Need help resolving DNS Event ID 4515

Thraxen

I've been doing some reading on this event ID, but I'm a bit confused on how
to go about resolving this. I want to make sure I'm deleting the correct
zone.

We have a couple of different sites connected via VPN (24/7). Each site has
its own DC running DNS. Each site is part of the same domain, just on
different subnets. The domain is Windows Server 2003 native.

When I check the replication of the DNS zones I'm not sure it is set up
correctly. Here is what I see:

On both DCs...
-The _msdcs.example.com zone is set to replicate to "All DNS Servers in the
AD Forest."
-The example.com zone is set to replicate to "All DCs in the AD domain."
-The 0.x Subnet (under reverse lookup) is set to replicate to "All DCs in
the AD domain."
-The 2.x Subnet is set to replicate to "All DNS servers in the AD domain".

So there is at least one zone that has one of the 3 replication options
selected. That doesn't seem correct. Should they all have the same
option selected? Is this where the warning is coming from? Will changing
the replication options fix the errors or will I need to also manually delete
the old zones too?

Thanks!


stash

Originally posted by: Thraxen
So there is at least one zone that has one of the 3 replication options selected. That doesn't seem correct. Should they all have the same option selected?

The replication options are set correctly. The _msdcs zone is delegated out of the main zone and replicated forest wide to eliminate DNS islanding. It takes advantage of the ForestDNSZones application partition, which means your DCs need to be running 2003.

You didn't post the verbatim from the error, but I assume you're seeing something about a critical error. Are you only seeing this when the machine is booted, or all the time? How many DCs do you have? How are they configured for DNS, meaning, what are each of the DCs using for primary and secondary DNS (all DCs should point to themselves for primary and another DC for secondary...if you have them pointing to themselves for primary and secondary is blank, that can cause this issue).

hboogz

Have you looked at this?

http://tinyurl.com/25naqz

There are different schools of thought on how your DNS settings should be applied. But the simpler the setup, the better and easier troubleshooting should be. Although AD is a multi-master setup, your DNS infrastructure doesn't have to follow the same school of thought. I usually create one "primary" DNS server that will be authoritative for my DNS domain and have all the rest of the DCs holding DNS pointing to this box as their primary DNS, and secondary would be themselves. Since all your zones will be AD-integrated, all you really have to do is allow secure zone transfers from each of the DNS servers to this primary and from the primary to all other DNS servers.

I've run this setup without any problems.


stash

Originally posted by: hboogz
There are different schools of thought on how your DNS settings should be applied. But the simpler the setup, the better and easier troubleshooting should be. Although AD is a multi-master setup, your DNS infrastructure doesn't have to follow the same school of thought. I usually create one "primary" DNS server that will be authoritative for my DNS domain and have all the rest of the DCs holding DNS pointing to this box as their primary DNS, and secondary would be themselves. Since all your zones will be AD-integrated, all you really have to do is allow secure zone transfers from each of the DNS servers to this primary and from the primary to all other DNS servers.

There are so many inaccuracies in this I'm not sure where to begin...

For starters, if your zones are AD integrated, you don't need to enable zone transfers at all. DNS will just ignore that setting if all you have is AD integrated zones.

Pointing all DCs to the same server for DNS is also a really bad idea if you have more than one site. Having all the DNS traffic going across various WAN links is bad design.

A better comment would be that there have been many schools of thought for DNS in an AD domain. But the general recommendation these days is to point all DCs to the loopback for primary (if they are running DNS, which there's no reason not to) and another DC in the same site for secondary.

hboogz

You mean to tell me the only way to set DNS server settings is to ALWAYS point a DC that's hosting DNS to itself? You are mistaken, look it up. I agree that if you do use AD-integrated, in principle you don't need to set up zone transfers. I should have mentioned that if you wanted to revert to non-AD-integrated zones, this would need to be done.

Bad design? Then explain the purpose of conditional forwarding and stub zones. I've seen organizations with fewer than 5 DNS servers deployed across the world that have no issues with zone transfers hogging a WAN pipe -- you have to be getting me. Conditional forwarding and the right implementation of stub zones prevent you from having to transmit full zone transfers, thus reducing incremental zone transfers to less than nothing.

Your implementation methods are sound and by the book, but Microsoft DNS, like most Microsoft products, has a funny way of working a little differently in a production environment -- ask anyone who has managed an MS network/environment through the years.


Thraxen

Originally posted by: stash
The replication options are set correctly. The _msdcs zone is delegated out of the main zone and replicated forest wide to eliminate DNS islanding. It takes advantage of the ForestDNSZones application partition, which means your DCs need to be running 2003.

You didn't post the verbatim from the error, but I assume you're seeing something about a critical error. Are you only seeing this when the machine is booted, or all the time? How many DCs do you have? How are they configured for DNS, meaning, what are each of the DCs using for primary and secondary DNS (all DCs should point to themselves for primary and another DC for secondary...if you have them pointing to themselves for primary and secondary is blank, that can cause this issue).

Thanks for the reply. I'm actually not seeing any critical errors, just periodic warnings in the Event Viewer. The warning seems to appear every couple of days, though sometimes it will go a week without a new one. It doesn't seem to be tied to reboots. DNS seems to be working fine in the domain, I was just wanting to clear this warning out mostly because I'm tired of looking at it.

There are 3 domain controllers, each one at a different remote site. All 3 sites are part of the same domain, connected via VPN tunnels, and are on different subnets. The DC that has the most warnings in the DNS Event Viewer is the PDC emulator at the primary site. This DC is only pointed at itself for DNS.

One of the remote DCs has nothing at all logged in the DNS Event Viewer. Any ideas why? Is there an option somewhere to enable/disable DNS logs? This one too is only pointed at itself.

The third DC is pointed at itself as the primary and the PDC as the secondary. But it too has the 4515 warning. But the warning is very infrequent. It has only appeared one time this year... back in mid-February. Before that it happened only 3 other times between September and the new year.

Here is the warning verbatim:
The zone example.com was previously loaded from the directory partition MicrosoftDNS but another copy of the zone has been found in directory partition DomainDnsZones.example.com. The DNS Server will ignore this new copy of the zone. Please resolve this conflict as soon as possible.

If an administrator has moved this zone from one directory partition to another this may be a harmless transient condition. In this case, no action is necessary. The deletion of the original copy of the zone should soon replicate to this server.

If there are two copies of this zone in two different directory partitions but this is not a transient caused by a zone move operation then one of these copies should be deleted as soon as possible to resolve this conflict.

To change the replication scope of an application directory partition containing DNS zones and for more details on storing DNS zones in the application directory partitions, please see Help and Support.

stash

Originally posted by: hboogz
You mean to tell me the only way to set DNS server settings is to ALWAYS point a DC that's hosting DNS to itself? You are mistaken, look it up.

I didn't say always. I said the general recommendation is to do that: http://support.microsoft.com/kb/825036

Yes, you can use a central server for primary DNS or a combination of the two designs, but doing so puts a lot of emphasis on the WAN links. If you lose a link to your primary server, you're SOL unless the secondary is pointing to itself or another DC in the site. Which is fine. My main point was having all DCs going across the WAN for all their lookups (not just zone transfers, which are using AD replication anyway) can cause significant problems. I've worked on environments where people have hundreds of DCs around the world, many in sites with extremely slow links (think ships at sea).

So yes, you can have other designs that will work. But if you are going to point to a central server for primary and use local DNS for secondary, the only thing you gain is the possibility of less lag in record updates, since you don't have to wait for replication. If you have fast WAN links, this might be ok, otherwise the risk of saturating a slow link with queries outweighs any benefits of decreased lag in updates.

stash

Originally posted by: Thraxen
Here is the warning verbatim:

Ah, this is a different warning than what I was thinking. It looks like the domain was probably upgraded from 2000 to 2003 at some point, and the zone info is now stored in two places. MicrosoftDNS is where 2000 DCs would store AD integrated zones, it's just a container in the domain partition. This is equivalent to the "All domain controllers in the AD domain" replication option.

2003 will store zones in the two application partitions that I referred to above, so the same zone that is in MicrosoftDNS in the domain partition is also in the DomainDNSZones application partition.

Have you seen the following article on resolving this issue? http://support.microsoft.com/default.aspx?scid=kb;en-us;867464

Basically you will most likely want to stop DNS on all servers except one, and then convert your example.com (don't touch _msdcs) zone to a standard primary and restart DNS on that one server. This will delete it from MicrosoftDNS and store it in a file and should get rid of the warnings. You'll then want to re-enable AD integration on the zone and set the replication to All DNS servers in the domain (note that this is different from the replication option I noted at the beginning of this post). Restart DNS again and make sure there are no errors or warnings. Then force AD replication to get the changes to the other DCs and then start DNS back up on the other DCs.

edit: fixed a couple things
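The single-server part of the procedure stash outlines, scripted as an added example (not code from the thread, from Microsoft, or from KB 867464). It assumes dnscmd.exe and repadmin.exe are available on the Windows Server 2003 DC, uses the zone name example.com from the thread, and assumes the DNS Server service has already been stopped on the other two DCs so that only this server loads the zone:

```powershell
# Added example, not from the thread: clears a duplicate AD-integrated zone
# (Event ID 4515) by moving it out of the MicrosoftDNS container and back
# into the DomainDnsZones application partition, on ONE server only.
# Assumes dnscmd.exe / repadmin.exe are on the DC and DNS is stopped elsewhere.
$Zone     = 'example.com'      # zone from the thread; _msdcs is never touched
$ZoneFile = "$Zone.dns"        # temporary file-backed copy in %SystemRoot%\System32\dns

if ($Zone -like '_msdcs.*') { throw 'Refusing to touch the _msdcs zone.' }

function Invoke-Dnscmd {
    # Runs dnscmd and stops the script on any non-zero exit code.
    param([string[]]$Arguments)
    & dnscmd.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $Arguments failed ($LASTEXITCODE)" }
}

# 1. Record the current state: which application partitions exist, and where
#    the zone is stored right now (domain partition vs. DomainDnsZones).
Invoke-Dnscmd @('/EnumDirectoryPartitions')
Invoke-Dnscmd @('/ZoneInfo', $Zone)

# 2. Convert the zone to a standard (file-backed) primary. The directory copy
#    is removed and the data is written to the zone file instead.
Invoke-Dnscmd @('/ZoneResetType', $Zone, '/Primary', '/file', $ZoneFile)
Restart-Service -Name DNS

# 3. Convert it back to AD-integrated, stored in the DomainDnsZones partition,
#    which is "All DNS servers in the AD domain" in the DNS console.
Invoke-Dnscmd @('/ZoneResetType', $Zone, '/DsPrimary', '/DP', '/domain')
Restart-Service -Name DNS

# 4. Verify the new storage location and look for any 4515 logged since the
#    restart; there should be none before replication is forced.
Invoke-Dnscmd @('/ZoneInfo', $Zone)
Get-EventLog -LogName 'DNS Server' -Newest 50 |
    Where-Object { $_.EventID -eq 4515 -and $_.TimeGenerated -gt (Get-Date).AddMinutes(-10) }

# 5. Push the change to the other DCs (all partitions, cross-site); only then
#    start the DNS Server service on them again.
& repadmin.exe /syncall /APed
```

Run it once on the server chosen to keep the zone; if step 4 still shows the zone in the domain partition or logs a new 4515, stop before forcing replication.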