DNS server event log messages can't load

I'm running a new domain controller with a DNS server on it. The event log entries for the "Microsoft-Windows-DNS-Server-Service" all fail to load. I look at the "DNS Events" item in the "Global Logs" section of the DNS server in the DNS manager tool and every entry there has the generic "cannot be found" message.

How can I repair the event log messages for the Microsoft-Windows-DNS-Server-Service?



Event Type:    Information
Event Source:    Microsoft-Windows-DNS-Server-Service
Event Category:    None
Event ID:    4
Date:        9/21/2014
Time:        15:02:03
User:        NT AUTHORITY\SYSTEM
Computer:    server.domain.corp
Description:
The description for Event ID ( 4 ) in Source ( Microsoft-Windows-DNS-Server-Service ) cannot be found. Either the component that raises this event is not installed on your local computer, or the installation is corrupted. You can install or repair the component on the local computer, or contact the component manufacturer for a newer version.

If the event was saved from another computer or forwarded from a remote computer, you might have to include display information with the events when saving them or when setting up the forwarding s .



September 27th, 2014 5:52pm

Start with dcdiag first. Share your findings here.

Rgds

Milos

September 28th, 2014 7:27pm


As far as I know, dcdiag lets us know if the domain controller is correctly configured. The problem I'm having is with the event viewer; it's not finding the localized resource strings for the DNS server, and therefore can't format them for display. I've provided the output from DCDIAG on my server below, but I'd appreciate it if you could help me understand what it is you think DCDIAG would detect that would reveal a problem with the installation of (or location of) the resource strings. Can you explain your reasoning?



C:\>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = burst
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\BURST
      Starting test: Connectivity
         ......................... BURST passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\BURST
      Starting test: Advertising
         ......................... BURST passed test Advertising
      Starting test: FrsEvent
         ......................... BURST passed test FrsEvent
      Starting test: DFSREvent
         ......................... BURST passed test DFSREvent
      Starting test: SysVolCheck
         ......................... BURST passed test SysVolCheck
      Starting test: KccEvent
         ......................... BURST passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... BURST passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... BURST passed test MachineAccount
      Starting test: NCSecDesc
         ......................... BURST passed test NCSecDesc
      Starting test: NetLogons
         ......................... BURST passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... BURST passed test ObjectsReplicated
      Starting test: Replications
         ......................... BURST passed test Replications
      Starting test: RidManager
         ......................... BURST passed test RidManager
      Starting test: Services
         ......................... BURST passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x80000109
            Time Generated: 09/28/2014   14:02:25
            Event String: A pointer device did not report a valid unit of angular measurement.
         A warning event occurred.  EventID: 0x80000101
            Time Generated: 09/28/2014   14:02:25
            Event String: A pointer device reported a bad angular physical range.
         A warning event occurred.  EventID: 0x80000102
            Time Generated: 09/28/2014   14:02:25
            Event String: A pointer device reported a bad angular logical range.
         A warning event occurred.  EventID: 0x80000109
            Time Generated: 09/28/2014   14:02:25
            Event String: A pointer device did not report a valid unit of angular measurement.
         A warning event occurred.  EventID: 0x80000101
            Time Generated: 09/28/2014   14:02:25
            Event String: A pointer device reported a bad angular physical range.
         A warning event occurred.  EventID: 0x80000102
            Time Generated: 09/28/2014   14:02:25
            Event String: A pointer device reported a bad angular logical range.
         ......................... BURST passed test SystemLog
      Starting test: VerifyReferences
         ......................... BURST passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : prozac
      Starting test: CheckSDRefDom
         ......................... prozac passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... prozac passed test CrossRefValidation

   Running enterprise tests on : prozac.corp
      Starting test: LocatorCheck
         ......................... prozac.corp passed test LocatorCheck
      Starting test: Intersite
         ......................... prozac.corp passed test Intersite
September 28th, 2014 9:12pm

Hi Mike,

Have you tried to use sfc to fix this issue?

sfc /scannow

Besides, Event ID 4 is a DNS Server Service Status event, which means that the DNS server has finished the background loading of zones.

For detailed information, please refer to the link below,

http://technet.microsoft.com/en-us/library/dd349715(v=WS.10).aspx

Best R

October 7th, 2014 4:03pm

Thanks for the suggestion, Steven.  Unfortunately, sfc is no help; it says the system is clean. The output is below.  I'm convinced this is a bug in the OS -- or at least, in its setup. The two domain controllers I built last month both exhibit the problem.

C:\Users\Administrator.DOMAIN> sfc  /verifyonly

Beginning system scan.  This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection did not find any integrity violations.

October 7th, 2014 10:09pm

Hi Mike,

What version of the OS is installed on your server? Do all DNS server events have this error, or just this one?

Based on my research, when an application uses the RegisterEventSource or OpenEventLog function to get a handle to an event log, the event logging service searches for the specified event source in the registry.

The registry for DNS is at

  1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\DNS Server\DNS
  2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System\Dnsapi
  3. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System\Dnscache

In my lab server (Windows Server 2008 R2),

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\DNS Server\DNS\EventMessageFile is %SystemRoot%\System32\dns.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System\Dnsapi\EventMessageFile is %Systemroot%\system32\netevent.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System\Dnsapi\ParameterMessageFile is %Systemroot%\system32\kernel32.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System\Dnscache\EventMessageFile is %Systemroot%\system32\netevent.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System\Dnscache\ParameterMessageFile is %Systemroot%\system32\kernel32.dll

The type of all of these registry values is REG_EXPAND_SZ.

For detailed information, please refer to the link below,

http://msdn.microsoft.com/en-us/library/windows/desktop/aa363661(v=vs.85).aspx

Best Regards.

October 8th, 2014 9:20am
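
Added example, not part of any post in this thread: a PowerShell check of the classic event-source registrations listed in the reply above, confirming that each EventMessageFile and ParameterMessageFile value has the REG_EXPAND_SZ type the reply reports and points at a file that is present. The function name `Test-EventMessageFile` and the report columns are assumptions made for illustration.

```powershell
# Added example (not from the thread). Key paths and value names come from the
# reply above; Test-EventMessageFile and its output columns are hypothetical.
$root       = 'HKLM:\SYSTEM\CurrentControlSet\services\eventlog'
$sources    = 'DNS Server\DNS', 'System\Dnsapi', 'System\Dnscache'
$valueNames = 'EventMessageFile', 'ParameterMessageFile'

function Test-EventMessageFile {
    param(
        [Parameter(Mandatory)][string]$KeyPath,
        [Parameter(Mandatory)][string]$ValueName
    )

    $row = [ordered]@{ Key = $KeyPath; Value = $ValueName; Kind = $null; File = $null; Status = $null }

    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $key) {
        $row.Status = 'KeyMissing'
        return [pscustomobject]$row
    }
    if ($key.GetValueNames() -notcontains $ValueName) {
        # ParameterMessageFile is optional, so an absent value is reported, not failed.
        $row.Status = 'NotSet'
        return [pscustomobject]$row
    }

    $row.Kind = $key.GetValueKind($ValueName)
    # Read the stored string without expansion so %SystemRoot% is visible as written.
    $raw = $key.GetValue($ValueName, $null,
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)

    # A message-file value may hold several paths separated by semicolons.
    foreach ($entry in ("$raw" -split ';')) {
        if (-not $entry.Trim()) { continue }
        $file = [Environment]::ExpandEnvironmentVariables($entry.Trim())
        $row.File   = $file
        $row.Status = if (Test-Path -LiteralPath $file -PathType Leaf) { 'OK' } else { 'FileMissing' }
        [pscustomobject]$row
    }
}

$report = foreach ($source in $sources) {
    foreach ($name in $valueNames) {
        Test-EventMessageFile -KeyPath (Join-Path $root $source) -ValueName $name
    }
}

$report | Format-Table -AutoSize

# Rows worth a closer look: missing key, missing file, or a value type other
# than the REG_EXPAND_SZ reported in the reply.
$report | Where-Object {
    $_.Status -in 'KeyMissing', 'FileMissing' -or ($_.Kind -and $_.Kind -ne 'ExpandString')
}
```

Run it from an elevated 64-bit PowerShell session on the DNS server so that System32 paths are not redirected.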

I'm using Windows 2012 R2 64-bit.  Standard Edition.

All of the messages for the DNS service have this problem. I haven't noticed problems with other services. All messages for the DNS service are not loadable.

I built two new machines on new hardware and replaced two old Windows 2008 machines for my domain controllers. After the upgrade, I demoted and removed the old Windows 2008 machines. Both of the Windows 2012 machines where this problem exists are very new, fresh installs. 

I'm familiar with how the APIs work. (I'm more of a developer than a sysadmin.) Registering the message DLLs can be pretty tricky, and can disrupt other message resource DLLs (if they're in common for multiple services). It seems remarkable that a clean install of Windows has a problem reading its own resource strings for event log messages; and more remarkable that both machines have the same problem.

October 11th, 2014 2:16am

Hi Mike,

I'm facing the same problem. I also had some DNS problem with a domain-attached RemoteDesktopServer, but I'm not sure if it has anything to do with it or not. I found out that this DNS error log event happened after installing Windows update KB2975719.
I will try to test and see what happens if I uninstall this update and come back to you.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/93b685b9-2dc6-40ed-8f2f-845808943386/windows-server-2012-r2-dc-hyperv-guest-os-dns-error-event-id-4013-in-log-after-installing?forum=winserver8gen

Kind regards,

Steven

October 15th, 2014 4:52pm

Thanks, Steven!  Both of the machines where I have this problem have KB2975719 installed.  That's not conclusive, but it's not exclusive, either ...
October 16th, 2014 1:59pm

The same happened to me after installing KB2975719. Can't read logs directly from the DNS console or from the windows backup console, therefore I must use the event log viewer in order to read logs from the services.
October 20th, 2014 7:27am

Mike, 

  I am seeing what I think is the same issue on two newly built 2012 R2 DC/DNS servers. 

  Events viewed from within the "DNS Manager" application can't be parsed and return the "The description for Event ID ..." message.  However, if I view the same events in either Eventvwr or "Server Manager", they are parsed and formatted correctly.

  This leads me to believe my systems are healthy but that "DNS Manager" has a bug.  Hopefully, someone @ MS will look into this and issue a patch/hotfix.

December 4th, 2014 11:54pm

We are experiencing this error on all 6 Domain controllers in one of our Domains that are 1) Running 2012R2 (all of them) and 2) have been updated with KB2975719 (6 of 9).  The three that do not have this update applied (albeit, it might not be this specific update causing the problem ... just following the other posts in this thread and also looking at our systems with problems) do not have this issue.

I don't understand the interest in dcdiag when this is obviously not related to replication.  It is saying "I cannot find the descriptors for this particular event id" - which, in our case, is EVERY SINGLE EVENT that is logged, regardless of its classification (e.g. error, warning, info, etc.)

In fact, out of the thousands of logs on each server, less than 1% have the "Error" classification.  In addition, we very regularly monitor replication with dcdiag, Microsoft Orchestrator Runbooks and the MS AD Replication Monitor tool (which is awesome!).  At any rate, we have not found a solution yet and have run sfc with no error.

Thanks a lot for any help in advance.

Best,

Zac

December 6th, 2014 2:34am

I can confirm. And here is a little more information.

I have recently upgraded 15 remote Server 2012 AD Controllers to Server 2012 R2.

Upgrades were in-place

I noticed this problem around upgrade number 10.  The log in the DNS Manager mmc was not displaying the events correctly.

The DNS log in the Event View / Server Manager was displaying events correctly....And I might add, flooding the event log with ID 769 DNS errors.

The problem DID NOT begin to occur until after I applied Updates using SCCM.

On the last five upgrades, before the 2012 R2 updates were applied.  I was able to confirm that DNS Manager log was displaying events correctly.

Let me reiterate.  My issue did not start until after I applied updates to the cleanly in-place upgraded 2012 R2 servers.

The updates applied were those listed below.

I have to assume that one of those is the culprit. I have not narrowed it down to which one, yet here is the list.  Maybe someone will figure it out.

KB2975719
KB2920189
KB2918614
KB2956575
KB2998174
KB2957189
KB2973201
KB2967917
KB2979576
KB2959626
KB2928120
KB2976897
KB2993651
KB2998527
KB2976627
KB2975719
KB3000988
KB2988948
KB3000061
KB2919355
KB2939087
KB2920189
KB3000869
KB2987107
KB2973351
KB2955164
KB2977765
KB2995388
KB2938066
KB2978668
KB2896496
KB2926765
KB2962409
KB2954879
KB2984006
KB2961072
KB2964718
KB2950153
KB2989542
KB2917500
KB2977292
KB2958262
KB2978041
KB2894856



December 20th, 2014 6:31pm

I can reproduce this problem at will.

Server 2012r2 all updates installed as of today.

When viewing DNS events in the Event Viewer below "DNS" in the DNS Snap In, all messages show the condition:

  • The description for Event ID ( nnnn ) in Source (Microsoft-Windows-DNS-Server-Service ) cannot be found.  Where nnnn varies by the event being reported.

to wit:

Event Type: Information
Event Source: Microsoft-Windows-DNS-Server-Service
Event Category: None
Event ID: 769
Date:  12/23/2014
Time:  1:46:49 PM
User:  NT AUTHORITY\SYSTEM
Computer: ComputerName
Description:
The description for Event ID ( 769 ) in Source ( Microsoft-Windows-DNS-Server-Service ) cannot be found. Either the component that raises this event is not installed on your local computer, or the installation is corrupted. You can install or repair the component on the local computer, or contact the component manufacturer for a newer version.

If the event was saved from another computer or forwarded from a remote computer, you might have to include display information with the events when saving them or when setting up the forwarding s TrustAnchors, TrustAnchors.dns, ComputerName

When viewing in the Computer Management SnapIn

/System Tools  /Event Viewer  /Applications and Services Logs /DNS Server

the correct description shows up.

As follows:

Log Name:      DNS Server
Source:        Microsoft-Windows-DNS-Server-Service
Date:          12/23/2014 1:46:49 PM
Event ID:      769
Task Category: None
Level:         Information
Keywords:      (16)
User:          SYSTEM
Computer:     ComputerName
Description:
The DNS server has loaded the zone TrustAnchors from file TrustAnchors.dns on server ComputerName

Case opened at MSFT this looks to be a bug.

WORKAROUND

View the DNS EV Log in the Computer Mgmt Console, instead of the DNS Console.


December 23rd, 2014 10:25pm

That work-around did not work for me.

I have the same issue no matter which viewer I choose.

January 8th, 2015 4:38pm

I have the same problem. I cannot view the events in mmc or in the DNS manager. I can, however, view them in the good ole fashion event viewer. Admin tools/event viewer/ applications and services logs/ dns server. For some reason it has no problem loading the DNS events there.
January 9th, 2015 4:47pm

Seeing same thing here. Have to use Event viewer. Hopefully hotfix to fix the problem soon.
February 8th, 2015 12:23pm

Don't Install the KBs: KB2975719 and/or KB2995388

#This kb generates the corruption of the base dns console logs
PS C:\Users\Administrator> wmic qfe list | findstr "KB2995388"
http://support.microsoft.com/?kbid=2995388  SN1-SNT04-DC-01  Update  KB2995388               DomainLocal\Administrator  3/5/2015

##########
The description for Event ID ( 4013 ) in Source ( DNS ) cannot be found. Either the component that raises this event is not installed on your local computer, or the installation is corrupted. You can install or repair the component on the local computer, or contact the component manufacturer for a newer version.

If the event was saved from another computer or forwarded from a remote computer, you might have to include display information with the events when saving them or when setting up the forwarding s .
###########
The description for Event ID ( 2 ) in Source ( DNS ) cannot be found. Either the component that raises this event is not installed on your local computer, or the installation is corrupted. You can install or repair the component on the local computer, or contact the component manufacturer for a newer version.

If the event was saved from another computer or forwarded from a remote computer, you might have to include display information with the events when saving them or when setting up the forwarding s .
###########
The description for Event ID ( 4 ) in Source ( DNS ) cannot be found. Either the component that raises this event is not installed on your local computer, or the installation is corrupted. You can install or repair the component on the local computer, or contact the component manufacturer for a newer version.

If the event was saved from another computer or forwarded from a remote computer, you might have to include display information with the events when saving them or when setting up the forwarding s .

OS: Windows Server 2012 R2 Std

Platform Virtualization:Vmware Esxi 5.5 CU2



March 5th, 2015 6:14pm

Same thing here on both a physical and a virtual Server 2012 R2, freshly set up as DC with DNS and fully patched.
March 12th, 2015 9:36pm

Running into this too on a friend's server 2012 R2...

So, what is the fix? Will uninstalling KB2975719 and/or KB2995388 resolve the problem?

I'm surprised this is still a problem after ... what ... 5 months now?

March 16th, 2015 12:11pm

Same thing here, JCimarex.  Funny you mentioned SCCM because that didn't cross my mind until you mentioned it.  That's how, via WSUS, our updates are pushed.  The only fix (scratch that, preventive measure) is to wait until this is acknowledged by Microsoft and, until then, not to apply any updates that may cause this issue.  We have determined the most likely culprit to be KB2975719.  That was through using WSUS reporting to create reports on the updates applied to servers which were and were not experiencing the problem.  In separate, mutually trusted forests, we have another 43 DC's - all of which run the DNS Server role (obviously).  Out of those, and the 9 other ones (52 total that we have investigated), the one commonality is KB2975719.  That isn't to say that is the actual culprit, but we have declined these updates until a fix is released for this issue.

I am going to be getting in touch with enterprise support this week regarding this and a few other issues we have seen with recent updates (including hangs at startup with "Please wait for the XXX service" - typically XXX is Desktop Service or Local Session Manager).  Again only recently updated servers have this problem (and the boot problem is not limited to domain controllers).

So, the main advice I can give to hopefully help someone out is to fully vet the KB articles on all updates that you approve for installation on several factors. 

1) Is it critical for security and does it even apply to our environment? If so, we typically approve it (again, critical meaning truly critical - not a "this might happen in rare circumstances" type of thing). 

2) If it isn't critical, does it fix some other issue we are having?  If so then we look at possible side-effects of the update and, if ( benefit > risk ) install the update. 

3)  If it is a generic "This update fixes issues with Windows" type of thing, barring no additional information available, we decline it until further notice.

4) All other, low importance updates are declined.

Again, this is just our current work around, and I'm only referring to installing updates on servers that are critical in our environment. The biggest saving grace for us is, on virtual machines, to take a full (e.g. including RAM) snapshot while it is running IMMEDIATELY prior to installing the updates.  Then, thoroughly check it out after the updates have completed.  If there is a major problem, try to identify the problem quickly (we just export all the logs to a network share for offline viewing) and revert as soon as possible to the running state snapshot.  Then, unselect the updates which may have caused the problems and take another snapshot and repeat.  Don't get into an infinite-loop, though! :)

I mention doing the process quickly particularly for Domain Controllers.  While new versions of Server 2012 and R2 handle snapshot pretty well, there still exists potential for causing replication failures when reverting a domain controller from a snapshot (because the KCC doesn't know what to do with the old data that is trying to be replicated).  That is also why it's important to take the snapshot in a running state and to include a quiesced filesystem and the contents of the RAM.

I hope this helps someone and I certainly hope MS comes out with a fix for this soon.

Zac

March 17th, 2015 4:56pm

I opened a case with Microsoft support and they said that the August 2014 update caused this issue.  The tech stated that it should be fixed in the new release of Windows server.  He also said that Microsoft would not fix the issue since there was a work around by viewing the DNS events in the server's event viewer. 

If I wanted to pursue the issue, I would have to fill out a form and justify why I needed this by saying how many users were affected and if the company would lose money.  I will not be filling it out since it doesn't impact the customer base.  The tech found this information during ad-hoc conversations and there was no KB article that he could reference.  I just wanted to let everyone know what I discovered.

Thanks

March 20th, 2015 4:43pm

There are 2 variants of this DNS event text problem

Symptom: Text for DNS events is not rendered in the Windows Server 2012 R2 DNS Manager after installing August 2014 or later monthly updates.
Resolution: No resolution currently exists. Workaround: View DNS events in the Event Viewer and Computer Management snap-ins.

Symptom: Text for DNS events is not rendered in the Windows Server 2012 R2 Computer Management and Event Viewer snap-ins if the December 2014 monthly update is installed but the October 2014 monthly update is not installed.
Resolution: Install October 2014 Rollup KB 3995388. Installing October Update KB 3995388 before installing December 2014 rollup KB 3013769 prevents DNS event text from being rendered in the Computer Management (COMPMGMT.MSC) and Event Viewer (eventvwr.msc) snap-ins.

July 10th, 2015 4:16pm
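
Added example, not part of any post in this thread: a PowerShell check that reports which of the updates named by posters are installed and whether recent events in the "DNS Server" log render a description through the Windows Event Log API, which helps tell the two symptoms above apart. The KB numbers and log name are taken from the posts as written; the function names `Get-ThreadHotFix` and `Get-UnrenderedEvent` are hypothetical.

```powershell
# Added example (not from the thread). KB ids and the log name are the ones
# quoted by posters; function names and output columns are hypothetical.
$kbIds   = 'KB2975719', 'KB2995388', 'KB3013769'
$logName = 'DNS Server'

function Get-ThreadHotFix {
    param([Parameter(Mandatory)][string[]]$Id)

    # Query once and filter locally, so an absent KB is a row rather than an error.
    $installed = Get-HotFix
    foreach ($kb in $Id) {
        $hit = $installed | Where-Object { $_.HotFixID -eq $kb } | Select-Object -First 1
        [pscustomobject]@{
            HotFixID    = $kb
            Installed   = [bool]$hit
            InstalledOn = if ($hit) { $hit.InstalledOn } else { $null }
        }
    }
}

function Get-UnrenderedEvent {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [int]$MaxEvents = 200
    )

    $events = @(Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)
    foreach ($e in $events) {
        $msg = $e.Message
        # An event counts as unrendered when no description could be formatted,
        # or when the generic "cannot be found" text was substituted for it.
        if ([string]::IsNullOrWhiteSpace($msg) -or
            $msg -match 'description for Event ID .* cannot be found') {
            [pscustomobject]@{
                TimeCreated  = $e.TimeCreated
                Id           = $e.Id
                ProviderName = $e.ProviderName
                # Raw insertion strings are still stored with the event.
                Properties   = ($e.Properties | ForEach-Object { $_.Value }) -join ', '
            }
        }
    }
}

Get-ThreadHotFix -Id $kbIds | Sort-Object InstalledOn | Format-Table -AutoSize

$unrendered = @(Get-UnrenderedEvent -LogName $logName)
if ($unrendered.Count -eq 0) {
    # Descriptions format correctly here, so a failure seen only in DNS Manager
    # matches the first symptom described in the thread.
    "All sampled '$logName' events rendered a description."
} else {
    "$($unrendered.Count) sampled '$logName' events have no rendered description:"
    $unrendered | Format-Table -AutoSize
}
```

Even when a description cannot be rendered, the Properties column shows the stored insertion strings (for example the zone and file names in event 769), so the events remain usable for monitoring.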

This topic is archived. No further replies will be accepted.
