Критическая ошибка active directory 4015

Event ID 4015 — DNS Server Active Directory Integration

Originally published: November 13, 2007 at: http://technet.microsoft.com/en-us/library/cc735674(WS.10).aspx 

Applies To

Windows Server 2008

(This wiki page is part of a pilot program to remove topics such as this one from the TechNet and MSDN libraries and move them to the wiki.)  

You can configure the DNS Server service to use Active Directory Domain Services (AD DS) to store zone data. This makes it possible for the DNS server to rely on directory replication, which enhances security, reliability, and ease of administration.

Event Details

Resolve

Troubleshoot AD DS and restart the DNS Server service

The DNS Server service relies on Active Directory Domain Services (AD DS) to store and retrieve information for AD DS-integrated zones. This error indicates that AD DS is not responding to requests from the DNS Server service. Ensure that AD DS is functioning properly, troubleshoot any problems, and then restart the DNS Server service.

For information about troubleshooting AD DS, see Active Directory Troubleshooting Topics  (http://go.microsoft.com/fwlink/?LinkId=95789).

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To restart the DNS Server service:

1. On the DNS server, start Server Manager. To start Server Manager, click Start, click Administrative Tools, and then click Server Manager.
2. In the console tree, expand Roles, expand DNS Server, and then expand DNS.
3. Right-click the DNS server, click All Tasks, and then click Restart.

If the problem continues, restart the computer and then use Server Manager to confirm that the DNS Server service has started.

To restart the computer:

• Click Start, click the arrow next to the Lock button, and then click Restart.

To confirm that the DNS Server service has started:

1. On the DNS server, start Server Manager.
2. In the console tree, expand Roles, and then click DNS Server.

The System Services list shows the state of the DNS Server service.

Verify

Ensure that Event IDs 4523 and 4524 are being logged and that no events in the range 4000 to 4019 appear in the Domain Name System (DNS) event log.

Related Management Information

DNS Server Active Directory Integration (TechNet Library)

DNS Infrastructure (TechNet Library)

Hi

We have a 2008 functional level active drirectory running on two domain controllers — 2008 Standard and 2012 R2 Standard. DNS is active directory integrated and is installed on both DC’s. DHCP was installed on the 2008 DC, but was migrated over to the 2012
DC a few weeks ago as per the instructions here: http://www.brycematheson.io/how-to-migrate-dhcp-from-windows-server-2008-to-2012-2016/

We have a mix of static IP’s and dynamic IP’s. DHCP lease length is set to 8 hours.

After the migration I disabled the DHCP service on the 2008 server. A few hiccups occurred with mismatched DNS A and PTR records during thre next few days. After I cleaned those up I removed the DHCP role from the 2008 server.

About a week ago I noticed that while domain joined computers’ DNS records were fine, guest devices running Android and Apple OS, all of which were being assigned dynamic addresses had two PTR records — one current and one stale.

I deleted the stale records and did some research. I changed the DHCP IPv4 Advanced Properties so that conflict detection attempts was changed from 0 to 1, and created a dedicated AD account named DHCProtocol to use for DNS dynamic update registration credentials
and set its password to never expire.

I was looking at the DNS logs yesterday and noticed many 4015 events. Note that these events only occurr on the 2012 server which hosts the DHCP role:

Log Name:      DNS Server
Source:        Microsoft-Windows-DNS-Server-Service
Date:          12/04/2018 13:14:04
Event ID:      4015
Task Category: None
Level:         Error
Keywords:      (131072)
User:          HTLINCSDHCProtocol
Computer:      Atlas.htlincs.local
Description:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is «0000051B: AtrErr: DSID-030F22B2, #1:
    0: 0000051B: DSID-030F22B2, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)». The event data contains the error.

There are other accounts listed with 4051, but these are machine-name$ accounts. The majority of the entries reference the user as DHCProtocol.

More research led to this article: https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c03366032. I restarted all our servers to install the lastest round of Windows Updates and hoped the restart might resolve the issue but the 4015 events continued
to be logged.

I set the diagnostic logging for Directory Access to 5 as per the hpe.com article. The next 4015 error (shown above) coincided with the following from the Directory Access log:

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          12/04/2018 13:14:04
Event ID:      1175
Task Category: Directory Access
Level:         Information
Keywords:      Classic
User:          SYSTEM
Computer:      Atlas.htlincs.local
Description:
Internal event: A privileged operation (rights required = 0x) on object DC=152,DC=0.168.192.in-addr.arpa,cn=MicrosoftDNS,DC=ForestDnsZones,DC=htlincs,DC=local failed because a non-security related error occurred.

Immediately followed by:

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          12/04/2018 13:14:04
Event ID:      1174
Task Category: Directory Access
Level:         Information
Keywords:      Classic
User:          HTLINCSDHCProtocol
Computer:      Atlas.htlincs.local
Description:
Internal event: A privileged operation (rights required = 0x) was successfully performed on object DC=152,DC=0.168.192.in-addr.arpa,cn=MicrosoftDNS,DC=ForestDnsZones,DC=htlincs,DC=local.

Having got this far, I am not sure how to proceed. Can anyone help me with this, or to understand what is happening please?

Thanks.

