GetIpAddrByDnsNameHelper
    start GetAddrInfoW: 22:38:19.176
    end GetAddrInfoW: 22:38:31.185
    FQDN
    in GetIpVxAddrByDnsNameW
    in GetIpAddrByDnsNameHelper
    start GetAddrInfoW: 22:38:31.200
    end GetAddrInfoW: 22:38:43.182
    in GetIpAddrByDnsNameHelper
    start GetAddrInfoW: 22:38:43.182
    end GetAddrInfoW: 22:38:55.191
    in GetIpAddrByDnsNameHelper
    start GetAddrInfoW: 22:38:55.191
    end GetAddrInfoW: 22:39:07.216
    in GetIpAddrByDnsNameHelper
    start GetAddrInfoW: 22:39:07.216
    end GetAddrInfoW: 22:39:19.286
    NetBios
    in GetIpVxAddrByDnsNameW
    in GetIpAddrByDnsNameHelper
    start GetAddrInfoW: 22:39:19.286
    end GetAddrInfoW: 22:39:31.308
    in GetIpAddrByDnsNameHelper
    start GetAddrInfoW: 22:39:31.308
    end GetAddrInfoW: 22:39:43.324

  • To further study the relationship between DNSQueryTimeouts and the slow startup, DNSQueryTimeouts was set to 1 2 4 8 16, which makes the DNS client wait 31 (1 + 2 + 4 + 8 + 16) seconds per query. In this test, each query took 31 seconds:

    in I_DRSGetNCChanges, NC = CN=Configuration,DC=contoso,DC=com
    in getContextBindingHelper, pszAddress = dded5a29-fc25-4fd8-aa98-7f472fc6f09b._msdcs.contoso.com
    in resolveDnsAddressWithFallback
    GUID based DNS name
    in GetIpVxAddrByDnsNameW
    in GetIpAddrByDnsNameHelper
    start GetAddrInfoW: 18:06:48.143
    end GetAddrInfoW: 18:07:19.158
    in GetIpAddrByDnsNameHelper
    start GetAddrInfoW: 18:07:19.158
    end GetAddrInfoW: 18:07:50.162
    in GetIpAddrByDnsNameHelper
    start GetAddrInfoW: 18:07:50.162
    end GetAddrInfoW: 18:08:21.161
    in GetIpAddrByDnsNameHelper
    start GetAddrInfoW: 18:08:21.161
    end GetAddrInfoW: 18:08:52.158
    FQDN
    in GetIpVxAddrByDnsNameW
    in GetIpAddrByDnsNameHelper
    start GetAddrInfoW: 18:08:52.221
    end GetAddrInfoW: 18:09:23.231
    in GetIpAddrByDnsNameHelper
    start GetAddrInfoW: 18:09:23.231
    end GetAddrInfoW: 18:09:54.243
    in GetIpAddrByDnsNameHelper
    start GetAddrInfoW: 18:09:54.243
    end GetAddrInfoW: 18:10:25.239
    in GetIpAddrByDnsNameHelper
    start GetAddrInfoW: 18:10:25.239
    end GetAddrInfoW: 18:10:56.243
    NetBios
    in GetIpVxAddrByDnsNameW
    in GetIpAddrByDnsNameHelper
    start GetAddrInfoW: 18:10:56.243
    end GetAddrInfoW: 18:11:27.244
    in GetIpAddrByDnsNameHelper
    start GetAddrInfoW: 18:11:27.244
    end GetAddrInfoW: 18:11:58.265

FAQs

How do I test DNS with dcdiag? ›

To verify dynamic update
  1. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. ...
  2. At the command prompt, type the following command, and then press ENTER: dcdiag /test:dns /v /s:<DCName> /DnsDynamicUpdate.
8 Oct 2021

How do I remove an orphaned domain controller? ›

Step 1: Removing metadata via Active Directory Users and Computers
  1. Log in to DC server as Domain/Enterprise administrator and navigate to Server Manager > Tools > Active Directory Users and Computers.
  2. Expand the Domain > Domain Controllers.
  3. Right click on the Domain Controller you need to manually remove and click Delete.
31 Oct 2018

Why does nslookup show server unknown? ›

If nslookup displays “Server: Unknown” in the query, the issue is often that the reverse lookup zone is incorrectly configured. In this case, a “non-authoritative answer” notification is given, as the local DNS server was unable to answer the query itself, and instead had to contact one or more other name servers.

How do I check my DNS server Windows? ›

Run ipconfig /all at a command prompt, and verify the IP address, subnet mask, and default gateway. Check whether the DNS server is authoritative for the name that is being looked up. If so, see Checking for problems with authoritative data.

How do I troubleshoot an Active Directory issue? ›

Techniques to troubleshoot Active Directory issues
  1. Run diagnostics on domain controllers. When you install the Windows Server Active Directory Domain Services role, Windows also installs a command-line tool named dcdiag. ...
  2. Test DNS for signs of trouble. ...
  3. Run checks on Kerberos. ...
  4. Examine the domain controllers.
7 Aug 2020

How do I clean dead domain controller? ›

Remove dead domain controller
  1. Active Directory Users and Computers > Domain Controllers > select the dead server.
  2. Right click and Delete.
  3. Click Yes to confirm.

How do I remove old DNS records from a domain controller? ›

Remove DNS Entries:

Right click a Zone in DNS console and go to properties, Under Name server tab delete the entries that are related to decommissioned DC. 2. Open DNS Console (dnsmgmt. msc) and expand the zone that is related to the domain from where the server has been removed, Remove the CNAME record in the _msdcs.

How do I force DC to remove a domain? ›

Removing the DC server instance from the Active Directory Sites and Services
  1. Go to Server manager > Tools > Active Directory Sites and Services.
  2. Expand the Sites and go to the server which need to remove.
  3. Right click on the server you which to remove and click Delete.
  4. Click Yes to confirm.
23 Feb 2022

How do I fix nslookup unknown server? ›

How to fix NSLookup error Default Server Unknown in ... - YouTube

What is the default server in nslookup? ›

When you start nslookup it tells you the name/IP of the server it will be using for your queries (so long as you don't change that). This is the "default" DNS server that you currently have configured in the properties of your network interface.

How do I change my default DNS server nslookup? ›

Change the default server by typing "server" and the server's name or IP address. For example, to change the default server to a Google public DNS server, type "server 8.8. 8.8" and press "Enter."

How do I resolve a DNS server problem? ›

Here are eight ways to do it.
  1. Try using another web browser or device. ...
  2. Get closer to your internet router. ...
  3. Restart your devices. ...
  4. Change your DNS settings. ...
  5. Flush your DNS cache. ...
  6. Update your network drivers, router, and modem. ...
  7. Turn off your VPN and firewall.
22 Apr 2022

How do I fix a DNS problem? ›

8 Strategies for Troubleshooting a DNS Failure
  1. Restart Your Software or Device. Sometimes simply exiting the browser completely for a few minutes will solve the problem. ...
  2. Restart the Modem or Router. ...
  3. Switch Browsers. ...
  4. Pause Your Firewall. ...
  5. Clear Your Cache. ...
  6. Disable Extra Connections. ...
  7. Keep Everything Updated. ...
  8. Check DNS Settings.
28 Mar 2022

How do I fix Windows DNS? ›

How To Fix 'DNS Server Not Responding' Error On Windows 10
  1. Method 1: Switch To Different Browser.
  2. Method 2: Disable Antivirus Firewall.
  3. Method 3: Restart Router.
  4. Method 4: Change DNS Server.
  5. Method 5: By Clearing DNS Cache.
5 Sept 2022

How can I tell if Active Directory is working? ›

The best way to verify the operation of Active Directory is to run the console utility Dcdiag (Domain Controller Diagnosis). Dcdiag executes several tests to verify that AD is working correctly. If Dcdiag reports a failed test you will need to troubleshoot your domain controller to find the cause.

What are the tools used to check and troubleshoot replication of Active Directory? ›

The Repadmin tool and other diagnostic tools also provide information that can help you resolve replication failures. For detailed information about using Repadmin for troubleshooting replication problems, see Monitoring and Troubleshooting Active Directory Replication Using Repadmin.

How do I check Active Directory credentials? ›

To test a username and password against the Active Directory, run the ad auth command in the Policy Manager CLI. This command manually checks against Active Directory to indicate whether or not a username and password are valid.

What happens when primary domain controller goes down? ›

If the Domain Controller (DC) goes offline, Authentication Services will automatically failover to another available DC.

How do I delete a stale DNS record? ›

Right-click the selected records, and then click Delete DNS resource record. The Delete DNS Resource Record dialog box opens. Verify that the correct DNS server is selected. If it is not, click DNS server and select the server from which you want to delete the resource records.

How do you force domain replication? ›

Solution
  1. Open the Active Directory Sites and Services snap-in.
  2. Browse to the NTDS Setting object for the domain controller you want to replicate to.
  3. In the right pane, right-click on the connection object to the domain controller you want to replicate from and select Replicate Now.

Should I delete old DNS records? ›

First, you should always delete stale DNS records. If you stop controlling the resource your domain name points to, you should remove the record. In addition, you might want to enable a service like Google Search Console across your domains to be alerted as soon as something happens.

How do I find stale DNS records? ›

Right-click the domain folder, choose Properties, and click Aging on the General tab. Again, select the Scavenge stale resource records check box and click OK, then click OK again.

What happens if I delete a DNS record? ›

Delete a DNS record from your domain that's no longer needed. Deleting records will completely remove them from your zone file. Changes to your DNS may interrupt how your domain works, such as your email and website.

How do I find my primary and secondary domain controller in CMD? ›

To check which server is the PDC start MMC with the Active Directory Users and Computers.
  1. Right click on the domain.
  2. Click Operations Masters.
  3. All three tabs (RID, PDC, Infrastructure) should show the same server as the Operations Master.
27 Apr 2012

How do I remove DC offline from Active Directory? ›

Remove DC from Users and Computers

From a working DC in the forest, open Active Directory Users and Computers, navigate to the Domain Controllers container, right-click on the non-functional domain controller and click Delete. Click the Yes button to confirm deletion.

How do I list all domain controllers in a domain? ›

To find all the domain controllers in a domain: DsQuery Server -domain domain_name.com.

What is nslookup command in CMD? ›

The nslookup command queries internet domain name servers in two modes. Interactive mode allows you to query name servers for information about various hosts and domains, or to print a list of the hosts in a domain. In noninteractive mode, the names and requested information are printed for a specified host or domain.

How do I use nslookup with different DNS servers? ›

  1. To use a specific DNS server for the query, add the server name or IP address to the end of the command. For example, the following command performs a DNS lookup on the example.com domain using an OpenDNS server (which has IP address 208.67.222.222): ...
  2. By default, nslookup looks up the A record for a domain.
9 Jan 2014

What is the default server? ›

A default server is the server that you want to use when a project has more than one server defined.

How do I test nslookup?

Go to Start and type cmd in the search field to open the command prompt. Alternatively, go to Start > Run > type cmd or command. Type nslookup and hit Enter. The displayed information will be your local DNS server and its IP address.

How do I query DNS?

Access your command prompt. Use the command nslookup (this stands for Name Server Lookup) followed by the domain name or IP address you want to trace. Press Enter. This command will simply query the Name Service for information about the specified IP address or domain name.

Which command is used to manually query a DNS?

The nslookup command was created to allow a user to manually query a DNS server to resolve a given host name.

How do I find a hostname from an IP address?

Querying DNS

Click the Windows Start button, then "All Programs" and "Accessories." Right-click on "Command Prompt" and choose "Run as Administrator." Type "nslookup %ipaddress%" in the black box that appears on the screen, substituting %ipaddress% with the IP address for which you want to find the hostname.

How do I run Dcgpofix?

Restoring the GPOs to their defaults is as simple as running “DCGPOFIX.exe” from a command line and pressing “Y” twice when prompted. Now you are done. Any changes to the GPOs have been removed or reverted to the default settings.

How can I tell if a domain controller is replicated?

To diagnose replication errors, users can run the AD status replication tool that is available on DCs or read the replication status by running repadmin /showrepl.

What does dcdiag fix do?

Dcdiag is an often overlooked tool that can discover problems in a domain controller's configuration. If client computers can't locate a domain controller or if domain controllers can't replicate Active Directory, you can run tests with Dcdiag to look for a solution.

What is Nltest command?

Nltest is a command-line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the AD DS or the AD LDS server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT).

How do I restore default domain policy?

Open a Command Prompt as administrator. To restore the default domain policies, run the command “DCGPOFIX” and press Y at each prompt, after carefully reading and understanding what is about to happen.

How do I find my default domain policy?

To set security policies in a domain, edit the default domain policy as follows:
  1. Select Start | All Programs | Administrative Tools | Active Directory Users and Computers.
  2. Right-click the domain node in the left pane and click Properties.
  3. Choose the Group Policy tab.
  4. Select the Default Domain Policy and click Edit.

How do I find the default domain controller policy?

If you are using the GPMC, you'll see the Default Domain Controllers Policy GPO when you click the Domain Controllers node in the console tree. Then right-click the Default Domain Controllers Policy and select Edit to get full access to the Default Domain Controllers Policy GPO.

How do I force sync a domain controller?

To force Active Directory replication, issue the command 'repadmin /syncall /AeD' on the domain controller. Run it on the domain controller whose Active Directory database you want to update. For example, if DC2 is out of sync, run the command on DC2.

How do you test replication between servers?

Use either of the following methods to view replication errors:
  1. Download and run the Microsoft Support and Recovery Assistant tool, or run the AD Status Replication Tool on the DCs.
  2. Read the replication status in the repadmin /showrepl output. Repadmin is part of Remote Server Administration Tools (RSAT).

How do I replicate DNS between domain controllers?

Solution
  1. Open the Active Directory Sites and Services snap-in.
  2. Browse to the NTDS Setting object for the domain controller you want to replicate to.
  3. In the right pane, right-click on the connection object to the domain controller you want to replicate from and select Replicate Now.

How do I fix a corrupted DNS?

Let's take a look at ten potential ways you can fix “DNS Server Not Responding” on Windows and Mac devices.
  1. Switch to a Different Browser. ...
  2. Start Your Computer in Safe Mode. ...
  3. Temporarily Disable Your Antivirus Software and Firewall. ...
  4. Disable Secondary Connections. ...
  5. Disable the Windows Peer-to-Peer Feature. ...
  6. Restart Your Router.

Is dcdiag safe to run?

dcdiag.exe is safe to run on a production machine. It's a reporting tool only and doesn't attempt to take corrective actions (stopping / starting services, making configuration changes, etc).

How can I tell if Active Directory is functioning correctly?

The best way to verify the operation of Active Directory is to run the console utility Dcdiag (Domain Controller Diagnosis). Dcdiag executes several tests to verify that AD is working correctly. If Dcdiag reports a failed test you will need to troubleshoot your domain controller to find the cause.

What is Nltest Dsgetsite?

What is nltest? Nltest, or Network Location Test, is a command-line tool used in Windows Server and Windows 10. Some examples of when you can use the tool: Find which site your machine belongs to. Retrieve a list of domain controllers.

What is Nltest Sc_query?

The nltest /sc_query command can query a computer to verify its secure channel is working.
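The secure-channel, dcdiag and replication-test answers above each name one tool; the following PowerShell script, added here and not part of the original article, chains them into a single read-only domain controller health check and parses the CSV form of repadmin /showrepl so failing replication links are listed explicitly. It assumes an elevated session on a DC (or a member server with RSAT), and the domain name is a placeholder.

```powershell
<#
  Added example, not from the original article: a read-only DC health check
  that runs nltest /sc_query, repadmin /showrepl and dcdiag /test:DNS and
  summarises their results. Assumptions: elevated PowerShell on a DC or on a
  member server with RSAT installed; $DomainName is a placeholder value.
#>
param(
    [string]$DomainName = 'corp.example.com'   # placeholder, replace with your domain
)

$lines = New-Object System.Collections.Generic.List[string]

# 1. Secure channel: confirms this machine can reach and authenticate to a DC.
$lines.Add("=== nltest /sc_query:$DomainName ===")
$lines.AddRange([string[]]@(nltest /sc_query:$DomainName 2>&1))

# 2. Replication status for every DC. /csv yields one row per partner link and
#    naming context, including "Number of Failures" and "Last Failure Status".
$rows   = repadmin /showrepl '*' /csv | ConvertFrom-Csv
$failed = @($rows | Where-Object { [int]$_.'Number of Failures' -gt 0 })
$lines.Add("=== repadmin /showrepl: $($failed.Count) failing link(s) ===")
foreach ($r in $failed) {
    $lines.Add(('{0} <- {1} [{2}] failures={3} lastStatus={4} lastSuccess={5}' -f
        $r.'Destination DSA', $r.'Source DSA', $r.'Naming Context',
        $r.'Number of Failures', $r.'Last Failure Status', $r.'Last Success Time'))
}

# 3. dcdiag DNS test on this DC: the AD-integrated DNS dependency that
#    event ID 4013 reports on. Only the per-test pass/fail lines are kept.
$lines.Add('=== dcdiag /test:DNS ===')
$summary = dcdiag /test:DNS 2>&1 |
    Select-String -Pattern 'passed test|failed test' |
    ForEach-Object { $_.Line.Trim() }
$lines.AddRange([string[]]@($summary))

$lines | Write-Output

# Non-zero exit code when any replication link is failing, so the script can
# be scheduled and alerted on.
if ($failed.Count -gt 0) { exit 1 } else { exit 0 }
```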

What is Certutil command?

Certutil is a command-line program that is installed as part of Certificate Services. It is used to verify and dump Certificate Authority (CA) information, get and publish new certificate revocation lists and much more.

Article information

Author: Kimberely Baumbach CPA

Last Updated: 10/22/2022
