Microsoft DNS Error 4015 on two new DCs

I just installed two new Windows Server 2012 domain controllers in our environment.  They are clean installs as Hyper-V guest OSes.  They offer DHCP, DNS and are domain controllers.

I plan to decommission two existing Windows 2008 R2 DCs which are physical machines.   There are also two Windows Server 2012 DCs located across the VPN in another country. There are no DNS errors in the event logs of older servers.

On the new servers, I am getting repetitive 4015 event IDs.  Happens a few times per hour.  I am concerned that if I decommission the physical servers, I might have trouble.

Here is the error exactly:  The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

I am pretty confident in my ability to add new DCs with DNS to a network, but I'm unsure as to what's gone wrong here.

Any help would be greatly appreciated.
Mahesh (Architect) commented:
This sounds like an auto-generated name; maybe you promoted a DC with the default server name, or something like a sysprepped machine.

If you are not able to view this name in the Domain Controllers OU or in AD Sites and Services, probably you have already removed that server from Active Directory.

Are you able to access / resolve that name by IP, hostname or RDP?

I guess it will not.
Just run metadata cleanup for that name in AD, and if you find one matching, just delete it from the metadata.
Also delete that entry from the Domain System Volume as well and force AD replication so that it gets deleted from all domain controllers.

Probably you can try a DFSR propagation test to find out the stale entry.

Then you need to monitor for the DNS 4015 event again.

First of all, point the 2012 servers to themselves in TCP/IP properties and then restart the Netlogon service on both DCs to re-register missing SRV records, if any.
Also check in DNS, especially the Host (A) and NS records, that they are accurate for all present DCs on all DCs in the domain.

Also check that AD replication ports are opened between all DCs as appropriate, and then run dcdiag /v /q and post the errors here to troubleshoot further if required.

It is possible that these errors are occurring due to connectivity issues when communicating with the remote DNS server.

The "Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003" article discusses the pros and cons of using a local vs. a remote DNS server for the primary/secondary DNS client settings. Given the errors you are seeing, switching to using the local DNS server as primary may prevent the errors.

Replacing localhost with the real IP address of the card listening for DNS has resolved oddities for me in the past, and I now always recommend doing that when I see it.

While moving the DNS client settings for the primary and secondary DNS server may stop the errors, it will not fix the root cause. To address that, a network trace with Netmon or Wireshark at the time of an event being raised might give some insight.
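The client-side change both replies describe (real NIC address first, a partner DC second, never 127.0.0.1, then a Netlogon restart to re-register the locator records), as an added PowerShell example that is not part of this thread. It is meant to be run elevated on each new 2012 DC; the single "Up" adapter matches the poster's one-NIC VMs, and the partner address `10.0.0.11` is an assumption to replace with the other DC's real address. The final check asks only the local server (`-Server`), so a cached answer from another DC cannot hide a registration failure on this one.

```powershell
Import-Module ActiveDirectory

$domain  = (Get-ADDomain).DNSRoot
$nic     = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
$selfIp  = (Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 |
            Where-Object PrefixOrigin -ne 'WellKnown' | Select-Object -First 1).IPAddress
$partner = '10.0.0.11'   # ASSUMPTION: the other new DC's address; replace with yours

# Before: what the client uses now. 127.0.0.1/::1 or a remote-site DC in first
# place are exactly the settings the thread warns about.
Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses

# After: the NIC's real address first, a partner DC second.
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses @($selfIp, $partner)

# Netlogon rewrites netlogon.dns and re-registers this DC's SRV/A records.
Restart-Service NetLogon
Start-Sleep -Seconds 20

# Ask the local server directly for the DC locator SRV set and look for ourselves in it.
$me  = "$env:COMPUTERNAME.$domain".ToLower()
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server $selfIp -ErrorAction Stop
if ($srv | Where-Object { $_.NameTarget -ieq $me }) {
    "OK: $me is advertised in _ldap._tcp.dc._msdcs.$domain via $selfIp"
} else {
    "MISSING: no SRV record for $me on $selfIp; check %SystemRoot%\System32\config\netlogon.dns and the System log"
}
```

Repeat on the second DC with the roles of `$selfIp` and `$partner` swapped. If the SRV record is still missing after the restart, the problem is on the registration path (dynamic update permissions on the zone, or the DC registering against a server that cannot write the zone), not on the client settings.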


Leon Fester (Senior Solutions Architect) commented:
You can test DNS for errors by running dcdiag /test:DNS on the servers giving you these errors and reviewing the errors.

Also see solution to previously asked question which may be faster than posting your results here and waiting for a response.
encoad (Author) commented:
Hi All,

I've changed the network settings as you've suggested.

There are no restricted network ports locally or across the VPN.

dcdiag /v /q did not report any errors.

dcdiag /test:DNS reports the following:

Performing initial setup:
   Trying to find home server...
   Home Server = MSPV-DC1
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Dongguan\MSPV-DC1
      Starting test: Connectivity
         ......................... MSPV-DC1 passed test Connectivity

Doing primary tests

   Testing server: Dongguan\MSPV-DC1

      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... MSPV-DC1 passed test DNS

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : Metro

   Running enterprise tests on : Metro.local
      Starting test: DNS
         Test results for domain controllers:

            DC: MSPV-DC1.Metro.local
            Domain: Metro.local

               TEST: Delegations (Del)
                  Error: DNS server: win-ydm3tgmz47v.metro.local. IP:<Unavailable> [Missing glue A record]

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            Domain: Metro.local
               MSPV-DC1                     PASS PASS PASS FAIL PASS PASS n/a

         ......................... Metro.local failed test DNS


I'm not sure what that server listed is or where to delete the references to it.
Leon Fester (Senior Solutions Architect) commented:
That name "win-*" looks like an auto-generated name from an image/sysprep build.
I'd suggest checking your DNS server settings to ensure that that name is not listed as a DNS server.

It could have been setup during testing/erroneously and never cleaned up.

You can also check your DNS delegation using nslookup to find out more information.
Is this DC running with multiple live IP NICs?

Check/examine the places below for references to the removed DC.

Each & every sub folder inside _msdcs folder in DNS

Name server tab in DNS

Host records in DNS

Server object under NTDS setting in AD sites & services.

Open ADSIEDIT.MSC, connect to configuration partition

CN=Configuration, DC=domain, DC=com > CN=Sites > locate DC to be removed from the sites
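The checklist above (every folder under _msdcs, the Name Servers tab, host records, the server object under NTDS Settings, and CN=Sites in the Configuration partition) together with the earlier advice to verify A and NS records on every DC can be turned into one audit. This is an added PowerShell example, not code from the thread: run elevated on any DC that has the ActiveDirectory and DnsServer modules. It builds the set of names, addresses and NTDS Settings GUIDs that belong to live DCs, then reports every DNS record and Sites-and-Services server object that points anywhere else, so a stale entry such as the `win-*` host the dcdiag delegation test reported would be listed. Zone names and record shapes are the standard ones; nothing is specific to the poster's environment.

```powershell
Import-Module ActiveDirectory, DnsServer

$forest   = (Get-ADForest).RootDomain.ToLower()
$configNC = (Get-ADRootDSE).configurationNamingContext
$dcs      = Get-ADDomainController -Filter *

# What a DC-related record is allowed to point at: live FQDNs, their addresses,
# and the NTDS Settings objectGUIDs that name the CNAMEs under _msdcs.
$validFqdn = @($dcs.HostName | ForEach-Object { $_.ToLower() })
$validIp   = @($dcs.IPv4Address)
$validGuid = @(foreach ($dc in $dcs) {
    (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID.Guid.ToLower()
})

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($where, $name, $type, $target) {
    $findings.Add([pscustomobject]@{ Where = $where; Name = $name; Type = $type; Target = $target })
}

# 1. DNS: NS, CNAME and SRV targets in every primary zone, A records at the zone
#    apex (the "same as parent folder" DC records) and the GUID CNAMEs under _msdcs.
$zones = Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }
foreach ($zone in $zones) {
    foreach ($rr in Get-DnsServerResourceRecord -ZoneName $zone.ZoneName) {
        $target = $null
        switch ($rr.RecordType) {
            'NS'    { $target = $rr.RecordData.NameServer }
            'CNAME' { $target = $rr.RecordData.HostNameAlias }
            'SRV'   { $target = $rr.RecordData.DomainName }
            'A'     { if ($rr.HostName -eq '@') { $target = $rr.RecordData.IPv4Address.IPAddressToString } }
        }
        if (-not $target) { continue }
        $t = $target.TrimEnd('.').ToLower()
        if (($validFqdn -notcontains $t) -and ($validIp -notcontains $t)) {
            Add-Finding $zone.ZoneName $rr.HostName $rr.RecordType $target
        }
        # GUID-named CNAMEs live either in a separate _msdcs zone or as <guid>._msdcs
        # inside the domain zone; a GUID that is not a live DSA is a leftover DC.
        if ($rr.RecordType -eq 'CNAME' -and $rr.HostName -match '^([0-9a-fA-F-]{36})(\._msdcs)?$') {
            if ($validGuid -notcontains $Matches[1].ToLower()) {
                Add-Finding $zone.ZoneName $rr.HostName 'CNAME (stale DSA GUID)' $target
            }
        }
    }
}

# 2. AD Sites and Services: server objects whose dNSHostName is not a live DC, or
#    that have no NTDS Settings child (a half-removed DC).
$servers = Get-ADObject -Filter 'objectClass -eq "server"' -SearchBase "CN=Sites,$configNC" -Properties dNSHostName
foreach ($s in $servers) {
    $ntds = Get-ADObject -Filter 'objectClass -eq "nTDSDSA"' -SearchBase $s.DistinguishedName -SearchScope OneLevel
    $hn   = if ($s.dNSHostName) { $s.dNSHostName.ToLower() } else { '' }
    if (-not $ntds -or $validFqdn -notcontains $hn) {
        Add-Finding 'Sites' $s.Name 'server object' $s.DistinguishedName
    }
}

$findings | Sort-Object Where, Type | Format-Table -AutoSize

# Anything named win-* is almost certainly the sysprep default the thread describes.
$findings | Where-Object { $_.Name -like 'win-*' -or $_.Target -like 'win-*' }
```

Run it against each DNS server in turn (`-ComputerName` on the DnsServer cmdlets) rather than trusting one copy of the zone; an AD-integrated zone that has not converged can be clean on one DC and stale on another, which is exactly the situation where 4015 keeps appearing on only some servers. Remove what it reports with `Remove-DnsServerResourceRecord` and a metadata cleanup (`ntdsutil` or deleting the server object in Sites and Services), not by renaming the stale object.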

encoad (Author) commented:
Ok, I've done a search throughout each folder in the DNS tree and deleted all instances of the weird computer name. In the _msdcs folder, I pointed the name server record to a valid name server.

I get no errors now for the dcdiag /test:DNS

I am getting an error for dcdiag /v /q now, however. The internet is spotty here in China, so this could be a contributing factor.

If anyone sees anything that I've done as bad, please let me know.  I'll watch it today and report back.
From the DCDIAG errors it's clear that a public DNS server is configured somewhere in DNS which is not reachable/working:
There is a problem accessing the COM Service on a remote computer. To resolve this problem:
Ensure that the remote computer is online.
This problem may be the result of a firewall blocking the connection. For security, COM+ network access is not enabled by default. Check the system to determine whether the firewall is blocking the remote connection.
You can check the presence of the public DNS server from your network, maybe by telnetting to it on TCP port 53; just remove it from the configuration if you are not using it, or clear the port/firewall issues.

In the case of the second error, related to the system log: if you have error events in the DC's System event log, then the DCDIAG systemlog test will fail.
If you clear those system logs on the DC, then the next DCDIAG run will not log errors for the systemlog test.

I don't think the above errors are serious; just get rid of the public DNS server IP logged in DCDIAG.

encoad (Author) commented:
Thank you all for your help so far, but I am still stuck.

FYI, my DC's are Hyper-V guests, only one NIC.

I've removed the Forwarder.  My error is still appearing at random intervals.  The strange thing is that I have two other DCs with DNS in this same network, connected to the same switch and router and they are not experiencing any errors (they are Windows 2008 R2 however)

There is no firewall blocking any of the servers, they can all access port 53 to the internet and across the VPN.

I am receiving no errors with dcdiag /v /q

Any other suggestions? Does 2012 DNS operate differently than 2008 R2? Could this account for the fact that the 2x 2008 DNS servers have no errors but both 2012 servers have errors?
Leon Fester (Senior Solutions Architect) commented:
Are you running DCDIAG from the 2008 machine against a 2012 machine?
I know that DCDIAG for 2008 generates errors when running against 2003 DC's.
This is because DCDIAG 2008 uses functions that don't exist on 2003 but I'm not sure about 2008 DCDIAG against 2012.

See discussion on another forum that says DCOM errors can be ignored.
encoad (Author) commented:

I am running DCDIAG on the actual machines that I am diagnosing.

What are the impacts if I try the following:

1.  Uninstall/Reinstall the DNS Role
2.  Uninstall/Reinstall the DC role

Will anything bad happen if I try?  I have 3 other DCs in this network and 2 more across a VPN, but I need to avoid any downtime.

Thanks in advance.
It's not a good step to uninstall and reinstall DNS, since the issue exists with just a single DNS entry.

Just check root hints, default forwarders and conditional forwarders, and NS records on all DNS servers for the presence of that server address; if found, just remove it.
Also ensure that the entry is not there as a DNS server in the TCP/IP settings of all servers.

Then just restart the DNS Server service, run ipconfig /flushdns and dnscmd /clearcache, and then try to run dcdiag.
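The upstream check in this reply and the earlier one (forwarders, conditional forwarders and root hints that point at a server nobody can reach on TCP 53, then a cache clear) as an added PowerShell example that is not part of this thread. It is run on the DNS server itself with the DnsServer module loaded. Root hints are only tested for TCP reachability; forwarders additionally get a real recursive query for `www.microsoft.com`, which is an assumed public name to replace with whatever your network is allowed to resolve. A short connect timeout is used on purpose so that a filtered port shows up as unreachable instead of hanging the audit.

```powershell
Import-Module DnsServer

# TCP connect to port 53 with a timeout; a plain TcpClient is used so this also
# works on 2012 RTM, which has no Test-NetConnection.
function Test-Tcp53([string]$Address, [int]$TimeoutMs = 2000) {
    $c = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $c.BeginConnect($Address, 53, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $c.EndConnect($ar)
        return $true
    } catch { return $false } finally { $c.Close() }
}

# Everything this server may send queries to.
$upstream = New-Object System.Collections.Generic.List[object]
foreach ($ip in (Get-DnsServerForwarder).IPAddress) {
    $upstream.Add([pscustomobject]@{ Source = 'Forwarder'; Address = "$ip" })
}
foreach ($z in (Get-DnsServerZone | Where-Object ZoneType -eq 'Forwarder')) {
    foreach ($ip in $z.MasterServers) {
        $upstream.Add([pscustomobject]@{ Source = "Conditional forwarder $($z.ZoneName)"; Address = "$ip" })
    }
}
foreach ($rh in Get-DnsServerRootHint) {
    foreach ($a in ($rh.IPAddress | Where-Object RecordType -eq 'A')) {
        $upstream.Add([pscustomobject]@{ Source = "Root hint $($rh.NameServer.RecordData.NameServer)"
                                          Address = $a.RecordData.IPv4Address.IPAddressToString })
    }
}

# Reachability for all of them; an actual answer only for forwarders.
$report = foreach ($u in $upstream) {
    $tcp = Test-Tcp53 $u.Address
    $answers = 'n/a'
    if ($tcp -and $u.Source -notlike 'Root hint*') {
        $r = Resolve-DnsName -Name 'www.microsoft.com' -Server $u.Address -DnsOnly -ErrorAction SilentlyContinue
        $answers = [bool]$r
    }
    [pscustomobject]@{ Source = $u.Source; Address = $u.Address; Tcp53 = $tcp; Answers = $answers }
}
$report | Format-Table -AutoSize

# Only dead forwarders are candidates for removal; unreachable root hints usually
# mean outbound 53 is filtered, which the Tcp53 column already makes visible.
foreach ($dead in ($report | Where-Object { $_.Source -eq 'Forwarder' -and $_.Answers -eq $false })) {
    "Forwarder $($dead.Address) is not answering; remove with: Remove-DnsServerForwarder -IPAddress $($dead.Address)"
}

# After changing forwarders, clear the server cache (equivalent of dnscmd /clearcache)
# and the client cache (ipconfig /flushdns) so stale negative answers do not linger.
Clear-DnsServerCache -Force
Clear-DnsClientCache
```

Run it on every DNS server, not just the two 2012 hosts: forwarder lists are per server, so the 2008 R2 DCs can be clean while the new ones still carry the unreachable address.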

Leon Fester (Senior Solutions Architect) commented:

1.  Uninstall/Reinstall the DNS Role
2.  Uninstall/Reinstall the DC role

There are no guarantees that this would help to resolve your errors.

Check if this is a superfluous error:
DCDIAG /i /q
/i - Ignores superfluous error messages.
If the error does not appear then it means it is an error that can be safely ignored.

From other issues like this that I've seen on the WWW, they've suggested checking that IPv6 IS enabled on the NIC and that there are no WINS servers entered.
encoad (Author) commented:
Hi Guys,

DCDIAG /i /q gave some errors, but I believe these were related to the fact that I had one DC down as I was moving the VM from one server to another (as a test to see if the problem was hardware related); it is not anywhere else as far as I can see.

I've enabled IPV6, this did not fix things.  No WINS is used.

I've run the flushdns and clearcache (then rebooted), waiting on the errors to appear again, or hopefully not.  I'll know in a couple of hours.

I reran DCDIAG /I /Q after the reboot and got the following messages:

PS C:\Users\spvadmin> dcdiag /i /q
         An error event occurred.  EventID: 0x0000271A
            Time Generated: 01/18/2014   09:54:19
            Event String:
            The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
         An error event occurred.  EventID: 0x0000271A
            Time Generated: 01/18/2014   09:54:19
            Event String:
            The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
         An error event occurred.  EventID: 0x00000416
            Time Generated: 01/18/2014   09:55:17
            Event String:
            The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain Metro.local, has determined that it is not authorized to start.  It has stopped servicing clients.  The following are some possible reasons for this:
         ......................... MSPV-DC1 failed test SystemLog


Not sure what this means or if it is important.

Thanks for all your help so far!
encoad (Author) commented:
Just got another 4015...  No clue what else to try.
encoad (Author) commented:
So I'd like to try DNS reinstall, any harm in that?
Check if DHCP is authorized by an account having Enterprise Admins rights.
If yes, then try to start the DHCP service and let me know what happens.

Regarding dcom errors, you can clear system logs on server and check if still you receive errors in systemlog DCdiag test

Is your replication is working properly ?
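The DHCP authorization check behind the 0x416 (1046) event in the dcdiag output, as an added PowerShell example that is not from this thread. It runs on the DC that hosts DHCP with the DhcpServer and ActiveDirectory modules, compares the host's own FQDN and addresses against the authorized list that the DHCP service itself consults at start-up, shows the raw objects under CN=NetServices that the reply above points at, and flags authorizations for hosts that no longer exist in the domain. Module and attribute names are the standard ones; the `dhcpServers` attribute is printed as stored, without interpreting its format.

```powershell
Import-Module DhcpServer, ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$me    = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName).ToLower()
$myIps = @((Get-NetIPAddress -AddressFamily IPv4 | Where-Object PrefixOrigin -ne 'WellKnown').IPAddress)

# The list the DHCP service checks before it will serve clients.
$authorized = @(Get-DhcpServerInDC)
"Authorized DHCP servers in AD:"
$authorized | Format-Table DnsName, IPAddress -AutoSize

# The underlying objects: CN=NetServices holds DhcpRoot plus one dHCPClass object
# per authorized server, named by its address.
Get-ADObject -SearchBase "CN=NetServices,CN=Services,$configNC" -SearchScope OneLevel `
    -Filter 'objectClass -eq "dHCPClass"' -Properties dhcpServers |
    Select-Object Name, @{ n = 'dhcpServers'; e = { $_.dhcpServers -join '; ' } }

# Event 1046 is raised when neither this host's FQDN nor one of its addresses matches an entry.
$match = $authorized | Where-Object { $_.DnsName.ToLower() -eq $me -or $myIps -contains "$($_.IPAddress)" }
if ($match) {
    "This server is authorized as $($match.DnsName) ($($match.IPAddress)); DHCP will service clients."
} else {
    "This server is NOT authorized. As an Enterprise Admin run:"
    "  Add-DhcpServerInDC -DnsName $me -IPAddress $($myIps[0])"
    "and then Restart-Service DHCPServer."
}

# Authorizations for hosts that no longer exist should be removed: AD authorization
# is the control that stops a rogue DHCP server, so the list should be exact.
$live = @((Get-ADComputer -Filter 'enabled -eq $true').DNSHostName |
          ForEach-Object { if ($_) { $_.ToLower() } })
foreach ($a in $authorized) {
    if ($live -notcontains $a.DnsName.ToLower()) {
        "Stale authorization: $($a.DnsName) ($($a.IPAddress)); remove with Remove-DhcpServerInDC -DnsName $($a.DnsName) -IPAddress $($a.IPAddress)"
    }
}
```

If the script says the server is authorized but the service still logs 1046, the usual cause is that the DC resolved its own name to an address other than the one authorized (a second NIC or a stale A record), which the earlier DNS audit would expose.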

encoad (Author) commented:
Hello Mahesh,

I've moved over my DHCP to this server, and deauthorized the DHCP on the other server.  We'll see if this has any impact.

I'll report back.
encoad (Author) commented:
Ok, so I've deauthorized the DHCP server on the old working DC and I've authorized the new DCs as DHCP servers.  Same results.

Replication appears to be working correctly, but if you have some commands to run, I would appreciate it.

Thanks again.
Just go to adsiedit.msc, connect to the Configuration container and navigate to the path
CN=NetServices,CN=Services,CN=Configuration,DC=yourdomain,DC=com and see whether any authorized servers are listed there or not.

Log on to the DHCP server with an account having Domain Admins and Enterprise Admins rights and
please follow the steps in the blog below, step by step.

This will hopefully resolve your DHCP issue.

In order to check replication, use the commands below from an elevated command prompt:
Repadmin /syncall
Repadmin /showrepl

repadmin /replsum * /bysrc /bydest /sort:delta > C:\replsummary.txt
The above command will give you an idea about the replication status in the entire domain/forest.

Also you may go to AD Sites and Services and trigger replication manually and check if it is working properly.

Also go to the DNS zone and ping all the CNAME records you find for domain controllers.
They should resolve to the domain controllers' IP addresses. If you get errors here, then probably you need to restart the Netlogon service on the respective DNS server.
Go to AD Sites and Services\Sites\Servers\serverhostname\NTDS Settings properties; on the General tab you will find the DNS alias. Just copy that and check if you are able to ping it.
Hopefully you should, but if you get an error here, then probably the host (A) record is missing.
Once it starts resolving, replace the _msdcs CNAME record with the one found on the NTDS Settings tab.

Also check that no stale server object exists in AD Sites and Services.
I am assuming that you are using File Replication Service for SYSVOL replication.
Go to dsa.msc\System\File Replication Service or DFSR, depending upon your SYSVOL replication engine, and drill down to Domain System Volume; in the right-hand pane check that the Name and Computer fields are pointing to the same server and that it exists (is valid) in AD as a domain controller.
If there is a mismatch between the two, you need to go to that object's properties and check the attributes below:
1. Check that the frsComputerReference attribute is pointing to the correct DN of the domain controller; correct it if you find it wrong. You will find that in the DC's properties in the Domain Controllers OU.

2. Check the ServerReference attribute; if it is pointing to the wrong DC, then you need to correct that entry.
In order to correct that entry, just go to the NTDS Settings properties of the affected DC in Sites and Services and copy the DN attribute from there.
Replace the ServerReference attribute value with the copied one.

Also check that all NS records are correct in that zone.

I think the rest of the things you have already checked.
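The three checks in the reply above (replication partner status, the DSA GUID CNAME under _msdcs for every DC, and the SYSVOL member objects whose computer and server references must point at a live DC) as one added PowerShell example that is not part of this thread. It runs on any DC with the ActiveDirectory module and covers both SYSVOL engines, FRS (`nTFRSMember` with `frsComputerReference`) and DFSR (`msDFSR-Member` with `msDFSR-ComputerReference`), since the reply only assumes FRS. Container DNs and class names are the standard ones for a domain; nothing is specific to the poster's forest.

```powershell
Import-Module ActiveDirectory

$forest    = (Get-ADForest).RootDomain
$defaultNC = (Get-ADRootDSE).defaultNamingContext
$dcs       = Get-ADDomainController -Filter *
$validComputerDn = @($dcs.ComputerObjectDN)
$validNtdsDn     = @($dcs.NTDSSettingsObjectDN)

# 1. Per-partner replication status, the data repadmin /showrepl summarises.
#    LastReplicationResult 0 means the last attempt with that partner succeeded.
$repl = foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Both -ErrorAction SilentlyContinue |
        Select-Object Server, Partner, Partition, LastReplicationResult, LastReplicationSuccess
}
$repl | Format-Table -AutoSize

# 2. The DSA GUID alias: <objectGUID of NTDS Settings>._msdcs.<forest> must be a
#    CNAME to the DC's FQDN; replication partners locate each other through it.
foreach ($dc in $dcs) {
    $guid  = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID.Guid
    $alias = "$guid._msdcs.$forest"
    $r = Resolve-DnsName -Name $alias -Type CNAME -ErrorAction SilentlyContinue
    $target = ($r | Where-Object Type -eq 'CNAME').NameHost
    if ($target -and ($target.TrimEnd('.') -ieq $dc.HostName)) { "OK      $alias -> $target" }
    elseif ($target)                                            { "WRONG   $alias -> $target (expected $($dc.HostName))" }
    else                                                        { "MISSING $alias; restart NetLogon on $($dc.HostName)" }
}

# 3. SYSVOL member objects. Both engines must point the computer reference at the
#    DC's computer object and serverReference at its NTDS Settings object.
$checks = @(
    @{ Base  = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$defaultNC"
       Class = 'nTFRSMember';   Comp = 'frsComputerReference' },
    @{ Base  = "CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$defaultNC"
       Class = 'msDFSR-Member'; Comp = 'msDFSR-ComputerReference' }
)
foreach ($c in $checks) {
    try { $null = Get-ADObject -Identity $c.Base -ErrorAction Stop } catch { continue }   # engine not in use
    $members = Get-ADObject -Filter "objectClass -eq '$($c.Class)'" -SearchBase $c.Base -Properties $c.Comp, serverReference
    foreach ($m in $members) {
        $comp  = $m.($c.Comp)
        $srv   = $m.serverReference
        $state = if ($validComputerDn -contains $comp -and $validNtdsDn -contains $srv) { 'OK' } else { 'STALE/MISMATCH' }
        "$state $($c.Class) $($m.Name): computer=$comp server=$srv"
    }
}
```

A member object reported as STALE/MISMATCH whose name is a DC that has already been removed is the "entry in the Domain System Volume" the first reply asks to delete; one whose name is a live DC but whose references point elsewhere is fixed by correcting the two attributes as described above, not by deleting it.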

Leon Fester (Senior Solutions Architect) commented:
The DCOM errors could just be permissions issues

Basic permissions required:
Under "Access Permissions" tab:
Everyone should have local and remote access
Anonymous should have local and remote access

Under "Launch and Activation Permissions" tab:
Everyone should have Local Launch and Local Activation
Administrators and Distributed COM Users should have all
encoad (Author) commented:
Hi Mahesh, thank you for your continued support.

I do not see anything strange in ADSIEDIT.

repadmin commands do not give any errors at all.

I've triggered replication without improvement.

I am able to ping all the CNAMEs.

I am seeing something weird in Active Directory.  The weird computer name is present, and one of the DCs that I plan to decommission is missing (MSPV-S1).  I am unclear what I should do to clean this up.  I've tried renaming the weird name to the missing one, but I do not know if this is my problem or even a viable solution.

All NS records appear to be correct.

encoad (Author) commented:
I've checked the COM permissions, they are ok.
encoad (Author) commented:
I'm awarding the points to Mahesh because he's been so helpful, but my 4015 errors seem to persist.  I even called Microsoft and they were unable to figure it out.
