Active Directory DNS Issues

Discussion in 'DNS Server' started by David Alge, Dec 4, 2009.

  1. David Alge

    David Alge Guest

    We have an Active Directory forest of two domains and have some DNS issues.
    Some computers in one domain are not accessible in the other by their FQDN.
    I've examined the DNS servers in both domains and have found the following:

    In DOMAIN1, under DNS->Forward Lookup Zone->DOMAIN1->_Sites->_TCP, there are
    entries for _kerberos and _ldap for a non-existent DC. This DC was a VMWare
    VM about a year or so ago; the flat file was damaged and I had to delete
    the entries from Sites and Services and NTDS Settings. This DC does not
    show up anywhere except for the path I mention. I cannot delete it there.
    How do I remove these entries?

    On DOMAIN1 DNS Servers, both the DOMAIN1 and DOMAIN2 zones are classified as
    Active Directory Integrated.

    On DOMAIN2 DNS Servers, the DOMAIN2 zone is Active Directory Integrated but
    DOMAIN1 is secondary.

    What is the best practice with two domains in a forest? We are about to move
    to one domain after we demote a couple of W2K DCs and replace them with
    some of our Windows 2003 servers. We believe we should have DNS cleaned up
    and working correctly before that happens.

    Thank you!

    David Alge
    David Alge, Dec 4, 2009

  2. If an old DC is still showing up and was removed forcibly, meaning not
    properly demoted, it must be removed from the AD database using the Metadata
    Cleanup process. Unlike NT4, where you can simply delete an NT4 BDC from the
    Server Manager console, AD is much, much different. To perform a Metadata
    Cleanup, follow the procedure in the following link.

    How to remove data in Active Directory after an unsuccessful domain
    controller demotion Windows 2000 and 2003

    As for DNS best practices and infrastructure resolution, it depends on your
    company's needs and delegation design.

    If in a delegated design, meaning the child domain has its own
    administrators, such as a separate entity that is part of the company but
    has its own administrators, then you would set up a parent-child DNS
    delegation to the child DNS servers from the parent domain's DNS servers,
    then set a forwarder from all child domain DNS servers to the parent, and set
    a forwarder from the parent to the ISP's. Then you would make sure all child
    domain machines ONLY use their child domain DNS server(s). If there are
    multiple child domains, you must set a Search Suffix for the other child
    domain's suffix on the other child domains so the client-side resolver can
    devolve the name and send a proper FQDN query for the other child domain's
    resource to their own DNS server. The zones in this case, other than the
    _msdcs zone, would be set to All DNS Servers in the Domain.

    In a non-delegated design, you can centrally administer DNS with the zone in
    the Forest Wide replication scope.

    However, if you still have Windows 2000, then you don't have much choice in
    replication scopes until you get rid of all the 2000 servers. You are
    limited to AD integrated or non-AD integrated only. In this case, either
    have all child domain members use the DNS servers in the parent zone or
    create a parent-child delegation.

    If you have 2000 and 2003 DNS servers, then there is always the possibility
    that you may have the zone exist in two places, which causes a zone conflict
    scenario in the AD database. To understand this issue, please read the
    following link, which also shows how to find out if this issue exists.

    Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones

    To better assist, please post an ipconfig /all from a child DC and a child
    workstation, as well as a parent DC and a parent domain workstation.
    Otherwise, if you can describe in MORE detail exactly how your DNS servers
    are set up, zone specifics, which DNS servers the child domains are using, etc.,
    that would better help us assist you, but the ipconfigs would help much
    more than an explanation.

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among
    responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
    2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer

    For urgent issues, please contact Microsoft PSS directly. Please check for regional support phone numbers.
    Ace Fekay [MCT], Dec 8, 2009
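An added example that is not from the thread (not Ace's, David's or Microsoft's code) which automates two of the checks discussed above: listing _kerberos/_ldap SRV records whose target is not a DC that AD currently knows about, and spotting a zone that exists in more than one AD partition (the conflict the ADSI Edit link covers). It assumes Windows Server 2012 or later with the ActiveDirectory and DnsServer PowerShell modules on a DC; the 2000/2003 servers in the thread would need ADSI Edit as the reply describes.

```powershell
# Added example, not from the original thread. Requires the ActiveDirectory
# and DnsServer modules (Windows Server 2012+); run on a DC as a domain admin.
Import-Module ActiveDirectory
Import-Module DnsServer

# Report DC locator SRV records (_kerberos, _ldap, _gc, _kpasswd, including the
# per-site copies under _sites) whose target host is not a current DC.
function Get-StaleDcSrvRecords {
    param(
        [string]$Zone      = (Get-ADDomain).DNSRoot,
        [string]$DnsServer = $env:COMPUTERNAME
    )
    # Hostnames of the DCs AD still has NTDS Settings objects for
    $liveDcs = (Get-ADDomainController -Filter *).HostName |
        ForEach-Object { $_.TrimEnd('.').ToLower() }

    Get-DnsServerResourceRecord -ZoneName $Zone -ComputerName $DnsServer -RRType Srv |
        Where-Object { $_.HostName -match '^_(kerberos|ldap|gc|kpasswd)\._(tcp|udp)' } |
        ForEach-Object {
            $target = $_.RecordData.DomainName.TrimEnd('.').ToLower()
            if ($liveDcs -notcontains $target) {
                # Stale: the DC this record points at no longer exists in AD,
                # so it is a candidate for metadata cleanup / manual deletion
                [pscustomobject]@{ Record = $_.HostName; Target = $target }
            }
        }
}

# Report zone names that appear in more than one AD partition
# (legacy System container vs DomainDnsZones vs ForestDnsZones).
function Get-DuplicateAdZones {
    $domainDn = (Get-ADDomain).DistinguishedName
    $forestDn = (Get-ADRootDSE).rootDomainNamingContext
    $bases = @(
        "CN=MicrosoftDNS,CN=System,$domainDn",          # Windows 2000 style
        "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn",  # domain-wide scope
        "CN=MicrosoftDNS,DC=ForestDnsZones,$forestDn"   # forest-wide scope
    )
    $found = foreach ($base in $bases) {
        $searcher = [adsisearcher]'(objectClass=dnsZone)'
        try { $searcher.SearchRoot = [adsi]"LDAP://$base"; $results = $searcher.FindAll() }
        catch { continue }   # partition/container may not exist on older forests
        foreach ($r in $results) {
            [pscustomobject]@{ Zone = $r.Properties['name'][0]; Partition = $base }
        }
    }
    $found | Group-Object Zone | Where-Object Count -gt 1 | ForEach-Object { $_.Group }
}

Get-StaleDcSrvRecords | Format-Table -AutoSize
Get-DuplicateAdZones   | Format-Table -AutoSize
```

A zone whose name contains "CNF:" in the second report is a replication conflict object and should be handled per the ADSI Edit article rather than simply deleted.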