Active Directory DNS Issues

 
 
David Alge
Guest
Posts: n/a

 
      12-04-2009
We have an Active Directory forest of two domains and have some DNS issues.
Some computers in one domain are not accessible in the other by their FQDN.
I've examined the DNS servers in both domains and have found the following:

In DOMAIN1, under DNS->Forward Lookup Zone->DOMAIN1->_Sites->_TCP, there are
entries for _kerberos and _ldap for a non-existent DC. This DC was a VMware
VM about a year or so ago and the flat file was damaged and I had to delete
the entries from the Sites and Services and NTDS Settings. This DC does not
show up anywhere except for the path I mention. I cannot delete it there.
How do I need to remove these entries?

On DOMAIN1 DNS Servers, both the DOMAIN1 and DOMAIN2 zones are classified as
Active Directory Integrated.

On DOMAIN2 DNS Servers, the DOMAIN2 zone is Active Directory Integrated but
DOMAIN1 is secondary.

What is the best practice with two domains in a forest? We are about to move
to one domain after we demote a couple of W2K DCs and replace them with
some of our Windows 2003 servers. We believe we should have DNS cleaned up
and working correctly before that happens.

Thank you!

David Alge


 
Ace Fekay [MCT]
Guest
Posts: n/a

 
      12-08-2009
"David Alge" <> wrote in message
news:...
> We have an Active Directory forest of two domains and have some DNS
> issues. Some computers in one domain are not accessible in the other by
> their FQDN. I've examined the DNS servers in both domains and have found
> the following:
>
> In DOMAIN1, under DNS->Forward Lookup Zone->DOMAIN1->_Sites->_TCP, there
> are entries for _kerberos and _ldap for a non-existent DC. This DC was a
> VMware VM about a year or so ago and the flat file was damaged and I had
> to delete the entries from the Sites and Services and NTDS Settings. This
> DC does not show up anywhere except for the path I mention. I cannot
> delete it there. How do I need to remove these entries?
>
> On DOMAIN1 DNS Servers, both the DOMAIN1 and DOMAIN2 zones are classified
> as Active Directory Integrated.
>
> On DOMAIN2 DNS Servers, the DOMAIN2 zone is Active Directory Integrated
> but DOMAIN1 is secondary.
>
> What is the best practice with two domains in a forest? We are about to
> move to one domain after we demote a couple of W2K DCs and replace them
> with some of our Windows 2003 servers. We believe we should have DNS
> cleaned up and working correctly before that happens.
>
> Thank you!
>
> David Alge
>
>



If an old DC is still showing up and was removed forcibly, meaning not
properly demoted, it must be removed from the AD database using the Metadata
Cleanup process. Unlike NT4, where you can simply delete an NT4 BDC from the
Server Manager console, AD is much much different. To perform a Metadata
Cleanup, follow the procedure in the following link.

How to remove data in Active Directory after an unsuccessful domain
controller demotion Windows 2000 and 2003
http://support.microsoft.com/kb/216498

As for DNS best practices and infrastructure resolution, it depends on your
company's needs and delegation design.

If in a delegated design, meaning the child domain has their own
administrators, such as a separate entity that is part of the company but
have their own administrators, then you would set up a parent-child DNS
delegation to the child DNS servers from the parent domain's DNS servers,
then set a forwarder from all child domain's DNS servers to the parent, set
a forwarder from the parent to the ISP's. Then you would make sure all child
domain machines ONLY use their child domain DNS server(s). If there are
multiple child domains, you must set a Search Suffix for the other child
domain's suffix on other child domains so the client side resolver can
devolve the name and send a proper FQDN query for the other child domain's
resource to their own DNS server. The zones in this case, other than the
_msdcs zone, would be set to All DNS Servers in the Domain.

In a non-delegated design, you can centrally administer DNS with the zone in
the Forest Wide replication scope.

However, if you still have Windows 2000, then you don't have much choice in
replication scopes until you get rid of all the 2000 servers. You are
limited to AD integrated or non-AD integrated only. In this case, either
have all child domain members use the DNS servers in the parent zone or
create a parent-child delegation.

If you have 2000 and 2003 DNS servers, then there is always the possibility
that you may have the zone exist in two places, which causes a zone conflict
scenario in the AD database. To understand this issue, please read the
following link, which also shows how to find out if this issue exists.

Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
http://msmvps.com/blogs/acefekay/arc...dns-zones.aspx


To better assist, please post an ipconfig /all from a child DC and a child
workstation, as well as a parent DC and a parent domain workstation.
Otherwise, if you can describe in MORE detail exactly how your DNS servers
are setup, zone specifics, which DNS servers the child are using, etc, that
would better help us assist you, but the ipconfigs would really help much
better than an explanation.

Thanks,

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
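One way to audit a zone for the kind of orphaned _kerberos/_ldap entries described in this thread, as an added example and not code from either poster or from Microsoft: it compares every DC-registered SRV record in the zone against the list of domain controllers that actually exist in the forest, and flags the ones whose target is not a current DC. It assumes the DnsServer and ActiveDirectory PowerShell modules (RSAT on Windows Server 2012 or later, which postdate this 2009 thread); the function name Find-StaleDcSrvRecord and the zone name domain1.example are placeholders.

```powershell
# Added example, not part of the thread. Assumes the DnsServer and
# ActiveDirectory modules (RSAT, Windows Server 2012 or later); the function
# name and the zone/server names used at the bottom are placeholders.
Import-Module DnsServer -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

function Find-StaleDcSrvRecord {
    param(
        [Parameter(Mandatory)] [string] $ZoneName,   # e.g. the DOMAIN1 forward zone
        [string] $DnsServer = $env:COMPUTERNAME      # DNS server to query
    )

    # Authoritative list of DCs, taken from AD across every domain in the
    # forest rather than from DNS, so a record with no matching DC stands out.
    $liveDcs = foreach ($domain in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $domain |
            ForEach-Object { $_.HostName.ToLowerInvariant().TrimEnd('.') }
    }

    # SRV records that only a domain controller registers: _ldap, _kerberos,
    # _kpasswd and _gc, both at the zone root and under <site>._sites.
    # HostName is zone-relative, e.g. "_ldap._tcp.Default-First-Site-Name._sites".
    $dcSrv = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType Srv |
        Where-Object { $_.HostName -match '^_(ldap|kerberos|kpasswd|gc)\._(tcp|udp)' }

    foreach ($record in $dcSrv) {
        $target = $record.RecordData.DomainName.ToLowerInvariant().TrimEnd('.')
        [pscustomobject]@{
            Record = "$($record.HostName).$ZoneName"
            Target = $target
            Port   = $record.RecordData.Port
            Stale  = -not ($liveDcs -contains $target)   # no such DC in AD
        }
    }
}

# Usage: list only the records whose target is not a current DC.
Find-StaleDcSrvRecord -ZoneName 'domain1.example' |
    Where-Object Stale |
    Format-Table Record, Target, Port -AutoSize
```

The script reports and does not delete. A record whose target is absent from AD is exactly the symptom the original post describes, and the fix is the metadata cleanup from KB 216498 first; if the leftover SRV entries survive that, they can be removed afterwards with Remove-DnsServerResourceRecord, once the DC is confirmed gone, because a live DC re-registers its own SRV records through Netlogon and a DC that no longer exists never will.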


 