Критическая ошибка active directory 4015

Event ID 4015 — DNS Server Active Directory Integration

Originally published: November 13, 2007 at: http://technet.microsoft.com/en-us/library/cc735674(WS.10).aspx 

Table of Contents

  • Applies To
  • Event Details
  • Resolve
    • Troubleshoot AD DS and restart the DNS Server service
  • Verify
  • Related Management Information

Applies To

Windows Server 2008

(This wiki page is part of a pilot program to remove topics such as this one from the TechNet and MSDN libraries and move them to the wiki.)  

You can configure the DNS Server service to use Active Directory Domain Services (AD DS) to store zone data. This makes it possible for the DNS server to rely on directory replication, which enhances security, reliability, and ease of administration.

Event Details

Product:  Windows Operating System 
Event ID: 4015 
Source: Microsoft-Windows-DNS-Server-Service 
Version: 6.0 
Symbolic Name:  DNS_EVENT_DS_INTERFACE_ERROR 
Message: The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "%1". The event data contains the error.

 

Resolve

Troubleshoot AD DS and restart the DNS Server service

The DNS Server service relies on Active Directory Domain Services (AD DS) to store and retrieve information for AD DS-integrated zones. This error indicates that AD DS is not responding to requests from the DNS Server service. Ensure that AD DS is functioning properly, troubleshoot any problems, and then restart the DNS Server service.

For information about troubleshooting AD DS, see Active Directory Troubleshooting Topics  (http://go.microsoft.com/fwlink/?LinkId=95789).

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To restart the DNS Server service:

  1. On the DNS server, start Server Manager. To start Server Manager, click Start, click Administrative Tools, and then click Server Manager.
  2. In the console tree, expand Roles, expand DNS Server, and then expand DNS.
  3. Right-click the DNS server, click All Tasks, and then click Restart.

If the problem continues, restart the computer and then use Server Manager to confirm that the DNS Server service has started.

To restart the computer:

  • Click Start, click the arrow next to the Lock button, and then click Restart.

To confirm that the DNS Server service has started:

  1. On the DNS server, start Server Manager.
  2. In the console tree, expand Roles, and then click DNS Server.

The System Services list shows the state of the DNS Server service.

Verify

Ensure that Event IDs 4523 and 4524 are being logged and that no events in the range 4000 to 4019 appear in the Domain Name System (DNS) event log.

Related Management Information

DNS Server Active Directory Integration (TechNet Library)

DNS Infrastructure (TechNet Library)

I’ve recently installed a Windows Server 2012 domain controller in one of our branch offices; all seems to be running well but have noticed I keep getting a repeating DNS error which is very vague and I can’t find out what the problem is an how to fix:

«The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is «». The event data contains the error.»

The domain is a mixture of 2003, 2008 & 2012 dc/dns.

Does anyone know what the issue could be?

Event 4015 when running DNS on RODC can be resolved with this handy guide from our experts. 

At Bobcares, we offer solutions for every query, big and small, as a part of our Server Management Services.

Let’s take a look at how our Support Team is ready to help customers with Event 4015 when running DNS on RODC.

How to fix Event 4015 when running DNS on RODC

Event 4015 often occurs when we run the Domain Name Service role on an RODC (Read-Only Domain Controller) in addition to a writable Domain Controller (hosting DNS) being inaccessible.

According to our Support Team, we can see the event logged on the RODC as seen below:

Log Name: DNS Server
Source: Microsoft-Windows-DNS-Server-Service
Date: date time
Event ID: 4015
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: computer_name
Description:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is “00002095: SvcErr: DSID-03210A6A, problem 5012 (DIR_ERROR), data 16”. The event data contains the error.

