Event ID: 4015 Source: DNS

The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The event data contains the error.
I got this error while troubleshooting event id 53258 on a fresh installation of Windows 2003 R2 Server SP2. I was applying the recommendations described in ME923977, but at the end of the process I forgot to perform step 8 (uncheck the field back) and after that I got this error. Do not forget to uncheck the field as it was before.
ME969488 describes a situation when this event is recorded when running the Domain Name Service (DNS) role on a Read-Only Domain Controller (RODC) with the suggestion to move the DNS to a writable controller.
A combination of event 1030, 1058, and 4015 can occur when a NIC is replaced and the binding order is wrong. Go to Network Connections -> Advanced Settings. In the Advanced menu make sure that the most important NIC is on top at the Adapters and Bindings tab.
I receive this error every now and then on my Windows 2K3 DC along with a trap from my 3Com switch that the DNS response time is slow on the server. Both errors appear because the server is in the middle of being backed-up at that particular time.
I had this error on a Windows 2003 Domain Controller that was promoted to a new Child domain via DCPromo. DNS was installed prior to the installation and this error appeared in the event viewer after the install. The DNS zone was configured as a secondary zone but was out of synch with the primary AD Integrated zone running on the parent domain server. Comparing the SOAs (Start of Authority) on both machines, the child DC was not up to date and was displaying out of date information. I changed the SOA on the Primary DC incrementing it by 5 and forced an update. When both zones were in synch, this error message went away.

As per Microsoft: "This problem occurs because Active Directory has a limitation of approximately 800 values that can be associated with a single object. In an Active Directory-integrated DNS zone, DNS names are represented by dnsNode objects, and DNS records are stored as values in the multi-valued dnsRecord attribute on dnsNode objects, causing the error messages listed earlier in this article to occur." The problem should be resolved by SP2. See ME267855 for more details.

This event has also been reported on DNS servers configured for Internet Connection Sharing (ICS). ICS installs its own DNS proxy service, which conflicts with the DNS Server service. ICS is not supposed to be used on servers that run DNS or DHCP.

Some users reported this problem after upgrading Win2K DNS servers to Win2K3.

From a newsgroup post: "If you have installed AD using Dcpromo, dcpromo creates the .(root) zone, and when you need to use the forwarders option, as Microsoft recommends for Internet name resolution, you will always get the 4004 & 4015 errors in your log. To solve this problem and stop these events do the following:
1. Create a .(root) zone file
2. Right click the .(root) name and select Properties
3. Change the zone into a primary zone instead of the integrated AD zone type
4. Delete the .(root) zone"
See ME909249 for a hotfix applicable to Microsoft Windows Server 2003.

This event might occur if the value of a non-linked attribute is larger than 800 on a Windows Server 2003-based computer. See ME914036 for additional information about this issue.
This problem happened to me when I wanted to add another Windows 2003 domain controller to a site, with DNS, DHCP, and WINS installed just after the DCPROMO procedure. For some reason, even though DCPROMO ran well, I noticed that in AD Sites and Services the server was listed without an NTDS link/setting. Running DCPROMO to demote it, a reboot and DCPROMO again made the link appear so that AD replication could occur. After that, the DNS installation ran without any problems.
I received this event along with Event ID 4013 in the middle of trying to use dcpromo to demote a domain controller. I had problems with dcpromo not being able to stop netlogon and failing during demotion. I had 4 DCs with Active Directory Integrated DNS servers set with as the preferred DNS server and no secondary in their local TCP/IP properties. When I changed the preferred to their actual IP and added a second domain DNS server as secondary, the problems went away. I also manually added A records for the servers in _msdcs, but it was not until I changed DNS servers that things started working.
More on Ionut Marin's post: We have 2 domain controllers with DNS and were experiencing the same issue. Microsoft support told me to add a registry entry (I am not advocating changing anything in the registry, particularly on a DC, this is merely a reference) under HKLM\System\CurrentControlSet\Services\NTDS\Parameters. Add a new DWORD value named “Repl Perform Initial Synchronizations”, with a decimal value of 0. Evidently, this keeps AD and DNS from querying each other at the same time after startup.
In my case, the root domain DNS zone did not have this server in the authoritative DNS servers list for this child domain. Besides adding that, I also added the root DNS zone here, as a secondary zone (DNS is AD-integrated in each domain). Now, the 4015 error is no more.
In my case, a Domain Controller W2K3 was upgraded from Windows 2000. After the upgrade, the domain rename tool was used to change the domain name, but the DNS still had some references to the old domain's zones. An uninstall and reinstall of the DNS service solved the issue.
In my case this was related to a missing FSMO role holder (domain controller). After I seized the role of the defunct server, the problem was solved.
As per Microsoft: "The DNS Server service uses Active Directory to store DNS data, and it encountered a Lightweight Directory Access Protocol (LDAP) error while querying the directory. This error could be caused by either a time-out or a temporary interruption of service". See MSW2KDB for information on this event.

From a newsgroup post: "If the 4004 and 4015 events only appear at start up, you get these events because your zones are stored in AD and you only have one Domain Controller. AD cannot start with DNS, and when DNS starts, because AD has not started, DNS cannot load the zones in AD. The error goes away if you have two or more DCs with DNS installed, or if you use standard primary zones".
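A way to separate the startup-only 4004/4015 case described in the newsgroup post above from occurrences during normal operation, as an added example that is not part of the original page. The sample records, the 10-minute window and the use of EventLog event 6005 as the boot marker are assumptions made for this illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
STARTUP_WINDOW = timedelta(minutes=10)  # assumption: tune per environment

# Constructed sample records (not from the page): (timestamp, source, event_id).
# EventLog 6005 ("The Event log service was started") serves as the boot marker.
SAMPLE_EVENTS = [
    ("2009-03-02 08:00:05", "EventLog", 6005),
    ("2009-03-02 08:01:10", "DNS", 4004),
    ("2009-03-02 08:01:10", "DNS", 4015),
    ("2009-03-02 08:01:40", "DNS", 4015),
    ("2009-03-02 23:30:12", "DNS", 4015),   # hours after boot
    ("2009-03-05 07:15:00", "EventLog", 6005),
    ("2009-03-05 07:16:20", "DNS", 4015),
]


def classify_dns_ad_errors(events, window=STARTUP_WINDOW):
    """Split DNS 4004/4015 events into 'startup' and 'runtime' lists.

    An event counts as 'startup' when it falls within `window` after the
    most recent boot marker; anything else (including events logged before
    any boot marker is seen) counts as 'runtime'.
    """
    parsed = sorted((datetime.strptime(ts, FMT), src, eid) for ts, src, eid in events)
    last_boot = None
    result = {"startup": [], "runtime": []}
    for when, src, eid in parsed:
        if src == "EventLog" and eid == 6005:
            last_boot = when
        elif src == "DNS" and eid in (4004, 4015):
            near_boot = last_boot is not None and when - last_boot <= window
            result["startup" if near_boot else "runtime"].append((when.strftime(FMT), eid))
    return result


def needs_investigation(events, window=STARTUP_WINDOW):
    """True when any 4004/4015 was logged outside the startup window."""
    return bool(classify_dns_ad_errors(events, window)["runtime"])


if __name__ == "__main__":
    for kind, items in classify_dns_ad_errors(SAMPLE_EVENTS).items():
        print(kind, items)
```

Events in the `runtime` list are the ones that do not fit the single-DC startup explanation and point to the other causes reported on this page.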

In one case, this happened on a Windows 2003 SP1 computer, which was a domain controller with Active Directory integrated zones, where the DNS Server address had defaulted to Five of these Event IDs were preceded by EventID 4004 from source DNS.
Changing the DNS server address did not solve the problem. DNS was uninstalled and reinstalled (go to Control Panel -> Add/Remove Programs -> Add/Remove Windows Components -> Networking Services) without an intervening restart of the computer. The DNS Server was then checked and minor configuration changes made. The computer was restarted and EventID 4004 or 4015 did not reappear.
After creating a new sub domain this error occurred while Active Directory was not in sync on both sides. It stopped after running "repadmin /syncall dc=subdomain, dc=domain, dc=com /force".
I had this error message accompanied by a 4513 error stating that my DNS server was not in the replication scope of the ForestDNSZone application partition. After checking that zone, I saw in fact that an "A" record was missing for my DNS server. I added the record and restarted the DNS server. Errors are gone and the DNS server is replicating perfectly.
I had this problem on the second of two Windows Server 2003 Enterprise DCs hosting DNS for the same zone when I tried to point the secondary DC/DNS server to itself for resolution. I resolved the problem by changing it to point to the root DNS server's IP address.
I also got this error on a Win2k3 system. I was having trouble with allocation of IP addresses from the DHCP Server, and network connection problems (network not available). I found my problem to be caused by "routing and remote access". I did not need nor want remote access or routing, so I disabled the additional NIC in my system and removed "routing and remote access" from the system. This sorted out my problem.
