Question
Thursday, April 12, 2018 2:06 PM
Hi
We have a 2008 functional level Active Directory running on two domain controllers - 2008 Standard and 2012 R2 Standard. DNS is Active Directory integrated and is installed on both DCs. DHCP was installed on the 2008 DC, but was migrated over to the 2012 DC a few weeks ago as per the instructions here: http://www.brycematheson.io/how-to-migrate-dhcp-from-windows-server-2008-to-2012-2016/
We have a mix of static IPs and dynamic IPs. DHCP lease length is set to 8 hours.
After the migration I disabled the DHCP service on the 2008 server. A few hiccups occurred with mismatched DNS A and PTR records during the next few days. After I cleaned those up I removed the DHCP role from the 2008 server.
About a week ago I noticed that while domain joined computers' DNS records were fine, guest devices running Android and Apple OS, all of which were being assigned dynamic addresses had two PTR records - one current and one stale.
I deleted the stale records and did some research. I changed the DHCP IPv4 Advanced Properties so that conflict detection attempts went from 0 to 1, and created a dedicated AD account named DHCProtocol to use for DNS dynamic update registration credentials and set its password to never expire.
I was looking at the DNS logs yesterday and noticed many 4015 events. Note that these events only occur on the 2012 server which hosts the DHCP role:
Log Name: DNS Server
Source: Microsoft-Windows-DNS-Server-Service
Date: 12/04/2018 13:14:04
Event ID: 4015
Task Category: None
Level: Error
Keywords: (131072)
User: HTLINCS\DHCProtocol
Computer: Atlas.htlincs.local
Description:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "0000051B: AtrErr: DSID-030F22B2, #1:
0: 0000051B: DSID-030F22B2, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor)". The event data contains the error.
There are other accounts listed with 4051, but these are machine-name$ accounts. The majority of the entries reference the user as DHCProtocol.
More research led to this article: https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c03366032. I restarted all our servers to install the latest round of Windows Updates and hoped the restart might resolve the issue, but the 4015 events continued to be logged.
I set the diagnostic logging for Directory Access to 5 as per the hpe.com article. The next 4015 error (shown above) coincided with the following from the Directory Access log:
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 12/04/2018 13:14:04
Event ID: 1175
Task Category: Directory Access
Level: Information
Keywords: Classic
User: SYSTEM
Computer: Atlas.htlincs.local
Description:
Internal event: A privileged operation (rights required = 0x) on object DC=152,DC=0.168.192.in-addr.arpa,cn=MicrosoftDNS,DC=ForestDnsZones,DC=htlincs,DC=local failed because a non-security related error occurred.
Immediately followed by:
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 12/04/2018 13:14:04
Event ID: 1174
Task Category: Directory Access
Level: Information
Keywords: Classic
User: HTLINCS\DHCProtocol
Computer: Atlas.htlincs.local
Description:
Internal event: A privileged operation (rights required = 0x) was successfully performed on object DC=152,DC=0.168.192.in-addr.arpa,cn=MicrosoftDNS,DC=ForestDnsZones,DC=htlincs,DC=local.
Having got this far, I am not sure how to proceed. Can anyone help me with this, or to understand what is happening please?
Thanks.
All replies (25)
Friday, April 13, 2018 8:26 AM
Hi,
Thanks for your question.
The DNS Server service relies on Active Directory Domain Services (AD DS) to store and retrieve information for AD DS-integrated zones. This error indicates that AD DS is not responding to requests from the DNS Server service. Ensure that AD DS is functioning properly, troubleshoot any problems, and then restart the DNS Server service.
Please try the following article and the instruction’s steps to see if it helps.
https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c03366032
1) Possibly this is a problem with a DNS reverse lookup zone. Please check whether the security permissions for the reverse lookup zone are configured correctly as below.
2) Clean the DNS name server list so that it contains only the correct, available domain controllers.
3) Run netdiag /fix and netdiag /test:dns /debug on the server to troubleshoot the issue.
4) Check the permissions set on every zone and the ownership of each zone.
5) Check List NC Replicas DC=ForestDnsZones,DC=domain,DC=com and List NC Replicas DC=DomainDnsZones,DC=domain,DC=com using the ntdsutil utility.
6) Check the DNS records in each and every folder to see if any wrong record exists that might cause the issue.
Besides, in my experience it is normal for Event ID 1175 from AD DS to be followed by Event ID 1174.
Hope above information can help you.
Highly appreciate your effort and time. If you have any questions and concerns, please feel free to let me know.
Best regards,
Michael
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected]
Friday, April 13, 2018 11:26 AM
Thank you for responding to my query.
in-addr.arpa properties are as shown.
DNS server lists in IPv4 config (I assume this is what you meant) are correct and reference the DNS servers.
I have looked up the use of netdiag and have seen that it is not compatible with 2008 R2 onwards. Is there an alternative?
Permissions on all zones allow Authenticated Users to create child objects. The permissions on the in-addr.arpa show domain admins as the owner - should this be changed to System?
Records are fine.
Tuesday, April 17, 2018 10:56 AM
"... The permissions on the in-addr.arpa show domain admins as the owner - should this be changed to System?"
I compared the ownership of the in-addr.arpa folder with that on our second DNS server and saw that its owner account was SYSTEM. I changed the ownership to SYSTEM and have not had any 4015 errors for the last two hours.
Hopefully, this has resolved the issue!
Thanks again for your help.
Tuesday, April 17, 2018 1:15 PM
I spoke too soon :(
The interval at which the events are being logged has changed and is much less. But, I had not restarted the DNS Server service or the DHCP Server service. I have done so now and will report back tomorrow.
Tuesday, April 17, 2018 1:24 PM
Hi,
Sorry for my delay. Thanks for your detailed reply.
Did changing the ownership of the in-addr.arpa zone to SYSTEM resolve the issue?
Highly appreciate your successive effort and time.
Best regards,
Michael
Tuesday, April 17, 2018 1:29 PM
OK. I will follow up and look forward to hearing your good news.
Best regards,
Michael
Wednesday, April 18, 2018 8:32 AM
Hi
That does not appear to have worked.
This morning a member of staff (J) was covering for one of our office admins and working from the admin's machine. She usually uses remote desktop to connect to her own computer from the admin's machine when she provides this cover.
She was unable to connect. To summarise:
J's machine had address 192.168.0.138 from DHCP
DHCP console showed the same address
DNS console showed 192.168.0.139
I deleted the .139 A and PTR records from DNS and ran ipconfig release/renew on J. Same DHCP address was assigned, but was not registered in DNS.
I set a static address of 192.168.0.79 on J's computer. After a minute or so the entry was not registered with DNS. I tried to manually add an A record but was not allowed to (I did not write down the actual error - sorry).
I restarted J's computer and the A record was registered in DNS but not the PTR. I was able to manually add the PTR record. I checked the DNS Server event log and 4015 is back.
I checked the ownership of the in-addr.arpa zone and it is still SYSTEM.
[edit]
The first thing I did after I was asked to resolve this was to ping J's machine from the admin's machine. Ping stuttered and came back with values in the region of 28, 500, 28, 350.
Wednesday, April 18, 2018 1:22 PM
Hi,
Thanks for your update.
Please try the following suggestion to see if it helps.
1) Type the command services netlogon stop | start to register AD SRV records.
2) Restart DNS service and then reboot the DC.
3) Please delete J's previous records in DNS and reconfigure J's IP (static or DHCP, both OK). Then type the command "ipconfig /registerdns" on both J's machine and the DNS server after J's IP configuration.
If the issue persists after suggestions, please type the command "dcdiag /test:dns" on the DC to AD-Integrated DNS and post the result to me at your convenience.
Highly appreciate your successive effort and time.
Best regards,
Michael
Wednesday, April 18, 2018 1:41 PM
Here is a link referring to DNS registration; it may be helpful.
Best regards,
Michael
Wednesday, April 18, 2018 4:54 PM
Just to give you some more information maybe this link can help you :
https://blogs.technet.microsoft.com/stdqry/2012/04/03/dhcp-server-in-dcs-and-dns-registrations/
Regards,
Friday, April 20, 2018 1:37 AM
Hi,
How are things going on? Was your issue resolved?
Please let me know if you would like further assistance.
Wish you have a nice weekend!
Best regards,
Michael
Friday, April 20, 2018 10:14 AM
Hello, Michael
I won't be able to restart the DC until next week. I'll post back after I have done so. Thanks again for the suggestions so far.
Best regards
Mark
Friday, April 20, 2018 11:24 AM
Hi,
Thanks for the reply. I'll follow up and stand by with you.
Highly appreciate your effort and time.
Have a nice weekend!
Best regards,
Michael
Tuesday, April 24, 2018 9:29 AM
Hi, Michael
Last night I ran the command to stop/start the netlogon service, restarted the DNS service and then restarted the domain controller.
The 4015 events are still being logged. The screenshot shows the sequence of events after the server was restarted. After the initial events, the remainder comprise 4015.
Here are the results of the dcdiag /test:dns command:
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = Atlas
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\ATLAS
Starting test: Connectivity
......................... ATLAS passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\ATLAS
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
......................... ATLAS passed test DNS
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : htlincs
Running enterprise tests on : htlincs.local
Starting test: DNS
......................... htlincs.local passed test DNS
Thanks again for any help you can provide. Thank you also for the links. I had done a lot of research about this but had not seen the first link. It was very useful.
Cheers!
Mark
Tuesday, April 24, 2018 2:26 PM
Hello,
Do you use a service account to register DNS records?
Is your DHCP server configured to "Always register A and PTR record"?
Best Regards,
Wednesday, April 25, 2018 2:08 AM
Hi,
Thanks for your update.
The DNS test looks like it passes. I agree with Dokoh. Please check the option "Always register A and PTR record" in the DHCP properties as below.
Meanwhile, there are actually two ways to make a Windows Server DHCP server authorized to register A and PTR DNS records on behalf of its clients:
1) By adding the DHCP server as a member of the DnsUpdateProxy AD group: any authenticated user can take ownership of DNS records registered by the DHCP server, as they have no security. This is not a recommended option.
2) By adding the DHCP server as a member of the DnsUpdateProxy AD group and using DNS dynamic update credentials: by using an AD account as the DNS dynamic update credentials, DNS records registered by the DHCP server will have this AD account as owner. This prevents them being updated by any authenticated user. This is the recommended option and is required to have secure dynamic updates working when your DHCP server is collocated on a domain controller.
Here are links referring to DNS updates; please try the following articles to see if they help. I look forward to hearing your good news.
How to Secure DNS Updates on Microsoft DNS Servers
DHCP, Dynamic DNS Updates, Scavenging, static entries & time stamps, the DnsUpdateProxy Group, and DHCP Name Protection
Highly appreciate your successive effort and time. If you have any questions and concerns, please feel free to let me know.
Best regards,
Michael
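Option 2 above, applied with PowerShell, as an added example that is not from the thread or from Microsoft's documentation. It assumes a DHCP server named Janus (the member server used later in the thread), the update account HTLINCS\DHCProtocol from the thread, and that the DhcpServer and ActiveDirectory RSAT modules are installed; run it from an account that is both a DHCP and an AD group administrator.

```powershell
# Added example: configure a DHCP server for secure dynamic DNS updates using
# the DnsUpdateProxy group plus a dedicated dynamic update account.
# Assumed names: DHCP server Janus, update account HTLINCS\DHCProtocol.
Import-Module DhcpServer
Import-Module ActiveDirectory

$DhcpServer          = 'Janus.htlincs.local'
$DhcpComputerAccount = 'JANUS$'

# 1. Make the DHCP server a member of DnsUpdateProxy so that a record it
#    registers on behalf of a client can later be taken over by that client
#    (or by a second DHCP server) instead of being locked to the registrar.
Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members $DhcpComputerAccount

# 2. Give the DHCP service a dedicated, low-privilege account for the updates.
#    Records it registers are then owned by this account rather than being left
#    writable by any authenticated user, which is the weakness of step 1 alone.
$cred = Get-Credential -Message 'DNS dynamic update account' `
                       -UserName 'HTLINCS\DHCProtocol'
Set-DhcpServerDnsCredential -Credential $cred -ComputerName $DhcpServer

# 3. Always register A and PTR for clients and discard them when the lease is
#    deleted. UpdateDnsRRForOlderClients covers clients that do not send
#    DHCP option 81, which is the case for the Android/iOS guests in the thread.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer `
    -DynamicUpdates Always `
    -DeleteDnsRROnLeaseExpiry $true `
    -UpdateDnsRRForOlderClients $true

# 4. Verify: the credential shows the account, the group lists the server,
#    and the DNS settings reflect the values set above.
Get-DhcpServerDnsCredential -ComputerName $DhcpServer
Get-ADGroupMember -Identity 'DnsUpdateProxy' | Select-Object -ExpandProperty SamAccountName
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer
```

The DHCP Server service must be restarted after the credential is set for it to be used for new registrations.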
Thursday, April 26, 2018 10:38 AM
Thanks Michael and Dokoh for responding to my questions.
Both the DHCP IPv4 and Scope Properties DNS tabs are configured as shown in Michael's response. I have created an Active Directory account as per Microsoft's instructions and used this account in the credentials for DHCP.
I have been looking at the security info for the records. I can see that all the A records have SYSTEM as the owner, but that the PTR records have a mix of SYSTEM and the AD account as the owner.
However, reading the article that Michael linked to in his last response I have seen an explanation of name protection. I will enable name protection as this looks to do exactly what I need. I had skipped over it before because I had (wrongly) assumed it was a method for preventing rogue DHCP servers from providing addresses.
I have not added the DHCP server to the DNSProxy group because there is just one DHCP server. Do you think this is worth doing for a single server? Also, as stated above the DHCP lease time is 8 hrs. The reason I set it for this length of time was so that I had another method of identifying live or recent guest devices on our network, and assumed the old A and PTR records would be removed by the DHCP server after the lease expired if the client did not request a renewal. Is it worth changing this? I assume not.
Anyway, I will enable name protection on both the IPv4 and Scope DNS Properties and see what happens.
Thanks again!
Mark.
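An audit for the symptom described in this post (addresses with two PTR records, and a mix of owners on those records), as an added example that is not from the thread. It assumes the zone name 0.168.192.in-addr.arpa, the DNS server Atlas and the domain htlincs.local from the thread, a /24 reverse zone, and the DnsServer and ActiveDirectory modules.

```powershell
# Added example: list every address in the reverse zone that has more than one
# PTR record and show which security principal owns the node object in AD.
# Assumed names from the thread: zone 0.168.192.in-addr.arpa, DC/DNS server Atlas.
Import-Module DnsServer
Import-Module ActiveDirectory

$Zone    = '0.168.192.in-addr.arpa'
$DnsHost = 'Atlas.htlincs.local'
# The zone is in the ForestDnsZones application partition (see the 1175 events).
$ZoneDn  = "DC=$Zone,CN=MicrosoftDNS,DC=ForestDnsZones,DC=htlincs,DC=local"

function Get-DuplicatePtrOwners {
    # All PTR records, grouped by node name (the last octet, e.g. "117").
    $dupes = Get-DnsServerResourceRecord -ComputerName $DnsHost -ZoneName $Zone -RRType Ptr |
        Group-Object -Property HostName |
        Where-Object { $_.Count -gt 1 }

    foreach ($group in $dupes) {
        $node   = $group.Name
        $nodeDn = "DC=$node,$ZoneDn"

        # Every record for one name lives in a single dnsNode object, so the
        # owner (the nTSecurityDescriptor the 4015 error complains about) is per
        # node, not per record. A Base-scope search works for application partitions.
        $obj = Get-ADObject -Server $DnsHost -SearchBase $nodeDn -SearchScope Base `
                   -Filter * -Properties nTSecurityDescriptor -ErrorAction SilentlyContinue
        $owner = if ($obj) { $obj.nTSecurityDescriptor.Owner } else { '<node not found>' }

        # Timestamp is empty for static records; aged records show their last refresh.
        $targets = $group.Group | ForEach-Object {
            $stamp = if ($_.Timestamp) { $_.Timestamp } else { 'static' }
            '{0} ({1})' -f $_.RecordData.PtrDomainName, $stamp
        }

        [PSCustomObject]@{
            Address = "192.168.0.$node"   # assumes a /24 zone
            Owner   = $owner
            Targets = $targets -join '; '
        }
    }
}

Get-DuplicatePtrOwners | Format-Table -AutoSize
```

A node owned by the dynamic update account was registered by DHCP, whereas SYSTEM ownership means the DNS server or a DC wrote it; the timestamps tell you which of the two PTR targets is the stale one before you delete it.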
Thursday, April 26, 2018 1:43 PM
OK, I have done more reading on DNSupdateproxy and found this thread:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/5abcfde4-c483-46f5-a128-45b6eaf2346a/dns-update-error?forum=winservergen
As the 4015 events were still being logged I have added the DHCP server to the DNSUpdateProxy group, and have set the OpenACLOnProxyUpdates value to 0 (it was originally 1). I have also restarted the DNS and DHCP server services.
Fingers crossed!
Friday, April 27, 2018 10:10 AM
The 4015 events are still there and it looks like there is just one guest device (named huawei_gt3.htlincs.local) that consistently has two PTR records.
I will restart this DHCP/DNS server and the second server that also hosts DNS on Sunday as the leases should have expired (we rarely have anyone working in the office over a weekend. Anyone working at this time usually connects via a VPN connection from home, and they are assigned static IP's in their AD account properties).
I'll see how it goes on Monday and report back.
Monday, April 30, 2018 3:19 PM
Update:
The DNS/DHCP servers (domain controllers) were restarted Sunday evening.
Since enabling name protection and making the DHCP server a member of the DNSUpdateProxy Group I am seeing the expected DHCID records for some, but not all non-Windows hosts on the network. However, I am still seeing two PTR records - for some domain-joined hosts as well as some Android/iOS devices, but not all of either have two PTRs, and some non-Windows devices have no PTR at all.
--
Also, the 4015 events are still being logged:
DNS Log:
Event Type: Error
Event Source: Microsoft-Windows-DNS-Server-Service
Event Category: None
Event ID: 4015
Date: 30/04/2018
Time: 16:01:36
User: HTLINCS\DHCProtocol
Computer: Atlas.htlincs.local
Description:
The description for Event ID ( 4015 ) in Source ( Microsoft-Windows-DNS-Server-Service ) cannot be found. Either the component that raises this event is not installed on your local computer, or the installation is corrupted. You can install or repair the component on the local computer, or contact the component manufacturer for a newer version.
If the event was saved from another computer or forwarded from a remote computer, you might have to include display information with the events when saving them or when setting up the forwarding s 0000051B: AtrErr: DSID-030F22B2, #1:
0: 0000051B: DSID-030F22B2, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor).
Data:
0000: 13 00 00 00 ....
Directory Services:
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 30/04/2018 16:01:36
Event ID: 1175
Task Category: Directory Access
Level: Information
Keywords: Classic
User: SYSTEM
Computer: Atlas.htlincs.local
Description:
Internal event: A privileged operation (rights required = 0x) on object DC=117,DC=0.168.192.in-addr.arpa,cn=MicrosoftDNS,DC=ForestDnsZones,DC=htlincs,DC=local failed because a non-security related error occurred.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
<EventID Qualifiers="16384">1175</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>8</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2018-04-30T15:01:36.770908700Z" />
<EventRecordID>33801</EventRecordID>
<Correlation />
<Execution ProcessID="532" ThreadID="1348" />
<Channel>Directory Service</Channel>
<Computer>Atlas.htlincs.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data>
</Data>
<Data>DC=117,DC=0.168.192.in-addr.arpa,cn=MicrosoftDNS,DC=ForestDnsZones,DC=htlincs,DC=local</Data>
</EventData>
</Event>
Is it possible to completely reset DNS/DHCP? Luckily, I have a small network with ~40 clients so hopefully this can be easily achieved. Swap the domain-joined clients over to static addressing, then slowly change them back to DHCP? Would this help?
Thanks.
Tuesday, May 1, 2018 9:09 AM
Hello,
What you can do is separate the DHCP from the domain controller and see if it solves your issue.
If not, the last thing you can do is delete the reverse lookup zone and recreate it.
Best Regards,
Tuesday, May 1, 2018 11:08 AM
Hi, Dokoh
Thanks very much for the suggestion.
I will set up a DHCP server on a member server in the domain, then export/import the settings as described in my first post.
I will do this out-of-hours so will post back during the next couple of days with an update.
Cheers!
Mark
Thursday, May 3, 2018 3:25 PM
I installed the DHCP role on a member server running 2012 Standard and removed the DHCP role from the 2012 R2 two nights ago. I created the scope and set the options.
The clients got IP addresses from the new DHCP installation, but 4015 events are still being logged.
Configuration as it stands at present:
DHCP server (\Janus) is a member of the DNSUpdateProxy group. DHCP server settings: IPv4 > Properties >
DNS Tab:
Enable DNS dynamic updates according to the settings below
Always dynamically update DNS A and PTR records
Discard A and PTR records when lease is deleted
Name protection is enabled (which greys out the settings beneath 'Enable DNS dynamic updates according to the settings below')
Advanced Tab:
Conflict detection attempts = 1
DNS dynamic update registration credentials: were configured with the user account DHCProtocol, but still got 4015 events logged for that account. Removed those credentials and 4015 events are logged for the computer account Janus$ instead.
DNS Server > Reverse Lookup Zones > 0.168.192.in-addr.arpa > Properties >
Security Tab > Advanced > Permissions Tab > 'Principal' > Edit:
Everyone:
Permissions: List contents, Read all properties, Read permissions
Properties: All 'Read ****' entries, no 'Write ****' entries
Authenticated Users:
Permissions: Create all child objects only
Properties: None
SYSTEM:
Permissions: Everything
Properties: Everything
4015:
Event Type: Error
Event Source: Microsoft-Windows-DNS-Server-Service
Event Category: None
Event ID: 4015
Date: 03/05/2018
Time: 12:09:35
User: HTLINCS\JANUS$
Computer: Atlas.htlincs.local
Description:
The description for Event ID ( 4015 ) in Source ( Microsoft-Windows-DNS-Server-Service ) cannot be found. Either the component that raises this event is not installed on your local computer, or the installation is corrupted. You can install or repair the component on the local computer, or contact the component manufacturer for a newer version.
If the event was saved from another computer or forwarded from a remote computer, you might have to include display information with the events when saving them or when setting up the forwarding s 0000051B: AtrErr: DSID-030F22B2, #1:
0: 0000051B: DSID-030F22B2, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 20119 (nTSecurityDescriptor).
Data:
0000: 13 00 00 00 ....
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 03/05/2018 12:09:35
Event ID: 1175
Task Category: Directory Access
Level: Information
Keywords: Classic
User: SYSTEM
Computer: Atlas.htlincs.local
Description:
Internal event: A privileged operation (rights required = 0x) on object DC=HUAWEI_GT3,DC=htlincs.local,cn=MicrosoftDNS,cn=System,DC=htlincs,DC=local failed because a non-security related error occurred.
The DNS records are seriously out of whack. For example:
DHCP: Assigned Jim-PC 192.168.0.144
DNS: Jim-PC A and PTR = 145. .144 PTR = Layers01
DHCP: HOD-PC was .145. Renamed computer to Lydia, after restart it kept same DHCP assigned IP, but no PTR exists for Lydia (record creation failure presumably recorded by the 1175 and 4015 events)
Jim-PC: ran ipconfig /registerdns. No errors reported after 15mins. However, the DHCP Client log contains:
Error 21/03/2018 08:44
Microsoft-Windows-Dhcp-Client
1001
Address Configuration State Event
Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0xF8B156CC3B93. The following error occurred: 0x79. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
I looked up the 0x79 and found it translates to 'The semaphore timeout period has expired.' After a little research I discovered that updating the NIC driver may help. I did this for Jim-PC. Deleted the wrong Jim-PC A and PTR records. Ipconfig release/renew (grabbed the same .144 address). The A and PTR records were not populated in DNS. Then ran ipconfig /registerdns but even after an hour the A/PTR records are not present for either the name or the IP in either zone.
I've switched the machine off. The lease will expire before it is switched back on tomorrow when it will be forced to ask for an address.
If the driver update has not worked for this PC I will wait until after the Bank Holiday. Most of the computers will be switched off from tomorrow (Fri) evening until Tuesday morning.
If things are no better I will look at deleting and recreating the PTR zone as suggested by Dokoh.
If anyone else has any suggestions in the meantime, please post.
Thanks!
Mark
Friday, May 11, 2018 11:06 AM
I am still seeing DNS 4015 errors. Also, since enabling Name Protection I am seeing DHCP 1340 events.
Log Name: System
Source: Microsoft-Windows-DHCP-Server
Date: 11/05/2018 11:41:23
Event ID: 1340
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: Janus.htlincs.local
Description:
The DNS registration for DHCPv4 Client IP address 192.168.0.117 , FQDN android-a0d596d6d4e1a655.htlincs.local and DHCID AAEBxbItXBRgTHnLEN5BTVKLE6jW2PGpVqSoncfpodfrbno= has been denied as there is probably an existing client with same FQDN already registered with DNS.
I understand these events can be ignored (according to other Q's about this event), but to be honest I really can do without it.
I am also still seeing duplicate A and PTR records.
I am creating DHCP reservations for all clients as they come online. After all the clients are reserved and their records are in DNS I will remove the dross. This seems to be the only way to fix this. I assume there is something wrong with the configuration of DNS and/or DHCP, or that something at the system level has gone wonky to cause this.
Thank you to both Michael and Dokoh for taking the time to help me with this. It really is appreciated. If I see further issues with this I will post back.
Thanks :)
Wednesday, June 20, 2018 2:33 PM
I removed the DHCP Name Protection. The reason being this gave me another record - DHCID - to worry about and which added to the confusion over duplicate records.
Soon after my previous post I extended the lease time from 8hrs to 8 days.
After a couple of weeks I removed the duplicates. Since that time everything has been humming along quite nicely. DNS A and PTR records are OK - no duplicates. I'm still seeing the 4015 events but as the clients have been fine I'm not worrying about it.