Extra DNS zone in mixed Win2k3 and Win2k domain

Vic Russell

Hi,
We have SBS 2003 which is the pdc and a Win2k server which is also a Global
catalog server in the same domain.
Our DNS is showing two zones for some reason; mycompany.com and also
_msdcs.mycompany.com
The Win2k server was previously a Global catalog server on the mycompany.com
domain which I had collapsed before starting off with a new domain (also
mycompany.com) on the SBS 2003 server - it had to be the first server in the
domain. I think this is where the problem came from.
If I look at the NTDS settings in Active Directory Sites and Services, the
domain alias is BFAF49FE-CCAD-433A-B365-D525FCAB9298._msdcs.mycompany.com
which seems to imply that the _msdcs.mycompany.com zone is the correct one.

However, putting test host records in this zone does not seem to work when I
ping one of them. Putting them in mycompany.com does work.

Replication of the two zones appears to be working OK.

Can anyone throw any light on this?

In addition, we are getting the following System log entries every hour:-
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 09/01/2004
Time: 16:08:26
User: N/A
Computer: EAGLE
Description:
The Security System detected an authentication error for the server
DNS/eagle.mycompany.com. The failure code from authentication protocol
Kerberos was "The attempted logon is invalid. This is either due to a bad
username or authentication information.
(0xc000006d)".

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 6d 00 00 c0 m..À

AND

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Date: 09/01/2004
Time: 16:08:26
User: N/A
Computer: EAGLE
Description:
The Security System could not establish a secured connection with the server
DNS/eagle.mycompany.com. No authentication protocol was available.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 6d 00 00 c0 m..À

Also we are getting the following in the DNS log :-
Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 4515
Date: 08/01/2004
Time: 13:08:11
User: N/A
Computer: EAGLE
Description:
The zone mycompany.com was previously loaded from the directory partition
MicrosoftDNS but another copy of the zone has been found in directory
partition DomainDnsZones.mycompany.com. The DNS Server will ignore this new
copy of the zone. Please resolve this conflict as soon as possible.

If an administrator has moved this zone from one directory partition to
another this may be a harmless transient condition. In this case, no action
is necessary. The deletion of the original copy of the zone should soon
replicate to this server.

If there are two copies of this zone in two different directory partitions
but this is not a transient caused by a zone move operation then one of
these copies should be deleted as soon as possible to resolve this conflict.

To change the replication scope of an application directory partition
containing DNS zones and for more details on storing DNS zones in the
application directory partitions, please see Help and Support.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 89 25 00 00 ‰%..

Ace Fekay [MVP]

Vic Russell said:
Hi,
We have SBS 2003 which is the pdc and a Win2k server which is also a
Global catalog server in the same domain.
Our DNS is showing two zones for some reason; mycompany.com and also
_msdcs.mycompany.com
The Win2k server was previously a Global catalog server on the
mycompany.com domain which I had collapsed before starting off with a
new domain (also mycompany.com) on the SBS 2003 server - it had to be
the first server in the domain. I think this is where the problem
came from.
If I look at the NTDS settings in Active Directory Sites and
Services, the domain alias is
BFAF49FE-CCAD-433A-B365-D525FCAB9298._msdcs.mycompany.com which seems
to imply that the _msdcs.mycompany.com zone is the correct one.

However, putting test host records in this zone does not seem to work
when I ping one of them. Putting them in mycompany.com does work.

Replication of the two zones appears to be working OK.

Can anyone throw any light on this?

In addition, we are getting the following System log entries every
hour:-
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 09/01/2004
Time: 16:08:26
User: N/A
Computer: EAGLE
Description:
The Security System detected an authentication error for the server
DNS/eagle.mycompany.com. The failure code from authentication
protocol Kerberos was "The attempted logon is invalid. This is either
due to a bad username or authentication information.
(0xc000006d)".

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 6d 00 00 c0 m..À

AND

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Date: 09/01/2004
Time: 16:08:26
User: N/A
Computer: EAGLE
Description:
The Security System could not establish a secured connection with the
server DNS/eagle.mycompany.com. No authentication protocol was
available.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 6d 00 00 c0 m..À

Also we are getting the following in the DNS log :-
Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 4515
Date: 08/01/2004
Time: 13:08:11
User: N/A
Computer: EAGLE
Description:
The zone mycompany.com was previously loaded from the directory
partition MicrosoftDNS but another copy of the zone has been found in
directory partition DomainDnsZones.mycompany.com. The DNS Server will
ignore this new copy of the zone. Please resolve this conflict as
soon as possible.

If an administrator has moved this zone from one directory partition
to another this may be a harmless transient condition. In this case,
no action is necessary. The deletion of the original copy of the zone
should soon replicate to this server.

If there are two copies of this zone in two different directory
partitions but this is not a transient caused by a zone move
operation then one of these copies should be deleted as soon as
possible to resolve this conflict.

To change the replication scope of an application directory partition
containing DNS zones and for more details on storing DNS zones in the
application directory partitions, please see Help and Support.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 89 25 00 00 ‰%..

A couple of reasons these 40960s and 40961s will show up. The first usual fix is
to just create a reverse zone, and that should usually fix it. If not, I've seen
this error when you rename your Default-First-Site-Name. Make sure time is
synched between all your servers.

More info:
http://www.eventid.net/display.asp?eventid=40961&source=


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
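The following diagnostic is an added example for this thread, not code from the original posts or from Ace; it checks the three symptoms above (the event 4515 zone duplicate, the Kerberos 40960/40961 clock problem, and the _msdcs records) using only tools that ship with Windows Server 2003. It assumes it runs on a domain controller as an administrator; the domain, GUID and host name come from the thread, and 'OTHER-DC' is a placeholder for the second DC.

```powershell
# Added diagnostic (not from the thread): checks the three symptoms above with tools
# that ship with Windows Server 2003. Assumes it runs on a DC as an administrator;
# names come from the thread except 'OTHER-DC', a placeholder for the second DC.
$Domain = 'mycompany.com'
$Guid   = 'BFAF49FE-CCAD-433A-B365-D525FCAB9298'   # DC GUID alias from NTDS Settings
$DCs    = @('eagle', 'OTHER-DC')
$MaxSkewSeconds = 300                              # Kerberos default clock tolerance
# 1. Event 4515: list every AD container that holds a copy of each zone. The DNS
#    server hides the copy it ignores, but the directory still shows both.
$root = 'DC=' + (($Domain -split '\.') -join ',DC=')
$containers = @{
    'MicrosoftDNS (legacy, domain NC)' = "LDAP://CN=MicrosoftDNS,CN=System,$root"
    'DomainDnsZones partition'         = "LDAP://CN=MicrosoftDNS,DC=DomainDnsZones,$root"
    'ForestDnsZones partition'         = "LDAP://CN=MicrosoftDNS,DC=ForestDnsZones,$root"
}
$where = @{}
foreach ($label in $containers.Keys) {
    try {
        foreach ($obj in ([ADSI]$containers[$label]).Children) {
            if ($obj.SchemaClassName -ne 'dnsZone') { continue }
            $zone = [string]$obj.Properties['dc'].Value
            if (-not $where.ContainsKey($zone)) { $where[$zone] = @() }
            $where[$zone] += $label
        }
    } catch { }   # container absent (no application partitions yet) or unreadable
}
foreach ($zone in ($where.Keys | Sort-Object)) {
    $flag = if ($where[$zone].Count -gt 1) { '   <-- DUPLICATE (event 4515)' } else { '' }
    '{0,-32} {1}{2}' -f $zone, ($where[$zone] -join ' | '), $flag
}
# 2. Events 40960/40961: Kerberos rejects tickets when clocks differ by more than
#    the tolerance. w32tm /stripchart prints one "hh:mm:ss, +SS.ffffffs" line per sample.
foreach ($dc in $DCs) {
    $out = w32tm /stripchart "/computer:$dc" /samples:1 /dataonly 2>&1 | Out-String
    if ($out -match ',\s*([+-]\d+\.\d+)s') {
        $skew  = [math]::Abs([double]$matches[1])
        $state = if ($skew -gt $MaxSkewSeconds) { 'OUT OF TOLERANCE' } else { 'ok' }
        'clock offset to {0}: {1:N3}s ({2})' -f $dc, $skew, $state
    } else { "could not measure offset to $dc" }
}
# 3. The _msdcs zone exists for the DC GUID alias and the DC-locator SRV records;
#    plain host A records belong in the $Domain zone, so a host under _msdcs only
#    answers to its full name host._msdcs.$Domain, not to a short name plus suffix.
$checks = @("$Guid._msdcs.$Domain|CNAME", "_ldap._tcp.dc._msdcs.$Domain|SRV", "_kerberos._tcp.$Domain|SRV")
foreach ($c in $checks) {
    $name, $type = $c -split '\|'
    $ans = nslookup "-type=$type" $name 2>&1 | Out-String
    $ok  = if ($type -eq 'CNAME') { $ans -match 'canonical name' } else { $ans -match 'svr hostname' }
    '{0,-6} {1,-50} {2}' -f $type, $name, $(if ($ok) { 'found' } else { 'MISSING' })
}
```

A zone listed against two containers is the 4515 conflict; a clock offset over 300 s, or a missing GUID CNAME or SRV record, points at the Kerberos failures rather than at the _msdcs zone itself.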

Vic Russell

Thanks,

I have created the reverse zone and this is replicated between the two
servers. I still don't know what to do about the two forward lookup zones
though (_msdcs.mycompany.com and mycompany.com).

Both these zones are replicated but I don't know which one to get rid of.
The mycompany.com zone seems to be the one that resolves entries I put in to
test. However, the _msdcs.mycompany.com zone seems to be the default as far
as the NTDS settings in Active Directory Sites.

Which one is safe to remove?

Kind regards,

Vic

Ace Fekay [MVP]

Vic Russell said:
Thanks,

I have created the reverse zone and this is replicated between the two
servers. I still don't know what to do about the two forward lookup
zones though (_msdcs.mycompany.com and mycompany.com).

Both these zones are replicated but I don't know which one to get rid
of. The mycompany.com zone seems to be the one that resolves entries
I put in to test. However, the _msdcs.mycompany.com zone seems to be
the default as far as the NTDS settings in Active Directory Sites.

Which one is safe to remove?

Kind regards,

Vic


DO NOT DELETE the _msdcs zone. That is needed for forest information.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory