Repost: Missing ForestDNSZones and DomainDNSZones partitions under child AD 2003 domain

Discussion in 'DNS Server' started by Spin, Apr 28, 2006.

  1. If we can clear this up using the newsgroups, and udpquery shows there are
    no ports blocked or not responding, and firewalls and VPNs check clean,
    knowing this is important for your production network, I must say that it
    may be time to call Microsoft PSS to remote in and take care of it for you.
    With all due respect, this thread is pretty large, and without remoting in
    on my part or anyone else offering to remote in to take a first hand look,
    it may really be beneficial to call them to get it fixed. They only charge
    USD $250 for the support call during the week, and will take as long as they
    need for the one charge to fix it.

    I think it's an option you'll need to consider at this point.

    Ace Fekay [MCT], Aug 3, 2009
  2. You are welcome, so far. It's been weeks, and I'm sure you want to resolve

    I assume the Source name is Userenv. The 1054's can be cleaned up with
    dfsutil /purgemupcache. This utility is part of the support tools.

    Ace Fekay [MCT], Aug 4, 2009
  3. I haven't heard from you in awhile. Apparently from the results you've
    posted, there's a block going on with the firewalls and/or VPN, or the local
    machines. Did you say you checked the firewalls and VPN filters to ensure
    they allow 'any - any' between all locations? And also, there is no local
    firewall installed or some other security or antivirus app installed that
    could be blocking the traffic? Possibly an IPSec rule somewhere either
    locally or in a GPO?


    Ace Fekay [MCT], Aug 17, 2009

  4. It appears there is a block going on. Sometimes the networking group who
    control the routers and firewalls, and who may not be familiar with AD,
    will believe they have everything opened, but not necessarily so. It is
    unfortunate in a larger company this occurs when departments are subdivided
    and you can't see for yourself. Ask if they can provide a report for the
    firewalls in question.

    You should also be looking at other ports, such as 135, 389, 3268, etc. Keep
    in mind, there are over 29 ports that AD needs for communications, not
    including the ephemeral service response ports of UDP 1023 + (the whole UDP
    1023 and above range needs to be opened - or the DCs can't communicate).

    I hope the following links will help:

    Active Directory Replication over Firewalls, Jan 31, 2006. Active Directory
    relies on remote procedure call (RPC).

    How to configure a firewall for domains and trusts.

    Configuring an Intranet Firewall, Apr 14, 2006. Protocol ports required for
    the intranet firewall.

    Ports required for Active Directory and Kerberos communications.

    Ace Fekay [MCT], Aug 18, 2009
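    The post above says to verify that the firewalls really pass the AD ports
    between sites rather than taking the network team's word for it. The script
    below is an added example, not something posted in this thread: it attempts
    a plain TCP connect to each well-known AD port on a DC and reports which ones
    are blocked or not listening, so you can hand the network group a concrete
    list instead of a vague "replication is broken". The port table is an
    assumption limited to services named in this thread (RPC endpoint mapper,
    LDAP, Global Catalog, DNS, Kerberos) plus SMB for SYSVOL; the full list AD
    needs is longer, and the dynamic RPC/UDP high ports are not checked here.
    The demo helper opens a local listener so the logic can be exercised without
    touching a real DC.

```python
import socket
from contextlib import closing

# Assumption: TCP ports for the services named in the thread (and SMB for SYSVOL).
# This is not the complete list AD needs; the ephemeral RPC/UDP ranges are out of scope.
AD_TCP_PORTS = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    389: "LDAP",
    445: "SMB (SYSVOL / netlogon share)",
    3268: "Global Catalog LDAP",
}


def check_tcp_port(host, port, timeout=2.0):
    """Return True if a TCP connect to host:port completes within timeout.

    A refused connection (nothing listening) and a silent timeout (typically a
    firewall dropping the SYN) both come back as False; the caller can tell them
    apart by timing if needed, but for a go/no-go report both mean 'not usable'.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return True
        except OSError:
            return False


def check_dc_ports(host, ports=AD_TCP_PORTS, timeout=2.0):
    """Probe every port in `ports` on `host`; returns {port: reachable_bool}."""
    return {port: check_tcp_port(host, port, timeout) for port in ports}


def blocked_ports(results, ports=AD_TCP_PORTS):
    """Turn a check_dc_ports() result into a sorted list of (port, service) that failed."""
    return sorted((port, ports.get(port, "?")) for port, ok in results.items() if not ok)


def format_report(host, results, ports=AD_TCP_PORTS):
    """One line per port, suitable for pasting into a ticket for the firewall team."""
    lines = [f"TCP port check against {host}:"]
    for port in sorted(results):
        state = "open" if results[port] else "BLOCKED/not listening"
        lines.append(f"  {port:>5}/tcp  {ports.get(port, '?'):<30} {state}")
    return "\n".join(lines)


def demo_with_local_listener():
    """Self-contained demonstration: one port that listens, one that does not.

    Returns (reachable_open_port, reachable_closed_port), expected (True, False).
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as listener:
        listener.bind(("127.0.0.1", 0))          # OS picks a free port
        listener.listen(1)
        port = listener.getsockname()[1]
        reachable_open = check_tcp_port("127.0.0.1", port, timeout=2.0)
    # listener is closed now, so the same port should be refused
    reachable_closed = check_tcp_port("127.0.0.1", port, timeout=2.0)
    return reachable_open, reachable_closed


if __name__ == "__main__":
    # Example usage against a real DC (hostname is a placeholder):
    #   results = check_dc_ports("PAW2")
    #   print(format_report("PAW2", results))
    #   print("blocked:", blocked_ports(results))
    print("loopback demo (open, closed):", demo_with_local_listener())
```

    Run it from a DC in one site against a DC in the other, and then in the
    reverse direction; a port that is open one way and blocked the other is
    exactly the kind of asymmetric rule the post warns about.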

  5. Port 42 is WINS. If the DC doesn't have WINS installed, it won't be
    listening. Now they appear to be listening? I thought earlier that PAW2
    wasn't listening on some ports?

    Let's go back to square one. This thread has grown so large, when trying to
    go back through it, it's difficult to read the whole thing to review what
    we've gone over. Therefore...

    Are you still seeing any errors in the event logs? If so, post them, please.

    Re-run the dcdiag and netdiag on your servers. Post only the errors, please.

    Ace Fekay [MCT], Aug 19, 2009

  6. I can't see any highlights, since the newsgroups are text only. However, if
    you are referring to the 'records are different...' messages, I wouldn't
    worry about them. It's default behavior with AD integrated zones. It's an
    indication there are multiple DC/DNS servers in the domain. This is because
    AD integrated DNS zones use the multi-master model, meaning each DC
    is authoritative for the zone, so any changes made on any specific DC in DNS,
    now becomes the SOA and replicates that, then as soon as another makes a
    change, it becomes the SOA, etc.

    Ace Fekay [MCT], Aug 22, 2009

  7. So the DC is not replicating, still. Darn.

    Check the time between all DCs to see if they are under 5 minutes of each
    other, with respect to time zones, of course.

    How about the event logs on all the DCs?

    Try these tools, please:

    repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt

    ntfrsutl ds PAW2 > c:\sysvol.log
    (run for each DC)

    Post the results, please. Attach them to your post.

    If you can, go into Sites and Services, for each connection object under
    each server, right-click, replicate now. Which ones error out? Keep in mind,
    when you select to replicate now, it's pull request from whatever other
    server the connection object is connected to.

    Also, re-run an ipconfig /all for each DC, put them into one notepad and
    attach it.

    On another note, it's starting to get difficult to get a wide open view of
    your infrastructure, the DNS scope settings, SRV settings, etc. If possible,
    I would like to remote in to take a look at everything to get a better first
    hand picture. If I can't get it to work within 30 minutes, I would suggest
    to call Microsoft PSS for further help. Also, I can't guarantee anything. If
    you are not comfortable with that, I would suggest to call Microsoft PSS
    anyway at this point to allow them to remote in and assist you with this.
    Ace Fekay [MCT], Aug 22, 2009
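    The post above asks for the output of repadmin /showrepl from every DC, and
    an earlier post asks for only the errors to be posted. Reading a verbose
    /showrepl dump for several DCs by hand is tedious, so the script below is an
    added example (not code from this thread) that parses that output, lists
    each inbound naming context whose last attempt failed together with the
    partner, the result code, the error text and the consecutive failure count,
    and flags any expected partition (for instance ForestDnsZones or
    DomainDnsZones, the ones missing in the thread title) that does not appear
    at all. The sample text is constructed to mimic the repadmin format; the DC
    and domain names, GUIDs and error codes in it are made up for illustration,
    not taken from the poster's environment.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of `repadmin /showrepl <dc> /verbose` output.
# Names, GUIDs and timestamps are invented; they do not describe the thread's network.
SAMPLE_SHOWREPL = r"""Default-First-Site-Name\PAW2
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 11111111-1111-1111-1111-111111111111
DSA invocationID: 22222222-2222-2222-2222-222222222222

==== INBOUND NEIGHBORS ======================================

DC=child,DC=example,DC=com
    HQ-Site\DC1 via RPC
        DSA object GUID: 33333333-3333-3333-3333-333333333333
        Last attempt @ 2009-08-22 10:15:02 was successful.

DC=ForestDnsZones,DC=example,DC=com
    HQ-Site\DC1 via RPC
        DSA object GUID: 33333333-3333-3333-3333-333333333333
        Last attempt @ 2009-08-22 10:15:03 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        14 consecutive failure(s).
        Last success @ 2009-08-01 09:00:00.

DC=DomainDnsZones,DC=child,DC=example,DC=com
    HQ-Site\DC1 via RPC
        DSA object GUID: 33333333-3333-3333-3333-333333333333
        Last attempt @ 2009-08-22 10:15:03 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
        14 consecutive failure(s).
        Last success @ 2009-08-01 09:00:00.
"""


@dataclass
class ReplFailure:
    partition: str      # naming context, e.g. DC=ForestDnsZones,DC=example,DC=com
    partner: str        # source DSA, e.g. HQ-Site\DC1
    result_code: int    # Win32 result from the "failed, result NNNN" line
    message: str        # indented error text on the following line
    consecutive: int = 0


def _indent(raw):
    return len(raw) - len(raw.lstrip(" "))


def parse_showrepl(text):
    """Return a ReplFailure for every inbound neighbor whose last attempt failed."""
    failures, partition, partner, current = [], None, None, None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("===="):                     # section banner
            section = "inbound" if "INBOUND" in line else "other"
            continue
        if section != "inbound":
            continue
        if _indent(raw) == 0 and line.startswith(("DC=", "CN=")):
            partition, partner, current = line, None, None
            continue
        if _indent(raw) == 4 and " via " in line:       # "<site>\<dc> via RPC"
            partner, current = line.split(" via ")[0], None
            continue
        m = re.match(r"Last attempt @ .* failed, result (\d+)", line)
        if m and partition and partner:
            current = ReplFailure(partition, partner, int(m.group(1)), "")
            failures.append(current)
            continue
        if current is not None:
            if _indent(raw) > 8 and not current.message:   # error text line
                current.message = line
                continue
            m = re.match(r"(\d+) consecutive failure", line)
            if m:
                current.consecutive = int(m.group(1))
    return failures


def inbound_partitions(text):
    """All naming contexts that have at least one inbound neighbor listed."""
    seen, section = [], None
    for raw in text.splitlines():
        if raw.startswith("===="):
            section = "inbound" if "INBOUND" in raw else "other"
        elif section == "inbound" and raw.startswith(("DC=", "CN=")):
            seen.append(raw.strip())
    return seen


def missing_partitions(text, expected):
    """Expected partitions with no inbound neighbor at all (never replicated in)."""
    seen = set(inbound_partitions(text))
    return [p for p in expected if p not in seen]


def errors_only(text):
    """Lines suitable for posting: one per failure, nothing about healthy partitions."""
    return [f"{f.partition} <- {f.partner}: result {f.result_code} "
            f"({f.message}), {f.consecutive} consecutive failure(s)"
            for f in parse_showrepl(text)]


if __name__ == "__main__":
    # Real usage: feed the saved file, e.g. open(r"c:\repl.txt").read()
    for line in errors_only(SAMPLE_SHOWREPL):
        print(line)
```

    Result 1722 (RPC server unavailable) and 8524 (DNS lookup failure) are the
    two codes to watch for in this situation: the first points at blocked RPC
    ports or the ephemeral range, the second at the DC being unable to resolve
    its partner's CNAME/SRV records, which is why the ipconfig /all and DNS
    scope details are asked for in the same post.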
