Solved

Changing Zone Replication Scope

Posted on 2010-08-24
Last Modified: 2012-05-10
This question is an update from a previous post.
Two 2003 Servers: A and B
A- Original DC with FSMO roles, DHCP
B- New DC with DNS added after DC install.

Created matching Zone on B. Everything replicated except A records for domain.
Errors ensued in Server B DNS event log.
Replication Errors in Server A Directory Service Event Logs.

I realize upon closer inspection that Server B's zone properties have the Zone Replication Scope set to "To all DOMAIN CONTROLLERS" (third option), whereas Server A is set to "all DNS Servers" (second option). I understand that the third option is chosen when you are using a mixed environment with Windows 2000 controllers.

Can I just change the setting to option 2 on Server B and see what happens, or do I need to uninstall DNS and reinstall? I don't want to mess up Server A. Help really needed, and error logs available upon request.

Question by:smantz

22 Comments
LVL 8

Expert Comment

by:SGrossmann
ID: 33511754
You can change this setting without any problem; the new server normally should complain that it does not get any replication for those partitions. Make sure your Forest and Domain run in 2003 native mode. http://www.petri.co.il/understanding_function_levels_in_windows_2003_ad.htm
LVL 7

Expert Comment

by:CGretski
ID: 33511849
You shouldn't have had to create the zone on B - it should have replicated itself from A. (Though it sometimes takes a few hours/reboots since DNS was installed.)

You may have duplicate zones now (in different AD partitions). Check the event logs for error 4515 to see if it is complaining about duplicates. If so, removing the duplicate zone should (eventually) fix things.

See http://support.microsoft.com/kb/867464
LVL 8

Expert Comment

by:SGrossmann
ID: 33511896
Thanks @CGretski for pointing to the manually created zone, I forgot this in my post. This zone should be deleted before changing the scope on the old server. Nevertheless, even though deleting the additionally created zone fixes the problem, I'd suggest changing it to the 2003-and-upwards way for DNS replication within AD. If you add a 2008 (R2) server later to the domain you will get the same problem if you did not change it.

Author Comment

by:smantz
ID: 33512119
I had one 4515 when I rebooted Server B yesterday. I'll check out the above links but I may have some questions.
--Thanks for the help
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33512186
Most of the time you now select all Domain Controllers if your DNS zones are AD integrated, which they should be.

Author Comment

by:smantz
ID: 33512256
I have read the kb867464 link and assume that I want to run adsiedit on Server B and follow option 3 directions.  I guess my next question is, should Server B be disconnected from the network until all operations are completed?
0
 

Author Comment

by:smantz
ID: 33513088
OK I am running adsiedit on both servers and this is what I see on both.
Domain [ServerA.mydomain.net]
I drill down to CN=MicrosoftDNS and all I see is two folders: DC=20.172.in-addr.arpa and DC=RootDNSServers (which is empty).
What exactly am I looking for or is what I am seeing normal?
0
 
LVL 8

Expert Comment

by:SGrossmann
ID: 33513172
I would not change anything within adsiedit. If you have a configured and working DNS zone on one DNS server and an empty one on the other DNS server, delete the empty zone, I'd assume on the new server. Afterwards double-check your forest and domain functional level, that both are 2003 native, as you said you don't have any older DCs. If this is done, change your replication for DNS to "All Domain Controllers within AD Domain" and check if it does replicate now. Overall I'd suggest running a full backup for the old domain controller before you start. This makes sure you've a working state.

Author Comment

by:smantz
ID: 33514563
OK everyone, here is the 4515 error on Server B:
The zone smhscs.net was previously loaded from the directory partition MicrosoftDNS but another copy of the zone has been found in directory partition DomainDnsZones.smhscs.net. The DNS Server will ignore this new copy of the zone. Please resolve this conflict as soon as possible.
 
If an administrator has moved this zone from one directory partition to another this may be a harmless transient condition. In this case, no action is necessary. The deletion of the original copy of the zone should soon replicate to this server.
 
If there are two copies of this zone in two different directory partitions but this is not a transient caused by a zone move operation then one of these copies should be deleted as soon as possible to resolve this conflict.
 
To change the replication scope of an application directory partition containing DNS zones and for more details on storing DNS zones in the application directory partitions, please see Help and Support.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

From ADSIEDIT there is in the DomainDNSZones a CN=MicrosoftDNS having under it a DC=mydomain.net.
Within it are records with names, class, and distinguished names. This appears to have LDAP, Kerberos, and all the information you see under DNS management on Server A (the original).
This corresponds to option 2 in KB867464.

Also from ADSIEDIT there is in DC=mydomain,DC=net -> CN=System -> CN=MicrosoftDNS. I see two folders: DC=20.172.in-addr.arpa and DC=RootDNSServers (which is empty). DNS management on Server B has only Reverse Lookup records, 3 Forward Lookup Records - SOA (pointing to itself), NS Record listing itself, and one Host A record (itself).

What am I to delete in ADSIEDIT to correct the error on bootup? Which is the "new copy of the Zone" the DNS Server is ignoring?

Author Comment

by:smantz
ID: 33514678
Sorry, didn't see your post before sending mine. At this point, couldn't I just uninstall DNS on Server B, delete the NTDS and ntfrs folders, reboot the server and reinstall DNS?
LVL 8

Expert Comment

by:SGrossmann
ID: 33516653
You can try to uninstall DNS but this will keep the zone within your AD partitions.

I assume you have the state I more or less described above:

Server A:
working DNS setting, including Server and Client A-Records.

Server B:
the more or less empty DNS zone you described above, SOA records, NS records and one or two A records.

I'd really suggest deleting the "empty" zone on server B.
Afterwards you can uninstall DNS and reinstall it to make sure it is kept at a clear point.

Don't create any zones within server B now and wait to see what will be loaded after replication.

When everything is working as expected, or at least no zone is loaded within server B, check your functional level and change the replication behaviour on server A to "All DNS Servers within the domain".

Make sure not to reboot server A for now if this is possible, because server A would as well find two zones within AD and would load one of them, and this might be the wrong/"empty" one.

Hope this pointed out the steps; if not, keep asking your questions.

Author Comment

by:smantz
ID: 33517178
You've given some great input. So on Server B, I delete the whole zone --- Forward and Reverse lookup and the _msdcs (I forgot to mention it populated; I think this is what it is called, at home now). Hopefully this will clear it out. Stay clear of using ADSIEDIT and hope for the best. Once I delete the zone, I should see only one MicrosoftDNS zone in one partition, my guess the DomainDNSZones rather than the one in the System. Hope for the best. Could I delete the Zone with the server unplugged, see what it does on Server B before letting it replicate back to Server A (if it will)?

Author Comment

by:smantz
ID: 33517192
Is MS backup System State O.K. for the backup?
0
 
LVL 8

Expert Comment

by:SGrossmann
ID: 33518990
Check the zones you've created manually on server B for any entries except its own and SOA records; hopefully there aren't any other entries.

Then you can even delete them unplugged, but the point comes when the two servers are replicating the changes.

Sure, MS Backup System State is perfect.
LVL 7

Expert Comment

by:CGretski
ID: 33519159
Be careful with _msdcs; that is a separate zone holding Active Directory info.
Before you delete it, make sure it is a duplicate copy of the zone and not a successful replica.
Otherwise, if you delete it from B, it will replicate the deletion to A.

Author Comment

by:smantz
ID: 33520926
O.K. --- I'm heading in to work and will update when I get there; however, as I recall: I created the mydomain.net on Server B. I didn't create anything else. The forward lookup appeared immediately (I don't think I created it, although in a bit could have). I kept checking and eventually the _msdcs and reverse lookup appeared and populated. I'm pretty sure they replicated to the zone. It sounds like all I should do is delete the forward lookup and not anything else. Maybe I'm confused and will look closer.

Author Comment

by:smantz
ID: 33522217
Server B:  Forward Lookup has: _msdcs.mydomain.net and mydomain.net.  The mydomain has the 3 records previously mentioned.  The _msdcs.mydomain.net replicated from server A.  What do I do? I'm pretty sure I don't want to delete the whole Zone.  Should I try just deleting the mydomain.net in the Forward Zone?
0
 
LVL 8

Expert Comment

by:SGrossmann
ID: 33522705
Yes, don't delete the _msdcs zone that is replicated; this zone is absolutely critical for AD.

Only remove the empty zone for mydomain.net on server B.

Author Comment

by:smantz
ID: 33523768
Hey thanks, and I think I understand the error looking with ADSIEDIT (interesting tool).
On Server B, and only Server B, the following: connected to (ServerA.mydomain.net) DomainDNSZones, MicrosoftDNS, I see DC=mydomain.net (filled with all the domain goodies). Good so far.
I then connect to just ServerB and drill down to the MicrosoftDNS under System and see DC=20.172.in-addr.arpa (expected), DC=RootDNSServers (expected) and DC=mydomain.net (not expected, and has just the ServerB info in it).
I am pretty sure that this is the culprit. On bootup, it finds two of the DC=mydomain.net, gives an error and loads the local info.
I am hoping removing mydomain.net from the Zone will clear the error, or I can remove it using ADSIEDIT.
Your thoughts, and what would be the right procedure to get this controller back on track?
LVL 8

Accepted Solution

by:
SGrossmann earned 500 total points
ID: 33528924
Delete the zone in the DNS management console on server B.
Afterward, wait some minutes and restart the DNS service or the whole server, and recheck DNS.

I had a similar problem with one of my customers, and within DNS I did not need to use ADSIEdit to fix them.
0
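The duplicate-zone condition discussed in this thread (the same zone object living under both CN=System and the DomainDnsZones partition, which is what event 4515 reports) can be checked read-only before anything is deleted. The PowerShell below is an added example, not code from the thread or its participants; it assumes it is run on a domain member with rights to read AD, reads the domain DN from RootDSE, and only queries, never modifies, the directory.

```powershell
# Added example, not from the thread. Lists the dnsZone objects stored in the
# two places a 2003 domain can keep an AD-integrated zone and flags any zone
# present in both, which is the condition behind DNS event 4515.
# Assumes: run on a domain member with read access to AD; the domain DN is
# read from RootDSE. Read-only: it only queries AD and never deletes anything.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = $rootDse.defaultNamingContext

# Legacy (Windows 2000-style) location, replicates to every DC in the domain
$legacyDn = "CN=MicrosoftDNS,CN=System,$domainDn"
# Application partition used for "all DNS servers in the AD domain"
$appDn    = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"

function Get-ChildObjects([string]$parentDn, [string]$objectClass) {
    # Returns the 'name' attribute of each direct child of the given class;
    # returns nothing if the container cannot be bound (e.g. partition absent)
    $entry = [ADSI]"LDAP://$parentDn"
    try { $null = $entry.distinguishedName } catch { return @() }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
    $searcher.Filter      = "(objectClass=$objectClass)"
    $searcher.SearchScope = "OneLevel"
    $null = $searcher.PropertiesToLoad.Add("name")
    foreach ($r in $searcher.FindAll()) { $r.Properties["name"][0] }
}

$legacyZones = @(Get-ChildObjects $legacyDn "dnsZone")
$appZones    = @(Get-ChildObjects $appDn    "dnsZone")

"Zones under CN=System (legacy):       " + ($legacyZones -join ", ")
"Zones under DomainDnsZones partition: " + ($appZones    -join ", ")

# A zone name present in both containers is exactly what event 4515 reports.
$dupes = @($legacyZones | Where-Object { $appZones -contains $_ })
if ($dupes.Count -eq 0) {
    "No zone is stored in both partitions."
} else {
    foreach ($zone in $dupes) {
        # Count the dnsNode records in each copy so the real zone (many
        # records) can be told apart from the near-empty duplicate.
        $legacyCount = @(Get-ChildObjects "DC=$zone,$legacyDn" "dnsNode").Count
        $appCount    = @(Get-ChildObjects "DC=$zone,$appDn"    "dnsNode").Count
        "DUPLICATE $zone : CN=System copy has $legacyCount records, " +
        "DomainDnsZones copy has $appCount records. Verify before deleting either."
    }
}
```

Running this on both servers before and after the zone is removed in the DNS console confirms that only one copy remains and that it is the populated one.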
 

Author Comment

by:smantz
ID: 33557960
Sorry it's taken a while to get back. I think that did the trick. I had Server B only connected for a few minutes Thursday before I had to leave and will be back this morning. The only thing I noticed now is a mrxSmb 8003 on Server A. Not sure how to approach this, as Server B thinks it's a Master Browser and maybe it is. Should I post this separately?
--SM
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33558289
If the server is not the server holding the PDC fsmo role then it should not be the master browser.

How to enable servers becoming browser servers

To encourage singlehomed computers to become the browser servers, open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\IsDomainMaster and change the value of this key to yes, quit Registry Editor, and then restart your computer. NOTE: The registry settings in this article do not work on a Windows 2000 DC if it is the PDC emulator.

http://www.chicagotech.net/browser.htm#How%20to%20disable%20servers%20from%20becoming%20browser%20servers
0
