• Status: Solved

2008 r2 Dns missing "domaindnszones" and "forestdnszones" 2003 level AD

Hello experts..

Under "Mydomain"

the "domaindnszones" and the "forestdnszones" folders are missing.

I can create the delegation, but they remain grayed out.

Our domain was upgraded from 2000 to 2003 and now it's all 2008 R2 controllers.

When I introduced the 2008 R2 DC, the _msdcs.mydomain was never created.

So I deleted it and manually created the "Mydomain" _msdcs delegation, which is now also grayed out.

I understand that this should be the right behavior, but notice that there was no "domaindnszones" or "forestdnszones".

All my DNS servers are now 2008 R2, so the question would be: do I even need to worry about this?

Network and domain functions do not seem to be affected...

Attached is a screenshot of my DNS zones.

Thanks, experts
[Attached screenshot: dns-001.png]

Asked by: jahatcher
 
jahatcher (Manager of Information Systems, Author) Commented:
I ran dnscmd /directorypartitioninfo on domaindnszones.mydomain and forestdnszones.mydomain, and below is the output:

Seems like the partitions are there but just not appearing in DNS.

Any help will be appreciated...



Directory partition info:

  DNS root:   DomainDnsZones.VICKI_VERSA
  Flags:      0x15 Enlisted Auto Domain
  State:      0
  Zone count: 1
  DP head:    DC=DomainDnsZones,DC=VICKI_VERSA
  Crossref:   CN=597a0748-da9f-497f-a35c-670599f0efe9,CN=Partitions,CN=Configuration,DC=VICKI_VERSA
  Replicas:   2
    CN=NTDS Settings,CN=KANGA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=VICKI_VERSA
    CN=NTDS Settings,CN=POOH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=VICKI_VERSA

Command completed successfully.


C:\Users\davidssa>dnscmd /directorypartitioninfo forestdnszones.vicki_versa /details

Directory partition info:

  DNS root:   ForestDnsZones.VICKI_VERSA
  Flags:      0x19 Enlisted Auto Forest
  State:      0
  Zone count: 0
  DP head:    DC=ForestDnsZones,DC=VICKI_VERSA
  Crossref:   CN=3e0dfca9-ab8c-4700-9dcb-4da6cc908b23,CN=Partitions,CN=Configuration,DC=VICKI_VERSA
  Replicas:   2
    CN=NTDS Settings,CN=KANGA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=VICKI_VERSA
    CN=NTDS Settings,CN=POOH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=VICKI_VERSA

Command completed successfully.
 
DrDave242 Commented:
What is VICKI_VERSA? It appears to be a single-label domain name. Is that the DNS name of your AD domain?
 
jahatcher (Manager of Information Systems, Author) Commented:
Hi Dave..

Yes, this was created way back in the NT days.....and it is the DNS name of our AD domain.
 
DrDave242 Commented:
Sorry for disappearing! I have no excuse; I simply forgot about this.

The single-label domain name is going to cause headaches from time to time. In the long run, you'll be better off either renaming the domain (which may not be possible, depending on your environment) or creating a new domain with a proper FQDN and using the AD Migration Tool to migrate everything to it.

In the meantime, you can try to recreate the DomainDnsZones and ForestDnsZones partitions as suggested here. Let me know if it doesn't work.
 
jahatcher (Manager of Information Systems, Author) Commented:
Hi Sage..

I used adsiedit to delete the domain and forest partitions and then recreated them..however the Domaindnszones and forestdnszones are still not showing up in DNS.

I used the steps outlined in this thread:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/b5551ad5-65ec-48f7-81b2-2a00bbd93def/msdcs-doesnt-exist?forum=winserverNIS&prof=required

Funny thing is that all seems normal. Replication is fine and dcdiag does not show any errors.

Should I even be worrying about this?
 
DrDave242 Commented:
I've been thinking about this, and I'll bet I know why it's not affecting replication. Check the properties of your lookup zones in the DNS console. Specifically, look at the replication scope. If it's set to "All domain controllers in this domain," those directory partitions aren't being used for replication. There's a good chance that this is the case, since you mentioned that the domain was upgraded from Windows 2000 (that's the Windows 2000-compatible replication scope). In fact, since the output you posted above says "Zone count: 0" for each partition, I can almost guarantee that this is indeed the case.

Should you worry about it? That's a good question. In its current state, everything should continue to work, even though this may not be an "ideal" configuration. I suppose there's a chance that the Windows 2000-compatible replication scope will be deprecated at some point in the future, and then you'll need to start worrying about it, but until then, it's probably not that critical.

Did you manually create the delegations for DomainDnsZones and ForestDnsZones, or were those automatically created by some process? Also, what name servers are listed in each of those delegations?
 
jahatcher (Manager of Information Systems, Author) Commented:
Hi sage..

The DNS replication is indeed set to "All domain controllers in this domain".

I manually created the delegations Domaindnszones and forestdnszones. No matter what I try, those would not create themselves. I dug around and tried all kinds of things..some of which I linked here..but nothing seems to allow the system to automatically create these two partitions.

http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.server.dns/2005-09/msg00419.html

http://www.more2know.nl/tag/fsmoroleowner/

http://www.tomshardware.com/forum/196043-46-forestdnszones-domaindnszones-listed

I'm kind of stumped on this one....... The name servers are correct....
It's my two DNS servers.
 
DrDave242 Commented:
I don't think those delegations should be there at all. Those directory partitions typically show up in DNS as subdomains (subfolders) inside the domain forward lookup zone rather than delegations.

Try deleting the delegations from DNS (which won't hurt anything) and restarting the Netlogon service on your DCs. Give it a minute and see if the DomainDnsZones and ForestDnsZones appear.

If they don't, create the folders manually: just right-click the domain forward lookup zone and select New Domain to create each one. Make sure you get the names right. Once they're created, restart the Netlogon service again and wait a few minutes to see if the appropriate records get populated in the folders.

Let me know the results!
 
jahatcher (Manager of Information Systems, Author) Commented:
Hi sage

Weird..after deleting the delegation and creating the domain "domaindnszones" and "foresdomaindns" zones manually, I restarted the Netlogon and DNS service, waited a few minutes, and noticed that the newly created domain "domaindnszones" and "foresdomaindns" are gone? I'm thinking DNS sees these partitions already, although not visible in the DNS console, and just deletes them...

Any thoughts??
 
DrDave242 Commented:
Does the output of the dnscmd /directorypartitioninfo <partition> commands still look the same as above?
 
jahatcher (Manager of Information Systems, Author) Commented:
I've posted the screenshot..

I don't see any errors...
 
DrDave242 Commented:
Hmmmmm...

The zones certainly appear to be where they should be, but they're not registering in DNS for some reason. Would you be willing to try deleting them using the dnscmd /deletedirectorypartition command, then recreating them using either the dnscmd /createbuiltindirectorypartitions command or by right-clicking one of your DNS servers in the DNS console and selecting Create Default Application Directory Partitions?
 
jahatcher (Manager of Information Systems, Author) Commented:
I can do that.....can you give me the right syntax?

Is it dnscmd /deletedirectorypartition domaindnszones? And same for forestdnszones?

Thanks
 
DrDave242 Commented:
It looks like you need to supply the FQDN of each partition, so it would be dnscmd /deletedirectorypartition domaindnszones.vicki_versa and dnscmd /deletedirectorypartition forestdnszones.vicki_versa.
 
jahatcher (Manager of Information Systems, Author) Commented:
Sage, I might have fixed this..

Right-clicking the zone, New Domain, type in DomainDnsZones. Then run dcdiag /fix.

After that I right-clicked on DomainDnsZones in the DNS console and created two SRV records,

_ldap and _kerberos, pointing them to our main DC.

Here is a screenshot of what the zones look like expanded..does this look correct?
[Screenshot: dnsupdated]
 
jahatcher (Manager of Information Systems, Author) Commented:
Update...if you can post a correct snapshot of the folder structure under domaindnszones and forestdnszones and the correct SRV records, I can then compare..

Thanks

Dave
 
DrDave242 Commented:
The folder structure can be seen here:
[Image: DNS application partition folder structure]
Each of the _tcp folders contains _ldap SRV records for each DC, and that's it. (There aren't any _kerberos SRV records in this folder hierarchy.)

This next shot shows the contents of the DomainDnsZones folder. There are blank host records corresponding to each DC/DNS server that hosts the partition:
[Image: DomainDnsZones contents]
Since I've only got one domain in this forest, the ForestDnsZones folder looks identical to this.
 
jahatcher (Manager of Information Systems, Author) Commented:
Hi sage. So far the creation of these two partitions and the manual creation of the subfolders and SRV records are holding.

one other question..under DomainDnsZones  _tcp

what srv records are in there? is it just the _ldap srv records to the dc..??

thanks
 
jahatcher (Manager of Information Systems, Author) Commented:
Also, how can I validate, test, confirm that these partitions are indeed working properly and that all the necessary records are there???

Thanks again
 
DrDave242 Commented:
> one other question..under DomainDnsZones  _tcp
>
> what srv records are in there? is it just the _ldap srv records to the dc..??

Yep, just an _ldap SRV record for each DC:
[Image: Contents of the DomainDnsZones\_tcp folder]

> also how can i validate, test, confirm that these partitions are indeed working properly and that all the necessary records are there???

There are several dcdiag tests (CheckSDRefDom, VerifyReplicas, and CrossRefValidation) that will test various aspects of application partitions. Unfortunately, I don't see one that checks to make sure the partitions' DNS records are all there.
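Added example, not part of the original thread and not either poster's code: since no dcdiag test covers these records, this PowerShell compares the replica DCs listed by dnscmd /directorypartitioninfo with the _ldap SRV targets that nslookup returns for the partition's _tcp folder. The function names are hypothetical, the sample text is constructed, and it assumes each DC's host label matches the CN of its server object.

```powershell
# Added example. Compares the DCs listed as replicas of an application
# partition with the DCs that own an _ldap SRV record under its _tcp folder.

function Get-ReplicaDc([string[]]$DnscmdOutput) {
    # Replica lines look like: CN=NTDS Settings,CN=KANGA,CN=Servers,...
    [regex]::Matches(($DnscmdOutput -join "`n"), 'CN=NTDS Settings,CN=([^,]+),CN=Servers') |
        ForEach-Object { $_.Groups[1].Value.ToLower() } | Sort-Object -Unique
}

function Get-SrvTarget([string[]]$NslookupOutput) {
    # nslookup prints each SRV target as: svr hostname   = kanga.vicki_versa
    $NslookupOutput | ForEach-Object {
        if ($_ -match 'svr hostname\s*=\s*([^.\s]+)') { $Matches[1].ToLower() }
    } | Sort-Object -Unique
}

function Test-PartitionSrv([string[]]$DnscmdOutput, [string[]]$NslookupOutput) {
    $expected = @(Get-ReplicaDc $DnscmdOutput)
    $found    = @(Get-SrvTarget $NslookupOutput)
    New-Object PSObject -Property @{
        Expected = $expected
        Found    = $found
        # Replica DCs with no _ldap SRV record in the answer
        Missing  = @($expected | Where-Object { $found -notcontains $_ })
    }
}

# Constructed sample: replica list as in the thread, SRV answer with one target.
$dnscmdSample = @'
  DNS root:   DomainDnsZones.VICKI_VERSA
  Replicas:   2
    CN=NTDS Settings,CN=KANGA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=VICKI_VERSA
    CN=NTDS Settings,CN=POOH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=VICKI_VERSA
'@ -split "`r?`n"
$nslookupSample = @'
_ldap._tcp.DomainDnsZones.vicki_versa   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = kanga.vicki_versa
'@ -split "`r?`n"

Test-PartitionSrv $dnscmdSample $nslookupSample | Format-List

# Live use on a DC (repeat with forestdnszones / ForestDnsZones):
# Test-PartitionSrv (dnscmd /directorypartitioninfo domaindnszones.vicki_versa /details) `
#                   (nslookup -type=SRV _ldap._tcp.DomainDnsZones.vicki_versa)
```

A non-empty Missing list means a DC hosts the partition but has no _ldap SRV record in that folder, which is the gap a hand-created record set can leave.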
 
jahatcher (Manager of Information Systems, Author) Commented:
Thanks

I ran a dcdiag and everything passed. Replication is OK. I'll monitor it and see if anything new changes...

Thanks for all your help

Dave
 
DrDave242 Commented:
How's it looking?
 
jahatcher (Manager of Information Systems, Author) Commented:
thanks guys