This happened to me recently. I had two Active Directory servers that couldn’t communicate with each other. I wanted to remove one, as it was no longer being used; it was a very simple setup with about 10 users, and the environment was being wound down to be removed. So I tried to take over the roles from the server I wanted to remove to the preferred server.

When I went into Active Directory Users and Computers and selected “Operations Masters”, all three Operations Master sections said “ERROR”, so I couldn’t transfer the roles through the GUI.

Not good.

OK so I turned off the VM with the previous “PDC” and seized the roles to the old “BDC”.

Open up a command prompt:

ntdsutil

roles

connections

connect to server MyDomainController*

quit

seize RID Master

seize PDC

seize infrastructure master

seize naming master

seize schema master

* Where I put MyDomainController, I substituted my actual domain controller’s name.

So far, so good. I now have a singular Domain Controller with all roles.

I try to open DNS Server and I get Access denied. The error logs say:

DNS Error ID 4000 “The DNS server was unable to open Active Directory

I removed the DNS server and then re-added it but to no avail.


This is the Fix:

Stop the KDC service and set it to manual.

Then, in PowerShell, run:


netdom resetpwd /s:server /ud:domain\User /pd:*

In my case:

netdom resetpwd /s:cmcis-dc /ud:cmc-is\administrator /pd:*

This will ask you for the administrator password.

Then reboot the server, set the KDC service to automatic and start it. It should automatically repopulate all the DNS records.
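
The fix above as a two-phase script, added here as an illustration (it is not part of the original post). The `-Phase` switch and the placeholder values `MyDomainController` and `MYDOMAIN\administrator` are assumptions; substitute the values you would pass to `/s:` and `/ud:`.

```powershell
# Added example: run in an elevated PowerShell session on the surviving DC.
#   .\Repair-DcSecureChannel.ps1 -Phase PreReboot    (hypothetical file name)
#   .\Repair-DcSecureChannel.ps1 -Phase PostReboot   (after the reboot)
param(
    [Parameter(Mandatory)][ValidateSet('PreReboot', 'PostReboot')]
    [string]$Phase,
    [string]$Server     = 'MyDomainController',     # placeholder for /s:
    [string]$DomainUser = 'MYDOMAIN\administrator'  # placeholder for /ud:
)

$ErrorActionPreference = 'Stop'

if ($Phase -eq 'PreReboot') {
    # Stop the KDC and keep it from starting on the next boot.
    Stop-Service -Name kdc -Force
    Set-Service  -Name kdc -StartupType Manual

    # Reset the machine account password; /pd:* prompts for the password.
    netdom resetpwd "/s:$Server" "/ud:$DomainUser" '/pd:*'
    if ($LASTEXITCODE -ne 0) {
        # Do not reboot on failure, so the error can be investigated first.
        throw "netdom resetpwd failed with exit code $LASTEXITCODE"
    }
    Restart-Computer -Force
}
else {
    # Re-enable and start the KDC, noting when that happened.
    Set-Service   -Name kdc -StartupType Automatic
    $kdcStarted = Get-Date
    Start-Service -Name kdc

    # Confirm this server now holds all five operations master roles.
    netdom query fsmo

    # Report the newest DNS event 4000 relative to the KDC start time.
    $last = Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 4000 } `
                -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $last) {
        Write-Output 'No DNS event 4000 found in the DNS Server log.'
    }
    elseif ($last.TimeCreated -lt $kdcStarted) {
        Write-Output "Last DNS event 4000 at $($last.TimeCreated) predates the KDC start."
    }
    else {
        Write-Warning "DNS event 4000 logged at $($last.TimeCreated), after the KDC start."
    }
}
```

Re-running the `PostReboot` phase a few minutes later gives a more useful event 4000 check, since the DNS Server service needs time to reload its directory-integrated zones.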
