RhoSysAdmin

Event error 4015 on RODC on perimeter network

We have a pair of W2K12 RODCs on a perimeter network. They've been around for a while now. We recently discovered both are seeing the same DNS error. This error repeats every 5 minutes.

Log Name:      DNS Server
Source:        Microsoft-Windows-DNS-Server-Service
Date:          6/7/2021 9:36:13 PM
Event ID:      4015
Task Category: None
Level:         Error
Keywords:      (131072)
User:          SYSTEM
Computer:      RODC2
Description:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.
Event Xml:

I'm wondering if these errors are due to the network settings on each RODC, both of which point to 127.0.0.1 as their preferred DNS server, and the closest writable DC as their alternate DNS server. These settings are based on recommendations in Microsoft's article - Modify the DNS client settings of an RODC.

I ran a "dcdiag /test:dns" on the RODC and saw this:

DNS server: 10.2.##.xx (dc1.xxx.com.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 10.2.##.xx              

DNS server: 10.2.##.yy (dc2.xxxx.com.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 10.2.##.yy              

"dc1" and "dc2" are in the home "site" and are not directly accessible by the RODC (in the perimeter network). There are two writable DCs in a neighboring site to the perimeter network that did not generate any errors.

So is my problem in my network settings on the RODCs or is this a red herring I should just ignore?



Windows Server 2012, Networking, Active Directory, DNS

Craig Beck

It's a red herring. There should never be a PTR record for loopback addresses in DNS.

As long as your RODCs use themselves as primary DNS and a different box as secondary DNS you should be fine.

arnold

Test your DNS:

nslookup www.somedomain.com and see what it gets
nslookup -q=srv _ldap._tcp.dc._msdcs.youraddomainname.com

See what you get.

Double-check that your AD/DNS replication is not having issues.

See if the following matches the error code and possibly offers a solution to resolve it.
https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/rodc-logs-event-4015-error-00002095

RhoSysAdmin

ASKER

The first nslookup command (run from the RODC) works.  The second nslookup command lists all the writable DC's in my domain (across all sites), plus the two RODC's.  But the odd thing is the RODC's are listed twice.  Once with the NetBIOS name in small caps, and a second entry with just the NetBIOS name in ALL CAPS.  The domain portion of the FQDN for the RODC's is all lowercase for both entries.  So I see

rodc1.mydomain.com
RODC1.mydomain.com

Is this expected or an indicator of a fragment, even though I haven't touched RODC1? I've only experimented with RODC2.

arnold

The response is coming from the 127.0.0.1 server, correct?
The detail part of the error may help identify what the issue is attributed to.

Not sure what it was looking up, or trying to do when this event occurred.

Try this:
in an elevated command, run
ipconfig /registerdns to see whether the event will coincide with the attempt to register the IP in DNS?
Do you have a local host zone, 127.0.0?
1 IN PTR localhost.

It can be AD-integrated since it reflects the same thing on every system.

Is there a frequency at which this event shows up?

Craig Beck

As DNS is AD-integrated, the same records will be replicated across each server, unless you don't integrate the zone in DNS. This is completely pointless though as the server already knows that 127.0.0.1 is itself.

RhoSysAdmin

ASKER

Looking through my DNS, mainly at _msdcs.mydomain.com, I see duplicate "service location" records in the various "_tcp" folders under _msdcs.mydomain.com for both of my RODCs. I do NOT see duplicate records for any of our writable DCs.

The "rodc1.mydomain.com" records are all older (some from 2018, some from 2020, some from March of 2021).

The "RODC1.mydomain.com" records are from the past week.

Admittedly this may have nothing to do with my 4015 errors.  But I certainly have additional DNS issues wrt our RODCs, correct?

In another discussion on this forum, we're trying to figure out why these RODCs will not connect to newer writable DCs. These 4015 errors, as well as these "extra" DNS records pre-date any of the site connections we started testing late last week.
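
An added example, not part of the original thread: one way to list SRV records in the _msdcs zone whose targets differ only by letter case, oldest first, so the stale lowercase registrations stand out. The function name, the Owner/Target/Timestamp record shape and the sample records are assumptions constructed for illustration.

```powershell
# Added example: flag SRV targets that differ only by letter case.
# Function name and record shape (Owner/Target/Timestamp) are hypothetical.
function Find-CaseDuplicateSrvTarget {
    param([Parameter(Mandatory)] [object[]] $Record)

    # Group case-insensitively on owner + target so rodc1/RODC1 land together.
    $Record |
        Group-Object -Property { ('{0}|{1}' -f $_.Owner, $_.Target).ToLowerInvariant() } |
        ForEach-Object {
            # A default HashSet[string] compares ordinally, i.e. case-sensitively.
            $spellings = New-Object 'System.Collections.Generic.HashSet[string]'
            foreach ($r in $_.Group) { [void]$spellings.Add($r.Target) }

            # Report only targets registered under more than one spelling.
            if ($spellings.Count -gt 1) {
                foreach ($r in ($_.Group | Sort-Object Timestamp)) {
                    [pscustomobject]@{
                        Owner     = $r.Owner
                        Target    = $r.Target
                        Timestamp = $r.Timestamp
                    }
                }
            }
        }
}

# Constructed sample input (not taken from a real zone).
$sample = @(
    [pscustomobject]@{ Owner = '_ldap._tcp.dc'; Target = 'rodc1.mydomain.com.'; Timestamp = [datetime]'2018-05-01' }
    [pscustomobject]@{ Owner = '_ldap._tcp.dc'; Target = 'RODC1.mydomain.com.'; Timestamp = [datetime]'2021-06-03' }
    [pscustomobject]@{ Owner = '_ldap._tcp.dc'; Target = 'dc3.mydomain.com.';   Timestamp = [datetime]'2021-06-01' }
    [pscustomobject]@{ Owner = '_kerberos._tcp.dc'; Target = 'rodc2.mydomain.com.'; Timestamp = [datetime]'2020-11-10' }
    [pscustomobject]@{ Owner = '_kerberos._tcp.dc'; Target = 'RODC2.mydomain.com.'; Timestamp = [datetime]'2021-06-04' }
)

Find-CaseDuplicateSrvTarget -Record $sample | Format-Table -AutoSize

# Against a live DNS server (DnsServer module), map real records to the same shape:
# Get-DnsServerResourceRecord -ZoneName '_msdcs.mydomain.com' -RRType Srv |
#     Select-Object @{n='Owner';e={$_.HostName}},
#                   @{n='Target';e={$_.RecordData.DomainName}}, Timestamp
```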

RhoSysAdmin

ASKER

[update re: duplicate service records] It appears when we replaced our W2K12 PDC with a W2K19 DC, I checked the box for one of the scenarios in the following article - Windows DNS registers duplicate SRV records for a DC if its computer name has uppercase letters. The catch is it's only the W2K12 RODCs that are showing duplicate records.  

The problem is while we're running a more recent CU on all our W2K19 DCs, they don't have the "Use lowercase DNS host names when registering domain controller SRV records" registry key mentioned in the article.  

I'm starting to think I should replace these W2K19 RODCs as we've been doing with the writable DCs.  I have no idea if it will solve any of our DNS issues.


RhoSysAdmin

ASKER

So I keep finding one thing after another with these W2K12 RODCs (replication, DNS errors, duplicate DNS service location records).  I'm thinking the best thing would be to demote each RODC, make sure all fragments and DNS remnants are gone, and replace it with a new W2K19 server-core RODC.  

That said, do you have a go-to doc on creating an RODC on W2K19 server-core? I have what I used to create these W2K12 server-core RODCs. But my references are a little dated at this point.

arnold

There are several guides online


Have a look at
https://www.microsoft.com/en-us/windows-server/windows-admin-center