cyber_birkeland
asked on
How to convert a DNS domain folder to a zone
We have inhereited an existing environment that we are trying to manage and setup correctly. DNS was not setup correctly for one of the domains that is our production environment, but it has been functionable and working.
We have a Forest, let's call it Company.com and 2 domains; Commstor.company.com & Lab.company.com we recently added using dcpromo on a windows 2008r2 DC.
When we are on the new DC for lab.company.com, we are seeing the DNS structure of the Commstor DNS. For some reason, it looks like it was created as a new domain subfolder under Company.com and not as a 'zone' as the dcpromo automatically does.
How do we convert the commstor domain subfolder to a new zone so the lab DC does not have access to see content of the other commstor domain DNS?
DNS.JPG
We have a Forest, let's call it Company.com and 2 domains; Commstor.company.com & Lab.company.com we recently added using dcpromo on a windows 2008r2 DC.
When we are on the new DC for lab.company.com, we are seeing the DNS structure of the Commstor DNS. For some reason, it looks like it was created as a new domain subfolder under Company.com and not as a 'zone' as the dcpromo automatically does.
How do we convert the commstor domain subfolder to a new zone so the lab DC does not have access to see content of the other commstor domain DNS?
DNS.JPG
ASKER
We have a lot of work ahead of us. Thank you for getting us a good starting point, greatly appreciated!
I confirmed Company.com is an AD-integrated zone.
Unfortuantely, when I ran some dcdiag /test:replication, I am getting this on 2 of our 2003 DC's (1 in company.com, 1 in commstor.company.com). I think the 2003 DC's were P2V'd, which may cause this replication issue.
Domain Controller Diagnosis
Performing initial setup:
***ERROR: There is an inconsistency in the
few moments, perhaps on a different DC.
The 2008 DC's returned successful results for replication. We are still on a 2003 forest level, until we can decomission the 2 -2003 dc's and raise the forest to 2008R2 (another project phase).
Currently we have 6 DC's
1-2003 DC in company.com
2-2008r2 DC's in company.com
1-2003 DC in commstor.company.com
2-2008r2 DC's in commstor.company.com
The FSMO roles are all held on the 2008 DC's:
schema/domain master at company.com
pdc/rid/infra at commstor.company.com
Any suggestions what we could see being an issue with those 2 not replicating correctly when we change the zone and try to propagate?
I confirmed Company.com is an AD-integrated zone.
Unfortuantely, when I ran some dcdiag /test:replication, I am getting this on 2 of our 2003 DC's (1 in company.com, 1 in commstor.company.com). I think the 2003 DC's were P2V'd, which may cause this replication issue.
Domain Controller Diagnosis
Performing initial setup:
***ERROR: There is an inconsistency in the
few moments, perhaps on a different DC.
The 2008 DC's returned successful results for replication. We are still on a 2003 forest level, until we can decomission the 2 -2003 dc's and raise the forest to 2008R2 (another project phase).
Currently we have 6 DC's
1-2003 DC in company.com
2-2008r2 DC's in company.com
1-2003 DC in commstor.company.com
2-2008r2 DC's in commstor.company.com
The FSMO roles are all held on the 2008 DC's:
schema/domain master at company.com
pdc/rid/infra at commstor.company.com
Any suggestions what we could see being an issue with those 2 not replicating correctly when we change the zone and try to propagate?
***ERROR: There is an inconsistency in theIs something missing there? It appears a line may have been skipped, as "an inconsistency in the few moments" doesn't make sense.
few moments, perhaps on a different DC.
ASKER
Performing initial setup:
***ERROR: There is an inconsistency in the DS, suggest you run dcdiag in a
few moments, perhaps on a different DC.
I also ran repadmin.exe /showrepl dc* /verbose /all /intersite:
Repadmin experienced the following error trying to resolve the DC_NAME: dc*
Error: An error occured:
Win32 Error 8419(0x20e3): The DSA object could not be found.
I can ping their DSA GUID for both 2003 DC's fine and ping by dns names, all resolving. I ran repadmin /showrepl - all successful. I ran replsummary, 0 fails, no errors.
***ERROR: There is an inconsistency in the DS, suggest you run dcdiag in a
few moments, perhaps on a different DC.
I also ran repadmin.exe /showrepl dc* /verbose /all /intersite:
Repadmin experienced the following error trying to resolve the DC_NAME: dc*
Error: An error occured:
Win32 Error 8419(0x20e3): The DSA object could not be found.
I can ping their DSA GUID for both 2003 DC's fine and ping by dns names, all resolving. I ran repadmin /showrepl - all successful. I ran replsummary, 0 fails, no errors.
Are there any errors in the Directory Service event logs on the DCs that get the dcdiag error?
ASKER
We get source error NTDS KCC Event ID 1550. The following site has no NTDS Site Settings child object.
See attached screen shot.
See attached screen shot.
I don't see a screenshot attached.
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
ASKER
Thank you for the help. Unfortunately, there is no option for "new" when I right click on the "europe" site to create it. When I right click on the HQ-Corporate site, it does give me the new option, but it already has an NTDS settings. Europe is the one that is missing NTDS settings. I am on the DC that has the errors.
ASKER
Figured it out, for some reason domain admins and enterprise admins permissions were not full control for that site. Once applied, we got the 'new' option. Thanks...will see how the new NTDS settings will aleviate the replication errors.
If company.com is an AD-integrated zone, make a system-state backup of one of its DCs/DNS servers, just in case. (If it's not AD-integrated, just copy the zone file somewhere safe, then spend at least a few seconds wondering why it wasn't AD-integrated.)
If there are any manually-created (static) records in the commstor subdomain, make a note of them. Then delete the commstor subdomain from one of the company.com DCs. The deletion should propagate quickly if all of your DCs are in the same site and there aren't any AD replication issues. Next, on one of the commstor.company.com DCs/DNS servers, create a new forward lookup zone named commstor.company.com. Make it AD-integrated and configure it to replicate to every DNS server in the domain (not every DNS server in the forest). This will ensure that it doesn't get replicated to the company.com or lab.company.com DNS servers.
Temporarily configure each commstor DC to use only that server (the one on which you just created the new zone) for DNS, and run the following four commands on each one:
ipconfig /flushdns
ipconfig /registerdns
net stop netlogon
net start netlogon
If all goes according to plan, this should repopulate the commstor.company.com zone with all of the DCs' host and SRV records. It may take a minute or two for all of the records to appear. The zone should also replicate to all commstor DCs at this point. Assuming it does, you can now reconfigure the commstor DCs to use each other for DNS according to whatever arrangement you had in place previously. Domain members should slowly begin re-registering their records as well, or you can run ipconfig /flushdns and ipconfig /registerdns on them in order to expedite the process. This would also be a good time to recreate whatever manually-created records you noted earlier.
One more thing needs to be done: on a company.com DNS server, within the company.com forward lookup zone, you'll need to create a new delegation record for the commstor subdomain. When creating the delegation, specify the commstor.company.com DNS servers as nameservers. This will ensure that any queries for commstor.company.com that hit the company.com servers can be properly answered.
I don't think I've forgotten anything, but if anyone notices that I have, please jump in.