new DC/DNS 2k8r2 x64, dns.exe faults/TrustAnchors errors

 
 
markm75g
      02-02-2010
I'm seeing a wealth of errors on a new DC I have created.. it is a GC, has a
"secondary" dns server (ad integrated), by secondary I mean, it's the 2nd dns
server, the first being on the other dc..

I see the following:

warning: eventid 4521
The DNS server encountered error 32 attempting to load zone TrustAnchors
from Active Directory. The DNS server will attempt to load this zone again on
the next timeout cycle. This can be caused by high Active Directory load and
may be a transient condition.

error: 4001
The DNS server was unable to open zone TrustAnchors in the Active Directory.
This DNS server is configured to obtain and use information from the
directory for this zone and is unable to load the zone without it. Check that
the Active Directory is functioning properly and reload the zone. The event
data is the error code.

Under the application log:
Faulting application name: dns.exe, version: 6.1.7600.16385, time stamp:
0x4a5bc929
Faulting module name: dns.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc929
Exception code: 0xc0000005
Fault offset: 0x000000000001f256
Faulting process id: 0xc80
Faulting application start time: 0x01caa40fcf3873cc
Faulting application path: C:\Windows\system32\dns.exe
Faulting module path: C:\Windows\system32\dns.exe
Report Id: 78e01e48-1006-11df-be5e-00155d64533a
eventid 1000


I've tried removing and re-adding the dns role to no avail, as mentioned
somewhere else..

Possibly related.. but..

In the tcp/ip for this machine.. should the primary dns be the other dns
server, while the secondary be the 127.0.0.1 address?

Thanks for any help









 
markm75g
      02-02-2010
I'm also getting this on both domain controllers:

The request subject name is invalid or too long. 0x80094001


 
 
Ace Fekay [MVP-DS, MCT]
      02-02-2010
"markm75g" <> wrote in message
news:91DDB331-1CD6-4102-93A6-...
> I'm also getting this on both domain controllers:
>
> The request subject name is invalid or too long. 0x80094001



See if this helps.

Request for Certificate Is Denied and a "The Request Subject Name ...
The request subject name is invalid or too long. 0x80094001. In addition, the
following message may be logged in the event log: ...
http://support.microsoft.com/kb/312344

Windows Server 2003 Does Not Use the DNS Name as Certificate Subject
In Windows 2000, the Domain Name System (DNS) name of a computer is embedded as
the ... (0x80094001) The request subject name is invalid or too long. ...
http://support.microsoft.com/kb/275528

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.


 
 
Ace Fekay [MVP-DS, MCT]
      02-02-2010
It appears there are AD replication or DNS dupe zone issues. You are saying
that you have two DCs, and the _msdcs.yourdomain.com and yourdomain.com
zones are AD integrated? What replication scope are they set to on both DCs?

Was the zone on one of the DCs ever set to just "Secondary" and not stored in
AD at one time?

To check if you have a dupe zone issue, please read my blog on how to find
and fix it.

Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
http://msmvps.com/blogs/acefekay/arc...dns-zones.aspx

As far as how to set DNS addresses on DCs, the recommendation for
configuring DNS addresses is to point the first address to the DC's IP itself,
then the partner as the second entry. Remove the loopback. The loopback was
entered by DCPROMO. One of the cleanup phases after running a promotion is
to set the DNS addresses correctly, which apparently may have been missed in
this case.

Curious, what are you using TrustAnchors for? That's designed to handle
secured zone transfers between non-authoritative DNS servers.

Distribute Trust Anchors
Trust anchors are required on all non-authoritative DNS servers that will
perform DNSSEC validation of data from a signed zone.
http://technet.microsoft.com/en-us/l...80(WS.10).aspx

Please provide an ipconfig /all from both DCs.

--
Ace




 
 
markm75g
      02-04-2010
I'm not seeing duplicate zones I don't think.. at one point I think I had a
read only copy (or maybe secondary) on a third server 192.168.100.16.. but
not anymore..

In adsiedit.. I see the reverse lookup zone, domain.local and
RootDNSservers listed in there (under microsoft dns, under system, under
DC=domain, dc=local under the default naming context)

I did notice that this setting is in place on the dns servers (all are 2008
r2 at this point):

DomainNC (only for compatibility with Win2000):

Should I switch it to "to all dns servers running on dcs in this domain" ?

I don't actually see anything listed in the trust anchors page..


Here are the ipconfigs (note, the best practices tool on r2 said that the
first dns should point to the Other DNS server, while the second is loopback,
doing this made the warning indication go away, but obviously didn't fix other
issues)

first is the first dc, called vsborg01:


Windows IP Configuration

Host Name . . . . . . . . . . . . : vsborg01
Primary Dns Suffix . . . . . . . : domain.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.local

Ethernet adapter Local Area Connection 3:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter #3
Physical Address. . . . . . . . . : 00-15-5D-64-5B-12
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::a523:5025:c96d:834b%14(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.100.60(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.100.1
DHCPv6 IAID . . . . . . . . . . . : 285218141
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-F3-A6-2A-00-15-5D-64-53-37
DNS Servers . . . . . . . . . . . : 192.168.100.61
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{3FD2A97E-D911-4EA6-8310-53D2505DD715}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

and now the other:



Windows IP Configuration

Host Name . . . . . . . . . . . . : vsborg02
Primary Dns Suffix . . . . . . . : domain.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.local

Ethernet adapter Local Area Connection 3:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter #3
Physical Address. . . . . . . . . : 00-15-5D-64-53-3A
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::2d62:5eeb:8b5d:a314%14(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.100.61(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.100.1
DHCPv6 IAID . . . . . . . . . . . : 285218141
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-F3-A6-2A-00-15-5D-64-53-37
DNS Servers . . . . . . . . . . . : 192.168.100.60
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{73116582-123C-475F-92B8-AAEF513F1CC2}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes


 
 
Ace Fekay [MVP-DS, MCT]
      02-04-2010
You could make the first one point to a partner DC. This will help to
quicken startup of a DC, however, the general consensus among most of us out
here is to use the actual IP of itself as the first, then the IP of the
partner. If you decide to leave it the way you set it, remove the Loopback,
and use the actual IP.

Good to hear that there are not dupes. No, leave the replication scope on the
middle button. That is the application partition DomainDnsZones, whereas the
bottom one is the DomainNC (for backward compatibility).

Did you create a TrustAnchors record? If so, are you using this feature?

Ace
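
The resolver-order advice in the reply above (the DC's own IP first, the partner DC second, no loopback entry) can be checked against captured `ipconfig /all` text. The following is an added example, not part of any post in this thread; the function names and the `partner_ips` parameter are hypothetical, and the sample is abridged from the vsborg01 output posted earlier.

```python
import ipaddress
import re

# "Label . . . . : value" lines; the dot leader before the colon is required.
KEY_RE = re.compile(r"^\s*([A-Za-z][^:]*?)(?:\s*\.)+\s*:\s*(.*)$")
# "Ethernet adapter Local Area Connection 3:" style section headers.
HEADER_RE = re.compile(r"^\s*(\S.*\badapter\b.*):\s*$")

# Sample input, abridged from the vsborg01 output posted in this thread.
SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : vsborg01
   Primary Dns Suffix  . . . . . . . : domain.local

Ethernet adapter Local Area Connection 3:

   Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter #3
   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.100.60(Preferred)
   DNS Servers . . . . . . . . . . . : 192.168.100.61
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
"""


def parse_ipconfig(text):
    """Split `ipconfig /all` text into sections of {label: [values]}."""
    sections, current, last = [], None, None
    for line in text.splitlines():
        if not line.strip():
            last = None  # a blank line ends any multi-line value
            continue
        key = KEY_RE.match(line)
        if key:
            if current is None:  # host-wide settings before the first adapter
                current = {"name": "global", "fields": {}}
                sections.append(current)
            last = current["fields"].setdefault(key.group(1), [])
            if key.group(2).strip():
                last.append(key.group(2).strip())
            continue
        header = HEADER_RE.match(line)
        if header:
            current = {"name": header.group(1).strip(), "fields": {}}
            sections.append(current)
            last = None
        elif last is not None:
            # Continuation line: extra DNS servers, or a value that a mail
            # client wrapped onto the next line (as in the posts above).
            last.append(line.strip())
    return sections


def _ip(value):
    """Parse an ipconfig value such as '10.0.0.1(Preferred)' or 'fe80::1%14'."""
    bare = value.split("(")[0].split("%")[0].strip()
    try:
        return ipaddress.ip_address(bare)
    except ValueError:
        return None


def audit_dns_order(text, partner_ips):
    """Return (adapter, code, detail) findings against the advice in the reply.

    partner_ips is supplied by the caller (hypothetical parameter): the
    addresses of the other DNS-hosting DCs.
    """
    partners = {ipaddress.ip_address(p) for p in partner_ips}
    findings = []
    for section in parse_ipconfig(text):
        fields = section["fields"]
        own = {_ip(v) for v in fields.get("IPv4 Address", [])} - {None}
        dns = [ip for ip in map(_ip, fields.get("DNS Servers", [])) if ip]
        if not own or not dns:
            continue  # tunnel or disconnected adapters have no resolver list
        name = section["name"]
        loop = [str(ip) for ip in dns if ip.is_loopback]
        if loop:
            findings.append((name, "loopback", "remove " + ", ".join(loop)))
        if dns[0] not in own:
            findings.append((name, "first-not-self", f"first entry is {dns[0]}"))
        if len(dns) < 2 or dns[1] not in partners:
            findings.append((name, "partner-not-second", "second entry is not a partner DC"))
    return findings


if __name__ == "__main__":
    for finding in audit_dns_order(SAMPLE, ["192.168.100.61"]):
        print(finding)
```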



 
 
markm75g
      02-05-2010
No, I never created any trust anchors.. actually the dns setting is on the
compatibility one (bottom).. so I should move it to the middle then?




 
 
Ace Fekay [MVP-DS, MCT]
      02-05-2010
"markm75g" <> wrote in message
news:5C06F13D-6F81-4A09-A346-...
> No i never created any trust anchors.. actually the dns setting is on the
> compatibility one (bottom).. so i should move it to the middle then?
>


You didn't create any? You can delete it, but hold off on that for right
now.

Yes, I would suggest the center selection.

Ace



 
 
Ace Fekay [MVP-DS, MCT]
      02-05-2010
"markm75g" <> wrote in message
news:5C06F13D-6F81-4A09-A346-...
> No i never created any trust anchors.. actually the dns setting is on the
> compatibility one (bottom).. so i should move it to the middle then?
>


Select the center one as long as there are no 2000 DCs in existence.

I assume the _msdcs.domain.local zone is the top selection, in the forest
replication scope.

Ace




 
 
markm75g
      02-05-2010

Ok, so now..

If I do properties on domain.local under the dns tree.. I have set it to
"all dns servers in the domain"..

For the _msdcs one, it was already set to the top option.. to all dns in the
forest.


As far as the trust anchors.. where do I delete them.. as under the trust
anchors tab I have nothing listed.

Thanks again


 