Deleted Active Directory integrated DNS comes back after restart

Hello,

I have 3 AD integrated DNS zones which I deleted. Every time I restart one of my domain controllers, these zones come back again and again. How can I get rid of this? I am running Windows 2003 SP1.

Thank you
S.
slimard asked:

Chris Dent, PowerShell Developer, commented:

It depends a little on where they're sitting, but you should be able to drop in and delete them from AD entirely.

Can you tell me the current replication scope setting (in the properties for the zone)?

Chris
0
slimard (Author) commented:
Thanks. The replication scope is "All DNS servers in the Active directory domain cpy.org"
0
slimard (Author) commented:
By the way, all my DCs are DNS servers.
0

Chris Dent, PowerShell Developer, commented:

Excellent, in that case we have a helpful little KB Article from Microsoft to refer to:

http://support.microsoft.com/?kbid=305967

If you do not need the zones any more you only need to follow the article as far as Step 7 (inclusive).

The commands to flush DNS, re-register and the restart of NetLogon are only required if the zone is your main AD zone (for your AD domain).

HTH

Chris
0
slimard (Author) commented:
The issue is that they do not appear in Active Directory Users and Computers under System\MicrosoftDNS.

Please note that in DNS console the zone has a red cross.
0
slimard (Author) commented:
When I tried to change the zone to Primary Zone, I got a message like "the data on the primary zone failed to set. the operation cannot be performed because this zone is shutdown".
0
Chris Dent, PowerShell Developer, commented:

Interesting, but it's still listing the zone with that scope in the DNS console?

Perhaps search the registry for the zone name? Some zones will load because of configuration in the registry. Does this occur on all DCs?

Chris
0
slimard (Author) commented:
This occurs on all DCs except some new DCs that were installed recently. The deletion of these zones was before the install of these new DCs.

I will have a look at the registry right now.
0
Chris Dent, PowerShell Developer, commented:

Great, it's worth a try.

Otherwise, we could try creating the zone on a new DC with the replication scope set to all DCs in the AD Domain, that should load it into the area in AD Users and Computers. Just to see if we can force it to overwrite any existing configuration after replication.

Chris
0
slimard (Author) commented:
You were right, I found them in the registry and I deleted them. Then I restarted the DNS Server service and they reappeared again in the registry.
0
Chris Dent, PowerShell Developer, commented:

Same if you stop the DNS service first, then delete, then start?

Chris
0
slimard (Author) commented:
Just did. Stop DNS --> remove registry --> start DNS, and the zones came back again in the registry.

I have been struggling with this for months without success. I have read somewhere that I might do an authoritative restore for the DNS part, but to be honest I was a bit afraid.
0
Chris Dent, PowerShell Developer, commented:

Hmm, no, it's likely to appear again and goes back to suggesting configuration in AD.

Just to verify, it's reappearing with "DsIntegrated: 1" in the registry?

There aren't many references to the zone itself in AD. We could potentially check the other two areas for the zone, wouldn't hurt to look.

1. Open ADSIEdit.msc (Start / Run)
2. Select "ADSI Edit"
3. Right click and select "Connect to..."
4. Enter the name ForestDNSZones
5. Select "Select or type a Distinguished Name or Naming Context"
6. Enter DC=ForestDNSZones,DC=yourdomain,DC=com. This assumes your forest root / domain is called yourdomain.com
7. Press OK
8. Expand ForestDNSZones
9. Expand MicrosoftDNS

The same can be done for DomainDNSZones.

Chris
0

slimard (Author) commented:
Yes with "DsIntegrated: 1"

I found something strange. I have these
CN=MicrosoftDNS
CN=MicrosoftDNSCNF:ae30ac08-0366-4a04-bfc1-7a4292401ef5

In the second one I have all the deleted zones we are talking about
0
Chris Dent, PowerShell Developer, commented:

The CNF version is a Conflict Object, created, as the name suggests, when two versions of the same object exist.

You should be able to delete that, but the same precautions with taking backups should be applied.

I would advise you run DCDiag and verify that AD itself is replicating happily in your environment if you haven't already.

Chris
0
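An added diagnostic (not code from the thread or from Chris) that does the same thing as the ADSI Edit walk above and the conflict-object check: it lists every container that can hold AD-integrated zones in the domain and forest partitions, flags renamed conflict copies (CN=MicrosoftDNS\0ACNF:&lt;guid&gt;) together with the zones they still hold, and cross-checks the local DNS server's registry view. It assumes it runs on a DC, under an account that can read all three partitions, with PowerShell 3 or later; it only reads, it deletes nothing.

```powershell
# Added diagnostic, not code from the thread: list every AD container that can hold
# AD-integrated zones, flag renamed conflict copies (CN=MicrosoftDNS\0ACNF:<guid>),
# and show which zones the local DNS server still has in the registry.
# Assumes it runs on a DC as an account that can read all three partitions (PS 3+).
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = $rootDse.Get('defaultNamingContext')
$forestDn = $rootDse.Get('rootDomainNamingContext')

# The three places an AD-integrated zone can live, one per replication scope.
$partitions = [ordered]@{
    'CN=System (all DCs in domain)'      = "CN=System,$domainDn"
    'DomainDNSZones (all DNS in domain)' = "DC=DomainDNSZones,$domainDn"
    'ForestDNSZones (all DNS in forest)' = "DC=ForestDNSZones,$forestDn"
}

$report = foreach ($label in $partitions.Keys) {
    $base = [ADSI]"LDAP://$($partitions[$label])"
    try { $null = $base.Get('distinguishedName') } catch { continue }  # partition absent

    # Every MicrosoftDNS container directly under the base, including CNF: conflict copies
    $search = New-Object System.DirectoryServices.DirectorySearcher($base)
    $search.Filter      = '(&(objectClass=container)(cn=MicrosoftDNS*))'
    $search.SearchScope = 'OneLevel'
    foreach ($container in $search.FindAll()) {
        $containerDn = $container.Properties['distinguishedname'][0]

        # dnsZone objects inside that container (bind via the entry to avoid DN escaping issues)
        $zones = New-Object System.DirectoryServices.DirectorySearcher($container.GetDirectoryEntry())
        $zones.Filter      = '(objectClass=dnsZone)'
        $zones.SearchScope = 'OneLevel'
        foreach ($zone in $zones.FindAll()) {
            [pscustomobject]@{
                Partition = $label
                Conflict  = ($containerDn -match 'CNF:')
                Zone      = $zone.Properties['name'][0]
                Container = $containerDn
            }
        }
    }
}
$report | Sort-Object Conflict -Descending | Format-Table -AutoSize

# Local DNS server view: zones still listed in the registry and their DsIntegrated flag
$regZones = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones'
Get-ChildItem $regZones | ForEach-Object {
    [pscustomobject]@{ Zone = $_.PSChildName; DsIntegrated = $_.GetValue('DsIntegrated') }
} | Format-Table -AutoSize
```

A zone that shows up with Conflict = True but not in the ordinary MicrosoftDNS container is the case described in this thread; run it on a DC that still reloads the zone and on one that does not to compare.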
Chris Dent, PowerShell Developer, commented:

Hmmm, actually, I'd hold off on deleting it for now unless you're very comfortable with it.

I'd also move any zone you currently require to the "All DNS Servers in the AD Domain" replication scope, that shifts them out of the current scope which might be a good idea.

Chris
0
slimard (Author) commented:
Many thanks Chris. I deleted it because it contained only older deleted zones. I have checked the replication and everything is fine. So I am going to wait 15 min and check the DNS console on all other DCs, but I am pretty sure you pointed out the issue well.
0
Chris Dent, PowerShell Developer, commented:

Fingers crossed then :)

Chris
0
slimard (Author) commented:
Worked great. The replication has gone to all the DCs and the deleted zones were removed from the DNS servers after restarting the DNS service. So many thanks again.
0
Chris Dent, PowerShell Developer, commented:

Great news :) Glad it worked.

Chris
0