Event 4015 AD issue DNS/DHCP


This topic contains 4 replies, has 2 voices, and was last updated by Blood 7 months, 3 weeks ago.

    Blood
    Moderator
    #167499

    Hi

    I’ve just posted this on Microsoft’s forums but am posting here as well in case anyone has had this issue and has resolved it.

    We have a 2008 functional level Active Directory running on two domain controllers – 2008 Standard and 2012 R2 Standard. DNS is Active Directory integrated and is installed on both DCs. DHCP was installed on the 2008 DC, but was migrated over to the 2012 DC a few weeks ago as per the instructions here: http://www.brycematheson.io/how-to-migrate-dhcp-from-windows-server-2008-to-2012-2016/

    We have a mix of static IPs and dynamic IPs. DHCP lease length is set to 8 hours.

    After the migration I disabled the DHCP service on the 2008 server. A few hiccups occurred with mismatched DNS A and PTR records during the next few days. After I cleaned those up I removed the DHCP role from the 2008 server.

    About a week ago I noticed that while domain joined computers’ DNS records were fine, guest devices running Android and Apple OS, all of which were being assigned dynamic addresses had two PTR records – one current and one stale.

    I deleted the stale records and did some research. I changed the DHCP IPv4 Advanced Properties so that conflict detection attempts was changed from 0 to 1, and created a dedicated AD account named DHCProtocol to use for DNS dynamic update registration credentials and set its password to never expire.

    I was looking at the DNS logs yesterday and noticed many 4015 events. Note that these events only occur on the 2012 server which hosts the DHCP role:

    Log Name: DNS Server
    Source: Microsoft-Windows-DNS-Server-Service
    Date: 12/04/2018 13:14:04
    Event ID: 4015
    Task Category: None
    Level: Error
    Keywords: (131072)
    User: HTLINCS\DHCProtocol
    Computer: Atlas.htlincs.local
    Description:
    The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is “0000051B: AtrErr: DSID-030F22B2, #1:
    0: 0000051B: DSID-030F22B2, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)”. The event data contains the error.

    There are other accounts listed with 4051, but these are machine-name$ accounts. The majority of the entries reference the user as DHCProtocol.

    More research led to this article: https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c03366032. I restarted all our servers to install the latest round of Windows Updates and hoped the restart might resolve the issue but the 4015 events continued to be logged.

    I set the diagnostic logging for Directory Access to 5 as per the hpe.com article. The next 4015 error (shown above) coincided with the following from the Directory Access log:

    Log Name: Directory Service
    Source: Microsoft-Windows-ActiveDirectory_DomainService
    Date: 12/04/2018 13:14:04
    Event ID: 1175
    Task Category: Directory Access
    Level: Information
    Keywords: Classic
    User: SYSTEM
    Computer: Atlas.htlincs.local
    Description:
    Internal event: A privileged operation (rights required = 0x) on object DC=152,DC=0.168.192.in-addr.arpa,cn=MicrosoftDNS,DC=ForestDnsZones,DC=htlincs,DC=local failed because a non-security related error occurred.

    Immediately followed by:

    Log Name: Directory Service
    Source: Microsoft-Windows-ActiveDirectory_DomainService
    Date: 12/04/2018 13:14:04
    Event ID: 1174
    Task Category: Directory Access
    Level: Information
    Keywords: Classic
    User: HTLINCS\DHCProtocol
    Computer: Atlas.htlincs.local
    Description:
    Internal event: A privileged operation (rights required = 0x) was successfully performed on object DC=152,DC=0.168.192.in-addr.arpa,cn=MicrosoftDNS,DC=ForestDnsZones,DC=htlincs,DC=local.

    Having got this far, I am not sure how to proceed. Can anyone help me with this, or to understand what is happening please?

    Thanks.
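The correlation the post does by hand (a 4015 in the DNS Server log matched by timestamp against the 1174/1175 Directory Access events) can be scripted. The following is an added example and not code from the thread or from Microsoft; it assumes the script runs in an elevated PowerShell on the DC that logs the 4015s, and `$Computer`, `$Hours` and `$WindowSeconds` are placeholders. It also reads the NTDS diagnostics value "9 Directory Access", because without that raised the 1174/1175 events are never written.

```powershell
# Added example, not from the thread: pull the DNS Server 4015 events from the DC
# that logs them and line each one up with the Directory Service 1174/1175
# "privileged operation" events that appear once NTDS diagnostics for
# "9 Directory Access" is raised (the poster set it to 5).
param(
    [string]$Computer = $env:COMPUTERNAME,   # placeholder: the DC hosting DNS + DHCP
    [int]$Hours = 24,                        # placeholder lookback window
    [int]$WindowSeconds = 2                  # how close a DS event must be to a 4015
)

$since = (Get-Date).AddHours(-$Hours)

# Confirm Directory Access logging is actually on; without it no 1174/1175 appear.
$ntds  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$level = Invoke-Command -ComputerName $Computer -ScriptBlock {
    (Get-ItemProperty -Path $using:ntds -Name '9 Directory Access').'9 Directory Access'
}
Write-Host "Directory Access diagnostic level on ${Computer}: $level"

$dns4015 = @(Get-WinEvent -ComputerName $Computer -FilterHashtable @{
    LogName = 'DNS Server'; Id = 4015; StartTime = $since
} -ErrorAction SilentlyContinue)

$ds = @(Get-WinEvent -ComputerName $Computer -FilterHashtable @{
    LogName = 'Directory Service'; Id = 1174, 1175; StartTime = $since
} -ErrorAction SilentlyContinue)

$report = foreach ($e in $dns4015) {
    $msg = $e.Message
    # Extended error fields, in the shape seen in the thread's sample 4015 event.
    $dsid    = if ($msg -match 'DSID-([0-9A-Fa-f]+)')        { $Matches[1] } else { '' }
    $problem = if ($msg -match 'problem (\d+) \(([A-Z_]+)\)') { "$($Matches[1]) $($Matches[2])" } else { '' }
    $att     = if ($msg -match 'Att (\d+) \(([^)]+)\)')      { $Matches[2] } else { '' }

    # Directory Service events within +/- $WindowSeconds of this 4015.
    $near = $ds | Where-Object {
        [math]::Abs(($_.TimeCreated - $e.TimeCreated).TotalSeconds) -le $WindowSeconds
    }
    # 1175 reads "... on object <DN> failed because ...", 1174 "... on object <DN>."
    $objects = $near | ForEach-Object {
        if ($_.Message -match 'on object (.+?)(?:\s+failed|\.\s*$)') { $Matches[1] }
    } | Sort-Object -Unique

    $user = if ($e.UserId) {
        try { $e.UserId.Translate([System.Security.Principal.NTAccount]).Value } catch { $e.UserId.Value }
    } else { '' }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = $user
        DSID      = $dsid
        Problem   = $problem
        Attribute = $att
        DSEvents  = ($near | ForEach-Object Id) -join ','
        Objects   = $objects -join '; '
    }
}

$report | Format-Table -AutoSize

# Which accounts and attributes keep failing. One account against one attribute on
# one zone object is a permissions problem; many accounts across many objects is
# the "check that Active Directory is functioning" case the event text suggests.
$report | Group-Object User, Attribute | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The `Objects` column is the part worth reading: in the post's own excerpt it would show the `DC=152,DC=0.168.192.in-addr.arpa,...` zone object against the `HTLINCS\DHCProtocol` user with `Att 20119 (nTSecurityDescriptor)`, which narrows the problem to a write on that object's security descriptor rather than to AD health in general.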


    biggles77
    Spectator
    #214395

    Yes, the link following doesn’t relate to your operating systems but this is Microsoft…. :shock: https://support.microsoft.com/en-us/…ns-application

    I don’t know if you have seen these links but better to post them than to ass me me. https://docs.microsoft.com/en-us/pre…735674(v=ws.10)

    https://support.microsoft.com/en-us/…-event-logging

    [QUOTE=Aaron Tomosky at Experts Exchange]
    First off I’ll give my opinion on why a servers first dns entry should not be itself: Personally I use one DC as my main dc where I make all changes including dns additions. This main dc is the primary for dns for all my other dcs. This allows them to pick up that information faster than if they used themselves. That said, you never know when a computer will switch to using the secondary so it’s not really a foolproof method. There was a time where I had to set all dc dns to a single dc with no secondary so that netlogin would register the dc dns records correctly and it was nice and easy to just blank out the secondary. Also some commands like nslookup use the primary dns entry by default, even when the server has switched over to the secondary if the primary was unavailable. There could be other commands or services that do the same.

    This brings me to my question, perhaps you have the same issue: I was working with a domain that was originally win2k (I didn’t know this but it’s the only explanation) and it was missing the top level _msdcs zone.[/QUOTE]
    He fixed his problem using the first link in my post, KB 841470 (https://support.microsoft.com/en-us/help/817470/how-to-reconfigure-an-msdcs-subdomain-to-a-forest-wide-dns-application)

    Don’t know if the following helps but it did for the OP of the thread on Experts Exchange. I’ve included this in case I have missed something during the read. (I really do need to go to Specsavers)

    [QUOTE=mcburn13 on Experts Exchange]
    I changed all my DNS servers to point to others first (unless they were in a site by themselves), enabled IPv6 and rebuilt the _msdcs zone (did the same as in that article). We only see the error now once and it is WAY after hours I am 99.99999% certain it is because Veeam is running a backup of the VM (takes snapshot) and the PDC becomes unavailable for a few seconds to minutes. In addition to moving the backup window later we staggered the DCs so no two are backing up at the same time. Still would love for Microsoft to BUCK UP and figure out how to give admins errors that actually mean something instead of “”. Perhaps something like “there was an issue with SERVERA communicating with the PDC Emulator THAT’s why we threw this error” Just saying..[/QUOTE]

    If none of this helps it may lead you to other links that do.

    Blood
    Moderator
    #337373

    Hey, Biggles, many thanks for the response.

    I checked the first link. _msdcs is fully populated, AD integrated and is set to replicate to all DNS servers in the forest.

    I get a 404 on the second and fourth links.

    Link 3 – this is the article I used to set up Directory Access logging.

    And the great debate on the order of DNS server addresses and loopback vs assigned IP address. Ours (we have two), are configured with the other’s address as the primary, and their own IP (not loopback) as the secondary.

    Compare the DNS logs from the servers. The first one is the 2012 R2 server that also hosts DHCP. The second is the 2008 server. The errors on the 2008 server are from when the MS Update hosed the IPv4 properties and configured IPv4 for DHCP. The warnings are after restarts when DNS is started but is waiting for AD to load.

    2012 R2:
    [Attachment: 4015 errors.jpg]

    2008:
    [Attachment: No 4015 errors.jpg]

    Blood
    Moderator
    #337375

    A respondent on the MS forum suggested looking at the Owners of the folders. When I checked the in-addr.arpa folder on the 2012 R2 machine the owner was Domain Admins. When I checked it on the 2008 machine, the owner was SYSTEM. I have changed the ownership on the 2012 R2 to SYSTEM and, after restarting both the DNS and DHCP server services I’ve not seen any more 4015 events logged. But, let’s wait and see what tomorrow brings :-P

    Blood
    Moderator
    #337378

    Update:

    Have tried various things. The latest is to add the DHCP server to the DnsUpdateProxy group and set the OpenACLOnProxyUpdates value to 0.

    Will check the state of DNS tomorrow.
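The last two posts change three things (the owner of the reverse zone object, DnsUpdateProxy membership, and OpenACLOnProxyUpdates), each on one server and by hand. The script below is an added example, not code from the thread, that reads all three back so the two DCs can be compared in one run, and optionally applies the owner change the way the earlier post describes. Zone and domain names are taken from the thread's event excerpts; the 2008 DC's hostname never appears in the thread, so `DC2008` is a placeholder, as are `Atlas` as the DHCP host and the `$SetOwnerToSystem` switch.

```powershell
# Added example, not from the thread: read back the zone-object owner on both DCs,
# the DHCP server's DnsUpdateProxy membership, OpenACLOnProxyUpdates, and the account
# DHCP uses for DNS dynamic updates. All names below are placeholders.
Import-Module ActiveDirectory
Import-Module DhcpServer        # DHCP cmdlets: present on 2012 R2 with the role or RSAT

$Zone             = '0.168.192.in-addr.arpa'   # placeholder: the zone named in the 1175 event
$DomainDn         = 'DC=htlincs,DC=local'       # placeholder
$DcList           = @('Atlas', 'DC2008')        # placeholder: the 2012 R2 DC and the 2008 DC
$DhcpServer       = 'Atlas'                     # placeholder: DC that now hosts DHCP
$SetOwnerToSystem = $false                      # flip to $true to apply the owner change

$zoneDn = "DC=$Zone,CN=MicrosoftDNS,DC=ForestDnsZones,$DomainDn"

# 1. Owner of the zone object, read from each DC separately. The zone is AD-integrated,
#    so once replication has converged both DCs must report the same owner; a mismatch
#    means the change has not replicated yet or the two DCs are serving different copies.
foreach ($dc in $DcList) {
    $obj = Get-ADObject -Identity $zoneDn -Server $dc -Properties nTSecurityDescriptor
    [pscustomobject]@{ DC = $dc; Zone = $Zone; Owner = $obj.nTSecurityDescriptor.Owner }
}

if ($SetOwnerToSystem) {
    # Same change as in the post (owner -> SYSTEM), made on one DC and left to replicate.
    # Needs take-ownership rights on the object (Domain Admins has them).
    $obj = Get-ADObject -Identity $zoneDn -Server $DcList[0] -Properties nTSecurityDescriptor
    $sd  = $obj.nTSecurityDescriptor
    $sd.SetOwner([System.Security.Principal.NTAccount]'NT AUTHORITY\SYSTEM')
    Set-ADObject -Identity $zoneDn -Server $DcList[0] -Replace @{ nTSecurityDescriptor = $sd }
}

# 2. Is the DHCP server's computer account a member of DnsUpdateProxy?
$dhcpComputer = Get-ADComputer -Identity $DhcpServer
$proxyMembers = @(Get-ADGroupMember -Identity 'DnsUpdateProxy' -Recursive |
                  Select-Object -ExpandProperty SamAccountName)
$inProxy = $proxyMembers -contains $dhcpComputer.SamAccountName

# 3. OpenACLOnProxyUpdates (0 = do not open the ACL on records DHCP registers) and the
#    credential DHCP presents to DNS for dynamic updates (the DHCProtocol account).
$openAcl = Invoke-Command -ComputerName $DhcpServer -ScriptBlock {
    (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters' `
        -Name OpenACLOnProxyUpdates -ErrorAction SilentlyContinue).OpenACLOnProxyUpdates
}
$dnsCred = Get-DhcpServerDnsCredential -ComputerName $DhcpServer
$dnsOpts = Get-DhcpServerv4DnsSetting  -ComputerName $DhcpServer

[pscustomobject]@{
    DhcpServer            = $DhcpServer
    InDnsUpdateProxy      = $inProxy
    OpenACLOnProxyUpdates = $openAcl      # $null: value never set, server uses its default
    UpdateAccount         = "$($dnsCred.DomainName)\$($dnsCred.UserName)"
    DynamicUpdates        = $dnsOpts.DynamicUpdates
    DeleteOnLeaseExpiry   = $dnsOpts.DeleteDnsRROnLeaseExpiry
    NameProtection        = $dnsOpts.NameProtection
} | Format-List
```

One caveat worth checking against the output: Microsoft documents that records registered by a DnsUpdateProxy member are created without a protected owner, so any client can later overwrite them, and that putting a domain controller's own computer account in that group extends this to the DC's own registrations. The dedicated update credential (the `DHCProtocol` account set up earlier in the thread) is the documented way to have DHCP-registered records owned by a specific account instead, which is why `UpdateAccount` and `InDnsUpdateProxy` are reported side by side above.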
