Domain controller wigged out and now I get an event 4515 in DNS

Posted on 2009-04-17
Last Modified: 2012-05-06
I host a domain controller in VMWare ESX 3.5u2.  After deleting a VMware snapshot of my domain controller, my DC hasn't been right since.  The DC wigged out and no longer responded to network requests.  I had to go to Virtual Center and hard reboot the DC to get the network working again.  Since then, I get a funky event in DNS:
Event Type:      Warning
Event Source:      DNS
Event Category:      None
Event ID:      4515
Date:            4/17/2009
Time:            1:34:34 PM
User:            N/A
Computer:      DC01
The zone was previously loaded from the directory partition MicrosoftDNS but another copy of the zone has been found in directory partition The DNS Server will ignore this new copy of the zone. Please resolve this conflict as soon as possible. If an administrator has moved this zone from one directory partition to another this may be a harmless transient condition. In this case, no action is necessary. The deletion of the original copy of the zone should soon replicate to this server.
If there are two copies of this zone in two different directory partitions but this is not a transient caused by a zone move operation then one of these copies should be deleted as soon as possible to resolve this conflict.
To change the replication scope of an application directory partition containing DNS zones and for more details on storing DNS zones in the application directory partitions, please see Help and Support.

For more information, see Help and Support Center at

I did a little research and found this KB article:

The article basically shows you how to use ADSIEdit to connect to the various AD partitions.  According to the article, option 3 is only for a domain that has Windows 2000 DCs.  My domain runs all 2003 servers, but is running in 2000 native mode.

I've used ADSIEdit to view the partitions, but I'm not 100% comfortable in removing the 'bad' zone.  My DCs are all DNS servers and the DNS zone (for my domain) is configured for AD replication "to all domain controllers in the Active Directory domain".  I see all my zones in DC=mydomain,DC=com,CN=System,CN=microsoftDNS (along with all the other DNS zones that are AD integrated but not related to my domain).  I do see what I believe to be the "bad" zone in DC=DomainDNSZones,DC=mydomain,DC=com,CN=MicrosoftDNS.  No other of the AD integrated DNS zones are in this partition.

A. How can I be sure which Zone to delete?
B. Suppose I'm wrong -  how can I get it back up quickly in the case of a catastrophe?!
C. What else am I not asking or documenting here that I should be concerned with?
D. Although sloppy, is there any harm in leaving the "bad" zone where it is?

Any help would be greatly appreciated.



Question by:fedsig
    LVL 7

    Accepted Solution

    1. Stop DNS Server service on all servers except one.
    2. On that one, turn off AD integration for all forward or reverse zones for which EventID 4515 appears (we had several).
    3. Restart the DNS Server service on the one server.
    4. Check the DNS log - all occurrences of EventID 4515 should be gone. If not make sure AD Integration is off and restart the service again until it starts without any 4515 warnings.
    5. Enable AD integration. Remember to set the replication scope (Win2003 and higher) and turn on secure updates.
    6. If there are other zones on other DNS servers that are not replicated to the server you chose in step 1, stop the DNS Server service on the machine you've been working on, then repeat steps 1 through 5 for zones on a DNS server that hosts the remaining, conflicting zones.
    7. Force AD replication to all DCs running DNS.
    8. Start DNS Server service on the other DNS servers. Once the replication is complete, the 4515 warnings will be gone.
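
The accepted procedure above written out as commands for a single zone, run on the one server left running after step 1. This is an added example, not part of the original answer. The zone name, the distinguished names (taken from the question's `mydomain.com`, written in standard DN order) and the chosen replication scope are assumptions to adjust; the `dsquery` listing and the `/ZoneExport` safety copy go beyond the listed steps.

```batch
@echo off
rem Added example, not from the original thread. ZONE and SCOPE are placeholders.
setlocal
set ZONE=mydomain.com
rem /legacy = domain partition (CN=MicrosoftDNS,CN=System,...), which is the
rem "all domain controllers in the Active Directory domain" scope.
rem /domain = the DomainDnsZones application partition.
set SCOPE=/legacy

rem Record which partitions hold a copy of the zone before changing anything.
dnscmd /ZoneInfo %ZONE%
dsquery * "CN=MicrosoftDNS,CN=System,DC=mydomain,DC=com" -scope onelevel -filter "(objectClass=dnsZone)" -attr name whenChanged
dsquery * "CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=com" -scope onelevel -filter "(objectClass=dnsZone)" -attr name whenChanged

rem Safety copy of the live records (written under %SystemRoot%\System32\dns).
dnscmd /ZoneExport %ZONE% %ZONE%.pre4515.bak
echo Confirm the export file exists, then press a key to continue.
pause

rem Step 2: turn off AD integration (zone becomes a file-backed primary).
dnscmd /ZoneResetType %ZONE% /Primary /file %ZONE%.dns

rem Steps 3-4: restart the service and check that no new 4515 is logged.
net stop dns
net start dns
echo Check the DNS Server event log for Event ID 4515, then press a key.
pause

rem Step 5: re-enable AD integration, set the scope explicitly,
rem and allow secure dynamic updates only (AllowUpdate 2).
dnscmd /ZoneResetType %ZONE% /DsPrimary
dnscmd /ZoneChangeDirectoryPartition %ZONE% %SCOPE%
dnscmd /Config %ZONE% /AllowUpdate 2

rem Step 7: force replication to all DCs before DNS is started elsewhere.
repadmin /syncall /AdeP
endlocal
```

`dnscmd`, `dsquery` and `repadmin` come from the Windows Server 2003 built-in and Support Tools command sets; repeat the zone-specific lines for each zone that logged the warning.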
    LVL 15

    Expert Comment

    Also, you say you deleted a snapshot.  That in and of itself shouldn't have done anything.  However, if you have more than one DC, and you restored a DC from a snapshot, essentially just turned it on, that could mess up your AD significantly.

    Domain Controllers should not be restored from an image.  You need to either build and promote a new DC after demoting the old one (or removing its metadata using NTDSUTIL) or restore it from a backup either as an authoritative or non-authoritative restore, depending upon whether or not you want to restore the current version of AD that's running on the DCs that are still up.

    Author Comment


         I'm aware that deleting a snapshot shouldn't have affected this, but I may have an issue w/either my filer or my ESX rig.  Basically I used SMVI (snap manager for Virtual Infrastructure) to do a hot backup.  It quiesced the VM image, took a snapshot, then deleted the snap (thus committing the deltas back to the original image).  I think that that may have been the problem.  After the backup, the DC got stupid and wouldn't respond to pings or anything.  After hard-booting the DC, the dialogue box that appears before you can hit ctrl-alt-del said "rebuilding active directory indeces".  I never even heard of that?!  I think something got hosed on that DC and it replicated to the other DCs.