Solved

Windows 2003 Active Directory - DNS records deleted and requires restore

Posted on 2012-03-31
17 comments, 370 views
Last Modified: 2012-06-27
Hello to everyone,

I have a bit of an odd situation here and looking for suggestions.

We've got two servers (e.g. DC1 & DC2) in an Active Directory; both are domain controllers.
For a while, the replication between the two stopped working; however, no one noticed the issue. DC1 holds all FSMO roles.

Because of various problems, someone went to DC1 and performed a DNS scavenge, which deleted most of the 'Forward Lookup Zones -- _msdcs.dlm.local' entries, and this has caused a number of problems.

The DC2 DNS server however does still contain the entries deleted on DC1's DNS Server.

My question is: how can I copy the 'Forward Lookup Zones -- _msdcs.dlm.local' from DC2 to DC1 without causing any problems, and then start the replication between the DCs again?

I've tried netdiag and dcdiag /fix, but they have failed to provide a working solution.

Any help or suggestion is much appreciated.

Thank you.
Question by:kosmas
17 Comments
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37790784
It seems you have integrated DNS. If yes, it should populate back again. Also, you can set DNS on DC1 to replicate from DC2.

Author Comment

by:kosmas
ID: 37790794
Anuroopsundd,

You are correct, it is integrated DNS.

Can you please explain the exact steps required to replicate DC1 from DC2?

Thank you.
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37790797
Just create the _msdcs.dlm.local forward lookup zone again and it will start populating.

Author Comment

by:kosmas
ID: 37790805
Anuroopsundd,

You mean on the DC1, delete the _msdcs.domain.local and create another one?

How is this going to work when AD replication is not working between the two DCs?

Again, we want to replicate DC2's zone to DC1. DC1 is the FSMO domain controller.

Thanks.
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37790813
If you are facing AD replication problems, the first thing is to set the primary DNS server in DC1's network settings to DC2's IP. At least replication and other things will continue.
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37790817
Once your DC replication completes, right-click on _msdcs.domain.com and try to reload.
LVL 57

Expert Comment

by:Mike Kline
ID: 37790820
How long did your DCs not replicate? I'm not agreeing with the advice you are getting here; just changing the DNS settings on DC1 is not going to start replication.

If they didn't replicate within the tombstone lifetime, then you will have to clean up DC1 (metadata cleanup).

Thanks

Mike

Author Comment

by:kosmas
ID: 37790826
Mike,

The replication has been offline for a long time - over 60 days (tombstone) and possibly more. I believe enabling replication after such a long time will only introduce new problems in the Active Directory schema.

Any ideas or suggestions?
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37790829
That's a long time.
LVL 17

Accepted Solution

by: Anuroopsundd (earned 500 total points)
ID: 37790830
LVL 57

Expert Comment

by:Mike Kline
ID: 37790831
You won't be able to enable replication if they have been offline that long.

You can

1. dcpromo forceremoval on the bad DC
2. Clean up the DC from AD (http://www.petri.co.il/delete_failed_dcs_from_ad.htm)
3. If the box held FSMO roles, you seize the roles to the other DC
4. You can then join the computer back to the domain and promote it again.

Same steps for cleaning up USN rollbacks: http://blogs.technet.com/b/askds/archive/2009/06/05/dc-s-and-vm-s-avoiding-the-do-over.aspx - I just included that so you can see the steps (same as what I wrote above).

Thanks

Mike
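The four steps Mike lists, written out as the commands an administrator would run, as an added example that is not part of Mike's comment or of the thread. It assumes DC1 is the stale DC being removed and DC2 the one that stays, that the domain is dlm.local, that the site is Default-First-Site-Name and that the Windows Server 2003 SP1 Support Tools (ntdsutil, repadmin, dcdiag, nltest, dnscmd) are installed on DC2. The script is meant to run on DC2; the parts that belong on DC1 are left as REM lines so nothing runs on the wrong machine.

```batch
@echo off
REM Added example (not from the thread): forced demotion of DC1, metadata
REM cleanup and FSMO seizure on DC2, following Mike's four steps.
REM Assumptions: DC1 is the DC being removed, DC2 stays, the domain is
REM dlm.local and the site is Default-First-Site-Name (all placeholders
REM from the question; adjust the DN below to the real site name).

REM ---- Step 1: run ON DC1. Force demotion without contacting other DCs. ----
REM dcpromo /forceremoval
REM (reboot DC1 when it completes; it comes back as a stand-alone server)

REM ---- Steps 2 and 3: run ON DC2. ----
REM Step 2: remove DC1's NTDS Settings and server object from the directory.
REM Windows Server 2003 SP1 ntdsutil accepts the server DN directly.
ntdsutil "metadata cleanup" "connections" "connect to server DC2" "quit" ^
  "remove selected server CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dlm,DC=local" ^
  "quit" "quit"

REM Step 3: seize all five FSMO roles on DC2 (DC1 is gone, so a normal transfer is impossible).
ntdsutil "roles" "connections" "connect to server DC2" "quit" ^
  "seize schema master" "seize domain naming master" "seize RID master" ^
  "seize PDC" "seize infrastructure master" "quit" "quit"

REM Remove DC1's host node from DNS so clients stop resolving the dead DC,
REM then re-register DC2's own locator (SRV) records.
dnscmd DC2 /nodedelete dlm.local DC1 /f
nltest /dsregdns

REM Verify: the locator must return DC2, dcdiag should be quiet, and
REM repadmin must no longer list a partner named DC1.
nltest /dsgetdc:dlm.local /force
dcdiag /q
repadmin /replsummary
repadmin /showrepl

REM ---- Step 4: run ON DC1 after it has been rebuilt as a member server. ----
REM netdom join DC1 /domain:dlm.local /userd:dlm\Administrator /passwordd:*
REM dcpromo    (promote it again; it then replicates the intact directory and DNS from DC2)
```

The seize commands prompt for confirmation, so run the script from an interactive console. Seizing the roles while DC1 still exists on the network is what makes step 1 mandatory: a forcibly demoted DC must never be brought back online as a DC, which is why step 4 rejoins it from scratch.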
LVL 10

Expert Comment

by:Prashant Girennavar
ID: 37790832
Check that replication is working fine between the domain controllers first.

I agree with Mike: if a few AD objects crossed the tombstone lifetime, you will have to demote DC1 and promote it back (as they will create lingering objects in your AD, which will cause problems in replication).

I would suggest you to run dcdiag /q and repadmin /replsum on the domain controllers and post the result here.

Regards,

_Prashant_
LVL 57

Expert Comment

by:Mike Kline
ID: 37790836
He already knows replication is not working.

Thanks

Mike
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37790849
I have put in the link, which can be of help to replicate one side due to the lingering objects.

Author Comment

by:kosmas
ID: 37790860
Looking further into this, it seems replication is not going to work, as Mike suggested.

Breaking this problem into two pieces, I have the following:

1) AD replication not working between the DCs
2) DNS scavenge on DC1 caused a number of problems.

So here is my thought:

1) Import DC2's DNS server records to DC1 to overcome the problem caused by the scavenging of DC1's DNS server

2) Back up the DCs and proceed with the cleanup a bit later on.

So, my question would be, how can I safely copy DC2's DNS server records to DC1's DNS server?

Thanks to all for their input!
LVL 26

Expert Comment

by:Leon Fester
ID: 37792073
You can export from DC2, then delete the DNS zone on DC1 and create a new zone file from the exported file.

You can use the DNSCMD /zoneexport command, then look in the %windir%\system32\dns\ folder for the file.
On DC2 run:
dnscmd /zoneexport dlm.local dlm.local.txt

The TXT file of the zone export is in the same format as a flat primary DNS zone file.
Change the extension from .txt to .dns and you can simply specify that file name on the new DNS server as the primary zone file when you re-create the DNS zone on your DC.

DNSCMD should be available in the Windows Support Tools and Windows Resource Kit.

Then run:
ipconfig /registerdns
netdiag /fix
dcdiag /fix
repadmin /syncall

Finish it off with a dcdiag /v and look for any additional errors in Active Directory.
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37792272
It would be good to change DC1's DNS zone to a secondary and allow zone transfer on DC2.
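Leon Fester's export-and-recreate procedure and Anuroopsundd's secondary-zone variant, carried through for the _msdcs.dlm.local zone the question is about, as an added example that is neither poster's own commands. It assumes DC2 is reachable by name and by the placeholder address 10.0.0.2, that the admin$ share on both DCs maps to %windir% as usual, that dnscmd, repadmin and dcdiag are installed, and that the zone is left as a standard (file-backed) primary on DC1 rather than converted back to AD-integrated, since DC1's directory is stale and is due for cleanup anyway.

```batch
@echo off
REM Added example (not from the thread): rebuild DC1's copy of the
REM _msdcs.dlm.local zone from DC2's intact copy, with a check before the
REM import and verification afterwards. Run from a console that has admin
REM rights on both DCs. Placeholders: DC2IP, the zone name, the site layout.

set ZONE=_msdcs.dlm.local
set DC2IP=10.0.0.2

REM ---- On DC2: export the intact zone. dnscmd writes the file into %windir%\system32\dns. ----
dnscmd DC2 /zoneexport %ZONE% %ZONE%.txt

REM Do not touch DC1 unless the export actually carries the DC-locator SRV records
REM (_ldap._tcp.dc.<zone>) that the scavenge removed.
findstr /i "_ldap._tcp.dc" \\DC2\admin$\system32\dns\%ZONE%.txt >nul || (
  echo Export has no _ldap._tcp.dc SRV records, stopping. & exit /b 1
)

REM Copy it to DC1 with the .dns extension so it can back a standard primary zone.
copy /y \\DC2\admin$\system32\dns\%ZONE%.txt \\DC1\admin$\system32\dns\%ZONE%.dns

REM ---- On DC1: keep a snapshot of the scavenged zone, then replace it. ----
dnscmd DC1 /zoneexport %ZONE% %ZONE%.before-import.txt
dnscmd DC1 /zonedelete %ZONE% /dsdel /f
dnscmd DC1 /zoneadd %ZONE% /primary /file %ZONE%.dns /load

REM Leaving it as a standard primary avoids writing zone objects into DC1's
REM stale directory; DC1 gets the AD-integrated copy back once it is cleaned
REM up and re-promoted. (dnscmd DC1 /zoneresettype %ZONE% /dsprimary would
REM convert it in place if that is wanted.)

REM ---- Alternative (Anuroopsundd's suggestion): make DC1 a secondary of DC2. ----
REM Allow transfers only to DC1's address, then add the zone as a secondary.
REM dnscmd DC2 /zoneresetsecondaries %ZONE% /securelist <DC1-IP placeholder>
REM dnscmd DC1 /zonedelete %ZONE% /dsdel /f
REM dnscmd DC1 /zoneadd %ZONE% /secondary %DC2IP%
REM dnscmd DC1 /zonerefresh %ZONE%

REM ---- Verify: zone type and record count on DC1, locator lookup against DC1 ----
dnscmd DC1 /zoneinfo %ZONE%
nslookup -type=SRV _ldap._tcp.dc.%ZONE% DC1
ipconfig /registerdns
dcdiag /v
```

The findstr guard is the part worth keeping even if the rest is done by hand: importing an export that is itself incomplete would silently reproduce the scavenge damage on DC1. The secondary-zone variant is the lower-risk option while replication is down, because DC1 then only ever holds a read-only copy that DC2 refreshes, and nothing has to be converted back later.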
