Secondary Zone disappears

Simon

Hi,

We have a recurring problem whereby a secondary zone disappears every few
months.

We are running a 2-domain forest. Domain 1 is running mixed 2000 and 2003
servers; Domain 2 is 2003 only. We set up the Domain 2 DNS zone as a
secondary in Domain 1, and it operates normally for months before the problem
reoccurs.

The only error shown in the event log is below.

Can anyone suggest why the secondary zone removes itself? Many thanks in
advance.

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4015
Date: 26/04/2007
Time: 22:43:07
User: N/A
Computer: RGP00
Description:
The DNS server has encountered a critical error from the Active Directory.
Check that the Active Directory is functioning properly. The extended error
debug information (which may be empty) is "". The event data contains the
error.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 51 00 00 00 Q...
 
Kevin D. Goodknecht Sr. [MVP]

Read inline please.

In
Simon said:
Hi,

We have a recurring problem whereby a secondary zone disappears every
few months.

We are running a 2-domain forest. Domain 1 is running mixed 2000 and
2003 servers; Domain 2 is 2003 only. We set up the Domain 2 DNS zone
as a secondary in Domain 1, and it operates normally for months before
the problem reoccurs.

Check that the disappearing zone is not on another DC as "replicate to all
DNS servers in the Active Directory forest <ADforest>"; if it is, delete the
secondary and let it replicate.

Zones in the ForestDNSZones will not replicate to Win2k DNS servers. Zones
in this partition must be run as Secondary on Win2k DNS servers.



--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
Send IM: http://www.icq.com/people/webmsg.php?to=296095728
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
 
Kurt

Simon said:
Hi,

We have a recurring problem whereby a secondary zone disappears every few
months.

We are running a 2-domain forest. Domain 1 is running mixed 2000 and 2003
servers; Domain 2 is 2003 only. We set up the Domain 2 DNS zone as a
secondary in Domain 1, and it operates normally for months before the problem
reoccurs.

The only error shown in the event log is below.

Can anyone suggest why the secondary zone removes itself? Many thanks in
advance.

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4015
Date: 26/04/2007
Time: 22:43:07
User: N/A
Computer: RGP00
Description:
The DNS server has encountered a critical error from the Active Directory.
Check that the Active Directory is functioning properly. The extended error
debug information (which may be empty) is "". The event data contains the
error.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 51 00 00 00 Q...

I have a very similar problem. I have a windows 2000 DC that holds a
secondary DNS zone for a 2-way trusted domain (external). The Primary
zone in the other domain is ADI. Every now and then, the secondary zone
just disappears. The zone file is still in the System32\dns directory,
and I can re-create the secondary zone, which immediately populates.
There are NO errors in the DNS log or system log relating to DNS other
than "if this DNS server has no AD integrated peers, this error should
be ignored", which it doesn't, so I do. If anyone has any ideas, I'd
like to hear them.

....kurt
 
Simon

Thank you for your response Kevin.

The 'disappearing zone' is on another DC. One DC is 2000 and the other 2003.
As a result one supports replication of the zone and the other doesn't:
On the 2003 DC replication is set to "All domain controllers in Active
Directory"
On the 2000 DC there is no replication option.

Could you clarify whether replicating the zone is possible in this scenario
or whether replication of the zone should be disabled on the 2003 DC?

Many thanks again for your assistance, Simon.
 
Kevin D. Goodknecht Sr. [MVP]

Read inline please.

In
Simon said:
Thank you for your response Kevin.

The 'disappearing zone' is on another DC. One DC is 2000 and the
other 2003. As a result one supports replication of the zone and the
other doesn't:
On the 2003 DC replication is set to "All domain controllers in Active
Directory"
On the 2000 DC there is no replication option.

Could you clarify whether replicating the zone is possible in this
scenario or whether replication of the zone should be disabled on the
2003 DC?

If the zone is configured to replicate to "All domain controllers in the
Active Directory domain <ADDomain>" it will also replicate to Win2k DCs in
the same domain, in addition to the Win2k3 DCs. In this case, don't use
Secondary zones on Win2k or Win2k3 DCs in the same domain. From your post,
it sounds like this is the scenario you have, and why the zone "disappears".

If it is configured to replicate to "All DNS servers in the AD Domain
<ADDomain>" (DomainDNSZones), or "All DNS Servers in the AD Forest
<ADForest>" (ForestDNSZones) you would have to use a secondary zone on the
Win2k DC.



--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
 
Simon

Apologies if our scenario wasn't clear, please note that it is cross-domain
replication that is the problem:

The zone exists in Domain 2 on a 2003 server and is an Active Directory
Integrated Zone. Replication is set to 'All Domain Controller in AD Domain'

The servers dropping the zone are in Domain 1 (one is 2000 and the other
2003).

As it is a different Domain shouldn't we use a secondary zone? How would you
configure the replication?

Thank you for your patience in helping with this problem, it is much
appreciated.
 
Kevin D. Goodknecht Sr. [MVP]

Read inline please.

In
Simon said:
Apologies if our scenario wasn't clear, please note that it is
cross-domain replication that is the problem:

The zone exists in Domain 2 on a 2003 server and is an Active
Directory Integrated Zone. Replication is set to 'All Domain
Controller in AD Domain'

The servers dropping the zone are in Domain 1 (one is 2000 and the
other 2003).

As it is a different Domain shouldn't we use a secondary zone?
Not necessarily; with Win2k3 you have several options: Conditional
forwarders, Stub zones, and Forest Wide Replication. Win2k does not support
any of these, but you can leave it out of the loop or configure a Secondary
zone on it.
You said these domains were in the same forest; if the zone is in the
ForestDNSZones partition, it will replicate to all Win2k3 DCs with DNS in
the forest. It won't replicate to the Win2k DC, but you can configure a
secondary on that DC.






--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
 
Ace Fekay [MVP]

In
Kurt said:
I have a very similar problem. I have a windows 2000 DC that holds a
secondary DNS zone for a 2-way trusted domain (external). The Primary
zone in the other domain is ADI. Every now and then, the secondary
zone just disappears. The zone file is still in the System32\dns
directory, and I can re-create the secondary zone, which immediately
populates. There are NO errors in the DNS log or system log relating
to DNS other than "if this DNS server has no AD integrated peers,
this error should be ignored", which it doesn't, so I do. If anyone
has any ideas, I'd like to hear them.

...kurt

As stated by Kevin, if the zone exists as AD integrated in the domain the DC
is a member of, the AD integrated zone takes precedence over the secondary
and therefore gets removed. How many DCs do you have? Is there another DC in
your domain (not the trusted domain) where someone created this zone as AD
integrated? Maybe you can walk us through the steps you took to create the
zone?


--
Regards,
Ace

Innovative IT Concepts, Inc (IITCI)
Willow Grove, PA

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations

Having difficulty reading or finding responses to your post?
Instead of the website you're using, try using OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. Anonymous access. It's free - no username or password
required nor do you need a Newsgroup Usenet account with your ISP. It
connects directly to the Microsoft Public Newsgroups. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject. It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

"Quitting smoking is easy. I've done it a thousand times." - Mark Twain
 
Kurt

Ace said:
In

As stated by Kevin, if the zone exists as AD integrated in the domain the DC
is a member of, the AD integrated zone takes precedence over the secondary
and therefore gets removed.

This is not the case. The DC in question is actually my test Windows
2000 DC at my house (Still running - I set it up in my MCSE Class 7
years ago). The domain is "home.local". The domain at work (2 DCs, both
W2K3 R1 SP2) is "xyz.hq". Both domains have ADI zones for their Windows
domains, and the DC at home has a secondary to the work ADI zone. Other
than the trust (so I can access work resources when logged in at home),
there is no connection between the domains. Also, this is a fairly new
occurrence. It worked just fine for several years.

How many DCs do you have? Is there another DC in
your domain (not the trusted domain) where someone created this zone as AD
integrated? Maybe you can walk us through the steps you took to create the
zone?

Pretty much, the steps to create are the usual:
New zone
Enter Zone name
Add masters for the zone
click OK or whatever

The secondary zone immediately populates and works for weeks at a time,
then I'll try to ping a host or do something that requires name
resolution on the xyz.hq domain and get an error due to name resolution
failing. When I open the DNS snap-in, sure enough the zone is missing. I
re-add it and I'm good again for another long while.

Another point, the DCs at work host another ADI zone and 3 additional
standard zones (one holds primaries and the other secondaries). My DC at
home also holds secondary zones for all 4 of those, and none of them
(including the secondary to the other ADI zone) disappear like this.
Weird, huh?

....kurt
 
Ace Fekay [MVP]

In
Kurt said:
This is not the case. The DC in question is actually my test Windows
2000 DC at my house (Still running - I set it up in my MCSE Class 7
years ago). The domain is "home.local". The domain at work (2 DCs,
both W2K3 R1 SP2) is "xyz.hq". Both domains have ADI zones for their
Windows domains, and the DC at home has a secondary to the work ADI
zone. Other than the trust (so I can access work resources when
logged in at home), there is no connection between the domains. Also,
this is a fairly new occurrence. It worked just fine for several
years.
How many DCs do you have? Is there another DC in

Pretty much, the steps to create are the usual:
New zone
Enter Zone name
Add masters for the zone
click OK or whatever

The secondary zone immediately populates and works for weeks at a
time, then I'll try to ping a host or do something that requires name
resolution on the xyz.hq domain and get an error due to name
resolution failing. When I open the DNS snap-in, sure enough the zone
is missing. I re-add it and I'm good again for another long while.

Another point, the DCs at work host another ADI zone and 3 additional
standard zones (one holds primaries and the other secondaries). My DC
at home also holds secondary zones for all 4 of those, and none of
them (including the secondary to the other ADI zone) disappear like
this. Weird, huh?

...kurt

Hmm, maybe weird, unless the connection between your server and the office
falls asleep too often. What type of line and are you VPN'd in?

Ace
 
Kevin D. Goodknecht Sr. [MVP]

Read inline please.

In
Kurt said:
This is not the case. The DC in question is actually my test Windows
2000 DC at my house (Still running - I set it up in my MCSE Class 7
years ago). The domain is "home.local". The domain at work (2 DCs,
both
W2K3 R1 SP2) is "xyz.hq". Both domains have ADI zones for their
Windows domains, and the DC at home has a secondary to the work ADI
zone. Other
than the trust (so I can access work resources when logged in at
home),
there is no connection between the domains. Also, this is a fairly new
occurrence. It worked just fine for several years.

How many DCs do you have? Is there another DC in

Pretty much, the steps to create are the usual:
New zone
Enter Zone name
Add masters for the zone
click OK or whatever

The secondary zone immediately populates and works for weeks at a
time,
then I'll try to ping a host or do something that requires name
resolution on the xyz.hq domain and get an error due to name
resolution failing. When I open the DNS snap-in, sure enough the zone
is missing. I re-add it and I'm good again for another long while.

Another point, the DCs at work host another ADI zone and 3 additional
standard zones (one holds primaries and the other secondaries). My DC
at
home also holds secondary zones for all 4 of those, and none of them
(including the secondary to the other ADI zone) disappear like this.
Weird, huh?

If the zone does this again, see if there is a key with the zone name here:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones
with the zone type 0x2.
You might also enable Notify on the Zone Transfers tab on the master zone
and extend the Expire time beyond the default 1 day.

Open ADU&C, click View > Advanced Features, expand System and open the
MicrosoftDNS container; if you find an object with the same name as the
disappearing zone, delete it.



--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
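As an added example, not code from Kevin or from Microsoft, here is a read-only PowerShell check for the registry location Kevin points at. It lists every zone the DNS service has registered under the Zones key and decodes the Type value (0 = cache, 1 = primary, 2 = secondary, 3 = stub, 4 = forwarder), so you can see whether the "disappeared" zone still has a key, and whether it is recorded as a secondary (0x2) or has been flipped to AD integrated. The zone name xyz.hq is taken from Kurt's post; the DsIntegrated value is a per-zone REG_DWORD the DNS service writes, and is read here as a boolean.

```powershell
# Added example: inspect the DNS Server zone keys on the local server.
# Read-only; it changes nothing. Run on the DNS server itself, elevated.
$zonesKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones'
$typeNames = @{ 0 = 'Cache'; 1 = 'Primary'; 2 = 'Secondary'; 3 = 'Stub'; 4 = 'Forwarder' }

function Get-DnsZoneRegistryState {
    param([string]$ZoneName)   # optional: limit the report to one zone

    Get-ChildItem -Path $zonesKey | ForEach-Object {
        $name = $_.PSChildName
        if ($ZoneName -and $name -ne $ZoneName) { return }

        $props = Get-ItemProperty -Path $_.PSPath
        $type  = [int]$props.Type
        $label = if ($typeNames.ContainsKey($type)) { $typeNames[$type] } else { 'Unknown' }

        [pscustomobject]@{
            Zone         = $name
            Type         = ('0x{0:x} ({1})' -f $type, $label)
            # DsIntegrated is set to 1 when the zone is stored in AD rather than a file.
            DsIntegrated = [bool]$props.DsIntegrated
            DatabaseFile = $props.DatabaseFile
        }
    }
}

# Full inventory first, so an unexpected duplicate or a missing key stands out.
Get-DnsZoneRegistryState | Format-Table -AutoSize

# Then the specific zone under investigation (zone name from Kurt's post; substitute your own).
$zone  = 'xyz.hq'
$state = Get-DnsZoneRegistryState -ZoneName $zone
if (-not $state) {
    Write-Warning "No registry key for zone '$zone': the zone is gone from this server's local configuration."
} elseif ($state.DsIntegrated) {
    Write-Warning "Zone '$zone' is marked AD-integrated on this server, not a Secondary; that is the conflict described in this thread."
} else {
    "Zone '$zone' is present as $($state.Type); if it has vanished from the DNS console, compare this with the MicrosoftDNS container in AD."
}
```

The Notify and Expire settings Kevin mentions live on the master zone (the Zone Transfers tab and the SOA record's Expire interval), not in this registry key; this script only tells you what the secondary server believes about the zone locally.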
 
Ace Fekay [MVP]

In
Kevin D. Goodknecht Sr. said:
If the zone does this again, see if there is a Key with the zone name
here: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS
Server\Zones
With the zone type 0x2
You might also enable Notify on the zone transfers tab on the master
zone and extend the Expire time beyond the default 1 day.

open ADU&C, click View>Advanced features, Expand System and open the
MicrosoftDNS container, if you find an object with the same name as
the disappearing zone, delete it

Good point, he may have previously changed the zone to AD integrated and
that will surely remove the secondary zone all the time.

Ace
 
Kurt

Ace said:
In

Hmm, maybe weird, unless the connection between your server and the office
falls asleep too often. What type of line and are you VPN'd in?

Ace

It is a VPN, although just because of my own laziness. I work for a
fiber optic service provider and one of the perks is a 100Mb VLAN to my
house. My main workstation at home is connected directly to the office
VLAN (100Mb layer-2). But my home DC is primarily serving the house and,
since I don't want the kids on the company network, I have the DC VPN'd
into the company LAN. Even though it's technically across the Internet,
the next hop from the house is the same router as for the office, so
excepting our firewalls, it's just one hop away, all my own gear, and
not subject to anything "Internet". The VPN is a Windows PPTP and fires
up in a startup script using rasdial. It does occasionally fail to
start, but the secondary to the other ADI zone stays put. Since it's a
home thing, it's not critical, and generally the situation that brings
my attention to the missing zone is higher priority than the missing
zone itself, so I just re-create the zone. By the time I've solved
whatever crisis got me to that point, I've forgotten all about the phantom
DNS zone. At some point I'll do some more debugging.
 
Kurt

open ADU&C, click View>Advanced features, Expand System and open the
MicrosoftDNS container, if you find an object with the same name as
the disappearing zone, delete it.

There it was! So where do I find information on what I just did (deleted
the container)?

Thanks for the advice, we'll see what happens now!

....kurt
 
Ace Fekay [MVP]

In
Kurt said:
There it was! So where do I find information on what I just did
(deleted the container)?

Thanks for the advice, we'll see what happens now!

...kurt

Be careful how you configure zones. Apparently you changed it to an AD
integrated zone at one time.

Use ADSIEdit to delete the references for the zone.

Using ADSI Edit and telling you exactly what to delete or not delete
depends on a number of things. Here's a blog on ADSI Edit explaining all of
that and how to possibly fix your issue. BE VERY CAREFUL with ADSI Edit. DO
a dry run first. Next time you set zone properties, understand what the zone
types mean and where you are storing it.

Ace

==================================
==================================

Conflicting AD Integrated zones if they exist in both the Domain NC and
one of the Application Partitions or if you get a weird error message
stating:
"The name limit for the local computer network adapter card was exceeded."

Under Windows 2000, the physical AD database is broken up into 3 logical
partitions, the DomainNC (Domain Name Context, or some call the Domain Name
Container), the Configuration Partition, and the Schema Partition. The
Schema and Config partitions replicate to all DCs in a forest. However, the
DomainNC is specific only to the domain the DC belongs to. That's where a
user, domain local or global group is stored. The DomainNC only replicates
to the DCs of that specific domain. When you create an AD Integrated zone in
Win 2000, it gets stored in the DomainNC. This causes a limitation if you
want this zone to be available on a DC/DNS server that belongs to a
different domain. The only way to get around that is for a little creative
designing using either delegation, or secondary zones. This was a challenge
for the _msdcs zone, which must be available forest wide to resolve the
forest root domain, which contains the Schema and Domain Name Masters FSMO
roles.

In Windows 2003, there were two additional partitions added, they are called
the DomainDnsZones and ForestDnsZones Application Partitions, specifically
to store DNS data. They were conceived to overcome the limitation of Windows
2000's AD Integrated zones. Now you can store an AD Integrated zone in
either of these new partitions instead of the DomainNC. If stored in the
DomainDnsZones app partition, it is available only in that domain's
DomainDnsZones partition. If you store it in the ForestDnsZones app
partition, it will be available to any DC/DNS server in the whole forest.
This opens many more design options. It also ensures the availability of the
_msdcs zone to all DCs in the forest. By default in Win 2003, the _msdcs
zone is stored in the ForestDnsZones application partition.

When selecting a zone replication scope in Win2003, in the zone's
properties, click on the "Change" button. Under that you will see 3 options:
To choose the ForestDnsZones:
"To all DNS servers in the AD forest example.com"

To choose DomainDnsZones:
"To all DNS servers in the AD domain example.com"

To choose the DomainNC (only for compatibility with Win2000):
"To all domain controllers in the AD domain example.com"


If you have a duplicate, that's telling me that there is a zone that exists
in the DomainNC and in the DomainDnsZones Application partition. This means
at one time, or currently, you have a mixed Win2000/2003 environment and you
have DNS installed on both operating systems. On Win2000, if the zone is AD
Integrated, it is in the DomainNC, and should be set the same in Win2003's
DC/DNS server to keep compatible. Someone must have attempted to change it
in Win2003 DNS to put it in the DomainDnsZones partition, not realizing the
implications, hence the duplicate. In a scenario such as this where you want
to use the Win2003 app partitions, you then must ensure the zone on the
Win2003 is set to the DomainNC, then uninstall DNS off the Win2000 machine,
then once that's done, you can then go to the Win2003 DNS and change the
partition's replication scope to one of the app partitions.

In ADSI Edit, you can view all five partitions. You were viewing the app
partitions, but not the main partitions. You need to add the DomainNC
partition in order to delete that zone. But you must uninstall DNS off the
Win2000 server first, unless you want to keep the zone in the DomainNC. But
that wouldn't make much sense if you want to take advantage of the _msdcs
zone being available forest wide in the ForestDnsZones partition, which you
should absolutely NOT delete. I would just use the Win2003 DNS servers only.

In ADSI Edit, rt-click ADSI Edit, connect to, in the Connection Point click
on "Well known Naming Context", then in the drop-down box, select "Domain".
Drill down to CN=System. Under that you will see CN=MicrosoftDNS. You will
see the zone in there.

But make sure to decide FIRST which way to go before you delete anything.

Some reading for you...
Directory Partitions:
http://www.microsoft.com/resources/...server/reskit/en-us/distrib/dsbg_dat_favt.asp

kbAlertz- (867464) - Explains how to use ADSI Edit to resolve app partitions
issues:
http://www.kbalertz.com/kb_867464.aspx


How to fix it?
-------------

What I've done in a few cases with my clients that have issues with
'duplicate' zone entries in AD (because the zone name was in the Domain NC
(Name Container) Partition, and also in the DomainDnsZones App partition),
was first to change the zone on one of the DCs to a Primary zone, and
allowed zone transfers. Then I went to the other DCs and changed the zone to
a Secondary, and using the first DC as the Master. Then I went into ADSI
Edit, (from memory) under the Domain NC, Services, DNS, and deleted any
reference to the domain name. Then I added the DomainDnsZones partition to
the ADSI Edit console, and deleted any reference to the zone name in there
as well. If you see anything saying something to the extent of "In
Progress...." with a long GUID number after it, delete them too. Every time
you may have tried to change the replication scope, it creates one of them.
Delete them all.

Then I forced replication. If there were Sites configured, I juggled around
the servers and subnet objects so all of the servers are now in one site,
then I forced replication (so I didn't have to wait for the next site
replication schedule). Once I've confirmed that replication occurred, and the
zones no longer existed in either the Domain NC or DomainDnsZones, then I
changed the zone on the first server back to AD Integrated, choosing the
middle button for its replication scope (which puts it in the
DomainDnsZones app partition). Then I went to the other servers and changed
the zone to AD Integrated choosing the same replication scope. Then I reset
the sites and subnet objects, and everything was good to go.

Keep in mind, I left the _msdcs... zone alone, since that wasn't causing any
problems and is located in the ForestDnsZones (default) in all of my client
cases I've come across with so far.

It seems like a lot of steps, but not really. Just read it over a few times
to get familiar with the procedure. You may even want to change it into a
numbered step by step list if you like. If you only have one DC, and one
Site, then it's much easier since you don't have to mess with secondaries or
play with the site objects.

I hope that helped!

==================================
==================================

Ace
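Ace's write-up names three places an AD integrated zone can live (CN=MicrosoftDNS under CN=System in the DomainNC, the DomainDnsZones partition, and the ForestDnsZones partition) and warns that a zone present in more than one of them is the duplicate that knocks out a secondary. The following is an added example, not Ace's or Microsoft's code, that does the "decide FIRST" part safely: it binds to each location through System.DirectoryServices, searches one level under CN=MicrosoftDNS for a dnsZone object with the given name, and reports where the copies are, deleting nothing. The zone name xyz.hq is from Kurt's post; the `*InProgress*` name pattern is an assumption based on Ace's description of the leftover objects, not a documented naming rule.

```powershell
# Added example: locate every copy of a dnsZone object across the three
# possible AD storage locations. Read-only. Run as a domain user from a
# domain-joined machine; it uses the RootDSE of whatever DC the machine locates.
Add-Type -AssemblyName System.DirectoryServices

function Find-DnsZoneObjects {
    param([Parameter(Mandatory)][string]$ZoneName)

    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
    $domainNC = [string]$rootDse.Properties['defaultNamingContext'][0]
    $forestNC = [string]$rootDse.Properties['rootDomainNamingContext'][0]

    # The three locations Ace lists, keyed by the name shown in the zone's
    # replication-scope dialog.
    $locations = [ordered]@{
        'DomainNC (all DCs in the domain)'            = "CN=MicrosoftDNS,CN=System,$domainNC"
        'DomainDnsZones (all DNS servers in domain)'  = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainNC"
        'ForestDnsZones (all DNS servers in forest)'  = "CN=MicrosoftDNS,DC=ForestDnsZones,$forestNC"
    }

    foreach ($entry in $locations.GetEnumerator()) {
        $base = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($entry.Value)")
        try {
            $null = $base.NativeObject   # forces the bind; throws if the container is absent
        } catch {
            # A pure Win2000 domain has no application partitions; skip silently.
            continue
        }

        $searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
        # The zone itself, plus any "InProgress" leftovers from earlier scope changes
        # (pattern assumed from Ace's description).
        $searcher.Filter      = "(&(objectClass=dnsZone)(|(name=$ZoneName)(name=*InProgress*)))"
        $searcher.SearchScope = 'OneLevel'
        $null = $searcher.PropertiesToLoad.Add('name')
        $null = $searcher.PropertiesToLoad.Add('whenChanged')

        foreach ($result in $searcher.FindAll()) {
            [pscustomobject]@{
                Location    = $entry.Key
                Name        = $result.Properties['name'][0]
                WhenChanged = $result.Properties['whenchanged'][0]
                DN          = $result.Path
            }
        }
    }
}

$zone = 'xyz.hq'   # zone name from Kurt's post; substitute your own
$hits = @(Find-DnsZoneObjects -ZoneName $zone)
$hits | Format-Table -AutoSize

$copies = @($hits | Where-Object { $_.Name -eq $zone })
if ($copies.Count -eq 0) {
    "No AD-integrated copy of '$zone' found; a secondary on a DC in this domain is not in conflict with AD."
} elseif ($copies.Count -gt 1) {
    Write-Warning ("'{0}' is stored in {1} partitions ({2}); this is the duplicate Ace describes." -f
        $zone, $copies.Count, ($copies.Location -join '; '))
} else {
    "'$zone' is AD-integrated in: $($copies[0].Location). Any secondary for it on a DC of this domain will be displaced."
}
```

Run it before touching ADSI Edit, and again after forcing replication, so you can confirm the zone has actually left a partition before re-creating it with the scope you want; the WhenChanged column helps tell a freshly replicated copy from a stale one.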
 
Kurt

Ace said:
In

Be careful how you configure zones. Apparently you changed it to an AD
integrated zone at one time.

Use ADSIEdit to delete the references for the zone.

Using ADSI Edit and telling you exact;ly what to delete or not deleted
depends on a number of things. Here's a blog on ADSI Edit explaining all of
that and how to possibily fix your issue. BE VERY CAREFUL with ADSI Edit. DO
a dry run first. Next time you set zone properties, understand what the zone
types mean and where you are storing it.

Ace

I don't know how I managed to set it up as an ADI zone, I do know
better. If I did this, it must have been on one of the re-creations (as
I said, it worked fine for a number of years without disappearing).
Probably just forgot to click the secondary zone radio button. Since
this is a single-site, single-DC domain, and since the zone is for a
completely different domain, I won't have to do most of the steps in the
procedure you outlined above, but I will file it for future reference.

Thanks a lot for the help,

....kurt
 
Ace Fekay [MVP]

In
Kurt said:
I don't know how I managed to set it up as an ADI zone, I do know
better. If I did this, it must have been on one of the re-creations
(as I said, it worked fine for a number of years without
disappearing). Probably just forgot to click the secondary zone radio
button. Since this is a single-site, single-DC domain, and since the
zone is for a completely different domain, I won't have to do most of
the steps in the procedure you outlined above, but I will file it for
future reference.
Thanks a lot for the help,

...kurt

Cool. Sounds good!

If you have any other questions, please post back.

Ace
 