kosmas
Windows 2003 Active Directory - DNS records deleted and requires restore

Hello to everyone,

I have a bit of an odd situation here and looking for suggestions.

We've got two servers (e.g. DC1 & DC2) in an Active Directory; both are domain controllers.
For a while, the replication between the two stopped working, however no one failed to notice the issue. DC1 holds all FSMO roles.

Because of various problems, someone went to DC1 and performed a DNS scavenge, which deleted most of the 'Forward Lookup Zones -- _msdcs.dlm.local' entries, and this has caused a number of problems.

The DC2 DNS server however does still contain the entries deleted on DC1's DNS Server.

My question is: how can I copy the 'Forward Lookup Zones -- _msdcs.dlm.local' from DC2 to DC1 without causing any problems, and then start the replication between the DCs again?

I've tried netdiag, dcdiag fix, but they have failed to provide a working solution.

Any help or suggestion is much appreciated.

Thank you.
Anuroopsundd
It seems you have integrated DNS. If yes, it should populate back again. Also, you can set DNS on DC1 to replicate from DC2.
kosmas (ASKER)

Anuroopsundd,

You are correct, it is integrated DNS.

Can you please explain the exact steps required to replicate DC1 from DC2?

Thank you.
Just create back the _msdcs.dlm.local forward lookup zone and it will start populating.
kosmas (ASKER)

Anuroopsundd,

You mean on DC1, delete the _msdcs.domain.local zone and create another one?

How is this going to work when AD replication is not working between the two DCs?

Again, we want to replicate DC2's zone to DC1. DC1 is the FSMO domain controller.

Thanks.
If you are facing the AD replication problem, the first thing is to put the primary DNS server in DC1's network settings to DC2's IP; at least the replication and other things will continue.
Once your replication of DC completes, right-click on _msdcs.domain.com and try to reload.
Mike Kline
How long did your DCs not replicate? I'm not agreeing with the advice you are getting here; just changing the DNS settings on DC1 is not going to start replication.

If they didn't replicate within the tombstone lifetime, then you will have to clean up DC1 (metadata cleanup).

Thanks

Mike
kosmas (ASKER)

Mike,

The replication has been offline for a long time, over 60 days (tombstone) and possibly more. I believe enabling replication after such a long time will only introduce new problems in the Active Directory schema.

Any ideas or suggestions?
That's a long time.
ASKER CERTIFIED SOLUTION
Anuroopsundd
This solution is only available to members.
You won't be able to enable replication if they have been offline that long.

You can

1.  dcpromo /forceremoval on the bad DC
2.  Clean up the DC from AD (http://www.petri.co.il/delete_failed_dcs_from_ad.htm)
3.  If the box held FSMO roles, you seize the roles to the other DC
4.  You can then join the computer back to the domain and promote it again.


Same steps for cleaning up USN rollbacks: http://blogs.technet.com/b/askds/archive/2009/06/05/dc-s-and-vm-s-avoiding-the-do-over.aspx - I just included that so you can see the steps (same as what I wrote above).

Thanks

Mike
Check Replication is working fine between domain controllers first.

I agree with Mike; if a few AD objects crossed the tombstone life, you will have to demote DC1 and promote it back (as they will create lingering objects in your AD, which will cause problems in replication).

I would suggest you to run dcdiag /q and repadmin /replsum on the domain controllers and post the result here.

Regards,

_Prashant_
He already knows replication is not working.

Thanks

Mike
I have put the link which can be of help to replicate one side due to the lingering objects.
kosmas (ASKER)

Further looking in to this, it seems replication is not going to work as Mike suggested.

Breaking this problem into two pieces, I have the following:

1) AD replication not working between DCs
2) DNS scavenge on DC1 caused a number of problems.

So here is my thought:

1) Import DC2's DNS server records to DC1 to overcome the problem caused by the scavenging of DC1's DNS server.

2) Backup the DC's and proceed with the cleanup a bit later on.

So, my question would be, how can I safely copy DC2's DNS server records to DC1's DNS server?

Thanks to all for their input!
You can export from DC2 and then delete the DNS zone on DC1 and create a new zone file from the exported file.

You can use the DNSCMD /zoneexport command, then look in the %windir%\system32\dns\ folder for the file.
On DC2, run:
dnscmd /zoneexport dlm.local dlm.local.txt

The TXT file of the zone export is in the same format as a flat primary DNS zone file.
Change the extension from .txt to .dns and you can simply specify that file name on the new DNS server as the primary zone file when you re-create the DNS zone on your DC.

DNSCMD should be available in the Windows Support Tools and Windows Resource Kit.

Then run:
ipconfig /registerdns
netdiag /fix
dcdiag /fix
repadmin /syncall

Finish it off with a dcdiag /v and look for any additional errors in Active Directory.
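As an added illustration (my script, not part of this thread), the export / check / re-create steps from this answer in one PowerShell script, with a guard that refuses to touch DC1 until the export from DC2 has been checked for the locator SRV records that scavenging removed. The names DC1, DC2 and _msdcs.dlm.local come from the thread; the file names, the record check and the admin$ share paths are my assumptions.

```powershell
# Added example, not from the thread: export the intact zone from DC2, verify it,
# then re-create it on DC1 from the file. Assumed: run as a Domain Admin from a
# machine with dnscmd.exe and admin$ access to both DCs (Windows 2003 era tooling).
$Zone     = '_msdcs.dlm.local'
$SourceDc = 'DC2'
$TargetDc = 'DC1'
$Export   = "$Zone.txt"   # dnscmd writes this into %windir%\system32\dns on $SourceDc
$ZoneFile = "$Zone.dns"

# 1. Export the intact zone from DC2.
dnscmd $SourceDc /zoneexport $Zone $Export
if ($LASTEXITCODE -ne 0) { throw "zoneexport of $Zone failed on $SourceDc" }

# 2. Check the export before touching DC1: the DC locator records that
#    scavenging removed must be present, or re-creating the zone gains nothing.
$src  = "\\$SourceDc\admin`$\system32\dns\$Export"
$text = Get-Content $src
foreach ($name in '_ldap._tcp.dc', '_kerberos._tcp.dc', '_ldap._tcp.pdc') {
    if (-not ($text | Select-String -SimpleMatch $name)) {
        throw "export has no $name SRV record; aborting before any change to $TargetDc"
    }
}

# 3. Keep a timestamped export of whatever DC1 still holds, then place the
#    verified export in DC1's dns folder as a .dns zone file.
$dnsDir = "\\$TargetDc\admin`$\system32\dns"
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
dnscmd $TargetDc /zoneexport $Zone "$Zone.before-$stamp.txt" | Out-Null
Copy-Item $src "$dnsDir\$ZoneFile" -Force

# 4. Remove the scavenged zone on DC1 (/dsdel because the zone is AD-integrated;
#    with replication already down this does not reach DC2) and load the file.
dnscmd $TargetDc /zonedelete $Zone /dsdel /f
dnscmd $TargetDc /zoneadd $Zone /primary /file $ZoneFile /load
if ($LASTEXITCODE -ne 0) { throw "zoneadd of $Zone failed on $TargetDc" }

# 5. The answer's follow-up commands are run locally on DC1 (no remoting on 2003):
#    ipconfig /registerdns ; netdiag /fix ; dcdiag /fix ; repadmin /syncall ; dcdiag /v
```

The re-created zone is a file-backed primary, not AD-integrated, so DC1 stops receiving zone data through AD replication until it is cleaned up and re-promoted as the thread recommends.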
It would be good to change DC1's DNS to a secondary zone and allow zone transfer on DC2.