Windows 2003 Active Directory - DNS records deleted and requires restore

Hello to everyone,

I have a bit of an odd situation here and looking for suggestions.

We've got two servers (e.g DC1 & DC2) in an Active Directory, both are domain controllers.
For a while, the replication between the two stopped working, however no one failed to notice the issue.  DC1 holds all FSMO roles.

Because of various problems, someone went to DC1 and performed a DNS Scavenge which deleted most of the 'Forward Lookup Zones -- _msdcs.dlm.local' entries, and this has caused a number of problems.

The DC2 DNS server however does still contain the entries deleted on DC1's DNS Server.

My question is how can I copy the 'Forward Lookup Zones -- _msdcs.dlm.local' from DC2 to DC1 without causing any problems, and then start the replication between the DC's again?

I've tried netdiag, dcdiag fix, but they have failed to provide a working solution.

Any help or suggestion is much appreciated.

Thank you.
kosmas Asked:
Anuroopsundd Commented:
It seems you have integrated DNS. If yes, it should populate back again. Also, you can set the DNS on DC1 to replicate from DC2.
kosmas Author Commented:
Anuroopsundd,

You are correct, it is integrated DNS.

Can you please explain the exact steps required to replicate DC1 from DC2?

Thank you.
Anuroopsundd Commented:
Just create the _msdcs.dlm.local forward lookup zone back and it will start populating.
kosmas Author Commented:
Anuroopsundd,

You mean on the DC1, delete the _msdcs.domain.local and create another one?

How is this going to work when AD replication is not working between the two DC's ?

Again, we want to replicate DC2's zone to DC1.  DC1 is the FSMO domain controller.

Thanks.
Anuroopsundd Commented:
If you are facing the AD replication problem, the first thing is to set the Primary DNS server in DC1's network settings to DC2's IP. At least the replication and other things will continue.
Anuroopsundd Commented:
Once your DC replication completes, right-click on _msdcs.domain.com and try to reload.
Mike Kline Commented:
How long did your DCs not replicate? I'm not agreeing with the advice you are getting here; just changing the DNS settings on DC1 is not going to start replication.

If they didn't replicate within the tombstone lifetime, then you will have to clean up DC1 (metadata cleanup).

Thanks

Mike
kosmas Author Commented:
Mike,

The replication has been offline for a long time - over 60 days (tombstone) and possibly more. I believe enabling replication after such a long time will only introduce new problems in the Active Directory schema.

Any ideas suggestions?
Anuroopsundd Commented:
That's a long time.

Mike Kline Commented:
You won't be able to enable replication if they have been offline that long.

You can

1.  dcpromo /forceremoval on the bad DC
2.  Clean up the DC from AD (http://www.petri.co.il/delete_failed_dcs_from_ad.htm)
3.  If the box held FSMO roles you seize the roles to the other DC
4.  You can then join the computer back to the domain and promote it again.


Same steps for cleaning up USN rollbacks: http://blogs.technet.com/b/askds/archive/2009/06/05/dc-s-and-vm-s-avoiding-the-do-over.aspx - I just included that so you can see the steps (same as what I wrote above).

Thanks

Mike
Prashant Girennavar Commented:
Check Replication is working fine between domain controllers first.

I agree with Mike: if a few AD objects crossed the tombstone lifetime, you will have to demote DC1 and promote it back (as they will create lingering objects in your AD, which will cause problems in replication).

I would suggest you run dcdiag /q and repadmin /replsum on the domain controllers and post the results here.

Regards,

_Prashant_
Mike Kline Commented:
He already knows replication is not working.

Thanks

Mike
Anuroopsundd Commented:
I have put the link, which can be of help to replicate one side due to the lingering objects.
kosmas Author Commented:
Further looking in to this, it seems replication is not going to work as Mike suggested.

Breaking this problem into two pieces, I have the following:

1) AD replication not working between DCs
2) DNS scavenge on DC1 caused a number of problems.

So here is my thought:

1) Import DC2's DNS server records to DC1 to overcome the problem caused by the scavenging of DC1's DNS server

2) Backup the DC's and proceed with the cleanup a bit later on.

So, my question would be, how can I safely copy DC2's DNS server records to DC1's DNS server?

Thanks to all for their input!
Leon Fester, Senior Solutions Architect, Commented:
You can export from DC2 and then delete the DNS zone on DC1 and create a new zone file from the exported file.

You can use the DNSCMD /zoneexport command, then look in the %windir%\system32\dns\ folder for the file.
On DC2
run dnscmd /zoneexport dlm.local dlm.local.txt

The TXT file of the zone export is in the same format as a flat primary DNS zone file.
Change the extension from .txt to .dns and you can simply specify that file name on the new DNS server as the primary zone file when you re-create the DNS zone on your DC.

DNSCMD should be available in the Windows Support Tool and Windows Resource Kit.

then run
ipconfig /registerdns
netdiag /fix
dcdiag /fix
repadmin /syncall

Finish it off with a dcdiag /v and look for any additional errors in Active Directory.
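As an added check (example code, not from this thread or from any of the posters): after running dnscmd /zoneexport on both DCs, a small Python script can compare the two flat zone files and list the _msdcs records that DC1's scavenged copy lacks relative to DC2, and confirm the DC-locator SRV records are present before the zone is re-created on DC1. The file contents, hostnames and addresses below are constructed samples.

```python
# Constructed sample dnscmd /zoneexport files (flat primary-zone format) for _msdcs.dlm.local.
DC2_EXPORT = """\
;  Database file _msdcs.dlm.local.txt for _msdcs.dlm.local zone.
@   IN  SOA dc2.dlm.local. hostmaster.dlm.local. (
        42 900 600 86400 3600 )
@                 NS   dc2.dlm.local.
@                 NS   dc1.dlm.local.
_ldap._tcp.dc     600  SRV  0 100 389  dc2.dlm.local.
_kerberos._tcp.dc 600  SRV  0 100 88   dc2.dlm.local.
_ldap._tcp.pdc    600  SRV  0 100 389  dc1.dlm.local.
_ldap._tcp.gc     600  SRV  0 100 3268 dc2.dlm.local.
gc                600  A    10.0.0.2
"""
DC1_EXPORT = """\
@   IN  SOA dc1.dlm.local. hostmaster.dlm.local. (
        7 900 600 86400 3600 )
@                 NS   dc1.dlm.local.
gc                600  A    10.0.0.2
"""
# SRV owners every _msdcs zone needs so clients can find a DC, KDC, PDC emulator and GC.
REQUIRED_SRV = ("_ldap._tcp.dc", "_kerberos._tcp.dc", "_ldap._tcp.pdc", "_ldap._tcp.gc")

def parse_zone(text):
    """Return a set of (owner, type, rdata) tuples; the SOA record is skipped."""
    records, owner, in_soa = set(), "@", False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if in_soa:                                     # inside a multi-line SOA
            in_soa = ")" not in line
            continue
        if not line.strip() or line.startswith("$"):   # blank or $ORIGIN/$TTL
            continue
        if not raw[0].isspace():                       # owner begins the line;
            owner, line = (line.split(None, 1) + [""])[:2]  # else reuse previous
        fields = line.split()
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                              # optional TTL and class
        if not fields:
            continue
        rtype, rdata = fields[0].upper(), " ".join(fields[1:])
        if rtype == "SOA":
            in_soa = "(" in line and ")" not in line
            continue
        records.add((owner, rtype, rdata))
    return records

def missing_records(reference, damaged):   # records the scavenged export lacks
    return sorted(parse_zone(reference) - parse_zone(damaged))

def missing_locator_srv(text):             # required SRV owners with no SRV at all
    owners = {o for o, t, _ in parse_zone(text) if t == "SRV"}
    return [name for name in REQUIRED_SRV if name not in owners]
```

Point parse_zone at the real export files from %windir%\system32\dns\ on each DC; the DC2 file is the one to rename to .dns and load on DC1 once it passes the locator check.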
Anuroopsundd Commented:
It would be good to change DC1's DNS zone to a secondary and allow zone transfers on DC2.