Solved

2008 r2 Dns missing "domaindnszones" and "forestdnszones" 2003 level AD

Posted on 2014-01-24
Last Modified: 2014-03-17
Hello experts..

Under "Mydomain"

the "domaindnszones" and the "forestdnszones" folders are missing.

I can create the delegation but they remain grayed out.

Our domain was upgraded from 2000 to 2003 and now it's all 2008 R2 controllers.

When I introduced the 2008 R2 DC, the _msdcs.mydomain was never created.

So I deleted it and manually created the "Mydomain" _msdcs delegation, which is now also grayed out.

I understand that this should be the right behavior, but notice that there was no "domaindnszones" or "forestdnszones".

All my DNS servers are now 2008 R2, so the question would be: do I even need to worry about this?

Network and domain functions do not seem to be affected...

Attached is a screenshot of my DNS zones.

Thanks, experts
dns-001.png
Question by:jahatcher
 

Author Comment

by:jahatcher
ID: 39811854
I ran a dnscmd /directorypartitioninfo domaindnszones.mydomain and forestdnszones.mydomain and below is the output:

seems like the partitions are there but just now appearing in DNS.

any help will be appreciated...



Directory partition info:

  DNS root:   DomainDnsZones.VICKI_VERSA
  Flags:      0x15 Enlisted Auto Domain
  State:      0
  Zone count: 1
  DP head:    DC=DomainDnsZones,DC=VICKI_VERSA
  Crossref:   CN=597a0748-da9f-497f-a35c-670599f0efe9,CN=Partitions,CN=Configura
tion,DC=VICKI_VERSA
  Replicas:   2
    CN=NTDS Settings,CN=KANGA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
Configuration,DC=VICKI_VERSA
    CN=NTDS Settings,CN=POOH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=C
onfiguration,DC=VICKI_VERSA

Command completed successfully.


C:\Users\davidssa>dnscmd /directorypartitioninfo forestdnszones.vicki_versa /det
ails

Directory partition info:

  DNS root:   ForestDnsZones.VICKI_VERSA
  Flags:      0x19 Enlisted Auto Forest
  State:      0
  Zone count: 0
  DP head:    DC=ForestDnsZones,DC=VICKI_VERSA
  Crossref:   CN=3e0dfca9-ab8c-4700-9dcb-4da6cc908b23,CN=Partitions,CN=Configura
tion,DC=VICKI_VERSA
  Replicas:   2
    CN=NTDS Settings,CN=KANGA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
Configuration,DC=VICKI_VERSA
    CN=NTDS Settings,CN=POOH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=C
onfiguration,DC=VICKI_VERSA

Command completed successfully.
 
LVL 25

Expert Comment

by:DrDave242
ID: 39824374
What is VICKI_VERSA? It appears to be a single-label domain name. Is that the DNS name of your AD domain?
 

Author Comment

by:jahatcher
ID: 39835539
Hi Dave..

Yes, this was created way back in the NT days..... and it is the DNS name of our AD domain
 
LVL 25

Expert Comment

by:DrDave242
ID: 39871803
Sorry for disappearing! I have no excuse; I simply forgot about this.

The single-label domain name is going to cause headaches from time to time. In the long run, you'll be better off either renaming the domain (which may not be possible, depending on your environment) or creating a new domain with a proper FQDN and using the AD Migration Tool to migrate everything to it.

In the meantime, you can try to recreate the DomainDnsZones and ForestDnsZones partitions as suggested here. Let me know if it doesn't work.
 

Author Comment

by:jahatcher
ID: 39873223
Hi Sage..

I used adsiedit to delete the domain and forest partitions and then recreated them.. however the DomainDnsZones and ForestDnsZones are still not showing up in DNS.

I used the steps outlined in this thread

http://social.technet.microsoft.com/Forums/windowsserver/en-US/b5551ad5-65ec-48f7-81b2-2a00bbd93def/msdcs-doesnt-exist?forum=winserverNIS&prof=required

Funny thing is that all seems normal. Replication is fine and dcdiag does not show any errors.

Should I even be worrying about this?
 
LVL 25

Expert Comment

by:DrDave242
ID: 39874026
I've been thinking about this, and I'll bet I know why it's not affecting replication. Check the properties of your lookup zones in the DNS console. Specifically, look at the replication scope. If it's set to "All domain controllers in this domain," those directory partitions aren't being used for replication. There's a good chance that this is the case, since you mentioned that the domain was upgraded from Windows 2000 (that's the Windows 2000-compatible replication scope). In fact, since the output you posted above says "Zone count: 0" for each partition, I can almost guarantee that this is indeed the case.

Should you worry about it? That's a good question. In its current state, everything should continue to work, even though this may not be an "ideal" configuration. I suppose there's a chance that the Windows 2000-compatible replication scope will be deprecated at some point in the future, and then you'll need to start worrying about it, but until then, it's probably not that critical.

Did you manually create the delegations for DomainDnsZones and ForestDnsZones, or were those automatically created by some process? Also, what name servers are listed in each of those delegations?
 

Author Comment

by:jahatcher
ID: 39874655
Hi Sage..

The DNS replication is indeed set to "All domain controllers in this domain".

I manually created the delegations DomainDnsZones and ForestDnsZones. No matter what I try, those would not create themselves. I dug around and tried all kinds of things.. some of which I linked here.. but nothing seems to allow the system to automatically create these two partitions

http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.server.dns/2005-09/msg00419.html

http://www.more2know.nl/tag/fsmoroleowner/

http://www.tomshardware.com/forum/196043-46-forestdnszones-domaindnszones-listed

I'm kind of stumped on this one....... the name servers are correct....
It's my two DNS servers
 
LVL 25

Expert Comment

by:DrDave242
ID: 39875588
I don't think those delegations should be there at all. Those directory partitions typically show up in DNS as subdomains (subfolders) inside the domain forward lookup zone rather than delegations.

Try deleting the delegations from DNS (which won't hurt anything) and restarting the Netlogon service on your DCs. Give it a minute and see if the DomainDnsZones and ForestDnsZones appear.

If they don't, create the folders manually: just right-click the domain forward lookup zone and select New Domain to create each one. Make sure you get the names right. Once they're created, restart the Netlogon service again and wait a few minutes to see if the appropriate records get populated in the folders.

Let me know the results!
 

Author Comment

by:jahatcher
ID: 39876459
Hi Sage

Weird.. after deleting the delegation and creating the domain "domaindnszones" and "foresdomaindns" zones manually, I restarted the Netlogon and DNS service, waited a few minutes, and noticed that the newly created domain "domaindnszones" and "foresdomaindns" are gone? I'm thinking DNS sees these partitions already although not visible in the DNS console and just deletes them...

Any thoughts??
 
LVL 25

Expert Comment

by:DrDave242
ID: 39877046
Does the output of the dnscmd /directorypartitioninfo <partition> commands still look the same as above?
 

Author Comment

by:jahatcher
ID: 39877140
I've posted the screen shot..

I don't see any errors...

aa
 
LVL 25

Expert Comment

by:DrDave242
ID: 39883302
Hmmmmm...

The zones certainly appear to be where they should be, but they're not registering in DNS for some reason. Would you be willing to try deleting them using the dnscmd /deletedirectorypartition command, then recreating them using either the dnscmd /createbuiltindirectorypartitions command or by right-clicking one of your DNS servers in the DNS console and selecting Create Default Application Directory Partitions?
 

Author Comment

by:jahatcher
ID: 39883333
I can do that..... can you give me the right syntax?

Is it dnscmd /deletedirectorypartition domaindnszones? And same for forestdnszones?

Thanks
 
LVL 25

Expert Comment

by:DrDave242
ID: 39883369
It looks like you need to supply the FQDN of each partition, so it would be dnscmd /deletedirectorypartition domaindnszones.vicki_versa and dnscmd /deletedirectorypartition forestdnszones.vicki_versa.
 

Author Comment

by:jahatcher
ID: 39883434
Sage, I might have fixed this..

Rt-clicking the zone, new domain, type in DomainDnsZones. Then run dcdiag /fix.

After that I rt-clicked on the DomainDnsZones in the DNS console and created two SRV records

_ldap and one _kerberos pointing them to our main DC

Here is a screenshot of what the zones look like expanded.. does this look correct?
(Screenshot: dnsupdated)
 

Author Comment

by:jahatcher
ID: 39883504
Update... if you can post a correct snapshot of what the folder structure under the DomainDnsZones and ForestDnsZones and the correct SRV records. I can then compare..

Thanks

Dave
 
LVL 25

Expert Comment

by:DrDave242
ID: 39883976
The folder structure can be seen here:
(Screenshot: DNS application partition folder structure)
Each of the _tcp folders contains _ldap SRV records for each DC, and that's it. (There aren't any _kerberos SRV records in this folder hierarchy.)

This next shot shows the contents of the DomainDnsZones folder. There are blank host records corresponding to each DC/DNS server that hosts the partition:
(Screenshot: DomainDnsZones contents)
Since I've only got one domain in this forest, the ForestDnsZones folder looks identical to this.
 

Author Comment

by:jahatcher
ID: 39885905
Hi sage. so far the creation of these two partitions and the manual creation of the subfolders and srv records are holding.

one other question..under DomainDnsZones  _tcp

what srv records are in there? is it just the _ldap srv records to the dc..??

thanks
 

Author Comment

by:jahatcher
ID: 39885909
also how can i validate, test, confirm that these partitions are indeed working properly and that all the necessary records are there???

thanks again
 
LVL 25

Expert Comment

by:DrDave242
ID: 39886301
"one other question..under DomainDnsZones  _tcp

what srv records are in there? is it just the _ldap srv records to the dc..??"

Yep, just an _ldap SRV record for each DC:
(Screenshot: Contents of the DomainDnsZones\_tcp folder)

"also how can i validate, test, confirm that these partitions are indeed working properly and that all the necessary records are there???"

There are several dcdiag tests (CheckSDRefDom, VerifyReplicas, and CrossRefValidation) that will test various aspects of application partitions. Unfortunately, I don't see one that checks to make sure the partitions' DNS records are all there.
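Added example (not part of the thread and not Microsoft tooling): one way to do the DNS-record check that the answer above says dcdiag lacks. It parses dnscmd /directorypartitioninfo output in the form posted earlier, derives the records the answers describe (an _ldap SRV per DC in each _tcp folder and a blank host record per DC), and reports what the zone is missing. OBSERVED is constructed sample data; the DC FQDNs (server name plus domain suffix) and the per-site record name following standard Netlogon naming are assumptions.

```python
import re

# Replica lines copied from the dnscmd output in the thread (Crossref, State and
# DP head omitted), keeping the console's 80-column wrapping.
SAMPLE = """\
  DNS root:   DomainDnsZones.VICKI_VERSA
  Zone count: 1
  Replicas:   2
    CN=NTDS Settings,CN=KANGA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
Configuration,DC=VICKI_VERSA
    CN=NTDS Settings,CN=POOH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=C
onfiguration,DC=VICKI_VERSA
"""
# Constructed sample of what the zone holds: only one DC's records were created.
OBSERVED = {("SRV", "_ldap._tcp.domaindnszones.vicki_versa", "kanga.vicki_versa"),
            ("A", "domaindnszones.vicki_versa", "kanga.vicki_versa")}

def parse_partition(text):
    """Parse one report; fields are indented, so a column-0 line that follows
    an indented one is the wrapped tail of that line and is glued back on."""
    lines = []
    for raw in text.splitlines():
        if raw[:1].strip() and lines and lines[-1][:1] == " ":
            lines[-1] += raw
        else:
            lines.append(raw)
    info = {"replicas": []}
    for line in lines:
        m = re.match(r"\s+(DNS root|Flags|Zone count):\s+(.*)", line)
        if m:
            info[m.group(1)] = m.group(2).strip()
        m = re.match(r"\s+CN=NTDS Settings,CN=([^,]+),CN=Servers,CN=([^,]+),", line)
        if m:
            info["replicas"].append((m.group(1), m.group(2)))  # (DC, site)
    return info

def expected_records(info):
    """An _ldap SRV per replica DC in each _tcp folder plus a blank host record."""
    root = info["DNS root"].lower()
    domain = root.split(".", 1)[1]  # assumption: DC FQDN = server name + this suffix
    want = set()
    for server, site in info["replicas"]:
        dc = f"{server}.{domain}".lower()
        want.add(("SRV", f"_ldap._tcp.{root}", dc))
        want.add(("SRV", f"_ldap._tcp.{site}._sites.{root}".lower(), dc))
        want.add(("A", root, dc))  # third field names the DC that owns the address
    return want

def missing_records(info, observed):
    return sorted(expected_records(info) - set(observed))
```

The observed set would come from an export of the zone's records; for host records the address has to be mapped back to the DC that owns it before comparing.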
 

Author Comment

by:jahatcher
ID: 39889184
thanks

I ran a dcdiag and everything passed. replication is ok. I'll monitor it and see if anything new changes...

thanks for all your help

Dave
 
LVL 25

Accepted Solution

by:
DrDave242 earned 500 total points
ID: 39900776
How's it looking?
 

Author Closing Comment

by:jahatcher
ID: 39934949
thanks guys