Knowledge Base

Active Directory-integrated domain name is not displayed in DNS snap-in with Event ID 4000 and 4013 messages

Article ID: 316685

Article Last Modified on 3/12/2007

APPLIES TO

Microsoft Windows 2000 Service Pack 1
Microsoft Windows 2000 Service Pack 2

This article was previously published under Q316685

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry

SYMPTOMS

You may experience the following symptoms:

If you log on to an Active Directory-integrated domain controller, the logon process may be very slow.
After you start the DNS snap-in, the domain name may not be displayed under Forward Lookup Zone.
After you restart the server, only administrators may be able to gain access to the server.

In addition to these symptoms, the following event ID messages may be logged in the DNS event log:

Event ID 4000
Description: The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.

-and-

Event ID 4013
The DNS server was unable to open the Active Directory. This DNS server is configured to use directory service information and cannot operate without access to the directory. The DNS server will wait for the directory to start. If the DNS server is started but the appropriate event has not been logged, then the DNS server is still waiting for the directory to start.

Furthermore, if you try to add an Active Directory-integrated zone to DNS, you may receive the following error message:

DNS The zone cannot be created. The Active Directory service is not available.

When you try to force Active Directory replication by using Active Directory Sites and Services, you receive the following error message:

The following error occurred during the attempt to synchronize naming context NC DN from domain controller DC1 to domain controller DC2: Access is denied. The operation will not continue

CAUSE

This problem can occur if all of the following conditions are true:

The Security log has reached the maximum log size that you specify.
You set either of the following settings in the Security log:
- Overwrite events older than xx days (where xx is the number of days that you specify)
  
  -or-
- Do not overwrite events
You set the Shut down system immediately if unable to log security audits Group Policy setting.
You enable security auditing.

RESOLUTION

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
To resolve this issue:

Start Registry Editor (Regedt.32.exe).
Locate and click the following registry key for the domain controller:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail
If the registry data type for CrashOnAuditFail is set to REG_NONE and the data value is set to 2, change the data type to REG_DWORD, and then set the data value to 0.

This step provides a temporary solution until you disable the Group Policy setting.
Disable the following Group Policy setting on either the default domain or the domain controller organizational unit:

Computer Configuration\Windows Settings\Security Settings\local Policies\Security Options\Shut down your system immediately if unable to log security audits

This policy can be found on the default domain policy, default domain controller policy, and local security policy.

NOTE: Even if you disable this policy setting, make the registry change that is described in step 2.
Disable security auditing.

If you cannot disable security auditing, archive the Security log and clear the log.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

If you set the Shut down system immediately if unable to log security audits Group Policy setting, the CrashOnAuditFail registry value is automatically set to 1. However, if you shut down the server and then restart it, the CrashOnAuditFail registry data type is set to REG_NONE and the data value is set to 2. If you change the CrashOnAuditFail data type to REG_DWORD and set the data value to 0, the DNS snap-in can gain access to the Active Directory-integrated DNS. If you set the CrashOnAuditFail data value to 0 (disable), after you reapply the Group Policy setting, the data value is set to 1 again.

Even if you set the Security log size to 4 gigabytes (GB), the symptoms that are described in the "Summary" section of this article can occur if the Security log size reaches 200 to 300 megabytes (MB).

For more information about the problem that is described in this article, click the following article numbers to view the articles in the Microsoft Knowledge Base:

232564 STOP 0xC0000244 when security log full

140058 How to prevent auditable activities when security log is full

178208 CrashOnAuditFail with Logon/Logoff auditing causes blue screen

149393 CrashOnAuditFail activates on shutdown with ProcessTracking

160783 Error message: Users cannot log on to a workstation

312571 The event log stops logging events before reaching the maximum log size

Additional query words: missing disappear zone loaded

Keywords: kbenv kberrmsg kbprb KB316685

Microsoft KB Archive/316685

Contents