Solved

2008 R2 DNS missing "DomainDnsZones" and "ForestDnsZones" (2003-level AD)

Posted on 2014-01-24
1,623 Views
Last Modified: 2014-03-17
Hello experts,

Under "Mydomain",

the "DomainDnsZones" and "ForestDnsZones" folders are missing.

I can create the delegations, but they remain grayed out.

Our domain was upgraded from 2000 to 2003, and now it is all 2008 R2 controllers.

When I introduced the 2008 R2 DC, _msdcs.mydomain was never created.

So I deleted it and manually created the "Mydomain _msdcs" delegation, which is now also grayed out.

I understand that this should be the right behavior, but I noticed that there was no "DomainDnsZones" or "ForestDnsZones".

All my DNS servers are now 2008 R2, so the question would be: do I even need to worry about this?

Network and domain functions do not seem to be affected.

Attached is a screenshot of my DNS zones.

Thanks, experts.

[Screenshot: dns-001.png]
Question by:jahatcher
23 Comments
 

Author Comment

by:jahatcher
ID: 39811854
I ran dnscmd /directorypartitioninfo for domaindnszones.mydomain and forestdnszones.mydomain, and below is the output.

Seems like the partitions are there but just not appearing in DNS.

Any help will be appreciated.



Directory partition info:

  DNS root:   DomainDnsZones.VICKI_VERSA
  Flags:      0x15 Enlisted Auto Domain
  State:      0
  Zone count: 1
  DP head:    DC=DomainDnsZones,DC=VICKI_VERSA
  Crossref:   CN=597a0748-da9f-497f-a35c-670599f0efe9,CN=Partitions,CN=Configuration,DC=VICKI_VERSA
  Replicas:   2
    CN=NTDS Settings,CN=KANGA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=VICKI_VERSA
    CN=NTDS Settings,CN=POOH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=VICKI_VERSA

Command completed successfully.


C:\Users\davidssa>dnscmd /directorypartitioninfo forestdnszones.vicki_versa /details

Directory partition info:

  DNS root:   ForestDnsZones.VICKI_VERSA
  Flags:      0x19 Enlisted Auto Forest
  State:      0
  Zone count: 0
  DP head:    DC=ForestDnsZones,DC=VICKI_VERSA
  Crossref:   CN=3e0dfca9-ab8c-4700-9dcb-4da6cc908b23,CN=Partitions,CN=Configuration,DC=VICKI_VERSA
  Replicas:   2
    CN=NTDS Settings,CN=KANGA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=VICKI_VERSA
    CN=NTDS Settings,CN=POOH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=VICKI_VERSA

Command completed successfully.
LVL 26

Expert Comment

by:DrDave242
ID: 39824374
What is VICKI_VERSA? It appears to be a single-label domain name. Is that the DNS name of your AD domain?

Author Comment

by:jahatcher
ID: 39835539
Hi Dave,

Yes, this was created way back in the NT days, and it is the DNS name of our AD domain.
LVL 26

Expert Comment

by:DrDave242
ID: 39871803
Sorry for disappearing! I have no excuse; I simply forgot about this.

The single-label domain name is going to cause headaches from time to time. In the long run, you'll be better off either renaming the domain (which may not be possible, depending on your environment) or creating a new domain with a proper FQDN and using the AD Migration Tool to migrate everything to it.

In the meantime, you can try to recreate the DomainDnsZones and ForestDnsZones partitions as suggested here. Let me know if it doesn't work.

Author Comment

by:jahatcher
ID: 39873223
Hi Sage,

I used ADSI Edit to delete the domain and forest partitions and then recreated them; however, the DomainDnsZones and ForestDnsZones are still not showing up in DNS.

I used the steps outlined in this thread:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/b5551ad5-65ec-48f7-81b2-2a00bbd93def/msdcs-doesnt-exist?forum=winserverNIS&prof=required

Funny thing is that all seems normal; replication is fine and dcdiag does not show any errors.

Should I even be worrying about this?
LVL 26

Expert Comment

by:DrDave242
ID: 39874026
I've been thinking about this, and I'll bet I know why it's not affecting replication. Check the properties of your lookup zones in the DNS console. Specifically, look at the replication scope. If it's set to "All domain controllers in this domain," those directory partitions aren't being used for replication. There's a good chance that this is the case, since you mentioned that the domain was upgraded from Windows 2000 (that's the Windows 2000-compatible replication scope). In fact, since the output you posted above says "Zone count: 0" for each partition, I can almost guarantee that this is indeed the case.

Should you worry about it? That's a good question. In its current state, everything should continue to work, even though this may not be an "ideal" configuration. I suppose there's a chance that the Windows 2000-compatible replication scope will be deprecated at some point in the future, and then you'll need to start worrying about it, but until then, it's probably not that critical.

Did you manually create the delegations for DomainDnsZones and ForestDnsZones, or were those automatically created by some process? Also, what name servers are listed in each of those delegations?
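As an added example (not from the thread or either participant), a small parser for the dnscmd /directorypartitioninfo output posted above that flags the condition described in this reply: a partition that is enlisted but reports a zone count of zero holds no zones, which points at the AD-integrated zones living in the domain partition under the Windows 2000-compatible replication scope. The sample output is constructed from the thread's two partitions with the replica DNs shortened.

```python
import re

# Constructed sample in the format of dnscmd /directorypartitioninfo as posted in the
# thread (replica DNs shortened); KANGA and POOH are the thread's own DC names.
SAMPLE = """Directory partition info:
  DNS root:   DomainDnsZones.VICKI_VERSA
  Flags:      0x15 Enlisted Auto Domain
  Zone count: 1
  Replicas:   2
    CN=NTDS Settings,CN=KANGA,CN=Servers,...
    CN=NTDS Settings,CN=POOH,CN=Servers,...
Directory partition info:
  DNS root:   ForestDnsZones.VICKI_VERSA
  Flags:      0x19 Enlisted Auto Forest
  Zone count: 0
  Replicas:   2
    CN=NTDS Settings,CN=KANGA,CN=Servers,...
    CN=NTDS Settings,CN=POOH,CN=Servers,...
"""

FIELD = re.compile(r"^\s*(DNS root|Flags|Zone count|Replicas):\s*(.*)$", re.M)

def parse_partitions(text):
    """Return one dict per 'Directory partition info:' block of dnscmd output."""
    parts = []
    for block in text.split("Directory partition info:")[1:]:
        f = {k: v.strip() for k, v in FIELD.findall(block)}
        parts.append({
            "root": f.get("DNS root", ""),
            "flags": f.get("Flags", "").split()[1:],   # drop the leading hex value
            "zones": int(f.get("Zone count", "0")),
            "replicas": int(f.get("Replicas", "0")),
        })
    return parts

def assess(p):
    """Findings for one parsed partition; an empty list means nothing to act on."""
    findings = []
    if "Enlisted" not in p["flags"]:
        findings.append("this DNS server is not enlisted in the partition")
    if p["replicas"] < 2:
        findings.append("only one DC holds the partition")
    if p["zones"] == 0:
        # Nothing stored here: the AD-integrated zones are then in the domain
        # partition ('All domain controllers in this domain' scope), so the
        # console shows no DomainDnsZones/ForestDnsZones folder for them.
        findings.append("hosts no zones; check the zones' replication scope")
    return findings
```

Paste the real output of both dnscmd runs into SAMPLE (or read it from a file) to get the same findings for your own DCs.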

Author Comment

by:jahatcher
ID: 39874655
Hi Sage,

The DNS replication is indeed set to "All domain controllers in this domain".

I manually created the DomainDnsZones and ForestDnsZones delegations. No matter what I try, those would not create themselves. I dug around and tried all kinds of things, some of which I linked here, but nothing seems to allow the system to automatically create these two partitions:

http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.server.dns/2005-09/msg00419.html

http://www.more2know.nl/tag/fsmoroleowner/

http://www.tomshardware.com/forum/196043-46-forestdnszones-domaindnszones-listed

I'm kind of stumped on this one. The name servers are correct; they're my two DNS servers.
LVL 26

Expert Comment

by:DrDave242
ID: 39875588
I don't think those delegations should be there at all. Those directory partitions typically show up in DNS as subdomains (subfolders) inside the domain forward lookup zone rather than delegations.

Try deleting the delegations from DNS (which won't hurt anything) and restarting the Netlogon service on your DCs. Give it a minute and see if the DomainDnsZones and ForestDnsZones appear.

If they don't, create the folders manually: just right-click the domain forward lookup zone and select New Domain to create each one. Make sure you get the names right. Once they're created, restart the Netlogon service again and wait a few minutes to see if the appropriate records get populated in the folders.

Let me know the results!

Author Comment

by:jahatcher
ID: 39876459
Hi Sage,

Weird. After deleting the delegations and manually creating the "domaindnszones" and "foresdomaindns" domains, I restarted the Netlogon and DNS services, waited a few minutes, and noticed that the newly created "domaindnszones" and "foresdomaindns" domains are gone. I'm thinking DNS already sees these partitions, although they are not visible in the DNS console, and just deletes them.

Any thoughts?
LVL 26

Expert Comment

by:DrDave242
ID: 39877046
Does the output of the dnscmd /directorypartitioninfo <partition> commands still look the same as above?

Author Comment

by:jahatcher
ID: 39877140
I've posted the screenshot.

I don't see any errors.

LVL 26

Expert Comment

by:DrDave242
ID: 39883302
Hmmmmm...

The zones certainly appear to be where they should be, but they're not registering in DNS for some reason. Would you be willing to try deleting them using the dnscmd /deletedirectorypartition command, then recreating them using either the dnscmd /createbuiltindirectorypartitions command or by right-clicking one of your DNS servers in the DNS console and selecting Create Default Application Directory Partitions?

Author Comment

by:jahatcher
ID: 39883333
I can do that. Can you give me the right syntax?

Is it dnscmd /deletedirectorypartition domaindnszones? And the same for forestdnszones?

Thanks.
LVL 26

Expert Comment

by:DrDave242
ID: 39883369
It looks like you need to supply the FQDN of each partition, so it would be dnscmd /deletedirectorypartition domaindnszones.vicki_versa and dnscmd /deletedirectorypartition forestdnszones.vicki_versa.

Author Comment

by:jahatcher
ID: 39883434
Sage, I might have fixed this.

Right-clicking the zone, New Domain, type in DomainDnsZones. Then run dcdiag /fix.

After that I right-clicked on the DomainDnsZones in the DNS console and created two SRV records,

_ldap and _kerberos, pointing them to our main DC.

Here is a screenshot of what the zones look like expanded. Does this look correct?

[Screenshot: dnsupdated]

Author Comment

by:jahatcher
ID: 39883504
Update: if you can post a correct snapshot of the folder structure under DomainDnsZones and ForestDnsZones and the correct SRV records, I can then compare.

Thanks,

Dave
LVL 26

Expert Comment

by:DrDave242
ID: 39883976
The folder structure can be seen here:

[Screenshot: DNS application partition folder structure]

Each of the _tcp folders contains _ldap SRV records for each DC, and that's it. (There aren't any _kerberos SRV records in this folder hierarchy.)

This next shot shows the contents of the DomainDnsZones folder. There are blank host records corresponding to each DC/DNS server that hosts the partition:

[Screenshot: DomainDnsZones contents]

Since I've only got one domain in this forest, the ForestDnsZones folder looks identical to this.

Author Comment

by:jahatcher
ID: 39885905
Hi sage. so far the creation of these two partitions and the manual creation of the subfolders and srv records are holding.

one other question..under DomainDnsZones  _tcp

what srv records are in there? is it just the _ldap srv records to the dc..??

thanks

Author Comment

by:jahatcher
ID: 39885909
Also, how can I validate, test, and confirm that these partitions are indeed working properly and that all the necessary records are there?

Thanks again.
LVL 26

Expert Comment

by:DrDave242
ID: 39886301
> One other question: under DomainDnsZones\_tcp, what SRV records are in there? Is it just the _ldap SRV records to the DC?

Yep, just an _ldap SRV record for each DC:

[Screenshot: Contents of the DomainDnsZones\_tcp folder]

> Also, how can I validate, test, and confirm that these partitions are indeed working properly and that all the necessary records are there?

There are several dcdiag tests (CheckSDRefDom, VerifyReplicas, and CrossRefValidation) that will test various aspects of application partitions. Unfortunately, I don't see one that checks to make sure the partitions' DNS records are all there.

Author Comment

by:jahatcher
ID: 39889184
Thanks.

I ran dcdiag and everything passed; replication is OK. I'll monitor it and see if anything changes.

Thanks for all your help,

Dave
LVL 26

Accepted Solution

by:
DrDave242 earned 500 total points
ID: 39900776
How's it looking?

Author Closing Comment

by:jahatcher
ID: 39934949
Thanks, guys.