Repost: Missing ForestDNSZones and DomainDNSZones partitions under child AD 2003 domain

Discussion in 'DNS Server' started by Spin, Apr 28, 2006.

  1. Spin

    Chris Dent Guest

    This suggests replication failure. Creating the application partitions
    should not be necessary if they exist on a current DC within the domain.

    Check replication with RepAdmin, DCDiag and the contents of the
    Directory Service event log?

    A possible alternative is that you have two copies of the same zone.
    However, that should be logging an event stating that in the DNS event
    log. I would expect the two zones to be in different directory partitions
    (normally one in the domain NC and one in Domain / Forest DNS Zones). I
    feel that's quite unlikely here, but would need more information.

    Chris
     
    Chris Dent, Jul 21, 2009
    #21

  2. This sounds like it could be a DNS misconfig issue. Can you post an unedited ipconfig /all of the two DCs, please? Let us eliminate the possibility it's a simple DNS misconfig to start off, as well as other issues that an ipconfig /all result will alert us to (single label name, disjointed namespace, multihomed DCs, ISP DNS, external DNS, router as a DNS, and much more).

    Also, Chris mentioned a possible duplicate zone, which I am leaning towards as well. I have a full outlined procedure to check and fix such an issue, but let's rule out the basics with the ipconfigs, please.

    Thanks,


    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

    Please reply back to the newsgroup or forum to benefit from collaboration among responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MCT, MCSE, MCSA 2003 & 2000, MCSA Messaging
    Microsoft Certified Trainer

    http://twitter.com/acefekay

    For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [MCT], Jul 22, 2009
    #22


  3. You are welcome. It appears the ipconfigs look pretty good. I would just suggest for DC2 to point to itself in the first entry, and the partner DC as its second entry. I notice there is another WINS server at 16.2. Keep in mind, with any WINS server, that a WINS server can only point to itself, no others. So make sure that's true on your WINS servers.

    So my feeling, as well as Chris' feelings, is there may be a duplicate zone in the AD database. Please read the following to understand what that means and how to find, and/or fix it, if found.

    ==================================================================
    Conflicting or duplicate AD Integrated DNS zones
    By Ace Fekay, MCSE 2003, MCT
    First published 3/2006, updated accordingly

    You may have a duplicate zone if a zone either exists in both the Domain NC and one of the Application Partitions, if you get an unusual error message stating, "The name limit for the local computer network adapter card was exceeded," or you installed DNS on another DC and manually created the AD zone and didn't wait for it to automatically populate.

    Dupe zone errata:
    A quick explanation: When you have an AD integrated zone, the DNS data is stored in the actual AD database and is replicated to all DCs and will be available to any DC that has DNS installed, depending on the zone replication scope setting. If rep scope is set to the bottom button, it will be stored in the DomainNC partition of the AD database and compatible with Windows 2000. If the middle button, it will be stored in the DomainDnsZones and only works with Windows 2003 and newer DCs. These two scope types will be replicated to all DCs only in the domain it exists in. The third type, the top button, is stored in the ForestDnsZones application partition and is available to ALL DCs in the whole forest. The data in any of the AD integrated zone types are truly secured since you can't get at them without the proper tools.

    If you have an AD integrated zone existing on a DC and you install DNS on another DC in the domain or forest, depending what zone type, it will automatically appear on the new DNS installation without any interaction on your part. If you attempted to manually create the zone, then you pretty much just introduced a duplicate in the AD database, which will cause problems and other issues as well.

    A Primary or Secondary zone that is not stored in AD is stored in a text file in the system32\dns folder. This type of zone storage has nothing to do with the above types ONLY unless it is truly a secondary with the Master being a DC transferring a copy of the zone. This types of zone storage is obviously not secure.

    Now **IF** you did manually create a zone on one DC while it already existed on another DC, then you may have a duplicate. If this is the case, you can use ADSI Edit and look for zone data that starts with a "CNF..." in front of it. Delete them and you're good to go.

    Under Windows 2000, the physical AD database is broken up into 3 logical partitions, the DomainNC (Domain Name Context, or some call the Domain Name Container), the Configuration Partition, and the Schema Partition. The Schema and Config partitions replicate to all DCs in a forest. However, the DomainNC is specific only to the domain the DC belongs to. That's where a user, domain local or global group is stored. The DomainNC only replicates to the DCs of that specific domain. When you create an AD Integrated zone in Win 2000, it gets stored in the DomainNC. This causes a limitation if you want this zone to be available on a DC/DNS server that belongs to a different domain. The only way to get around that is for a little creative designing using either delegation, or secondary zones. This was a challenge for the _msdcs zone, which must be available forest wide to resolve the forest root domain, which contains the Schema and Domain Name Masters FSMO roles.

    In Windows 2003, there were two additional partitions added, they are called the DomainDnsZones and ForestDnsZones Application Partitions, specifically to store DNS data. They were conceived to overcome the limitation of Windows 2000's AD Integrated zones. Now you can store an AD Integrated zone in either of these new partitions instead of the DomainNC. If stored in the DomainDnsZones app partition, it is available only in that domain's DomainDnsZones partition. If you store it in the ForestDnsZones app partition, it will be available to any DC/DNS server in the whole forest. This opens many more design options. It also ensures the availability of the _msdcs zone to all DCs in the forest. By default in Win 2003, the _msdcs zone is stored in the ForestDnsZones application partition.

    When selecting a zone replication scope in Win2003, in the zone's properties, click on the "Change" button. Under that you will see 3 options:
    To choose the ForestDnsZones:
    "To all DNS servers in the AD forest example.com"

    To choose DomainDnsZones:
    "To all DNS servers in the AD domain example.com"

    To choose the DomainNC (only for compatibility with Win2000):
    "To all domain controllers in the AD domain example.com"


    If you have a duplicate, that's indicating there is a zone that exists in the DomainNC and in the DomainDnsZones Application partition. This means at one time, or currently, you have a mixed Win2000/2003 environment and you have DNS installed on both operating systems. On Win2000, if the zone is AD Integrated, it is in the DomainNC, and should be set the same in Win2003's DC/DNS server to keep compatible. Someone must have attempted to change it in Win2003 DNS to put it in the DomainDnsZones partition not realizing the implications, hence the duplicate. In a scenario such as this where you want to use the Win2003 app partitions, you then must ensure the zone on the Win2003 is set to the DomainNC, then uninstall DNS off the Win2000 machine, then once that's done, you can then go to the Win2003 DNS and change the partition's replication scope to one of the app partitions.

    In ADSI Edit, you can view all five partitions. You were viewing the app partitions, but not the main partitions. You need to add the DomainNC partition in order to delete that zone. But you must uninstall DNS off the Win2000 server first, unless you want to keep the zone in the DomainNC. But that wouldn't make much sense if you want to take advantage of the _msdcs zone being available forest wide in the ForestDnsZones partition, which you should absolutely NOT delete. I would just use the Win2003 DNS servers only.

    In ADSI Edit, right-click ADSI Edit, connect to, in the Connection Point click on "Well known Naming Context", then in the drop-down box, select "Domain". Drill down to CN=System. Under that you will see CN=MicrosoftDNS. You will see the zone in there.

    But make sure to decide FIRST which way to go before you delete anything.

    To view the DomainDnsZones or the ForestDnsZones partitions, follow these steps:

    [ForestDNSZones]
    Click Start, click Run, type adsiedit.msc, and then click OK.
    In the console tree, right-click ADSI Edit, and then click Connect to.
    Click Select or type a Distinguished Name or Naming Context, type the following text in the list, and then click OK:
    DC=ForestDNSZones, DC=contoso, DC=com
    In the console tree, double-click DC=ForestDNSZones, DC=contoso, DC=com.
    Double-click CN=MicrosoftDNS, and click the zone (contoso.com). You should now be able to view the DNS records which exist in this DNS partition. If you desire to remove this partition, right-click on contoso.com and then click Delete.

    Note Deleting a zone is a destructive operation. Please confirm that a duplicate zone exists before you perform a deletion.
    If you have deleted a zone, restart the DNS service. To do this, follow these steps:
    Click Start, point to All Programs, point to Administrative Tools, and then click DNS.
    In the console tree, right-click contoso.com, point to All Tasks, and then click Restart.

    [DomainDNSZones]
    Click Start, click Run, type adsiedit.msc, and then click OK.
    In the console tree, right-click ADSI Edit, and then click Connect to.
    Click Select or type a Distinguished Name or Naming Context, type the following text in the list, and then click OK: DC=DomainDNSZones,DC=contoso,DC=com.
    In the console tree, double-click DC=DomainDNSZones,DC=contoso,DC=com
    Double-click CN=MicrosoftDNS, and click the zone (contoso.com). You should now be able to view the DNS records which exist in this DNS partition. If you desire to remove this partition, right-click on contoso.com and then click Delete.

    Note Deleting a zone is a destructive operation. Please confirm that a duplicate zone exists before you perform a deletion.
    If you have deleted a zone, restart the DNS service. To do this, follow these steps:
    Click Start, point to All Programs, point to Administrative Tools, and then click DNS.
    In the console tree, right-click contoso.com, point to All Tasks, and then click Restart.

    Some reading for you...

    Directory Partitions:
    http://www.microsoft.com/resources/...server/reskit/en-us/distrib/dsbg_dat_favt.asp

    kbAlertz- (867464) - Explains how to use ADSI Edit to resolve app partitions issues:
    http://www.kbalertz.com/kb_867464.aspx


    How to fix it?
    -------------

    What I've done in a few cases with my clients that have issues with
    'duplicate' zone entries in AD (because the zone name was in the Domain NC
    (Name Container) Partition, and also in the DomainDnsZones App partition),
    was first to change the zone on one of the DCs to a Primary zone, and
    allowed zone transfers. Then I went to the other DCs and changed the zone to
    a Secondary, and using the first DC as the Master. Then I went into ADSI
    Edit, (from memory) under the Domain NC, Services, DNS, and deleted any
    reference to the domain name. Then I added the DomainDnsZones partition to
    the ADSI Edit console, and deleted any reference to the zone name in there
    as well. If you see anything saying something to the extent of a phrase that says
    "In Progress...." or "CNF" with a long GUID number after it, delete them too. Every time
    you may have tried to change the replication scope, it creates one of them.
    Delete them all.

    Then I forced replication. If there were Sites configured, I juggled around
    the servers and subnet objects so all of the servers are now in one site,
    then I forced replication (so I didn't have to wait for the next site
    replication schedule). Once I've confirmed that replication occurred, and the
    zones no longer existed in either the Domain NC or DomainDnsZones, then I
    changed the zone on the first server back to AD Integrated, choosing the
    middle button for its replication scope (which puts it in the
    DomainDnsZones app partition). Then I went to the other servers and changed
    the zone to AD Integrated choosing the same replication scope. Then I reset
    the sites and subnet objects, and everything was good to go.

    Keep in mind, I left the _msdcs... zone alone, since that wasn't causing any
    problems and is located in the ForestDnsZones (default) in all of my client
    cases I've come across with so far.

    It seems like a lot of steps, but not really. Just read it over a few times
    to get familiar with the procedure. You may even want to change it into a
    numbered step by step list if you like. If you only have one DC, and one
    Site, then it's much easier since you don't have to mess with secondaries or
    play with the site objects.

    I hope that helps!
    ==================================================================

    Ace
     
    Ace Fekay [MCT], Jul 22, 2009
    #23
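    As an added, read-only check (not part of Ace's post or of any Microsoft tool), the PowerShell below walks the CN=MicrosoftDNS container in each of the three partitions Ace describes (DomainNC, DomainDnsZones, ForestDnsZones), reports any zone found in more than one of them, and lists the "CNF:" and "..InProgress.." conflict objects, so you can confirm a duplicate exists before touching anything in ADSI Edit. It assumes it is run on a DC (or a box with the AD tools) using the built-in [ADSI]/DirectorySearcher .NET classes, and treats a partition it cannot bind to as missing rather than failing.

```powershell
# Added example, not from the thread: read-only inventory of AD-integrated
# zones in the three partitions Ace describes, flagging duplicates and
# replication-conflict objects. Nothing is deleted here; decide first, then
# remove objects with ADSI Edit as the post describes.
# Assumes System.DirectoryServices is available via the [ADSI] accelerator.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext     # e.g. DC=child,DC=contoso,DC=com
$forestDn = [string]$rootDse.rootDomainNamingContext  # e.g. DC=contoso,DC=com

# Where each zone replication scope stores its dnsZone objects.
$partitions = @{
    'DomainNC (all DCs in the domain, Win2000 compatible)' = "CN=MicrosoftDNS,CN=System,$domainDn"
    'DomainDnsZones (all DNS servers in the domain)'        = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
    'ForestDnsZones (all DNS servers in the forest)'        = "CN=MicrosoftDNS,DC=ForestDnsZones,$forestDn"
}

$zonesByName = @{}   # zone name -> list of partitions it was found in
$conflicts   = @()   # CNF:<guid> and ..InProgress.. objects

foreach ($label in $partitions.Keys) {
    $path = "LDAP://" + $partitions[$label]
    $reachable = $false
    try { $reachable = [ADSI]::Exists($path) } catch { $reachable = $false }
    if (-not $reachable) {
        # A missing application partition (this thread's original symptom) lands here.
        Write-Warning "Cannot bind $label at $($partitions[$label])"
        continue
    }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]$path
    $searcher.Filter      = '(objectClass=dnsZone)'
    $searcher.SearchScope = 'OneLevel'
    [void]$searcher.PropertiesToLoad.Add('name')

    foreach ($result in $searcher.FindAll()) {
        $name = [string]$result.Properties['name'][0]
        # A replication collision renames the losing copy to "<zone>\0ACNF:<guid>";
        # "..InProgress.." is left behind by an unfinished scope change.
        if ($name -match 'CNF:' -or $name -match 'InProgress') {
            $conflicts += "[$label] $name"
            continue
        }
        if (-not $zonesByName.ContainsKey($name)) { $zonesByName[$name] = @() }
        $zonesByName[$name] += $label
    }
}

'== Zones present in more than one partition (duplicates) =='
foreach ($zone in $zonesByName.Keys) {
    if (@($zonesByName[$zone]).Count -gt 1) {
        "  $zone -> " + ($zonesByName[$zone] -join '; ')
    }
}
'== Conflict / in-progress objects (review before removing) =='
$conflicts | ForEach-Object { "  $_" }
```

    Run it on each DC that hosts DNS and compare the output: a zone listed under two partitions is exactly the duplicate the post describes, and a partition that cannot be bound is the missing-partition case this thread started with.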
  4. Spin

    Chris Dent Guest

    > I would just suggest for DC2 to point to itself in the first entry, and the partner DC as its second entry.

    I would leave them both pointing at DC1 until any potential replication
    failures are resolved, otherwise DC2 won't be able to locate DC1 within
    its own version of the zone.


    Chris
     
    Chris Dent, Jul 22, 2009
    #24
  5. Good point, since DC1 is the 'working' one at this time.

    Ace
     
    Ace Fekay [MCT], Jul 22, 2009
    #25
  6. NO, DO NOT USE SECONDARIES. AD Integrated zones are already part of the AD database. You must set the scope on ONLY ONE DC and let replication happen. Go to lunch or do something for a while, and the zone will automatically appear on the other DC by itself. If you try to manually create it, or create a secondary, you will cause more problems and create additional duplicates. Now I see why you have duplicates. You must have done something similar in the past. Be patient, please.

    Look under DomainNC, DomainDnsZones and ForestDnsZones.
    I thought my instructions were clear?
    In the console tree, right-click ADSI Edit, and then click Connect to.
    Click Select or type a Distinguished Name or Naming Context, type the following text in the list, and then click OK: DC=DomainDNSZones,DC=contoso,DC=com.


    YES, delete anything with those prefixes. They are your duplicates.


    Yes, Sites and Services, or just let it happen.

    Ace
     
    Ace Fekay [MCT], Jul 23, 2009
    #26
  7. Spin

    Chris Dent Guest

    Your replication scope indicates that your data is stored in
    ForestDNSZones rather than DomainDNSZones. Could you verify you can
    connect to ForestDNSZones as well?

    Does it allow you to change the replication scope to All Domain
    Controllers in the AD Domain? That moves it back into the Domain NC
    which isn't ideal but it would be good to know if it works.

    Chris
     
    Chris Dent, Jul 23, 2009
    #27

  8. If you added it correctly, and the zone is in the ForestDnsZones replication scope, then there shouldn't be anything in it.

    btw - How are you posting? Are you creating new threads each time? Or are you hitting Reply when posting. Normally when replying, a newsreader, and even Techarena, will put in an arrow in front of the previous post. However, I've been finding it difficult to read your responses because I'm not seeing the arrow (">") in front of the post that you are quoting, which makes it appear as if I'm seeing my previous post intermixed with your responses. So it's difficult to read.

    Ace
     
    Ace Fekay [MCT], Jul 23, 2009
    #28
  9. Is your domain name hbrpaw.hbr-inc.com?
    No idea. Not familiar with Techarena, but this one seems better, but then again, I don't see my post in it, but I assume this is the better method. Techarena poses a challenge if you read the posts in the Microsoft Newsgroups. The posts from Techarena actually post to the newsgroups, and posts from here go to there. That's their source. But the way the web interface works, is probably what was causing the problem. Many find that using an actual newsreader is much better. It's free, and you don't have to log in.

    Ace
     
    Ace Fekay [MCT], Jul 24, 2009
    #29

  10. Actually, just to update, I did notice that your post showed up normally this time as a "normal" reply. So we both learned something about Techarena!

    :)
     
    Ace Fekay [MCT], Jul 24, 2009
    #30
  11. Spin

    Chris Dent Guest

    Not really, it was to see if there was an issue moving it from the
    current ForestDNSZones NC rather than there being a problem moving it to
    the DomainDNSZones NC.

    I guess it still refuses to let you move it into the DomainDNSZones
    partition?

    We could potentially delete the DomainDNSZones partition and recreate
    it, however it's worth noting that doing so is not supported. Happy to
    go ahead with that anyway?

    Unless Ace has any alternatives?

    Chris
     
    Chris Dent, Jul 24, 2009
    #31

  12. If that domain name wasn't misspelled while adding it, then I am assuming that the partition doesn't exist. I assume you ran this while logged on as the enterprise admin?

    Create the default DNS application directory partitions: Domain ...Jan 21, 2005
    http://technet.microsoft.com/en-us/library/cc739505(WS.10).aspx

    Ace
     
    Ace Fekay [MCT], Jul 24, 2009
    #32

  13. It appears from his latest post, the DomainDnsZones partition doesn't exist, when trying to add it in ADSI Edit. I forgot to ask him if that's true with the ForestDnsZones partition. So if that's the case, create one. :)

    Ace
     
    Ace Fekay [MCT], Jul 24, 2009
    #33
  14. Spin

    Chris Dent Guest

    Ignore recreating DomainDNSZones, that only applies if we can find an
    existing but broken instance. For some reason I was under the impression
    that was working on DC1. Sorry about that.

    The DomainDNSZones sub-folder / sub-domain you see (or wanted to see)
    under your Forward Lookup Zone is used to store a list of servers which
    have enlisted the partition (in this case every DC in your domain which
    is running the DNS service). Creating the sub-domain and associated
    records wouldn't make the partition appear.

    The event log errors aren't really very encouraging. Which DC are they
    refusing to talk to?

    You also mentioned a problem with the Domain Naming Master. Where is that?

    I still think the full output from DCDiag would be beneficial.

    Chris
     
    Chris Dent, Jul 24, 2009
    #34
  15. Spin

    Chris Dent Guest

    Do the tombstone warnings appear for both DCs in your domain? Or is this
    only DCDiag from the second DC?

    If they both show this we will have to look at reducing the
    restrictions on replication with tombstoned DCs on the DCs in the root
    domain. I doubt you want to rebuild your domain after all.

    If only one shows that issue I'd ditch that DC and build a new one,
    cleaning any references to it out using NTDSUtil.

    Chris
     
    Chris Dent, Jul 24, 2009
    #35

  16. Follow the Metadata Cleanup procedure in the following link to remove PVB1
    from the AD database.
    http://support.microsoft.com/kb/216498

    Then delete the PVB1 server object from Sites and Services.

    It looks to me, that PAWDC1 is the good one. How many other DCs do you have?

    Let's clean out PVB1 first before creating any partitions.

    Ace
     
    Ace Fekay [MCT], Jul 25, 2009
    #36

  17. To create a ForestDnsZones partition, you would need to be Enterprise Admin
    (EA). How to log on as the EA while on a child domain controller? Simply log
    on to the DC as EA by typing in administrator, the password, and in the
    dropdown box for the domain, choose hbr-inc (if that is the NetBIOS domain
    name).

    Ace
     
    Ace Fekay [MCT], Jul 25, 2009
    #37
  18. Spin

    Chris Dent Guest

    The domain that no longer exists wasn't the forest root domain was it?

    Chris
     
    Chris Dent, Jul 25, 2009
    #38

  19. Certainly hope not!

    Ace
     
    Ace Fekay [MCT], Jul 25, 2009
    #39
  20. Spin

    Chris Dent Guest

    In my opinion your next steps should be:

    1. Clear out any dead DCs from the domain (refer to
    http://technet.microsoft.com/en-us/library/cc781245(WS.10).aspx)
    2. Clear out any dead / orphaned domains from the forest (refer to
    http://technet.microsoft.com/en-us/library/cc781245(WS.10).aspx)
    3. Account for all FSMO Roles (so you know where they are. "netdom query
    fsmo" will do in each domain)
    4. Check which servers are Global Catalogs (just to make sure)
    5. Check DNS configuration (make sure all DCs can access a working DNS
    server. It doesn't matter if that's the local DNS service on the DC or
    not, as long as it works.)
    6. Check replication on all DCs (RepAdmin / DCDiag / Event Logs)

    Only after those steps are complete would I think about attempting to
    create DomainDNSZones. From the errors you've been bumping into by the
    time you finish the above you should be able to create it.

    Chris
     
    Chris Dent, Jul 27, 2009
    #40