Active Directory Integration in DNS - Loses Forward Zone :-0

Marvin Miller

Hi Folks;

I have a problem with DNS that's stemming from Active Directory integration
(as near as I can tell).
First, I know next to nothing about AD - I'm still coming from the realm of
NT 3.5/4.0 and PDC's and BDC's. My network is small so AD is just something
I need installed and working. Here's what's happened.....

All machines are Windows 2000 and I had an AD PDC that worked just fine.
There was also an AD BDC machine. Network changes caused me to need to
remove AD from the PDC and promote the BDC to a PDC and run with one PDC.

To that end I ran DCPROMO on the machine that I no longer wanted to be an
AD server. I made sure beforehand that the BDC was also a catalog server.
Everything went well, the BDC became a PDC and authentications worked etc.

I then changed the new PDC so that it would not be compatible with
pre-Windows 2000 domains. This is not necessary for me so I thought that was
a good thing to do.

The new PDC is also the primary DNS server set to allow dynamic updates.
When the changeover occurred everything was fine. When I later re-booted the
new PDC I found that the DNS had lost the forward zone for my domain! Also
an event viewer entry was logged;

Event ID 5773;

The DNS Server for this DC does not support dynamic DNS. Add the DNS records
from the file '%SystemRoot%\System32\Config\netlogon.dns' to the DNS server
servicing the domain referenced in that file.

I found the file but have no idea as to how to get it 'into' the DNS server.
I tried copying the file to the DNS server directory and re-starting the
service but that didn't work. I then tried un-installing DNS, re-installing
it and making a new Active Directory Integrated forward zone. That will
work - but only if I choose a zone name that is different from the previous
existing one. If I try to choose the existing zone name I get an error
message stating;

The Zone cannot be created.
The Zone type is invalid.

It's as if the registry contains information on that zone and won't allow me
to create it. I then thought to myself, "Do I have to have an AD integrated
DNS?" - remember, I know little about this. So I then made a new standard
zone and it worked fine. The problem is that I get entries in the event
viewer saying to the effect that Active Directory is trying to do dynamic
updates to the DNS but it's not working - with multiple Stop Signs each time
AD tries to add an entry :-0

As a workaround, I made my Primary DNS server a secondary, made my secondary
a primary and then did a zone transfer from it! (because the secondary DNS
server still had the AD integrated information for the forward zone). This
worked and I then promoted the AD DNS back to primary and demoted the other
DNS server back to a secondary. I ensured that the AD integrated Primary DNS
server was set to allow dynamic updates and all is perfect. Until I re-boot
the machine.

Once I reboot the AD machine it drops the entire forward zone and then logs
the same error;

Event ID 5773;

The DNS Server for this DC does not support dynamic DNS. Add the DNS records
from the file '%SystemRoot%\System32\Config\netlogon.dns' to the DNS server
servicing the domain referenced in that file

The forward lookup zone on the AD DNS server is set to allow Dynamic
Updates. It's also set to load Zone Data on Startup from Active Directory
and Registry.

I'm pretty sure I'm missing something simple here and that it's caused by my
lack of basic AD understanding. Can anyone tell me what needs to be done to
fix this issue?

Thanks VERY much !
Marvin Miller
 
Kurt

Several things here. When you demoted your first DC (there are no PDCs and
BDCs anymore), did you transfer the 5 Flexible Single Master Operations
(FSMO) roles to the second DC? Only AD Integrated DNS zones can accept
dynamic updates. Don't confuse dynamic updates with incremental zone
transfers. Dynamic updates are just hosts registering themselves in DNS so
you don't have to add the records manually. Since you now only have one DC,
you won't have any AD replication, and therefore no incremental zone
updates. I'm not sure why you can't create a DNS zone for your domain name,
but if you haven't transferred the FSMO roles, do that first and try again.
You'll actually have to seize the roles rather than transfer since you
already demoted your first DC (which likely held all 5 roles).

....kurt
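Kurt's point about the FSMO roles is worth checking before anything else, and it is easy to script. The following is an added example (mine, not from anyone in this thread): it lists which DC the directory thinks holds each of the five roles, flags any role whose holder is no longer a live DC, and seizes those onto the surviving DC. It assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later) and an assumed surviving DC name of DC2; the Windows 2000-era equivalent is the interactive ntdsutil sequence shown in the comments.

```powershell
# Added example, not code from the thread. Find the five FSMO role holders and,
# where a holder is no longer a live DC, seize the role onto the surviving DC.
# Assumes the RSAT ActiveDirectory module; $Survivor is an assumed DC name.
param([string]$Survivor = 'DC2')

Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Map each role to the DC that AD currently records as its holder.
$roleHolders = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# A holder that is not in the current DC list is a demoted or dead machine;
# its role cannot be transferred any more and has to be seized.
$liveDCs  = (Get-ADDomainController -Filter *).HostName
$orphaned = @()
foreach ($role in $roleHolders.Keys) {
    $holder = $roleHolders[$role]
    $ok     = $liveDCs -contains $holder
    '{0,-22} {1,-30} {2}' -f $role, $holder, $(if ($ok) { 'ok' } else { 'ORPHANED' })
    if (-not $ok) { $orphaned += $role }
}

if ($orphaned.Count -gt 0) {
    # -Force seizes rather than transfers. The former holder must never be
    # brought back online as a DC afterwards, or the directory ends up with
    # two machines claiming the same role.
    Move-ADDirectoryServerOperationMasterRole -Identity $Survivor `
        -OperationMasterRole $orphaned -Force -Confirm:$false
}

# ntdsutil equivalent, typed interactively on the surviving DC:
#   ntdsutil
#   roles
#   connections
#   connect to server DC2
#   quit
#   seize schema master
#   seize domain naming master
#   seize pdc
#   seize rid master
#   seize infrastructure master
#   quit
#   quit

# The surviving DC should also be a Global Catalog.
$dc = Get-ADDomainController -Identity $Survivor
'{0} IsGlobalCatalog={1}' -f $dc.HostName, $dc.IsGlobalCatalog
```

Run it from an elevated PowerShell session as a member of Domain Admins (Schema Admins and Enterprise Admins are additionally required for the schema master and domain naming master). If every line prints "ok", the roles did move during DCPROMO and the DNS problem lies elsewhere.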
 
Marvin Miller

Hi Kurt;

Thanks for replying :)

"did you transfer the 5 Flexible Single Master Operations
(FSMO) roles to the second DC? "

I doubt it as I don't know what those are. All I did was run DCPROMO on the
DC and ensure that the new DC was a catalog server. I followed a MS KB
article and it seemed to work fine. The previous DC is now a normal server
although for some reason it seems to still run the File Replication
Service.....

"I'm not sure why you can't create a DNS zone for your domain name, but if
you haven't transferred the FSMO roles, do that first and try again."

Can that still be done after the original DC has become a normal server? If
so, how do I do that?

Thanks very much;
Marvin
 
Kevin D. Goodknecht Sr. [MVP]

Marvin said:
Hi Kurt;

Thanks for replying :)

"did you transfer the 5 Flexible Single Master Operations
(FSMO) roles to the second DC? "

The AD wizard will attempt to transfer the FSMO roles to another DC when
you demote it. If the FSMO roles cannot be transferred, Dcpromo will fail and
ask you if you want to do a force removal. If it did not warn you of this,
then it is a safe bet the roles transferred. The Global Catalog is the only
AD "role" which won't be transferred by DCPromo. (The Global Catalog is not
really a role; it is actually a directory service.) You must have at least
one Global Catalog per forest, but you can have more; I recommend one at
each site.
I doubt it as I don't know what those are. All I did was run DCPROMO
on the DC and ensure that the new DC was a catalog server. I followed
a MS KB article and it seemed to work fine. The previous DC is now a
normal server although for some reason it seems to still run the File
Replication Service.....

The File Replication Service is used by AD, but it does not require AD; this
is the service that runs the Distributed File System, which can be on any
Windows server.
"I'm not sure why you can't create a DNS zone for your domain name,
but if you haven't transferred the FSMO roles, do that first and try
again."

Can that still be done after the original DC has become a normal
server? If so, how do I do that?

You should do an AD integrated zone re-install, or remove the zone from AD
and leave it a Primary. AD integrated zones do not have zone files; the DNS
data is stored in the AD database. You cannot convert a secondary zone to AD
integrated; it won't let you, you have to change the secondary zone to a
primary first. You also cannot have a Secondary zone on a DC if there is an AD
integrated zone on another DC. All AD integrated zones are Primary masters
with zone data stored in AD.

294328 - How to Reinstall a Dynamic DNS Active Directory- Integrated Zone
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q294328&sd=RMVP
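Kevin's key fact is that an AD-integrated zone lives in the directory, not in a zone file, so a leftover zone object in AD can collide with a zone you try to recreate. The following is an added example (mine, not from the thread or the KB article): it lists the zone objects stored in AD, removes the stale copy from both DNS and the directory, recreates the zone as AD-integrated with secure dynamic updates, and then has Netlogon re-register the records that netlogon.dns describes, rather than importing that file by hand. It assumes the DnsServer and ActiveDirectory modules (Windows Server 2012 or later) and assumed names corp.example.com and DC2; the dnscmd and ADSI Edit equivalents a Windows 2000/2003 admin would use are in the comments.

```powershell
# Added example, not code from the thread or from the KB article. Locate an
# AD-integrated zone's object in the directory, clear a stale copy, recreate
# the zone, and re-register the DC's locator records. Assumes the DnsServer
# and ActiveDirectory modules; $Zone and $Dc are assumed names.
param(
    [string]$Zone  = 'corp.example.com',
    [string]$Dc    = 'DC2',
    [ValidateSet('Legacy', 'Domain')]
    [string]$Scope = 'Legacy'   # Legacy = Windows 2000-style storage in the domain partition
)

Import-Module ActiveDirectory, DnsServer

# Where AD keeps dnsZone objects depends on the replication scope:
# Legacy  -> CN=MicrosoftDNS,CN=System,<domain>       (Windows 2000 layout)
# Domain  -> CN=MicrosoftDNS,DC=DomainDnsZones,<domain> (2003+ application partition)
$domainDN     = (Get-ADDomain).DistinguishedName
$dnsContainer = switch ($Scope) {
    'Legacy' { "CN=MicrosoftDNS,CN=System,$domainDN" }
    'Domain' { "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN" }
}

# Every zone the directory knows about, with its last change time.
Get-ADObject -SearchBase $dnsContainer -SearchScope OneLevel `
    -LDAPFilter '(objectClass=dnsZone)' -Properties whenChanged |
    Select-Object Name, whenChanged | Format-Table -AutoSize

# The DNS service's own view: ZoneType and IsDsIntegrated show whether the
# zone is Primary/Secondary and whether its data lives in AD.
$existing = Get-DnsServerZone -ComputerName $Dc -Name $Zone -ErrorAction SilentlyContinue
if ($existing) {
    '{0}: ZoneType={1} IsDsIntegrated={2} DynamicUpdate={3}' -f `
        $existing.ZoneName, $existing.ZoneType, $existing.IsDsIntegrated, $existing.DynamicUpdate
    # Removing a DS-integrated zone here also removes its dnsZone object from AD.
    # dnscmd equivalent:  dnscmd DC2 /ZoneDelete corp.example.com /DsDel /f
    Remove-DnsServerZone -ComputerName $Dc -Name $Zone -Force
}

# A dnsZone object with no matching zone in DNS is the stale state that makes
# re-creation fail; delete it (and its dnsNode children) before adding the zone.
# ADSI Edit equivalent: delete the zone object under the MicrosoftDNS container.
$stale = Get-ADObject -SearchBase $dnsContainer -SearchScope OneLevel `
    -LDAPFilter "(&(objectClass=dnsZone)(name=$Zone))" -ErrorAction SilentlyContinue
if ($stale) {
    Remove-ADObject -Identity $stale.DistinguishedName -Recursive -Confirm:$false
}

# Recreate the zone as AD-integrated and accept only secure dynamic updates,
# so that only the DC's own computer account can rewrite its records.
# dnscmd equivalent:  dnscmd DC2 /ZoneAdd corp.example.com /DsPrimary
Add-DnsServerPrimaryZone -ComputerName $Dc -Name $Zone `
    -ReplicationScope $Scope -DynamicUpdate Secure

# Ask Netlogon to register the records listed in netlogon.dns itself;
# "net stop netlogon && net start netlogon" has the same effect.
nltest /dsregdns

# Check that the core DC locator record is back.
Resolve-DnsName -Server $Dc -Name "_ldap._tcp.dc._msdcs.$Zone" -Type SRV |
    Select-Object Name, NameTarget, Port
```

If the final Resolve-DnsName returns the SRV record pointing at the DC, the event 5773 should stop appearing after a reboot, because the zone and its records are now loaded from AD rather than from a file that never existed.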
 
Marvin Miller

Hi Kevin;

Thanks very much for the reply :)

I never received an error about the FSMO - in fact the whole process went
well with no errors showing and I checked the event viewer on the new DC and
it had lots of good reports (to the extent of transfer from original DC for
this and that succeeded) and no ill reports of any consequence (that I could
discern).

I did manually make the new DC a Global Catalog before I removed the other
one.

With regards to the File Replication Service - If it's not required what's
the best way to remove it from the previous DC that's now just a server?

I briefly looked at the link you provided (it's late at night) but I suspect
that it's going to hit the nail right on the head. Already I see from it
that there is an area in the Active Directory that has DNS info - I didn't
know that and it makes sense. I bet I can fix it knowing that info alone -
if not though it looks like I'm properly armed to go through it and case it
once and for all.

I'm really looking forward to having it squared away and being able to
re-start the server without it losing the forward zone - it causes all
sorts of problems! I know nothing about AD - but I know more now and think I
have what I need to case it - thank you both !

Best
Marvin
 
Herb Martin

With regards to the File Replication Service - If it's not required what's
the best way to remove it from the previous DC that's now just a server?

Don't remove it. It's got other purposes and messing
with it might cause you future problems.

(You can disable, but best would be to set the service to
MANUAL start, e.g., using the Services control panel/MMC.)

If you are still having troubles after transferring roles, GC is
good, and DNS on the DC is dynamic then check these:

1) ALL DNS Clients (especially DNS servers, including the
DNS server itself) set to use STRICTLY the (internal)
DNS that can resolve your internal records.

2) Run DCDiag against each DC to check functionality


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
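Herb's two checks (every DNS client, including the DC itself, pointed strictly at internal DNS, then DCDiag) can be scripted so they are repeatable after each reboot. The following is an added example (mine, not Herb's): it compares each IPv4 interface's DNS server list against an assumed list of internal servers, corrects any interface that points elsewhere, confirms the DC can resolve its own locator record, and runs dcdiag. It assumes the DnsClient module (Windows 8/Server 2012 or later), that the machine is logged on with a domain account so $env:USERDNSDOMAIN is set, and the assumed addresses 10.0.0.10 and 10.0.0.11; on Windows 2000 the same checks are "ipconfig /all" and netdiag /test:dns.

```powershell
# Added example, not code from the thread. Verify that this DC's own DNS client
# settings point only at internal DNS servers, fix any that do not, and run
# dcdiag. Assumes the DnsClient module; $InternalDns holds assumed addresses.
param(
    [string[]]$InternalDns = @('10.0.0.10', '10.0.0.11'),
    [string]$Dc = $env:COMPUTERNAME
)

# Only interfaces that actually have DNS servers configured are interesting.
$interfaces = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }

$misconfigured = @()
foreach ($iface in $interfaces) {
    # Any address outside the internal list (an ISP resolver, a router, 127.0.0.1
    # on a non-DNS host) cannot answer for _msdcs and breaks DC location.
    $external = @($iface.ServerAddresses | Where-Object { $InternalDns -notcontains $_ })
    $state = if ($external.Count -gt 0) { 'EXTERNAL: ' + ($external -join ',') } else { 'ok' }
    '{0,-28} {1,-32} {2}' -f $iface.InterfaceAlias, ($iface.ServerAddresses -join ','), $state
    if ($external.Count -gt 0) { $misconfigured += $iface.InterfaceAlias }
}

# Point every misconfigured interface strictly at the internal servers.
foreach ($alias in $misconfigured) {
    Set-DnsClientServerAddress -InterfaceAlias $alias -ServerAddresses $InternalDns
}

# The DC must be able to find its own locator record through those servers.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN" -Type SRV |
    Select-Object Name, NameTarget, Port

# Built-in DC health checks: the DNS-specific tests first, then the full set.
dcdiag /s:$Dc /test:dns /v
dcdiag /s:$Dc
```

Keep the internal server list short and deliberate; a DC that lists an external resolver anywhere in its own DNS client settings will intermittently fail to register and locate records, which looks exactly like the symptoms described in this thread.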
 
Kevin D. Goodknecht Sr. [MVP]

Marvin said:
Hi Kevin;

Thanks very much for the reply :)

I never received an error about the FSMO - in fact the whole process
went well with no errors showing and I checked the event viewer on
the new DC and it had lots of good reports (to the extent of transfer
from original DC for this and that succeeded) and no ill reports of
any consequence (that I could discern).

I did manually make the new DC a Global Catalog before I removed the
other one.

With regards to the File Replication Service - If it's not required
what's the best way to remove it from the previous DC that's now just
a server?

The File replication service is required on DCs and any other server hosting
a DFS share. If the server is not hosting a DFS share the service can be
disabled.
 
Marvin Miller

Hi Kevin;

That seems to have fixed it :) I followed the KB article and re-started the
server and my two forward zones were still there and working fine :)

Thank you - that made my day!

Marvin