After careful analysis, our Support Techs have come to the conclusion that when an RODC locates a writeable DNS server in order to perform ReplicateSingleObject (RSO), the DSGETDC function occurs with that the following flags:

DS_AVOID_SELF
DS_TRY_NEXTCLOSEST_SITE
DS_DIRECTORY_SERVICE_6_REQUIRED
DS_WRITEABLE_REQUIRED

Furthermore, after DC returns from the DSGETDC call, it utilizes the results to look for the NS record in DNS. In case DSGETDC call fails or is not able to locate the NS record of the DC from the DSGETDC, thereby logging error 4105. Additionally, here are two reasons, that may be the cause behind the 4105 error:

  • No accessible writeable DC or none returned after DSGETDC call.
  • A successful DSGETDC call, but the returned DC does not have the DNS Server Role installed or does not have an NS record in DNS.

Moreover, we can run the following command from RODC in order to check which DC comes back as a result of the DSGETDC call:

nltest /dsgetdc: DOMAIN.COM /WRITABLE /AVOIDSELF /TRY_NEXT_CLOSEST_SITE/DS_6

Here DOMAIN.COM is our domain name.

Fortunately, we can resolve this issue by ensuring there is a writeable DC accessible from the RODC, ensuring that the DNS Server role is installed on the DC in addition to the NS record in DNS for the writeable DC.

[Looking for a solution to another query? We are just a click away.]

Conclusion

In brief, our skilled Support Engineers at Bobcares demonstrated how to deal with Event 4015 when running DNS on RODC.

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED


Event ID 4015 — DNS Server Active Directory Integration

Originally published: November 13, 2007 at: http://technet.microsoft.com/en-us/library/cc735674(WS.10).aspx 

Table of Contents

  • Applies To
  • Event Details
  • Resolve
    • Troubleshoot AD DS and restart the DNS Server service
  • Verify
  • Related Management Information

Applies To

Windows Server 2008

(This wiki page is part of a pilot program to remove topics such as this one from the TechNet and MSDN libraries and move them to the wiki.)  

You can configure the DNS Server service to use Active Directory Domain Services (AD DS) to store zone data. This makes it possible for the DNS server to rely on directory replication, which enhances security, reliability, and ease of administration.

Event Details

Product:  Windows Operating System 
Event ID: 4015 
Source: Microsoft-Windows-DNS-Server-Service 
Version: 6.0 
Symbolic Name:  DNS_EVENT_DS_INTERFACE_ERROR 
Message: The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "%1". The event data contains the error.

Resolve

Troubleshoot AD DS and restart the DNS Server service

The DNS Server service relies on Active Directory Domain Services (AD DS) to store and retrieve information for AD DS-integrated zones. This error indicates that AD DS is not responding to requests from the DNS Server service. Ensure that AD DS is functioning properly, troubleshoot any problems, and then restart the DNS Server service.

For information about troubleshooting AD DS, see Active Directory Troubleshooting Topics  (http://go.microsoft.com/fwlink/?LinkId=95789).

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To restart the DNS Server service:

  1. On the DNS server, start Server Manager. To start Server Manager, click Start, click Administrative Tools, and then click Server Manager.
  2. In the console tree, expand Roles, expand DNS Server, and then expand DNS.
  3. Right-click the DNS server, click All Tasks, and then click Restart.

If the problem continues, restart the computer and then use Server Manager to confirm that the DNS Server service has started.

To restart the computer:

  • Click Start, click the arrow next to the Lock button, and then click Restart.

To confirm that the DNS Server service has started:

  1. On the DNS server, start Server Manager.
  2. In the console tree, expand Roles, and then click DNS Server.

The System Services list shows the state of the DNS Server service.

Verify

Ensure that Event IDs 4523 and 4524 are being logged and that no events in the range 4000 to 4019 appear in the Domain Name System (DNS) event log.

Related Management Information

DNS Server Active Directory Integration (TechNet Library)

DNS Infrastructure (TechNet Library)

Hi

We have a 2008 functional level active drirectory running on two domain controllers — 2008 Standard and 2012 R2 Standard. DNS is active directory integrated and is installed on both DC’s. DHCP was installed on the 2008 DC, but was migrated over to the 2012
DC a few weeks ago as per the instructions here: http://www.brycematheson.io/how-to-migrate-dhcp-from-windows-server-2008-to-2012-2016/

We have a mix of static IP’s and dynamic IP’s. DHCP lease length is set to 8 hours.

