Forward lookup zone not automatically created for new domain in fo

Discussion in 'Active Directory' started by Shawn Conaway, Nov 17, 2006.

  1. Hi,

    I have a forest with three domains that are in separate trees: company.biz,
    sight.company, and shell.company. Company.biz is the forest root.
    Shell.company is the new domain. In DNS, all three domains appear in the
    forward lookup zones on the domain controllers hosting shell.company. Domain
    controllers for the other two domains only show the two domains.

    DNS is Active Directory-Integrated. Replication is set for 'All DNS servers
    in the Active Directory Forest'. Zone transfers are allowed to 'only to
    servers listed on the Name Servers tab'. Under the Name Servers tab, I have
    updated the name servers so that the two new shell.company domain controllers
    appear in all three zones.

    Adding the servers under the Name Servers tab appears to have resolved my
    Kerberos issues because now in Sites and Services, the correct domain appears
    for both of my shell.company domain controllers. Previously, the servers
    were in the site, but the domain did not show.

    Adding the servers to the Name Servers tab also appears to have fixed my
    name resolution problem. Pinging the shell.company is now resolvable from
    other domain controllers. Pinging one shell.company DC from the other
    shell.company DC now returns the FQDN instead of just the name.

    Although I can resolve names, I'm not sure how the resolution is occurring
    as the servers doing the resolution do not have the shell.company domain
    forward lookup zone. I suspect the forest root is resolving names because of
    an A record for a shell.company domain controller in
    company.biz\forestdnszones.

    Are zone transfers actually occurring? Will manually creating a forward
    lookup zone in the company.biz and sight.company domains cause DNS
    corruption? Is there a setting I can change so that the shell.company
    forward lookup zones automatically propagate into the other zones?

    ----------------
    DCDIAG:

    C:\>dcdiag

    Domain Controller Diagnosis

    Performing initial setup:
    Done gathering initial info.

    Doing initial required tests

    Testing server: Site\DC1
    Starting test: Connectivity
    ......................... DC1 passed test Connectivity

    Doing primary tests

    Testing server: Site\DC1
    Starting test: Replications
    ......................... DC1 passed test Replications
    Starting test: NCSecDesc
    ......................... DC1 passed test NCSecDesc
    Starting test: NetLogons
    ......................... DC1 passed test NetLogons
    Starting test: Advertising
    ......................... DC1 passed test Advertising
    Starting test: KnowsOfRoleHolders
    ......................... DC1 passed test KnowsOfRoleHolders
    Starting test: RidManager
    ......................... DC1 passed test RidManager
    Starting test: MachineAccount
    ......................... DC1 passed test MachineAccount
    Starting test: Services
    ......................... DC1 passed test Services
    Starting test: ObjectsReplicated
    ......................... DC1 passed test ObjectsReplicated
    Starting test: frssysvol
    ......................... DC1 passed test frssysvol
    Starting test: frsevent
    ......................... DC1 passed test frsevent
    Starting test: kccevent
    ......................... DC1 passed test kccevent
    Starting test: systemlog
    ......................... DC1 passed test systemlog
    Starting test: VerifyReferences
    ......................... DC1 passed test VerifyReferences

    Running partition tests on : DomainDnsZones
    Starting test: CrossRefValidation
    ......................... DomainDnsZones passed test
    CrossRefValidation

    Starting test: CheckSDRefDom
    ......................... DomainDnsZones passed test CheckSDRefDom

    Running partition tests on : shell
    Starting test: CrossRefValidation
    ......................... shell passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... shell passed test CheckSDRefDom

    Running partition tests on : ForestDnsZones
    Starting test: CrossRefValidation
    ......................... ForestDnsZones passed test
    CrossRefValidation

    Starting test: CheckSDRefDom
    ......................... ForestDnsZones passed test CheckSDRefDom

    Running partition tests on : Schema
    Starting test: CrossRefValidation
    ......................... Schema passed test CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Schema passed test CheckSDRefDom

    Running partition tests on : Configuration
    Starting test: CrossRefValidation
    ......................... Configuration passed test
    CrossRefValidation
    Starting test: CheckSDRefDom
    ......................... Configuration passed test CheckSDRefDom

    Running enterprise tests on : company.biz
    Starting test: Intersite
    ......................... company.biz passed test Intersite
    Starting test: FsmoCheck
    ......................... company.biz passed test FsmoCheck

    NETDIAG -------------------------------------------------------------------


    C:\>netdiag

    Computer Name: DC1
    DNS Host Name: DC1.shell.company
    System info : Microsoft Windows Server 2003 R2 (Build 3790)
    Processor : x86 Family 15 Model 33 Stepping 2, AuthenticAMD
    List of installed hotfixes :
    KB890046
    KB893756
    KB896358
    KB896424
    KB896428
    KB898715
    KB899587
    KB899588
    KB899589
    KB899591
    KB900725
    KB901017
    KB901214
    KB902400
    KB904706
    KB904942
    KB905414
    KB908519
    KB908531
    KB909520
    KB910437
    KB911280
    KB911562
    KB911567
    KB911927
    KB912919
    KB914388
    KB914389
    KB917159
    KB917344
    KB917422
    KB917734
    KB917953
    KB918439
    KB918899
    KB920214
    KB920670
    KB920683
    KB920685
    KB921398
    KB921883
    KB922582
    KB922616
    KB922819
    KB923191
    KB923414
    KB924191
    KB924496
    KB925486
    Q147222


    Netcard queries test . . . . . . . : Passed



    Per interface results:

    Adapter : Local Area Connection

    Netcard queries test . . . : Passed

    Host Name. . . . . . . . . : DC1.shell.company
    IP Address . . . . . . . . :
    Subnet Mask. . . . . . . . :
    Default Gateway. . . . . . :
    Primary WINS Server. . . . :
    Dns Servers. . . . . . . . :


    AutoConfiguration results. . . . . . : Passed

    Default gateway test . . . : Passed

    NetBT name test. . . . . . : Passed
    [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

    WINS service test. . . . . : Passed


    Global results:


    Domain membership test . . . . . . : Passed


    NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
    NetBT_Tcpip_{92CF28BD-0ECC-4EDC-A934-915B8D99B36E}
    1 NetBt transport currently configured.


    Autonet address test . . . . . . . : Passed


    IP loopback ping test. . . . . . . : Passed


    Default gateway test . . . . . . . : Passed


    NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.


    Winsock test . . . . . . . . . . . : Passed


    DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server ''
    and other DCs also have some of the names registered.
    PASS - All the DNS entries for DC are registered on DNS server ''
    and other DCs also have some of the names registered.
    [WARNING] The DNS entries for this DC are not registered correctly on DNS server ''. Please wait for 30 minutes for DNS server replication.


    Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
    NetBT_Tcpip_{92CF28BD-0ECC-4EDC-A934-915B8D99B36E}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
    NetBT_Tcpip_{92CF28BD-0ECC-4EDC-A934-915B8D99B36E}
    The browser is bound to 1 NetBt transport.


    DC discovery test. . . . . . . . . : Passed


    DC list test . . . . . . . . . . . : Passed


    Trust relationship test. . . . . . : Skipped


    Kerberos test. . . . . . . . . . . : Passed


    LDAP test. . . . . . . . . . . . . : Passed


    Bindings test. . . . . . . . . . . : Passed


    WAN configuration test . . . . . . : Skipped
    No active remote access connections.


    Modem diagnostics test . . . . . . : Passed

    IP Security test . . . . . . . . . : Skipped

    Note: run "netsh ipsec dynamic show /?" for more detailed information
     
    Shawn Conaway, Nov 17, 2006
    #1

  2. Herb Martin (Guest)

    You need your DNS servers in every domain/tree
    to be able to find the others so you can make them Secondaries
    (as you have done with shell.company), use Stubs instead if
    zones are giant, conditionally forward, or if ALL DC-DNS
    servers are Win2003 you can do forest wide AD Integration
    and replication.
    Chances are the problem is due to the DCs in all the
    "other" zones/domains to be able to initially find the
    one that is working.

    Try (TEMPORARILY) changing the DCs in those domains
    to use the main DNS servers ONLY in their NIC->IP
    properties.

    Re-register them with DNS (DCDiag /fix or restart NetLogon service.)

    Check replication. Once it has replicated the other zones
    you can put them back to the most efficient DNS settings.
    Zone transfer settings are NOT relevant to AD integration
    replication -- only to ordinary secondaries.
    Check time -- and especially TIME ZONE settings if
    you suspect Kerberos issues.

    One common mistake is to set the time on a server based
    on an INCORRECT time zone and thus end up being hours
    away (in GMT) from the correct time.

    --
    Herb Martin, MCSE, MVP
    Accelerated MCSE
    http://www.LearnQuick.Com
    [phone number on web site]
     
    Herb Martin, Nov 17, 2006
    #2

  3. Hi.

    Thanks for the help...I appreciate it. I don't think I'm getting any
    closer, though. I updated the 'Preferred DNS server' on shell.company to
    point to the forest root company.biz instead of itself. I got all sorts of
    unpleasant errors when I ran 'dcdiag /fix':

    Starting test: frsevent
    There are warning or error events within the last 24 hours after the
    SYSVOL has been shared. Failing SYSVOL replication problems may
    cause
    Group Policy problems.
    ......................... BKFADDC08 failed test frsevent
    Starting test: kccevent
    An Warning Event occured. EventID: 0x80000677
    Time Generated: 11/17/2006 15:44:01
    (Event String could not be retrieved)
    An Warning Event occured. EventID: 0x80000677
    Time Generated: 11/17/2006 15:44:01
    (Event String could not be retrieved)
    An Warning Event occured. EventID: 0x80000677
    Time Generated: 11/17/2006 15:44:01
    (Event String could not be retrieved)
    An Warning Event occured. EventID: 0x80000677
    Time Generated: 11/17/2006 15:44:01
    (Event String could not be retrieved)
    An Warning Event occured. EventID: 0x80000677
    Time Generated: 11/17/2006 15:44:01
    (Event String could not be retrieved)
    An Error Event occured. EventID: 0xC0000466
    Time Generated: 11/17/2006 15:44:01
    (Event String could not be retrieved)
    An Warning Event occured. EventID: 0x80250828
    Time Generated: 11/17/2006 15:44:22
    (Event String could not be retrieved)
    An Error Event occured. EventID: 0xC0000466
    Time Generated: 11/17/2006 15:45:15
    (Event String could not be retrieved)
    ......................... BKFADDC08 failed test kccevent

    No forward lookup zone appeared.

    I waited a bit, then switched the DNS servers back so that the preferred DNS
    servers were DC1.shell.company (itself first), then to DC2.shell.company,
    company.biz, and sight.company (in that order). I waited a bit and the
    'dcdiag /fix' reports that it is working normally except for the following
    error, which appears like it will resolve itself in a day:

    Starting test: frsevent
    There are warning or error events within the last 24 hours after the
    SYSVOL has been shared. Failing SYSVOL replication problems may cause
    Group Policy problems.
    ......................... DC1 failed test frsevent


    The main indicator that tells me something is still wrong is the following
    error:

    -------------------

    DNS server has updated its own host (A) records. In order to ensure that
    its DS-integrated peer DNS servers are able to replicate with this server, an
    attempt was made to update them with the new records through dynamic update.
    An error was encountered during this update, the record data is the error
    code.

    If this DNS server does not have any DS-integrated peers, then this error
    should be ignored.

    If this DNS server's Active Directory replication partners do not have the
    correct IP address(es) for this server, they will be unable to replicate with
    it.

    To ensure proper replication:
    1) Find this server's Active Directory replication partners that run the DNS
    server.
    2) Open DnsManager and connect in turn to each of the replication partners.
    3) On each server, check the host (A record) registration for THIS server.
    4) Delete any A records that do NOT correspond to IP addresses of this
    server.
    5) If there are no A records for this server, add at least one A record
    corresponding to an address on this server, that the replication partner can
    contact. (In other words, if there multiple IP addresses for this DNS
    server, add at least one that is on the same network as the Active Directory
    DNS server you are updating.)
    6) Note, that is not necessary to update EVERY replication partner. It is
    only necessary that the records are fixed up on enough replication partners
    so that every server that replicates with this server will receive (through
    replication) the new data.

    ----------------

    The reason why I wanted to create a forward lookup zone is because this
    above error indicates that the servers cannot find an A record for the
    DC1.shell.company server. However, it sounds like you are recommending that a
    forward lookup zone is unnecessary since all the DCs in the forest are using
    AD-integrated DNS. Please let me know if I have misinterpreted what you are
    recommending.

    Thanks again.

     
    Shawn Conaway, Nov 17, 2006
    #3
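Added here as a worked example, not code from the thread or from either poster: a PowerShell check that walks the five audit steps in the event text Shawn quoted above for one DC (report only, nothing is deleted) and, for the question in the first post about how the other servers are resolving shell.company names, also shows what each other DNS server in the forest actually answers for that DC. It assumes Windows Server 2012 R2 or later with the ActiveDirectory, DnsServer, DnsClient and NetTCPIP RSAT modules (the thread's Windows Server 2003 servers would need DnsManager or dnscmd instead), an account that can read every zone and reach the audited DC over CIM, and treats every other DC in the forest as a candidate replication partner. Get-DcHostRecordAudit and the 'DC1.shell.company' usage value are the example's own names.

```powershell
# Added example (not from the thread): audit the host (A) records every other
# DC's DNS server holds and answers for one DC. Report only; no deletions.
# Assumes Windows Server 2012 R2+ RSAT modules and CIM access to the audited DC.
Import-Module ActiveDirectory
Import-Module DnsServer

function Get-DcHostRecordAudit {
    param([Parameter(Mandatory)][string] $DcFqdn)   # e.g. 'DC1.shell.company'

    $hostName = ($DcFqdn -split '\.')[0]
    $zoneName = $DcFqdn.Substring($hostName.Length + 1)

    # The addresses this DC really has (loopback/APIPA excluded), read from the
    # DC itself over CIM. These are the only values its A records may carry.
    $actual = @(Get-NetIPAddress -CimSession $DcFqdn -AddressFamily IPv4 |
        Where-Object { $_.PrefixOrigin -ne 'WellKnown' } |
        Select-Object -ExpandProperty IPAddress)

    # Step 1: candidate replication partners = every other DC in the forest
    # (assumption: we do not narrow this to actual AD replication links).
    $partners = foreach ($d in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $d | Select-Object -ExpandProperty HostName
    }

    foreach ($p in ($partners | Where-Object { $_ -ne $DcFqdn })) {
        # Steps 2-3: read the zone data this partner stores for the host.
        # A DC that runs no DNS, or does not hold the zone, yields no zone object.
        $zone = Get-DnsServerZone -ComputerName $p -Name $zoneName -ErrorAction SilentlyContinue
        $stored = @()
        if ($zone) {
            $stored = @(Get-DnsServerResourceRecord -ComputerName $p -ZoneName $zoneName `
                -Name $hostName -RRType A -ErrorAction SilentlyContinue |
                ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })
        }

        # What the partner's resolver actually answers for the FQDN, whatever
        # the path (own zone, secondary/stub, forwarder, recursion). This is
        # the answer replication and Kerberos on that partner will use.
        $answered = @(Resolve-DnsName -Name $DcFqdn -Server $p -Type A -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress)

        $stale   = @($stored | Where-Object { $_ -notin $actual })   # step 4 candidates
        $correct = @($stored | Where-Object { $_ -in $actual })

        [pscustomobject]@{
            Partner    = $p
            HostsZone  = [bool]$zone
            ZoneType   = if ($zone) { $zone.ZoneType } else { '' }
            StoredA    = $stored -join ','
            StaleA     = $stale -join ','                       # would be deleted under step 4
            NeedsAdd   = [bool]$zone -and $correct.Count -eq 0  # step 5 applies
            ResolvesTo = $answered -join ','
            ResolvesOK = $answered.Count -gt 0 -and -not ($answered | Where-Object { $_ -notin $actual })
        }
    }
}

# Usage:
# Get-DcHostRecordAudit -DcFqdn 'DC1.shell.company' | Format-Table -AutoSize
```

A partner with HostsZone false but ResolvesOK true is resolving the name some other way (for example through a record replicated in ForestDnsZones, a forwarder, or recursion), which is the situation the first post describes; a partner with a non-empty StaleA or NeedsAdd true is one the event text says cannot replicate with the DC until its record is corrected.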
  4. Herb Martin (Guest)

    Did you remove the other DNS servers? You must only
    allow a DNS Client (including DCs which are DNS
    clients) to use ONE (set) of DNS servers that all return
    the same answers; there is no way to guarantee which
    will be used if you have alternates in there too.

    This looks like you already had replication errors (at least
    for SysVol.)
    This implies that the main DNS servers cannot find
    the child or other tree DNS servers. You said earlier
    that you had those zones on the main DNS for the other
    zones/domains. Are they all AD Integrated? If so,
    any should be able to take replication.

    Are they all using the same scope of replication?

    --
    Herb Martin, MCSE, MVP
    Accelerated MCSE
    http://www.LearnQuick.Com
    [phone number on web site]

     
    Herb Martin, Nov 17, 2006
    #4
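Added as a worked example, not code from the thread or from Herb Martin: a PowerShell report that answers the three questions in this reply across the whole forest, which zones each DC's DNS server holds and how (primary, secondary, stub or forwarder), whether the AD-integrated zones use the same replication scope everywhere, and which DNS servers each DC's own resolver points at. It assumes Windows Server 2012 R2 or later with the ActiveDirectory, DnsServer and DnsClient modules and CIM access to each DC; Get-ForestDnsConsistencyReport and its output property names are the example's own.

```powershell
# Added example (not from the thread): forest-wide DNS zone, replication-scope
# and DNS-client consistency report. Assumes Windows Server 2012 R2+ modules.
Import-Module ActiveDirectory
Import-Module DnsServer

function Get-ForestDnsConsistencyReport {
    $dcs = foreach ($d in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $d | Select-Object -ExpandProperty HostName
    }

    # One row per (DNS server, forward zone). Auto-created and reverse zones are
    # skipped; a DC without the DNS role simply produces no rows here.
    $zones = foreach ($dc in $dcs) {
        $list = Get-DnsServerZone -ComputerName $dc -ErrorAction SilentlyContinue |
            Where-Object { -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone }
        foreach ($z in $list) {
            [pscustomobject]@{
                DnsServer = $dc
                Zone      = $z.ZoneName
                Type      = $z.ZoneType      # Primary, Secondary, Stub or Forwarder
                Scope     = if ($z.IsDsIntegrated) { $z.ReplicationScope } else { 'file' }
            }
        }
    }

    $dnsServers = @($zones.DnsServer | Select-Object -Unique)
    $allZones   = @($zones.Zone | Select-Object -Unique)

    # A DNS server holding no copy at all (primary, secondary, stub or
    # forwarder) of a zone hosted elsewhere in the forest cannot resolve that
    # domain by itself; these are the gaps the thread is about.
    $missing = foreach ($s in $dnsServers) {
        $have = @(($zones | Where-Object DnsServer -eq $s).Zone)
        foreach ($z in $allZones) {
            if ($z -notin $have) { [pscustomobject]@{ DnsServer = $s; MissingZone = $z } }
        }
    }

    # AD-integrated primaries of one zone should agree on replication scope;
    # 'Domain' on one server and 'Forest' on another means the zone exists as
    # two separate copies in two application partitions.
    $scopeConflicts = $zones | Where-Object Type -eq 'Primary' | Group-Object Zone |
        Where-Object { @($_.Group.Scope | Select-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Zone   = $_.Name
                Scopes = ($_.Group | ForEach-Object { "$($_.DnsServer)=$($_.Scope)" }) -join '; '
            }
        }

    # Each DC's own resolver list; the advice above is one consistent set per DC.
    $clients = foreach ($dc in $dcs) {
        $srv = Get-DnsClientServerAddress -CimSession $dc -AddressFamily IPv4 -ErrorAction SilentlyContinue |
            Where-Object { $_.ServerAddresses } | ForEach-Object { $_.ServerAddresses }
        [pscustomobject]@{ DC = $dc; ResolverList = (@($srv) -join ',') }
    }

    [pscustomobject]@{
        Zones          = $zones
        MissingZones   = @($missing)
        ScopeConflicts = @($scopeConflicts)
        ClientSettings = $clients
    }
}

# Usage:
# $r = Get-ForestDnsConsistencyReport
# $r.Zones | Sort-Object Zone, DnsServer | Format-Table -AutoSize
# $r.MissingZones; $r.ScopeConflicts; $r.ClientSettings | Format-Table -AutoSize
```

Read MissingZones first: in the setup described in the first post it would list the company.biz and sight.company DNS servers against the shell.company zone. An empty ScopeConflicts with every Scope showing Forest is what "forest-wide AD integration" looks like in practice, and zone transfer settings never enter into it, as the reply above says.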
