DNS Dynamic Update Failures — Event ID 4015 on Active Directory-Integrated DNS Zones (DomainDnsZones / ForestDnsZones)
Active Directory-integrated DNS zones on Windows Server 2016/2019/2022 Domain Controllers stop accepting dynamic updates from clients and DHCP servers, and the DNS Server event log records Event ID 4015 ('The DNS server has encountered a critical error from the Active Directory'). The usual root cause is that the DNS Server service cannot write to, or replicate, the DomainDnsZones or ForestDnsZones Application Directory Partition: replication on those partitions is latent or stalled, or the partition's replica set still references Domain Controllers that no longer exist. Immediate remediation is a sequenced restart of the Netlogon service and then the DNS Server service; if the event persists, the dead replica references are removed from the partition's crossRef object with ADSI Edit and replication is forced with repadmin. Left unresolved, stale records accumulate in the zones, connectivity to dynamically addressed hosts breaks, and automation that depends on name resolution fails.
Indicators
- Event ID 4015 in the DNS Server event log on one or more Domain Controllers: 'The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly.'
- Active Directory-integrated DNS zones reject dynamic update requests: clients and DHCP servers receive a failure response (typically SERVFAIL) or, less obviously, the update appears to complete but no record change is visible in the zone afterwards.
- Stale A records persisting in DNS zones for hosts that have received new DHCP leases, causing broken connectivity to those hosts.
- Operational automation (e.g. configuration management, monitoring agents) failing with DNS resolution errors for hosts with dynamic addresses.
- repadmin /replsummary or repadmin /showrepl shows replication errors or latency specifically on the DomainDnsZones or ForestDnsZones naming contexts.
Likely causes
- Replication latency or lockups within the DomainDnsZones or ForestDnsZones Application Directory Partition preventing DNS zone data from being written or replicated across DCs.
- Stale or dead replica references remaining in the Application Directory Partition properties — typically from DCs that were forcibly removed or failed without clean demotion — causing the DNS Server service to fail when attempting to interact with unreachable replication targets.
- Underlying Active Directory replication failure affecting the DomainDnsZones or ForestDnsZones naming contexts, leading to inconsistent partition metadata across Domain Controllers.
Diagnostic steps
- Open Event Viewer on each affected Domain Controller and navigate to Applications and Services Logs → DNS Server. Filter for Event ID 4015 and note the full error text (including any extended error data), timestamps, and frequency. This confirms the failure mode, identifies which DCs are affected, and gives a baseline against which to verify the fix.
- Run dcdiag /test:dns /v on the affected Domain Controller (add /DnsDynamicUpdate to run only the dynamic-update sub-test). This runs the DNS-specific checks (basic, forwarders, delegation, dynamic update, record registration) and separates DNS configuration or registration faults from the partition replication problem.
- Check AD replication health for both application partitions: repadmin /replsummary, then repadmin /showrepl <DCname> DC=DomainDnsZones,DC=<domain>,DC=<tld> and the same for DC=ForestDnsZones,DC=<forest>,DC=<tld>. Look for failures, error codes, or long 'last success' intervals on those naming contexts. This establishes whether replication latency or a stalled partner is the underlying cause of the update failures.
- Use ntdsutil to list the replica set of each partition. Sequence: ntdsutil → 'partition management' → 'connections' → 'connect to server <DCname>' → 'quit' → 'list' (shows the naming contexts) → 'list nc replicas DC=DomainDnsZones,DC=<domain>,DC=<tld>' (and again for ForestDnsZones). The output is the set of DCs the directory believes hold the partition; any DC that no longer exists or is unreachable is a dead replica reference.
- Open ADSI Edit (adsiedit.msc) and connect to the Configuration naming context. Under CN=Partitions,CN=Configuration,DC=<forest>,DC=<tld>, locate the crossRef object whose nCName is DC=DomainDnsZones,DC=<domain>,DC=<tld> (and the one for DC=ForestDnsZones,...). Inspect msDS-NC-Replica-Locations (and msDS-NC-RO-Replica-Locations for RODCs): each value is the DN of a DC's NTDS Settings object, and any value that points at a decommissioned or failed DC is an orphaned entry that causes the DNS Server service to fail when it tries to reach that replication target.
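The replica-set inspection in the last two diagnostic steps can be automated. The following PowerShell script is an added example, not part of the original runbook: it reads msDS-NC-Replica-Locations from the crossRef object of each partition, resolves every referenced NTDS Settings object to its host, and classifies each reference as Reachable, Unreachable, or MissingObject. It assumes the ActiveDirectory RSAT module, an account that can read the Configuration partition, and that LDAP (TCP 389) reachability is an acceptable liveness heuristic for a DC. Nothing is modified.

```powershell
# Added example (not from the original runbook). Audit the replica set of the
# DomainDnsZones and ForestDnsZones application partitions: the
# msDS-NC-Replica-Locations attribute on each partition's crossRef object under
# CN=Partitions,CN=Configuration. Read-only.
Import-Module ActiveDirectory

function Get-DnsPartitionReplicaAudit {
    param(
        # Partition DNs to audit. Default: this domain's DomainDnsZones and the
        # forest root's ForestDnsZones.
        [string[]]$PartitionDN = @(
            "DC=DomainDnsZones,$((Get-ADDomain).DistinguishedName)",
            "DC=ForestDnsZones,$((Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName)"
        )
    )

    $partitionsContainer = (Get-ADForest).PartitionsContainer

    foreach ($nc in $PartitionDN) {
        # The crossRef whose nCName equals the partition DN carries the replica list.
        $crossRef = Get-ADObject -SearchBase $partitionsContainer `
            -LDAPFilter "(&(objectClass=crossRef)(nCName=$nc))" `
            -Properties 'msDS-NC-Replica-Locations'
        if (-not $crossRef) { Write-Warning "No crossRef found for $nc"; continue }

        foreach ($settingsDN in @($crossRef.'msDS-NC-Replica-Locations')) {
            # Each value is the DN of a DC's NTDS Settings object:
            # CN=NTDS Settings,CN=<DC>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
            try   { $ntds = Get-ADObject -Identity $settingsDN -ErrorAction Stop }
            catch { $ntds = $null }

            if (-not $ntds) {
                # The reference survived but the object it points at is gone.
                $state = 'MissingObject'; $hostName = $null
            } else {
                # The parent of NTDS Settings is the server object; it holds dNSHostName.
                $serverDN = $settingsDN -replace '^CN=NTDS Settings,', ''
                $hostName = (Get-ADObject -Identity $serverDN -Properties dNSHostName).dNSHostName
                # Liveness heuristic (assumption): can we open LDAP on that host?
                $up = Test-NetConnection -ComputerName $hostName -Port 389 `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
                $state = if ($up) { 'Reachable' } else { 'Unreachable' }
            }

            [pscustomobject]@{
                Partition  = $nc
                CrossRef   = $crossRef.DistinguishedName
                ReplicaRef = $settingsDN
                Host       = $hostName
                State      = $state
            }
        }
    }
}

# Usage: show only the entries that need attention before opening ADSI Edit.
Get-DnsPartitionReplicaAudit | Where-Object State -ne 'Reachable' | Format-Table -AutoSize
```

An Unreachable entry for a DC that is merely offline for maintenance is not a dead reference; confirm against your change records before removing anything. MissingObject entries, and Unreachable entries for DCs that were force-removed, are the ones the resolution path below targets.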
Resolution path
- Step 1 — Restart the Netlogon service on the affected DC: 'Restart-Service Netlogon' or 'net stop netlogon && net start netlogon'. This forces re-registration of DNS SRV and A records and clears transient directory service communication errors between the DNS Server and AD.
- Step 2 — Restart the DNS Server service on the affected DC: 'Restart-Service DNS' or 'net stop dns && net start dns'. This forces the DNS Server to re-establish its connection to the DomainDnsZones/ForestDnsZones Application Directory Partition. After restart, monitor the DNS Server event log for 60 seconds and confirm Event ID 4015 does not reappear.
- Step 3 — If Event ID 4015 persists after the service restarts: open ADSI Edit (adsiedit.msc), connect to the Configuration naming context, and under CN=Partitions,CN=Configuration,DC=<forest>,DC=<tld> select the crossRef object for DomainDnsZones (nCName = DC=DomainDnsZones,DC=<domain>,DC=<tld>) and then the one for ForestDnsZones. In msDS-NC-Replica-Locations, remove only the values that point at the NTDS Settings objects of decommissioned or failed DCs; confirm each DC's status with Get-ADDomainController or your change records first. Record (screenshot or export) all attribute values before deleting anything.
- Step 4 — After removing dead replica references, force replication: 'repadmin /syncall /AdeP' (/A all partitions, /d report servers by DN, /e include all sites, /P push from this DC). Watch the output for per-partner errors, and repeat on the other affected DCs if the change has not converged.
- Step 5 — Re-monitor the DNS Server event log on all affected DCs and verify Event ID 4015 no longer appears. Proceed to verification steps.
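The resolution path as a script, added here as an example and not part of the original runbook. It restarts Netlogon and then DNS Server on the local DC, watches the DNS Server log for a recurrence of Event 4015, and only if the event returns and explicit stale references are supplied does it remove those values from the partition's crossRef (after saving the current attribute to a file) and force replication. It assumes the ActiveDirectory RSAT module, an elevated session on the affected DC, and that the caller has already identified the stale NTDS Settings DNs with the audit above or with ADSI Edit; -WhatIf and -Confirm are honoured for the attribute change.

```powershell
# Added example (not from the original runbook): sequenced restart, recurrence
# check, optional dead-reference removal, forced replication. Run elevated on
# the affected DC. The crossRef edit is gated by ShouldProcess.
Import-Module ActiveDirectory

function Repair-DnsPartitionAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$PartitionDN = "DC=DomainDnsZones,$((Get-ADDomain).DistinguishedName)",
        # NTDS Settings DNs to strip from msDS-NC-Replica-Locations (caller-supplied).
        [string[]]$StaleReplicaDN = @(),
        [int]$WatchSeconds = 60
    )

    # Steps 1 and 2: Netlogon first (re-registers the DC's SRV/A records), then DNS Server.
    foreach ($svc in 'Netlogon', 'DNS') {
        Restart-Service -Name $svc -Force
        (Get-Service -Name $svc).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    }
    $since = Get-Date
    Start-Sleep -Seconds $WatchSeconds

    # Any 4015 logged since the restart means the transient fix was not enough.
    $recurred = Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 4015; StartTime = $since } `
                    -ErrorAction SilentlyContinue
    if (-not $recurred) {
        Write-Host "No Event 4015 in $WatchSeconds s after restart; service restart was sufficient."
        return
    }
    Write-Warning "Event 4015 recurred $(@($recurred).Count) time(s); proceeding to replica-reference cleanup."

    if (-not $StaleReplicaDN) {
        Write-Warning "No -StaleReplicaDN supplied; audit the crossRef before removing anything."
        return
    }

    # Step 3: locate the partition's crossRef and save its replica list first.
    $crossRef = Get-ADObject -SearchBase (Get-ADForest).PartitionsContainer `
        -LDAPFilter "(&(objectClass=crossRef)(nCName=$PartitionDN))" `
        -Properties 'msDS-NC-Replica-Locations'
    $backup = Join-Path $env:TEMP ("crossRef-replicas-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))
    @($crossRef.'msDS-NC-Replica-Locations') | Set-Content -Path $backup
    Write-Host "Saved current replica list of $($crossRef.DistinguishedName) to $backup"

    foreach ($dn in $StaleReplicaDN) {
        if (@($crossRef.'msDS-NC-Replica-Locations') -notcontains $dn) {
            Write-Warning "$dn is not in the replica list; skipping"; continue
        }
        if ($PSCmdlet.ShouldProcess($crossRef.DistinguishedName, "Remove replica reference $dn")) {
            Set-ADObject -Identity $crossRef -Remove @{ 'msDS-NC-Replica-Locations' = $dn }
        }
    }

    # Step 4: push the change to all DCs in all sites.
    repadmin /syncall /AdeP
}

# Usage (dry run of the attribute change):
# Repair-DnsPartitionAccess -StaleReplicaDN 'CN=NTDS Settings,CN=OLDDC01,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=corp,DC=example' -WhatIf
```

The sample NTDS Settings DN in the usage line is a placeholder; substitute the values reported by your own audit. Run the function once per partition (DomainDnsZones, then ForestDnsZones) and re-check the DNS Server log on every affected DC afterwards, as Step 5 requires.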
Prevention
- Audit Application Directory Partition replica membership using ntdsutil before decommissioning any Domain Controller — remove the DC from DomainDnsZones and ForestDnsZones replication scope before demotion or shutdown, not after.
- Demote Domain Controllers cleanly (Server Manager or Uninstall-ADDSDomainController; dcpromo is deprecated on Windows Server 2012 and later) so that the DC's NTDS Settings object and its replica references are removed from the Application Directory Partitions as part of demotion. Reserve Uninstall-ADDSDomainController -ForceRemoval for DCs that cannot be demoted normally, and treat it as a promise to run metadata cleanup immediately afterwards.
- Configure proactive alerting on Event ID 4015 in the DNS Server event log and schedule regular 'repadmin /replsummary' health checks (e.g. via scheduled task or SCOM rule) to detect Application Directory Partition latency or lockups before they cause DNS update failures.
- When a failed DC is forcibly removed, immediately run metadata cleanup ('ntdsutil metadata cleanup' or delete the server object from Active Directory Sites and Services) and then verify with ADSI Edit that msDS-NC-Replica-Locations on the DomainDnsZones and ForestDnsZones crossRef objects no longer references the removed DC.
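The proactive check described under Prevention, as an added example rather than part of the original runbook: a script suitable for a scheduled task or monitoring agent that exits non-zero when Event ID 4015 has been logged recently or when inbound replication of either DNS application partition to this DC has failed or gone stale. It assumes the ActiveDirectory RSAT module and uses Get-ADReplicationPartnerMetadata rather than parsing repadmin output; the 24-hour lookback and 180-minute latency threshold are assumptions to tune per environment.

```powershell
# Added example (not from the original runbook): scheduled health check for the
# DNS application partitions. Exit 1 on any finding so a task scheduler or
# monitoring agent can alert on it.
Import-Module ActiveDirectory

function Test-DnsPartitionHealth {
    param(
        [string]$DC = $env:COMPUTERNAME,
        [int]$LookbackHours = 24,        # assumption: window for Event 4015
        [int]$MaxLatencyMinutes = 180    # assumption: acceptable replication age
    )
    $problems = @()

    # 1. Recent Event 4015 entries in the DNS Server log on this DC.
    $events = Get-WinEvent -ComputerName $DC -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'DNS Server'; Id = 4015; StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    if ($events) {
        $problems += "Event 4015 logged $(@($events).Count) time(s) in the last $LookbackHours h; latest $($events[0].TimeCreated)"
    }

    # 2. Inbound replication state of DomainDnsZones and ForestDnsZones.
    $ncs = @(
        "DC=DomainDnsZones,$((Get-ADDomain).DistinguishedName)",
        "DC=ForestDnsZones,$((Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName)"
    )
    foreach ($nc in $ncs) {
        $partners = Get-ADReplicationPartnerMetadata -Target $DC -Partition $nc -ErrorAction SilentlyContinue
        if (-not $partners) { $problems += "No inbound replication partners reported for $nc on $DC"; continue }
        foreach ($p in $partners) {
            if ($p.LastReplicationResult -ne 0) {
                # Non-zero result is a Win32/LDAP error code from the last attempt.
                $problems += "$nc from $($p.Partner): result $($p.LastReplicationResult), $($p.ConsecutiveReplicationFailures) consecutive failure(s)"
            } elseif ($p.LastReplicationSuccess -lt (Get-Date).AddMinutes(-$MaxLatencyMinutes)) {
                # Succeeding, but not recently: latency or a stalled partner.
                $problems += "$nc from $($p.Partner): last success $($p.LastReplicationSuccess) is older than $MaxLatencyMinutes min"
            }
        }
    }
    return $problems
}

$issues = Test-DnsPartitionHealth
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "DNS application partition health OK"
exit 0
```

Run it from each DC (or pass -DC for remote targets) so that a failure confined to one replica is not masked by healthy partners elsewhere.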
Tools
- dcdiag /test:dns — DNS diagnostic tests on Domain Controllers including dynamic update and zone validation
- ntdsutil — Verify and manage Application Directory Partition metadata replicas
- ADSI Edit (adsiedit.msc) — Inspect and remove dead replica references from Application Directory Partition properties
- repadmin — Active Directory replication health and synchronisation diagnostics (/replsummary, /showrepl, /syncall)
- Event Viewer (DNS Server event log) — Monitor for Event ID 4015 recurrence