After the migration I disabled the DHCP service on the 2008 server. A few hiccups occurred with mismatched DNS A and PTR records during thre next few days. After I cleaned those up I removed the DHCP role from the 2008 server.

About a week ago I noticed that while domain joined computers’ DNS records were fine, guest devices running Android and Apple OS, all of which were being assigned dynamic addresses had two PTR records — one current and one stale.

I deleted the stale records and did some research. I changed the DHCP IPv4 Advanced Properties so that conflict detection attempts was changed from 0 to 1, and created a dedicated AD account named DHCProtocol to use for DNS dynamic update registration credentials
and set its password to never expire.

I was looking at the DNS logs yesterday and noticed many 4015 events. Note that these events only occurr on the 2012 server which hosts the DHCP role:

Log Name:      DNS Server
Source:        Microsoft-Windows-DNS-Server-Service
Date:          12/04/2018 13:14:04
Event ID:      4015
Task Category: None
Level:         Error
Keywords:      (131072)
User:          HTLINCSDHCProtocol
Computer:      Atlas.htlincs.local
Description:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is «0000051B: AtrErr: DSID-030F22B2, #1:
    0: 0000051B: DSID-030F22B2, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)». The event data contains the error.

There are other accounts listed with 4051, but these are machine-name$ accounts. The majority of the entries reference the user as DHCProtocol.

More research led to this article: https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c03366032. I restarted all our servers to install the lastest round of Windows Updates and hoped the restart might resolve the issue but the 4015 events continued
to be logged.

I set the diagnostic logging for Directory Access to 5 as per the hpe.com article. The next 4015 error (shown above) coincided with the following from the Directory Access log:

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          12/04/2018 13:14:04
Event ID:      1175
Task Category: Directory Access
Level:         Information
Keywords:      Classic
User:          SYSTEM
Computer:      Atlas.htlincs.local
Description:
Internal event: A privileged operation (rights required = 0x) on object DC=152,DC=0.168.192.in-addr.arpa,cn=MicrosoftDNS,DC=ForestDnsZones,DC=htlincs,DC=local failed because a non-security related error occurred.

Immediately followed by:

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          12/04/2018 13:14:04
Event ID:      1174
Task Category: Directory Access
Level:         Information
Keywords:      Classic
User:          HTLINCSDHCProtocol
Computer:      Atlas.htlincs.local
Description:
Internal event: A privileged operation (rights required = 0x) was successfully performed on object DC=152,DC=0.168.192.in-addr.arpa,cn=MicrosoftDNS,DC=ForestDnsZones,DC=htlincs,DC=local.

Having got this far, I am not sure how to proceed. Can anyone help me with this, or to understand what is happening please?

Thanks.

Hi

We have a 2008 functional level active drirectory running on two domain controllers — 2008 Standard and 2012 R2 Standard. DNS is active directory integrated and is installed on both DC’s. DHCP was installed on the 2008 DC, but was migrated over to the 2012
DC a few weeks ago as per the instructions here: http://www.brycematheson.io/how-to-migrate-dhcp-from-windows-server-2008-to-2012-2016/

We have a mix of static IP’s and dynamic IP’s. DHCP lease length is set to 8 hours.

After the migration I disabled the DHCP service on the 2008 server. A few hiccups occurred with mismatched DNS A and PTR records during thre next few days. After I cleaned those up I removed the DHCP role from the 2008 server.

About a week ago I noticed that while domain joined computers’ DNS records were fine, guest devices running Android and Apple OS, all of which were being assigned dynamic addresses had two PTR records — one current and one stale.

