Solved

Changing Zone Replication Scope

Posted on 2010-08-24
Medium Priority
753 Views
Last Modified: 2012-05-10
This question is an update from a previous post.
Two 2003 Servers: A and B
A- Original DC with FSMO roles, DHCP
B- New DC with DNS added after DC install.

Created matching Zone on B. Everything replicated except A records for domain.
Errors ensued in Server B DNS event log.
Replication Errors in Server A Directory Service Event Logs.

I realize upon closer inspection that Server B Zone properties has the Zone Replication Scope set to: To all DOMAIN CONTROLLERS (third option), where Server A is set to all DNS Servers (second option). I understand that the third option is chosen when you are using a mixed environment with WIN 2000 controllers.

Can I just change the setting to option 2 on Server B and see what happens, or do I need to uninstall DNS and reinstall? I don't want to mess up Server A. Help really needed, and error logs available upon request.



Question by:smantz
22 Comments
 
LVL 8

Expert Comment

by:SGrossmann
ID: 33511754
You can change this setting without any problem; the new server normally should complain that it does not get any replication for those partitions. Make sure your Forest and Domain run with 2003 native mode.
http://www.petri.co.il/understanding_function_levels_in_windows_2003_ad.htm
0
 
LVL 7

Expert Comment

by:CGretski
ID: 33511849
You shouldn't have had to create the zone on B; it should have replicated itself from A. (Though it sometimes takes a few hours/reboots since DNS was installed.)

You may have duplicate zones now (in different AD partitions). Check the event logs for error 4515 to see if it is complaining about duplicates. If so, removing the duplicate zone should (eventually) fix things.

See http://support.microsoft.com/kb/867464


0
 
LVL 8

Expert Comment

by:SGrossmann
ID: 33511896
Thanks @CGretski for pointing to the manually created zone, I forgot this in my post. This zone should be deleted before changing the scope on the old server. Nevertheless, even if deleting the additionally created zone fixes the problem, I'd suggest changing it to the 2003-and-upwards way for DNS replication within AD. If you add a 2008 (R2) server later to the domain you will get the same problem if you did not change it.
0
 

Author Comment

by:smantz
ID: 33512119
I had one 4515 when I rebooted Server B yesterday. I'll check out the above links but I may have some questions.
--Thanks for the help
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33512186
Most of the time you now select all Domain Controllers if your DNS zones are AD integrated, which they should be.
0
 

Author Comment

by:smantz
ID: 33512256
I have read the kb867464 link and assume that I want to run adsiedit on Server B and follow the option 3 directions. I guess my next question is, should Server B be disconnected from the network until all operations are completed?
0
 

Author Comment

by:smantz
ID: 33513088
OK, I am running adsiedit on both servers and this is what I see on both.
Domain [ServerA.mydomain.net]
I drill down to CN=MicrosoftDNS and all I see is two folders: DC=20.172.in-addr.arpa and DC=RootDNSServers (which is empty).
What exactly am I looking for, or is what I am seeing normal?
0
 
LVL 8

Expert Comment

by:SGrossmann
ID: 33513172
I would not change anything within adsiedit. If you have a configured and working DNS zone on one DNS server and an empty one on the other DNS server, delete the empty zone, I'd assume on the new server. Afterwards double-check your forest and domain functional level, that both are 2003 native, as you said you don't have any older DCs. If this is done, change your replication for DNS to "All Domain Controllers within AD Domain" and check if it does replicate now. Over all I'd suggest running a full backup for the old domain controller before you start. This makes sure you've a working state.
0
 

Author Comment

by:smantz
ID: 33514563
OK everyone, here is the 4515 error on Server B:
The zone smhscs.net was previously loaded from the directory partition MicrosoftDNS but another copy of the zone has been found in directory partition DomainDnsZones.smhscs.net. The DNS Server will ignore this new copy of the zone. Please resolve this conflict as soon as possible.
 
If an administrator has moved this zone from one directory partition to another this may be a harmless transient condition. In this case, no action is necessary. The deletion of the original copy of the zone should soon replicate to this server.
 
If there are two copies of this zone in two different directory partitions but this is not a transient caused by a zone move operation then one of these copies should be deleted as soon as possible to resolve this conflict.
 
To change the replication scope of an application directory partition containing DNS zones and for more details on storing DNS zones in the application directory partitions, please see Help and Support.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

From ADSIEDIT there is in the DomainDNSZones a CN=MicrosoftDNS having under it a DC=mydomain.net.
Within it are records with names, class, and distinguished names. This appears to have LDAP, Kerberos, and all the information you see under DNS management on Server A (the original).
This corresponds to option 2 in KB867464.

Also from ADSIEDIT there is in DC=mydomain,DC=net -> CN=System -> CN=MicrosoftDNS. I see two folders: DC=20.172.in-addr.arpa and DC=RootDNSServers (which is empty). DNS management on Server B has only Reverse Lookup records, 3 Forward Lookup Records: SOA (pointing to itself), NS Record listing itself, and one Host A record (itself).

What am I to delete in ADSIEDIT to correct the error on bootup? Which is the "new copy of the Zone" that the DNS Server is ignoring?
0
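The conflict described in the 4515 event above is two dnsZone objects with the same name in two directory partitions. The following PowerShell script is an added example, not code from the thread or from Microsoft: it lists the dnsZone objects in the legacy CN=System container and in the DomainDnsZones and ForestDnsZones application partitions and reports any zone name that appears in more than one of them. It assumes it is run on a domain controller (or a domain-joined host with ADSI access) as a domain administrator; the domain DN is read from RootDSE.

```powershell
# Added example (not from the thread): find DNS zones stored in more than one
# AD partition, the condition that produces DNS event 4515 at zone load time.
# Assumes: run as a domain admin on a DC or domain-joined host; the domain DN
# is taken from RootDSE (e.g. DC=mydomain,DC=net).
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext

# The three places an AD-integrated zone can live in a Windows 2003 domain:
#  - CN=System: Windows 2000 style, replicates to every DC in the domain
#  - DomainDnsZones: replicates only to DNS servers in the domain
#  - ForestDnsZones: replicates only to DNS servers in the forest (_msdcs)
$containers = [ordered]@{
    'CN=System (all DCs in domain)'        = "LDAP://CN=MicrosoftDNS,CN=System,$domainDn"
    'DomainDnsZones (DNS servers, domain)' = "LDAP://CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
    'ForestDnsZones (DNS servers, forest)' = "LDAP://CN=MicrosoftDNS,DC=ForestDnsZones,$domainDn"
}

$zonesByName = @{}   # zone name -> list of partitions it was found in
foreach ($label in $containers.Keys) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]$containers[$label]
    $searcher.Filter      = '(objectClass=dnsZone)'
    $searcher.SearchScope = 'OneLevel'
    $null = $searcher.PropertiesToLoad.Add('dc')   # dc holds the zone name
    try {
        foreach ($result in $searcher.FindAll()) {
            $zone = [string]$result.Properties['dc'][0]
            if (-not $zonesByName.ContainsKey($zone)) { $zonesByName[$zone] = @() }
            $zonesByName[$zone] += $label
        }
    } catch {
        # The partition may not exist (e.g. no 2003 application partitions yet)
        Write-Warning "Cannot read $($containers[$label]): $($_.Exception.Message)"
    }
}

# RootDNSServers is a placeholder object in every partition and is not a real zone.
foreach ($zone in ($zonesByName.Keys | Where-Object { $_ -ne 'RootDNSServers' } | Sort-Object)) {
    $where = $zonesByName[$zone] -join '; '
    if ($zonesByName[$zone].Count -gt 1) {
        Write-Output "DUPLICATE  $zone -> $where  (DNS will log event 4515 and load only one copy)"
    } else {
        Write-Output "ok         $zone -> $where"
    }
}
```

A zone reported as DUPLICATE is the one to compare in the DNS console before deleting the empty copy; the output does not say which copy is the populated one.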
 

Author Comment

by:smantz
ID: 33514678
Sorry, didn't see your post before sending mine. At this point, couldn't I just uninstall DNS on Server B, delete the NTDS and ntfrs folders, reboot the Server and reinstall DNS?
0
 
LVL 8

Expert Comment

by:SGrossmann
ID: 33516653
You can try to uninstall DNS but this will keep the zone within your AD partitions.

I assume you have the state I more or less described above:

Server A:
working DNS setting, including Server and Client A-Records.

Server B:
the more or less empty DNS zone you described above, SOA records, NS records and one or two A records.

I'd really suggest deleting the "empty" zone on server B.
Afterwards you can uninstall DNS and reinstall it to make sure it is kept at a clear point.

Don't create any zones within server B now and wait to see what will be loaded after replication.

When everything is working as expected, or at least no zone is loaded within server B, check your functional level and change the replication behaviour on server A to "All DNS Servers within the domain".

Make sure not to reboot server A for now if this is possible, because server A would as well find two zones within AD and would load one of them, and this might be the wrong/"empty" one.

Hope this pointed out the steps; if not, keep asking your questions.
0
 

Author Comment

by:smantz
ID: 33517178
You've given some great input. So on Server B, I delete the whole zone: Forward and Reverse lookup and the _msdcs (I forgot to mention it populated; I think this is what it is called, at home now). Hopefully this will clear it out. Stay clear of using ADSIEDIT and hope for the best. Once I delete the zone, I should see only one MicrosoftDNS zone in one partition, my guess the DomainDNSZone rather than the one in the System. Hope for the best. Could I delete the Zone with the server unplugged, see what it does on Server B before letting it replicate back to Server A (if it will)?
0
 

Author Comment

by:smantz
ID: 33517192
Is MS backup System State O.K. for the backup?
0
 
LVL 8

Expert Comment

by:SGrossmann
ID: 33518990
Check the zones you've created manually on server B for any entries except its own and SOA records; hopefully there aren't any other entries.

Then you can even delete them unplugged, but the point comes when the two servers are replicating the changes.

Sure, MS Backup System State is perfect.
0
 
LVL 7

Expert Comment

by:CGretski
ID: 33519159
Be careful with _msdcs; that is a separate zone holding Active Directory info.
Before you delete it, make sure it is a duplicate copy of the zone and not a successful replica.
Otherwise, if you delete it from B, it will replicate the deletion to A.

0
 

Author Comment

by:smantz
ID: 33520926
O.K., I'm heading in to work and will update when I get there; however, as I recall: I created the mydomain.net on Server B. I didn't create anything else. The forward lookup appeared immediately (I don't think I created it, although in a bit could have). I kept checking and eventually the _msdcs and reverse lookup appeared and populated. I'm pretty sure they replicated to the zone. It sounds like all I should do is delete the forward lookup and not anything else. Maybe I'm confused and will look closer.
0
 

Author Comment

by:smantz
ID: 33522217
Server B: Forward Lookup has: _msdcs.mydomain.net and mydomain.net. The mydomain has the 3 records previously mentioned. The _msdcs.mydomain.net replicated from server A. What do I do? I'm pretty sure I don't want to delete the whole Zone. Should I try just deleting the mydomain.net in the Forward Zone?
0
 
LVL 8

Expert Comment

by:SGrossmann
ID: 33522705
Yes, don't delete the _msdcs zone that is replicated; this zone is absolutely critical for AD.

Only remove the empty zone for mydomain.net on server B.
0
 

Author Comment

by:smantz
ID: 33523768
Hey thanks, and I think I understand the error looking with ADSIEDIT (interesting tool).
On server B, and only Server B, the following. Connected to (ServerA.mydomain.net) DomainDNSZones, MicrosoftDNS and see DC=mydomain.net (filled with all the domain goodies). Good so far.
I then connect to just ServerB and drill down to the MicrosoftDNS under System and see DC=20.172.in-addr-arpa (expected), DC=RootDNSServers (expected) and DC=mydomain.net (not expected, and has just the ServerB info in it).
I am pretty sure that this is the culprit. On bootup, it finds two of the DC=mydomain.net, gives an error and loads the local info.
I am hoping removing mydomain.net from the Zone will clear the error, or I can remove it using ADSIEDIT.
Your thoughts, and what would be the right procedure to get this controller back on track?
0
 
LVL 8

Accepted Solution

by: SGrossmann (earned 2000 total points)
ID: 33528924
Delete the zone in the DNS management console on server B.
Afterward wait some minutes and restart the DNS service or the whole server, and recheck DNS.

I had a similar problem with one of my customers, and within DNS I did not need to use ADSIEdit to fix them.
0
 

Author Comment

by:smantz
ID: 33557960
Sorry it's taken a while to get back. I think that did the trick. I had Server B only connected for a few minutes Thursday before I had to leave, and will be back this morning. The only thing I noticed now is a mrxSmb 8003 on Server A. Not sure how to approach this, as Server B thinks it's a Master Browser, and maybe it is. Should I post this separately?
--SM
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33558289
If the server is not the server holding the PDC FSMO role then it should not be the master browser.

How to enable servers becoming browser servers:

To encourage singlehomed computers to become the browser servers, open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\IsDomainMaster and change the value of this key to yes, quit Registry Editor, and then restart your computer. NOTE: The registry settings in this article do not work on a Windows 2000 DC if it is the PDC emulator.

http://www.chicagotech.net/browser.htm#How%20to%20disable%20servers%20from%20becoming%20browser%20servers
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question