Internal names resolve but external DNS names won’t resolve. The following error will also appear in the event log.

Event Type: Error
Source: DNS
Event ID: 4004
Description: The DNS server was unable to complete directory service enumeration of zone <domain.com>. This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of the zone.

More information:
The DNS Server service uses Active Directory to store DNS data, and it encountered a Lightweight Directory Access Protocol (LDAP) error while querying the directory. This error could be caused by either a high load on the domain controller or the failure of other domain controller services.


*** Resolution ***

1. DNS is listening on both the LAN and RRAS adapters. Configure DNS to listen only on the LAN adapter and then delete all records in forward lookup zone that reference the RRAS adapter address.

2. The DNS server may have a forward lookup zone called _msdcs.<forest_root_domain>
AND a subfolder under the <forest_root_domain> forward lookup zone call _msdcs. Remove the
_msdcs.<forest_root_domain>subfolder and then restart the DNS Server and Netlogon service. Also run ipconfig /flushdns and ipconfig /registerdns.

If you find a missing _msdcs delegation under <forest_root_domain> zone , create a new delegation by performing the following:

Right click on <forest_root_domain> zone, select new, then delegation, click next on the wizard, under delegated domain, type in _msdcs and click next, clck add and browse to the server's A record under forward lookup zones, domain.local, click ok and finish.

For Windows 2000 DNS, the separate zone for the _msdcs folder and delegation to it from the main forward lookup zone doesn’t exist. The _msdcs folder for Windows 2000 DNS servers will exist under the main forward lookup zone along with the _sites, _tcp and _udp SRV records. If there is a combination of the Windows 2000 and Windows 2003 DNS configuration, related to the _msdcs folder, then you must decide which is appropriate.

3. When a domain controller is demoted, the registry may still contain the Active Directory integrated zone names. This results in the server trying to load the zones. Since there is no Directory Service running, it causes the server to log the event id 4004 error.

To prevent the errors remove the old zones from the following registry location.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones

4. Make sure the Administrators and Enterprise Domain Controllers groups are added to the
“Enable Computer and User Accounts to be Trusted for Delegation" & “Access this computer from the network” right. The following steps will allow you to add these groups to the appropriate user rights assignement.

a) Open Domain Controller Security Policy.
b) In the console tree, click User Rights Assignment under:
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment
c) In the details pane, double-click the user right that you want to assign.
d) Click Add User or Group. If the button appears dimmed, select the Define these
policy settings check box.
e) Type the name of the group to which you want to assign this right.

5. Change the zone type for each of the AD integrated zones to a standard primary zone in the DNS manager console