I deleted the stale records and did some research. I changed the DHCP IPv4 Advanced Properties so that conflict detection attempts was changed from 0 to 1, and created a dedicated AD account named DHCProtocol to use for DNS dynamic update registration credentials
and set its password to never expire.

I was looking at the DNS logs yesterday and noticed many 4015 events. Note that these events only occurr on the 2012 server which hosts the DHCP role:

Log Name:      DNS Server
Source:        Microsoft-Windows-DNS-Server-Service
Date:          12/04/2018 13:14:04
Event ID:      4015
Task Category: None
Level:         Error
Keywords:      (131072)
User:          HTLINCSDHCProtocol
Computer:      Atlas.htlincs.local
Description:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is «0000051B: AtrErr: DSID-030F22B2, #1:
    0: 0000051B: DSID-030F22B2, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)». The event data contains the error.

There are other accounts listed with 4051, but these are machine-name$ accounts. The majority of the entries reference the user as DHCProtocol.

More research led to this article: https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c03366032. I restarted all our servers to install the lastest round of Windows Updates and hoped the restart might resolve the issue but the 4015 events continued
to be logged.

I set the diagnostic logging for Directory Access to 5 as per the hpe.com article. The next 4015 error (shown above) coincided with the following from the Directory Access log:

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          12/04/2018 13:14:04
Event ID:      1175
Task Category: Directory Access
Level:         Information
Keywords:      Classic
User:          SYSTEM
Computer:      Atlas.htlincs.local
Description:
Internal event: A privileged operation (rights required = 0x) on object DC=152,DC=0.168.192.in-addr.arpa,cn=MicrosoftDNS,DC=ForestDnsZones,DC=htlincs,DC=local failed because a non-security related error occurred.

Immediately followed by:

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          12/04/2018 13:14:04
Event ID:      1174
Task Category: Directory Access
Level:         Information
Keywords:      Classic
User:          HTLINCSDHCProtocol
Computer:      Atlas.htlincs.local
Description:
Internal event: A privileged operation (rights required = 0x) was successfully performed on object DC=152,DC=0.168.192.in-addr.arpa,cn=MicrosoftDNS,DC=ForestDnsZones,DC=htlincs,DC=local.

Having got this far, I am not sure how to proceed. Can anyone help me with this, or to understand what is happening please?

Thanks.

0 / 0 / 0

Регистрация: 07.06.2018

Сообщений: 33

1

10.08.2020, 05:56. Показов 7550. Ответов 9


привет форумчани, требуется ваша помощь.

Сервер физический.
Windows Server 2012r2

данная ошибка недавно появилась.

«DNS-сервер обнаружил критическую ошибку Active Directory. Проверьте работоспособность Active Directory. Дополнительная отладочная информация об ошибке: «0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
‘CN=HDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=viladm,DC=ru’» (может отсутствовать). Данные о событии содержат сведения об ошибке.»

Контроллер домена один.
DNS — Два.
AD -Один.

До этого была ошибка с временем на двух DNS серверах. (Было установлено разное время, исправлено).
Есть некое предположение, что один из DNS серверов не правильно назван (HDC и HDC2, но HDC (если открыть свойства или попробовать подключится удаленно, то он будет называться WIN-9Q8G3TR56K.)

__________________
Помощь в написании контрольных, курсовых и дипломных работ, диссертаций здесь

0

Programming

Эксперт

94731 / 64177 / 26122

Регистрация: 12.04.2006

Сообщений: 116,782

10.08.2020, 05:56

9

Эксперт по компьютерным сетям

10915 / 6775 / 1809

Регистрация: 25.12.2012

Сообщений: 28,683

10.08.2020, 09:52

2

AD на каком из них поднят?
Почему два DC не сделать?

0

0 / 0 / 0

Регистрация: 07.06.2018

Сообщений: 33

11.08.2020, 07:35

 [ТС]

3

HDC — главный (мастер схемы)
HDC2 — реплика

DC был один изначально, как я пришел на рабочее место и решил его не трогать, т.к с ним нареканий не было.

