  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 759

Changing Zone Replication Scope

This question is an update from a previous post.
Two 2003 Servers: A and B
A- Original DC with FSMO roles, DHCP
B- New DC with DNS added after DC install.

Created matching Zone on B. Everything replicated except A records for domain.
Errors ensued in Server B DNS event log.
Replication Errors in Server A Directory Service Event Logs.

I realize upon closer inspection that Server B's zone properties have the Zone Replication Scope set to "To all DOMAIN CONTROLLERS" (third option), whereas Server A is set to "all DNS Servers" (second option). I understand that the third option is chosen when you are using a mixed environment with Windows 2000 controllers.

Can I just change the setting to option 2 on Server B and see what happens, or do I need to uninstall DNS and reinstall? I don't want to mess up Server A. Help really needed, and error logs available upon request.



Asked by: smantz

1 Solution

SGrossmann commented:
You can change this setting without any problem; the new server normally should complain that it does not get any replication for those partitions. Make sure your Forest and Domain run with 2003 native mode. http://www.petri.co.il/understanding_function_levels_in_windows_2003_ad.htm
CGretski commented:
You shouldn't have had to create the zone on B - it should have replicated itself from A. (Though it sometimes takes a few hours/reboots since DNS was installed.)

You may have duplicate zones now (in different AD partitions). Check the event logs for error 4515 to see if it is complaining about duplicates. If so, removing the duplicate zone should (eventually) fix things.

See http://support.microsoft.com/kb/867464


SGrossmann commented:
Thanks @CGretski for pointing to the manually created zone, I forgot this in my post. This zone should be deleted before changing the scope on the old server. Nevertheless, even if deleting the additionally created zone fixes the problem, I'd suggest changing it to the 2003 and upwards way for DNS replication within AD. If you add a 2008 (R2) server later to the domain you will get the same problem if you did not change it.
smantz (Author) commented:
I had one 4515 when I rebooted Server B yesterday. I'll check out the above links but I may have some questions.
--Thanks for the help
Darius Ghassem commented:
Most of the time you now select all Domain Controllers if your DNS zones are AD integrated, which they should be.
smantz (Author) commented:
I have read the kb867464 link and assume that I want to run adsiedit on Server B and follow option 3 directions. I guess my next question is, should Server B be disconnected from the network until all operations are completed?
smantz (Author) commented:
OK, I am running adsiedit on both servers and this is what I see on both.
Domain [ServerA.mydomain.net]
I drill down to CN=MicrosoftDNS and all I see is two folders: DC=20.172.in-addr.arpa and DC=RootDNSServers (which is empty).
What exactly am I looking for, or is what I am seeing normal?
SGrossmann commented:
I would not change anything within adsiedit. If you have a configured and working DNS zone on one DNS server and an empty one on the other DNS server, delete the empty zone, I'd assume on the new server. Afterwards double-check your forest and domain functional level, that both are 2003 native, as you said you don't have any older DCs. If this is done, change your replication for DNS to "All Domain Controllers within AD Domain" and check if it does replicate now. Overall I'd suggest running a full backup of the old domain controller before you start. This makes sure you've a working state.
smantz (Author) commented:
OK everyone, here is the 4515 error on Server B:
The zone smhscs.net was previously loaded from the directory partition MicrosoftDNS but another copy of the zone has been found in directory partition DomainDnsZones.smhscs.net. The DNS Server will ignore this new copy of the zone. Please resolve this conflict as soon as possible.
 
If an administrator has moved this zone from one directory partition to another this may be a harmless transient condition. In this case, no action is necessary. The deletion of the original copy of the zone should soon replicate to this server.
 
If there are two copies of this zone in two different directory partitions but this is not a transient caused by a zone move operation then one of these copies should be deleted as soon as possible to resolve this conflict.
 
To change the replication scope of an application directory partition containing DNS zones and for more details on storing DNS zones in the application directory partitions, please see Help and Support.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

From ADSIEDIT there is in the DomainDNSZones a CN=MicrosoftDNS having under it a DC=mydomain.net.
Within it are records with names, class,and distinguished names. This appears to have LDAP, Kerberos, and all the information you see under DNS management on Server A (the original).
This corresponds to option 2 in KB867464.

Also from ADSIEDIT there is in DC=mydomain,DC=net -> CN=System -> CN=MicrosoftDNS. I see two folders: DC=20.172.in-addr.arpa and DC=RootDNSServers (which is empty). DNS management on Server B has only Reverse Lookup records and 3 Forward Lookup records: SOA (pointing to itself), NS record listing itself, and one Host A record (itself).

What am I to delete in ADSIEDIT to correct the error on bootup? Which is the "new copy of the zone" the DNS Server is ignoring?
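An added diagnostic (not from this thread) that does in PowerShell what smantz did by hand in ADSIEDIT: it lists every dnsZone object in the three AD containers an AD-integrated zone can live in and flags any zone name stored in more than one of them, which is exactly the condition behind event 4515. It assumes PowerShell 2.0 or later on a domain member with LDAP read access, and the standard container names CN=MicrosoftDNS under CN=System, DomainDnsZones and ForestDnsZones; it changes nothing.

```powershell
# Added diagnostic, not part of the thread: list DNS zones per AD partition and
# report zones stored in more than one partition (the cause of DNS event 4515).
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDN = [string]$rootDse.defaultNamingContext     # e.g. DC=mydomain,DC=net
$forestDN = [string]$rootDse.rootDomainNamingContext

# Which containers exist depends on the replication scope in use: "all domain
# controllers" (2000 style) stores zones under CN=System, "all DNS servers" uses
# the DomainDnsZones / ForestDnsZones application partitions.
$containers = @(
    @{ Label = 'Domain partition (CN=System)'; Path = "LDAP://CN=MicrosoftDNS,CN=System,$domainDN" },
    @{ Label = 'DomainDnsZones partition';     Path = "LDAP://CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN" },
    @{ Label = 'ForestDnsZones partition';     Path = "LDAP://CN=MicrosoftDNS,DC=ForestDnsZones,$forestDN" }
)

$zones = foreach ($c in $containers) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]$c.Path
    $searcher.Filter      = '(objectClass=dnsZone)'
    $searcher.SearchScope = 'OneLevel'
    [void]$searcher.PropertiesToLoad.Add('name')
    try   { $results = $searcher.FindAll() }
    catch { Write-Warning "Could not read $($c.Path): $($_.Exception.Message)"; continue }
    foreach ($r in $results) {
        # dnsNode children are the records. A copy holding only SOA/NS/one A record
        # is the manually created "empty" zone; the populated copy is the real one.
        $nodeCount = @($r.GetDirectoryEntry().Children |
                       Where-Object { $_.SchemaClassName -eq 'dnsNode' }).Count
        New-Object PSObject -Property @{
            Zone = [string]$r.Properties['name'][0]; Partition = $c.Label; RecordNodes = $nodeCount
        }
    }
}

$zones | Sort-Object Zone, Partition | Format-Table Zone, Partition, RecordNodes -AutoSize

$dupes = $zones | Group-Object Zone | Where-Object { $_.Count -gt 1 }
if ($dupes) {
    foreach ($d in $dupes) {
        Write-Warning ("Zone '{0}' exists in {1} partitions; expect event 4515 until one copy is removed." -f $d.Name, $d.Count)
    }
} else {
    Write-Output 'No zone is stored in more than one partition.'
}
```

The RecordNodes column is what tells the two copies apart; the thread's advice to delete the sparse copy through the DNS console rather than ADSIEDIT still applies.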
smantz (Author) commented:
Sorry, didn't see your post before sending mine. At this point, couldn't I just uninstall DNS on Server B, delete the NTDS and ntfrs folders, reboot the server and reinstall DNS?
SGrossmann commented:
You can try to uninstall DNS, but this will keep the zone within your AD partitions.

I assume you've the state I more or less described above:

Server A:
working DNS setting, including server and client A records.

Server B:
the more or less empty DNS zone you described above: SOA record, NS records and one or two A records.

I'd really suggest deleting the "empty" zone on server B.
Afterwards you can uninstall DNS and reinstall it to make sure it is kept at a clear point.

Don't create any zones within server B now, and wait to see what will be loaded after replication.

When everything is working as expected, or at least no zone is loaded within server B, check your functional level and change the replication behaviour on server A to "All DNS Servers within the domain".

Make sure not to reboot server A for now if this is possible, because server A would as well find two zones within AD and would load one of them, and this might be the wrong/"empty" one.

Hope this pointed out the steps; if not, keep asking your questions.
smantz (Author) commented:
You've given some great input. So on Server B, I delete the whole zone, Forward and Reverse lookup and the _msdcs (I forgot to mention it populated; I think this is what it is called, at home now). Hopefully this will clear it out. Stay clear of using ADSIEDIT and hope for the best. Once I delete the zone, I should see only one MicrosoftDNS zone in one partition, my guess the DomainDNSZones rather than the one in System. Hope for the best. Could I delete the zone with the server unplugged, see what it does on Server B before letting it replicate back to Server A (if it will)?
smantz (Author) commented:
Is MS Backup System State O.K. for the backup?
SGrossmann commented:
Check the zones you've created manually on server B to see if there are any entries except for its own and SOA records; hopefully there aren't any other entries.

Then you can even delete them unplugged, but the point comes when the two servers are replicating the changes.

Sure, MS Backup System State is perfect.
CGretski commented:
Be careful with _msdcs; that is a separate zone holding Active Directory info.
Before you delete it, make sure it is a duplicate copy of the zone and not a successful replica.
Otherwise, if you delete it from B, it will replicate the deletion to A.



smantz (Author) commented:
O.K., I'm heading in to work and will update when I get there; however, as I recall: I created the mydomain.net on Server B. I didn't create anything else. The forward lookup appeared immediately (I don't think I created it, although in a bit could have). I kept checking and eventually the _msdcs and reverse lookup appeared and populated. I'm pretty sure they replicated to the zone. It sounds like all I should do is delete the forward lookup and not anything else. Maybe I'm confused and will look closer.
smantz (Author) commented:
Server B: Forward Lookup has _msdcs.mydomain.net and mydomain.net. The mydomain.net has the 3 records previously mentioned. The _msdcs.mydomain.net replicated from Server A. What do I do? I'm pretty sure I don't want to delete the whole zone. Should I try just deleting the mydomain.net in the Forward Zone?
SGrossmann commented:
Yes, don't delete the _msdcs zone that is replicated; this zone is absolutely critical for AD.

Only remove the empty zone for mydomain.net on server B.
smantz (Author) commented:
Hey thanks, and I think I understand the error looking with ADSIEDIT (interesting tool).
On Server B, and only Server B, I see the following. Connected to (ServerA.mydomain.net) DomainDNSZones, MicrosoftDNS, and I see DC=mydomain.net (filled with all the domain goodies). Good so far.
I then connect to just ServerB and drill down to the MicrosoftDNS under System and see DC=20.172.in-addr.arpa (expected), DC=RootDNSServers (expected) and DC=mydomain.net (not expected, and has just the ServerB info in it).
I am pretty sure that this is the culprit. On bootup, it finds two of the DC=mydomain.net, gives an error and loads the local info.
I am hoping removing mydomain.net from the zone will clear the error, or I can remove it using ADSIEDIT.
Your thoughts, and what would be the right procedure to get this controller back on track?
SGrossmann commented:
Delete the zone in the DNS management console on server B.
Afterward wait some minutes and restart the DNS service or the whole server and recheck DNS.

I had a similar problem with one of my customers, and within DNS I did not need to use ADSIEdit to fix it.
smantz (Author) commented:
Sorry it's taken a while to get back. I think that did the trick. I had Server B only connected for a few minutes Thursday before I had to leave and will be back this morning. The only thing I noticed now is a mrxSmb 8003 on Server A. Not sure how to approach this, as Server B thinks it's a Master Browser and maybe it is. Should I post this separately?
--SM
Darius Ghassem commented:
If the server is not the server holding the PDC FSMO role, then it should not be the master browser.

How to enable servers becoming browser servers

To encourage single-homed computers to become the browser servers, open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\IsDomainMaster and change the value of this key to yes, quit Registry Editor, and then restart your computer. NOTE: The registry settings in this article do not work on a Windows 2000 DC if it is the PDC emulator.

http://www.chicagotech.net/browser.htm#How%20to%20disable%20servers%20from%20becoming%20browser%20servers