Repost: Missing ForestDNSZones and DomainDNSZones partitions under child AD 2003 domain

Discussion in 'DNS Server' started by Spin, Apr 28, 2006.

  1. Spin

    Chris Dent Guest

    PAWDC1 is the server you're trying to remove?

    You will need to run remove selected server while connected to (using
    connections, connect to server <someserver>) an active Domain Controller
    (one that works perfectly) either as a Domain Admin within the same
    domain as PAWDC1 or as an Enterprise Admin.

    I was under the impression that PAWDC1 no longer existed? Are you going
    to rebuild it after this? It won't be able to talk to the domain without
    some work, a rebuild is the neatest way.

    Chris Dent, Jul 27, 2009
    1. Advertisements

  2. Spin

    Chris Dent Guest

    Okay, that's good then :) You were running the command with an
    Enterprise Admin account?
    There's nothing wrong with DNS, but DNS is very simple. Your problems
    lie in AD where you're trying to get DNS to store and replicate it's data.

    Your diagnostic reports earlier had a significant number of errors.
    Putting the forest into a state where it isn't continually upset carries
    high priority for me, with those there as well it becomes extremely
    difficult to pick out the real issue from the deluge of older errors.

    Chris Dent, Jul 27, 2009
    1. Advertisements

  3. This looks a lot better. You had me worried for a sec, when I looked at the
    previous dcdiag.

    Run dcdiag on the other DCs, too. If clean, then sure, give it a shot now.

    Ace Fekay [MCT], Jul 28, 2009
  4. Spin

    Chris Dent Guest

    That looks wonderful :)

    So where are we up to. ForestDNSZones is replicating properly? Does it
    still refuse to create DomainDNSZones?

    Chris Dent, Jul 28, 2009
  5. Spin

    Chris Dent Guest

    At the moment everything is pointing to the same DNS server (the current
    working version)?

    Can you manually verify whether or not exists
    (_msdcs folder)? If it does, which DC does it point to?

    And is it still troubled about the Domain Naming Master? Where is that
    hosted at the moment if you run "netdom query fsmo"?

    Chris Dent, Jul 28, 2009
  6. Are there any firewall rules blocking traffic between the DCs?

    Ace Fekay [MCT], Jul 28, 2009
  7. Spin

    Chris Dent Guest

    Take out of the IP configuration for now?

    Getting rid of the Kerberos failures is certainly a good thing.

    How are the Event Logs doing these days? Any errors being generated in
    Directory Service / DNS?

    Chris Dent, Jul 29, 2009
  8. Spin

    Chris Dent Guest

    This is going to be a stupid question.....what do you mean "Take out of the IP configuration for now"? Do you mean remove it
    from being a DNS server??

    I mean remove references to it from TCP/IP configuration (network
    adapter properties).
    Since the other DCs are fine, are we able to demote PAWDC?

    I would like to know if it still suffers from Event ID 482 after
    demotion (then ideally a rebuild) and promotion.

    Given that it needs to be able to modify that attribute to enlist the
    ForestDNSZones partition it does go a fair way to explaining why it's
    not had much luck.

    Chris Dent, Jul 29, 2009
  9. Spin

    Chris Dent Guest

    The issues with DNS replication stem from your problems in AD.
    Is VCServer online and happy?

    Chris Dent, Jul 29, 2009

  10. Actually it would, because the Schema and Config container replicate forest

    I thought you were going to demote PAWDC2?

    Ace Fekay [MCT], Jul 30, 2009

  11. You can leave those services on the server. It will just become a member
    server, and you will still be able to access files, etc. Just make sure you
    change the DNS address on it to another DC first, and not pointing to
    itself. DNS on it will be useless because the zone is AD integrated,
    therefore because it is no longer a DC, it will not load the AD integrated
    zone. No problem there, other than making sure no other machine is using it
    as a DNS server.

    Will you be re-promoting it?

    Ace Fekay [MCT], Jul 31, 2009
  12. How long did you wait before you re-promoted it?

    If you waited enough time to allow the information that removed DC is gone
    to replicate, then you should be fine.

    Are there any time issues or anything else in the event viewer?

    Are there any services disabled?


    Ace Fekay [MCT], Jul 31, 2009

  13. Hmm, so there are time errors. When you look at the clock on this machine,
    and the clock on the PDC Emulator, how far off is the time compared to each
    other? Keep in mind, it can be no more than 5 minutes.

    Which machine is

    If I'm reading this correctly, the time errors could be the root cause of
    all the problems. Just to double check (because this thread is so large that
    it's difficult to go back and read through it to double check), there are no
    firewalls blocks between the new DC and the other DCs, right?

    Follow the following procedure. Make sure theer are no firewall ports are
    blocked, and you have inbound UDP 123 allowed to go from the outside world
    to the DC holding the PDC Emulator role. Follow the procedure below first on
    the PDC Emulator (whcih will reset the time service), and then follow the
    section to set the time service on the newly promoted machine (where it says
    On Other DCs).