Добавлено через 2 часа 19 минут
и дополню.
Если зайти на HDC2 сервер и посмотреть «Диспетчер серверов-Все сервера» видно только сам HDC2.

0

0 / 0 / 0

Регистрация: 07.06.2018

Сообщений: 33

13.08.2020, 03:21

 [ТС]

4

!up

0

174 / 166 / 28

Регистрация: 20.10.2014

Сообщений: 1,037

14.08.2020, 15:25

5

стесняюсь спросить, а эти сервера вообще друг-друга видят?
проверьте по ip и по имени.

и я не понял, почему AD не реплицировали?

Добавлено через 32 секунды
и диагностика AD и DNS скорее всего валит ошибками?

Добавлено через 1 минуту
и дайте netdom query fsmo
с обоих

0

0 / 0 / 0

Регистрация: 07.06.2018

Сообщений: 33

17.08.2020, 00:56

 [ТС]

6

Цитата
Сообщение от CHESTER-ART
Посмотреть сообщение

стесняюсь спросить, а эти сервера вообще друг-друга видят?
проверьте по ip и по имени.

и я не понял, почему AD не реплицировали?

Добавлено через 32 секунды
и диагностика AD и DNS скорее всего валит ошибками?

Добавлено через 1 минуту
и дайте netdom query fsmo
с обоих

1. Пинги проходят по имени и по ip
2. AD реплицирован (Видимо не правильно описал, извиняюсь.)
3. Во вложение. (на HDC2 «192.168.2.2 ошибок больше в двое, пример ошибок во вложение.)
4. Во вложение.

0

0 / 0 / 0

Регистрация: 07.06.2018

Сообщений: 33

20.08.2020, 00:13

 [ТС]

7

!up

0

174 / 166 / 28

Регистрация: 20.10.2014

Сообщений: 1,037

20.08.2020, 14:51

8

ikaruskam,
repadmin /showrepl
с обоих плиз
я не забыл про вас, просто очень занят.

У меня есть два предположения:
1. у вас не совпадают логин или пароль администратора службы каталогов

2. по какой-то причине новый КД выпал из домена, или нарушена настройкасвязь между ними
убедитесь, что по пути от DC к DC2 не теряются пакеты по сети.
проверьте настройки по мануалу ввода DC.

Добавлено через 2 минуты
default-first-site-name и прочие настройки AD сайты и службы. домены и доверие.
repadmin /showrepl не забудьте

Добавлено через 3 минуты
WIN-9Q8G3TR56K — походу старое имя сервра, и переименовали его уже после создания КД.
соответсвенно все службы и керберос привязку имеют к имени… я подумаю…

Добавлено через 3 минуты
проверьте записи ДНС. Где-то скорее всего еще болтается запись WIN-9Q8G3TR56K
если такое есть, то может помочь банальное переименование, или создание отсутствующей записи в разделе DNS

Добавлено через 1 минуту

Не по теме:

был у меня один случАй… когда один комп имел аж 3 DNS имени в записях АД.

0

174 / 166 / 28

Регистрация: 20.10.2014

Сообщений: 1,037

21.08.2020, 09:27

9

1. Проверьте в DNS записи в зоне _msdsc.viladm.ru (или как-то так)
здесь должны быть
1.1. начальная запись зоны (soa) ваш хозяин схемы, как папка верхнего уровня — статический
1.2. как папка верхнего уровня — NS — оба сервера — статический
1.3. два псевдонима CNAME — оба сервера — с отметками времени. Основной (ХОЗЯИН СХЕМЫ время может не меняться, у реплики время должно меняться на последнее время запуска сервера и соответсвующих служб)
2. dcdiag /fix на обоих хостах
3. dcdiag /test:dns

4. лезем в зоны прямого и обратного просмотра
там проверяем соответствие имени и IP адреса в обоих разделах.
при этом, в зоне обратного и прямого просмотра имена могут отличаться. например
зона прямого comp1 — 192.168.0.1
зона обратного comp1.home.loc — 192.168.0.1
но эти имена должны соотвествовать ip адресу хостов.
скорее всего, где-то будет запись о старом КД по старому имени.
далее проверить _sites _tcp _udp и другие разделы на наличие правильных записей соответствующих имени и ip

Добавлено через 58 секунд
ну и далее repadmin /showrepl
для того, что бы посмотреть как проходит репликация

0

174 / 166 / 28

Регистрация: 20.10.2014

Сообщений: 1,037

01.09.2020, 12:53

10

есть новости?

