Microsoft, DNS, AD Integrated Primary Zone Replication Scope

Posted on 2007-10-15
Medium Priority
Last Modified: 2008-06-28
We have a multi-site network, each remote site running a child domain of the parent domain which is based at headquarters, e.g. parent 'colour.com' and the children e.g. 'red.colour.com', 'green.colour.com' etc.  All are AD Integrated Primary Zones, the parent being set to replicate to all DNS servers in the AD Forest and the children set on their own servers to replicate to DNS servers in their own child domain - - well that's the way it is planned.  The problem is that the parent zone 'colour.com' in one of the child domains is only set to replicate to the DNS servers in its own child domain (one other server), so hence is not picking up records from the rest of the forest.  I'm guessing that it was changed from forest replication at some point, because otherwise, how else did it get there?  Is it OK to just try to change the replication scope of this zone on the child domain's server to replicate to the forest? (FYI the serial number for this zone in this one child domain is way down on the zones in the other domains)
Question by:gearbulk

Expert Comment

ID: 20077694
My best guess is that someone inadvertently created the parent zone 'colour.com' (well spelt by the way ;0) on the child DC-DNS server (that is just a guess though).  Since it appears they may have created it in a different NC (naming context or partition if you prefer), Active Directory does not perceive any conflict; DNS does.  The DNS server's decision-making criteria for which zone to service in the event it sees two same-named zones in different places (i.e. the other zone is ignored completely) are lacking; it's whichever it sees last (no priority according to data source, no ordinal number and no control mechanism).

In your shoes, I would suggest that you do the following (NOTE - the steps here have the potential to break things) -

1. log on to an offending child DC-DNS server as a Domain Admin
2. convert the parent zone 'colour.com' (as it exists on the child DC) to a non-integrated zone
3. copy the file %windir%\system32\dns\colour.com.dns to a backup location (shouldn't really be necessary but since I'm not doing this myself, I'd rather be certain)
4. restart the child DNS server
5. verify the 'colour.com' zone is listed as non-AD integrated
6. force replication (assuming it's possible) such that the forest root DCs pull content from the child DC we've just changed
7. restart a DNS server in the forest root
8. verify that the 'colour.com' zone still exists and is AD-integrated with a valid repl. scope
9. if so, and again we're over-doing things here a bit -- using DSSITE.MSC against the child DC, 'Check the replication topology' and force replication in the opposite direction (from root to child)
10. restart the child DNS server

... what do we have now?

Author Comment

ID: 20216517
Fix we used was :-
Converted existing child zone to a "secondary" and then DELETED.  Recreated colour.com zone on child server, AD integrated applying to the entire forest.  This simply re-populates the zone from the existing information held in AD - no data is lost.
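The expert's diagnosis (a same-named copy of the root zone living in a different partition, with the DNS server silently serving whichever it loads last) and the author's fix (convert to secondary, delete, recreate forest-wide) can both be driven from PowerShell. The script below is an added example, not code from the thread; it assumes the DnsServer and ActiveDirectory RSAT modules (Windows Server 2012 or later), and the zone name 'colour.com' and DC name 'red-dc01' are placeholders standing in for the poster's names. It first audits every DC in the forest to show which partition each one's copy of the zone really lives in, then carries out the author's steps against a flagged server.

```powershell
# Added example (not from the original thread). Audits where the forest-root
# zone is stored on every DC, then applies the recreate fix the author used.
# Assumes DnsServer + ActiveDirectory RSAT modules; 'colour.com' and
# 'red-dc01' are placeholder names from the thread, not real infrastructure.
Import-Module DnsServer
Import-Module ActiveDirectory

$Zone = 'colour.com'
$forest = Get-ADForest

# Every DNS-hosting DC in the forest should serve $Zone from the same
# application partition. A copy stored in a child domain's DomainDnsZones
# (or the legacy domain NC) is the stray zone the thread describes: it never
# receives records written into the forest-wide copy, hence the low serial.
$report = foreach ($domain in $forest.Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        try {
            $z = Get-DnsServerZone -ComputerName $dc.HostName -Name $Zone -ErrorAction Stop
            [pscustomobject]@{
                DC           = $dc.HostName
                Domain       = $domain
                ZoneType     = $z.ZoneType
                DsIntegrated = $z.IsDsIntegrated
                Scope        = $z.ReplicationScope
                Partition    = $z.DirectoryPartitionName
            }
        } catch {
            # DC does not host the zone at all (or DNS is not running there)
            [pscustomobject]@{
                DC = $dc.HostName; Domain = $domain; ZoneType = '(not hosted)'
                DsIntegrated = $null; Scope = $null; Partition = $null
            }
        }
    }
}
$report | Format-Table -AutoSize

# Forest-scoped zones live in ForestDnsZones.<forest root>; anything
# AD-integrated but stored elsewhere is the outlier to fix.
$expectedPartition = "ForestDnsZones.$($forest.RootDomain)"
$stray = $report | Where-Object { $_.DsIntegrated -and $_.Partition -ne $expectedPartition }
$stray | Format-Table DC, Domain, Scope, Partition -AutoSize

# The author's fix, run per flagged server (placeholder: red-dc01).
# 1. Convert the stray copy to a file-backed secondary first, so the delete
#    in step 2 removes only this server's copy and not the zone object in AD.
#    <root DC IP> is a placeholder for a DC that hosts the forest-wide copy.
# ConvertTo-DnsServerSecondaryZone -ComputerName red-dc01 -Name $Zone `
#     -ZoneFile "$Zone.dns" -MasterServers <root DC IP> -Force
# 2. Remove the now-local copy.
# Remove-DnsServerZone -ComputerName red-dc01 -Name $Zone -Force
# 3. Recreate it AD-integrated with forest scope; as the author reports, this
#    loads the existing forest-wide data rather than starting empty.
# Add-DnsServerPrimaryZone -ComputerName red-dc01 -Name $Zone -ReplicationScope Forest
# 4. Rerun the audit above and compare SOA serials; they should converge
#    once AD replication has completed.
# Get-DnsServerResourceRecord -ComputerName red-dc01 -ZoneName $Zone -RRType Soa
```

The fix commands are left commented so the audit can be run read-only first; uncomment them only for a server the report actually flags, since running them against a DC that already serves the forest-wide copy would delete that server's only copy of the zone.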

Accepted Solution

Computer101 earned 0 total points
ID: 21890466
PAQed with points refunded (250)

EE Admin