Hi

We have a 2008 functional level active drirectory running on two domain controllers — 2008 Standard and 2012 R2 Standard. DNS is active directory integrated and is installed on both DC’s. DHCP was installed on the 2008 DC, but was migrated over to the 2012
DC a few weeks ago as per the instructions here: http://www.brycematheson.io/how-to-migrate-dhcp-from-windows-server-2008-to-2012-2016/

We have a mix of static IP’s and dynamic IP’s. DHCP lease length is set to 8 hours.

After the migration I disabled the DHCP service on the 2008 server. A few hiccups occurred with mismatched DNS A and PTR records during thre next few days. After I cleaned those up I removed the DHCP role from the 2008 server.

About a week ago I noticed that while domain joined computers’ DNS records were fine, guest devices running Android and Apple OS, all of which were being assigned dynamic addresses had two PTR records — one current and one stale.

I deleted the stale records and did some research. I changed the DHCP IPv4 Advanced Properties so that conflict detection attempts was changed from 0 to 1, and created a dedicated AD account named DHCProtocol to use for DNS dynamic update registration credentials
and set its password to never expire.

I was looking at the DNS logs yesterday and noticed many 4015 events. Note that these events only occurr on the 2012 server which hosts the DHCP role:

Log Name:      DNS Server
Source:        Microsoft-Windows-DNS-Server-Service
Date:          12/04/2018 13:14:04
Event ID:      4015
Task Category: None
Level:         Error
Keywords:      (131072)
User:          HTLINCSDHCProtocol
Computer:      Atlas.htlincs.local
Description:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is «0000051B: AtrErr: DSID-030F22B2, #1:
    0: 0000051B: DSID-030F22B2, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)». The event data contains the error.

There are other accounts listed with 4051, but these are machine-name$ accounts. The majority of the entries reference the user as DHCProtocol.

More research led to this article: https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c03366032. I restarted all our servers to install the lastest round of Windows Updates and hoped the restart might resolve the issue but the 4015 events continued
to be logged.

I set the diagnostic logging for Directory Access to 5 as per the hpe.com article. The next 4015 error (shown above) coincided with the following from the Directory Access log:

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          12/04/2018 13:14:04
Event ID:      1175
Task Category: Directory Access
Level:         Information
Keywords:      Classic
User:          SYSTEM
Computer:      Atlas.htlincs.local
Description:
Internal event: A privileged operation (rights required = 0x) on object DC=152,DC=0.168.192.in-addr.arpa,cn=MicrosoftDNS,DC=ForestDnsZones,DC=htlincs,DC=local failed because a non-security related error occurred.

Immediately followed by:

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          12/04/2018 13:14:04
Event ID:      1174
Task Category: Directory Access
Level:         Information
Keywords:      Classic
User:          HTLINCSDHCProtocol
Computer:      Atlas.htlincs.local
Description:
Internal event: A privileged operation (rights required = 0x) was successfully performed on object DC=152,DC=0.168.192.in-addr.arpa,cn=MicrosoftDNS,DC=ForestDnsZones,DC=htlincs,DC=local.

Having got this far, I am not sure how to proceed. Can anyone help me with this, or to understand what is happening please?

Thanks.

Event 4015 when running DNS on RODC can be resolved with this handy guide from our experts. 

At Bobcares, we offer solutions for every query, big and small, as a part of our Server Management Services.

Let’s take a look at how our Support Team is ready to help customers with Event 4015 when running DNS on RODC.

How to fix Event 4015 when running DNS on RODC

Event 4015 often occurs when we run the Domain Name Service role on an RODC (Read-Only Domain Controller) in addition to a writable Domain Controller (hosting DNS) being inaccessible.

According to our Support Team, we can see the event logged on the RODC as seen below:

Log Name: DNS Server
Source: Microsoft-Windows-DNS-Server-Service
Date: date time
Event ID: 4015
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: computer_name
Description:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is “00002095: SvcErr: DSID-03210A6A, problem 5012 (DIR_ERROR), data 16”. The event data contains the error.

After careful analysis, our Support Techs have come to the conclusion that when an RODC locates a writeable DNS server in order to perform ReplicateSingleObject (RSO), the DSGETDC function occurs with that the following flags:

DS_AVOID_SELF
DS_TRY_NEXTCLOSEST_SITE
DS_DIRECTORY_SERVICE_6_REQUIRED
DS_WRITEABLE_REQUIRED

Furthermore, after DC returns from the DSGETDC call, it utilizes the results to look for the NS record in DNS. In case DSGETDC call fails or is not able to locate the NS record of the DC from the DSGETDC, thereby logging error 4105. Additionally, here are two reasons, that may be the cause behind the 4105 error:

• No accessible writeable DC or none returned after DSGETDC call.
• A successful DSGETDC call, but the returned DC does not have the DNS Server Role installed or does not have an NS record in DNS.

Moreover, we can run the following command from RODC in order to check which DC comes back as a result of the DSGETDC call:

nltest /dsgetdc: DOMAIN.COM /WRITABLE /AVOIDSELF /TRY_NEXT_CLOSEST_SITE/DS_6

Here DOMAIN.COM is our domain name.

Fortunately, we can resolve this issue by ensuring there is a writeable DC accessible from the RODC, ensuring that the DNS Server role is installed on the DC in addition to the NS record in DNS for the writeable DC.

[Looking for a solution to another query? We are just a click away.]

Conclusion

In brief, our skilled Support Engineers at Bobcares demonstrated how to deal with Event 4015 when running DNS on RODC.