0

IT_Exp

Эксперт

87844 / 49110 / 22898

Регистрация: 17.06.2006

Сообщений: 92,604

01.09.2020, 12:53

Помогаю со студенческими работами здесь

Error displaying the error page: Application Instantiation Error
Добрый вечер, друзья!
Нужна помощь. Перенес свой сайт с локалки на masterhost.ru
при помощи…

Error displaying the error page: Application Instantiation Error
после того, как залил на хостинг стала выходить ошибка Your host needs to use PHP 5.3.1 or higher…

Ошибка в тестовом примере: «Error 1 error C2143: syntax error : missing ‘;’ before ‘if’»
#include<iostream>
using namespace std;
int main(){
int x, a = 0, b = 10;
(cin >> x).get();

Ошибка «Error displaying the error page: Application Instantiation Error»
Доброго времени суток. Подскажите пожалуйста кто сталкивался с данной проблемой. У меня завис…

Исправить ошибку Parse error: syntax error, unexpected T_VARIABLE, expecting ‘,’ or ‘;’
Ошибка:Parse error: syntax error, unexpected T_VARIABLE, expecting ‘,’ or ‘;’ in…

Ошибка: Fatal error: Uncaught Error: Call to undefined function mysql_num_rows() in
Пытаюсь вывести картинку из базы данных.
Код PHP:

<?php

Искать еще темы с ответами

Или воспользуйтесь поиском по форуму:

10

Event 4015 when running DNS on RODC can be resolved with this handy guide from our experts. 

At Bobcares, we offer solutions for every query, big and small, as a part of our Server Management Services.

Let’s take a look at how our Support Team is ready to help customers with Event 4015 when running DNS on RODC.

How to fix Event 4015 when running DNS on RODC

Event 4015 often occurs when we run the Domain Name Service role on an RODC (Read-Only Domain Controller) in addition to a writable Domain Controller (hosting DNS) being inaccessible.

According to our Support Team, we can see the event logged on the RODC as seen below:

Log Name: DNS Server
Source: Microsoft-Windows-DNS-Server-Service
Date: date time
Event ID: 4015
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: computer_name
Description:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is “00002095: SvcErr: DSID-03210A6A, problem 5012 (DIR_ERROR), data 16”. The event data contains the error.

After careful analysis, our Support Techs have come to the conclusion that when an RODC locates a writeable DNS server in order to perform ReplicateSingleObject (RSO), the DSGETDC function occurs with that the following flags:

DS_AVOID_SELF
DS_TRY_NEXTCLOSEST_SITE
DS_DIRECTORY_SERVICE_6_REQUIRED
DS_WRITEABLE_REQUIRED

Furthermore, after DC returns from the DSGETDC call, it utilizes the results to look for the NS record in DNS. In case DSGETDC call fails or is not able to locate the NS record of the DC from the DSGETDC, thereby logging error 4105. Additionally, here are two reasons, that may be the cause behind the 4105 error:

  • No accessible writeable DC or none returned after DSGETDC call.
  • A successful DSGETDC call, but the returned DC does not have the DNS Server Role installed or does not have an NS record in DNS.

Moreover, we can run the following command from RODC in order to check which DC comes back as a result of the DSGETDC call:

nltest /dsgetdc: DOMAIN.COM /WRITABLE /AVOIDSELF /TRY_NEXT_CLOSEST_SITE/DS_6

Here DOMAIN.COM is our domain name.

