Troubleshooting Error 4521 in the DNS Event Log of a Domain Controller

This article provides information on troubleshooting DNS error 4521 on a Windows Server domain controller.

You may encounter error 4521 (source: Microsoft-Windows-DNS-Server-Service) in the DNS Server event log of a Windows Server domain controller (DC) that is also a DNS server. The text of the error description is similar to the following:

The DNS server encountered error <error_code> attempting to load zone <zone_name> from Active Directory. The DNS server will attempt to load this zone again on the next timeout cycle. This can be caused by high Active Directory load and may be a transient condition.

The error code may vary, and <zone_name> will be the name of an Active Directory-integrated DNS zone hosted on the server that generated the error. The following are a few steps to take when troubleshooting this particular error:

  1. Determine how frequently the error appears in the DNS event log. If it only occurs rarely, it may not indicate a problem but merely a transient condition as stated in the error description. This is especially true if the error only appears during or immediately after a reboot of the DC. Active Directory is often particularly busy immediately after a reboot, especially on a DC that holds one or more FSMO roles, so loading of the zone named in the error may have simply been preempted by other tasks.
  2. If the error occurs fairly frequently and not only around the time of a reboot, check the DNS console to see whether the zone in the error can be viewed and/or modified. If the zone and its contents appear normal and you are able to create and delete a test record within it, the error is still likely not indicative of a serious problem, though it may indicate that a particular DC is overburdened.
  3. Determine whether the zone mentioned in the error is still in use in the environment. If the zone is no longer needed, it is possible that an Active Directory replication issue or improper domain-controller demotion, which may have since been resolved, has left a remnant of the zone in Active Directory. If this is the case, see Deleting the Zone Using ADSI Edit below for instructions on removing the zone from Active Directory.
  4. If the zone mentioned in the error is still in use in the environment and you are not able to access the zone in the DNS console, it may be possible to back up the zone, delete it from Active Directory, and restore it. You can use the dnscmd /zoneexport <zone> <file> command to back up a DNS zone.

    After the zone has been backed up to a file, use the procedure shown below in Deleting the Zone Using ADSI Edit to delete it from Active Directory. You can then use the DNS Manager console to create the zone as a standard primary zone, specifying the existing file during the creation process.

Note: The file must be located in the Windows\System32\dns directory. The zone must be created as a standard primary (non-AD-integrated) zone but can be converted to an AD-integrated zone after creation.
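The frequency check in step 1 can be scripted. The following is an added example, not part of the original article: it counts event 4521 per zone and marks occurrences logged shortly after a boot. The 30-day and 15-minute windows are assumed values, and the message pattern is an assumption based on the error text quoted above.

```powershell
# Added example: how often is event 4521 logged, and how much of it is boot noise?
$days          = 30   # look-back window (assumed value)
$bootWindowMin = 15   # minutes after a boot counted as "around a reboot" (assumed value)
$since         = (Get-Date).AddDays(-$days)

# Event 4521 from the DNS Server log on this DC.
$dnsErrors = @(Get-WinEvent -FilterHashtable @{
    LogName = 'DNS Server'; Id = 4521; StartTime = $since
} -ErrorAction SilentlyContinue)

# Event 6005 (Event Log service started) marks each boot of the server.
$boots = @(Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'EventLog'; Id = 6005
    StartTime = $since.AddMinutes(-$bootWindowMin)
} -ErrorAction SilentlyContinue | ForEach-Object { $_.TimeCreated })

$report = foreach ($e in $dnsErrors) {
    # Pull the error code and zone name out of the event text
    # (pattern assumed from the description quoted in this article).
    $zone = '(unparsed)'; $code = '(unparsed)'
    if ($e.Message -match 'encountered error (\S+) attempting to load zone (\S+) from') {
        $code = $Matches[1]; $zone = $Matches[2]
    }
    # True when the event was logged within the window after any boot.
    $afterBoot = @($boots | Where-Object {
        $delta = ($e.TimeCreated - $_).TotalMinutes
        $delta -ge 0 -and $delta -le $bootWindowMin
    }).Count -gt 0
    [pscustomobject]@{
        Time = $e.TimeCreated; Zone = $zone; ErrorCode = $code; NearBoot = $afterBoot
    }
}

# One row per zone / error code / near-boot combination, most frequent first.
$report | Group-Object Zone, ErrorCode, NearBoot |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Rows with NearBoot set to False and a high count are the ones that warrant steps 2 through 4.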

Deleting the Zone Using ADSI Edit

If you have determined that the zone is no longer in use, it (or what remains of it) can be removed from Active Directory using the ADSI Edit utility. To do this, perform the following steps:

  1. On an affected DC, run adsiedit.msc from an elevated command prompt to open ADSI Edit.
  2. Right-click ADSI Edit in the left pane and select Connect to...
  3. Type a name to identify the connection in the Name field, if desired. This is optional but may simplify things if you wish to reconnect to the same location in the future.
  4. Select the radio button labeled Select or type a Distinguished Name or Naming Context.
  5. If you know which directory partition the zone is stored in, type its distinguished name (DN) in the field provided. For example, the DN of the DomainDnsZones directory partition, which is replicated to every DC in the domain that is also a DNS server, is DC=DomainDnsZones,DC=domain,DC=suffix in an Active Directory domain named domain.suffix. If you are unsure where the zone is stored, it is likely to be in either the DomainDnsZones or ForestDnsZones partition.

  6. Click OK to connect to the specified location in Active Directory.
  7. In the left pane, expand the connection you just created, then expand the DN beneath it. Click MicrosoftDNS. The right pane should show folders corresponding to the zones stored in the specified directory partition. You can view the contents of a zone if you wish by selecting it in the left pane.

  8. If the zone in the error message is present, right-click it and select Delete to remove it from Active Directory. ADSI Edit does not forgive accidental deletions (objects deleted in ADSI Edit will bypass the Active Directory Recycle Bin, for example), so only click Yes to confirm the deletion after making sure you are deleting the correct object.

  9. You may see a second confirmation prompt. Again, click Yes.

  10. Force replication of the change to other domain controllers or wait for it to occur. The zone has now been removed from Active Directory, and error 4521 should not reappear.
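Before the deletion in step 8, it helps to confirm exactly which partition holds the zone object and how many records remain under it. The following read-only query is an added example, not part of the original article. It assumes the ActiveDirectory PowerShell module is installed, uses the placeholder zone name old.example.com, and also checks the legacy CN=System location, which this article does not mention.

```powershell
# Added example: locate a zone object in Active Directory without modifying anything.
Import-Module ActiveDirectory

$zone = 'old.example.com'   # placeholder: use the zone name from the 4521 event
$root = Get-ADRootDSE

# Candidate MicrosoftDNS containers to search.
$bases = @(
    "CN=MicrosoftDNS,DC=DomainDnsZones,$($root.defaultNamingContext)"
    "CN=MicrosoftDNS,DC=ForestDnsZones,$($root.rootDomainNamingContext)"
    "CN=MicrosoftDNS,CN=System,$($root.defaultNamingContext)"   # legacy location (assumption)
)

foreach ($base in $bases) {
    try {
        $found = Get-ADObject -SearchBase $base -SearchScope OneLevel `
            -LDAPFilter "(&(objectClass=dnsZone)(name=$zone))" `
            -Properties whenCreated, whenChanged -ErrorAction Stop
    } catch {
        # The container may not exist on this DC or may be unreadable.
        Write-Warning "Could not search ${base}: $($_.Exception.Message)"
        continue
    }
    foreach ($z in $found) {
        # Count the dnsNode children to see whether this is an empty remnant
        # or a populated zone.
        $records = @(Get-ADObject -SearchBase $z.DistinguishedName -SearchScope OneLevel `
            -LDAPFilter '(objectClass=dnsNode)')
        [pscustomobject]@{
            DistinguishedName = $z.DistinguishedName
            Created           = $z.whenCreated
            Changed           = $z.whenChanged
            RecordCount       = $records.Count
        }
    }
}
```

The DistinguishedName in the output is the object to select in ADSI Edit; a match in more than one partition means the zone exists in duplicate and each copy should be reviewed separately.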

In the event that the error description shows code 9002 and that the affected zone is the root (.) zone, please refer to the following site for instructions for resolving the issue: How to Correct DNS Event ID 9002

Quick Tips content is self-published by the Dell Support Professionals who resolve issues daily. In order to achieve a speedy publication, Quick Tips may represent only partial solutions or work-arounds that are still in development or pending further proof of successfully resolving an issue. As such Quick Tips have not been reviewed, validated or approved by Dell and should be used with appropriate caution. Dell shall not be liable for any loss, including but not limited to loss of data, loss of profit or loss of revenue, which customers may incur by following any procedure or advice set out in the Quick Tips.

Article ID: SLN291033

Last Date Modified: 10/26/2015 08:55 AM
