Solved

Unable to remove a corrupt AD DNS zone

Posted on 2010-09-09
Last Modified: 2012-05-10
After performing a long round of recovery on a Server 2008R2 domain controller my one lingering issue is a corrupt primary DNS zone. This is a single DC environment with only the one primary DNS zone.

I am attempting to delete the zone and recreate it, then run a DCDiag to help put the pieces back together but running into the following error when trying to delete the zone:

The zone cannot be deleted.
The Active Directory service is not available.

All AD services are running and serving logon requests, but knowing how reliant on DNS AD is, I'm guessing it's the corruption in DNS that's keeping me from deleting the zone.

I did attempt to remove the zone via ADSIEdit but it doesn't show up in the console, so it's really jacked up. And, unfortunately, a good backup is not available to restore from (that's a tongue lashing for another day).

Any thoughts on how to force the zone deletion?
Question by:KeepSloanWeird
27 Comments
 
LVL 7

Expert Comment

by:ieden
ID: 33642036
Can you try this from a command prompt? Right click the C:\ and choose Run as Administrator, then click Yes. At the prompt type "dnscmd (ServerName) /ZoneDelete (ZoneName) /DsDel /f"; do not include the quotes or parens, and include your ServerName and ZoneName.
 
LVL 1

Author Comment

by:KeepSloanWeird
ID: 33642060
Failed:

DNS_ERROR_DS_UNAVAILABLE     9717   0x25f5
 
LVL 1

Author Comment

by:KeepSloanWeird
ID: 33642096
Just Googled that error message and see a couple of hits for a possible registry issue. As a side note, during recovery I did have to pull the SYSTEM and SOFTWARE reg files from RegBack to get the system back in service.

Ideas on where to look in the registry? The first couple of responses on Google require downloading a "recovery tool". Not keen on going down that road quite yet.
 
LVL 7

Expert Comment

by:ieden
ID: 33642105
In the DNS management MMC, is the zone listed as a Primary Zone, AD integrated? Try switching it to a secondary zone and disable AD integration first, then try deleting again.
 
LVL 1

Author Comment

by:KeepSloanWeird
ID: 33642132
Yep, already tried that path too. That gets this error:
Operation cannot be performed because this zone is shutdown.
 
LVL 7

Expert Comment

by:ieden
ID: 33642167
Can you add a server record to the zone?
 
LVL 7

Expert Comment

by:ieden
ID: 33642169
Sometimes you need to go backward before going forward...
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33642232
Is your server pointing to itself for DNS in the TCP/IP properties?

Here is the reg key to check.

http://social.technet.microsoft.com/Forums/en/winserverNIS/thread/5aac8e33-02d1-48d8-8dba-b3d47220c087
 
LVL 1

Author Comment

by:KeepSloanWeird
ID: 33642275
ieden: unable to add anything, zone has a big red X just giving me the middle finger.

dariusg: It is pointing to itself via 127.0.0.1. And this is the only DNS server on a network of two servers. (Note to self: add DNS services to the second server when fixed.)

I went to the noted reg key and don't see any references to old domains or old controllers. I only see the one I'm trying to fix. Should the reg keys be deleted anyway?
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33642321
No. I would try to go ahead and create another DNS zone on another DC and see if the zone is created, since it is stored in AD.
 
LVL 1

Author Comment

by:KeepSloanWeird
ID: 33642355
Except that this is a single DC environment. My only option there would be to create one on the existing DC.
 
LVL 7

Expert Comment

by:ieden
ID: 33642515
I was trying to avoid talking about it since you mentioned one DC. If you can temporarily load even a workstation with 2008 (yes, a 2008 DC can join a 2008 R2 domain), promote it, and see if the zone replicates to the new server. If not, then you can temporarily seize the roles, demote the primary, remove its account from AD/DNS/etc... Then reload the primary from scratch with the same name as before, promote it, seize the roles and demote the temporary server.
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33643038
That is what I was trying to get at: create a new domain controller and allow replication to take place; this should allow the zone to replicate over to the new server. I believe the issue is not with AD but instead the server itself.
 
LVL 1

Author Comment

by:KeepSloanWeird
ID: 33643213
I was thinking that was coming next.

There is a 2008 R2 RDC server that I had originally toyed with the idea of promoting to a DC as a backup but didn't because of its primary role as an end-user RDC system. Looks like I don't really have a choice now.

Quick question before pulling the trigger: If the DNS zone is corrupt, won't the DCPromo run into issues? Or should DNS services be added first to create a fresh copy of the zone, then promote?
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33645933
You can try either way but this is really a good shot.

I wouldn't install a DC on your RDS system. I would install a temp system just to do this.
 
LVL 7

Accepted Solution

by: ieden (earned 500 total points)
ID: 33646121
DCPROMO will undoubtedly run into issues. However, the amount of work that it will accomplish for you will go a long way in removing the faulty DC from the domain. In other words, you will have to do less work by hand. Make sure to do a detailed "manual" removal after DCPROMO fails: Sites and Services, DHCP scopes, WINS, DNS zones on the new DC, etc...
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33646174
When I told you NO above I meant Yes. You should delete any DNS Zone listed in this part of the registry.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones
 
LVL 1

Author Comment

by:KeepSloanWeird
ID: 33646254
Ok, I'm going to start with dariusg's suggestion and dump the zone keys from the registry, restart DNS, and see if that'll let me create a fresh zone.

If that doesn't work then I'll move forward with putting a temp 2008 workstation/server in place.

Thanks for all of the help so far.............VERY much appreciated!!

FYI - I'll be later this afternoon before I get back to troubleshooting this issue so I won't post any updates for a little while.
 
LVL 1

Author Comment

by:KeepSloanWeird
ID: 33674292
FYI - I haven't abandoned this issue yet. Just got to a point to where I needed to burn a call to MS support.

I'll post their fix when we get it.

Thanks again to your help thus far! VERY much appreciated.
 
LVL 1

Author Comment

by:KeepSloanWeird
ID: 33677745
For those still following this one here's what MS has done:

1. Added DNS role to secondary server
2. Created matching zone
3. Pointed DNS in the network properties for the corrupt DNS server to the secondary DNS server
4. ipconfig /flushdns
5. ipconfig /registerdns - that forced the DC to register all of its service records with the new zone
6. Removed the DNS role from the corrupt server
7. Using a combination of adsiedit and ntdsutil the borked AD integrated zone was able to be removed but we're hitting a road block with the reverse DNS zone. The directory services team has been engaged and they are researching.

Just by adding the DNS role, pointing DNS to the secondary server, and re-registering the records fixed a lot of issues. Once the last corrupt zone is deleted the DNS role can be added back and zones recreated.
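The "re-point, flush, re-register" steps (3 to 5) of the procedure above, scripted as an added example that is not from the thread or from Microsoft support; it also inventories and backs up the zone keys under the registry path mentioned earlier. The NIC alias and the temporary DNS server address are assumed, hypothetical values, and the script is written for PowerShell 2.0 on the 2008 R2 DC, where netsh and dnscmd exist but the DnsClient/DnsServer cmdlets do not.

```powershell
# Added example (not from the thread or from Microsoft support): audit the
# DNS Server zone keys, back them up, then script steps 3-5 of the procedure
# above. Assumed, hypothetical values: the NIC alias and the temp DNS server IP.
param(
    [string]$InterfaceName = "Local Area Connection",  # assumed NIC alias on the DC
    [string]$TempDnsServer = "192.0.2.10",             # assumed temp DNS server (constructed)
    [string]$BackupDir     = "C:\DnsRecovery"
)

$zonesKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones'

# Inventory the zones the DNS service still thinks it hosts. The registry view
# survives even when the AD-integrated copy cannot be read (the "shutdown" zone).
Get-ChildItem -Path $zonesKey | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    New-Object PSObject -Property @{
        Zone         = $_.PSChildName
        Type         = $p.Type          # 1 = primary, 2 = secondary (value names assumed)
        DsIntegrated = $p.DsIntegrated  # 1 = zone stored in AD
    }
} | Format-Table Zone, Type, DsIntegrated -AutoSize

# Export the zone keys first, so deleting them later (as suggested above) is reversible.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
reg export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones' `
    "$BackupDir\dns-zones-$stamp.reg" /y | Out-Null

# Step 3: point the DC's own resolver at the temporary DNS server instead of
# 127.0.0.1 (netsh, because Set-DnsClientServerAddress does not exist on 2008 R2).
netsh interface ipv4 set dnsservers name="$InterfaceName" source=static `
    address=$TempDnsServer register=primary

# Steps 4 and 5: flush the cache and force the DC to re-register its A and
# SRV records into the fresh zone on the temporary server.
ipconfig /flushdns    | Out-Null
ipconfig /registerdns | Out-Null
nltest /dsregdns      | Out-Null   # Netlogon re-registers the DC locator records

# Verify the DC locator record resolves via the temporary server before
# removing the DNS role from the corrupt DC (step 6).
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN" $TempDnsServer
```

Run it from an elevated prompt on the corrupt DC; if the final nslookup does not return the DC's SRV record from the temporary server, stop before removing the DNS role.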
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33681647
That is what I was trying to tell you when I was saying to create another secondary server and put DNS on this server.
 
LVL 1

Author Comment

by:KeepSloanWeird
ID: 33682299
dariusg - I completely agree with you and you'll get credit for making that suggestion as getting a temporary DNS server has helped get us closer to resolution.
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33682395
I know. I don't really care about the points; I just wanted to make sure we were on the same page.
 
LVL 1

Author Comment

by:KeepSloanWeird
ID: 33682534
Oh yeah, we're on the same page. The only thing holding up final resolution is corruption hiding deep in the AD directory services partition that won't allow the deletion of the reverse lookup zone. Unfortunately, because this is a single DC environment and a viable backup isn't available, getting to the root of the problem is proving difficult. The MS Directory Services team has been engaged and started looking for a fix last night. But considering what we're up against, I won't be surprised if your other recommendation to put a temp DC on the network ends up happening.
 
LVL 7

Expert Comment

by:ieden
ID: 34064416
Any success with MS in decommissioning that botched zone?
 
LVL 1

Author Comment

by:KeepSloanWeird
ID: 34069580
Oh good grief. Completely forgot I had this question hanging out there.

MS had a number of different teams working on the issue by the time we wrapped it up. A flaky RAID controller ended up being the culprit and ultimately kept the issue from being resolved without rebuilding the server.

Final resolution was to install a temporary AD/DNS server, transfer all of the roles, force the removal of the problem server, do a metadata cleanup, then rebuild the box after the RAID controller was replaced and put it back into service.

So ieden - your suggestion early on ended up being the winner.
 
LVL 1

Author Closing Comment

by:KeepSloanWeird
ID: 34069589
Only thing that ended up being added was that the problem server had to be forced out of its role as DC, followed by a metadata cleanup.