Fortunately, we can resolve this issue by ensuring there is a writeable DC accessible from the RODC, ensuring that the DNS Server role is installed on the DC in addition to the NS record in DNS for the writeable DC.

[Looking for a solution to another query? We are just a click away.]

Conclusion

In brief, our skilled Support Engineers at Bobcares demonstrated how to deal with Event 4015 when running DNS on RODC.

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED


Hi

We have a 2008 functional level active drirectory running on two domain controllers — 2008 Standard and 2012 R2 Standard. DNS is active directory integrated and is installed on both DC’s. DHCP was installed on the 2008 DC, but was migrated over to the 2012
DC a few weeks ago as per the instructions here: http://www.brycematheson.io/how-to-migrate-dhcp-from-windows-server-2008-to-2012-2016/

We have a mix of static IP’s and dynamic IP’s. DHCP lease length is set to 8 hours.

After the migration I disabled the DHCP service on the 2008 server. A few hiccups occurred with mismatched DNS A and PTR records during thre next few days. After I cleaned those up I removed the DHCP role from the 2008 server.

About a week ago I noticed that while domain joined computers’ DNS records were fine, guest devices running Android and Apple OS, all of which were being assigned dynamic addresses had two PTR records — one current and one stale.

I deleted the stale records and did some research. I changed the DHCP IPv4 Advanced Properties so that conflict detection attempts was changed from 0 to 1, and created a dedicated AD account named DHCProtocol to use for DNS dynamic update registration credentials
and set its password to never expire.

I was looking at the DNS logs yesterday and noticed many 4015 events. Note that these events only occurr on the 2012 server which hosts the DHCP role:

Log Name:      DNS Server
Source:        Microsoft-Windows-DNS-Server-Service
Date:          12/04/2018 13:14:04
Event ID:      4015
Task Category: None
Level:         Error
Keywords:      (131072)
User:          HTLINCSDHCProtocol
Computer:      Atlas.htlincs.local
Description:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is «0000051B: AtrErr: DSID-030F22B2, #1:
    0: 0000051B: DSID-030F22B2, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)». The event data contains the error.

There are other accounts listed with 4051, but these are machine-name$ accounts. The majority of the entries reference the user as DHCProtocol.

More research led to this article: https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c03366032. I restarted all our servers to install the lastest round of Windows Updates and hoped the restart might resolve the issue but the 4015 events continued
to be logged.

I set the diagnostic logging for Directory Access to 5 as per the hpe.com article. The next 4015 error (shown above) coincided with the following from the Directory Access log:

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          12/04/2018 13:14:04
Event ID:      1175
Task Category: Directory Access
Level:         Information
Keywords:      Classic
User:          SYSTEM
Computer:      Atlas.htlincs.local
Description:
Internal event: A privileged operation (rights required = 0x) on object DC=152,DC=0.168.192.in-addr.arpa,cn=MicrosoftDNS,DC=ForestDnsZones,DC=htlincs,DC=local failed because a non-security related error occurred.

Immediately followed by:

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          12/04/2018 13:14:04
Event ID:      1174
Task Category: Directory Access
Level:         Information
Keywords:      Classic
User:          HTLINCSDHCProtocol
Computer:      Atlas.htlincs.local
Description:
Internal event: A privileged operation (rights required = 0x) was successfully performed on object DC=152,DC=0.168.192.in-addr.arpa,cn=MicrosoftDNS,DC=ForestDnsZones,DC=htlincs,DC=local.

Having got this far, I am not sure how to proceed. Can anyone help me with this, or to understand what is happening please?

Thanks.

Понравилась статья? Поделить с друзьями:
  • Криптопро ошибка 500
  • Критическая ошибка 74 параметры 2 поврежден реестр
  • Криптопро ошибка 25002
  • Критическая ошибка 3d3 gta 4
  • Криптопро ошибка 1603 windows 10