techguy07 asked:
DNS entries are not registered correctly on the other site's domain

Hi Guys,

My problem is this: I am setting up a child domain at Site2 that connects to Site1. From the Site2 child domain, connecting to the Site1 parent domain works just fine; I can view and browse the parent domain directory and its domain controller objects, such as users and groups.

From Site1, the parent domain, I cannot browse or view Site2's child domain objects and directory.

Site1 domain name structure
hostname: DC-Site1
Domain name: ParentDom.Local

Site1 contains an additional domain:
hostname: ADC-Site1
FQ Host Name: ADC-Site1.ParentDom.Local

Site2 domain name structure
hostname: DC-Site2
Domain name: ChildDom.ParentDom.Local

When I check the trust relationship from the Site1 parent domain Active Directory and try to validate it, or try a new trust, it prompts:

"Windows cannot find the domain controller for the DC-Site2.ParentDom.Local. Verify that a DC is available and try again"

My configuration:
Site1: DNS and IP settings
IP: 192.168.1.2/24
GW: 192.168.1.1
DNS:
preferred DNS: 192.168.1.2
alternate DNS: 192.168.2.2
WINS: 192.168.1.2, 192.168.2.2
Site1 DNS allows dynamic updates.

Site2 configuration
Site2: DNS and IP settings
IP: 192.168.2.2/24
GW: 192.168.2.1
DNS:
preferred DNS: 192.168.2.2
alternate DNS: 192.168.1.2
WINS: 192.168.2.2, 192.168.1.2
DNS: "Append these DNS suffixes (in order)" is enabled with the Site1 (parent domain) domain name, in order to be able to ping by name.
Site2 DNS allows dynamic updates, and a forwarder is enabled: IP 192.168.1.2

Then I ran netdiag /l /test:dns on Site1; the output is:

--------------------------------------------------------------------------------------------------
    PASS - All the DNS entries for DC are registered on DNS server '192.168.1.2' and other DCs also have some of the names registered.
    [WARNING] The DNS entries for this DC are not registered correctly on DNS server '192.168.2.2'. Please wait for 30 minutes for DNS server replication.

The command completed successfully
--------------------------------------------------------------------------------------------------

Then I ran netdiag /l /test:dns on Site2; the output is:

--------------------------------------------------------------------------------------------------
    PASS - All the DNS entries for DC are registered on DNS server '192.168.2.2'.
    [WARNING] The DNS entries for this DC are not registered correctly on DNS server '192.168.1.2'. Please wait for 30 minutes for DNS server replication.

The command completed successfully
--------------------------------------------------------------------------------------------------

I ran DCDIAG.EXE /v on Site2; the output is:

--------------------------------------------------------------------------------------------------
DC Diagnosis

Performing initial setup:
   * Verifing that the local machine DC-Site2, is a DC.
   * Connecting to directory service on server DC-Site2.
   * Collecting site info.
   * Identifying all servers.
   * Found 3 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial non skippeable tests

   Testing server: Default-First-Site-Name\DC-Site2
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... DC-Site2 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC-Site2
      Starting test: Replications
         * Replications Check
         [Replications Check,ADC-Site1] DsReplicaGetInfo(REPSTO) failed with error 8453,
         Replication access was denied..
         [Replications Check,ADC-Site1] DsReplicaGetInfo(REPSTO) failed with error 8453,
         Replication access was denied..
         ......................... DC-Site2 passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions Check for
           DC=ChildDom,DC=ParentDom.Local
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=ParentDom.Local
         * Security Permissions Check for
           CN=Configuration,DC=ParentDom.Local
         ......................... DC-Site2 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         ......................... DC-Site2 passed test NetLogons
      Starting test: Advertising
         The DC DC-Site2 is advertising itself as a DC and having a DS.
         The DC DC-Site2 is advertising as an LDAP server
         The DC DC-Site2 is advertising as having a writeable directory
         The DC DC-Site2 is advertising as a Key Distribution Center
         The DC DC-Site2 is advertising as a time server
         ......................... DC-Site2 passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
         Role Domain Owner = CN=NTDS Settings,CN=AD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
         Role PDC Owner = CN=NTDS Settings,CN=DC-Site2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
         Role Rid Owner = CN=NTDS Settings,CN=DC-Site2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC-Site2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
         ......................... DC-Site2 passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 1603 to 1073741823
         * DC-Site2.ChildDom.ParentDom.Local is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 1103 to 1602
         * rIDNextRID: 1108
         * rIDPreviousAllocationPool is 1103 to 1602
         ......................... DC-Site2 passed test RidManager
      Starting test: MachineAccount
         * SPN found :LDAP/DC-Site2.ChildDom.ParentDom.Local/ChildDom.ParentDom.Local
         * SPN found :LDAP/DC-Site2.ChildDom.ParentDom.Local
         * SPN found :LDAP/DC-Site2
         * SPN found :LDAP/DC-Site2.ChildDom.ParentDom.Local/ChildDom
         * SPN found :LDAP/e1688926-75af-4442-a9c6-0c67a9d58e16._msdcs.ParentDom.Local
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/e1688926-75af-4442-a9c6-0c67a9d58e16/ChildDom.ParentDom.Local
         * SPN found :HOST/DC-Site2.ChildDom.ParentDom.Local/ChildDom.ParentDom.Local
         * SPN found :HOST/DC-Site2.ChildDom.ParentDom.Local
         * SPN found :HOST/DC-Site2
         * SPN found :HOST/DC-Site2.ChildDom.ParentDom.Local/ChildDom
         * SPN found :GC/DC-Site2.ChildDom.ParentDom.Local/ParentDom.Local
         ......................... DC-Site2 passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: RPCLOCATOR
         * Checking Service: w32time
         * Checking Service: TrkWks
         * Checking Service: TrkSvr
         * Checking Service: NETLOGON
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         ......................... DC-Site2 passed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         DC-Site2 is in domain DC=ChildDom,DC=ParentDom.Local
         Checking for CN=DC-Site2,OU=Domain Controllers,DC=ChildDom,DC=ParentDom.Local in domain DC=ChildDom,DC=ParentDom.Local on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=DC-Site2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local in domain CN=Configuration,DC=ParentDom.Local on 1 servers
            Object is up-to-date on all servers.
         ......................... DC-Site2 passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service Event log test
         The SYSVOL has been shared, and the AD is no longer
         prevented from starting by the File Replication Service.
         ......................... DC-Site2 passed test frssysvol
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minutes.
         ......................... DC-Site2 passed test kccevent
      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 07/15/2006   19:09:54
            Event String: Driver Samsung CLP-500 Series required for
printer __ADC-Site1_Samsung CLP-500 Series is unknown.
Contact the administrator to install the driver
before you log in again.
         ......................... DC-Site2 failed test systemlog

   Running enterprise tests on : ParentDom.Local
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         ......................... ParentDom.Local passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\AD.ParentDom.Local
         Locator Flags: 0xe00003fd
         PDC Name: \\DC-Site2.ChildDom.ParentDom.Local
         Locator Flags: 0xe00001f9
         Time Server Name: \\DC-Site2.ChildDom.ParentDom.Local
         Locator Flags: 0xe00001f9
         Preferred Time Server Name: \\DC-Site2.ChildDom.ParentDom.Local
         Locator Flags: 0xe00001f9
         KDC Name: \\DC-Site2.ChildDom.ParentDom.Local
         Locator Flags: 0xe00001f9
         ......................... ParentDom.Local passed test FsmoCheck
--------------------------------------------------------------------------------------------------

My questions:

Question 1

DCDIAG test

   Testing server: Default-First-Site-Name\DC-Site2
      Starting test: Replications
         * Replications Check
         [Replications Check,ADC-Site1] DsReplicaGetInfo(REPSTO) failed with error 8453,
         Replication access was denied..
         [Replications Check,ADC-Site1] DsReplicaGetInfo(REPSTO) failed with error 8453,
         Replication access was denied..
         ......................... DC-Site2 passed test Replications

How to fix this?


Question 2

What steps do I need to take in order for Site1 to be able to view the Site2 child domain objects, and the trust?
Site2 can alternatively log on to Site1 (ParentDom.Local) from Site2,
but Site1 cannot log on to ChildDom from Site1.

As far as my DNS configuration goes, I can ping both sides by name;
the only problem is that Site1 cannot contact the Site2 domain.

Let me know if I can provide any other information.


Thanks a bunch!
techguy07 (asker):

Another question: how do I correctly register DNS for this type of error message?

    PASS - All the DNS entries for DC are registered on DNS server '192.168.2.2'.
    [WARNING] The DNS entries for this DC are not registered correctly on DNS server '192.168.1.2'. Please wait for 30 minutes for DNS server replication.

The command completed successfully

Do I run NETDIAG /FIX?

I believe I ran this test on the ParentDom of Site1, and I think it caused some changes in Active Directory Sites and Services. It looks like it removed the DNS host name for the Site2 DC (DC-Site2.ChildDom.ParentDom.Local) within the DC-Site2 AD Sites and Services (default site), and it caused some problems, but I fixed it with ADSIEdit.
I just ran the DCDIAG /V test on the Site1 ParentDom.Local and I get the failure message for this service. All other services passed:

      Starting test: frsevent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 07/15/2006   10:28:07
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800034C5
            Time Generated: 07/15/2006   10:28:57
            (Event String could not be retrieved)
         ......................... AD failed test frsevent

How do I fix it, and why did it happen? Is this problem major?
This is a full DCDiag test on Site1:

Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine DC-Site1, is a DC.
   * Connecting to directory service on server DC-Site1.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 3 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\DC-Site1
      Starting test: Connectivity
         * Active Directory LDAP Services Check
            *** Warning: could not confirm the identity of this server in
               the directory versus the names returned by DNS servers.
               If there are problems accessing this directory server then
               you may need to check that this server is correctly registered
               with DNS
         * Active Directory RPC Services Check
         ......................... DC-Site1 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC-Site1
      Starting test: Replications
         * Replications Check
         [DC-Site2] DsBindWithSpnEx() failed with error 1722,
         The RPC server is unavailable..
         Printing RPC Extended Error Info:
         Error Record 1, ProcessID is 1876 (DcDiag)
            System Time is: 7/16/2006 3:6:45:437
            Generating component is 8 (winsock)
            Status is 1722: The RPC server is unavailable.
            Detection location is 322
         Error Record 2, ProcessID is 1876 (DcDiag)
            System Time is: 7/16/2006 3:6:45:437
            Generating component is 8 (winsock)
            Status is 11001: No such host is known.
            Detection location is 320
            NumberOfParameters is 1
            Unicode string: e1688926-75af-4442-a9c6-0c67a9d58e16._msdcs.ParentDom.Local
         * Replication Latency Check
            CN=Schema,CN=Configuration,DC=ParentDom.Local
               Latency information for 4 entries in the vector were ignored.
                  4 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).
            CN=Configuration,DC=ParentDom.Local
               Latency information for 4 entries in the vector were ignored.
                  4 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).
            DC=ParentDom.Local
               Latency information for 4 entries in the vector were ignored.
                  4 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).
            DC=ChildDom,DC=ParentDom.Local
               Latency information for 1 entries in the vector were ignored.
                  0 were retired Invocations.  1 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).
         * Replication Site Latency Check
         ......................... DC-Site1 passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC DC-Site1.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=ParentDom.Local
            (NDNC,Version 2)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=ParentDom.Local
            (NDNC,Version 2)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=ParentDom.Local
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=ParentDom.Local
            (Configuration,Version 2)
         * Security Permissions Check for
           DC=ParentDom.Local
            (Domain,Version 2)
         * Security Permissions Check for
           DC=ChildDom,DC=ParentDom.Local
            (Domain,Version 1)
         ......................... DC-Site1 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\DC-Site1\netlogon
         Verified share \\DC-Site1\sysvol
         ......................... DC-Site1 passed test NetLogons
      Starting test: Advertising
         The DC DC-Site1 is advertising itself as a DC and having a DS.
         The DC DC-Site1 is advertising as an LDAP server
         The DC DC-Site1 is advertising as having a writeable directory
         The DC DC-Site1 is advertising as a Key Distribution Center
         The DC DC-Site1 is advertising as a time server
         The DS DC-Site1 is advertising as a GC.
         ......................... DC-Site1 passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=DC-Site1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
         Role Domain Owner = CN=NTDS Settings,CN=DC-Site1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
         Role PDC Owner = CN=NTDS Settings,CN=DC-Site1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
         Role Rid Owner = CN=NTDS Settings,CN=DC-Site1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC-Site1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
         ......................... DC-Site1 passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 4603 to 1073741823
         * DC-Site1.ParentDom.Local is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 1603 to 2102
         * rIDPreviousAllocationPool is 1603 to 2102
         * rIDNextRID: 1788
         ......................... DC-Site1 passed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC DC-Site1 on DC DC-Site1.
         * SPN found :LDAP/DC-Site1.ParentDom.Local/ParentDom.Local
         * SPN found :LDAP/DC-Site1.ParentDom.Local
         * SPN found :LDAP/DC-Site1
         * SPN found :LDAP/DC-Site1.ParentDom.Local/ParentDom.Local
         * SPN found :LDAP/5bbdf621-c1a9-4127-acae-655515f7961e._msdcs.ParentDom.Local
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/5bbdf621-c1a9-4127-acae-655515f7961e/ParentDom.Local
         * SPN found :HOST/DC-Site1.ParentDom.Local/ParentDom.Local
         * SPN found :HOST/DC-Site1.ParentDom.Local
         * SPN found :HOST/DC-Site1
         * SPN found :HOST/DC-Site1.ParentDom.Local/ParentDom.Local
         * SPN found :GC/DC-Site1.ParentDom.Local/ParentDom.Local
         ......................... DC-Site1 passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... DC-Site1 passed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         DC-Site1 is in domain DC=ParentDom.Local
         Checking for CN=DC-Site1,OU=Domain Controllers,DC=ParentDom.Local in domain DC=ParentDom.Local on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=DC-Site1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local in domain CN=Configuration,DC=ParentDom.Local on 1 servers
            Object is up-to-date on all servers.
         ......................... DC-Site1 passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... DC-Site1 passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         An Warning Event occured.  EventID: 0x800034C4
            Time Generated: 07/15/2006   10:28:07
            (Event String could not be retrieved)
         An Warning Event occured.  EventID: 0x800034C5
            Time Generated: 07/15/2006   10:28:57
            (Event String could not be retrieved)
         ......................... DC-Site1 failed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minutes.
         ......................... DC-Site1 passed test kccevent
      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 07/15/2006   20:02:02
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 07/15/2006   20:02:03
            (Event String could not be retrieved)
         ......................... DC-Site1 failed test systemlog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=DC-Site1,OU=Domain Controllers,DC=ParentDom.Local and backlink on
         CN=DC-Site1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
         are correct.
         The system object reference (frsComputerReferenceBL)
         CN=DC-Site1,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=ParentDom.Local
         and backlink on CN=DC-Site1,OU=Domain Controllers,DC=ParentDom.Local are correct.
         The system object reference (serverReferenceBL)
         CN=DC-Site1,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=ParentDom.Local
         and backlink on
         CN=NTDS Settings,CN=DC-Site1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ParentDom.Local
         are correct.
         ......................... DC-Site1 passed test VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : ParentDom.Local
      Starting test: CrossRefValidation
         ......................... ParentDom.Local passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ParentDom.Local passed test CheckSDRefDom

   Running enterprise tests on : ParentDom.Local
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         ......................... ParentDom.Local passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\DC-Site1.ParentDom.Local
         Locator Flags: 0xe00003fd
         PDC Name: \\DC-Site1.ParentDom.Local
         Locator Flags: 0xe00003fd
         Time Server Name: \\DC-Site1.ParentDom.Local
         Locator Flags: 0xe00003fd
         Preferred Time Server Name: \\DC-Site1.ParentDom.Local
         Locator Flags: 0xe00003fd
         KDC Name: \\DC-Site1.ParentDom.Local
         Locator Flags: 0xe00003fd
         ......................... ParentDom.Local passed test FsmoCheck
      Test omitted by user request: DNS
      Test omitted by user request: DNS
Please review the Site1 DCDIAG log and show me what I need to fix. I believe there is 1 warning and 2 errors on the Repl
Netman66:
To set this up  properly, normally the following are done:

1)  Set the root DC (in the parent) to sync with an external time source.  http://www.windowsnetworking.com/articles_tutorials/Configuring-Windows-Time-Service.html

2)  Make sure there are absolutely NO ISP DNS addresses on ANY network interface inside your LAN (both main and remote sites).  The only place to put this address is on the Forwarder tab of EACH DNS server you have.

3)  On the parent DNS server, the _msdcs.parentdom.local zone should be AD Integrated, accept Secure Dynamic Updates and replicate to all DNS servers in the FOREST.

4)  On the parent DNS server, the parentdom.local zone should be AD Integrated, accept Secure Dynamic Updates and replicate to all DNS servers in the DOMAIN.

5)  On the Forwarder tab of the parent DNS server, you set up Conditional Forwarding for the child domain.  Point this to the DNS server in the child domain.

6)  On the child domain DNS server, the child.parentdom.local zone should be AD Integrated, accept Secure Dynamic Updates and replicate to all DNS servers in the domain.

7)  On the child domain DNS server, set up Conditional Forwarding so the parentdom.local queries are sent to the parent DNS server.

8)  Point the main site clients and servers to the main site DNS and any secondary you may also have.  NO ISP addresses here.

9)  Point the remote site clients and servers to the remote site's DNS only.  Use only local secondaries - do not point them to the main site as a secondary since it has no idea what is part of the child domain.

10)  If any server has 2 NICs, make sure the LAN-side card is at the top of the binding order and both DNS and DHCP (if you run it) are servicing only that interface.

Once all this is correct, restart the Netlogon service on each server then run IPCONFIG /flushdns and IPCONFIG /registerdns from the CMD prompt on each server.

Check DNS carefully now to ensure all SRV records are present in the correct domains.  Remove any entries for servers that are in the wrong zones.

Wait a while for KCC to recalculate topology and start FRS working properly.

Let us know.
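A checklist like the one above is easiest to verify with a script. The following PowerShell is an added example, not code from the thread or from Netman66; it assumes a current Windows Server with the DnsClient and DnsServer modules (the thread's 2000/2003 servers would do the same checks with nslookup and dnscmd), takes the two internal DNS addresses and the example zone names from the thread, and the Test-ParentChildDns function and $ExpectedForwarder table are this example's own.

```powershell
# Added example: verify the parent/child DNS layout from the checklist on the DC it runs on.
# Assumed values taken from the thread (example zone names, the two internal DNS servers).
$ParentZone  = 'parentdom.local'
$ChildZone   = 'childdom.parentdom.local'
$InternalDns = @('192.168.1.2', '192.168.2.2')

# Which conditional forwarder this server must carry (steps 5 and 7). As written this is
# the parent DNS server's view; on the child DNS server swap to
# @{ Zone = $ParentZone; Master = '192.168.1.2' }.
$ExpectedForwarder = @{ Zone = $ChildZone; Master = '192.168.2.2' }

function Test-ParentChildDns {
    $problems = New-Object System.Collections.Generic.List[string]

    # Steps 2, 8, 9: every IPv4 interface lists internal DNS servers only, never an ISP address.
    foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
        foreach ($srv in $cfg.ServerAddresses) {
            if ($InternalDns -notcontains $srv) {
                $problems.Add("interface '$($cfg.InterfaceAlias)' uses non-internal DNS server $srv")
            }
        }
    }

    # Steps 3, 4, 6: the DC locator records for BOTH domains must resolve from this server.
    # netdiag's 'not registered correctly' and dcdiag's 'No such host is known' on an
    # _msdcs name both come from these records being missing or unreachable.
    $locatorRecords = foreach ($zone in $ParentZone, $ChildZone) {
        "_ldap._tcp.dc._msdcs.$zone"
        "_kerberos._tcp.dc._msdcs.$zone"
    }
    foreach ($name in $locatorRecords) {
        $answer = Resolve-DnsName -Name $name -Type SRV -DnsOnly -ErrorAction SilentlyContinue
        if (-not ($answer | Where-Object { $_.Type -eq 'SRV' })) {
            $problems.Add("SRV record $name does not resolve")
        }
    }

    # Steps 5 and 7: a conditional forwarder for the other domain points at that domain's DNS server.
    $fwd = Get-DnsServerZone -Name $ExpectedForwarder.Zone -ErrorAction SilentlyContinue
    if (-not $fwd -or $fwd.ZoneType -ne 'Forwarder') {
        $problems.Add("no conditional forwarder zone for $($ExpectedForwarder.Zone)")
    }
    elseif ($fwd.MasterServers.IPAddressToString -notcontains $ExpectedForwarder.Master) {
        $problems.Add("forwarder for $($ExpectedForwarder.Zone) does not point at $($ExpectedForwarder.Master)")
    }

    return $problems
}

$result = Test-ParentChildDns
if ($result.Count -eq 0) {
    Write-Output 'DNS layout matches the parent/child checklist.'
}
else {
    $result | ForEach-Object { Write-Output "PROBLEM: $_" }
    # After fixing the problems listed, re-register this DC's records as the checklist ends:
    #   Restart-Service Netlogon; ipconfig /flushdns; ipconfig /registerdns
}
```

Run it once on the parent DC and once (with $ExpectedForwarder swapped) on the child DC; a clean run on both sides is what dcdiag's Connectivity and Replications tests need before the trust can be validated.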
2)  Make sure there are absolutely NO ISP DNS addresses on ANY network interface inside your LAN (both main and remote sites).  The only place to put this address is on the Forwarder tab of EACH DNS server you have.

----------------------------------------------

The only place to put this address is on the Forwarder ...

Do you mean the ISP DNS, if I prefer? Or the internal DNS of each domain in which I am hosting Active Directory integrated DNS?
The ISP DNS.

Do not forward between your domains.  It's needless bandwidth.  Just forward directly from each DNS server to the ISP.  The Conditional Forwarding I mentioned above will take care of the other domains.

I notice that if I don't put 192.168.1.2 (Site1 DNS) in the ParentDom - properties - DNS Forwarder for the Site2 domain, then when I do DCDIAG /v I get a CONNECTIVITY FAILURE in the output. So to make this clear, I should put an external DNS in the forwarder? I don't use any external DNS...

And if I don't manually put parentdom.local in "Append these DNS suffixes (in order)" in the Site2 TCP/IP DNS settings, then it cannot ping by name. Do I really have to put parentdom.local as a DNS suffix?


6)  On the child domain DNS server, the child.parentdom.local zone should be AD Integrated, accept Secure Dynamic Updates and replicate to all DNS servers in the domain.
(I checked the child.parentdom.local zone: it is AD integrated with secure updates only, but there is no "replicate to all DNS servers in the domain"; I am running Windows 2000 Advanced Server in the Site2 child domain.)
----------------------------------------------------
8)  Point the main site clients and servers to the main site DNS and any secondary you may also have.  NO ISP addresses here.

9)  Point the remote site clients and servers to the remote site's DNS only.  Use only local secondaries - do not point them to the main site as a secondary since it has no idea what is part of the child domain.

I don't get #8 and #9.
Do you mean from the TCP/IP DNS properties? I don't put the DNS IP of each server, just the DNS IP of the server's own domain?
Let's say in the Site1 DNS properties I put 192.168.1.2 and not 192.168.2.2?
And the same for the Site2 DNS properties: I put 192.168.2.2 and not 192.168.1.1?
----------------------------------------------------
How about "Append these DNS suffixes (in order)"?
I forgot to mention that we have an IP TABLES (NETFILTER) firewall proxy running... I don't know if this affects the settings... somehow Site2 can access and log on to parentdom.local,
but Site1 cannot log on to child.parentdom.local...
The only thing is that when I view the security properties of an object from the Site1 parentdom.local,
such as:
DNS - Site1-DC - Forward Lookup Zone - _msdcs.parentdom.local - properties, security,
I can see the correct name for the child domain group, e.g. Site2-DC$ (CHILDDOM\SITE2-DC$)
and/or
when I go to
Active Directory Sites and Services
Sites
Default-First-Site-Name
Servers
ChildDom
NTDS Settings
<Automatic Generated> Site1-DC Default-First-Site-name
Properties - Security - Domain Admins (ChildDom\Domain admins)

When I click Add and browse for the location parentdom.local - ChildDom.Local,
I cannot view the directory or find the names or groups.

I don't understand why it can show the (ChildDom\Domain admins) group but cannot find the domain.
So can I use any ISP DNS, or do I have to use my ISP's DNS?
5)  On the Forwarder tab of the parent DNS server, you setup Conditional Forwarding for the child domain.  Point this to the DNS server in the child domain
     Does this mean that on the PARENT DNS SERVER I put a DNS forwarder of 192.168.2.2?
7)  On the child domain DNS server, setup Conditional Forwarding so the parentdom.local queries are sent to the parent DNS server.
     And from Child DOMAIN DNS, i put 192.168.1.2?

so i can put ISP DNS in these forwarder?
I get it, on the Site1 parentdom.local DNS server properties, FORWARDER TAP... NEW DNS DOMAIN -
type - CHILDDOM.PARENTDOM.LOCAL -> hightlight childom.parentdom.local
and enter the ip ex: 192.168.2.2 ?

On the Site2 ChildDom.ParentDom.Local (widows 2000 base) DNS Server properties doesnt have DNS DOmain like windows 2003 in site1


From Site2-DC's TCP/IP properties, DNS settings, I took off the DC-Site1 DNS 192.168.1.2 and the "Append these DNS suffixes (in order)" entry, and now I cannot ping Site2-DC by name....
I forgot to mention that I am using a single-label domain, e.g. parentdom, not parent.local. Can this be a problem?
Absolutely, it makes a huge difference.

You need to configure DNS to allow registering single-label names.

http://support.microsoft.com/kb/300684/en-us
Sorry, could you give me clearer instructions on what I should do with the DNS registration of single-label names?

Currently, on my Site1-DC (Windows 2003) I have enabled the GPO to allow top-level domain updates, but my Windows XP client did not successfully register with the Windows 2003 DNS in the forward lookup zone.

As for the modification, I don't understand this part... on which computer should I do this step?
On a Windows 2003/2000 based server, or on the Windows XP/2000 clients?

1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
3. In the right pane, locate the AllowSingleLabelDnsDomain entry. If the AllowSingleLabelDnsDomain entry does not exist, follow these steps:
a.  On the Edit menu, point to New, and then click DWORD Value.
b.  Type AllowSingleLabelDnsDomain as the entry name, and then press ENTER.

4. Double-click the AllowSingleLabelDnsDomain entry.
5. In the Value data box, type 1, and then click OK.
6. Quit Registry Editor.
My ChildDom is Windows 2000 based, so it should work with a single label... right?
Sorry, now I want to demote my ChildDom, but I cannot demote the child domain.
It says:
"The operation failed because:
The directory service failed to replicate off changes made locally.

The DSA operation is unable to proceed because of DNS lookup failure."

What steps do I follow, and how do I manually demote it so I can reinstall Active Directory?

And how do I completely remove the child domain from ParentDom, and any related files in ParentDom?


Thanks for trying to help!
Point it back to the parent DNS server.

Point what back to the parent DNS? Can you give me clearer instructions?

Thanks
The child domain controller should have the Primary DNS server set to the parent's DNS server for the last DC in that domain to be able to be demoted.

I did set the child domain to the ParentDom primary DNS server, but somehow I cannot demote it... it keeps saying DNS lookup failure.

How do I manually demote the child? Or do I just follow this page and then I can remove it?

http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Run DCPROMO /forceremoval.

Then follow this guide to remove all traces of the old domain and domain controllers:

http://support.microsoft.com/kb/216498/en-us
nvm, it was simple, I just removed the forwarder from the child domain DNS.
Why would that make a difference?  If the primary was set to the parent DNS it should never have been looking to the Forwarder.  Where was it pointing?

Up to this point, I guess my DNS configuration was not right....
I don't know why, but if I don't put the ParentDom IP address in the child domain DNS forwarder, then I get CONNECTIVITY FAILURE in the DCDIAG.EXE /v test,
so I have to put it there somehow.

OK... here is my detailed configuration. Please tell me what I'm doing wrong, OK? I really appreciate your professional service and time.

Scenario:
Site1
hostname: DC-Site1
domain: ParentDom
TCP/IP Configuration:
IP: 192.168.1.2/24
gw: 192.168.1.1
Preferred DNS: 192.168.1.2
Alternate DNS: 192.168.1.3
Alternate DNS: 192.168.2.2 (DC-Site2 DNS)

DNS: allow zone transfer to 192.168.1.3
DNS settings are default, just like you described above
Secure Only Dynamic Updates... etc.
----------------------------
Additional Domain Controller (Backup DC)
hostname: ADC-Site1
domain: ParentDom
TCP/IP Configuration
IP: 192.168.1.3/24
gw: 192.168.1.1
Preferred DNS: 192.168.1.2
Alternate DNS: 192.168.1.3
Alternate DNS: 192.168.2.2 (DC-Site2 DNS)
DNS: contained a secondary backup DNS of site1
----------------------------

Site2
hostname: DC-Site2
domain: ChildDom.ParentDom
TCP/IP Configuration:
IP: 192.168.2.2/24
gw: 192.168.2.1
Preferred DNS: 192.168.2.2
Alternate DNS: 192.168.1.2 (DC-Site1 DNS)
DNS settings are default, just like you described above
Secure Only Dynamic Updates... etc.
----------------------------

I ran DCPROMO:
Domain Controller for a new domain -> Create a child domain in an existing domain tree, and so on...
It asked for DNS --> I chose "Install and configure DNS automatically".

That's it?
This isn't necessary:

DNS: allow zone transfer to 192.168.1.3

On Site one DNS since all zones should be AD Integrated.

I think part of the reason we're having issues is that the child domain DNS is Windows 2000.  The Zones are not the same at all.  Replication to all zones in the Forest is a function of 2003 DNS only.

In order to make this work (the easiest way) would be to use a 2003 DNS server in the child domain.

Other than that, Forwarding to the parent or making ALL zones Primary (non-AD Integrated) on the parent and creating Secondary zones on the child (and vice versa) would be the only other method, since 2000 and 2003 DNS use different methods to configure the way you need to.

Oh, thanks.

I just demoted it and promoted it as a new domain - a new domain tree in an existing forest. Will this work better, or the same?

Thanks Netman66 for the info...
Or should I create a new forest or domain tree?
It will probably work the same.

No, don't create a new Forest, that opens up a whole new set of problems.

On the parent domain, change the _msdcs.parentdomain.local zone to Primary (non-AD Integrated).
On the child domain, create a new Secondary zone the same as the parent _msdcs zone.
Accept zone transfers from the parent DNS server.
Go back to the parent DNS server and allow zone transfers to the child.

This should take care of the _msdcs zone.

You can add a Delegation record on the child DNS for the parentdomain.local domain then point it to the parent DNS server.

You can also add a Delegation record on the parent DNS server for the child domain and point it to the child DNS server.

This should get the zones in order.

You may need to do the same for the Reverse Zone also.

NM
Thanks for the update, I'll give it a try and let you know.
Alternatively,
can I promote Active Directory on Site2 to be an
additional domain controller for an existing domain,
host the GC there, and have everyone from Site2 log on using the DC-Site2 domain controller?
Will it help with the bandwidth?

And what about placing an Exchange server in Site2 on the additional domain controller?
ASKER CERTIFIED SOLUTION
Netman66
So that means it replicates within Site2, and uses less bandwidth, right?
And for Exchange, what steps do I follow to install Exchange in Site2 as a secondary Exchange server, and replicate (and hold) only certain users and mailboxes in Site2, so that it doesn't replicate the entire mailbox store from Site1?
Not necessarily.  After you initially join the server it will use up some bandwidth to replicate, but it should drop down to nearly nothing after a short period.

You should make it a GC and also install DNS.  Make sure all zones (except the _msdcs zone) are AD Integrated.  Then simply install DNS on the remote server and do nothing else (install it after a successful DCPROMO).   Replication will create and populate all the zones except the _msdcs zone.

Create the _msdcs (secondary) zone manually and set it up to zone transfer from the main DNS server.

Since 2003 uses the application partition for the _msdcs zone it will NOT replicate to the 2000 DNS server as it normally is installed by default.

Exchange won't replicate anything.  You can get away with using the main Exchange server for a small amount of users on the remote site.  It may be a lot less complicated.

OK, thanks.
Right, so I don't need to install Exchange on the remote site?
That's a lot less complicated... Thanks...
I gained more experience from this forum...
I wouldn't think it would be necessary if there aren't too many users.

With the domain being the same now, it'll be much easier to setup and maintain with one Exchange server.

How many users are in the remote site?
less than 10
No issue that I can see.

What is the user limitation?

And a follow-up:

Create the _msdcs (secondary) zone manually and set it up to zone transfer from the main DNS server.

From the Site2 DNS, I created a secondary zone named
_msdcs.parentdom
and allowed zone transfer to 192.168.2.2 (remote site).
I cannot transfer from the master.
You need to change the zone on the parent to a standard Primary.  Then enable zone transfers from the parent to the child.

User limitation depends on link bandwidth.  Ten users shouldn't be too bad on even a T1.
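The parent-Primary / child-Secondary setup for the _msdcs zone that Netman66 describes here and earlier in the thread, as an added example (not posted by anyone in the thread) using dnscmd from the Windows 2000/2003 Support Tools. It assumes the thread's addresses (DC-Site1 = 192.168.1.2 as the parent DNS, DC-Site2 = 192.168.2.2) and the single-label zone name _msdcs.parentdom:

```batch
@echo off
REM Added example, not from the thread. Assumed values from the thread:
REM parent DNS = DC-Site1 (192.168.1.2), remote DNS = DC-Site2 (192.168.2.2),
REM _msdcs zone = _msdcs.parentdom (single-label domain, as in the thread).
set PARENT_DNS=192.168.1.2
set CHILD_DNS=192.168.2.2
set MSDCS_ZONE=_msdcs.parentdom

REM --- On the parent DNS server (DC-Site1) ---
REM 1. Convert the AD-integrated _msdcs zone to a standard, file-backed Primary,
REM    since the 2003 application partition never replicates to a 2000 DNS server.
dnscmd %PARENT_DNS% /ZoneResetType %MSDCS_ZONE% /Primary /file %MSDCS_ZONE%.dns

REM 2. Allow zone transfers ONLY to the remote DNS server and notify it of changes
REM    (a transfer list of "any server" would hand the whole DC locator map to anyone).
dnscmd %PARENT_DNS% /ZoneResetSecondaries %MSDCS_ZONE% /SecureList %CHILD_DNS% /NotifyList %CHILD_DNS%

REM --- On the remote DNS server (DC-Site2) ---
REM 3. Create the Secondary copy that pulls from the parent.
dnscmd %CHILD_DNS% /ZoneAdd %MSDCS_ZONE% /Secondary %PARENT_DNS%

REM 4. Force an immediate transfer instead of waiting for the SOA refresh interval.
dnscmd %CHILD_DNS% /ZoneRefresh %MSDCS_ZONE%

REM --- Verify: the DC locator SRV record must resolve from BOTH servers. ---
REM "Cannot transfer from master" shows up here as an empty or failed answer
REM from the remote server while the parent still answers.
nslookup -type=SRV _ldap._tcp.dc.%MSDCS_ZONE% %PARENT_DNS%
nslookup -type=SRV _ldap._tcp.dc.%MSDCS_ZONE% %CHILD_DNS%
dnscmd %CHILD_DNS% /ZoneInfo %MSDCS_ZONE%
```

A standard Primary zone cannot use the "Secure only" dynamic update setting that the AD-integrated zone had, so after the conversion check the zone's dynamic update setting on the parent and keep it as restrictive as the DCs' registration still allows.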

Oh, thanks for the info.

I just checked my ParentDom in Active Directory Users and Computers:
Operations Master ERROR on the first box...
and the second box shows DC-Site2.ParentDom.
RID - PDC - Infrastructure
Operations Master (ERROR)
The current operations master is offline. The role cannot be transferred. CHANGE button
DC-Site2.ParentDom

Should I click Change so that the parent domain holds all the server roles?
Note that I installed it as an additional domain controller in an existing domain... not a child domain.
On the parent domain, if you have the Resource Kit installed on one of the DCs, then run:

dumpfsmos <servername>    <= where <servername> is the name of your DC.

Check for all 5 roles in the output.