    Before you do that, read the following link to see if any of the poster's
    scenarios are similar to what you have going on.

    Configuring the time service on your PDC FSMO role holder
    by Ace Fekay, MCT, MCTS Exchange 2007, MCSE & MSCA 2003, MCSA Messaging
    Updated 7/12/2009

    To set the time service in an existing domain:

    On the DC with the PDCEmulator FSMO:

    w32tm /config /manualpeerlist: /syncfromflags:manual
    /reliable:yes /update
    net stop w32time
    net start w32time

    On other DCs (that are not the PDC Emulator):
    w32tm /config /syncfromflags:domhier /update
    net stop w32time
    net start w32time


    If you move the PDC Emulator to another DC:

    On the new PDCEmulator (where 'peers' is an Internet time source such as
    w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes

    On the old PDCEmulator:
    w32tm /config /syncfromflags:domhier /update

    After that run the following on both DCs:
    net stop w32time
    net start w32time


    The "peers" can be a text file, or direct input, allowing you to set the
    time source, either DNS name
    such as (, or an ip address for a reliable time source. I
    normally use
    On your edge firewall, make sure UDP port 123 traffic is allowed inbound
    from the time source.

    Here you can find some time sources at this link:
    The project is a big virtual cluster of timeservers striving to
    provide reliable and easy to use NTP service for millions of clients without
    putting strain on the big popular timeservers.

    If some domain machines have problems

    w32tm /config /syncfromflags:domhier /update

    After that run:
    net stop w32time
    net start w32time

    Some links to read up on:

    Time Service:

    How to configure an authoritative time server in Windows Server 2003

    Change the Windows Time service configuration on the previous PDC emulator

    Ace Fekay [MCT], Jul 31, 2009
  14. That's fine, you can use I've been using, as well as many
    others,, and it's reliable. It's a gov time server in
    Washington, DC. There are others, as well. Here's a list of US Gov and other
    NIST time servers:

    A list of the Simple Network Time Protocol (SNTP) time servers ...This
    article describes the Simple Network Time Protocol (SNTP) time servers that
    are available on the Internet.

    How to tell if UDP is blocked? Setup the time service on the PDC emulator as
    I've posted how, and look for any w32time errors in the event logs on the
    PDC emulator. If none, it's working. Either way, I think it would be
    beneficial to configure your time hierarchy for the forest.

    Ace Fekay [MCT], Aug 1, 2009

  15. Sorry, I should have read this first before replying to the other one. This
    looks good. These are informational, and are not errors. This will insure
    all DCs are synched. Client machines will automatically look for the
    hierarchy to synch time.

    Ace Fekay [MCT], Aug 1, 2009
  16. PAW2 was the one you just repromoted?

    These are indicative of DNS or replication issues. They can also be
    indicative of issues with DFS services (whether using it or not). Read

    Event ID 1058 Source Userenv1. dfsutil /purgemupcache (dfsutil.exe is in the
    Windows 2003 Support Tools). ... As stated previously, dfsutil
    /PurgeMupCache also solved my 1058 problems. ...

    Ace Fekay [MCT], Aug 1, 2009

  17. Ok, I'm just trying to keep track!

    Try that dfsutil command and see if it works. No harm in trying.

    Ace Fekay [MCT], Aug 2, 2009

  18. Did you try to follow the repair suggestions in the message?
    Ace Fekay [MCT], Aug 2, 2009

  19. Do you have a reverse zone created for all of your subnets?

    It's possible the replication scope error in the other post may be causing

    Good to hear the 1058's are gone.

    Ace Fekay [MCT], Aug 2, 2009
  20. So if it can't contact the DNM, then no use rerunning dcpromo. Obviously
    there's a communication issue. It really smells like a firewall issue,
    unless the routers have the default MTU lowered from 1500, which will cause
    LDAP communication problems. Such MTUs lower than 1500 are usually on ADSL
    lines, but I don't rememeber you having such a line. I've seen some VPN
    routers with altered MTUs that caused problems. I had one customer years ago
    with a SonicWall that after an IOS upgrade, AD replication took a dive. It
    took me two days to figure out what happened when I finally asked what
    occured prior to the replication issue, which was when the customer told me
    they had upgraded one firewall. Ouch! We wound putting on the old image, and
    replication kicked off with no problems.

    Check all of your routers and VPNs, please.

    Also, run portquery on each DC between each DC to make sure all ports are

    New features and functionality in PortQry version 2.0Dec 15, 2003 ... This
    article discusses the new features and functionality that are available in
    PortQry Command Line Port Scanner version 2.0.

    Download details: PortQry Command Line Port Scanner Version 2.0Dec 11, 2003
    .... Download PortQryV2.exe, a command-line utility that you can use to help
    troubleshoot TCP/IP connectivity issues. Portqry.exe runs on Windows ...

    Ace Fekay [MCT], Aug 3, 2009
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.