Replication failure

Guest

Hi,
we have a Windows 2000 domain.
The domain has a 'root' server and domain named xxx. The domain is a
single-label domain.
We have also am.xxx, as.xxx and eu.xxx domains.
All DCs are patched with the regkey from KB article 300684.
Now we have AD replication problems. And it seems that the root of the
problems is a DNS misconfiguration.
The DNS zone xxx. on the root server is different from the one on e.g. the
eu.xxx DCs.
The zone will not be replicated to the subdomains.
I don't know what the former admin has done here. I think he updated the
zone on the subdomains by hand.
All DCs in all subdomains have the root server as first DNS server in their
network properties. Therefore all DCs will register correctly to the DNS zone
on the root server, but it will not be replicated.

Any ideas what I can do?

Thanks
Florian
 
Kevin D. Goodknecht Sr. [MVP]

Florian Schalk said:
Hi,
we have a Windows 2000 domain.
The domain has a 'root' server and domain named xxx. The domain is a
single-label domain.
We have also am.xxx, as.xxx and eu.xxx domains.
All DCs are patched with the regkey from KB article 300684.
Now we have AD replication problems. And it seems that the root of the
problems is a DNS misconfiguration.
The DNS zone xxx. on the root server is different from the one on e.g.
the eu.xxx DCs.
The zone will not be replicated to the subdomains.
I don't know what the former admin has done here. I think he updated
the zone on the subdomains by hand.
All DCs in all subdomains have the root server as first DNS server in
their network properties. Therefore all DCs will register correctly to
the DNS zone on the root server, but it will not be replicated.

Any ideas what I can do?

Under Win2k, DNS replication does not extend past the domain NC partition.
What this means, zones on the root DC/DNS replicate only to DCs in the root
domain, not to any child domains.

You can resolve this by deleting the child subdomains on the root (xxx)
zone, then create delegations named am, as, and eu in the xxx zone, make
these delegations to their respective child DNS servers. Then on all the
child DNS servers forward to the xxx DNS server and check the box "Do not
use recursion" on the child forwarder tab.
An alternate to forwarding the child DNS servers to the root DNS server is
to create a secondary of the xxx (root) zone on all child DNS servers. This
makes all DNS servers in all domains capable of resolving all child domains
in addition to the root domain.


If this were Win2k3 and all DCs were Win2k3, you would set the root domain
zone to replicate to all DNS servers in the forest. But, under Win2k your
options are limited to my recommendations.
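
The delegation-plus-forwarder procedure from the answer above, written out for one child domain (am) as an added example that is not part of the original post. It assumes `dnscmd` from the Windows Support Tools is installed; the server addresses and the host name `dc1.am.xxx.` are hypothetical placeholders.

```bat
@echo off
rem Added example. ROOTDNS, CHILDDNS and CHILDHOST are hypothetical placeholders.
set ROOTDNS=192.0.2.1
set CHILDDNS=192.0.2.10
set CHILDHOST=dc1.am.xxx.

rem 0. Before deleting anything, confirm the child DNS server really hosts
rem    am.xxx itself (it must answer with an SOA for the child zone).
nslookup -type=SOA am.xxx. %CHILDDNS%

rem 1. On the root DNS server: remove the am subdomain kept inside the xxx zone.
rem    /Tree removes every record below the node, /f skips the prompt.
dnscmd %ROOTDNS% /NodeDelete xxx am /Tree /f

rem 2. Recreate am as a delegation: an NS record at the am node plus a
rem    glue A record for the child DNS server it points to.
dnscmd %ROOTDNS% /RecordAdd xxx am NS %CHILDHOST%
dnscmd %ROOTDNS% /RecordAdd xxx %CHILDHOST% A %CHILDDNS%

rem 3. On the child DNS server: forward to the root DNS server.
rem    /Slave is the command-line form of "Do not use recursion".
dnscmd %CHILDDNS% /ResetForwarders %ROOTDNS% /Slave

rem    Alternative to step 3: hold a secondary copy of xxx on the child.
rem    The root zone must then allow zone transfers to this server;
rem    restrict transfers to the listed child DNS servers only.
rem dnscmd %CHILDDNS% /ZoneAdd xxx /Secondary %ROOTDNS%

rem 4. Verify: the root answers with the delegation, the child resolves
rem    the root zone, and the forwarder settings are as expected.
nslookup -type=NS am.xxx. %ROOTDNS%
nslookup -type=SOA xxx. %CHILDDNS%
dnscmd %CHILDDNS% /Info
```

Repeat steps 0 to 4 for as and eu with their own child DNS servers.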
 
Ace Fekay [MVP]

Kevin D. Goodknecht Sr. said:
Under Win2k, DNS replication does not extend past the domain NC
partition. What this means, zones on the root DC/DNS replicate only
to DCs in the root domain, not to any child domains.

You can resolve this by deleting the child subdomains on the root
(xxx) zone, then create delegations named am, as, and eu in the xxx
zone, make these delegations to their respective child DNS servers.
Then on all the child DNS servers forward to the xxx DNS server and
check the box "Do not use recursion" on the child forwarder tab.
An alternate to forwarding the child DNS servers to the root DNS
server is to create a secondary of the xxx (root) zone on all child
DNS servers. This makes all DNS servers in all domains capable of
resolving all child domains in addition to the root domain.


If this were Win2k3 and all DCs were Win2k3, you would set the root
domain zone to replicate to all DNS servers in the forest. But, under
Win2k your options are limited to my recommendations.

Kevin, I'm not entirely convinced that all DNS functions properly work with
single label names. 300684 is designed to allow updates into a single label
zone, but DNS is still DNS, which is hierarchal, where a single label name
doesn't have a hierarchy. It will treat the delegation as a TLD delegation.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================
 
Kevin D. Goodknecht Sr. [MVP]

Ace Fekay [MVP]

Kevin, I'm not entirely convinced that all DNS functions properly
work with single label names. 300684 is designed to allow updates
into a single label zone, but DNS is still DNS, which is hierarchal,
where a single label name doesn't have a hierarchy. It will treat the
delegation as a TLD delegation.

I agree, but Florian is under the assumption that the zone is replicated
from the parent DC to the child DCs.
It's too bad the root domain is not multi-labeled, but that still won't
change replication.
 
Ace Fekay [MVP]

Kevin D. Goodknecht Sr. said:
Ace Fekay [MVP]


I agree, but Florian is under the assumption that the zone is
replicated from the parent DC to the child DCs.
It's too bad the root domain is not multi-labeled, but that still
won't change replication.

True. I hope it works for Florian.

Ace
 
Guest

Thank you both for your answers.
There still exist delegations for eu, as and am on the root DNS. And this
seems to work.
So, can I delete the root DNS zone from the child DCs without any harm?
Maybe the former administrator has copied the zone to the child DCs and they
are not replicated.

greetings
Florian
 
Guest

PS.
or maybe first it was a secondary zone and later the administrator
changed this to an AD integrated zone.
If I understood this right, this could have happened, right?

Florian
 
Kevin D. Goodknecht Sr. [MVP]

Florian Schalk said:
Thank you both for your answers.
There still exist delegations for eu, as and am on the root DNS. And
this seems to work.
So, can I delete the root DNS zone from the child DCs without any
harm? Maybe the former administrator has copied the zone to the child
DCs and they are not replicated.

You can remove the secondary root domain zone, BUT, only if the child DNS
servers forward to the root DNS and have "Do not use recursion" checked.
Personally, I'd leave the secondary root zone on all the Child DNS servers,
then the child DNS servers may forward to a local ISP DNS for external
queries, instead of across a long WAN link.
 
Ace Fekay [MVP]

Florian Schalk said:
PS.
or maybe first it was a secondary zone and later the administrator
changed this to an AD integrated zone.
If I understood this right, this could have happened, right?

Florian

If this is Windows 2003, yes, because AD Integration has an option to
replicate the zone forest-wide.

If Win2000, no, because that option does not exist and AD Integrated zones
exist only in each domain's DomainNC (Domain Name Container, or Domain
partition).

So if the admin changed it to AD Integration in a child domain, and this is
Win2000 or Win2003 with the option to leave it in the DomainNC or
DomainDnsZones partition, then the zone in the child is now an SOA and will
never get updated from the parent zone.

It was probably a secondary.

Ace
 
