Link to home
Start Free TrialLog in
Avatar of KeepSloanWeird
KeepSloanWeirdFlag for United States of America

asked on

Unable to remove a corrupt AD DNS zone

After performing a long round of recovery on a Server 2008R2 domain controller my one lingering issue is a corrupt primary DNS zone. This is a single DC environment with only the one primary DNS zone.

I am attempting to delete the zone and recreate it, then run a DCDiag to help put the pieces back together but running into the following error when trying to delete the zone:

The zone cannot be deleted.
The Active Directory service is not available.

All AD services are running and serving logon requests, but knowing now reliant on DNS AD is I'm guessing it's the corruption in DNS that's keeping me from deleting the zone.

I did attempt to remove the zone via ADSIEdit but it doesn't show up in the console, so it's really jacked up. And, unfortunately, a good back up is not available to restore from (that's a tongue lashing for another day).

And thoughts on how to force the zone deletion?
Avatar of ieden

can you try this from a Command prompt? Right click the C:\ and choose run as Administrator then click yes. At the prompt type "dnscmd (ServerName) /ZoneDelete (ZoneName) /DsDel /f" do not include quotes or parens, include your ServerName and ZoneName.
Avatar of KeepSloanWeird



DNS_ERROR_DS_UNAVAILABLE     9717   0x25f5
Just Googled that error message and see a couple of hits for a possible registry issue. As a side note, during recovery I did have to pull the SYSTEM and SOFTWARE reg files from RegBack to get the system back in service.

Ideas on where to look in the registry? The first couple of responses on Google require downloading a "recovery tool". Not keen on going down that road quite yet.
In DNS management mmc is the zone listed as a Primary Zone AD integrated? Try swithing it to a secondary zone and disable AD integration first then try deleting again.
Yep, already tried that path too. That gets this error:
Operation cannot be performed because this zone is shutdown.
can you add a server record to the zone?
sometimes you need to go backward before going forward...
Avatar of Darius Ghassem
Is the your server pointing to itself for DNS in the TCP\IP properties?

Here is the reg key to check.
ieden: unable to add anything, zone has a big red X just giving me the middle finger.

dariusq: It is pointing to itself via And this is the only DNS server on a network of two servers. (Note to self: add DNS services to second server when fixed).

I went to the noted reg key and don't seen any references to old domains or old controllers. I only see the one I'm trying to fix. Should the reg keys be deleted anyway?
No, I would try to go ahead and create another DNS zone on another DC see if the zone is create since it is stored in AD.
Accept that this is a single DC environment. My only option there would be to create one on the existing DC.
I was trying to avoid talking about it since you mentioned one DC. If you can temporarily load even a workstation with 2008 (yes, a 2008 DC can join a 2008r2 domain) promote it, and see if the Zone replicates to the new server. If no, then you can temporarily seize the roles, demote the Primary, remove it's account from AD/DNS/etc... Then reload the Primary from scratch with the same name as before, promote it, seize the roles and demote the temporary server.
That is what I was trying to get create a new domain controller allow replication to take place this should allow to replicate the zone over to the new server. I believe the issue is not with AD but instead the server itself.
I was thinking that was coming next.

There is a 2008r2 RDC server that I had originally toyed with the idea of promoting to a DC as a backup but didn't because its primary role as an end-user RDC system. Looks like I don't really have a choice now.

Quick question before pulling the trigger: If the DNS zone is corrupt won't the DCPromo run in to issues? Or should DNS services be added first and create a fresh copy of the zone the promote?
You can try either way but this is really a good shot.

I wouldn't install a DC on your RDS system. I would install a temp system just to do this.
Avatar of ieden

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
When I told you NO above I meant Yes. You should delete any DNS Zone listed in this part of the registry.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones
Ok, I'm going to start with dariusg's suggestion and dump the zone keys from the registery, restart DNS, and see if that'll let me create a fresh zone.

If that doesn't work then I'll move forward with putting a temp 2008 workstation/server in place.

Thanks for all of the help so far.............VERY much appreciated!!

FYI - I'll be later this afternoon before I get back to troubleshooting this issue so I won't post any updates for a little while.
FYI - I haven't abandoned this issue yet. Just got to a point to where I needed to burn a call to MS support.

I'll post their fix when we get it.

Thanks again to your help thus far! VERY much appreciated.
For those still following this one here's what MS has done:

1. Added DNS role to secondary server
2. Created matching zone
3. Pointed DNS in the network properties for the corrupt DNS server to the secondary DNS server
4. ipconfig /flushdns
5. ipconfig /registerdns - that forced the DC to register all of its service records with the new zone
6. Removed the DNS role from the corrupt server
7. Using a combination of adsiedit and ntdsutil the borked AD integrated zone was able to be removed but we're hitting a road block with the reverse DNS zone. The directory services team has been engaged and they are researching.

Just by adding the DNS role, pointing DNS to the secondary server, and re-registering the records fixed a lot of issues. Once the last corrupt zone is deleted the DNS role can be added back and zones recreated.
That is what i was trying to tell you when I was saying create another secondary server put DNS on this server.
dariusg - I completely agree with you and you'll get credit for making that suggestion as getting a temporary DNS server has helped get us closer to resolution.
I know I don't really care about the points I just wanted to make sure we were on the same page
Oh yeah, we're on the same page. The only thing holding up final resolution is corruption hiding deep in the AD directory services partition that won't allow the deletion of the reverse lookup zone. Unfortunately because this is a singe DC environment, and a viable backup isn't available, getting to the root of the problem is proving difficult. The MS Directory Services team has been engaged and started looking for a fix last night. But considering what we're up against I won't be surprised if your other recommendation to put a temp DC on the network ends up happening.
Any success with MS in decommissioning that batched zone?
Oh good grief. Completely forgot I had this question hanging out there.

MS had a number of different teams working on the issue by the time we wrapped it up. A flaky RAID controller ended up being the culprit and ultimately kept the issue from being resolved with out rebuilding the server.

Final resolution was to install a temporary AD/DNS server, transfer all of the roles, force a the removal of the problem server, do a metadata clean up, then rebuild the box after the RAID controller was replaced and put it back into service.

So ieden - your suggestion early on ended up being the winner.
Only thing that ended up being added was that the problem server had to be forced out of it's role as DC followed by a metadata clean up.