f5 25 00 00    0x000025f5 = 9717 (DNS_ERROR_DS_UNAVAILABLE)         The directory service is unavailable.
2d 23 00 00    0x0000232d = 9005 (DNS_ERROR_RCODE_REFUSED)          DNS operation refused.
2a 23 00 00    0x0000232a = 9002 (DNS_ERROR_RCODE_SERVER_FAILURE)   DNS server failure.
Example customer scenarios
Domain controllers whose copy of Active Directory contains references to other domain controllers in the forest try to inbound replicate all locally held directory partitions during Windows startup as part of an initial synchronization or "init sync."
In an attempt to boot with the latest DNS zone contents, Microsoft DNS servers hosting AD-integrated copies of DNS zones delay DNS service startup for some number of minutes after Windows startup unless Active Directory has completed its initial synchronization. Meanwhile, Active Directory cannot inbound replicate a directory partition until it resolves the source domain controller's DSA GUID CNAME record (<DSA objectGUID>._msdcs.<forest root DNS name>) to an IP address on the DNS servers that the destination domain controller uses for name resolution. When the destination domain controller points to itself, or to another domain controller that is also restarting, for name resolution, the two services wait on each other and Windows startup hangs at "Preparing network connections". The duration of that hang depends on the number of locally held directory partitions in the domain controller's copy of Active Directory. Most domain controllers hold at least five partitions (schema, configuration, domain, forest-wide DNS application partition, domain-wide DNS application partition) and can experience a 15-20 minute startup delay. Each additional partition increases the startup delay.
DNS Event ID 4013 in the DNS event log indicates that DNS service startup was delayed because inbound replication of Active Directory partitions had not yet occurred.
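The dependency described above can be checked directly: for a given destination domain controller, resolve every other domain controller's DSA GUID CNAME on the DNS servers that destination actually uses, and then look for 4013 events in its DNS Server log. The script below is an added example and is not part of KB 2001093; it assumes the RSAT ActiveDirectory and DnsClient modules are installed, that it runs in a domain-joined session with rights to read the NTDS Settings objects, and that 'DC01' is a placeholder for a real domain controller name.

```powershell
# Added example, not from KB 2001093. For one destination DC, check that the
# DSA GUID CNAME of every DC in the forest resolves on the DNS servers that
# destination DC is configured to use, then list recent DNS 4013 events there.
Import-Module ActiveDirectory
Import-Module DnsClient

function Test-DcCnameResolution {
    param(
        # Destination DC whose DNS client settings are examined (default: this host)
        [string]$DestinationDc = $env:COMPUTERNAME
    )
    $forest     = Get-ADForest
    $forestRoot = $forest.RootDomain

    # DNS servers the destination DC points to (IPv4, all interfaces, de-duplicated)
    $dnsServers = Get-DnsClientServerAddress -CimSession $DestinationDc -AddressFamily IPv4 |
                  ForEach-Object { $_.ServerAddresses } | Select-Object -Unique

    foreach ($domain in $forest.Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            # The record AD must resolve before it can inbound replicate from $dc:
            #   <DSA objectGUID>._msdcs.<forest root>  CNAME  <dc host name>
            $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Server $domain `
                            -Properties objectGUID).objectGUID
            $cname = "$dsaGuid._msdcs.$forestRoot"

            foreach ($server in $dnsServers) {
                try {
                    $rr = Resolve-DnsName -Name $cname -Type CNAME -Server $server -DnsOnly -ErrorAction Stop |
                          Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
                    # Second hop: the CNAME target must itself have a host (A) record
                    $a  = Resolve-DnsName -Name $rr.NameHost -Type A -Server $server -DnsOnly -ErrorAction Stop |
                          Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
                    $status = 'OK'; $target = $rr.NameHost; $address = $a.IPAddress
                } catch {
                    $status = $_.Exception.Message; $target = $null; $address = $null
                }
                [pscustomobject]@{
                    SourceDc  = $dc.HostName
                    DnsServer = $server
                    Cname     = $cname
                    Target    = $target
                    Address   = $address
                    Status    = $status
                }
            }
        }
    }
}

function Get-Dns4013Event {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 30)
    # Event 4013 in the 'DNS Server' log: DNS service start was delayed waiting for AD init sync
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'DNS Server'; Id = 4013; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, MachineName, Message
}

# Usage ('DC01' is a placeholder): every non-OK row is a name AD would block on at startup
Test-DcCnameResolution -DestinationDc 'DC01' | Where-Object Status -ne 'OK' | Format-Table -AutoSize
Get-Dns4013Event -ComputerName 'DC01'
```

Run it against the destination domain controller that is logging 4013 rather than against the source: the question is not whether the records exist somewhere, but whether they resolve on the DNS servers that specific machine is configured to use while it is booting.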
There are multiple conditions that can exacerbate slow Windows startup and the logging of the DNS 4013 event on Microsoft DNS servers configured to host Active Directory integrated zones (which implicitly reside on computers acting as domain controllers). These include the following:
In Windows Server 2003 and in Windows 2000 Server SP3 or later, a domain controller that holds an operations master (FSMO) role must also successfully inbound replicate the directory partition that maintains that role's state before any FSMO-dependent operation can be performed. These initial synchronizations were added so that domain controllers agree on FSMO role ownership and role state. The initial sync required for FSMO roles to become operational is distinct from the initial sync discussed in this article, which Active Directory must complete before the DNS Server service will start without delay.
Some Microsoft and external content has recommended setting the registry value Repl Perform Initial Synchronizations to 0 in order to bypass the initial synchronization requirement in Active Directory. The registry subkey and value are as follows:
Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Value name: Repl Perform Initial Synchronizations
Value type: REG_DWORD
Value data: 0
This configuration change is not recommended for production environments or for ongoing use in any environment. Use Repl Perform Initial Synchronizations only in critical situations to resolve a temporary, specific problem, and restore the default setting (remove the value, or set it to 1) once that problem is resolved.
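Because the override is meant to be temporary, it is worth wrapping the change and its reversal together so the restore step is not forgotten. The functions below are an added example, not part of KB 2001093; they assume an elevated PowerShell session on the domain controller itself and that the value is read when the directory service next starts, so a restart is still needed for either direction to take effect.

```powershell
# Added example, not from KB 2001093. Read, set and, above all, remove the
# emergency override. Run elevated on the affected domain controller.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName  = 'Repl Perform Initial Synchronizations'

function Get-ReplInitialSyncSetting {
    # Absent value means default behaviour: initial sync is enforced at startup
    $props = Get-ItemProperty -Path $NtdsParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $props) { 'not set (default: initial sync enforced)' }
    else { $props.$ValueName }
}

function Disable-ReplInitialSync {
    # Emergency use only: the DC no longer waits for inbound replication at startup.
    # Supports -WhatIf so the change can be previewed before it is written.
    [CmdletBinding(SupportsShouldProcess)] param()
    if ($PSCmdlet.ShouldProcess("$NtdsParams\$ValueName", 'set to 0 (bypass initial sync)')) {
        Set-ItemProperty -Path $NtdsParams -Name $ValueName -Value 0 -Type DWord
        Write-Warning "Initial synchronization bypass enabled on $env:COMPUTERNAME. Run Restore-ReplInitialSync once the underlying problem is fixed."
    }
}

function Restore-ReplInitialSync {
    # Removing the value returns the DC to the default (initial sync enforced)
    if (Get-ItemProperty -Path $NtdsParams -Name $ValueName -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $NtdsParams -Name $ValueName
    }
    Get-ReplInitialSyncSetting
}

# Usage during an incident, then after it:
#   Disable-ReplInitialSync -WhatIf   # preview
#   Disable-ReplInitialSync           # apply, then restart the DC
#   Restore-ReplInitialSync           # once DNS/replication is healthy again, then restart
Get-ReplInitialSyncSetting
```

Auditing `Get-ReplInitialSyncSetting` across all domain controllers after any incident is the cheap way to find a bypass that was left behind.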
Viable alternatives include:
Missing, duplicate, or stale records, in particular the DSA GUID CNAME records and the domain controller host (A) records they point to, all contribute to this problem. Scavenging is not enabled on Microsoft DNS servers by default, which increases the likelihood of stale host records. At the same time, DNS scavenging can be configured too aggressively, causing valid records to be purged prematurely from DNS zones.
Install enough DNS servers for local, regional, and enterprise-wide redundancy and performance, but not so many that management becomes a burden. DNS is typically a lightweight operation that is heavily cached by both DNS clients and DNS servers.
Each Microsoft DNS server running on modern hardware can satisfy 10,000-20,000 clients per server. Installing the DNS role on every domain controller can lead to an excessive number of DNS servers in your enterprise that can increase cost.
If Windows Update or management software installs software that requires reboots, stagger the installs on the targeted domain controllers so that at most half of the DNS servers that domain controllers point to for name resolution are rebooting at any one time. The other half remains available to resolve the DSA GUID CNAME records that the restarting domain controllers need before they can inbound replicate.
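For the scavenging point above, the two settings that matter are the no-refresh and refresh intervals: a record becomes eligible for deletion once its timestamp plus both intervals is in the past, so intervals shorter than the clients' re-registration period (Windows DNS clients refresh every 24 hours by default) purge records of hosts that were merely off for a few days. The script below is an added example, not part of KB 2001093; it enables aging with conservative seven-day intervals and lists which dynamic records those intervals would make eligible, flagging domain controller records so they can be investigated before scavenging ever deletes one. It assumes the DnsServer and ActiveDirectory modules, and 'contoso.com' and 'dns01' are placeholders for a real zone and the one DNS server that should perform scavenging.

```powershell
# Added example, not from KB 2001093. Conservative aging/scavenging plus a
# preview of what those intervals would delete. Zone and server are placeholders.
Import-Module DnsServer
Import-Module ActiveDirectory

$Zone      = 'contoso.com'             # placeholder
$DnsServer = 'dns01'                   # placeholder: the only server that scavenges
$NoRefresh = [timespan]'7.00:00:00'    # client may not refresh the timestamp during this window
$Refresh   = [timespan]'7.00:00:00'    # client must refresh within this window to stay alive

function Enable-ConservativeScavenging {
    # Server-wide: scavenging runs every 7 days on $DnsServer only.
    # Too aggressive would be e.g. 1.00:00:00 for both intervals: a laptop off
    # for a long weekend would lose its record and have to re-register.
    Set-DnsServerScavenging -ComputerName $DnsServer -ScavengingState $true `
        -ScavengingInterval ([timespan]'7.00:00:00') `
        -NoRefreshInterval $NoRefresh -RefreshInterval $Refresh
    # Zone-level aging with the same intervals
    Set-DnsServerZoneAging -ComputerName $DnsServer -Name $Zone -Aging $true `
        -NoRefreshInterval $NoRefresh -RefreshInterval $Refresh
}

function Get-ScavengingCandidate {
    # A dynamic A record is eligible once Timestamp + NoRefresh + Refresh < now.
    # Static records carry no timestamp and are never scavenged.
    $cutoff  = (Get-Date) - $NoRefresh - $Refresh
    $dcNames = (Get-ADDomainController -Filter *).Name | ForEach-Object { $_.ToLower() }
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -RRType A |
        Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                HostName   = $_.HostName
                Address    = $_.RecordData.IPv4Address.IPAddressToString
                Timestamp  = $_.Timestamp
                # A DC record showing up here means a DC has stopped re-registering:
                # fix that before scavenging runs, since AD startup depends on it
                IsDcRecord = $dcNames -contains $_.HostName.ToLower()
            }
        }
}

Enable-ConservativeScavenging
Get-ScavengingCandidate | Sort-Object IsDcRecord -Descending | Format-Table -AutoSize
```

Review the candidate list on the first scavenging cycle in particular: enabling aging on a zone that has never had it stamps existing dynamic records with the current time, so anything eligible on day one was stale before scavenging was ever turned on.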
Article ID: 2001093 - Last Review: 06/21/2014 14:01:00 - Revision: 39.0