DNS calling Domain Naming Master?

 
 
Sean Siler
Guest
Posts: n/a
 
      8th Jun 2004
I have a network with multiple domains, each of them behind their own
firewall. (Don't ask. It's ugly.) We only allow IPSec through the FW, and
have set up IPSec policies between two DCs in each domain and the Forest
Root. Everything works like a champ.

When a domain administrator from domain X attempted to add a new DC,
everything went well, replicating AD from the DC on his side of the
firewall. When he attempted to make the DC a DNS server, though, things
fell apart.

The DNS server log is getting a bunch of errors such as:
The DNS server detected that it is not enlisted in the replication scope of
the directory partition DomainDnsZones.subdomain.root.com. This prevents the
zones that should be replicated to all DNS servers in the subdomain.root.com
domain from replicating to this DNS server.

and

The DNS server was unable to connect to the domain naming FSMO
DC.subdomain.root.com. No modifications to Directory Partitions are possible
until the FSMO server is available for LDAP connections.

I am at a loss as to why the DNS server needs to contact the Domain Naming
Master. I assume this is necessary for it to enlist in the zone, but I have
never read this anywhere. Has anyone else?

Comments are greatly appreciated.

Thanks.

--
Sean Siler
MCSE (NT, 2000, 2003), MCT
(E-Mail Removed)


 
 
 
 
 
Ace Fekay [MVP]
Guest
Posts: n/a
 
      9th Jun 2004
In news:(E-Mail Removed),
Sean Siler <(E-Mail Removed)> posted their thoughts, then I offered mine
> I have a network with multiple domains, each of them behind their own
> firewall. (Don't ask. It's ugly.) We only allow IPSec through the
> FW, and have set up IPSec policies between two DCs in each domain and
> the Forest Root. Everything works like a champ.
>
> When a domain administrator from domain X attempted to add a new DC,
> everything went well, replicating AD from the DC on his side of the
> firewall. When he attempted to make the DC a DNS server, though,
> things fell apart.
>
> The DNS server log is getting a bunch of errors such as:
> The DNS server detected that it is not enlisted in the replication
> scope of the directory partition DomainDnsZones.subdomain.root.com.
> This prevents the zones that should be replicated to all DNS servers
> in the subdomain.root.com domain from replicating to this DNS server.
>
> and
>
> The DNS server was unable to connect to the domain naming FSMO
> DC.subdomain.root.com. No modifications to Directory Partitions are
> possible until the FSMO server is available for LDAP connections.
>
> I am at a loss as to why the DNS server needs to contact the Domain
> Naming Master. I assume this is necessary for it to enlist in the
> zone, but I have never read this anywhere. Has anyone else?
>
> Comments are greatly appreciated.
>
> Thanks.


In a mixed mode or Win2000 Mode environment with W2k3 DCs, which apparently
you seem to have here, the Domain Name Master must be moved off the W2k DC to a
W2k3 DC or you'll get these errors. I've seen it once before in this
scenario. Here you go, read up on it:

http://www.microsoft.com/resources/d...ir_Storage.asp

To eliminate the URL wrap, use this link:
http://tinyurl.com/2n5zl

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================


 
 
Sean Siler
Guest
Posts: n/a
 
      9th Jun 2004
Actually, every DC in the Forest is 2003, although the Forest is in 2000
mode.

I'll check out the link, though.

Thanks for the response.

-Sean





 
 
Ace Fekay [MVP]
Guest
Posts: n/a
 
      10th Jun 2004
In news:%(E-Mail Removed),
Sean Siler <(E-Mail Removed)> posted their thoughts, then I offered mine
> Actually, every DC in the Forest is 2003, although the Forest is in
> 2000
> mode.
>
> I'll check out the link, though.
>
> Thanks for the response.
>
> -Sean



No problem. Maybe if all your servers are W2k3, then raising the domain and
forest levels would be prudent.
--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================


 
 
Ace Fekay [MVP]
Guest
Posts: n/a
 
      10th Jun 2004
In news:%(E-Mail Removed),
Sean Siler <(E-Mail Removed)> posted their thoughts, then I offered mine
> Actually, every DC in the Forest is 2003, although the Forest is in
> 2000
> mode.
>
> I'll check out the link, though.
>
> Thanks for the response.
>
> -Sean
>


Just to add, are there possibly any servers still in AD that were not
removed properly that were W2k machines?

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================


 
 
Sean Siler
Guest
Posts: n/a
 
      12th Jun 2004
It's a brand new forest. Not a migration, but from the ground up, brand
new. I build every server from scratch. Nope, they are all 2003, and
always have been. (Don't even have any workstations. Really. It's 100%
2003.)

Thanks for the good info!

-Sean Siler





 
 
Ace Fekay [MVP]
Guest
Posts: n/a
 
      16th Jun 2004
In news:(E-Mail Removed),
Sean Siler <(E-Mail Removed)> posted their thoughts, then I offered mine
> It's a brand new forest. Not a migration, but from the ground up,
> brand new. I build every server from scratch. Nope, they are all
> 2003, and always have been. (Don't even have any workstations.
> Really. It's 100% 2003.)
>
> Thanks for the good info!
>
> -Sean Siler



Hmm, that is strange. And I wouldn't assume functional level may have
something to do with it.

Good luck!

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
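
A diagnostic sequence for the two DNS events quoted in this thread, added here as an example and not posted by either participant: it finds the domain naming master, tests the LDAP connection the second event complains about, and retries enlistment in the partition named in the first. It assumes a PowerShell version that has Test-NetConnection (newer than the Windows Server 2003 systems discussed) and that dnscmd is installed; the partition name is the placeholder from the event text.

```powershell
# Added example: run on the DC/DNS server that logged the events.
# Partition name is the one quoted in the event text; adjust for your domain.
$partition = 'DomainDnsZones.subdomain.root.com'

# 1. Identify the forest-wide domain naming master (the FSMO named in the event).
$forest       = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$namingMaster = $forest.NamingRoleOwner.Name
Write-Output "Domain naming master: $namingMaster"

# 2. Test the LDAP connection from this server to that role holder.
#    In the thread's setup only IPSec between specific DCs passes the
#    firewall, so a DC outside that policy would fail this test.
$ldap = Test-NetConnection -ComputerName $namingMaster -Port 389 `
            -WarningAction SilentlyContinue

if (-not $ldap.TcpTestSucceeded) {
    Write-Output ("TCP 389 from {0} to {1} failed: fix the firewall/IPSec " +
                  "path before retrying enlistment." -f $env:COMPUTERNAME, $namingMaster)
}
else {
    # 3. List the DNS application directory partitions and this
    #    server's enlistment state for each of them.
    dnscmd /EnumDirectoryPartitions

    # 4. Retry enlistment of this DNS server in the domain-wide partition.
    dnscmd /EnlistDirectoryPartition $partition
    if ($LASTEXITCODE -ne 0) {
        Write-Output "Enlistment failed (dnscmd exit code $LASTEXITCODE); check the DNS event log."
    }
    else {
        Write-Output "Enlistment requested for $partition; confirm with /EnumDirectoryPartitions."
    }
}
```

On systems without PowerShell, `netdom query fsmo` reports the same role holder and the two `dnscmd` calls are unchanged.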


 