Microsoft, DNS, AD Integrated Primary Zone Replication Scope

Posted on 2007-10-15
Last Modified: 2008-06-28
We have a multi-site network, each remote site running a child domain of the parent domain which is based at headquarters, e.g. parent '' and the children e.g. '', '' etc.  All are AD Integrated Primary Zones, the parent being set to replicate to all DNS servers in the AD Forest and the children set on their own servers to replicate to DNS servers in their own child domain - well, that's the way it is planned.  The problem is that the parent zone '' in one of the child domains is only set to replicate to the DNS servers in its own child domain (one other server), so hence is not picking up records from the rest of the forest.  I'm guessing that it was changed from forest replication at some point, because otherwise, how else did it get there?  Is it OK to just try to change the replication scope of this zone on the child domain's server to replicate to the forest? (FYI the serial number for this zone in this one child domain is way down on the zones in the other domains)
Question by:gearbulk
    Expert Comment

    My best guess is that someone inadvertently created the parent zone '' (well spelt by the way ;0) on the child DC-DNS server (that is just a guess though).  Since it appears they may have created it in a different NC (naming context or partition if you prefer), Active Directory does not perceive any conflict; DNS does.  The DNS server's decision-making criteria for which zone to service in the event it sees two same-named zones in different places (i.e. the other zone is ignored completely) is lacking; it's whichever it sees last (no priority according to data source, no ordinal number and no control mechanism).

    In your shoes, I would suggest that you do the following (NOTE - the steps here have the potential to break things) -

    1. log on to an offending child DC-DNS server as a Domain Admin
    2. run DNSMGMT.MSC
    3. convert the parent zone '' (as it exists on the child DC) to a non-integrated zone
    4. copy the file %windir%\system32\dns\ to a backup location (shouldn't really be necessary but since I'm not doing this myself, I'd rather be certain)
    5. restart the child DNS server
    6. verify the '' zone is listed as non-AD integrated
    7. force replication (assuming it's possible) such that the forest root DCs pull content from the child DC we've just changed
    8. restart a DNS server in the forest root
    9. verify that the '' zone still exists and is AD-integrated with a valid repl. scope
    10. if so, and again we're over-doing things here a bit -- using DSSITE.MSC against the child DC, 'Check the replication topology' and force replication in the opposite direction (from root to child)
    11. restart the child DNS server

    ... what do we have now?

    Author Comment

    Fix we used was:
    Converted existing child zone to a "secondary" and then DELETED.  Recreated zone on child server, AD integrated applying to the entire forest.  This simply re-populates the zone from the existing information held in AD - no data is lost.
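    Before touching anything, it helps to see exactly which DCs hold a copy of the parent zone, in which directory partition, and with what SOA serial, since a stray copy in the child's DomainDnsZones partition with a lagging serial is the symptom described in the question. The following audit script is an added example, not something posted in the thread; it uses the DnsServer and ActiveDirectory RSAT modules (Windows Server 2012 or later), and 'parent.example' is a placeholder for the forest-root zone name.

```powershell
# Added example (not from the thread): list how every DC in the forest hosts a given zone
# and flag copies that live in a different partition than the majority.
Import-Module DnsServer
Import-Module ActiveDirectory

$ZoneName = 'parent.example'   # placeholder for the forest-root zone discussed above

# Every DC in every domain of the forest (in the thread, every DC is also a DNS server)
$dcs = (Get-ADForest).Domains | ForEach-Object {
    Get-ADDomainController -Filter * -Server $_ | Select-Object -ExpandProperty HostName
}

$report = foreach ($dc in $dcs) {
    try {
        $zone = Get-DnsServerZone -ComputerName $dc -Name $ZoneName -ErrorAction Stop
        $soa  = Get-DnsServerResourceRecord -ComputerName $dc -ZoneName $ZoneName -RRType Soa -ErrorAction Stop
        [pscustomobject]@{
            Server           = $dc
            ZoneType         = $zone.ZoneType
            IsDsIntegrated   = $zone.IsDsIntegrated
            ReplicationScope = $zone.ReplicationScope        # Forest, Domain, Legacy or Custom
            Partition        = $zone.DirectoryPartitionName  # e.g. ForestDnsZones.parent.example
            Serial           = $soa.RecordData.SerialNumber
        }
    } catch {
        # Zone not hosted here, or the server could not be reached
        [pscustomobject]@{
            Server = $dc; ZoneType = '(not hosted / unreachable)'; IsDsIntegrated = $null
            ReplicationScope = $null; Partition = $null; Serial = $null
        }
    }
}

$report | Sort-Object Server | Format-Table -AutoSize

# The partition most DCs use is taken as the intended one; anything else is a stray copy
$expected = ($report | Where-Object Partition | Group-Object Partition |
             Sort-Object Count -Descending | Select-Object -First 1).Name

$report | Where-Object { $_.Partition -and $_.Partition -ne $expected } | ForEach-Object {
    Write-Warning ("{0}: '{1}' is in partition {2} (scope {3}, serial {4}); expected {5}" -f
        $_.Server, $ZoneName, $_.Partition, $_.ReplicationScope, $_.Serial, $expected)
}
```

Run it from a workstation with RSAT as a user who can read DNS on every DC; a DC reported with a lower serial in a different partition is the copy to rebuild, as the author did.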
    Accepted Solution

    PAQed with points refunded (250)

    EE Admin
