DNS Dynamic Update Failures — Event ID 4015 on Active Directory-Integrated DNS Zones (DomainDnsZones / ForestDnsZones)
Active Directory-integrated DNS zones on Windows Server 2016/2019/2022 Domain Controllers refuse dynamic updates from clients and DHCP nodes, logging Event ID 4015 ('directory service threw a critical error') in the DNS Server event log. The root cause is replication latency, lockups, or stale dead replica references within the DomainDnsZones or ForestDnsZones Application Directory Partition, preventing the DNS Server service from writing or replicating zone data. Immediate remediation is a sequenced restart of Netlogon then DNS Server services; persistent failures require ADSI Edit removal of dead replica references from the partition properties followed by forced replication via repadmin. Left unresolved, stale DNS records propagate domain-wide, breaking connectivity to dynamically addressed hosts and causing automation failures.
Indicators
- Event ID 4015 in the DNS Server event log on one or more Domain Controllers: 'The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly.'
- Active Directory-integrated DNS zones silently refuse dynamic update requests — clients and DHCP servers receive update rejections or updates complete with no record change visible in DNS.
- Stale A records persisting in DNS zones for hosts that have received new DHCP leases, causing broken connectivity to those hosts.
- Operational automation (e.g. configuration management, monitoring agents) failing with DNS resolution errors for hosts with dynamic addresses.
- repadmin /replsummary or repadmin /showrepl shows replication errors or latency specifically on the DomainDnsZones or ForestDnsZones naming contexts.
- Event ID 5504 or 5774 in the System log related to NETLOGON failing to register DNS records.
- Active Directory authentication failures (Kerberos, LDAP) in multi-site environments traceable to DNS misresolution of domain controller names.
Likely causes
- Replication latency or lockups within the DomainDnsZones or ForestDnsZones Application Directory Partition preventing DNS zone data from being written or replicated across DCs.
- Stale or dead replica references remaining in the Application Directory Partition properties — typically from DCs that were forcibly removed or failed without clean demotion — causing the DNS Server service to fail when attempting to interact with unreachable replication targets.
- Underlying Active Directory replication failure affecting the DomainDnsZones or ForestDnsZones naming contexts, leading to inconsistent partition metadata across Domain Controllers.
- Active Directory-integrated zone replication scoped to a single site's domain controllers, leaving remote-site DNS servers without authoritative zone data.
- DNS server recursion disabled on one or more DCs, preventing forwarding of unknown zone queries to upstream resolvers.
Diagnostic steps
-
Open Event Viewer on affected Domain Controllers and navigate to Applications and Services Logs → Microsoft → Windows → DNS Server. Filter for Event ID 4015 and note the full error text, timestamps, and frequency.Confirms the specific failure mode, identifies which DCs are affected, and establishes a baseline for verifying resolution.
-
Run dcdiag /test:dns on the affected Domain Controller: dcdiag /test:dnsRuns DNS-specific diagnostic tests including delegation, forwarder, dynamic update, and zone checks — pinpoints DNS configuration or registration failures distinct from the partition replication issue.
-
Check AD replication health against both DomainDnsZones and ForestDnsZones partitions: repadmin /replsummary and repadmin /showrepl <DCname>. Review output for replication failures, errors, or high-latency entries on those naming contexts.Confirms whether replication latency or lockups within the Application Directory Partition are the underlying cause of the DNS update failures.
-
Launch ntdsutil, navigate to 'partition management', connect to the affected DC, and list partition replica metadata for DomainDnsZones and ForestDnsZones. Command sequence: ntdsutil → 'partition management' → 'connections' → 'connect to server <DCname>' → 'quit' → 'list' (or equivalent list replicas command for the partition).Verifies the operational state and consistency of the Application Directory Partition metadata replicas across all Domain Controllers, and identifies any dead or missing replica references.
