DNS error 4015

Hello,

I have been having lingering problems for some time that I cannot seem to figure out. I have DNS errors on my child DC. The error is 4015 "Microsoft-Windows-Dns-Server-Service" with the message "The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error."

I do not see any errors, either DNS or replication errors, on the parent DC. The parent and child DCs are on dissimilar networks, i.e. parents (2) on 10.10.10.xx and the child (1) on 172.17.84.xx. All servers are Windows Server 2012 R2.

I have been plagued by these errors for quite some time and can't seem to get past them, so any insight would be incredibly helpful. This is my first time posting to this site as I am a new member, so I am sorry if I have not attached all the information that you require, but let me know anything that you all would want to see.

Thanks,
Brad
Asked by: Bradley Bishop (Associate Product Developer)
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
Run the command dcdiag from the child DC, post any errors you receive, and look at the event logs again, not just the application and system logs.

What operating systems are the domain controllers? When you say child DC, what does this mean? Is child DC a full domain controller or read only? What do you mean by child?

Run the dcdiag command from the primary DC and post any errors too, btw.
Bradley Bishop (Associate Product Developer, author) commented:
The domain controllers are all Windows Server 2012 R2. There are 3 domain controllers all in all: 2 as parents, Servername.xxx.com, and then one child, Servername.yyy.xxx.com (sorry, I don't know how this works with what everyone can see). It is a full DC.
Parentdc.txt
childdc.txt
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
It says in childdc that there are replication failures.

You need to follow the steps in this article. This will require troubleshooting; I will help you how I can.
https://support.microsoft.com/en-us/kb/2200187

1. View repadmin /showreps or /showrepl output on the destination DC
a. Identify Source DC in the output and list all win32 status messages per partition
b. The win32 status that is listed that is not a 1256 should be the focus of troubleshooting efforts
2. Using repadmin /showrepl * /csv output:
a. Filter column K, Last Failure Status: Deselect 0 and (Blanks)
b. Filter column C, Destination DSA: Deselect (Select All) and select just the DC where the 1256 status is logged
c. If 1256 is logged on more than one Source DC, Filter column F, Source DSA: Deselect (Select All) and Select just one DC to narrow the focus.
d. Column K, Last Failure Status will list the 1256’s along with the real win32 error that led to the RPC bind failure.
In the following example, win32 error 1722 is logged for the Configuration and Schema partitions and should be the focus of troubleshooting.

These steps are from the article. If you want my assistance on this issue, post the output of these commands.
If you need to get this issue resolved ASAP and I am not here, do not hesitate to contact MS support.

Also ensure the time and date are correct on all 3 domain controllers and confirm the Windows Time Service is started and running on all 3 servers, restart this service on all 3 servers too. This will ensure the actual service is running properly and not crashed.

Thanks
M
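The column C / column K filtering from the steps above, as an added PowerShell example that is not part of the original post or the Microsoft article: it reads repadmin /showrepl * /csv output, drops rows whose Last Failure Status is 0 or blank, and reports the non-1256 status per source DC. The function name Get-ReplFailureFocus and the sample rows (DC names, partitions, status codes) are constructed for illustration.

```powershell
# Constructed sample in the column layout of "repadmin /showrepl * /csv".
# DC names, partitions and status codes are made up for illustration.
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC3,"CN=Configuration,DC=example,DC=com",Default-First-Site-Name,DC1,RPC,12,6/19/2015 10:45,6/18/2015 09:45,1722
showrepl_INFO,Default-First-Site-Name,DC3,"CN=Schema,CN=Configuration,DC=example,DC=com",Default-First-Site-Name,DC1,RPC,12,6/19/2015 10:45,6/18/2015 09:45,1722
showrepl_INFO,Default-First-Site-Name,DC3,"DC=ForestDnsZones,DC=example,DC=com",Default-First-Site-Name,DC1,RPC,12,6/19/2015 10:45,6/18/2015 09:45,1256
showrepl_INFO,Default-First-Site-Name,DC3,"DC=example,DC=com",Default-First-Site-Name,DC2,RPC,0,0,6/19/2015 12:15,0
'@

# Hypothetical helper: applies the "deselect 0 and (Blanks)" filter on
# Last Failure Status, optionally narrows to one Destination DSA, and
# separates the generic 1256 status from the win32 error that caused it.
function Get-ReplFailureFocus {
    param(
        [string[]] $CsvLines,      # lines of repadmin /showrepl * /csv output
        [string]   $DestinationDsa # optional filter on the Destination DSA column
    )
    $rows = $CsvLines | Where-Object { $_ } | ConvertFrom-Csv |
        Where-Object { $_.'Last Failure Status' -and $_.'Last Failure Status' -ne '0' }
    if ($DestinationDsa) {
        $rows = $rows | Where-Object { $_.'Destination DSA' -eq $DestinationDsa }
    }
    # One result per destination/source pair, as in the manual column F filter.
    $rows | Group-Object 'Destination DSA', 'Source DSA' | ForEach-Object {
        $statuses = $_.Group.'Last Failure Status' | Sort-Object -Unique
        $real = @($statuses | Where-Object { $_ -ne '1256' })
        [pscustomobject]@{
            Destination = $_.Group[0].'Destination DSA'
            Source      = $_.Group[0].'Source DSA'
            Focus       = if ($real) { $real -join ',' } else { '1256 only' }
            Partitions  = ($_.Group |
                Where-Object { $_.'Last Failure Status' -ne '1256' }).'Naming Context'
        }
    }
}

# Run against the constructed sample; the DC3 <- DC1 link reports 1722 as the focus.
Get-ReplFailureFocus -CsvLines ($sampleCsv -split "`r?`n") -DestinationDsa 'DC3'

# On a domain controller, feed it the live output instead:
# Get-ReplFailureFocus -CsvLines (repadmin /showrepl * /csv)
```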

Bradley Bishop (Associate Product Developer, author) commented:
OK, I will go through the troubleshooting you recommended. Quick question: our child DC has 2 NICs, one of which feeds some Hyper-V VMs and the other is the primary adapter. The Hyper-V does not share its NIC with the host OS. What should the DNS settings of the primary NIC be?
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
NIC1 = your LAN NIC. The DNS settings for this NIC should be your Active Directory DNS server as primary and no external DNS servers like Google or anything that's not an Active Directory DNS server.

When you say child DC has a NIC that feeds VMs, what does this mean? What server is the Hyper-V host?

Are these 3 domain controllers physical or virtual? What is the host server? Hyper-V or VMware?
Bradley Bishop (Associate Product Developer, author) commented:
On the child DC, should it be the Active Directory DNS server on the child or the parent?

The child DC is a physical server and (out of necessity) has Hyper-V installed on it and is currently running 2 VMs, but now that we have extra hardware we are migrating some things off of them. The parent DCs are virtual on VMware.
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
1. It's Microsoft recommended not to have the Hyper-V role installed on a DC.

2. Child DC, or let's just call it DC3 as per the diagram below, should have a DNS setup like below. Primary DNS should be DC1 IP and secondary DNS should be DC2 IP. DC1 and DC2 should forward external DNS queries through root hints; this is Microsoft recommended again.

DC1 PDC and all role holders. DC1 runs DNS.
DC2 runs DNS and DHCP
DC3

Is "Child DC" a global catalog server? Does it hold any FSMO roles? Which domain controller hosts the 5 FSMO roles? Have we checked the steps I outlined above?

Again, why are we calling it Child DC?

Bradley Bishop (Associate Product Developer, author) commented:
1. Yes, I am aware and was not too excited when I started here and found this. We are in the process of migrating everything off and I will then remove the Hyper-V role.

2. OK, that is what I thought, but I got some different feedback from another guy so just wanted to be sure.

DC3 is a global catalog server. I know that DC1 holds FSMO roles but I'm not sure if this one does or not. How do I check this? I am running through the steps now.

Our infrastructure is set up as follows.

DC1 and DC1 on the XXX.com domain have IPs of 10.10.10.ppp (hosted in NJ by a separate company) and support our application servers and a few other things that are connected to that domain. DC3 on the internal.xxx.com domain has an IP of 172.17.84.xxx (hosted internally by myself and team) and has all of our user computers connected to it.

The networks are joined and can talk to one another.
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
Run the following command:

netdom query fsmo
Bradley Bishop (Associate Product Developer, author) commented:
Ran the command and the results are:

Schema master - DC1
Domain naming master - DC1
PDC - DC3
RID pool Manager - DC3
Infrastructure master - DC3
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
OK, can we ensure the time is correct to the minute on all 3 DCs? Let's not worry about DC3 having access to 2 x networks for now.

Once we've verified the time on the three DCs is correct to the minute and the time service is running and started, I'd like you to go through the steps to check the repadmin links in the MS support article above. We need more information on these errors; find the corresponding TechNet articles when you investigate the errors more.
Bradley Bishop (Associate Product Developer, author) commented:
All times were correct but I did restart the time services on all servers as you requested. I also switched the DNS settings on the primary NIC.

I ran your steps above and have attached the result.
repadmin.csv
Bradley Bishop (Associate Product Developer, author) commented:
I re-ran the DCDiag and everything looks to be passing now. I have attached it below.
childdc.txt
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
Please paste the info up here, I am not opening this file.
Bradley Bishop (Associate Product Developer, author) commented:
showrepl_COLUMNS      Destination DSA Site      Destination DSA      Naming Context      Source DSA Site      Source DSA      Transport Type      Number of Failures      Last Failure Time      Last Success Time      Last Failure Status
showrepl_INFO      Default-First-Site-Name      DC3      CN=Configuration,DC=xxx,DC=com      Default-First-Site-Name      DC2      RPC      0      0      6/19/2015 11:45      0
showrepl_INFO      Default-First-Site-Name      DC3      CN=Configuration,DC=xxx,DC=com      Default-First-Site-Name      DC1      RPC      0      0      6/19/2015 11:45      0
showrepl_INFO      Default-First-Site-Name      DC3      CN=Schema,CN=Configuration,DC=xxx,DC=com      Default-First-Site-Name      DC1      RPC      0      0      6/19/2015 11:45      0
showrepl_INFO      Default-First-Site-Name      DC3      CN=Schema,CN=Configuration,DC=xxx,DC=com      Default-First-Site-Name      DC2      RPC      0      0      6/19/2015 11:45      0
showrepl_INFO      Default-First-Site-Name      DC3      DC=ForestDnsZones,DC=xxx,DC=com      Default-First-Site-Name      DC1      RPC      0      0      6/19/2015 11:45      0
showrepl_INFO      Default-First-Site-Name      DC3      DC=ForestDnsZones,DC=xxx,DC=com      Default-First-Site-Name      DC2      RPC      0      0      6/19/2015 11:45      0
showrepl_INFO      Default-First-Site-Name      DC3      DC=xxx,DC=com      Default-First-Site-Name      DC2      RPC      0      0      6/19/2015 12:15      0
showrepl_INFO      Default-First-Site-Name      DC3      DC=xxx,DC=com      Default-First-Site-Name      DC1      RPC      0      0      6/19/2015 12:15      0
showrepl_INFO      Default-First-Site-Name      DC2      DC=xxx,DC=com      Default-First-Site-Name      DC1      RPC      0      0      6/19/2015 12:15      0
showrepl_INFO      Default-First-Site-Name      DC2      CN=Configuration,DC=xxx,DC=com      Default-First-Site-Name      DC3      RPC      0      0      6/19/2015 11:55      0
showrepl_INFO      Default-First-Site-Name      DC2      CN=Configuration,DC=xxx,DC=com      Default-First-Site-Name      DC1      RPC      0      0      6/19/2015 11:55      0
showrepl_INFO      Default-First-Site-Name      DC2      CN=Schema,CN=Configuration,DC=xxx,DC=com      Default-First-Site-Name      DC1      RPC      0      0      6/19/2015 11:55      0
showrepl_INFO      Default-First-Site-Name      DC2      CN=Schema,CN=Configuration,DC=xxx,DC=com      Default-First-Site-Name      DC3      RPC      0      0      6/19/2015 11:55      0
showrepl_INFO      Default-First-Site-Name      DC2      DC=DomainDnsZones,DC=xxx,DC=com      Default-First-Site-Name      DC1      RPC      0      0      6/19/2015 11:55      0
showrepl_INFO      Default-First-Site-Name      DC2      DC=ForestDnsZones,DC=xxx,DC=com      Default-First-Site-Name      DC1      RPC      0      0      6/19/2015 11:55      0
showrepl_INFO      Default-First-Site-Name      DC2      DC=ForestDnsZones,DC=xxx,DC=com      Default-First-Site-Name      DC3      RPC      0      0      6/19/2015 11:55      0
showrepl_INFO      Default-First-Site-Name      DC2      DC=internal,DC=xxx,DC=com      Default-First-Site-Name      DC1      RPC      0      0      6/19/2015 11:55      0
showrepl_INFO      Default-First-Site-Name      DC2      DC=internal,DC=xxx,DC=com      Default-First-Site-Name      DC3      RPC      0      0      6/19/2015 12:15      0
showrepl_INFO      Default-First-Site-Name      DC1      DC=xxx,DC=com      Default-First-Site-Name      DC2      RPC      0      0      6/19/2015 12:15      0
showrepl_INFO      Default-First-Site-Name      DC1      CN=Configuration,DC=xxx,DC=com      Default-First-Site-Name      DC2      RPC      0      0      6/19/2015 11:45      0
showrepl_INFO      Default-First-Site-Name      DC1      CN=Configuration,DC=xxx,DC=com      Default-First-Site-Name      DC3      RPC      0      0      6/19/2015 11:45      0
showrepl_INFO      Default-First-Site-Name      DC1      CN=Schema,CN=Configuration,DC=xxx,DC=com      Default-First-Site-Name      DC2      RPC      0      0      6/19/2015 11:45      0
showrepl_INFO      Default-First-Site-Name      DC1      CN=Schema,CN=Configuration,DC=xxx,DC=com      Default-First-Site-Name      DC3      RPC      0      0      6/19/2015 11:45      0
showrepl_INFO      Default-First-Site-Name      DC1      DC=DomainDnsZones,DC=xxx,DC=com      Default-First-Site-Name      DC2      RPC      0      0      6/19/2015 11:45      0
showrepl_INFO      Default-First-Site-Name      DC1      DC=ForestDnsZones,DC=xxx,DC=com      Default-First-Site-Name      DC2      RPC      0      0      6/19/2015 11:45      0
showrepl_INFO      Default-First-Site-Name      DC1      DC=ForestDnsZones,DC=xxx,DC=com      Default-First-Site-Name      DC3      RPC      0      0      6/19/2015 11:45      0
showrepl_INFO      Default-First-Site-Name      DC1      DC=internal,DC=xxx,DC=com      Default-First-Site-Name      DC2      RPC      0      0      6/19/2015 11:45      0
showrepl_INFO      Default-First-Site-Name      DC1      DC=internal,DC=xxx,DC=com      Default-First-Site-Name      DC3      RPC      0      0      6/19/2015 12:16      0
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
OK good, I can't see any failures there. It's hard to read but it looks like changing the DNS resolved this one.

The dcdiag errors are gone. Good stuff.

I do need you to confirm though that all the errors are resolved.

I would wait 24 hours and check it again; if they are still resolved, that is good.

Also, unless you have a trust to another AD forest, I'd have all 5 FSMO roles on DC1. Be careful doing this though. If your company has money, use MS support once-off incident.
Bradley Bishop (Associate Product Developer, author) commented:
It's all in one forest. What implications could it bring transferring all FSMO roles to DC1?
Bradley Bishop (Associate Product Developer, author) commented:
If I run the FSMO command you gave me on DC1, it says that it holds all the FSMO roles? Is it possible they are conflicting?
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
Sounds like the replication issue is resolved from the dcdiag. Sounds like the DNS and replication are interlinked too.

You're now running a correct primary and secondary DNS configuration on all 3 DCs. Just ensure the 2 DCs you're using as DNS servers are actually running the DNS service.

Regarding FSMO roles, they should be all on DC1 unless you're running forest trusts; then MS recommend you host the infrastructure role on a non-GC DC.
Bradley Bishop (Associate Product Developer, author) commented:
Very helpful and took the time to explain everything thoroughly
Bradley Bishop (Associate Product Developer, author) commented:
Thank you, I will definitely keep that handy and I will see how things go on this and let you know!
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
np I should have known apols. I have hire me enabled.