Solved

Forward Lookup zones are getting deleted

Posted on 2008-10-14
880 Views
Last Modified: 2012-06-27
I ran the command adsiedit.msc and looked in:
DC=Domain name
CN=System
CN=MicrosoftDNS
In here I see all my forward and reverse lookup zones. I do have duplicate zones. (duplicate forward zone)
Is this normal or should I have only one?
If I should have only one, I think I found which one has the most accurate records.
Now, all I need to know is do I delete the others and do I have to do this on all my DC's or do I do it on just one and then demote all the rest and when they come up, they will replicate with the ONE who DOES NOT have duplicate zones?
0
Question by:DOCDGA
28 Comments
 
LVL 70

Expert Comment

by:Chris Dent

Where is the other zone? Presumably in either DomainDNSZones or ForestDNSZones?

You can find which zone you're using at the moment by looking at the Replication scope of the zone in the DNS console.

"All Domain Controllers in the AD Domain" is the location you found above.
"All DNS Servers in the AD Domain" is DomainDNSZones
"All DNS Servers in the AD Forest" is ForestDNSZones

Once you know which one you're using you can determine which needs to be deleted.

If you need to connect to DomainDNSZones or ForestDNSZones you would right click on the "ADSI Edit" level in adsiedit.msc and select "Connect to ...". Then type in a distinguished name (or naming context):

DC=DomainDNSZones,DC=yourdomain,DC=com
Or
DC=ForestDNSZones,DC=yourdomain,DC=com

As above, you should find they contain a MicrosoftDNS folder and any zones loaded into that partition.

Chris
0
 

Author Comment

by:DOCDGA
First of all I am looking under Domain. Not Configuration or Schema.
DC=Domain name
CN=System
CN=MicrosoftDNS
In the CN=MicrosoftDNS folder I see all my reverse lookup zones and my forward lookup zone, except there are multiple copies of my domain.
They have 7 copies of the same folder with my domain name, which IS my Domain. What I'm asking is should I see only one folder of my domain in CN=MicrosoftDNS? I was told to look in the MicrosoftDNS folder and that is where I am looking and that they may have duplicate zones. Plain and simple, what should I be seeing in CN=MicrosoftDNS?
0
 
LVL 70

Expert Comment

by:Chris Dent

You should see each forward lookup zone using the directory partition. Can you attach a screenshot of what you're seeing because duplicate zones within the same partition is impossible (the CN= portion of the name must be unique within the parent container).

What prompted you to check for duplicate zones like this? This is normally associated with a specific error logged in the event log.

Chris
0
 

Author Comment

by:DOCDGA
What made me look for this was that after the hurricanes in Louisiana we came back into the office and the power had been going up and down. We then noticed that our forward and reverse lookup zones had all disappeared. We then began rebuilding DNS from a backup copy we had. But as soon as you would make the zone ADI they would vanish. That is what started all of this. So someone responded to my problem on here and they referred me to this article.
http://support.microsoft.com/kb/867464

It talks about duplicate zones and that might cause my ADI zones to vanish.

I tried to attach a screenshot and it was too large, so I exported the data to a .txt file. I hope this will do.

Thanks for the help Chris.
list.txt
0
 
LVL 70

Expert Comment

by:Chris Dent

Each of the zones that contains:

> CNF:209de682-379b-452d-8b73-5aac4608ef7b

Is a tombstone, it represents a zone that has been deleted. It will stay until it expires; 60 days or 180 days depending on which version of Windows you build the domain with.

Are you actually getting error 4515?

And could you confirm the Replication setting for each of the zones that's troubling you in the DNS console?

Chris
0
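Added here as an example, not code from the thread or from the expert: a read-only PowerShell script that enumerates the dnsZone objects in the three storage locations described in the first reply (Domain partition, DomainDnsZones, ForestDnsZones) and flags the CNF: entries and duplicated zone names discussed above. It assumes a domain-joined host, an account that can read the directory, and derives the partition DNs from RootDSE.

```powershell
# Added example, not code from the thread: list the dnsZone objects in each of the
# three places an AD-integrated zone can live and flag CNF: entries / duplicates.
# Read-only. Assumes a domain-joined host and a domain account with read access;
# the container DNs are built from RootDSE rather than typed in.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext
$forestDn = [string]$rootDse.rootDomainNamingContext

# Storage location -> MicrosoftDNS container DN (same mapping as the replication scopes).
$locations = @(
    @('Domain partition (all DCs in the AD domain)',   "CN=MicrosoftDNS,CN=System,$domainDn"),
    @('DomainDnsZones (all DNS servers in the domain)', "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"),
    @('ForestDnsZones (all DNS servers in the forest)', "CN=MicrosoftDNS,DC=ForestDnsZones,$forestDn")
)

foreach ($loc in $locations) {
    $label = $loc[0]; $dn = $loc[1]
    Write-Host "== $label`n   $dn"
    try {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$dn")
        $searcher.Filter      = '(objectClass=dnsZone)'
        $searcher.SearchScope = 'OneLevel'
        [void]$searcher.PropertiesToLoad.Add('name')
        $results = $searcher.FindAll()
    } catch {
        # "A referral was returned from the server" here means the DC this session is
        # bound to does not hold that partition (the symptom reported in this thread).
        Write-Warning "   Cannot read ${dn}: $($_.Exception.Message)"
        continue
    }
    $byZone = @{}
    foreach ($r in $results) {
        $objName = [string]$r.Properties['name'][0]
        # Conflict-renamed objects are named "<zone><LF>CNF:<guid>"; strip the suffix so
        # the live object and its CNF: copies group under the same zone name.
        $zone = $objName -replace '\s*CNF:.*$', ''
        if (-not $byZone.ContainsKey($zone)) { $byZone[$zone] = @() }
        $byZone[$zone] += $objName
    }
    foreach ($zone in ($byZone.Keys | Sort-Object)) {
        $copies = $byZone[$zone]
        $cnf    = @($copies | Where-Object { $_ -match 'CNF:' })
        $flag   = if ($cnf.Count -gt 0) { " <- $($cnf.Count) CNF: object(s); these should age out" } else { '' }
        Write-Host ("   {0,-40} objects={1}{2}" -f $zone, $copies.Count, $flag)
    }
}
```

Run it on a 2003 DC that hosts DNS; a zone name listed with more than one object and no CNF: flag in the same container would be worth a closer look, since the CN must be unique within its parent.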
 

Author Comment

by:DOCDGA
I don't see the 4515 error, but it is the only thing that is remotely close to what is going on with my network. Can you be specific when you say confirm the Replication setting for each of the zones? Please be patient with me, I am new to this. Where do I check my replication settings for the zones?
0
 
LVL 70

Expert Comment

by:Chris Dent

Head to Administrative Tools, then open up the DNS Console.

Expand Forward Lookup Zones, then right click on the zone and select Properties.

At the top of the General tab we should see a Replication option. It'll have one of three possible values, relating to where in AD the zone you're using is actually stored.

I expect it to say "To all Domain Controllers in the Active Directory Domain", that would match up to the MicrosoftDNS folder you've been looking at in ADSIEdit.

Chris
0
 

Author Comment

by:DOCDGA
No Replication option on the General tab. If it would be easier to help me via email I would be glad to give you my email address and if we can fix this I will be glad to give you the points. I don't know what the points are for, but I see people assigning points if their problem was fixed. I just want... need to fix what's going on over here on my network. What I see in the MicrosoftDNS folder is my lookup zones, not a list of my Domain Controllers.
ddebaillon@corrections.state.la.us
0
 
LVL 70

Expert Comment

by:Chris Dent

Is this Windows 2000? If so, the replication option won't exist and we'll be using the versions you're looking at in ADSIEdit.msc. Sorry, I kind of assume Windows 2003 these days unless it's specified.

Chris
0
 

Author Comment

by:DOCDGA
The server I am using ADSIEdit.msc on is Server 2K3. We only have 2 2000 DC's left on our network.
0
 
LVL 70

Expert Comment

by:Chris Dent

Then you're restricted to the version above, however you can get 4515 if someone attempted to set the replication scope on one of the 2003 servers as it moves the DNS zones away from the place you're looking at the moment.

Chris
0
 
LVL 70

Expert Comment

by:Chris Dent

The above assumes any of the DCs are 2003. Is that the case?

Chris
0
 

Author Comment

by:DOCDGA
19 2003 DC's and 2 2000 DC's.
0
 
LVL 70

Expert Comment

by:Chris Dent

Okay, so it's disappearing on the Win 2000 DCs? Or on the 2003 DCs? Or both?

Because if someone has changed the replication scope on the 2003 DCs it will remove the zone from the 2000 DCs which cannot support the new location for the data.

Chris
0

 

Author Comment

by:DOCDGA
It disappears on both. Can you tell me where to look for the replication scope on the 2003 DC's?

If you haven't been following this I will explain it to you. I came in one day and all my zones had disappeared. I replaced the forward and reverse lookup zones with backups. On the reverse lookup zones, I made them ADI, but not on the forward zones. So far, my reverse lookup zones are doing well. They have not vanished.
Now on the forward lookup zones:
At first I didn't turn dynamic updates on and I also had scavenging turned off. I left it like that for a couple of weeks and my entries got stale. Not knowing better I turned ADI on again and my forward lookup zone vanished, so I turned ADI off.
As I read more and learned more,
I did turn on dynamic updates and scavenging. Things started working better once I did that. I haven't turned on ADI on my forward lookup zones since then. I don't know what is causing them to vanish. And that is where I am now. I have backed them up, so if I do turn ADI on and it vanishes again, I can restore them, but I am left with the same problem again. I don't see anything that stands out in the event viewer, but at the same time, maybe I am missing something because I don't know what to look for.
In your opinion, what might be causing my forward lookup zones to vanish when I turn on ADI? Thanks Chris.
0
 
LVL 70

Expert Comment

by:Chris Dent

In all honesty I don't know, but we can try to find out.

We can only do this when ADSIEdit is attached to one of the 2003 DCs. I would like to know if there's anything in the 2003 DNS partitions. These partitions are not exposed in ADSIEdit by default, we must tell ADSIEdit how to connect:

1. Start, Run, ADSIEdit.msc
2. Right click on ADSI Edit and select "Connect to..."
3. Under Name enter DomainDNSZones
4. Select "Select or type a Distinguished Name or Naming Context"
5. Enter "DC=DomainDNSZones,DC=yourdomain,DC=com"
6. Leave Computer as default and press OK

Repeat the same instructions for ForestDNSZones (DC=ForestDNSZones,DC=yourdomain,DC=com), in each case you would replace DC=yourdomain,DC=com with the relevant information.

You should find a MicrosoftDNS folder beneath each of those, then it should list each zone stored in that partition within there.

It would be nice to go back to a state where no zones for your domain name exist in AD. Then we can change the current version to AD Integrated on one of the servers and see if it will stay put.

We should also run DCDiag and NetDiag so we can investigate if anything else is in need of attention.

Chris
0
 

Author Comment

by:DOCDGA
Can you tell me what I'm supposed to be seeing in the CN=MicrosoftDNS folder? You said that it was supposed to house the other DC's that replicate with each other... am I correct in saying that? What I have in that folder is my lookup zones. Thanks.
0
 
LVL 70

Expert Comment

by:Chris Dent

You're supposed to see the Forward and Reverse Lookup Zones (those that you've set to AD Integrated).

It won't show you anything about specific Domain Controllers in there, but it will tell you which zones AD thinks it has.

Probably easiest if I show you mine, you should be able to see that I have two DNS Zones in my ForestDNSZones partition. Those are replicated between the two 2008 Domain Controllers that make up my testing domain at home.

I included DomainDNSZones as well so you could see that as I hope you should be able to :)

On top of those two you have the version you find under the "Domain" section in ADSIEdit, that's the only one Windows 2000 DCs can read data from.

Chris
DNSZones.jpg
0
 
LVL 70

Expert Comment

by:Chris Dent

Sort of half away from the keyboard, dinner time (or I'll be in trouble), but I'll respond to any questions you have as soon as I can.

Chris
0
 

Author Comment

by:DOCDGA
1. Start, Run, ADSIEdit.msc
2. Right click on ADSI Edit and select "Connect to..."
3. Under Name enter DomainDNSZones
4. Select "Select or type a Distinguished Name or Naming Context"
5. Enter "DC=DomainDNSZones,DC=yourdomain,DC=com"
6. Leave Computer as default and press OK

I ran the command that you asked and it shot an error back at me saying: A referral was returned from the server.
And you're right, I would like to get it in an Integrated AD, which it isn't.
0
 
LVL 70

Expert Comment

by:Chris Dent

That was on a 2003 server? Did it do the same for ForestDNSZones?

If so, back into ADSIEdit, can you expand Configuration, then select Partitions. I've attached an image again, we need to see if the two partitions, DomainDNSZones and ForestDNSZones, are actually listed.

Then if you could, see if the problem occurs on a few of the other Windows 2003 DCs (as long as they're running the DNS service). Before we do anything serious we just need to make sure about the state of the partitions.

Chris
DNSPartitions.jpg
0
 

Author Comment

by:DOCDGA
That was on a 2003 server? Did it do the same for ForestDNSZones?
The answer is yet to both.
0
 
LVL 70

Expert Comment

by:Chris Dent

Okay, we can delete those partitions and recreate them. Note that we cannot do that through ADSIEdit but I can provide explicit instructions.

Before we do that we should ensure that replication is functional or we will only cause other problems. Would you mind running DCDiag and "repadmin /showreps"?

Chris
0
 

Author Comment

by:DOCDGA
I mean yes to both.
0
 
LVL 70

Expert Comment

by:Chris Dent

It's okay, I read that as yes anyway :)

Chris
0
 

Author Comment

by:DOCDGA
I ran both. Where will the log be for them so I can send it to you?
0
 
LVL 70

Expert Comment

by:Chris Dent

It outputs to the screen only unless you tell it to do otherwise. For DCDiag you can make it log to a file with "DcDiag /f filename.txt". For repadmin it would be "repadmin /showreps > repadmin.txt".

My e-mail address is in my profile, although slightly obscured.

Chris
0
 
LVL 70

Accepted Solution

by:Chris Dent (earned 500 total points)

The next step for us is to remove the current DomainDNSZones and ForestDNSZones partitions. After that's done we will re-create them and verify they work.

As this step involves destructive actions please ensure that you have a full System State backup of your Domain Controllers before continuing. It shouldn't break anything, but we always want a way back if we really need it.

We will need to enter the following:

Start, Run
ntdsutil

This loads the ntdsutil program and leaves you with a prompt like "ntdsutil:". From there we type the following commands:

  domain management
  connections
  connect to server <Any2003DomainController>

Note that it is important that we use a 2003 DC here as Windows 2000 cannot read or host the partitions we are interested in.

  quit

Quit at this point takes us back to Domain Management.

  list

List shows each of the partitions currently present on the system. Now we need to delete the DomainDNSZones and ForestDNSZones partitions.

  delete nc DC=DomainDnsZones,DC=yourdomain,DC=com
  delete nc DC=ForestDnsZones,DC=yourdomain,DC=com

The names used with the "delete nc" command should match those shown in the list returned above.

Once done, type "quit" until ntdsutil exits then log onto a Windows 2003 Domain Controller (running the DNS Service), ideally the same server we used above. Open the DNS Console. Right click on the server name in the console and select "Create Default Application Directory Partitions".

Once done we should be able to use ADSIEdit.msc as before to connect to DomainDNSZones and ForestDNSZones, we don't want it to return a Referral.

Chris
0
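Added here as an example, not code from the thread or from the expert: a read-only PowerShell check for the state of the two DNS application directory partitions. It looks under CN=Partitions in the Configuration container (the same place the earlier reply asked to inspect in ADSIEdit) and reports which DCs hold a replica of each, so it can be run before the ntdsutil step above and again after "Create Default Application Directory Partitions" to confirm the partitions are back and no longer return a referral. It assumes a domain-joined host and a domain account that can read the directory.

```powershell
# Added example, not code from the thread: verify that DomainDnsZones and
# ForestDnsZones are registered as crossRef objects under CN=Partitions and list
# the DCs holding a replica of each. Read-only; assumes a domain-joined host and
# a domain account with read access. Names are derived from RootDSE.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext
$forestDn = [string]$rootDse.rootDomainNamingContext
$configDn = [string]$rootDse.configurationNamingContext
$boundDc  = [string]$rootDse.dnsHostName      # the DC this session is bound to

$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Partitions,$configDn")
$searcher.Filter      = '(objectClass=crossRef)'
$searcher.SearchScope = 'OneLevel'
foreach ($a in 'nCName', 'dnsRoot', 'msDS-NC-Replica-Locations') { [void]$searcher.PropertiesToLoad.Add($a) }

# Index every crossRef by the naming context it describes (lower-cased for comparison).
$crossRefs = @{}
foreach ($r in $searcher.FindAll()) {
    $crossRefs[([string]$r.Properties['ncname'][0]).ToLower()] = $r
}

$expected = @("DC=DomainDnsZones,$domainDn", "DC=ForestDnsZones,$forestDn")
foreach ($nc in $expected) {
    $cr = $crossRefs[$nc.ToLower()]
    if ($cr -eq $null) {
        # No crossRef at all: every DC will answer with a referral, as seen in the thread.
        Write-Warning "$nc is NOT registered under CN=Partitions; it needs to be re-created."
        continue
    }
    # Replica locations are NTDS Settings DNs: CN=NTDS Settings,CN=<DC name>,CN=Servers,...
    $replicas = @($cr.Properties['msds-nc-replica-locations'] | ForEach-Object {
        ($_ -split ',')[1] -replace '^CN=', ''
    })
    Write-Host "$nc  (dnsRoot: $($cr.Properties['dnsroot'][0]))"
    Write-Host "   replica DCs ($($replicas.Count)): $($replicas -join ', ')"
    $dcShort = ($boundDc -split '\.')[0]
    if ($replicas -notcontains $dcShort) {
        # A DC that is not a replica of the partition returns a referral when you bind to it.
        Write-Warning "   $boundDc does not hold $nc; ADSIEdit on this DC will return a referral for it."
    }
}
```

Windows 2000 DCs never appear in the replica lists, which is consistent with the earlier point that they cannot host these partitions.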
