So there is a reason that this occurs, and I am one of the people
responsible for the change in behavior. I did not write the code but did
track down the cause and worked to rectify it after a customer took an
outage because of it.  As others have stated, using that registry key can
be dangerous, and there is a reason that DNS now waits until initial sync
before loading a zone and will continue to retry loading the zones after
initial sync is performed.  So why do we now check for initial sync?
Well, it turns out that there are situations where DNS will recreate
containers and records when it does not find them locally.  When this
occurs, these changes can replicate out and cause conflicts in the
Directory, which can cause the entire DNS structure to appear to go away
and cause havoc in the environment.  It is also the reason that we often
see replication storms with respect to the SOA record.  So in SP1, and
actually a hotfix before SP1, we now require an initial sync to ensure
that we have the up-to-date zone information before loading it.  The
errors are benign and are there to inform you why the zone/zones have
not loaded, but the DNS server will continue to wait and once the initial
sync is complete will then load the zones.  This is here to protect you,
and while it does slow down loading the zones, it is an important
trade-off for system stability.  The following link has a description of
the fix that made this change: http://support.microsoft.com/kb/836534/en-us.

Thanks,

-Steve 
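
An added example, not part of the original thread and not Microsoft's own tooling: a PowerShell check that reports whether the "Repl Perform Initial Synchronizations" value discussed in this thread has been set on one or more domain controllers. The registry path and value name are the ones quoted in the thread; the function name and the use of PowerShell remoting for other servers are assumptions.

```powershell
# Added example: audit domain controllers for the initial-sync override.
# Registry path and value name come from the thread; Get-InitialSyncOverride
# is a hypothetical helper name.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName  = 'Repl Perform Initial Synchronizations'

function Get-InitialSyncOverride {
    param(
        # Servers to check; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Runs on the target machine and classifies the value without changing it.
    $check = {
        param($Path, $Name)
        $state = 'NotSet'      # value absent: the override has not been added
        $data  = $null
        if (-not (Test-Path -LiteralPath $Path)) {
            $state = 'NoNtdsParametersKey'   # no NTDS key: not a domain controller
        } else {
            $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $data  = $item.$Name
                # 0 is the setting the thread describes as skipping initial sync.
                $state = if ($data -eq 0) { 'InitialSyncDisabled' } else { 'SetNonZero' }
            }
        }
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; State = $state; Data = $data }
    }

    foreach ($dc in $ComputerName) {
        try {
            if ($dc -eq $env:COMPUTERNAME) {
                & $check $NtdsParams $ValueName
            } else {
                Invoke-Command -ComputerName $dc -ScriptBlock $check `
                    -ArgumentList $NtdsParams, $ValueName -ErrorAction Stop |
                    Select-Object Computer, State, Data
            }
        } catch {
            [pscustomobject]@{ Computer = $dc; State = 'Unreachable'; Data = $_.Exception.Message }
        }
    }
}

# Check the local server; pass -ComputerName with your own DC names to check others.
Get-InitialSyncOverride | Format-Table -AutoSize
```

Any server reporting InitialSyncDisabled is one where the safety check described above has been turned off and should be reviewed.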

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Umer Y
Sent: Sunday, March 19, 2006 9:32 PM
To: [email protected]
Subject: Re: [ActiveDir] DNS Server will not Start

Of course it is a workaround to the real issue. I suppose I should have
added that to my first email.

Also, while digging up my emails a little further, here is the
snippet that I was given that:

This registry key value controls if it should do initial synchronization
with other domain controller when it starts up. If it is 0, it won't
synchronize with other domain controllers during startup.

-----

Now, if there are replication or other issues with the Domain
Controller[s], of course using the key will only take you as far as
logging on to the machine, if at all, but not any further with resolving
the real issues of the machine.

So yes Joe, you are very correct that there are probably bigger issues
with the environment and the domain controller itself to actually cause
the problem, and definitely something to be looked at.

-Umer.

On 3/19/06, joe <[EMAIL PROTECTED]> wrote:
> I would have to agree with David's statement.
>
> Umer, if the DC is overly busy, it isn't a reason to start disabling
> things that protect it so that it starts up. You get all of the stuff
> off of it or build it up so that the crap doesn't slow it down so
> much.
>
> When a DC comes back up, it needs to figure out where it is at in
> relation to everything else in its world in case someone asks it
> something important that it is supposed to be relatively authoritative
> for. This registry key says don't do that check, just assume
> everything is fine. If you have one DC in your forest, this is safe,
> otherwise, it very well may not be.
>
> I don't think there is any public documentation for that key, at least
> I don't recall seeing any. I also don't think I ever saw it up on
> Premier. I would wonder how someone got ahold of it as it really
> probably shouldn't be given out by PSS that much. The only time I
> recall seeing it anywhere is in the source code file that documents
> all of the NTDS registry keys. There are other publicly undocumented
> keys that will work too but are also quite bad unless you really have
> a strong understanding of what it is they do and why.
>
> Overall it sounds like there are at least a baker's dozen of issues
> with the configuration of the DCs at that location and they need to be
> worked through and whomever has made the decisions to load the kitchen
> sink needs to be sat down and had a discussion with concerning the
> relative importance of DCs to everything else in the forest.
>
>  joe
>
>
> --
> O'Reilly Active Directory Third Edition - 
> http://www.joeware.net/win/ad3e.htm
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
> Sent: Sunday, March 19, 2006 6:49 PM
> To: [email protected]
> Subject: RE: [ActiveDir] DNS Server will not Start
>
> Setting that Registry value is not the answer.  You're disabling a 
> safety mechanism in AD.  Don't change random Registry values in AD 
> unless you know what they're used for.
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
> > Sent: Sunday, March 19, 2006 5:22 PM
> > To: [email protected]
> > Subject: RE: [ActiveDir] DNS Server will not Start
> >
> > Many thanks for this - I spent all weekend looking for a resolution 
> > and the PSS answer was ignore it or cross reference DNS
> >
> > I will give this a go.
> >
> > Mark
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Umer Y
> > Sent: 19 March 2006 23:08
> > To: [email protected]
> > Subject: Re: [ActiveDir] DNS Server will not Start
> >
> > Add the following key.
> >
> > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
> > Type = DWORD
> > Key = Repl Perform Initial Synchronizations
> > Value = 0
> >
> > This will take care of your issue. :)
> >
> >
> >
> > On 3/19/06, Mark Parris <[EMAIL PROTECTED]> wrote:
> > > I have since discovered it is a 4015 error which is one of those
> > > catch 22 errors.
> > >
> > > I (They) have AD integrated DNS zones - Active Directory needs to
> > > start to load the zones but the zones don't start until DNS starts
> > > which is after AD - Bah!!!!. Eventually (With endured patience) DNS
> > > starts and the zones load and normal service is resumed.
> > >
> > > On "most" servers I have ever encountered this is a non event as
> > > the servers are very fast and not over loaded and they never
> > > register a 4015 error - but each server that has this issue (they
> > > are not mine - I am just fixing and advising) runs
> > >
> > > 1, a domain controller
> > > 2, DNS server
> > > 3, DHCP Server
> > > 4, RIS server
> > > 5, Symantec AV (with no exclusions)
> > > 6, File and Print duties
> > > 7, and some app called SQL 2000 hosting several databases
> > >
> > > They only have 1GB of RAM and I have seen cold honey run faster.
> > >
> > > I know to resolve the issue I can cross point DNS - I am just
> > > waiting to see what the company wants to do.
> > >
> > > I want to leave the DNS configuration as is - just as another
> > > example of why they should add more RAM and buy more servers.
> > >
> > > Many thanks
> > >
> > > Mark
> > >
> > > ________________________________________
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Al 
> > > Mulnick
> > > Sent: 19 March 2006 21:58
> > > To: [email protected]
> > > Subject: [Norton AntiSpam] Re: [ActiveDir] DNS Server will not 
> > > Start
> > >
> > > Also, what's in the DNS, System, and Security event logs (assuming
> > > auditing)?
> > >
> > > On 3/18/06, Gil Kirkpatrick <[EMAIL PROTECTED]> wrote:
> > > My first thought was missing service dependency of DNS on AD, but
> > > my DCs don't have one either.
> > >
> > > Is there any commonality between the servers?
> > >
> > > -g
> > >
> > > ________________________________________
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Mark 
> > > Parris
> > > Sent: Saturday, March 18, 2006 7:39 AM
> > > To: [email protected]
> > > Subject: [ActiveDir] DNS Server will not Start
> > >
> > > All,
> > > Another question from me, I have several Windows Server 2003 SP1
> > > DC's that all run AD integrated DNS when I reboot these servers the
> > > DNS Server does not load the DNS zones - it just starts and then
> > > has a red X in the server name when you check on it. I restart DNS
> > > and it functions correctly loading all zones and the DC can
> > > function. You cannot logon until DNS has been restarted via another
> > > server.
> > > Does anyone have any idea as to what could be causing this? The
> > > event logs do not reveal much at all.
> > > Mark
> > >
> > >
> > >
> > >
> > > List info   : http://www.activedir.org/List.aspx
> > > List FAQ    : http://www.activedir.org/ListFAQ.aspx
> > > List archive:
> > > http://www.mail-archive.com/activedir%40mail.activedir.org/
> > >
> >
> >
> > --
> > "Ambition is a dream with a V8 engine." ~ Elvis Presley


--
"Ambition is a dream with a V8 engine." ~ Elvis Presley