DNS Dynamic Update Failures — Event ID 4015 on AD-Integrated DNS Zones (Application Partition Replication Lockup)
Active Directory-integrated DNS zones refuse dynamic updates from clients and DHCP servers, and the affected Domain Controllers log Event ID 4015 ('The DNS server has encountered a critical error from the Active Directory') in the DNS Server event log. The root cause is latency or a replication lockup within the Application Directory Partition that stores the zones (DomainDnsZones or ForestDnsZones), often compounded by stale or dead DC entries in the partition's replica set, which is held on the partition's crossRef object in the Configuration naming context. Left unresolved, stale DNS records accumulate across the fleet and cause broken connectivity and automation failures. Remediation begins with restarting the Netlogon and DNS Server services; persistent cases require removing the dead replica references via ADSI Edit (and completing metadata cleanup for the dead DC) followed by forced replication convergence.
Indicators
- Event ID 4015 logged in the DNS Server event log on one or more Domain Controllers: 'The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly.' A single 4015 during DC startup, before AD DS is available, is expected and clears on its own; the symptom is recurring 4015 entries in steady state.
- AD-integrated DNS zones refusing dynamic update requests from DHCP servers or domain-joined clients
- Stale DNS A/PTR records persisting across the fleet — hosts resolve to old IP addresses despite DHCP renewals
- Operational automation failures (scripts, monitoring, provisioning tools) caused by unresolvable or stale host records in DNS
Likely causes
- Latency or replication lockups within the Application Directory Partition (DomainDnsZones or ForestDnsZones) prevent DNS zone data from being written by the local DNS server or replicated between Domain Controllers; the DNS server surfaces the failed LDAP write as Event ID 4015
- Stale or dead replica references in the partition's replica set (the msDS-NC-Replica-Locations and msDS-NC-RO-Replica-Locations attributes on the partition's crossRef object under CN=Partitions in the Configuration naming context) block healthy replication and dynamic update propagation. This is typically caused by a DC that was removed without a clean demotion or metadata cleanup, so its NTDS Settings object and its replica entry are still present while the DC no longer answers
Diagnostic steps
- Open Event Viewer on the affected Domain Controller and navigate to Applications and Services Logs > DNS Server. Confirm Event ID 4015 is present and note the extended error text in the event data (it may be empty). Check timestamps to establish onset and frequency, and distinguish recurring entries from a one-off 4015 at boot. Why: confirms the symptom, scopes which Domain Controllers are affected, and establishes the incident timeline before deeper diagnostics.
- Run dcdiag targeting DNS and replication health on the affected Domain Controller: `dcdiag /test:dns /test:replications /v`. Why: identifies DNS configuration failures and Active Directory replication errors that may be causing the Application Directory Partition lockup; the verbose output flags failed replication links and DNS misconfiguration.
- Check replication status for the DomainDnsZones and ForestDnsZones application partitions across all DCs: `repadmin /showrepl` and `repadmin /replsummary`. Look for non-zero failure counts, stale 'Last attempt' / 'Last success' times, or large replication deltas on the DC=DomainDnsZones,... and DC=ForestDnsZones,... naming contexts specifically. Why: pinpoints which replication links are degraded or stalled, confirming the replication lockup hypothesis and identifying the source and target DCs with blocked synchronisation.
- Launch ntdsutil to list the replica holders of each application partition. At the ntdsutil prompt type `partition management` (the menu is called `domain management` on Windows Server 2003), then `connections`, then `connect to server <DCname>`, then `quit` back to the partition management prompt, then `list nc replicas DC=DomainDnsZones,DC=<domain>,DC=<tld>` and the equivalent for ForestDnsZones. Why: lists every DC registered as a replica of the partition, surfacing decommissioned or dead DCs that are still listed as replica holders.
- If dead or stale replica references are suspected, open ADSI Edit (adsiedit.msc), connect to the Configuration naming context, navigate to CN=Partitions,CN=Configuration,DC=<forestroot>,DC=<tld>, and open the crossRef object whose nCName attribute is the partition DN (for example DC=DomainDnsZones,DC=<domain>,DC=<tld>; identify it by nCName, since its CN may not be a friendly name). Inspect the msDS-NC-Replica-Locations and msDS-NC-RO-Replica-Locations attributes for NTDS Settings DNs of decommissioned or unreachable DCs. Note that the replica set is stored on this crossRef object, not on the partition root object. Why: locates the specific stale replica entries that are blocking healthy updates and confirms whether ADSI Edit remediation is required before proceeding.
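The ntdsutil and ADSI Edit checks above can be scripted. The following is an added example (not part of the original runbook) that reads the replica set of the DomainDnsZones and ForestDnsZones partitions from their crossRef objects, resolves each NTDS Settings DN to a host name, and flags entries whose object no longer exists or whose host does not answer on LDAP. It is read-only. It assumes the RSAT ActiveDirectory module and a domain-joined administrative session; the function name and the LDAP port parameter are this example's own.

```powershell
# Added example: audit replica holders of the DNS application partitions.
# Assumes RSAT ActiveDirectory module; read-only, safe to run repeatedly.
Import-Module ActiveDirectory

function Get-DnsPartitionReplicaHealth {
    [CmdletBinding()]
    param(
        [int]$LdapPort = 389   # assumed: plain LDAP; use 636 if only LDAPS is reachable
    )
    $configNc     = (Get-ADRootDSE).configurationNamingContext
    $partitionsDn = "CN=Partitions,$configNc"

    # The replica set lives on each partition's crossRef object, not on the partition root.
    # nCName is DN-syntax (no LDAP substring filter), so select client-side.
    $crossRefs = Get-ADObject -SearchBase $partitionsDn -LDAPFilter '(objectClass=crossRef)' `
                     -Properties nCName, 'msDS-NC-Replica-Locations', 'msDS-NC-RO-Replica-Locations' |
                 Where-Object { $_.nCName -like 'DC=DomainDnsZones,*' -or $_.nCName -like 'DC=ForestDnsZones,*' }

    foreach ($xref in $crossRefs) {
        $entries = @()
        foreach ($dn in $xref.'msDS-NC-Replica-Locations')    { $entries += [pscustomobject]@{ Dn = $dn; ReadOnly = $false } }
        foreach ($dn in $xref.'msDS-NC-RO-Replica-Locations') { $entries += [pscustomobject]@{ Dn = $dn; ReadOnly = $true } }

        foreach ($e in $entries) {
            # Entries are NTDS Settings DNs; the parent server object carries dNSHostName.
            $ntds = $null; $hostName = $null
            try { $ntds = Get-ADObject -Identity $e.Dn -ErrorAction Stop } catch { }
            if ($ntds) {
                $serverDn = $e.Dn -replace '^CN=NTDS Settings,', ''
                try { $hostName = (Get-ADObject -Identity $serverDn -Properties dNSHostName -ErrorAction Stop).dNSHostName } catch { }
            }
            $ldapUp = $false
            if ($hostName) {
                $ldapUp = Test-NetConnection -ComputerName $hostName -Port $LdapPort `
                              -InformationLevel Quiet -WarningAction SilentlyContinue
            }
            [pscustomobject]@{
                Partition     = $xref.nCName
                CrossRefDn    = $xref.DistinguishedName
                ReplicaDn     = $e.Dn
                ReadOnly      = $e.ReadOnly
                ObjectExists  = [bool]$ntds
                HostName      = $hostName
                LdapReachable = [bool]$ldapUp
                # Candidate for removal: object gone, or object present but the DC does not answer
                Stale         = (-not $ntds) -or (-not $ldapUp)
            }
        }
    }
}

Get-DnsPartitionReplicaHealth | Sort-Object Partition, Stale -Descending | Format-Table -AutoSize
```

Treat `Stale = True` as a candidate, not a verdict: a DC that is merely offline for maintenance produces the same row, and removing it from the replica set would drop the partition from that DC. Confirm against the `repadmin` output and the decommissioning records before touching anything.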
Resolution path
- Step 1 — Restart the Netlogon service on the affected Domain Controller to clear transient state and re-register the DC's SRV and host records in DNS: `net stop netlogon && net start netlogon` (cmd.exe syntax; in Windows PowerShell 5.1, where `&&` is not supported, use `Restart-Service Netlogon`). Allow 5 minutes for re-registration to complete.
- Step 2 — Restart the DNS Server service on the affected Domain Controller to force it to re-establish its LDAP session to the AD-integrated zone data in the application partition: `net stop dns && net start dns` (or `Restart-Service DNS`; the service name is DNS, the display name DNS Server). Confirm DNS is serving queries again, for example with an SOA lookup against 127.0.0.1, before proceeding.
- Step 3 — If Event ID 4015 persists after the service restarts, open ADSI Edit (adsiedit.msc), connect to the Configuration naming context, navigate to CN=Partitions, open the crossRef object whose nCName is the affected partition (DomainDnsZones or ForestDnsZones), and remove the dead DC's NTDS Settings DN from msDS-NC-Replica-Locations (or msDS-NC-RO-Replica-Locations for an RODC) as identified during diagnostics. Remove only entries confirmed dead: a DC that is temporarily unreachable looks identical, and removing it drops the partition from that DC. If the dead DC's NTDS Settings object still exists because it was never cleanly demoted, also complete metadata cleanup for it (`ntdsutil` `metadata cleanup`, or delete its NTDS Settings object in Active Directory Sites and Services) so the orphaned server object does not remain behind.
- Step 4 — After removing stale replica references, force immediate replication convergence across all Domain Controllers: `repadmin /syncall /AdeP` (/A all partitions, /d report servers by DN, /e include other sites, /P push from this DC). Monitor for successful completion, confirm with `repadmin /replsummary` that the DnsZones naming contexts show zero failures, and confirm that dynamic updates are accepted again (for example `ipconfig /registerdns` on a client followed by a check of its A record) with no new 4015 events logged.
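The four steps above as one function, added here as an example and not part of the original runbook. It restarts the two services, waits until the local DNS server answers again, removes the replica references passed in from the partition's crossRef object, forces convergence with `repadmin /syncall /AdeP`, and then verifies that no new Event 4015 has been logged since the restart and that the partition's zones still accept dynamic updates. It assumes an elevated session on the affected DC with the RSAT ActiveDirectory and DnsServer modules; the function name, the `$PartitionDn` and `$StaleReplicaDn` inputs and the 90-second readiness timeout are this example's own assumptions, and the replica DNs must already have been confirmed dead.

```powershell
# Added example: scripted resolution path. Run elevated on the affected DC.
# Assumes RSAT ActiveDirectory + DnsServer modules; -WhatIf supported for the removal step.
Import-Module ActiveDirectory
Import-Module DnsServer

function Repair-DnsPartitionReplicaSet {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]$PartitionDn,   # e.g. DC=DomainDnsZones,DC=contoso,DC=com (assumed input)
        [string[]]$StaleReplicaDn = @()                 # NTDS Settings DNs already confirmed dead (assumed input)
    )
    $started = Get-Date

    # Steps 1 and 2: restart Netlogon, then DNS Server (service name is DNS).
    Restart-Service -Name Netlogon -Force
    Restart-Service -Name DNS -Force

    # Derive the zone name from the partition DN and wait until the local server answers an SOA query.
    $zone = ($PartitionDn -replace '^DC=(Domain|Forest)DnsZones,', '') -replace 'DC=', '' -replace ',', '.'
    $deadline = (Get-Date).AddSeconds(90)   # assumed timeout
    do {
        try { $null = Resolve-DnsName -Name $zone -Type SOA -Server 127.0.0.1 -DnsOnly -ErrorAction Stop; $up = $true }
        catch { $up = $false; Start-Sleep -Seconds 5 }
    } until ($up -or (Get-Date) -gt $deadline)
    if (-not $up) { throw "DNS Server did not answer for $zone within 90 s of the restart" }

    # Step 3: the replica set is on the partition's crossRef under CN=Partitions in the Configuration NC.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $xref = Get-ADObject -SearchBase "CN=Partitions,$configNc" -LDAPFilter '(objectClass=crossRef)' -Properties nCName |
            Where-Object { $_.nCName -eq $PartitionDn }
    if (-not $xref) { throw "No crossRef object found for $PartitionDn" }
    $removed = @()
    foreach ($dn in $StaleReplicaDn) {
        if ($PSCmdlet.ShouldProcess($xref.DistinguishedName, "Remove replica reference $dn")) {
            Set-ADObject -Identity $xref.DistinguishedName -Remove @{ 'msDS-NC-Replica-Locations' = $dn }
            $removed += $dn
        }
    }

    # Step 4: force convergence (/A all partitions, /d DNs in output, /e cross-site, /P push).
    $syncOutput = & repadmin.exe /syncall /AdeP 2>&1
    $converged  = ($LASTEXITCODE -eq 0) -and -not ($syncOutput -match 'SyncAll reported the following errors')

    # Verify: no 4015 since the restart (Get-WinEvent returns nothing when no event matches),
    # and the AD-integrated zones in this replication scope still accept dynamic updates.
    $newErrors = @(Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 4015; StartTime = $started } `
                     -ErrorAction SilentlyContinue)
    $scope = if ($PartitionDn -like 'DC=ForestDnsZones,*') { 'Forest' } else { 'Domain' }
    $zones = Get-DnsServerZone | Where-Object { $_.IsDsIntegrated -and $_.ReplicationScope -eq $scope } |
             Select-Object ZoneName, DynamicUpdate

    [pscustomobject]@{
        Partition       = $PartitionDn
        RemovedReplicas = $removed
        Converged       = $converged
        New4015Events   = $newErrors.Count
        Zones           = $zones
    }
}

# Dry run first, then without -WhatIf (example DNs, not real infrastructure):
# Repair-DnsPartitionReplicaSet -PartitionDn 'DC=DomainDnsZones,DC=contoso,DC=com' `
#     -StaleReplicaDn 'CN=NTDS Settings,CN=DC02,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=contoso,DC=com' -WhatIf
```

The removal step only edits the crossRef attribute; if the dead DC's NTDS Settings object is still present, run metadata cleanup for that DC as well, as described in Step 3. `New4015Events` should stay at 0 in the minutes after the run; `DynamicUpdate` on the listed zones should read `Secure` (or `NonsecureAndSecure` where that is intended), not `None`.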
Prevention
- Establish alerting on Event ID 4015 in the DNS Server event log (via SCOM, Azure Monitor, or Windows Event Forwarding) so incidents are detected and triaged at L2/L3 before stale DNS records propagate fleet-wide and cause connectivity or automation failures.
- Monitor AD replication health proactively using scheduled `repadmin /replsummary` checks or SCOM/Azure Monitor alerts on replication latency thresholds — catch Application Directory Partition replication delays before they cause DNS dynamic update failures.
- Periodically audit application partition replica membership using `ntdsutil` (`list nc replicas`) and ADSI Edit (the msDS-NC-Replica-Locations attribute on each partition's crossRef object) to identify and remove references to decommissioned or dead Domain Controllers before they accumulate and cause partition lockups, and always complete metadata cleanup when a DC is retired without a clean demotion.
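A single scheduled check that covers the alerting and replication-monitoring items above, added here as an example and not part of the original runbook. It parses `repadmin /showrepl * /csv` for failed or stale inbound links on the DnsZones naming contexts and queries every DC's DNS Server log for Event 4015 within a lookback window, emitting one alert object per finding. It assumes the RSAT ActiveDirectory module, remote event-log read rights on each DC, and that the DCs of interest are in the current domain; the function name and the thresholds are this example's own assumptions.

```powershell
# Added example: scheduled health check for DNS application partition replication and Event 4015.
# Assumes RSAT ActiveDirectory module and remote event-log access; thresholds are assumptions.
Import-Module ActiveDirectory

function Get-DnsPartitionReplicationAlerts {
    [CmdletBinding()]
    param(
        [int]$LookbackHours   = 1,    # window for Event 4015
        [int]$MaxStaleMinutes = 60    # oldest acceptable last successful sync on a DnsZones link
    )
    $since = (Get-Date).AddHours(-$LookbackHours)

    # repadmin /showrepl * /csv: one row per inbound replication link on every reachable DC.
    $links    = & repadmin.exe /showrepl * /csv | ConvertFrom-Csv
    $dnsLinks = $links | Where-Object { $_.'Naming Context' -match '^DC=(Domain|Forest)DnsZones,' }

    foreach ($l in $dnsLinks) {
        $failures = 0
        [void][int]::TryParse($l.'Number of Failures', [ref]$failures)
        $lastOk = [datetime]::MinValue
        [void][datetime]::TryParse($l.'Last Success Time', [ref]$lastOk)
        $age = (Get-Date) - $lastOk
        if ($failures -gt 0 -or $age.TotalMinutes -gt $MaxStaleMinutes) {
            [pscustomobject]@{
                Kind        = 'ReplicationLink'
                Dc          = $l.'Destination DSA'
                Detail      = "$($l.'Naming Context') from $($l.'Source DSA')"
                Failures    = $failures
                LastSuccess = $l.'Last Success Time'
                LastStatus  = $l.'Last Failure Status'
            }
        }
    }

    # Event 4015 in each DC's DNS Server log inside the window (newest event first).
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        $events = @(Get-WinEvent -ComputerName $dc `
                        -FilterHashtable @{ LogName = 'DNS Server'; Id = 4015; StartTime = $since } `
                        -ErrorAction SilentlyContinue)
        if ($events.Count -gt 0) {
            [pscustomobject]@{
                Kind        = 'Event4015'
                Dc          = $dc
                Detail      = "$($events.Count) occurrence(s); latest $($events[0].TimeCreated)"
                Failures    = $events.Count
                LastSuccess = $null
                LastStatus  = $events[0].Message.Split("`n")[0]
            }
        }
    }
}

# Run from a scheduled task; any output is an alert to forward to the monitoring pipeline.
Get-DnsPartitionReplicationAlerts | Format-Table -AutoSize
```

A DC that cannot be reached produces no `Event4015` row (the remote log query fails silently) but will show up in the `ReplicationLink` rows, since its partners report failed inbound links from it; treat both kinds as triggers for the diagnostic steps above.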
Tools
- dcdiag — Active Directory diagnostic tool for DNS and replication health checks (`dcdiag /test:dns /test:replications /v`)
- repadmin — AD replication diagnostic and management tool (`repadmin /showrepl`, `repadmin /replsummary`, `repadmin /syncall /AdeP`)
- ntdsutil — AD database utility for verifying and managing Application Directory Partition metadata and replica references
- ADSI Edit (adsiedit.msc) — Low-level AD object editor for inspecting and removing stale replica references (msDS-NC-Replica-Locations / msDS-NC-RO-Replica-Locations) from the partition's crossRef object under CN=Partitions in the Configuration naming context
- net stop / net start — Windows service control for restarting the Netlogon and DNS Server services (`Restart-Service Netlogon` and `Restart-Service DNS` are the PowerShell equivalents)