Event 4015 AD issue DNS/DHCP
This topic contains 4 replies, has 2 voices, and was last updated by Blood 10 months ago.
April 12, 2018 at 8:17 am #167499
Hi
I’ve just posted this on Microsoft’s forums but am posting here as well in case anyone has had this issue and has resolved it.
We have a 2008 functional level Active Directory running on two domain controllers – 2008 Standard and 2012 R2 Standard. DNS is Active Directory integrated and is installed on both DCs. DHCP was installed on the 2008 DC, but was migrated over to the 2012 DC a few weeks ago as per the instructions here: http://www.brycematheson.io/how-to-migrate-dhcp-from-windows-server-2008-to-2012-2016/
We have a mix of static IPs and dynamic IPs. DHCP lease length is set to 8 hours.
After the migration I disabled the DHCP service on the 2008 server. A few hiccups occurred with mismatched DNS A and PTR records during the next few days. After I cleaned those up I removed the DHCP role from the 2008 server.
About a week ago I noticed that while domain joined computers’ DNS records were fine, guest devices running Android and Apple OS, all of which were being assigned dynamic addresses, had two PTR records – one current and one stale.
I deleted the stale records and did some research. I changed the DHCP IPv4 Advanced Properties so that the number of conflict detection attempts was changed from 0 to 1, and created a dedicated AD account named DHCProtocol to use for DNS dynamic update registration credentials and set its password to never expire.
I was looking at the DNS logs yesterday and noticed many 4015 events. Note that these events only occur on the 2012 server which hosts the DHCP role:
Log Name: DNS Server
Source: Microsoft-Windows-DNS-Server-Service
Date: 12/04/2018 13:14:04
Event ID: 4015
Task Category: None
Level: Error
Keywords: (131072)
User: HTLINCSDHCProtocol
Computer: Atlas.htlincs.local
Description:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is “0000051B: AtrErr: DSID-030F22B2, #1:
0: 0000051B: DSID-030F22B2, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)”. The event data contains the error.
There are other accounts listed with 4051, but these are machine-name$ accounts. The majority of the entries reference the user as DHCProtocol.
More research led to this article: https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c03366032. I restarted all our servers to install the latest round of Windows Updates and hoped the restart might resolve the issue but the 4015 events continued to be logged.
I set the diagnostic logging for Directory Access to 5 as per the hpe.com article. The next 4015 error (shown above) coincided with the following from the Directory Access log:
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 12/04/2018 13:14:04
Event ID: 1175
Task Category: Directory Access
Level: Information
Keywords: Classic
User: SYSTEM
Computer: Atlas.htlincs.local
Description:
Internal event: A privileged operation (rights required = 0x) on object DC=152,DC=0.168.192.in-addr.arpa,cn=MicrosoftDNS,DC=ForestDnsZones,DC=htlincs,DC=local failed because a non-security related error occurred.
Immediately followed by:
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 12/04/2018 13:14:04
Event ID: 1174
Task Category: Directory Access
Level: Information
Keywords: Classic
User: HTLINCSDHCProtocol
Computer: Atlas.htlincs.local
Description:
Internal event: A privileged operation (rights required = 0x) was successfully performed on object DC=152,DC=0.168.192.in-addr.arpa,cn=MicrosoftDNS,DC=ForestDnsZones,DC=htlincs,DC=local.
Having got this far, I am not sure how to proceed. Can anyone help me with this, or to understand what is happening please?
Thanks.
April 12, 2018 at 1:17 pm #214395
Yes, the following link doesn’t relate to your operating systems but this is Microsoft…. :shock: https://support.microsoft.com/en-us/…ns-application
I don’t know if you have seen these links but better to post them than to assume. https://docs.microsoft.com/en-us/pre…735674(v=ws.10)
https://support.microsoft.com/en-us/…-event-logging
Quote from Aaron Tomosky at Experts Exchange:
First off I’ll give my opinion on why a server’s first DNS entry should not be itself: Personally I use one DC as my main DC where I make all changes including DNS additions. This main DC is the primary for DNS for all my other DCs. This allows them to pick up that information faster than if they used themselves. That said, you never know when a computer will switch to using the secondary so it’s not really a foolproof method. There was a time where I had to set all DC DNS to a single DC with no secondary so that netlogon would register the DC DNS records correctly and it was nice and easy to just blank out the secondary. Also some commands like nslookup use the primary DNS entry by default, even when the server has switched over to the secondary if the primary was unavailable. There could be other commands or services that do the same.
This brings me to my question, perhaps you have the same issue: I was working with a domain that was originally win2k (I didn’t know this but it’s the only explanation) and it was missing the top level _msdcs zone.
He fixed his problem using the first link in my post, KB 841470 (http://https://support.microsoft.com/en-us/help/817470/how-to-reconfigure-an-msdcs-subdomain-to-a-forest-wide-dns-application). Don’t know if the following helps but it did for the OP of the thread on Experts Exchange. I’ve included this in case I have missed something during the read. (I really do need to go to Specsavers)
Quote from mcburn13 on Experts Exchange:
I changed all my DNS servers to point to others first (unless they were in a site by themselves), enabled IPv6 and rebuilt the _msdcs zone (did the same as in that article). We only see the error now once and it is WAY after hours. I am 99.99999% certain it is because Veeam is running a backup of the VM (takes snapshot) and the PDC becomes unavailable for a few seconds to minutes. In addition to moving the backup window later we staggered the DCs so no two are backing up at the same time. Still would love for Microsoft to BUCK UP and figure out how to give admins errors that actually mean something instead of “”. Perhaps something like “there was an issue with SERVERA communicating with the PDC Emulator THAT’s why we threw this error”. Just saying..
If none of this helps it may lead you to other links that do.
April 13, 2018 at 4:25 am #337373
Hey, Biggles, many thanks for the response.
I checked the first link. _msdcs is fully populated, AD integrated and is set to replicate to all DNS servers in the forest.
I get a 404 on the second and fourth links.
Link 3 – this is the article I used to set up Directory Access logging.
And the great debate on the order of DNS server addresses and loopback vs assigned IP address. Ours (we have two), are configured with the other’s address as the primary, and their own IP (not loopback) as the secondary.
Compare the DNS logs from the servers. The first one is the 2012 R2 server that also hosts DHCP. The second is the 2008 server. The errors on the 2008 server are from when the MS Update hosed the IPv4 properties and configured IPv4 for DHCP. The warnings are after restarts when DNS is started but is waiting for AD to load.
2012 R2:
(attachment: 4015 errors.jpg)
2008:
(attachment: No 4015 errors.jpg)
April 17, 2018 at 9:22 am #337375
A respondent on the MS forum suggested looking at the Owners of the folders. When I checked the in-addr.arpa folder on the 2012 R2 machine the owner was Domain Admins. When I checked it on the 2008 machine, the owner was SYSTEM. I have changed the ownership on the 2012 R2 to SYSTEM and, after restarting both the DNS and DHCP server services I’ve not seen any more 4015 events logged. But, let’s wait and see what tomorrow brings :-P
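The check the last post describes by hand (comparing the owner of the reverse zone object on each DC, then watching for further 4015s) can be scripted. This is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module, the zone DN taken from the event text above, and a placeholder name for the 2008 DC, and it also queries the DHCP dynamic-update credential on the DHCP host.

```powershell
# Added example (not from the original thread): compare the owner of the AD-integrated
# reverse zone object across both DCs and count recent DNS Event 4015s on each.
# Assumptions: RSAT ActiveDirectory module is installed; the zone DN is taken from the
# event text in the thread; the 2008 DC hostname below is a placeholder.
Import-Module ActiveDirectory

$ZoneDN = 'DC=0.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=ForestDnsZones,DC=htlincs,DC=local'
$DomainControllers = @('Atlas.htlincs.local', 'DC2008-PLACEHOLDER.htlincs.local')

function Get-ZoneObjectOwner {
    param([string]$DistinguishedName, [string]$Server)
    # nTSecurityDescriptor comes back as ActiveDirectorySecurity; .Owner resolves to an NTAccount name
    $obj = Get-ADObject -Identity $DistinguishedName -Server $Server -Properties nTSecurityDescriptor
    [pscustomobject]@{
        Server = $Server
        Owner  = $obj.nTSecurityDescriptor.Owner
    }
}

function Get-Dns4015Count {
    param([string]$Server, [int]$Hours = 24)
    # Count Event ID 4015 in the DNS Server log over the last $Hours hours
    $filter = @{ LogName = 'DNS Server'; Id = 4015; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $Server -FilterHashtable $filter -ErrorAction SilentlyContinue
    [pscustomobject]@{ Server = $Server; Event4015Count = @($events).Count; Hours = $Hours }
}

# 1. Ownership of the zone object as seen from each DC
$owners = foreach ($dc in $DomainControllers) { Get-ZoneObjectOwner -DistinguishedName $ZoneDN -Server $dc }
$owners | Format-Table -AutoSize

# The thread found Domain Admins on the 2012 R2 DC and SYSTEM on the 2008 DC; flag any disagreement
if (($owners.Owner | Select-Object -Unique).Count -gt 1) {
    Write-Warning "Zone object owner differs between DCs; the thread's fix was to set it to SYSTEM."
}

# 2. How many 4015s each DNS server has logged in the last 24 hours (should drop to 0 after the fix)
$DomainControllers | ForEach-Object { Get-Dns4015Count -Server $_ } | Format-Table -AutoSize

# 3. Which account the DHCP server uses for dynamic DNS updates (expected: the DHCProtocol account)
Get-DhcpServerDnsCredential -ComputerName 'Atlas.htlincs.local'
```

Run it before and after changing the owner to see whether the 4015 count on the DHCP host actually stops climbing, rather than relying on a day of watching the log.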