-
Open ADSI Edit (adsiedit.msc), connect to the Application Directory Partition for DomainDnsZones (connection point: DC=DomainDnsZones,DC=<domain>,DC=<tld>) and ForestDnsZones (DC=ForestDnsZones,DC=<forest>,DC=<tld>). Navigate to the partition root object and inspect replication-related attributes (e.g. msDS-NC-Replica-Locations, msDS-NC-RO-Replica-Locations) for references to DCs that no longer exist.Identifies orphaned or dead replica entries in partition properties that cause the DNS Server service to fail when contacting unreachable replication targets.
-
Verify that the DNS suffix search list on affected clients includes the correct domain suffixes: run 'ipconfig /all | findstr /i "DNS Suffix"' on Windows clients.Rules out client-side suffix misconfiguration where the client never appends the correct suffix before sending the query, which can mimic server-side DNS failures.
Resolution path
- Step 1 — Restart the Netlogon service on the affected DC: 'Restart-Service Netlogon' or 'net stop netlogon && net start netlogon'. This forces re-registration of DNS SRV and A records and clears transient directory service communication errors between the DNS Server and AD.
- Step 2 — Restart the DNS Server service on the affected DC: 'Restart-Service DNS' or 'net stop dns && net start dns'. This forces the DNS Server to re-establish its connection to the DomainDnsZones/ForestDnsZones Application Directory Partition. After restart, monitor the DNS Server event log for 60 seconds and confirm Event ID 4015 does not reappear.
- Step 3 — If Event ID 4015 persists after service restarts: open ADSI Edit (adsiedit.msc), connect to the Application Directory Partition for DomainDnsZones and ForestDnsZones, locate the partition root object, inspect replication attributes for references to decommissioned or failed DCs, and remove dead replica entries. Document (screenshot) all attribute values before deletion.
- Step 4 — After removing dead replica references, force AD replication: 'repadmin /syncall /AdeP'. Monitor completion and watch for replication errors in the output.
- Step 5 — Re-monitor the DNS Server event log on all affected DCs and verify Event ID 4015 no longer appears. Proceed to verification steps.
- Step 6 — If AD-integrated zone replication scope is restricted to a single site, widen it so all forest DNS servers receive zone data: 'Set-DnsServerPrimaryZone -Name "<zone-fqdn>" -ReplicationScope Forest'. Force replication with 'repadmin /syncall /AdeP' and confirm zone data appears on remote-site DCs.
Prevention
- Audit Application Directory Partition replica membership using ntdsutil before decommissioning any Domain Controller — remove the DC from DomainDnsZones and ForestDnsZones replication scope before demotion or shutdown, not after.
- Follow documented DC demotion procedures (use dcpromo gracefully; reserve dcpromo /forceremoval only as a last resort) to ensure clean removal of replica references from Application Directory Partitions and prevent dead entries accumulating.
- Configure proactive alerting on Event ID 4015 in the DNS Server event log and schedule regular 'repadmin /replsummary' health checks (e.g. via scheduled task or SCOM rule) to detect Application Directory Partition latency or lockups before they cause DNS update failures.
- When forcibly removing a failed DC, immediately run 'ntdsutil metadata cleanup' and verify DomainDnsZones/ForestDnsZones partition replica lists no longer reference the removed DC using ADSI Edit.
- Configure Active Directory-integrated DNS zones with forest-wide replication scope by default in multi-site environments so all domain controllers serving DNS have authoritative data regardless of site.
- Implement DNS monitoring with NXDOMAIN spike detection and query failure rate alerting per DNS server so cross-segment or partition-level resolution failures are detected proactively rather than reported by end users.
Tools
- dcdiag /test:dns — DNS diagnostic tests on Domain Controllers including dynamic update and zone validation
- ntdsutil — Verify and manage Application Directory Partition metadata replicas
- ADSI Edit (adsiedit.msc) — Inspect and remove dead replica references from Application Directory Partition properties
- repadmin — Active Directory replication health and synchronisation diagnostics (/replsummary, /showrepl, /syncall)
- Event Viewer (DNS Server event log) — Monitor for Event ID 4015 recurrence
- Resolve-DnsName (PowerShell) — structured DNS resolution testing with explicit server and record-type targeting
- dig — detailed DNS query tool on Linux/macOS with trace and server-selection options