After demoting a Server 2008 R2 domain controller, renaming it, and then creating and promoting a new Server 2012 Domain Controller with the same name (DC6), I am seeing this error intermittently on the new DC.
Log Name: DNS Server
Source: Microsoft-Windows-DNS-Server-Service
Date: 4/16/2013 6:58:37 PM
Event ID: 4015
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: DC6.MyDomain.local
Description:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.
There does not appear to be any actual problem otherwise, however. DNS can be restarted on the new DC without issue or error message. Replication seems to be working everywhere. Repadmin /replsummary results are:
Beginning data collection for replication summary, this may take awhile:
...........
Source DSA largest delta fails/total %% error
DC1 10m:07s 0 / 20 0
DC2 11m:49s 0 / 20 0
DC3 10m:08s 0 / 20 0
DC4 11m:50s 0 / 20 0
DC5 11m:50s 0 / 20 0
DC6 10m:08s 0 / 5 0
DC7 10m:09s 0 / 20 0
DC8 11m:50s 0 / 20 0
Destination DSA largest delta fails/total %% error
DC1 09m:13s 0 / 20 0
DC2 07m:54s 0 / 15 0
DC3 09m:59s 0 / 20 0
DC4 08m:48s 0 / 15 0
DC5 10m:10s 0 / 20 0
DC6 11m:57s 0 / 20 0
DC7 10m:03s 0 / 20 0
DC8 02m:33s 0 / 15 0
There are two DCs at each of 4 sites. The local site replication partner for this DC is DC5, and there are no errors on DC5, although there is an informational event related to the old DC which is logged intermittently:
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 4/16/2013 9:28:15 AM
Event ID: 1104
Task Category: Knowledge Consistency Checker
Level: Information
Keywords: Classic
User: ANONYMOUS LOGON
Computer: DC5.MyDomain.local
Description:
The Knowledge Consistency Checker (KCC) successfully terminated the following change notifications.
Directory partition:
DC=MyDomain,DC=local
Destination network address:
963562c1-fc7d-41e7-bbf9-4acc2f02b2d5._msdcs.PBJFS.local
Destination directory service (if available):
CN=NTDS Settings\0ADEL:963562c1-fc7d-41e7-bbf9-4acc2f02b2d5,CN=DC6\0ADEL:6753a055-0c0f-42de-819f-e267d9e34601,CN=Servers,CN=MySiteName,CN=Sites,CN=Configuration,DC=MyDomain,DC=local
This event can occur if either this directory service or the destination directory service has been moved to another site.
My understanding is that this can be ignored and will go away. There is no correlation between these events on DC5 and the problematic error logged on DC6, but I mention them just in case.
The final piece of information I will provide is that I have an issue with non-domain-joined computers being unable to register in DNS if they get their DHCP address from Server 2008 R2 DCs. (The DCs all run DHCP and DNS, and DNS is AD integrated.) Two of my 8 DCs are Server 2008 R1, including DC5. Non-domain computers that get DHCP from the Server 2008 R1 servers have their addresses registered in DNS just fine. All domain computers get their addresses registered regardless of the operating system of the DHCP server which they connect to, and only non-domain computers are affected by that issue. In an attempt to remedy that situation I had recently changed my Dynamic Updates in DNS from ‘Secure Only’ to both ‘Non-Secure and Secure’, but it did not help.
I would like to rebuild DC5 as a Server 2012 DC here pretty soon, but I want to first see if I can eliminate this DNS error message from DC6. The error is logged irregularly and averages about once every 24 hours, but can sometimes happen twice in a day or not at all for two days. The original DC6 is still in use under another name and it has registered in DNS under the new name already. I also did, in between the demotion and promotion of the replacement DC, make sure the old DC6 had all of its DNS entries removed and that replication had finished amongst all my DCs. The old DC6 computer object under its new name is no longer in the domain controllers group and the new DC6 computer object is, just as expected.
I did try changing the DNS server IP entries for the network configuration on the DC itself, but this did not help. Currently DC6 is set up to use DC5 as primary and itself by IP as secondary (these were originally reversed, but changing them has not eliminated the error). The loopback is listed as the third DNS entry for the network config.