AD integrated zone single entry corruption

Discussion in 'DNS Server' started by sawyer, Jan 22, 2010.

  1. sawyer

    sawyer Guest

    In a 2003 AD integrated zone that contains a corrupted record, will this
    corruption shut down the zone or somehow delete the zone? Is this a built-in
    security feature of AD integrated zones?
    sawyer, Jan 22, 2010

  2. A corrupted record may, but I'm not sure. It all depends on the record. If
    it's a nameserver, SOA or other configuration record, possibly. What errors
    are you seeing, event log or otherwise? Please post them.

    It could also be a dupe zone. Look in ADSI Edit. Follow my blog I posted on
    how to use ADSI Edit in your other thread asking about converting from
    Primary Std to AD Integrated to find out if any records or zones show up
    with "CNF..." or "In Progress... " They are dupes and need to be deleted.


    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among
    responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
    MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    If you feel this is an urgent issue and require immediate assistance, please
    contact Microsoft PSS directly. Please check
    for regional support phone numbers.
    Ace Fekay [MVP-DS, MCT], Jan 23, 2010

  3. sawyer

    sawyer Guest


    This is how this question got posted to this newsgroup. I agree with you
    about an AD integrated DNS zone being in two locations in AD, and I have
    seen this happen before, but the reason why I posted this particular
    question to the newsgroup is that I am trying to either debunk or prove that
    there is a self-defense mechanism in AD that prevents a zone from loading if
    AD finds corrupted records in the zone. Below is the conversation thread
    regarding this issue. I have deleted the names to protect the innocent.

    #4 I'm not saying don't do it, it's a good idea.
    I'm just saying be more regular about backing up the zone. Use dnscmd in a
    job every night or something like that.

    It doesn't matter how they get corrupted. Any single entry corruption will
    do this in AD integration. Nothing to do with AD integration, but it's
    rather the FEATURE included by AD integration that wipes the entire zone,
    because of what can be an integration failure. I think if you think back
    2.5 years ago, you'll probably know what I mean. This tends to happen if you
    get a 4010 error in DNS (we've had 2 or 3 in the year or so),
    which tends to happen if someone is using the DNS admin tool and maybe creating
    and deleting entries when they set servers up.
    I double checked and this is still a feature in the latest versions of AD /

    Some basic info:,289483,sid68_gci1342778,00.html

    #3 Never heard of AD integrated zones getting corrupted due to AD
    replication. We have been replicating,,,
    etc. All of our zones currently are AD integrated except We will
    however have to delete the secondary zones off of all the DC\DNS servers
    before we change the zone to AD integrated. Part of a system state
    backup on a DC\DNS is backing up all *AD integrated DNS zones*; it does not
    back up standard primary zones, these zones need to be backed up manually.

    #2 My only suggestion is that from experience with AD integrated zones, a
    small corruption in transfer removes the zone completely (by design), so I
    just want to recommend that we start taking daily backups of the zone and
    keeping them in an easily locatable place in case we run into that.

    #1 I want to convert the zone to AD integrated. Right now this DNS
    zone is a standard primary zone, which means the zone doesn't use AD
    replication to copy the zone to the other DNS servers in the company; we
    have to manually create secondary zones on all of our DNS servers, and then
    manually set up secondary zones on all DNS servers, and then configure DNS
    replication from DC1 to all the other DC\DNS servers that require a copy
    of this zone. Because all of our DCs are DNS servers, and the entire
    company accesses records in the zone, it makes more sense to make
    this zone AD integrated and let AD replicate the zone to all the other
    DC\DNS servers.

    Also when we shut down DC1 it is possible that any DC\DNS server that has a
    copy of the zone will try to do a DNS zone transfer from DC1, and
    if this happens the secondary zone will shut down and stop servicing DNS
    requests for I see no reason to keep this zone as a standard primary
    zone; it should be AD integrated. We can continue to transfer this zone once
    it is AD integrated to 3rd party appliances the same way we do today.
    sawyer, Jan 25, 2010
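    The nightly dnscmd backup job that reply #4 in the quoted thread recommends, written out as an added example (this is not code from the thread, from sawyer's colleagues, or from Microsoft). The zone name, the backup share and the retention period are placeholders; the script assumes it runs on the DNS server itself under an account that is allowed to export zones. It also refuses to archive an empty export, so a job that runs while the zone has failed to load does not silently age out the last good copy.

```powershell
# Added example: nightly export of one DNS zone with dnscmd /ZoneExport.
# Placeholder/assumed values: $ZoneName, $BackupRoot, $KeepDays.
param(
    [string]$ZoneName   = 'corp.example.test',        # placeholder zone name
    [string]$BackupRoot = '\\backupsrv\dnsbackups',   # placeholder UNC share
    [int]   $KeepDays   = 30                          # how long to keep exports
)

$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$exportName = "$ZoneName-$stamp.dns"
# dnscmd /ZoneExport only writes into %SystemRoot%\System32\dns; the file
# argument is a name relative to that directory, not a full path.
$exportPath = Join-Path $env:SystemRoot "System32\dns\$exportName"

# The export works for AD-integrated and standard primary zones alike, so the
# backup does not depend on the copy held in the AD database (which, as the
# thread notes, is what a System State backup would capture, corruption included).
$output = & dnscmd.exe /ZoneExport $ZoneName $exportName 2>&1
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $exportPath)) {
    Write-Error "Export of zone $ZoneName failed: $output"
    exit 1
}

# Sanity check: a usable export has an SOA plus the zone's records. Do not
# archive an (almost) empty file, which is what you get when the zone was not
# loaded at the time the job ran.
$recordLines = @(Get-Content $exportPath | Where-Object { $_ -and $_ -notmatch '^\s*;' }).Count
if ($recordLines -lt 3) {
    Write-Error "Export of $ZoneName has only $recordLines non-comment lines; not archiving it"
    Remove-Item $exportPath
    exit 1
}

$dest = Join-Path $BackupRoot $ZoneName
if (-not (Test-Path $dest)) { New-Item -ItemType Directory -Path $dest | Out-Null }
Move-Item -Path $exportPath -Destination (Join-Path $dest $exportName)

# Keep a history rather than a single latest copy: if a bad record replicates
# and is only noticed days later, the newest export already contains it and an
# older one is the copy you actually want to restore from.
Get-ChildItem -Path $dest -Filter "$ZoneName-*.dns" |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$KeepDays) } |
    Remove-Item

Write-Output "Archived $exportName ($recordLines record lines) to $dest"
```

    Save it as, for example, C:\Scripts\Backup-DnsZone.ps1 (placeholder path) and register it with Task Scheduler, e.g. `schtasks /Create /SC DAILY /ST 02:00 /TN "DNS zone backup" /TR "powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Backup-DnsZone.ps1" /RU SYSTEM`. The exported .dns file is a standard zone file, so it can be reloaded with `dnscmd /ZoneAdd <zone> /Primary /file <file> /load` on a server after the AD-integrated copy has been removed, or simply diffed against yesterday's export to see which record changed.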
  4. I wouldn't call it a 'self defense' mechanism, but if there's anything
    corrupted, there's a dupe zone or there are problems contacting AD for any
    reason (netlogon or other errors), including dupe zones causing it, or even
    using an ISP's DNS or the router/firewall as DNS (or other non-internal
    DNS that doesn't have a copy or reference to the zone data, effectively
    causing the DC to not be able to "find" AD), the zone will fail to load.

    You can do that, but I think it's overhead. If the zone is AD Integrated, a
    simple System State backup will back it up. However, if the zone is
    corrupted (whether from one record or some other reason), the corrupted data
    will be backed up making it useless for restoring.
    Sure, if there's corruption in the records, or if someone else manually
    created a copy of the zone, that will surely cause it, too. I remember
    working at a 5000 user system with 30 DCs. A new DC was set up at one of the
    remote locations by someone in the domain admin group, and what they did is
    manually created the forest root zone on that DC. It effectively created a
    dupe causing the correct zone to disappear (since the correct one is now the
    dupe), and the zone he created, which only had about 3 or 4 records, appear
    on all DCs. No need telling you what issues that caused.
    AD replication will not cause zone corruption, however if there are any
    issues with replication, such as a USN Rollback or other NTFRS issues, that
    will surely do it, along with corrupting or causing issues on a wider
    You are implying you do this manually. This happens by default, not
    Yep, that's correct. System State backs up system data, IIS, AD database,
    COM info, etc. DNS AD integrated zones are part of the AD database, but it
    can be in different "logical" portions of the physical database, depending
    on its replication scope.

    And you don't have to delete the secondaries. The DCs will remove them for

    I'm not sure who quoted this, but AD Integrated zones do not "transfer" from
    DC to DC. It's AD replication.
    Which is a huge administrative overhead that is not necessary. Using AD
    integrated zones will populate all DCs within its replication scope.
    Yep. If you want any zone to appear on all DCs, and you have child domains,
    set the replication scope to Forest wide. Otherwise, if one domain in the
    forest, Domain wide will suffice.

    That's correct. AD Integrated zones still follow the RFCs defining how DNS
    works, so you can simply allow a secondary on a third party. You must set
    zone transfer allowance manually on the zone if you want to do this. By
    default, AD integrated zones have this feature unchecked (disabled).

    I hope this helps.

    Ace Fekay [MVP-DS, MCT], Jan 25, 2010
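    The ADSI Edit check Ace describes (looking for "CNF..." conflict objects and for a zone stored in more than one place in AD), plus a review of which zones allow transfers, scripted as an added example; this is not code from the thread or from Microsoft. It assumes the ActiveDirectory module from RSAT and rights to read the DNS application partitions; the transfer audit at the end additionally assumes the DnsServer module (Windows Server 2012 or later), and on a 2003 server `dnscmd /ZoneInfo <zone>` shows the same "secure secondaries" settings instead. The search covers the three containers an AD-integrated zone can live in, so a zone that exists both in the legacy CN=System location and in DomainDnsZones (the classic dupe case from the thread) is reported.

```powershell
# Added example: find duplicate and conflict DNS objects in AD, then list
# zone transfer settings. Assumes RSAT ActiveDirectory (and DnsServer) modules.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$forestDN = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName

# Containers by replication scope: domain-wide, forest-wide, and the legacy
# Windows 2000 location under CN=System (the "dupe in two locations" case).
$searchBases = @(
    "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN",
    "CN=MicrosoftDNS,DC=ForestDnsZones,$forestDN",
    "CN=MicrosoftDNS,CN=System,$domainDN"
)

# Keep only the containers this account can actually read, so a missing
# partition does not abort the whole check.
$readable = foreach ($base in $searchBases) {
    try   { Get-ADObject -Identity $base -ErrorAction Stop | Out-Null; $base }
    catch { Write-Warning "Cannot read $base : $($_.Exception.Message)" }
}

# 1. Conflict objects. When two DCs create the same object before replicating,
#    AD renames one to "<name>\0ACNF:<guid>"; these are the "CNF..." entries
#    seen in ADSI Edit and they must be cleaned up by hand.
$conflicts = foreach ($base in $readable) {
    Get-ADObject -SearchBase $base -SearchScope Subtree `
        -LDAPFilter '(|(objectClass=dnsZone)(objectClass=dnsNode))' |
        Where-Object { $_.Name -like '*CNF:*' } |
        Select-Object @{n='Partition';e={$base}}, Name, ObjectClass, DistinguishedName
}

# 2. The same zone name stored in two containers: a manually created copy
#    that shadows the real zone on every DC it replicates to.
$zones = foreach ($base in $readable) {
    Get-ADObject -SearchBase $base -SearchScope OneLevel -LDAPFilter '(objectClass=dnsZone)' |
        Select-Object @{n='Partition';e={$base}}, Name, DistinguishedName
}
$duplicates = $zones |
    Where-Object { $_.Name -notlike '*CNF:*' -and $_.Name -ne 'RootDNSServers' } |  # root hints object, not a zone
    Group-Object Name | Where-Object { $_.Count -gt 1 }

Write-Output "Conflict (CNF) objects:"
$conflicts | Format-Table -AutoSize
Write-Output "Zones present in more than one container:"
$duplicates | ForEach-Object { $_.Group } | Format-Table Partition, Name -AutoSize

# 3. Transfer settings. AD-integrated zones default to no transfers; a zone that
#    feeds a third-party secondary should list only that server's address.
if (Get-Module -ListAvailable -Name DnsServer) {
    Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Primary' } |
        Select-Object ZoneName, IsDsIntegrated, ReplicationScope, SecureSecondaries,
                      @{n='SecondaryServers';e={ $_.SecondaryServers -join ',' }} |
        Format-Table -AutoSize
}
```

    A clean environment prints no CNF objects and no zone name under more than one container; anything listed there should be confirmed in ADSI Edit before deleting, because the surviving copy is the one the DNS service loads on every DC. In the transfer table, `NoTransfer` is the default for AD-integrated zones; `TransferAnyServer` on a zone that only needs to reach one appliance is the setting to tighten to `TransferToSecureServers` with the appliance's address in `SecondaryServers`.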
  5. sawyer

    sawyer Guest

    Thanks Ace appreciate you taking the time and answering these questions, it
    is very helpful indeed!
    sawyer, Jan 26, 2010

  6. You are welcome!!

    Ace Fekay [MVP-DS, MCT], Jan 26, 2010
