Remote DNS replication problems

Posted on 2009-02-11
Medium Priority
Last Modified: 2012-05-06
We have a remote DC that is running Windows 2003 SP2 and it is unable to replicate the DomainDNSZones partition; all other replication is working fine.

I have looked through the DNS on the remote server and it is missing new records and has some records that were deleted. Since it is not replicating the zone, these bad records are not replicating across our network.

I have tried cleaning lingering objects and the zone showed one successful replication but then began to fail again. Even though it showed one successful replication, the old DNS records were still there and none of the new ones were created.

The error in replmon is Replication Failure: The reason is: Insufficient attributes were given to create an object.  This object may not exist because it may have been deleted...

I am at the point where I may need to demote and repromote the server, but since it is in a remote location with a bad internet connection I want to save this for a last resort.

Question by:Erik Bjers
LVL 71

Expert Comment

by:Chris Dent
ID: 23613511

You might find you have to kill off the DomainDNSZones partition entirely.

I would expect replication of DNS data to work perfectly if you were to change the scope to "All Domain Controllers in the Active Directory Domain". That shifts the zone data back into the directory partition.

Or even change it to All DNS Servers in the Forest (ForestDNSZones).

If either of those is fine I'd nuke the DomainDNSZones partition, ensure the change replicates, then recreate it and move the zone back in.

LVL 23

Author Comment

by:Erik Bjers
ID: 23613592

Thanks for the input. Since we have many DCs in remote locations that are not always connected and replicating, I would prefer not to nuke and recreate the zone.

LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 2000 total points
ID: 23613669

I'm not suggesting that you do; it wouldn't be the zone, it would be the underlying partition (after the zone has been moved out of it). I can certainly understand any reluctance to nuke the zone itself.

That would take the following steps (which will hopefully clear up any confusion I may have caused):

1. Open the Properties for the zone in DNS Manager
2. Select Change next to Scope. Change the replication scope to either of the other two options (DCs in the Domain, or DNS Servers in the Forest)
3. Allow time for replication to occur (depending on your topology)
4. See if the replication error message is still occurring for DomainDNSZones (and hasn't moved with the zone)

If the problem still only exhibits with DomainDNSZones I would then move on to:

Domain Management
Connect To Server <AnyActiveDC>
Delete NC DC=DomainDNSZones,DC=daiglobal,DC=net

Then again, allow time for full replication. Verify whether or not the server suffering the problem sees the change.

Finally, from the command line run this against a DNS server to recreate the directory partition:

dnscmd /CreateBuiltInDirectoryPartitions /Domain

Once again, wait for replication and check for errors. If none occur, change the replication scope of the DNS zone back to All DNS servers in the AD Domain.
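Before and after each step of that procedure it helps to record where the zone actually lives, which DNS application partitions each DC is enlisted in, and whether the DomainDNSZones naming context is replicating. The following read-only report is an added example, not code from the thread or from either participant. It assumes dnscmd.exe and repadmin.exe are on the path, that the account can query every DC, that the three placeholder values are replaced with your own, and that dnscmd and repadmin produce their usual English output layout (the field names and CSV column headers it matches on).

```powershell
# Added example (not from the thread). Read-only state report around a
# DomainDNSZones scope change / partition recreate.
# Assumptions: dnscmd.exe and repadmin.exe on the path, rights to query every DC,
# placeholders below replaced, usual English dnscmd/repadmin output layout.

$ZoneName          = 'corp.example.com'                                  # placeholder zone
$DomainDnsZonesNC  = 'DC=DomainDnsZones,DC=corp,DC=example,DC=com'       # placeholder NC
$DomainControllers = @('DC01.corp.example.com', 'DC02.corp.example.com')  # placeholder DCs

function Get-FieldValue {
    # Pull "name = value" out of dnscmd's key/value style output; $null if absent.
    param([string[]]$Lines, [string]$Name)
    foreach ($line in $Lines) {
        if ($line -match ('^\s*' + [regex]::Escape($Name) + '\s*=\s*(.+?)\s*$')) { return $Matches[1] }
    }
    return $null
}

function Get-ZonePlacement {
    # Which directory partition holds the zone on this server (dnscmd /ZoneInfo).
    param([string]$Server, [string]$Zone)
    $out  = @(& dnscmd.exe $Server /ZoneInfo $Zone 2>&1 | ForEach-Object { "$_" })
    $code = $LASTEXITCODE
    [pscustomobject]@{
        Server       = $Server
        Zone         = $Zone
        DsIntegrated = Get-FieldValue -Lines $out -Name 'DS integrated'
        Partition    = Get-FieldValue -Lines $out -Name 'directory partition'
        ZoneDN       = Get-FieldValue -Lines $out -Name 'zone DN'
        ExitCode     = $code
    }
}

function Get-EnlistedPartitions {
    # One object per DNS application partition the server lists, with its
    # enlistment state (e.g. "Enlisted Auto Domain"), from /EnumDirectoryPartitions.
    param([string]$Server)
    $out  = @(& dnscmd.exe $Server /EnumDirectoryPartitions 2>&1 | ForEach-Object { "$_" })
    $code = $LASTEXITCODE
    foreach ($line in $out) {
        if ($line -match '^\s*(\S+DnsZones\S*)\s+(.+?)\s*$') {
            [pscustomobject]@{ Server = $Server; Partition = $Matches[1]; State = $Matches[2]; ExitCode = $code }
        }
    }
}

function Get-NamingContextReplication {
    # repadmin /showrepl * /csv yields one row per (destination, source, NC) link;
    # keep only the naming context we care about.
    param([string]$NamingContext)
    $rows = @(& repadmin.exe /showrepl '*' /csv 2>&1 | ForEach-Object { "$_" }) | ConvertFrom-Csv
    $rows | Where-Object { $_.'Naming Context' -eq $NamingContext } |
        Select-Object 'Destination DSA', 'Source DSA', 'Number of Failures', 'Last Failure Status', 'Last Success Time'
}

Write-Host "== Zone placement for $ZoneName"
foreach ($dc in $DomainControllers) { Get-ZonePlacement -Server $dc -Zone $ZoneName | Format-List }

Write-Host '== DNS application partition enlistment'
foreach ($dc in $DomainControllers) { Get-EnlistedPartitions -Server $dc } | Format-Table -AutoSize

Write-Host "== Replication links for $DomainDnsZonesNC"
Get-NamingContextReplication -NamingContext $DomainDnsZonesNC | Format-Table -AutoSize
```

Run it once before step 1 to capture the starting point, again after the scope change has had time to replicate (the zone DN should now sit under the domain or ForestDnsZones partition), and again after the `Delete NC` and `dnscmd /CreateBuiltInDirectoryPartitions /Domain` steps, when every DC should list the DomainDnsZones partition as enlisted again and the replication rows for that naming context should show zero failures. The command-line equivalent of step 2 is `dnscmd <server> /ZoneChangeDirectoryPartition <zone> /forest` (or `/domain`), which does the same as the Change button in the zone properties.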

LVL 23

Author Comment

by:Erik Bjers
ID: 23745918

Sorry for the long silence, I've been rather busy and this got shifted to the back burner. I am still working on this issue and will get back to you in a few days.

LVL 23

Accepted Solution

Erik Bjers earned 0 total points
ID: 23847658

OK, I got the problem solved. It seems like the remote domain controller thought our main DC had lingering objects, so I checked for lingering objects on the primary server (without removing them). Once this was done it started replicating again and has been fine for the last week.

Thanks for the help, I will accept this as the solution but give you the points.
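The check Erik describes is a lingering-object scan in advisory mode: repadmin compares a destination DC against a source DC for one naming context and only logs what it finds, deleting nothing. The script below, an added example that is not code from the thread or from either participant, runs that scan for the DomainDNSZones naming context against every (destination, source) pair of domain controllers and reports the result per pair. It assumes the ActiveDirectory PowerShell module (RSAT) and repadmin.exe are available, that the account can read the Configuration partition and query every DC, and that the placeholder naming context is replaced with your own.

```powershell
# Added example (not from the thread). Advisory-mode lingering object scan of the
# DomainDNSZones naming context across all DC pairs. Nothing is removed; results
# are logged in the Directory Service event log of each destination DC.
# Assumptions: ActiveDirectory module (RSAT), repadmin.exe on the path, rights to
# read the Configuration partition and query every DC, placeholder NC replaced.

Import-Module ActiveDirectory

$NamingContext = 'DC=DomainDnsZones,DC=corp,DC=example,DC=com'   # placeholder NC

function Get-DsaGuidTable {
    # repadmin identifies the *source* by the GUID of its NTDS Settings (DSA) object,
    # not by hostname, so build a hostname -> DSA GUID map for every DC in the domain.
    $table = @{}
    foreach ($dc in Get-ADDomainController -Filter *) {
        $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID
        $table[$dc.HostName] = $ntds.ObjectGUID.ToString()
    }
    return $table
}

function Invoke-AdvisoryLingeringScan {
    # For each ordered pair (destination, source), ask the destination to compare
    # its copy of $NC with the source's. /advisory_mode reports only.
    param([hashtable]$DsaGuids, [string]$NC)
    foreach ($dest in $DsaGuids.Keys) {
        foreach ($src in $DsaGuids.Keys) {
            if ($dest -eq $src) { continue }
            $out  = @(& repadmin.exe /removelingeringobjects $dest $DsaGuids[$src] $NC /advisory_mode 2>&1 |
                      ForEach-Object { "$_" })
            $code = $LASTEXITCODE
            [pscustomobject]@{
                Destination = $dest
                Source      = $src
                ExitCode    = $code
                # First line that reads like a status or error, as a quick summary.
                Summary     = ($out | Where-Object { $_ -match 'RemoveLingeringObjects|error|fail' } | Select-Object -First 1)
            }
        }
    }
}

$dsaGuids = Get-DsaGuidTable
$results  = Invoke-AdvisoryLingeringScan -DsaGuids $dsaGuids -NC $NamingContext
$results | Sort-Object Destination, Source | Format-Table -AutoSize

# Pairs that could not be compared at all (DC unreachable, RPC blocked, rights)
# show a non-zero exit code and are worth following up before trusting the scan.
$results | Where-Object { $_.ExitCode -ne 0 }
```

The per-object findings do not come back on the console; look in the Directory Service event log on each destination DC, where event 1938 marks the start of a scan, event 1946 is logged for every lingering object found in advisory mode, and event 1942 gives the total. A pair whose destination is the remote DC and whose source is the main DC is the one that matches Erik's symptom; a clean advisory pass there, followed by replication resuming, is the outcome the accepted answer describes.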
