Solved

Microsoft DNS Error 4015 on two new DCs

Posted on 2014-01-14
25
2,521 Views
Last Modified: 2014-01-25
I just installed two new Windows Server 2012 domain controllers in our environment.  They are clean installs as Hyper-V guest OSes.  They offer DHCP, DNS and are domain controllers.

I plan to decommission two existing Windows 2008 R2 DCs which are physical machines.   There are also two Windows Server 2012 DCs located across the VPN in another country. There are no DNS errors in the event logs of older servers.

On the new servers, I am getting repetitive 4015 event IDs.  Happens a few times per hour.  I am concerned that if I decommission the physical servers, I might have trouble.

Here is the error exactly:  The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

I am pretty confident in my ability to add new DCs with DNS to a network, but I'm unsure as to what's gone wrong here.

Any help would be greatly appreciated.
2014-01-15-Snag0006.png
2014-01-15-Snag0007.png
Question by:encoad
25 Comments
 
LVL 35

Expert Comment

by:Mahesh
ID: 39781483
First of all, point the 2012 servers to themselves in TCP/IP properties and then restart the Netlogon service on both DCs to re-register any missing SRV records.
Also check in DNS, especially the Host (A) and NS records, that they are accurate for all present DCs on all DCs in the domain.

http://social.technet.microsoft.com/Forums/windowsserver/en-US/d54fc56f-236b-4d81-a612-90c778cf2a3a/the-dns-server-has-encountered-a-critical-error-from-the-active-directoryv-event-id-4015?forum=winserverDS

Also check that the AD replication ports are opened between all DCs as appropriate, then run dcdiag /v /q and post the errors here to troubleshoot further if required.


Mahesh
0
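An added example (not code from the thread) that checks the two points above for every DC in the domain: that each DC's DNS client points only at DCs (and not at 127.0.0.1), and that each DC has an SRV record under _ldap._tcp.dc._msdcs and a matching A record. It assumes the ActiveDirectory and DnsClient PowerShell modules (present on Server 2012) and PowerShell remoting to the other DCs.

```powershell
# Added example: verify DC DNS client settings and SRV/A registrations.
# Run in an elevated PowerShell on a DC; assumes ActiveDirectory + DnsClient modules.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$dcs    = Get-ADDomainController -Filter *
$dcIps  = $dcs.IPv4Address

# 1. Each DC's DNS client should list only DC addresses, and never 127.0.0.1.
foreach ($dc in $dcs) {
    $servers = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses }).ServerAddresses
    }
    $bad = $servers | Where-Object { $_ -notin $dcIps }
    if ($bad) {
        Write-Warning "$($dc.HostName) uses non-DC DNS server(s): $($bad -join ', ')"
    }
    if ($servers -contains '127.0.0.1') {
        Write-Warning "$($dc.HostName) lists 127.0.0.1; use the NIC's real address instead"
    }
}

# 2. Every DC must appear in the _ldap._tcp.dc._msdcs SRV set and have an A record.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop
$registered = $srv | Where-Object { $_.Type -eq 'SRV' } |
              ForEach-Object { $_.NameTarget.TrimEnd('.') }
foreach ($dc in $dcs) {
    if ($registered -notcontains $dc.HostName) {
        Write-Warning "$($dc.HostName) has no SRV record; restart Netlogon on it"
    }
    $a = Resolve-DnsName -Name $dc.HostName -Type A -ErrorAction SilentlyContinue
    if (-not $a -or ($a.IPAddress -notcontains $dc.IPv4Address)) {
        Write-Warning "$($dc.HostName) A record missing or not $($dc.IPv4Address)"
    }
}

# 3. SRV targets that are no longer DCs are stale registrations to clean up.
$stale = $registered | Where-Object { $_ -notin $dcs.HostName } | Sort-Object -Unique
foreach ($name in $stale) { Write-Warning "Stale SRV target in DNS: $name" }
```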
 
LVL 5

Expert Comment

by:alicain
ID: 39781501
It is possible that these errors are occurring due to connectivity issues when communicating with the remote DNS server.

The "Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003" http://support.microsoft.com/kb/825036
discusses the pros and cons of using a local vs remote DNS server for primary/secondary DNS client settings. Given the errors you are seeing, switching to using the local DNS server as primary may prevent the errors.

Replacing the localhost 127.0.0.1 with the real IP address of the card listening for DNS has resolved oddities for me in the past, and I now always recommend doing that when I see it.

While moving the DNS client settings for primary and secondary DNS server may stop the errors, it will not fix the root cause. To address that, a network trace with Netmon or Wireshark at the time of an event being raised might give some insight.

Regards,
Alastair
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 39782016
You can test DNS for errors by running:
dcdiag /test:DNS on the servers giving you these errors and reviewing the errors.

Also see the solution to a previously asked question, which may be faster than posting your results here and waiting for a response.
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2012/Q_28114482.html#a39127952
0
 

Author Comment

by:encoad
ID: 39785278
Hi All,

I've changed the network settings as you've suggested.

There are no restricted network ports locally or across the VPN.

dcdiag /v /q did not report any errors.

dcdiag /test:DNS reports the following:

Performing initial setup:
   Trying to find home server...
   Home Server = MSPV-DC1
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Dongguan\MSPV-DC1
      Starting test: Connectivity
         ......................... MSPV-DC1 passed test Connectivity

Doing primary tests

   Testing server: Dongguan\MSPV-DC1

      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... MSPV-DC1 passed test DNS

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : Metro

   Running enterprise tests on : Metro.local
      Starting test: DNS
         Test results for domain controllers:

            DC: MSPV-DC1.Metro.local
            Domain: Metro.local


               TEST: Delegations (Del)
                  Error: DNS server: win-ydm3tgmz47v.metro.local. IP:<Unavailable> [Missing glue A record]

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: Metro.local
               MSPV-DC1                     PASS PASS PASS FAIL PASS PASS n/a

         ......................... Metro.local failed test DNS



I'm not sure what that server listed is or where to delete the references to it.
2014-01-16-Snag0010.png
2014-01-16-Snag0011.png
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 39785318
That name "win-*" looks like an auto-generated name from an image/sysprep build.
I'd suggest checking your DNS server settings to ensure that that name is not listed as a DNS server.

It could have been set up during testing/erroneously and never cleaned up.

You can also check your DNS delegation using nslookup to find out more information.
http://technet.microsoft.com/en-us/library/cc759437(v=ws.10).aspx
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39786003
Is this DC running with multiple live IP NICs?

Check/examine the places below for references to the removed DC.

Each and every sub-folder inside the _msdcs folder in DNS

Name Servers tab in DNS

Host records in DNS

Server object under NTDS Settings in AD Sites & Services

Open ADSIEDIT.MSC, connect to the configuration partition

CN=Configuration, DC=domain, DC=com > CN=Sites > locate the DC to be removed from the sites

Mahesh
0
 

Author Comment

by:encoad
ID: 39787296
Ok, I've done a search throughout each folder in the DNS tree and deleted all instances of the weird computer name. In the _msdcs folder, I pointed the name server record to a valid name server.

I get no errors now for dcdiag /test:DNS.

I am getting an error for dcdiag /v /q now, however. The internet is spotty here in China, so this could be a contributing factor.

If anyone sees anything that I've done as bad, please let me know. I'll watch it today and report back.
2014-01-17-Snag0012.png
2014-01-17-Snag0013.png
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39787627
From the DCDIAG errors it's clear that a public DNS server is configured somewhere in DNS which is not reachable/working:
There is a problem accessing the COM Service on a remote computer. To resolve this problem:
Ensure that the remote computer is online.
This problem may be the result of a firewall blocking the connection. For security, COM+ network access is not enabled by default. Check the system to determine whether the firewall is blocking the remote connection.
You can check the presence of the public DNS server from your network, maybe by telnetting to it on TCP port 53; just remove it from the configuration if you are not using it, or clear the port/firewall issues.

In case of the second error related to the system log: if you have error events in the DC system log, then the DCDIAG systemlog test will fail.
If you clear those system logs on the DC, then the next DCDIAG run will not log errors for the systemlog test.

I don't think the above errors are serious; just get rid of the public DNS server IP logged in DCDIAG.

Mahesh
0
 

Author Comment

by:encoad
ID: 39787842
Thank you all for your help so far, but I am still stuck.

FYI, my DCs are Hyper-V guests, only one NIC.

I've removed the 4.2.2.2 forwarder. My error is still appearing at random intervals. The strange thing is that I have two other DCs with DNS in this same network, connected to the same switch and router, and they are not experiencing any errors (they are Windows 2008 R2, however).

There is no firewall blocking any of the servers; they can all access port 53 to the internet and across the VPN.

I am receiving no errors with dcdiag /v /q.

Any other suggestions? Does 2012 DNS operate differently than 2008 R2? Could this account for the fact that the 2x 2008 DNS have no errors but both 2012 have errors?
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 39787889
Are you running DCDIAG from the 2008 machine against a 2012 machine?
I know that DCDIAG for 2008 generates errors when running against 2003 DCs.
This is because DCDIAG 2008 uses functions that don't exist on 2003, but I'm not sure about 2008 DCDIAG against 2012.

See discussion on another forum that says DCOM errors can be ignored.
http://social.technet.microsoft.com/Forums/windowsserver/en-US/caf4676f-d5ab-4443-9add-37d7bfb6b049/dcdiag-errors
0
 

Author Comment

by:encoad
ID: 39787939
Hello,

I am running DCDIAG on the actual machines that I am diagnosing.

What are the impacts if I try the following:

1.  Uninstall/Reinstall the DNS Role
2.  Uninstall/Reinstall the DC role

Will anything bad happen if I try?  I have 3 other DCs in this network and 2 more across a VPN, but I need to avoid any downtime.

Thanks in advance.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39788175
It's not a good step to uninstall and reinstall DNS, since the issue exists with just a single DNS entry.

Just check root hints, default forwarders and conditional forwarders, and NS records on all DNS servers for the presence of the 4.2.2.2 server address; if found, just remove it.
Also ensure that the 4.2.2.2 entry is not there in the DNS settings of the TCP/IP settings of all servers as a DNS server.

Then just restart the DNS Server service, run ipconfig /flushdns and dnscmd /clearcache, and then try to run dcdiag.

Mahesh
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 39788190

1.  Uninstall/Reinstall the DNS Role
2.  Uninstall/Reinstall the DC role

There are no guarantees that this would help to resolve your errors.

Check if this is a superfluous error:
DCDIAG /i /q
/i - Ignores superfluous error messages.
If the error does not appear, then it means it is an error that can be safely ignored.

From other issues like this that I've seen on the WWW, they've suggested checking that IPv6 IS enabled on the NIC and that there are no WINS servers entered.
0
 

Author Comment

by:encoad
ID: 39790151
Hi Guys,

DCDIAG /i /q gave some errors, but I believe these were related to the fact that I had one DC down as I was moving the VM from one server to another (as a test to see if the problem was hardware related).

4.2.2.2 is not anywhere else as far as I can see.

I've enabled IPv6; this did not fix things. No WINS is used.

I've run the flushdns and clearcache (then rebooted), waiting on the errors to appear again, or hopefully not. I'll know in a couple of hours.

I reran DCDIAG /I /Q after the reboot and got the following messages:

PS C:\Users\spvadmin> dcdiag /i /q
         An error event occurred.  EventID: 0x0000271A
            Time Generated: 01/18/2014   09:54:19
            Event String:
            The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
         An error event occurred.  EventID: 0x0000271A
            Time Generated: 01/18/2014   09:54:19
            Event String:
            The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
         An error event occurred.  EventID: 0x00000416
            Time Generated: 01/18/2014   09:55:17
            Event String:
            The DHCP/BINL service on the local machine, belonging to the Windows Administrative domain Metro.local, has
determined that it is not authorized to start.  It has stopped servicing clients.  The following are some possible reaso
ns for this:
         ......................... MSPV-DC1 failed test SystemLog



Not sure what this means or if it is important.

Thanks for all your help so far!
0
 

Author Comment

by:encoad
ID: 39790180
Just got another 4015...  No clue what else to try.
0
 

Author Comment

by:encoad
ID: 39790206
So I'd like to try DNS reinstall, any harm in that?
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39790307
Check if DHCP is authorized by an account having Enterprise Admins rights.
If yes, then try to start the DHCP service and let me know what happens.

Regarding the DCOM errors, you can clear the system logs on the server and check if you still receive errors in the systemlog DCDIAG test.

Is your replication working properly?

Mahesh
0
 

Author Comment

by:encoad
ID: 39790352
Hello Mahesh,

I've moved over my DHCP to this server, and deauthorized the DHCP on the other server.  We'll see if this has any impact.

I'll report back.
0
 

Author Comment

by:encoad
ID: 39791767
Ok, so I've deauthorized the DHCP server on the old working DC and I've authorized the new DCs as DHCP servers.  Same results.

Replication appears to be working correctly, but if you have some commands to run, I would appreciate it.

Thanks again.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39791838
Just go to adsiedit.msc, connect to the configuration container and navigate to the path
CN=NetServices,CN=Services,CN=Configuration,DC=yourdomain,DC=com and see whether any authorized servers are listed there.

Log on to the DHCP server with an account having Domain Admins and Enterprise Admins rights and
please follow the steps in the blog below for a step-by-step guide:
http://djadwinsvr.blogspot.in/2013/04/managing-dhcp-servers-active-directory.html

This will hopefully resolve your DHCP issue.

In order to check replication, use the commands below from an elevated command prompt:
Repadmin /syncall
Repadmin /showrepl

repadmin /replsum * /bysrc /bydest /sort:delta > C:\replsummary.txt
The above command will give you an idea about the replication status in the entire domain/forest.

Also, you may go to AD Sites and Services and trigger replication manually and check if it's working properly.

Also go to the DNS _msdcs.domain.com zone and ping all CNAME records you find for domain controllers.
They should resolve to the domain controllers' IP addresses. If you get errors here, then probably you need to restart the Netlogon service on the respective DNS server,
OR
go to AD Sites and Services\Sites\Servers\serverhostname\NTDS Settings properties; on the General tab you will find the DNS alias. Just copy that and check if you are able to ping it.
Hopefully you should, but if you get an error here, then probably the host (A) record is missing.
Once it starts resolving, replace the _msdcs CNAME record with the one found on the NTDS Settings tab.

Also check that no stale server object exists in AD Sites and Services.
I am assuming that you are using File Replication Service for SYSVOL replication.
Go to dsa.msc \ System \ File Replication Service or DFS, depending on your SYSVOL replication engine, and drill down to Domain System Volume; in the right-side pane check that the Name and Computer fields are pointing to the same server and that it exists (is valid) in AD as a domain controller.
If there is a mismatch between the two, you need to go to that object's properties and check the attributes below:
1. Check that the frsComputerReference attribute is pointing to the correct DN of the domain controller; correct it if you find it wrong. You will find that DN in the DC's properties in the Domain Controllers OU.

2. Check the ServerReference attribute; if it's pointing to the wrong DC, then you need to correct that entry.
In order to correct that entry, just go to the NTDS Settings properties of the affected DC in Sites and Services and copy the DN attribute from there.
Replace the ServerReference attribute value with the copied one.

Also check that all NS records are correct in that zone and in the domain.com zone.

I think the rest of the things you have already checked.

Mahesh
0
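An added example (not code from the thread) that automates the checks in the comment above: it resolves each DC's <NTDS Settings GUID>._msdcs CNAME alias, verifies that every NS record in the domain and _msdcs zones names a current DC with a glue A record (the "Missing glue A record" failure seen earlier), and compares the frsComputerReference and serverReference attributes of the FRS SYSVOL members with the live DCs. It assumes FRS-based SYSVOL and the ActiveDirectory and DnsClient modules on a Server 2012 DC.

```powershell
# Added example: audit _msdcs CNAME aliases, NS glue and FRS SYSVOL member references.
# Assumes ActiveDirectory + DnsClient modules; run in an elevated prompt on a DC.
Import-Module ActiveDirectory

$forest   = (Get-ADForest).RootDomain
$domain   = (Get-ADDomain).DNSRoot
$domainDn = (Get-ADDomain).DistinguishedName
$dcs      = Get-ADDomainController -Filter *

# 1. <objectGUID of NTDS Settings>._msdcs.<forest> must be a CNAME to the DC's A record.
foreach ($dc in $dcs) {
    $guid  = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID
    $alias = "$guid._msdcs.$forest"
    $r   = Resolve-DnsName -Name $alias -ErrorAction SilentlyContinue
    $ips = ($r | Where-Object { $_.Type -eq 'A' }).IPAddress
    if ($ips -notcontains $dc.IPv4Address) {
        Write-Warning "$alias does not resolve to $($dc.HostName); restart Netlogon on that DC"
    }
}

# 2. Every NS record for the domain and _msdcs zones must name a current DC that has an A record.
foreach ($zone in @($domain, "_msdcs.$forest")) {
    $nsRecords = Resolve-DnsName -Name $zone -Type NS -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'NS' }
    foreach ($ns in $nsRecords) {
        $name = $ns.NameHost.TrimEnd('.')
        if ($name -notin $dcs.HostName) {
            Write-Warning "$($zone): NS $name is not a current DC (stale NS record)"
        } elseif (-not (Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue)) {
            Write-Warning "$($zone): NS $name has no glue A record"
        }
    }
}

# 3. FRS SYSVOL members: frsComputerReference -> DC computer object,
#    serverReference -> that DC's NTDS Settings object. Anything else is stale.
$frsBase = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainDn"
$members = Get-ADObject -SearchBase $frsBase -LDAPFilter '(objectClass=nTFRSMember)' `
                        -Properties frsComputerReference, serverReference
foreach ($m in $members) {
    $computerOk = $dcs.ComputerObjectDN     -contains $m.frsComputerReference
    $serverOk   = $dcs.NTDSSettingsObjectDN -contains $m.serverReference
    if (-not ($computerOk -and $serverOk)) {
        Write-Warning ("FRS member {0}: frsComputerReference={1}; serverReference={2} " +
                       "-> stale or wrong; fix in ADSI Edit or run metadata cleanup") -f
                       $m.Name, $m.frsComputerReference, $m.serverReference
    }
}
```

A warning from step 3 that names a computer no longer in the domain corresponds to the stale Domain System Volume entry the thread goes on to discuss.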
 
LVL 26

Expert Comment

by:Leon Fester
ID: 39793503
The DCOM errors could just be permissions issues:
http://technet.microsoft.com/en-us/library/cc774175(v=ws.10).aspx

Basic permissions required:
Under the "Access Permissions" tab:
Everyone should have local and remote access
Anonymous should have local and remote access

Under the "Launch and Activation Permissions" tab:
Everyone should have Local Launch and Local Activation
Administrators and Distributed COM Users should have all
0
 

Author Comment

by:encoad
ID: 39793522
Hi Mahesh, thank you for your continued support.

I do not see anything strange in ADSIEDIT.

repadmin commands do not give any errors at all.

I've triggered replication without improvement.

I am able to ping all the CNAMEs.

I am seeing something weird in Active Directory.  The weird computer name is present, and one of the DCs that I plan to decommission is missing (MSPV-S1).  I am unclear what I should do to clean this up.  I've tried renaming the weird name to the missing one, but I do not know if this is my problem or even a viable solution.

All NS records appear to be correct.

Thanks.
2014-01-20-Snag0019.png
0
 

Author Comment

by:encoad
ID: 39793566
I've checked the COM permissions, they are ok.
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39793598
This sounds like an auto-generated name; maybe you have promoted a DC with the default server name, or something like a sysprepped machine.

If you are not able to view this name in the Domain Controllers OU or in AD Sites and Services, probably you have already removed that server from Active Directory.

Are you able to access/resolve that name by IP, hostname or RDP?

I guess it will not.
Just run metadata cleanup for that name in AD and, if you find a matching one, just delete it from the metadata.
Also delete that entry from the Domain System Volume as well and force AD replication so that it gets deleted from all domain controllers.

Probably you can try a DFSR propagation test to find out the stale entry:

http://www.adshotgyan.com/2010/12/dfsr-propagation-test-in-windows-2008.html

Then you need to monitor for the DNS 4015 event again.

Mahesh
0
 

Author Closing Comment

by:encoad
ID: 39809716
I'm awarding the points to Mahesh because he's been so helpful, but my 4015 errors seem to persist.  I even called Microsoft and they were unable to figure it out.

Thanks
0