Solved

Event ID 4015 -- functioning active directory

Posted on 2009-05-13
Last Modified: 2012-05-06
Hello all, new user here, first post.

I have been banging my head against the wall on this one, can't find any information on this that makes sense to me.

We have 2 domain controllers, both Win2k3 with latest SP and security updates.  Recently, about a month ago, we started experiencing DNS/Active Directory issues with our Mac clients.  We found a workaround, but now our VPN users are having errors that are leading me to believe our domain controllers/Active Directory is corrupt or not functioning properly.

I've gone into the Event Viewer and started noticing event ID 4015 in the DNS Server log and event ID 1168 in the Directory Service log.

I'm fairly new to administering Active Directory and Domain Controllers, so any help would be greatly appreciated.

nix-IT
Question by:nix-IT
LVL 57

Expert Comment

by:Mike Kline
ID: 24378172
What are the actual problems the VPN users are having?  Are they having issues accessing email or file shares?
Thanks
Mike
0
 

Author Comment

by:nix-IT
ID: 24378233
The users can't access their email or the file shares and the problem is intermittent.  I've been working with our VPN service provider for the past 2 weeks, and they claim nothing has changed.  The VPN service providers state that it could be a DNS issue.

The users can sometimes access the shares by share name, but when they can't, they can access them by IP address.

Today a user can't access any of the shares by IP or name.

nix-IT

0
 

Author Comment

by:nix-IT
ID: 24378834
More on this issue.  During my searching online, I found a Microsoft article that stated to check the Active Directory database location with the following command:

ntdsutil files info

This returned the location of:

c:\windows\ntds and the database file.  I confirmed that the database file is in that location with a current date/time stamp.

Not sure if this helps.

Look forward to some responses.

nix-IT
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24379181
We have had something similar with users when they VPN in (Outlook/mail issues).  What we are trying is forcing the clients to use TCP for Kerberos (it is helping).

http://support.microsoft.com/kb/244474 
How to force Kerberos to use TCP instead of UDP in Windows

http://blogs.technet.com/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx

"A common problem is that routers will arbitrarily fragment UDP packets; when this happens the Kerberos ticket request packets are discarded by the KDC. Windows Vista and Windows Server 2008 now default to using TCP for Kerberos ticket requests"
 
May want to try that registry change on one or two test machines.
Thanks
Mike
0
 
LVL 3

Expert Comment

by:ISWSIMBX
ID: 24379359
Can you post the contents of the 4015 event?  Was anything changed with your Active Directory or DNS about a month ago?
0
 

Author Comment

by:nix-IT
ID: 24379425
Here are the contents:

Event Type:      Error
Event Source:      DNS
Event Category:      None
Event ID:      4015
Date:            5/13/2009
Time:            12:35:54 PM
User:            N/A
Computer:      SRVPDC
Description:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00000051
------------------------------------------

In directory service, I also see event id: 1168, with the contents:

Event Type:      Error
Event Source:      NTDS General
Event Category:      Internal Processing
Event ID:      1168
Date:            5/13/2009
Time:            12:45:16 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      SRVPDC
Description:
Internal error: An Active Directory error has occurred.

Additional Data
Error value (decimal): 1053
Error value (hex): 41d
Internal ID: 3000502

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

----------------------

Not sure if this helps.

Thanx all for your help.

nix-IT
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24379565
Does the 4015 event happen after a reboot/restart?  Are you pointing the boxes to themselves for primary DNS?
Thanks
Mike
0
 

Author Comment

by:nix-IT
ID: 24379598
Yes, this happens after a reboot, and yes, they are pointing to themselves.

I want to clarify, I did not set up the domain controllers or these DNS servers.  :)

nix-IT

0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 24379646
Well setting them up to point to themselves is ok, but I've seen this 4015 before and you will hear it called the "race condition" problem.  So DNS and AD are both trying to start and they depend on each other and then they fail.
Try pointing to each other for primary and to themselves as secondary and then during your next maintenance cycle reboot one of the boxes and see if you get the 4015 errors still.
Then reboot the other and observe the results.
We have had luck with that configuration on our DCs that had this issue.
Thanks
Mike
0
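
An added example, not part of the thread and not code from any poster: a PowerShell check that reads the DNS client order on each domain controller over WMI and compares it with the arrangement suggested in the accepted answer (partner first, self as a later entry). SRVPDC is the host name from the event log above; SRVBDC and the finding labels are assumptions made for illustration.

```powershell
# Added example. SRVPDC is taken from the event log in this thread;
# SRVBDC is a hypothetical name for the second DC, which the thread never names.
$domainControllers = 'SRVPDC', 'SRVBDC'

# Classify one adapter's DNS search order. The labels are this example's own.
function Get-DnsOrderFinding {
    param([string[]]$SearchOrder, [string[]]$Own, [string[]]$Partners)
    if (-not $SearchOrder) { return 'NO-DNS-SERVERS' }
    $self    = @($Own) + '127.0.0.1'          # loopback also counts as "itself"
    $primary = $SearchOrder[0]
    # Primary pointing at the DC itself: the setup confirmed in the thread.
    if ($self -contains $primary)        { return 'PRIMARY-IS-SELF' }
    if ($Partners -notcontains $primary) { return 'PRIMARY-NOT-A-DC' }
    # Partner is primary; the accepted answer also lists the DC itself afterwards.
    $rest = @($SearchOrder | Select-Object -Skip 1)
    if (-not ($rest | Where-Object { $self -contains $_ })) { return 'NO-SELF-FALLBACK' }
    return 'OK'
}

# Collect the IP-enabled adapters of every DC once.
$cfg = @{}
foreach ($dc in $domainControllers) {
    $cfg[$dc] = @(Get-WmiObject Win32_NetworkAdapterConfiguration `
                    -ComputerName $dc -Filter 'IPEnabled = TRUE')
}

$report = foreach ($dc in $domainControllers) {
    $own      = @($cfg[$dc] | ForEach-Object { $_.IPAddress })
    $partners = @($domainControllers | Where-Object { $_ -ne $dc } |
                  ForEach-Object { $cfg[$_] } | ForEach-Object { $_.IPAddress })
    $cfg[$dc] | ForEach-Object {
        New-Object PSObject -Property @{
            Computer = $dc
            DnsOrder = $_.DNSServerSearchOrder -join ', '
            Finding  = Get-DnsOrderFinding -SearchOrder $_.DNSServerSearchOrder `
                                           -Own $own -Partners $partners
        }
    }
}
$report | Format-Table Computer, DnsOrder, Finding -AutoSize
```

Run it from an account with remote WMI rights on both DCs; a row marked PRIMARY-IS-SELF is the configuration described before the change, and OK is the one the accepted answer proposes.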
 

Author Comment

by:nix-IT
ID: 24379661
Mike,

Thanks, I will give this a shot and report back in the AM.

nix-IT
0
