Repost: Missing ForestDNSZones and DomainDNSZones partitions under child AD 2003 domain

Discussion in 'DNS Server' started by Spin, Apr 28, 2006.

  1. Spin

    Spin Guest


    How come I do not see a ForestDNSZones and DomainDNSZones partition under my
    child AD 2003 domain inside the DNS management console? This child domain
    is one of two domains in an AD 2003 forest (one parent, one child).
    I do indeed see both of these partitions in the forest root domain but not
    under the child domain. See URL below, you will have to set Internet
    Explorer to FULL screen mode to view the bitmap properly. Notice in the
    corp.alpha.local (highlighted domain in picture), both ForestDNSZones and
    DomainDNSZones are missing. But if you look under alpha.local (forest root)
    both of these partitions are present.
    Spin, Apr 28, 2006

  2. Ace Fekay [MVP]
    Try rt-clicking the zone, new domain, type in DomainDnsZones. Then run
    netdiag /v /fix. Refresh the console. I've done it this way a few times.
    Keep in mind, from a child, (can't remember this for sure), you may not be
    able to see the ForestDnsZones since I believe you need to be an EA.


    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Having difficulty reading or finding responses to your post?
    Instead of the website you're using, I suggest using OEx (Outlook Express
    or any other newsreader), and configure a news account, pointing to This is a direct link to the Microsoft Public
    Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
    to easily find, track threads, cross-post, sort by date, poster's name,
    watched threads or subject.

    It's easy:
    How to Configure OEx for Internet News

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft MVP - Directory Services
    Microsoft Certified Trainer

    Infinite Diversities in Infinite Combinations
    Assimilation Imminent. Resistance is Futile
    "Very funny Scotty. Now, beam down my clothes."

    The only thing in life is change. Anything more is a blackhole consuming
    unnecessary energy. - [Me]
    Ace Fekay [MVP], Apr 28, 2006

  3. In addition to Ace's reply, are you sure these partitions exist? Can you
    see the crossRef objects for them under CN=Partitions, CN=Configuration,
    DC=domain-name, DC=com? If not, they need to be recreated. You can do this
    from the DNSMGMT.MSC tool if your Domain Naming master FSMO role holder is
    running Server 2003.
    Paul Williams [MVP], Apr 28, 2006
  4. Spin

    Spin Guest

    So Ace, I guess what you're saying is, if one does not log on as an EA to a
    child domain (say they logon as a DA), and then proceeds to open the DNS
    console, they will NOT see the ForestDNSZones and DomainDNSZones partitions
    b/c these are only viewable by an EA? Or am I confused?


    Spin, Apr 28, 2006
  5. Ace Fekay [MVP]
    No, that's not what I said. I said that you may be able to see the
    DomainDnsZones, but _*MAY*_ not be able to see the ForestDnsZones.

    Have you tried my procedure yet? There's nothing to lose... and nothing
    gained by not trying it.

    Ace Fekay [MVP], Apr 28, 2006
  6. Spin

    Spin Guest

    Spin, Apr 29, 2006
  7. Spin

    Spin Guest

    Spin, Apr 29, 2006
  8. From that LDP output, you have a ForestDNSZone but not a DomainDNSZone App

    The scope of your child domain is probably still "All domain controllers in
    this domain" as opposed to "All DNS servers in this domain".

    As for why the ForestDNSZones isn't showing, three things spring to mind (in
    no particular order):

    1. Non-Windows 2003 DNSMGMT.MSC console or DNS server.
    2. Permissions problem.
    3. Name resolution problem.

    Logon to the child domain with an admin account in the root domain and see
    if you can see the ForestDNSZones then. If you can, you need to check the
    permissions on that zone. If you cannot, you need to check that that
    snap-in is OK and that the DNS server in question is actually reading zone
    info. from AD. In the child, can you resolve That sub-domain should have been
    registered. You should be able to resolve it. If you can't, that is
    probably your issue.
    Paul Williams [MVP], Apr 29, 2006
  9. Spin

    Spin Guest

    There are only two servers in the test environment. One AD/DNS server in
    the parent domain and one in the child. Both run Windows Server 2003. The
    replication scope of the child domain is set to all domain controllers in
    the AD domain. Two questions.

    1) Is that why I do not have a DomainDNSZones partition?
    2) How should I attempt to resolve ""? Should
    I be using this syntax:

    nslookup ForestDNSZones.alpha.local
    Spin, Apr 30, 2006
  10. 1) Is that why I do not have a DomainDNSZones partition?

    Yes. Change to all DNS servers in the domain to store it in DomainDNSZones
    app partition.

    Yes, that is correct. If that doesn't work, test from the root domain.
    Does it work there? Can you resolve host.alpha.local (where host is any
    given host in that domain)?

    When you run nslookup forestdnszones.alpha.local you should have the IP
    address of your DC returned.
    Paul Williams [MVP], May 1, 2006
  11. Ace Fekay [MVP]
    In addition to Paul's response, you can also use ADSI Edit to look at the
    partitions. Matter of fact, if you find any zones or records under the
    partitions that start with CNF_, then you've got an issue due to conflicting
    zones due to an administrator selecting the wrong replication scope of a
    zone using the 2003 DNS console, say putting the zone in the "To all DNS
    servers in the Active Directory domain", which is the
    DomainDNSZones, however, in the 2000 DNS console, it's still set to "To all
    domain controllers in the Active Directory domain", which is the
    DomainNC partition, therefore creating a conflict. For obvious reasons, I've
    seen this quite often in a mixed 2000/2003 environment.

    This will explain how to view them in ADSI Edit. Let us know if you find any
    CNF entries in any of the partitions (Domain NC, DomainDnsZones, and

    kbAlertz (867464) - Explains how to use ADSI Edit to resolve a problem where
    the DNS service logs event ID 4515 in the DNS Server log.:

    Ace Fekay [MVP], May 2, 2006
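The three checks Paul and Ace describe above (crossRef objects under CN=Partitions in the Configuration NC, resolution of the partition names, and CNF conflict objects) can be scripted. This is an added diagnostic, not code from the thread; it assumes the RSAT ActiveDirectory module on a Windows 8/2012 or later box, and the names alpha.local / corp.alpha.local from the thread.

```powershell
# Added diagnostic script (not from the thread). Assumes RSAT ActiveDirectory
# module; run on (or against) a DC of the child domain. Forest/child names are
# the ones used in the thread and are parameters so they can be changed.
param(
    [string]$ForestDns = 'alpha.local',        # forest root DNS name (assumed)
    [string]$ChildDns  = 'corp.alpha.local'    # child domain DNS name (assumed)
)
Import-Module ActiveDirectory

$rootDse      = Get-ADRootDSE
$partitionsDn = "CN=Partitions,$($rootDse.configurationNamingContext)"

# 1. Paul's check: a crossRef must exist for each application partition.
#    dnsRoot carries the partition's DNS name, nCName its distinguished name.
$crossRefs = Get-ADObject -SearchBase $partitionsDn -LDAPFilter '(objectClass=crossRef)' `
    -Properties dnsRoot, nCName, msDS-NC-Replica-Locations
$expected = "ForestDnsZones.$ForestDns", "DomainDnsZones.$ChildDns"
foreach ($name in $expected) {
    $cr = $crossRefs | Where-Object { $_.dnsRoot -eq $name }
    if ($cr) {
        "crossRef OK      : $name -> $($cr.nCName)"
        "   replica DCs   : $($cr.'msDS-NC-Replica-Locations' -join '; ')"
    } else {
        "crossRef MISSING : $name (create it from a 2003+ DC; Domain Naming master must be 2003+)"
    }
}

# 2. Paul's name-resolution check: DCs hosting a replica register the partition
#    name as a host record, so it should resolve to those DCs' addresses.
foreach ($name in $expected) {
    try {
        $addrs = (Resolve-DnsName -Name $name -Type A -ErrorAction Stop).IPAddress
        "resolves         : $name -> $($addrs -join ', ')"
    } catch {
        "NO RESOLUTION    : $name ($($_.Exception.Message))"
    }
}

# 3. Ace's check: conflict objects carry "\0ACNF:<guid>" in their RDN and mean the
#    same zone was stored in two partitions (domain NC vs DomainDnsZones).
#    Searching an application partition only works against a DC that hosts it.
$ncs = @($rootDse.defaultNamingContext) + @($crossRefs |
    Where-Object { $_.dnsRoot -like 'DomainDnsZones.*' -or $_.dnsRoot -like 'ForestDnsZones.*' } |
    ForEach-Object nCName)
foreach ($nc in $ncs) {
    $cnf = Get-ADObject -SearchBase $nc -LDAPFilter '(|(objectClass=dnsZone)(objectClass=dnsNode))' `
        -ErrorAction SilentlyContinue | Where-Object { $_.DistinguishedName -match '\\0ACNF:' }
    "conflicts in $nc : $(@($cnf).Count)"
    $cnf | ForEach-Object { "   $($_.DistinguishedName)" }
}
```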
  12. Spin

    Spin Guest

    Yes, the command nslookup ForestDNSZones.alpha.local does in fact return the
    IP addresses of my root domain AD/DNS server and my child domain AD/DNS
    server. However, I get an error when I change the replication scope of
    corp.alpha.local to all DNS servers in the AD domain. I am logged on as a
    DA in corp.alpha.local whenever I try this. The error is:

    "The replication scope could not be set... The specified directory partition
    does not exist".

    What is weird is, the error is saying the "specified directory partition
    does not exist" -- my response to that is of course is doesn't exist, I am
    trying to create it! I'm befuddled!
    Spin, May 2, 2006
  13. Spin

    Spin Guest

    I was able to successfully use ADSIEDIT to see both the ForestDNSZones and
    DomainDNSZones in the forest root domain alpha.local (logged on as an EA to
    that domain to that AD/DNS server). However, I get "Directory Object Not
    Found" while searching for both ForestDNSZones and DomainDNSZones in the
    child domain, logged on as a DA in the child domain to the child domain
    AD/DNS server and even when logged on as an EA the child domain AD/DNS
    Spin, May 2, 2006
  14. Ace Fekay [MVP]
    Then this sounds (obviously) more of a DNS misconfiguration. How is the
    child domain's DNS configured? Is it delegated from the parent or using
    stubs? If you are trying to set the scope for the child and it's not
    working, then how is the child supposed to find the parent? Set it up with a
    parent to child delegation, then forward from the child to the parent for
    now to get it working first.

    Ace Fekay [MVP], May 2, 2006
  15. Spin

    Spin Guest

    The child domain DNS server points to itself for preferred DNS server under
    TCP/IP properties. In the DNS console, I have setup a forwarder pointing at
    the root domain DNS server for unresolved queries. I have not setup any
    delegation or stubs. Do I need to?
    Spin, May 3, 2006
  16. Spin

    Spin Guest

    Ace, YOU ARE A GENIUS! After I re-read your post, I understood what you
    meant. All I needed to do, like you said, was create a delegation on the
    forest root domain for the child domain on the root domain DNS server. Once
    I did that, and selected "Create Default Application Directory Partitions"
    on my child domain DNS server, the DomainDNSZones partition (folder) showed
    Spin, May 3, 2006
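The fix Spin arrived at (delegate the child zone from the parent, forward from the child to the parent, create the default application directory partitions, then move the zone's replication scope), written out as an added repair sequence rather than code from the thread. It assumes dnscmd.exe is available on both DNS servers, that the account holds DA in the child and rights to edit the parent zone, and the placeholder DC names and IP addresses below.

```powershell
# Added repair sequence, not code from the thread. dnscmd.exe is assumed present
# (Support Tools on 2003, in-box on later servers); DC names and IPs are placeholders.
$RootDc     = 'root-dc.alpha.local'        # assumed
$ChildDc    = 'child-dc.corp.alpha.local'  # assumed
$ChildDcIp  = '10.0.0.2'                   # assumed
$RootDcIp   = '10.0.0.1'                   # assumed
$ParentZone = 'alpha.local'
$ChildZone  = 'corp.alpha.local'

function Invoke-Dnscmd {
    # Thin wrapper so a failing step stops the sequence instead of being ignored.
    param([string[]]$Arguments)
    $out = & dnscmd.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $($Arguments -join ' ') failed:`n$out" }
    $out
}

# 1. Parent side: delegate "corp" to the child DC (NS record plus glue A record).
#    Without this the child's partition names never resolve from the root.
Invoke-Dnscmd @($RootDc, '/RecordAdd', $ParentZone, 'corp', 'NS', $ChildDc)
Invoke-Dnscmd @($RootDc, '/RecordAdd', $ParentZone, 'child-dc.corp', 'A', $ChildDcIp)

# 2. Child side: forward anything the child cannot answer to the parent DC.
Invoke-Dnscmd @($ChildDc, '/ResetForwarders', $RootDcIp)

# 3. Child side: equivalent of "Create Default Application Directory Partitions"
#    in the DNS console. Requires a 2003+ Domain Naming master.
Invoke-Dnscmd @($ChildDc, '/CreateBuiltinDirectoryPartitions', '/domain')

# 4. Confirm the partition exists before touching the zone; this is the
#    "specified directory partition does not exist" error seen earlier.
$parts = (Invoke-Dnscmd @($ChildDc, '/EnumDirectoryPartitions')) | Out-String
if ($parts -notmatch "DomainDnsZones\.$([regex]::Escape($ChildZone))") {
    throw "DomainDnsZones.$ChildZone still missing; check the crossRef and replication first"
}

# 5. Move the zone from the domain NC ("all domain controllers") to the
#    DomainDnsZones partition ("all DNS servers in the domain").
Invoke-Dnscmd @($ChildDc, '/ZoneChangeDirectoryPartition', $ChildZone, "DomainDnsZones.$ChildZone")

# 6. Verify from the child the way Paul suggested: the partition name resolves to the DC.
Resolve-DnsName -Name "DomainDnsZones.$ChildZone" -Type A | Select-Object Name, IPAddress
```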
  17. Ace Fekay [MVP]

    Time for a double shot of Crown Royal straight up...

    Ace Fekay [MVP], May 3, 2006
  18. Spin

    Spin Guest

    You've heard of the "ACE Hardware" store right, well, you should be known as
    ACE "Software"! :)

    Thanks to Paul Williams for sticking through this as well!
    Spin, May 3, 2006
  19. Ace Fekay [MVP]
    Ace Software? Hmm, there may be some merit in that...

    Ace Fekay [MVP], May 3, 2006
  20. Ace Fekay [MVP]
    Thanks! But you helped out too! Between your responses and mine, it helped
    to narrow it down.

    Ahh, pool, you remembered!

    Be glad to play a few racks... :)
    Ace Fekay [MVP], May 5, 2006