funasset
DCDIAG /test:DNS error message explanations?
I have a Windows 2008 domain with 2 DCs. Many moons ago this was actually a Windows 2003 domain which was upgraded to 2008 as per MS's instructions. Pre-upgrade the 'main' DC/DNS server was a box called OLDSERVER.
Running DCDIAG /TEST:DNS on both 2008 DCs there are a couple of errors shown - same 2 on each server - and I don't know what they mean or how to resolve them. They are
1. Root zone on this DC/DNS server was not found
2. TEST: Delegations (Del)
Delegation information for the zone: domain.company.com.
Delegated domain name: _msdcs.domain.company.com.
Warning: Delegation of DNS server OLDSERVER.domain.company.com. is broken on IP:<OLDSERVER's IP>
Error: DNS server: OLDSERVER.domain.company.com.
IP:<OLDSERVER's IP>[Broken delegation]
I used ADSI Edit to take a look around and if I go to Properties of the folder 'DC=domain,DC=company,DC=com' under Default Naming Context I see that there is a value in the Attribute Editor tab called 'domainReplica' which has the value 'OLDSERVER' - I've no idea if that is a clue but I'm guessing it should be there as OLDSERVER is (or should be) an old server acting as a file store and nothing else.
I might be stating the obvious but in the registry under HKLM-System--CurrentControlSet--Services--NTDS--Parameters there is also a key labelled 'Src Root Domain Srv' with the value of the FQDN of the OLDSERVER.
Can anyone advise on a suitable course of action to tidy this up a bit safely?
Thanks in advance.
ASKER
1. Thanks - one less thing for me to worry about!
2. I see the Name Servers and yes it does have that old server listed there. Should I just remove that or substitute it with the names of the 2 current DCs? What does that tab represent?
As for the tests you suggested the latter completed with all things Successful on both DCs. The former gave one error on both which is
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC DCOne.
The forest is not ready for RODC. Will skip checking ERODC ACEs.
* Security Permissions Check for
DC=ForestDnsZones,DC=domain,DC=company,DC=com
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=domain,DC=company,DC=com
* Security Permissions Check for
DC=DomainDnsZones,DC=domain,DC=company,DC=com
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=domain,DC=company,DC=com
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=domain,DC=company,DC=com
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=domain,DC=company,DC=com
(Configuration,Version 3)
* Security Permissions Check for
DC=domain,DC=company,DC=com
(Domain,Version 3)
Every other test on DCDIAG /V passed OK. I might be getting somewhere at last!
I appreciate the help.
ASKER
Many thanks.
I've removed the old reference, replaced it with the current DCs and ran DCDIAG again - all would seem to be well.
Many thanks for the help.
You're welcome.
2. In the DNS Management console, right click the delegation (you will see the entry for _msdcs under the zone domain.company.com), and select properties. Update the name servers listed there.
Don't worry about the domainReplica attribute.
http://msdn.microsoft.com/en-us/library/cc219870.aspx
Do you have any errors from running dcdiag /v or repadmin /showrepl? If not, then there's probably nothing to clean up.
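An added example, not part of the original thread and not a Microsoft tool: a small parser that reads saved DCDIAG /TEST:DNS output and lists the delegation name servers flagged as "[Broken delegation]" that are not among the current DCs, which are the entries to replace in the delegation's name server list. The sample report is constructed from the lines quoted in the question; the indentation, the address 192.0.2.10 and the DC name DCTwo are assumptions.

```python
import re

# Constructed sample based on the Del section quoted in the question.
# 192.0.2.10 is a documentation address standing in for OLDSERVER's IP.
SAMPLE = """\
TEST: Delegations (Del)
   Delegation information for the zone: domain.company.com.
      Delegated domain name: _msdcs.domain.company.com.
         Warning: Delegation of DNS server OLDSERVER.domain.company.com. is broken on IP:192.0.2.10
         Error: DNS server: OLDSERVER.domain.company.com.
         IP:192.0.2.10 [Broken delegation]
"""

ZONE_RE = re.compile(r"Delegation information for the zone:\s*(\S+)")
CHILD_RE = re.compile(r"Delegated domain name:\s*(\S+)")
SERVER_RE = re.compile(r"Error:\s*DNS server:\s*(\S+)")
BROKEN_RE = re.compile(r"IP:\s*(.+?)\s*\[Broken delegation\]")


def broken_delegations(report):
    """Return one dict per [Broken delegation] entry in a DCDIAG DNS report."""
    zone = child = server = None
    found = []
    for line in report.splitlines():
        if m := ZONE_RE.search(line):
            # New parent zone: forget the previous child zone and server.
            zone, child, server = m.group(1).rstrip("."), None, None
        elif m := CHILD_RE.search(line):
            child, server = m.group(1).rstrip("."), None
        elif m := SERVER_RE.search(line):
            server = m.group(1).rstrip(".")
        elif (m := BROKEN_RE.search(line)) and server:
            found.append({"zone": zone, "delegation": child,
                          "server": server, "ip": m.group(1)})
    return found


def stale_name_servers(report, current_dcs):
    """Broken delegation targets that are not current DCs (names compared case-insensitively)."""
    current = {dc.lower().rstrip(".") for dc in current_dcs}
    return sorted({(d["delegation"], d["server"])
                   for d in broken_delegations(report)
                   if d["server"].lower() not in current})


if __name__ == "__main__":
    dcs = ["DCOne.domain.company.com", "DCTwo.domain.company.com"]  # DCTwo is hypothetical
    for delegation, server in stale_name_servers(SAMPLE, dcs):
        print(f"{delegation}: replace name server {server}")
```
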