DCDIAG /test:DNS error message explanations?

I have a Windows 2008 domain with 2 DCs. Many moons ago this was actually a Windows 2003 domain which was upgraded to 2008 as per MS's instructions. Pre-upgrade the 'main' DC/DNS server was a box called OLDSERVER.

Running DCDIAG /TEST:DNS on both 2008 DCs there are a couple of errors shown - same 2 on each server - and I don't know what they mean or how to resolve them.  They are

1.  Root zone on this DC/DNS server was not found

2. TEST: Delegations (Del)
Delegation information for the zone: domain.company.com.
Delegated domain name: _msdcs.domain.company.com.
Warning: Delegation of DNS server OLDSERVER.domain.company.com. is broken on IP:<OLDSERVER's IP>
Error: DNS server: OLDSERVER.domain.company.com.
IP:<OLDSERVER's IP>[Broken delegation]

I used ADSI Edit to take a look around and if I go to Properties of the folder 'DC=domain,DC=company,DC=com' under Default Naming Context I see that there is a value in the Attribute Editor tab called 'domainReplica' which has the value 'OLDSERVER' - I've no idea if that is a clue but I'm guessing it should be there as OLDSERVER is (or should be) an old server acting as a file store and nothing else.

I might be stating the obvious but in the registry under HKLM\System\CurrentControlSet\Services\NTDS\Parameters there is also a key labelled 'Src Root Domain Srv' with the value of the FQDN of the OLDSERVER.

Can anyone advise on a suitable course of action to tidy this up a bit safely?

Thanks in advance.
funasset Asked:

footech Commented:
1.  That is not an error.  Unless you want your server to think it knows everything about the internet you shouldn't have a root zone.  If your DNS server is serving clients that are trying to reach the internet this is how it should be, it uses root hints or forwarders for names it has no knowledge of.

2. In the DNS Management console, right click the delegation (you will see the entry for _msdcs under the zone domain.company.com), and select properties.  Update the name servers listed there.

Don't worry about the domainReplica attribute.
http://msdn.microsoft.com/en-us/library/cc219870.aspx

Do you have any errors from running dcdiag /v or repadmin /showrepl?  If not, then there's probably nothing to clean up.
funasset (Author) Commented:
1. Thanks - one less thing for me to worry about!

2. I see the Name Servers and yes it does have that old server listed there. Should I just remove that or substitute it with the names of the 2 current DCs? What does that tab represent?

As for the tests you suggested the latter completed with all things Successful on both DCs. The former gave one error on both which is

Starting test: NCSecDesc

         * Security Permissions check for all NC's on DC DCOne.
         The forest is not ready for RODC. Will skip checking ERODC ACEs.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=domain,DC=company,DC=com
            (NDNC,Version 3)
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=domain,DC=company,DC=com
         * Security Permissions Check for
           DC=DomainDnsZones,DC=domain,DC=company,DC=com
            (NDNC,Version 3)
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=domain,DC=company,DC=com
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=domain,DC=company,DC=com
            (Schema,Version 3)
         * Security Permissions Check for
           CN=Configuration,DC=domain,DC=company,DC=com
            (Configuration,Version 3)
         * Security Permissions Check for
           DC=domain,DC=company,DC=com
            (Domain,Version 3)

Every other test on DCDIAG /V passed OK. I might be getting somewhere at last!

I appreciate the help.
footech Commented:
I would suggest updating the delegation to include all your current DNS servers and remove any that are invalid.  The tab shows which DNS servers have info about a zone.  Delegations are used more for child domains in a multi-domain forest, but it also applies to the _msdcs zone.
http://technet.microsoft.com/en-us/library/cc771640.aspx

The NCSecDesc error is expected if you haven't run adprep /rodcprep.  You can ignore it if you don't plan on introducing read-only domain controllers, or just run the command so you're not bothered by it.
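
To go with the advice above about removing invalid name servers from the delegation, here is an added example (not part of the original thread): a Python script that reads saved DCDIAG /test:DNS output, collects every name server reported as a broken delegation, and separates stale entries from servers that are still current DNS servers. The function names and the caller-supplied list of current DNS servers are assumptions; the sample text is the output quoted in the question, and the parser handles any number of zones and delegations.

```python
import re
from collections import defaultdict

# Constructed sample: the Delegations lines quoted in the question, with the
# IP placeholder kept exactly as posted.
SAMPLE = """\
TEST: Delegations (Del)
Delegation information for the zone: domain.company.com.
Delegated domain name: _msdcs.domain.company.com.
Warning: Delegation of DNS server OLDSERVER.domain.company.com. is broken on IP:<OLDSERVER's IP>
Error: DNS server: OLDSERVER.domain.company.com.
IP:<OLDSERVER's IP>[Broken delegation]
"""

ZONE = re.compile(r"Delegation information for the zone:\s*(\S+)")
CHILD = re.compile(r"Delegated domain name:\s*(\S+)")
BROKEN = re.compile(r"Delegation of DNS server (\S+) is broken on IP:\s*(.+?)\s*$")


def norm(name):
    """Lower-case and drop the trailing dot so FQDNs compare equal."""
    return name.rstrip(".").lower()


def broken_delegations(text):
    """Map (parent zone, delegated domain) -> list of (server, ip) reported broken."""
    found = defaultdict(list)
    zone = child = None
    for line in text.splitlines():
        if m := ZONE.search(line):
            zone, child = norm(m.group(1)), None
        elif m := CHILD.search(line):
            child = norm(m.group(1))
        elif (m := BROKEN.search(line)) and zone and child:
            entry = (norm(m.group(1)), m.group(2))
            if entry not in found[(zone, child)]:
                found[(zone, child)].append(entry)
    return dict(found)


def triage(text, current_dns_servers):
    """Split broken NS targets into stale (not a current DNS server) and live."""
    current = {norm(s) for s in current_dns_servers}
    report = {}
    for key, entries in broken_delegations(text).items():
        stale = [s for s, _ in entries if s not in current]
        live = [s for s, _ in entries if s in current]
        report[key] = {"remove_from_delegation": stale, "investigate_server": live}
    return report
```

A server that lands in `investigate_server` is a current DNS server whose delegation test failed, so its record is not stale and the DNS service on that host is what needs checking.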
funasset (Author) Commented:
Many thanks.

I've removed the old reference, replaced it with the current DCs and ran DCDIAG again - all would seem to be well.

Many thanks for the help.
footech Commented:
You're welcome.