Forum.Brain-Cluster.com: Brain Cluster Technical Forum
replication scope question [message #159405] Wed, 29 July 2009 12:27
Dudley:
I have a DNS server with three AD integrated zones and one primary zone. That
server is the only DC with DNS installed. There is a member server that has
DNS installed that hosts secondary zones for all four of the zones on the DC.
A replacement for the DC is in place. I would like to install DNS on the
other DCs in the forest root domain and replicate the AD integrated zones.
Currently the zone replication scope is set to "All Domain Controllers in the
Active Directory domain". The current DNS servers are running Windows 2003
SP2 32 bit, the new DC is running 64bit R2. Would there be any advantage to
changing the scope to the default setting "All DNS servers in the Active
Directory domain" or should I leave the replication scope alone? Would there
be any issue due to the differences in operating systems?

Thanks in advance
--
Dudley
MCP, MCDST
Re: replication scope question [message #159407 is a reply to message #159405] Wed, 29 July 2009 13:08
AceFekayMCT:
"Dudley" wrote:

> I have a DNS server with three AD integrated zones and one primary zone. That
> server is the only DC with DNS installed. There is a member server that has
> DNS installed that hosts secondary zones for all four of the zones on the DC.
> A replacement for the DC is in place. I would like to install DNS on the
> other DCs in the forest root domain and replicate the AD integrated zones.
> Currently the zone replication scope is set to "All Domain Controllers in the
> Active Directory domain". The current DNS servers are running Windows 2003
> SP2 32 bit, the new DC is running 64bit R2. Would there be any advantage to
> changing the scope to the default setting "All DNS servers in the Active
> Directory domain" or should I leave the replication scope alone? Would there
> be any issue due to the differences in operating systems?
>
> Thanks in advance
> --
> Dudley
> MCP, MCDST

Hello Dudley,

There is no difference with AD when it comes to either 32-bit or 64-bit
operating systems. You can change the replication scope to "All DNS servers in
the Active Directory domain", which is a 2003 and newer operating system
setting because it takes advantage of the DomainDnsZones application
partition.

The current one you have it set on is for backwards compatibility with
Windows 2000 DCs. I would set that first, prior to installing DNS on the other
DCs. As a matter of fact, I would recommend all DCs be DNS servers, and not any
of the member servers. This is because you can take advantage of Secure
Updates, which is only available on DNS servers installed on a DC with AD
integrated zones, as well as the fact that the zone is secure because it
exists in the AD database, and not as a text file in the system32\dns folder,
and automatically replicates (with no zone transfers) to all DCs that have
DNS installed.

In summary, simply install DNS on the other DCs, sit back and wait about a
half hour or so, and the zones will auto-populate. If they don't, then
there's a replication issue. If you try to manually create them, you will
cause a duplicate zone issue. So sit tight and wait...

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging

Re: replication scope question [message #159434 is a reply to message #159405] Wed, 29 July 2009 16:19
Jorge Silva:
Hi
If all the DCs are in the same domain, the scope "All Domain Controllers in
the Active Directory domain" should be enough, but if you're talking about
multiple domains you can use the Forest replication scope.
BTW, why the primary zone? You can have DNS ADI and still have secondary
zones on a member server.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services
"Dudley" <Dudley@discussions.microsoft.com> wrote in message
news:78DA541F-A2E1-4E14-8D83-1042EB8A2C9D@microsoft.com...
>I have a DNS server with three AD integrated zones and one primary zone.
>That
> server is the only DC with DNS installed. There is a member server that
> has
> DNS installed that hosts secondary zones for all four of the zones on the
> DC.
> A replacement for the DC is in place. I would like to install DNS on the
> other DCs in the forest root domain and replicate the AD integrated zones.
> Currently the zone replication scope is set to "All Domain Controllers in
> the
> Active Directory domain". The current DNS servers are running Windows 2003
> SP2 32 bit, the new DC is running 64bit R2. Would there be any advantage
> to
> changing the scope to the default setting "All DNS servers in the Active
> Directory domain" or should I leave the replication scope alone? Would
> there
> be any issue due to the differences in operating systems?
>
> Thanks in advance
> --
> Dudley
> MCP, MCDST
Re: replication scope question [message #159442 is a reply to message #159405] Wed, 29 July 2009 16:41
meiweb(nospam) (Germany):
Hello Dudley,

Use AD integrated zones on all DCs and, if possible, avoid the member server
with the secondary zone; if for whatever reason only the secondary is available,
no DNS updates are possible because this is a read-only copy.

If you use only DCs for DNS leave it as it is. Doesn't matter if you use
32 or 64 bit architecture.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> I have a DNS server with three AD integrated zones and one primary
> zone. That server is the only DC with DNS installed. There is a member
> server that has DNS installed that hosts secondary zones for all four
> of the zones on the DC. A replacement for the DC is in place. I would
> like to install DNS on the other DCs in the forest root domain and
> replicate the AD integrated zones. Currently the zone replication
> scope is set to "All Domain Controllers in the Active Directory
> domain". The current DNS servers are running Windows 2003 SP2 32 bit,
> the new DC is running 64bit R2. Would there be any advantage to
> changing the scope to the default setting "All DNS servers in the
> Active Directory domain" or should I leave the replication scope
> alone? Would there be any issue due to the differences in operating
> systems?
>
> Thanks in advance
>
Re: replication scope question [message #159525 is a reply to message #159434] Thu, 30 July 2009 16:44
Dudley:
I changed the primary zone to AD integrated yesterday. I'm not sure why it
was a primary zone, but it makes the most sense to make all of the zones AD
integrated. I received several 4521 warning events immediately after the
change. I found several references to it in a web search, but unlike others
who have received this warning, I didn't get other events with it and they
all occurred at the same second. Everything seems to be fine otherwise.

I didn't think it was necessary to replicate to all DCs in the forest. I
figured if the two outdated DNS servers were adequate three new DNS servers
were fine.
--
Dudley
MCP, MCDST


"Jorge Silva" wrote:

> Hi
> If all the DCs are in the same domain the scope All Domain Controllers in
> the Active Directory domain" should be enough, but if you're talking about
> multiple domains you can use Forest replication scope?
> BTW, why the primary zone? You can have DNS ADI and still have secondary
> zones in a member server.
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MVP Directory Services
> "Dudley" <Dudley@discussions.microsoft.com> wrote in message
> news:78DA541F-A2E1-4E14-8D83-1042EB8A2C9D@microsoft.com...
> >I have a DNS server with three AD integrated zones and one primary zone.
> >That
> > server is the only DC with DNS installed. There is a member server that
> > has
> > DNS installed that hosts secondary zones for all four of the zones on the
> > DC.
> > A replacement for the DC is in place. I would like to install DNS on the
> > other DCs in the forest root domain and replicate the AD integrated zones.
> > Currently the zone replication scope is set to "All Domain Controllers in
> > the
> > Active Directory domain". The current DNS servers are running Windows 2003
> > SP2 32 bit, the new DC is running 64bit R2. Would there be any advantage
> > to
> > changing the scope to the default setting "All DNS servers in the Active
> > Directory domain" or should I leave the replication scope alone? Would
> > there
> > be any issue due to the differences in operating systems?
> >
> > Thanks in advance
> > --
> > Dudley
> > MCP, MCDST
>
Re: replication scope question [message #159526 is a reply to message #159442] Thu, 30 July 2009 17:40
Dudley:
I will be getting rid of the member server in the near future, but need to
keep it for now. By "all" do you mean all DCs in the forest should be DNS
servers? One of the others suggested the same thing.
--
Dudley
MCP, MCDST


"Meinolf Weber [MVP-DS]" wrote:

> Hello Dudley,
>
> Use AD integrated zones on all DCs and if possible, avoid the member server
> with secondary zone, if for whatever reason the secondary is only available
> no DNS updates are possible because this is a read-only copy.
>
> If you use only DCs for DNS leave it as it is. Doesn't matter if you use
> 32 or 64 bit architecture.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > I have a DNS server with three AD integrated zones and one primary
> > zone. That server is the only DC with DNS installed. There is a member
> > server that has DNS installed that hosts secondary zones for all four
> > of the zones on the DC. A replacement for the DC is in place. I would
> > like to install DNS on the other DCs in the forest root domain and
> > replicate the AD integrated zones. Currently the zone replication
> > scope is set to "All Domain Controllers in the Active Directory
> > domain". The current DNS servers are running Windows 2003 SP2 32 bit,
> > the new DC is running 64bit R2. Would there be any advantage to
> > changing the scope to the default setting "All DNS servers in the
> > Active Directory domain" or should I leave the replication scope
> > alone? Would there be any issue due to the differences in operating
> > systems?
> >
> > Thanks in advance
> >
>
>
>
Re: replication scope question [message #159529 is a reply to message #159525] Thu, 30 July 2009 18:43
aceman (United States):
"Dudley" <Dudley@discussions.microsoft.com> wrote in message
news:2C1EF4BE-8D3F-462B-81C0-DE99E00461BD@microsoft.com...
>I changed the primary zone to AD integrated yesterday. I'm not sure why it
> was a primary zone, but it makes the most sense to make all of the zones
> AD
> integrated. I received several 4521 warning events immediately after the
> change. I found several references to it in a web search, but unlike
> others
> who have received this warning, I didn't get other events with it and they
> all occurred at the same second. Everything seems to be fine otherwise.
>
> I didn't think it was necessary to replicate to all DCs in the forest. I
> figured if the two outdated DNS servers were adequate three new DNS
> servers
> were fine.
> --

With one domain, it doesn't really matter if it's set to forest or domain
replication. That comes into play more with multiple domains, but you can
leave it that way, if you like, or choose domain wide (middle button), which
puts it into the DomainDnsZones partition.

Ace
Re: replication scope question [message #159532 is a reply to message #159525] Thu, 30 July 2009 18:50
Jorge Silva:
What?
Did you delete the primary zone, or did you directly convert that zone to AI?

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services
"Dudley" <Dudley@discussions.microsoft.com> wrote in message
news:2C1EF4BE-8D3F-462B-81C0-DE99E00461BD@microsoft.com...
>I changed the primary zone to AD integrated yesterday. I'm not sure why it
> was a primary zone, but it makes the most sense to make all of the zones
> AD
> integrated. I received several 4521 warning events immediately after the
> change. I found several references to it in a web search, but unlike
> others
> who have received this warning, I didn't get other events with it and they
> all occurred at the same second. Everything seems to be fine otherwise.
>
> I didn't think it was necessary to replicate to all DCs in the forest. I
> figured if the two outdated DNS servers were adequate three new DNS
> servers
> were fine.
> --
> Dudley
> MCP, MCDST
>
>
> "Jorge Silva" wrote:
>
>> Hi
>> If all the DCs are in the same domain the scope All Domain Controllers in
>> the Active Directory domain" should be enough, but if you're talking
>> about
>> multiple domains you can use Forest replication scope?
>> BTW, why the primary zone? You can have DNS ADI and still have secondary
>> zones in a member server.
>>
>> --
>> I hope that the information above helps you.
>> Have a Nice day.
>>
>> Jorge Silva
>> MVP Directory Services
>> "Dudley" <Dudley@discussions.microsoft.com> wrote in message
>> news:78DA541F-A2E1-4E14-8D83-1042EB8A2C9D@microsoft.com...
>> >I have a DNS server with three AD integrated zones and one primary zone.
>> >That
>> > server is the only DC with DNS installed. There is a member server that
>> > has
>> > DNS installed that hosts secondary zones for all four of the zones on
>> > the
>> > DC.
>> > A replacement for the DC is in place. I would like to install DNS on
>> > the
>> > other DCs in the forest root domain and replicate the AD integrated
>> > zones.
>> > Currently the zone replication scope is set to "All Domain Controllers
>> > in
>> > the
>> > Active Directory domain". The current DNS servers are running Windows
>> > 2003
>> > SP2 32 bit, the new DC is running 64bit R2. Would there be any
>> > advantage
>> > to
>> > changing the scope to the default setting "All DNS servers in the
>> > Active
>> > Directory domain" or should I leave the replication scope alone? Would
>> > there
>> > be any issue due to the differences in operating systems?
>> >
>> > Thanks in advance
>> > --
>> > Dudley
>> > MCP, MCDST
>>
Re: replication scope question [message #159539 is a reply to message #159526] Thu, 30 July 2009 23:29
meiweb(nospam) (Germany):
Hello Dudley,

Yes, we have all our DCs in the forest as DNS servers as well. Redundancy and failover.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> I will be getting rid of the member server in the near future, but
> need to keep it for now. By "all" do you mean all DCs in the forest
> should be DNS servers? One of the others suggested the same thing.
>
> "Meinolf Weber [MVP-DS]" wrote:
>
>> Hello Dudley,
>>
>> Use AD integrated zones on all DCs and if possible, avoid the member
>> server with secondary zone, if for whatever reason the secondary is
>> only available no DNS updates are possible because this is a
>> read-only copy.
>>
>> If you use only DCs for DNS leave it as it is. Doesn't matter if you
>> use 32 or 64 bit architecture.
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> I have a DNS server with three AD integrated zones and one primary
>>> zone. That server is the only DC with DNS installed. There is a
>>> member server that has DNS installed that hosts secondary zones for
>>> all four of the zones on the DC. A replacement for the DC is in
>>> place. I would like to install DNS on the other DCs in the forest
>>> root domain and replicate the AD integrated zones. Currently the
>>> zone replication scope is set to "All Domain Controllers in the
>>> Active Directory domain". The current DNS servers are running
>>> Windows 2003 SP2 32 bit, the new DC is running 64bit R2. Would there
>>> be any advantage to changing the scope to the default setting "All
>>> DNS servers in the Active Directory domain" or should I leave the
>>> replication scope alone? Would there be any issue due to the
>>> differences in operating systems?
>>>
>>> Thanks in advance
>>>
Re: replication scope question [message #159544 is a reply to message #159532] Fri, 31 July 2009 07:19
Dudley:
The primary zone has been converted to AI. It was not deleted. Are the 4521
events a cause for concern?
--
Dudley
MCP, MCDST


"Jorge Silva" wrote:

> What?
> You deleted the primary zone or you directly convert that zone to AI?
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MVP Directory Services
> "Dudley" <Dudley@discussions.microsoft.com> wrote in message
> news:2C1EF4BE-8D3F-462B-81C0-DE99E00461BD@microsoft.com...
> >I changed the primary zone to AD integrated yesterday. I'm not sure why it
> > was a primary zone, but it makes the most sense to make all of the zones
> > AD
> > integrated. I received several 4521 warning events immediately after the
> > change. I found several references to it in a web search, but unlike
> > others
> > who have received this warning, I didn't get other events with it and they
> > all occurred at the same second. Everything seems to be fine otherwise.
> >
> > I didn't think it was necessary to replicate to all DCs in the forest. I
> > figured if the two outdated DNS servers were adequate three new DNS
> > servers
> > were fine.
> > --
> > Dudley
> > MCP, MCDST
> >
> >
> > "Jorge Silva" wrote:
> >
> >> Hi
> >> If all the DCs are in the same domain the scope All Domain Controllers in
> >> the Active Directory domain" should be enough, but if you're talking
> >> about
> >> multiple domains you can use Forest replication scope?
> >> BTW, why the primary zone? You can have DNS ADI and still have secondary
> >> zones in a member server.
> >>
> >> --
> >> I hope that the information above helps you.
> >> Have a Nice day.
> >>
> >> Jorge Silva
> >> MVP Directory Services
> >> "Dudley" <Dudley@discussions.microsoft.com> wrote in message
> >> news:78DA541F-A2E1-4E14-8D83-1042EB8A2C9D@microsoft.com...
> >> >I have a DNS server with three AD integrated zones and one primary zone.
> >> >That
> >> > server is the only DC with DNS installed. There is a member server that
> >> > has
> >> > DNS installed that hosts secondary zones for all four of the zones on
> >> > the
> >> > DC.
> >> > A replacement for the DC is in place. I would like to install DNS on
> >> > the
> >> > other DCs in the forest root domain and replicate the AD integrated
> >> > zones.
> >> > Currently the zone replication scope is set to "All Domain Controllers
> >> > in
> >> > the
> >> > Active Directory domain". The current DNS servers are running Windows
> >> > 2003
> >> > SP2 32 bit, the new DC is running 64bit R2. Would there be any
> >> > advantage
> >> > to
> >> > changing the scope to the default setting "All DNS servers in the
> >> > Active
> >> > Directory domain" or should I leave the replication scope alone? Would
> >> > there
> >> > be any issue due to the differences in operating systems?
> >> >
> >> > Thanks in advance
> >> > --
> >> > Dudley
> >> > MCP, MCDST
> >>
>
Re: replication scope question [message #159548 is a reply to message #159544] Fri, 31 July 2009 08:27
Jorge Silva:
Yes, now you've duplicated the zone...
The primary zone is independent and can only be hosted by one server.
Integrated zones are shared and have nothing to do with primary zones. If
you converted a primary zone that has the same FQDN to Active Directory
integrated, you're duplicating the zones and causing a mess.

To fix that, I first need to know if the primary zone that was converted to
AI is the same as the existing DNS AI zone.

For example, your DNS AI zone is yourdomain.local, and the primary zone was
yourdomain.local as well. Is that the case?

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services
"Dudley" <Dudley@discussions.microsoft.com> wrote in message
news:F2BF08C8-AEC0-4F5C-8716-C828E8311670@microsoft.com...
> The primary zone has been converted to AI. It was not deleted. Are the
> 4521
> events a cause of concern?
> --
> Dudley
> MCP, MCDST
>
>
> "Jorge Silva" wrote:
>
>> What?
>> You deleted the primary zone or you directly convert that zone to AI?
>>
>> --
>> I hope that the information above helps you.
>> Have a Nice day.
>>
>> Jorge Silva
>> MVP Directory Services
>> "Dudley" <Dudley@discussions.microsoft.com> wrote in message
>> news:2C1EF4BE-8D3F-462B-81C0-DE99E00461BD@microsoft.com...
>> >I changed the primary zone to AD integrated yesterday. I'm not sure why
>> >it
>> > was a primary zone, but it makes the most sense to make all of the
>> > zones
>> > AD
>> > integrated. I received several 4521 warning events immediately after
>> > the
>> > change. I found several references to it in a web search, but unlike
>> > others
>> > who have received this warning, I didn't get other events with it and
>> > they
>> > all occurred at the same second. Everything seems to be fine otherwise.
>> >
>> > I didn't think it was necessary to replicate to all DCs in the forest.
>> > I
>> > figured if the two outdated DNS servers were adequate three new DNS
>> > servers
>> > were fine.
>> > --
>> > Dudley
>> > MCP, MCDST
>> >
>> >
>> > "Jorge Silva" wrote:
>> >
>> >> Hi
>> >> If all the DCs are in the same domain the scope All Domain Controllers
>> >> in
>> >> the Active Directory domain" should be enough, but if you're talking
>> >> about
>> >> multiple domains you can use Forest replication scope?
>> >> BTW, why the primary zone? You can have DNS ADI and still have
>> >> secondary
>> >> zones in a member server.
>> >>
>> >> --
>> >> I hope that the information above helps you.
>> >> Have a Nice day.
>> >>
>> >> Jorge Silva
>> >> MVP Directory Services
>> >> "Dudley" <Dudley@discussions.microsoft.com> wrote in message
>> >> news:78DA541F-A2E1-4E14-8D83-1042EB8A2C9D@microsoft.com...
>> >> >I have a DNS server with three AD integrated zones and one primary
>> >> >zone.
>> >> >That
>> >> > server is the only DC with DNS installed. There is a member server
>> >> > that
>> >> > has
>> >> > DNS installed that hosts secondary zones for all four of the zones
>> >> > on
>> >> > the
>> >> > DC.
>> >> > A replacement for the DC is in place. I would like to install DNS on
>> >> > the
>> >> > other DCs in the forest root domain and replicate the AD integrated
>> >> > zones.
>> >> > Currently the zone replication scope is set to "All Domain
>> >> > Controllers
>> >> > in
>> >> > the
>> >> > Active Directory domain". The current DNS servers are running
>> >> > Windows
>> >> > 2003
>> >> > SP2 32 bit, the new DC is running 64bit R2. Would there be any
>> >> > advantage
>> >> > to
>> >> > changing the scope to the default setting "All DNS servers in the
>> >> > Active
>> >> > Directory domain" or should I leave the replication scope alone?
>> >> > Would
>> >> > there
>> >> > be any issue due to the differences in operating systems?
>> >> >
>> >> > Thanks in advance
>> >> > --
>> >> > Dudley
>> >> > MCP, MCDST
>> >>
>>
Re: replication scope question [message #159555 is a reply to message #159548] Fri, 31 July 2009 11:47
Dudley:
I opened the "Change Zone Type" window, accessed through the "General" tab of
the zone's properties box, to place a check in the "Store the zone in
Active Directory..." check box. Is that something that should only be used as
a zone is created? That was the second zone that I had made that change to
this week. The first zone was changed before my initial post. One was a
forward and the other was a reverse. Neither accepts dynamic updates. There
are information events in the DNS event log stating that "An administrator
has moved the zone domain.com to a new location in Active Directory". There
is only one copy of each zone in the DNS console. At this point DNS is still
running on one DC with secondary zones on one member server.

I appreciate any help you can offer.
--
Dudley
MCP, MCDST


"Jorge Silva" wrote:

> Yes, now you've duplicated the Zone...
> The primary zone is independent and can only be hosted by one server.
> Integrated zones are shared and have nothing to do with primary zones. If
> you converted a Primary Zone that has the same FQDN to Active Directory
> integrated you're duplicating the zones and causing a mess.
>
> To fix that I first need to know if the primary zone that was converted to
> AI is equal to the existing DNS AI Zone???!!!
>
> For example, your DNSAI zone is yourdomain.local, and primary zone was
> yourdomain.local as well. Is that the case?
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MVP Directory Services
> "Dudley" <Dudley@discussions.microsoft.com> wrote in message
> news:F2BF08C8-AEC0-4F5C-8716-C828E8311670@microsoft.com...
> > The primary zone has been converted to AI. It was not deleted. Are the
> > 4521
> > events a cause of concern?
> > --
> > Dudley
> > MCP, MCDST
> >
> >
> > "Jorge Silva" wrote:
> >
> >> What?
> >> You deleted the primary zone or you directly convert that zone to AI?
> >>
> >> --
> >> I hope that the information above helps you.
> >> Have a Nice day.
> >>
> >> Jorge Silva
> >> MVP Directory Services
> >> "Dudley" <Dudley@discussions.microsoft.com> wrote in message
> >> news:2C1EF4BE-8D3F-462B-81C0-DE99E00461BD@microsoft.com...
> >> >I changed the primary zone to AD integrated yesterday. I'm not sure why
> >> >it
> >> > was a primary zone, but it makes the most sense to make all of the
> >> > zones
> >> > AD
> >> > integrated. I received several 4521 warning events immediately after
> >> > the
> >> > change. I found several references to it in a web search, but unlike
> >> > others
> >> > who have received this warning, I didn't get other events with it and
> >> > they
> >> > all occurred at the same second. Everything seems to be fine otherwise.
> >> >
> >> > I didn't think it was necessary to replicate to all DCs in the forest.
> >> > I
> >> > figured if the two outdated DNS servers were adequate three new DNS
> >> > servers
> >> > were fine.
> >> > --
> >> > Dudley
> >> > MCP, MCDST
> >> >
> >> >
> >> > "Jorge Silva" wrote:
> >> >
> >> >> Hi
> >> >> If all the DCs are in the same domain the scope All Domain Controllers
> >> >> in
> >> >> the Active Directory domain" should be enough, but if you're talking
> >> >> about
> >> >> multiple domains you can use Forest replication scope?
> >> >> BTW, why the primary zone? You can have DNS ADI and still have
> >> >> secondary
> >> >> zones in a member server.
> >> >>
> >> >> --
> >> >> I hope that the information above helps you.
> >> >> Have a Nice day.
> >> >>
> >> >> Jorge Silva
> >> >> MVP Directory Services
> >> >> "Dudley" <Dudley@discussions.microsoft.com> wrote in message
> >> >> news:78DA541F-A2E1-4E14-8D83-1042EB8A2C9D@microsoft.com...
> >> >> >I have a DNS server with three AD integrated zones and one primary
> >> >> >zone.
> >> >> >That
> >> >> > server is the only DC with DNS installed. There is a member server
> >> >> > that
> >> >> > has
> >> >> > DNS installed that hosts secondary zones for all four of the zones
> >> >> > on
> >> >> > the
> >> >> > DC.
> >> >> > A replacement for the DC is in place. I would like to install DNS on
> >> >> > the
> >> >> > other DCs in the forest root domain and replicate the AD integrated
> >> >> > zones.
> >> >> > Currently the zone replication scope is set to "All Domain
> >> >> > Controllers
> >> >> > in
> >> >> > the
> >> >> > Active Directory domain". The current DNS servers are running
> >> >> > Windows
> >> >> > 2003
> >> >> > SP2 32 bit, the new DC is running 64bit R2. Would there be any
> >> >> > advantage
> >> >> > to
> >> >> > changing the scope to the default setting "All DNS servers in the
> >> >> > Active
> >> >> > Directory domain" or should I leave the replication scope alone?
> >> >> > Would
> >> >> > there
> >> >> > be any issue due to the differences in operating systems?
> >> >> >
> >> >> > Thanks in advance
> >> >> > --
> >> >> > Dudley
> >> >> > MCP, MCDST
> >> >>
> >>
>
Re: replication scope question [message #159558 is a reply to message #159555] Fri, 31 July 2009 14:18
aceman (United States):
"Dudley" <Dudley@discussions.microsoft.com> wrote in message
news:2A077679-7BFD-4EC8-B591-B6B460CF8D2B@microsoft.com...
>I opened the "Change Zone Type" window accessed through the "General" tab
>of
> the zone's properties box on to place a check in the "store the zone in
> Active Directory..." check box. Is that something that should only be used
> as
> a zone is created? That was the second zone that I had made that change to
> this week. The first zone was changed before my initial post. One was a
> forward and the other was a reverse. Neither accepts dynamic updates.
> There
> are information events in the DNS event log stating that "An administrator
> has moved the zone domain.com to a new location in Active Directory".
> There
> is only one copy of each zone in the DNS console. At this point DNS is
> still
> running on one DC with secondary zones on one member server.
>
> I appreciate any help you can offer.
> --

Just to catch up where you're at with DNS installed on the DCs, did you
install DNS on the other DCs?

If you did, did you change the zone to AD Integrated only on one server, or
more than one server?

Ace
Re: replication scope question [message #159559 is a reply to message #159548] Fri, 31 July 2009 14:24
aceman (United States)
Messages: 5816
Registered: July 2009
Senior Member
"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
news:518BA861-4DCA-4AC7-89E8-72F574AD8A1A@microsoft.com...
> Yes, now you've duplicated the Zone...
> The primary zone is independent and can only be hosted by one server.
> Integrated zones are shared and have nothing to do with primary zones. If
> you converted a Primary Zone that has the same FQDN to Active Directory
> integrated you're duplicating the zones and causing a mess.
>
> To fix that I first need to know if the primary zone that was converted
> to AI is equal to the existing DNS AI Zone???!!!
>
> For example, your DNSAI zone is yourdomain.local, and primary zone was
> yourdomain.local as well. Is that the case?
>


Jorge,

If only one DC has a Primary standard zone, and the others have secondaries,
converting it to AD integrated should be no problem. The other DCs with
secondaries (that is if he did previously configure/create secondaries prior
to converting the zone to AD integrated), should convert them to AD
integrated automatically, IIRC, because it recognizes them in the AD
database. However, if he changed the zone on more than one DC, then that
would cause a duplicate zone issue.

One easy way to tell is look in ADSI Edit if there are dupes. Of course if
there are, they would need to be deleted. I'm posting (below) a procedure to
help Dudley determine if there are any zone dupes in AD.

==================================================================
Conflicting or duplicate AD Integrated DNS zones
By Ace Fekay, MCSE 2003, MCT
First published 3/2006, updated accordingly

You may have a duplicate zone if a zone either exists in both the Domain NC
and one of the Application Partitions, if you get an unusual error message
stating, "The name limit for the local computer network adapter card was
exceeded," or you installed DNS on another DC and manually created the AD
zone and didn't wait for it to automatically populate.

Dupe zone errata:
A quick explanation: When you have an AD integrated zone, the DNS data is
stored in the actual AD database and is replicated to all DCs and will be
available to any DC that has DNS installed, depending on the zone
replication scope setting. If rep scope is set to the bottom button, it will
be stored in the DomainNC partition of the AD database and compatible with
Windows 2000. If the middle button, it will be stored in the DomainDnsZones
and only works with Windows 2003 and newer DCs. These two scope types will
be replicated to all DCs only in the domain it exists in. The third type,
the top button, is stored in the ForestDnsZones application partition and
is available to ALL DCs in the whole forest. The data in any of the AD
integrated zone types are truly secured since you can't get at them without
the proper tools.

If you have an AD integrated zone existing on a DC and you install DNS on
another DC in the domain or forest, depending what zone type, it will
automatically appear on the new DNS installation without any interaction on
your part. If you attempted to manually create the zone, then you pretty
much just introduced a duplicate in the AD database, which will cause
problems and other issues as well.

A Primary or Secondary zone that is not stored in AD is stored in a text
file in the system32\dns folder. This type of zone storage has nothing to do
with the above types ONLY unless it is truly a secondary with the Master
being a DC transferring a copy of the zone. This type of zone storage is
obviously not secure.

Now **IF** you did manually create a zone on one DC while it already existed
on another DC, then you may have a duplicate. If this is the case, you can
use ADSI Edit and look for zone data that starts with a "CNF..." in front of
it. Delete them and you're good to go.

Under Windows 2000, the physical AD database is broken up into 3 logical
partitions, the DomainNC (Domain Name Context, or some call the Domain Name
Container), the Configuration Partition, and the Schema Partition. The
Schema and Config partitions replicate to all DCs in a forest. However, the
DomainNC is specific only to the domain the DC belongs to. That's where a
user, domain local or global group is stored. The DomainNC only replicates
to the DCs of that specific domain. When you create an AD Integrated zone in
Win 2000, it gets stored in the DomainNC. This causes a limitation if you
want this zone to be available on a DC/DNS server that belongs to a
different domain. The only way to get around that is for a little creative
designing using either delegation, or secondary zones. This was a challenge
for the _msdcs zone, which must be available forest wide to resolve the
forest root domain, which contains the Schema and Domain Name Masters FSMO
roles.

In Windows 2003, there were two additional partitions added, they are called
the DomainDnsZones and ForestDnsZones Application Partitions, specifically
to store DNS data. They were conceived to overcome the limitation of Windows
2000's AD Integrated zones. Now you can store an AD Integrated zone in
either of these new partitions instead of the DomainNC. If stored in the
DomainDnsZones app partition, it is available only in that domain's
DomainDnsZones partition. If you store it in the ForestDnsZones app
partition, it will be available to any DC/DNS server in the whole forest.
This opens many more design options. It also ensures the availability of the
_msdcs zone to all DCs in the forest. By default in Win 2003, the _msdcs
zone is stored in the ForestDnsZones application partition.

When selecting a zone replication scope in Win2003, in the zone's
properties, click on the "Change" button. Under that you will see 3 options:
To choose the ForestDnsZones:
"To all DNS servers in the AD forest example.com"

To choose DomainDnsZones:
"To all DNS servers in the AD domain example.com"

To choose the DomainNC (only for compatibility with Win2000):
"To all domain controllers in the AD domain example.com"


If you have a duplicate, that's indicating there is a zone that exists in
the DomainNC and in the DomainDnsZones Application partition. This means at
one time, or currently, you have a mixed Win2000/2003 environment and you
have DNS installed on both operating systems. On Win2000, if the zone is AD
Integrated, it is in the DomainNC, and should be set the same in Win2003's
DC/DNS server to keep compatible. Someone must have attempted to change it
in Win2003 DNS to put it in the DomainDnsZones partition not realizing the
implications, hence the duplicate. In a scenario such as this where you want
to use the Win2003 app partitions, you then must ensure the zone on the
Win2003 is set to the DomainNC, then uninstall DNS off the Win2000 machine,
then once that's done, you can then go to the Win2003 DNS and change the
partition's replication scope to one of the app partitions.

In ADSI Edit, you can view all five partitions. You were viewing the app
partitions, but not the main partitions. You need to add the DomainNC
partition in order to delete that zone. But you must uninstall DNS off the
Win2000 server first, unless you want to keep the zone in the DomainNC. But
that wouldn't make much sense if you want to take advantage of the _msdcs
zone being available forest wide in the ForestDnsZones partition, which you
should absolutely NOT delete. I would just use the Win2003 DNS servers only.

In ADSI Edit, rt-click ADSI Edit, connect to, in the Connection Point click
on "Well known Naming Context", then in the drop-down box, select "Domain".
Drill down to CN=System. Under that you will see CN=MicrosoftDNS. You will
see the zone in there.

But make sure to decide FIRST which way to go before you delete anything.

To view the DomainDnsZones or the ForestDnsZones partitions, follow these
steps:

[ForestDNSZones]
Click Start, click Run, type adsiedit.msc, and then click OK.
In the console tree, right-click ADSI Edit, and then click Connect to.
Click Select or type a Distinguished Name or Naming Context, type the
following text in the list, and then click OK:
DC=ForestDNSZones, DC=contoso, DC=com
In the console tree, double-click DC=ForestDNSZones, DC=contoso, DC=com.
Double-click CN=MicrosoftDNS, and click the zone (contoso.com). You should
now be able to view the DNS records which exist in this DNS partition. If
you desire to remove this partition, right-click on contoso.com and then
click Delete.

Note Deleting a zone is a destructive operation. Please confirm that a
duplicate zone exists before you perform a deletion.
If you have deleted a zone, restart the DNS service. To do this, follow
these steps:
Click Start, point to All Programs, point to Administrative Tools, and then
click DNS.
In the console tree, right-click contoso.com, point to All Tasks, and then
click Restart.

[DomainDNSZones]
Click Start, click Run, type adsiedit.msc, and then click OK.
In the console tree, right-click ADSI Edit, and then click Connect to.
Click Select or type a Distinguished Name or Naming Context, type the
following text in the list, and then click OK:
DC=DomainDNSZones,DC=contoso,DC=com.
In the console tree, double-click DC=DomainDNSZones,DC=contoso,DC=com
Double-click CN=MicrosoftDNS, and click the zone (contoso.com). You should
now be able to view the DNS records which exist in this DNS partition. If
you desire to remove this partition, right-click on contoso.com and then
click Delete.

Note Deleting a zone is a destructive operation. Please confirm that a
duplicate zone exists before you perform a deletion.
If you have deleted a zone, restart the DNS service. To do this, follow
these steps:
Click Start, point to All Programs, point to Administrative Tools, and then
click DNS.
In the console tree, right-click contoso.com, point to All Tasks, and then
click Restart.

Some reading for you...

Directory Partitions:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbg_dat_favt.asp

kbAlertz- (867464) - Explains how to use ADSI Edit to resolve app partitions
issues:
http://www.kbalertz.com/kb_867464.aspx


How to fix it?
-------------

What I've done in a few cases with my clients that have issues with
'duplicate' zone entries in AD (because the zone name was in the Domain NC
(Name Container) Partition, and also in the DomainDnsZones App partition),
was first to change the zone on one of the DCs to a Primary zone, and
allowed zone transfers. Then I went to the other DCs and changed the zone to
a Secondary, and using the first DC as the Master. Then I went into ADSI
Edit, (from memory) under the Domain NC, Services, DNS, and deleted any
reference to the domain name. Then I added the DomainDnsZones partition to
the ADSI Edit console, and deleted any reference to the zone name in there
as well. If you see anything saying something to the extent of a phrase that
says "In Progress...." or "CNF" with a long GUID number after it, delete them
too. Every time you may have tried to change the replication scope, it creates
one of them. Delete them all.

Then I forced replication. If there were Sites configured, I juggled around
the servers and subnet objects so all of the servers are now in one site,
then I forced replication (so I didn't have to wait for the next site
replication schedule). Once I've confirmed that replication occurred, and the
zones no longer existed in either the Domain NC or DomainDnsZones, then I
changed the zone on the first server back to AD Integrated, choosing the
middle button for its replication scope (which puts it in the
DomainDnsZones app partition). Then I went to the other servers and changed
the zone to AD Integrated choosing the same replication scope. Then I reset
the sites and subnet objects, and everything was good to go.

Keep in mind, I left the _msdcs... zone alone, since that wasn't causing any
problems and is located in the ForestDnsZones (default) in all of my client
cases I've come across so far.

It seems like a lot of steps, but not really. Just read it over a few times
to get familiar with the procedure. You may even want to change it into a
numbered step by step list if you like. If you only have one DC, and one
Site, then it's much easier since you don't have to mess with secondaries or
play with the site objects.

I hope that helps!
==================================================================

Ace
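As an added example for the "look in ADSI Edit if there are dupes" advice in Ace's post above (my own script, not code from Ace or from Microsoft), the PowerShell below does that check read-only: it enumerates the dnsZone objects in the three places an AD-integrated zone can be stored and flags any zone name present in more than one partition, plus the "CNF:" and "In Progress" conflict leftovers Ace describes. It assumes the standard container names CN=MicrosoftDNS,CN=System,<domain DN>, CN=MicrosoftDNS,DC=DomainDnsZones,<domain DN> and CN=MicrosoftDNS,DC=ForestDnsZones,<forest root DN>, uses only the built-in System.DirectoryServices classes (no ActiveDirectory module, so it also runs against a 2003-era forest), and needs read access to the directory. It deletes nothing; the decision Ace says to make FIRST is still yours.

```powershell
# Added example, not from the thread: read-only audit of where AD-integrated
# DNS zone objects live, to find duplicates and conflict objects before
# anyone opens ADSI Edit. Run from a domain-joined machine with read rights.

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext     # e.g. DC=contoso,DC=com
$forestDn = [string]$rootDse.rootDomainNamingContext  # forest root domain DN

# The three storage locations, matching the three replication-scope buttons.
# Container DNs are the standard ones (assumption: default names in use).
$containers = @(
    @{ Label = 'DomainNC (all DCs in the domain, Win2000-compatible)'
       Dn    = "CN=MicrosoftDNS,CN=System,$domainDn" },
    @{ Label = 'DomainDnsZones (all DNS servers in the domain)'
       Dn    = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn" },
    @{ Label = 'ForestDnsZones (all DNS servers in the forest)'
       Dn    = "CN=MicrosoftDNS,DC=ForestDnsZones,$forestDn" }
)

function Get-DnsZoneObjects {
    param([string]$ContainerDn, [string]$Label)
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ContainerDn")
    # A partition that was never created, or a container with no zones on a
    # Win2003-only forest, is simply absent: skip it rather than fail.
    try { $null = $entry.NativeObject } catch { return @() }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
    $searcher.Filter      = '(objectClass=dnsZone)'
    $searcher.SearchScope = 'OneLevel'
    $searcher.PageSize    = 500
    $null = $searcher.PropertiesToLoad.Add('name')
    $null = $searcher.PropertiesToLoad.Add('distinguishedName')
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            Partition = $Label
            Name      = [string]$r.Properties['name'][0]
            DN        = [string]$r.Properties['distinguishedname'][0]
        }
    }
}

$zones = @()
foreach ($c in $containers) {
    $zones += Get-DnsZoneObjects -ContainerDn $c.Dn -Label $c.Label
}

# Conflict objects: a replication collision renames the loser to
# "<zone>\0ACNF:<guid>", and an interrupted scope change can leave an
# "In Progress" zone behind; both show up in the name attribute.
$conflicts = $zones | Where-Object { $_.Name -match 'CNF:|In ?Progress' }

# Duplicates: the same zone name stored in more than one partition.
$dupes = $zones |
    Where-Object { $_.Name -notmatch 'CNF:|In ?Progress' } |
    Group-Object -Property { $_.Name.ToLower() } |
    Where-Object { $_.Count -gt 1 }

"Zone objects found:"
$zones | Sort-Object Partition, Name | Format-Table Partition, Name -AutoSize

if ($conflicts) {
    "Conflict objects (confirm in ADSI Edit before deleting anything):"
    $conflicts | Format-Table Partition, DN -AutoSize
}
if ($dupes) {
    "Zone names stored in more than one partition:"
    foreach ($g in $dupes) {
        "  $($g.Name)"
        foreach ($z in $g.Group) { "    $($z.Partition): $($z.DN)" }
    }
}
if (-not $conflicts -and -not $dupes) { "No duplicate or conflict zone objects found." }
```

A healthy Win2003 domain lists each zone once, typically in DomainDnsZones, with _msdcs.<forest root> once in ForestDnsZones; Dudley's "All Domain Controllers in the Active Directory domain" scope would instead show the zones once under the DomainNC container. Any name that appears in two partitions, or any CNF: entry, is the situation the procedure above is meant to clean up, and the script's output gives you the exact DNs to look at in ADSI Edit.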
Re: replication scope question [message #159561 is a reply to message #159558] Fri, 31 July 2009 14:41
Jorge Silva
Messages: 398
Registered: July 2009
Senior Member
Hi Dudley,
- Just to get things clear, at this moment where do you have (in which DCs)
DNS AI Zones?
- Do you still have Secondary Zones? IF yes, Where (DCs)?



--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services
"Ace Fekay [MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:O7c1ZwhEKHA.4168@TK2MSFTNGP05.phx.gbl...
Re: replication scope question [message #159562 is a reply to message #159558] Fri, 31 July 2009 14:43
Dudley
Messages: 16
Registered: July 2009
Junior Member
DNS is still only installed on one DC. Jorge said in his last post that I had
duplicated the zone, but I think there is some misunderstanding because the
server seems to be fine. I did receive 4521 warning events after I changed the
replication scope, and after changing the zone types to AD integrated on two
zones, but there aren't any recurring warnings or errors. In fact, no DNS
events of any kind in over 23 hours.
--
Dudley
MCP, MCDST


"Ace Fekay [MCT]" wrote:

Re: replication scope question [message #159564 is a reply to message #159559] Fri, 31 July 2009 14:46
Jorge Silva
Messages: 398
Registered: July 2009
Senior Member
Don't be so sure about Automatically converting Secondary Zones to DNSAI,
more than once I saw that things don't work that way and the result was
lots of errors until you manually delete the secondary zone and force
replication with a DC that has DNSAI.

If I'm not mistaken, the errors that Dudley sees may be result of a scenario
like that.
--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services
"Ace Fekay [MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:u$B10zhEKHA.4824@TK2MSFTNGP05.phx.gbl...
Re: replication scope question [message #159565 is a reply to message #159562] Fri, 31 July 2009 14:58
Jorge Silva
Messages: 398
Registered: July 2009
Senior Member
Ok, great, what about the secondary zones?

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services
"Dudley" <Dudley@discussions.microsoft.com> wrote in message
news:105D5AC1-276F-458C-8994-C34CD8A2BC80@microsoft.com...
> DNS is still only installed on one DC. Jorge said in his last post that I
> had
> duplicated the zone, but I think there is some misunderstanding because
> the
> server seems to be fine. I did receive 4521 warning events after I change
> the
> replication scope, and after changing the zone types to AD integrated on
> two
> zones, but there aren't any reoccuring warnings or errors. In fact, no DNS
> events of any kind in over 23 hours.
> --
> Dudley
> MCP, MCDST
>
>
> "Ace Fekay [MCT]" wrote:
>
>> "Dudley" <Dudley@discussions.microsoft.com> wrote in message
>> news:2A077679-7BFD-4EC8-B591-B6B460CF8D2B@microsoft.com...
>> > I opened the "Change Zone Type" window accessed through the "General"
>> > tab of the zone's properties box to place a check in the "store the zone
>> > in Active Directory..." check box. Is that something that should only be
>> > used as a zone is created? That was the second zone that I had made that
>> > change to this week. The first zone was changed before my initial post.
>> > One was a forward and the other was a reverse. Neither accepts dynamic
>> > updates. There are information events in the DNS event log stating that
>> > "An administrator has moved the zone domain.com to a new location in
>> > Active Directory". There is only one copy of each zone in the DNS
>> > console. At this point DNS is still running on one DC with secondary
>> > zones on one member server.
>> >
>> > I appreciate any help you can offer.
>> > --
>>
>> Just to catch up where you're at with DNS installed on the DCs, did you
>> install DNS on the other DCs?
>>
>> If you did, did you change the zone to AD Integrated only on one server,
>> or more than one server?
>>
>> Ace
>>
>>
>>
Re: replication scope question [message #159566 is a reply to message #159561] Fri, 31 July 2009 15:26
Dudley
Messages: 16
Registered: July 2009
Junior Member
One forest root DC has the four zones. Currently, all four are DNS AI zones.
I have three secondary zones on a member server, two of which are reverse
lookup zones that don't appear to be receiving zone transfers from the zones
on the DC. I believe the issue there is that settings on the zone transfer
tab need to be reconfigured. I'm not overly concerned with the secondary
zones so long as the forward zone is working. The member server is due for
retirement.
--
Dudley
MCP, MCDST


"Jorge Silva" wrote:

> Hi Dudley,
> - Just to get things clear, at this moment where do you have (in which DCs)
> DNS AI Zones?
> - Do you still have Secondary Zones? IF yes, Where (DCs)?
>
>
>
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> Jorge Silva
> MVP Directory Services
> "Ace Fekay [MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
> news:O7c1ZwhEKHA.4168@TK2MSFTNGP05.phx.gbl...
> > "Dudley" <Dudley@discussions.microsoft.com> wrote in message
> > news:2A077679-7BFD-4EC8-B591-B6B460CF8D2B@microsoft.com...
> >> I opened the "Change Zone Type" window accessed through the "General" tab
> >> of the zone's properties box to place a check in the "store the zone in
> >> Active Directory..." check box. Is that something that should only be
> >> used as a zone is created? That was the second zone that I had made that
> >> change to this week. The first zone was changed before my initial post.
> >> One was a forward and the other was a reverse. Neither accepts dynamic
> >> updates. There are information events in the DNS event log stating that
> >> "An administrator has moved the zone domain.com to a new location in
> >> Active Directory". There is only one copy of each zone in the DNS
> >> console. At this point DNS is still running on one DC with secondary
> >> zones on one member server.
> >>
> >> I appreciate any help you can offer.
> >> --
> >
> > Just to catch up where you're at with DNS installed on the DCs, did you
> > install DNS on the other DCs?
> >
> > If you did, did you change the zone to AD Integrated only on one server,
> > or more than one server?
> >
> > Ace
> >
> >
>
Re: replication scope question [message #159567 is a reply to message #159566] Fri, 31 July 2009 15:34
Jorge Silva
Messages: 398
Registered: July 2009
Senior Member
Ok, great.
Regarding the reverse lookup zones not being transferred, I also think that
is a question of configuration; check that and you should be fine.

--
I hope that the information above helps you.
Have a Nice day.

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Jorge Silva
MVP Directory Services
"Dudley" <Dudley@discussions.microsoft.com> wrote in message
news:76523F9F-AE14-40CD-AD38-7E2403C5D5E5@microsoft.com...
> One forest root DC has the four zones. Currently, all four are DNS AI
> zones. I have three secondary zones on a member server, two of which are
> reverse lookup zones that don't appear to be receiving zone transfers from
> the zones on the DC. I believe the issue there is that settings on the zone
> transfer tab need to be reconfigured. I'm not overly concerned with the
> secondary zones so long as the forward zone is working. The member server
> is due for retirement.
> --
> Dudley
> MCP, MCDST
>
>
> "Jorge Silva" wrote:
>
>> Hi Dudley,
>> - Just to get things clear, at this moment where do you have (in which
>> DCs)
>> DNS AI Zones?
>> - Do you still have Secondary Zones? IF yes, Where (DCs)?
>>
>>
>>
>> --
>> I hope that the information above helps you.
>> Have a Nice day.
>>
>> Jorge Silva
>> MVP Directory Services
>> "Ace Fekay [MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
>> news:O7c1ZwhEKHA.4168@TK2MSFTNGP05.phx.gbl...
>> > "Dudley" <Dudley@discussions.microsoft.com> wrote in message
>> > news:2A077679-7BFD-4EC8-B591-B6B460CF8D2B@microsoft.com...
>> >> I opened the "Change Zone Type" window accessed through the "General"
>> >> tab of the zone's properties box to place a check in the "store the
>> >> zone in Active Directory..." check box. Is that something that should
>> >> only be used as a zone is created? That was the second zone that I had
>> >> made that change to this week. The first zone was changed before my
>> >> initial post. One was a forward and the other was a reverse. Neither
>> >> accepts dynamic updates. There are information events in the DNS event
>> >> log stating that "An administrator has moved the zone domain.com to a
>> >> new location in Active Directory". There is only one copy of each zone
>> >> in the DNS console. At this point DNS is still running on one DC with
>> >> secondary zones on one member server.
>> >>
>> >> I appreciate any help you can offer.
>> >> --
>> >
>> > Just to catch up where you're at with DNS installed on the DCs, did you
>> > install DNS on the other DCs?
>> >
>> > If you did, did you change the zone to AD Integrated only on one
>> > server, or more than one server?
>> >
>> > Ace
>> >
>> >
>>
Re: replication scope question [message #159569 is a reply to message #159559] Fri, 31 July 2009 16:53
Dudley
Messages: 16
Registered: July 2009
Junior Member
I used ADSI Edit to check for duplicates in DomainDNSZones and
ForestDNSZones. There are three of the DNS AI zones there, plus a fourth
called RootDNSServers, but one of the reverse lookup zones is not there. In
taking a closer look at that zone using the DNS console I think it can be
deleted. A former employee here created a subnet using public IP space. The
zone has incorrect PTR records in it. Some of the records are for DCs, so I
am certain that they are wrong. I will have to check with my network guy to
see if he can give any background on that zone.

During these posts it was recommended twice that I use the replication scope
for the forest instead of the root domain. At this point would it be safe to
change to that setting while I have DNS on one DC only? I'm thinking that
would allow me to put DNS on the child domain DCs if I choose to do so later.

--
Dudley
MCP, MCDST


"Ace Fekay [MCT]" wrote:

> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
> news:518BA861-4DCA-4AC7-89E8-72F574AD8A1A@microsoft.com...
> > Yes, now you've duplicated the Zone...
> > The primary zone is independent and can only be hosted by one server.
> > Integrated zones are shared and have nothing to do with primary zones. If
> > you converted a Primary Zone that has the same FQDN to Active Directory
> > integrated you're duplicating the zones and causing a mess.
> >
> > To fix that I first need to know if the primary zone that was converted
> > to AI is equal to the existing DNS AI Zone???!!!
> >
> > For example, your DNSAI zone is yourdomain.local, and primary zone was
> > yourdomain.local as well. Is that the case?
> >
>
>
> Jorge,
>
> If only one DC has a Primary standard zone, and the others have secondaries,
> converting it to AD integrated should be no problem. The other DCs with
> secondaries (that is if he did previously configure/create secondaries prior
> to converting the zone to AD integrated), should convert them to AD
> integrated automatically, IIRC, because it recognizes them in the AD
> database. However, if he changed the zone on more than one DC, then that
> would cause a duplicate zone issue.
>
> One easy way to tell is to look in ADSI Edit for dupes. Of course if
> there are, they would need to be deleted. I'm posting (below) a procedure to
> help Dudley determine if there are any zone dupes in AD.
>
> ==================================================================
> Conflicting or duplicate AD Integrated DNS zones
> By Ace Fekay, MCSE 2003, MCT
> First published 3/2006, updated accordingly
>
> You may have a duplicate zone if a zone either exists in both the Domain NC
> and one of the Application Partitions, if you get an unusual error message
> stating, "The name limit for the local computer network adapter card was
> exceeded," or you installed DNS on another DC and manually created the AD
> zone and didn't wait for it to automatically populate.
>
> Dupe zone errata:
> A quick explanation: When you have an AD integrated zone, the DNS data is
> stored in the actual AD database and is replicated to all DCs and will be
> available to any DC that has DNS installed, depending on the zone
> replication scope setting. If rep scope is set to the bottom button, it will
> be stored in the DomainNC partition of the AD database and compatible with
> Windows 2000. If the middle button, it will be stored in the DomainDnsZones
> and only works with Windows 2003 and newer DCs. These two scope types will
> be replicated to all DCs only in the domain it exists in. The third type,
> the top button, is stored in the ForestDnsZones application partition and
> is available to ALL DCs in the whole forest. The data in any of the AD
> integrated zone types are truly secured since you can't get at them without
> the proper tools.
>
> If you have an AD integrated zone existing on a DC and you install DNS on
> another DC in the domain or forest, depending what zone type, it will
> automatically appear on the new DNS installation without any interaction on
> your part. If you attempted to manually create the zone, then you pretty
> much just introduced a duplicate in the AD database, which will cause
> problems and other issues as well.
>
> A Primary or Secondary zone that is not stored in AD is stored in a text
> file in the system32\dns folder. This type of zone storage has nothing to do
> with the above types ONLY unless it is truly a secondary with the Master
> being a DC transferring a copy of the zone. This type of zone storage is
> obviously not secure.
>
> Now **IF** you did manually create a zone on one DC while it already existed
> on another DC, then you may have a duplicate. If this is the case, you can
> use ADSI Edit and look for zone data that starts with a "CNF..." in front of
> it. Delete them and you're good to go.
>
> Under Windows 2000, the physical AD database is broken up into 3 logical
> partitions, the DomainNC (Domain Name Context, or some call the Domain Name
> Container), the Configuration Partition, and the Schema Partition. The
> Schema and Config partitions replicate to all DCs in a forest. However, the
> DomainNC is specific only to the domain the DC belongs to. That's where a
> user, domain local or global group is stored. The DomainNC only replicates
> to the DCs of that specific domain. When you create an AD Integrated zone in
> Win 2000, it gets stored in the DomainNC. This causes a limitation if you
> want this zone to be available on a DC/DNS server that belongs to a
> different domain. The only way to get around that is for a little creative
> designing using either delegation, or secondary zones. This was a challenge
> for the _msdcs zone, which must be available forest wide to resolve the
> forest root domain, which contains the Schema and Domain Name Masters FSMO
> roles.
>
> In Windows 2003, there were two additional partitions added, they are called
> the DomainDnsZones and ForestDnsZones Application Partitions, specifically
> to store DNS data. They were conceived to overcome the limitation of Windows
> 2000's AD Integrated zones. Now you can store an AD Integrated zone in
> either of these new partitions instead of the DomainNC. If stored in the
> DomainDnsZones app partition, it is available only in that domain's
> DomainDnsZones partition. If you store it in the ForestDnsZones app
> partition, it will be available to any DC/DNS server in the whole forest.
> This opens many more design options. It also ensures the availability of the
> _msdcs zone to all DCs in the forest. By default in Win 2003, the _msdcs
> zone is stored in the ForestDnsZones application partition.
>
> When selecting a zone replication scope in Win2003, in the zone's
> properties, click on the "Change" button. Under that you will see 3 options:
> To choose the ForestDnsZones:
> "To all DNS servers in the AD forest example.com"
>
> To choose DomainDnsZones:
> "To all DNS servers in the AD domain example.com"
>
> To choose the DomainNC (only for compatibility with Win2000):
> "To all domain controllers in the AD domain example.com"
>
>
> If you have a duplicate, that's indicating there is a zone that exists in
> the DomainNC and in the DomainDnsZones Application partition. This means at
> one time, or currently, you have a mixed Win2000/2003 environment and you
> have DNS installed on both operating systems. On Win2000, if the zone is AD
> Integrated, it is in the DomainNC, and should be set the same in Win2003's
> DC/DNS server to keep compatible. Someone must have attempted to change it
> in Win2003 DNS to put it in the DomainDnsZones partition not realizing the
> implications, hence the duplicate. In a scenario such as this where you want
> to use the Win2003 app partitions, you then must ensure the zone on the
> Win2003 is set to the DomainNC, then uninstall DNS off the Win2000 machine,
> then once that's done, you can then go to the Win2003 DNS and change the
> partition's replication scope to one of the app partitions.
>
> In ADSI Edit, you can view all five partitions. You were viewing the app
> partitions, but not the main partitions. You need to add the DomainNC
> partition in order to delete that zone. But you must uninstall DNS off the
> Win2000 server first, unless you want to keep the zone in the DomainNC. But
> that wouldn't make much sense if you want to take advantage of the _msdcs
> zone being available forest wide in the ForestDnsZones partition, which you
> should absolutely NOT delete. I would just use the Win2003 DNS servers only.
>
> In ADSI Edit, right-click ADSI Edit, connect to, in the Connection Point
> click on "Well known Naming Context", then in the drop-down box, select
> "Domain". Drill down to CN=System. Under that you will see CN=MicrosoftDNS.
> You will see the zone in there.
>
> But make sure to decide FIRST which way to go before you delete anything.
>
> To view the DomainDnsZones or the ForestDnsZones partitions, follow these
> steps:
>
> [ForestDNSZones]
> Click Start, click Run, type adsiedit.msc, and then click OK.
> In the console tree, right-click ADSI Edit, and then click Connect to.
> Click Select or type a Distinguished Name or Naming Context, type the
> following text in the list, and then click OK:
> DC=ForestDNSZones, DC=contoso, DC=com
> In the console tree, double-click DC=ForestDNSZones, DC=contoso, DC=com.
> Double-click CN=MicrosoftDNS, and click the zone (contoso.com). You should
> now be able to view the DNS records which exist in this DNS partition. If
> you desire to remove this partition, right-click on contoso.com and then
> click Delete.
>
> Note: Deleting a zone is a destructive operation. Please confirm that a
> duplicate zone exists before you perform a deletion.
> If you have deleted a zone, restart the DNS service. To do this, follow
> these steps:
> Click Start, point to All Programs, point to Administrative Tools, and then
> click DNS.
> In the console tree, right-click contoso.com, point to All Tasks, and then
> click Restart.
>
> [DomainDNSZones]
> Click Start, click Run, type adsiedit.msc, and then click OK.
> In the console tree, right-click ADSI Edit, and then click Connect to.
> Click Select or type a Distinguished Name or Naming Context, type the
> following text in the list, and then click OK:
> DC=DomainDNSZones,DC=contoso,DC=com.
> In the console tree, double-click DC=DomainDNSZones,DC=contoso,DC=com
> Double-click CN=MicrosoftDNS, and click the zone (contoso.com). You should
> now be able to view the DNS records which exist in this DNS partition. If
> you desire to remove this partition, right-click on contoso.com and then
> click Delete.
>
> Note: Deleting a zone is a destructive operation. Please confirm that a
> duplicate zone exists before you perform a deletion.
> If you have deleted a zone, restart the DNS service. To do this, follow
> these steps:
> Click Start, point to All Programs, point to Administrative Tools, and then
> click DNS.
> In the console tree, right-click contoso.com, point to All Tasks, and then
> click Restart.
>
> Some reading for you...
>
> Directory Partitions:
> http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbg_dat_favt.asp
>
> kbAlertz- (867464) - Explains how to use ADSI Edit to resolve app partitions
> issues:
> http://www.kbalertz.com/kb_867464.aspx
>
>
> How to fix it?
> -------------
>
> What I've done in a few cases with my clients that have issues with
> 'duplicate' zone entries in AD (because the zone name was in the Domain NC
> (Name Container) Partition, and also in the DomainDnsZones App partition),
> was first to change the zone on one of the DCs to a Primary zone, and
> allowed zone transfers. Then I went to the other DCs and changed the zone to
> a Secondary, and using the first DC as the Master. Then I went into ADSI
> Edit, (from memory) under the Domain NC, Services, DNS, and deleted any
> reference to the domain name. Then I added the DomainDnsZones partition to
> the ADSI Edit console, and deleted any reference to the zone name in there
> as well. If you see anything saying something to the extent of a phrase that
> says "In Progress...." or "CNF" with a long GUID number after it, delete them
> too. Every time you may have tried to change the replication scope, it
> creates one of them. Delete them all.
>
> Then I forced replication. If there were Sites configured, I juggled around
> the servers and subnet objects so all of the servers are now in one site,
> then I forced replication (so I didn't have to wait for the next site
> replication schedule). Once I've confirmed that replication occurred, and the
> zones no longer existed in either the Domain NC or DomainDnsZones, then I
> changed the zone on the first server back to AD Integrated, choosing the
> middle button for its replication scope (which puts it in the
> DomainDnsZones app partition). Then I went to the other servers and changed
> the zone to AD Integrated choosing the same replication scope. Then I reset
> the sites and subnet objects, and everything was good to go.
>
> Keep in mind, I left the _msdcs... zone alone, since that wasn't causing any
> problems and is located in the ForestDnsZones (default) in all of my client
> cases I've come across with so far.
>
> It seems like a lot of steps, but not really. Just read it over a few times
> to get familiar with the procedure. You may even want to change it into a
> numbered step by step list if you like. If you only have one DC, and one
> Site, then it's much easier since you don't have to mess with secondaries or
> play with the site objects.
>
> I hope that helps!
> ==================================================================
>
> Ace
>
>
>
>
Re: replication scope question [message #159570 is a reply to message #159564] Fri, 31 July 2009 17:01
aceman (United States)
Messages: 5816
Registered: July 2009
Senior Member
"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
news:6B22AF77-7572-4874-B8EE-7FF36945836D@microsoft.com...
> Don't be so sure about Automatically converting Secondary Zones to DNSAI,
> more than once I saw that things don't work that way and the result was
> lots of errors until you manually delete the secondary zone and force
> replication with a DC that has DNSAI.
>
> If I'm not mistaken, the errors that Dudley sees may be result of a
> scenario like that.


I think you may be possibly right, but then again, if the secondaries are
only on member servers, it would be a moot point.

I think (possibly) what you may have seen, if there was a problem with
secondaries on a DC after converting the primary, is possibly that
replication may not have occurred. From my testing, and mind you only in a
classroom situation, secondary zones on the other DCs automatically
change over to ADI, but I have never done this with production DCs
at customer sites.

I agree, about deleting them, because that is what I would normally do on
all DCs holding secondaries prior to deleting them just so that I don't
introduce any complications.

However, if I understand Dudley's infrastructure and scenario, none of the
other DCs have DNS installed yet, unless I missed something?

If he doesn't have DNS installed, I would say it's safe to convert them, and
simply install DNS on the other DCs, and await replication to auto-populate
the zones. Sound good?

Ace
Re: replication scope question [message #159571 is a reply to message #159569] Fri, 31 July 2009 17:23
aceman (United States)
Messages: 5816
Registered: July 2009
Senior Member
"Dudley" <Dudley@discussions.microsoft.com> wrote in message
news:58EF3887-22B5-4438-A1D9-EFD2B8643B32@microsoft.com...
> I used ADSI Edit to check for duplicates in DomainDNSZones and
> ForestDNSZones. There are three of the DNS AI zones there, plus a fourth
> called RootDNSServers, but one of the reverse lookup zones is not there. In
> taking a closer look at that zone using the DNS console I think it can be
> deleted. A former employee here created a subnet using public IP space. The
> zone has incorrect PTR records in it. Some of the records are for DCs, so I
> am certain that they are wrong. I will have to check with my network guy to
> see if he can give any background on that zone.
>
> During these posts it was recommended twice that I use the replication
> scope for the forest instead of the root domain. At this point would it be
> safe to change to that setting while I have DNS on one DC only? I'm thinking
> that would allow me to put DNS on the child domain DCs if I choose to do so
> later.
>

More than likely you're not using the public reverse zone, unless of course
you've been delegated by the ISP and are hosting the public reverse zone,
which more than likely not, since many ISPs have stopped that practice. So I
would assume it's ok to go ahead and delete it, of course with your network
team's blessings.

If ADSI Edit doesn't show any dupes (entries that start with "CNF..." or
"InProgress...") in any of the three possible locations where the zone may
exist (the DomainNC, DomainDnsZones, and ForestDnsZones partitions), then
you should be ok knowing no dupes exist.

As for the ForestDnsZone replication scope, if you plan to share the zone
across all DNS servers in the forest (child and parent), and you have no
plans on delegating the child zone to the child domain's DCs at their
locations, meaning you plan on having complete control of the forest DNS
zones, then using a forest wide scope actually makes it easier to administer
and control.

Now if you plan on delegating the child zone to the child domain DCs, then
no, I would choose the middle button.

Keep in mind, that if setup properly, the _msdcs.domain.com zone is forest
wide by default. Don't change that.

Ace
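Ace's quoted write-up and this reply both describe checking the DomainNC, DomainDnsZones and ForestDnsZones partitions for duplicate zone objects before touching a zone's replication scope. As an added example (not code from the thread, from Ace, or from Microsoft), a PowerShell script that does that check over LDAP and then moves one zone with dnscmd only when the store is clean; the -Server, -Zone and -NewScope parameters are this script's own, and the "CNF:" / "InProgress" name patterns are taken from the discussion above rather than from a documented API.

```powershell
<#
  Added example, not code from the thread: list the dnsZone objects in the
  three places an AD integrated zone can live (DomainNC, DomainDnsZones,
  ForestDnsZones), flag the "CNF:" / "InProgress" leftovers Ace describes,
  report any zone held in more than one partition, and only then change a
  zone's replication scope with dnscmd. Assumes Windows PowerShell on a
  domain-joined machine, run with Domain Admin rights. The CNF/InProgress
  patterns are an assumption taken from the thread, not a documented API.
#>
param(
    [string]$Server,                      # DC/DNS server to query, e.g. "dc1.contoso.com"
    [string]$Zone,                        # zone to move, e.g. "contoso.com" (omit = check only)
    [ValidateSet("domain", "forest", "legacy")]
    [string]$NewScope = "forest"          # /forest = top button, /domain = middle, /legacy = bottom
)

function Get-LdapPath([string]$dn) {
    if ($Server) { "LDAP://$Server/$dn" } else { "LDAP://$dn" }
}

# Names of the dnsZone objects directly under a MicrosoftDNS container;
# returns nothing if that partition is absent or not hosted on this DC.
function Get-DnsZoneNames([string]$containerDn) {
    try {
        $root = New-Object -TypeName System.DirectoryServices.DirectoryEntry `
                           -ArgumentList (Get-LdapPath $containerDn)
        $s = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ArgumentList $root
        $s.Filter = "(objectClass=dnsZone)"
        $s.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
        [void]$s.PropertiesToLoad.Add("name")
        foreach ($r in $s.FindAll()) { [string]$r.Properties["name"][0] }
    } catch {
        Write-Warning ("Cannot read {0}: {1}" -f $containerDn, $_.Exception.Message)
    }
}

# Discover the domain NC and the forest root NC from RootDSE.
$rootDse  = New-Object -TypeName System.DirectoryServices.DirectoryEntry `
                       -ArgumentList (Get-LdapPath "RootDSE")
$domainNc = [string]$rootDse.defaultNamingContext      # e.g. DC=contoso,DC=com
$forestNc = [string]$rootDse.rootDomainNamingContext   # forest root domain NC

# Bottom / middle / top button, in the order Ace's write-up uses.
$locations = @(
    @{ Name = "DomainNC";       Dn = "CN=MicrosoftDNS,CN=System,$domainNc" },
    @{ Name = "DomainDnsZones"; Dn = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainNc" },
    @{ Name = "ForestDnsZones"; Dn = "CN=MicrosoftDNS,DC=ForestDnsZones,$forestNc" }
)

$where     = @{}    # zone name -> partitions that hold a copy of it
$leftovers = @()    # CNF: / InProgress objects that should not be there
foreach ($loc in $locations) {
    Write-Host "[$($loc.Name)] $($loc.Dn)"
    foreach ($name in Get-DnsZoneNames $loc.Dn) {
        if (-not $name) { continue }
        if ($name -match 'CNF:|In\s?Progress') {      # conflict or half-finished scope change
            $leftovers += "$($loc.Name): $name"
            continue
        }
        Write-Host "    $name"
        if ($name -eq "RootDNSServers") { continue }  # root hints object, expected, not a dupe
        if (-not $where.ContainsKey($name)) { $where[$name] = @() }
        $where[$name] += $loc.Name
    }
}

$dupes = @($where.Keys | Where-Object { $where[$_].Count -gt 1 })
foreach ($d in $dupes)     { Write-Host "DUPLICATE: $d exists in $($where[$d] -join ' and ')" }
foreach ($l in $leftovers) { Write-Host "LEFTOVER : $l" }
if ($dupes.Count -eq 0 -and $leftovers.Count -eq 0) { Write-Host "No duplicate zone objects found." }

# Change the scope only when the store is clean, and never touch _msdcs,
# which is forest-wide by default and should stay that way.
if ($Zone) {
    if ($dupes.Count -or $leftovers.Count) {
        Write-Warning "Clean up the duplicates before changing the replication scope of $Zone."
    } elseif ($Zone -like "_msdcs.*") {
        Write-Warning "$Zone belongs in ForestDnsZones; leaving it alone."
    } elseif (-not $where.ContainsKey($Zone)) {
        Write-Warning "$Zone was not found in any partition; it is not an AD integrated zone here."
    } else {
        $dnsArgs = @()
        if ($Server) { $dnsArgs += $Server }           # dnscmd defaults to the local server
        & dnscmd @dnsArgs /ZoneInfo $Zone              # before: shows the current partition
        & dnscmd @dnsArgs /ZoneChangeDirectoryPartition $Zone "/$NewScope"
        & dnscmd @dnsArgs /ZoneInfo $Zone              # after: confirm the move took effect
    }
}
```

Run it with only -Server first to see what each partition holds; with -Zone it changes one zone, and the command refuses _msdcs on purpose.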
Re: replication scope question [message #159572 is a reply to message #159570] Fri, 31 July 2009 18:26
Jorge Silva
Messages: 398
Registered: July 2009
Senior Member
What can I say... the related issues that I saw in prod environments were a
result of that config, and yes, replication had already occurred, otherwise no
errors would be shown; in fact, if I recall correctly this was a known issue
back in the 2000 days that was changed with some SP that I don't recall. I
agree that with only one DC/DNS this shouldn't represent a problem, and I
initially thought that this change was made at more than one DC, which is
why I asked to double check.


--
I hope that the information above helps you.
Have a Nice day.


Jorge Silva
MVP Directory Services
"Ace Fekay [MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:%23jBhLLjEKHA.4184@TK2MSFTNGP02.phx.gbl...
> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
> news:6B22AF77-7572-4874-B8EE-7FF36945836D@microsoft.com...
>> Don't be so sure about Automatically converting Secondary Zones to DNSAI,
>> more than once I saw that things don't work that way and the result was
>> lots of errors until you manually delete the secondary zone and force
>> replication with a DC that has DNSAI.
>>
>> If I'm not mistaken, the errors that Dudley sees may be result of a
>> scenario like that.
>
>
> I think you may be possibly right, but then again, if the secondaries are
> only on member servers, it would be a moot point.
>
> I think (possibly) what you may have seen, if there was a problem with
> secondaries on a DC after converting the primary, is possibly that
> replication may not have occurred. From my testing, and mind you only in a
> classroom situation, secondary zones on the other DCs automatically
> change over to ADI, but I have never done this with production DCs
> at customer sites.
>
> I agree, about deleting them, because that is what I would normally do on
> all DCs holding secondaries prior to deleting them just so that I don't
> introduce any complications.
>
> However, if I understand Dudley's infrastructure and scenario, none of the
> other DCs have DNS installed yet, unless I missed something?
>
> If he doesn't have DNS installed, I would say it's safe to convert them,
> and simply install DNS on the other DCs, and await replication to
> auto-populate the zones. Sound good?
>
> Ace
Re: replication scope question [message #159573 is a reply to message #159569] Fri, 31 July 2009 18:33
Jorge Silva
Messages: 398
Registered: July 2009
Senior Member
Ok, great.
Regarding forest scope replication: in a single domain/forest it makes no
difference, because either way the zone is replicated across all DC/DNS
servers. If you plan to introduce child domains, you need to think twice
before starting to replicate all the zones, with all the information in them,
across your WAN links; in some scenarios this can make a difference in the
amount of information to be replicated on top of normal network traffic.
--
I hope that the information above helps you.
Have a Nice day.


Jorge Silva
MVP Directory Services
"Dudley" <Dudley@discussions.microsoft.com> wrote in message
news:58EF3887-22B5-4438-A1D9-EFD2B8643B32@microsoft.com...
> I used ADSI Edit to check for duplicates in DomainDNSZones and
> ForestDNSZones. There are three of the DNS AI zones there, plus a fourth
> called RootDNSServers, but one of the reverse lookup zones is not there. In
> taking a closer look at that zone using the DNS console I think it can be
> deleted. A former employee here created a subnet using public IP space. The
> zone has incorrect PTR records in it. Some of the records are for DCs, so I
> am certain that they are wrong. I will have to check with my network guy to
> see if he can give any background on that zone.
>
> During these posts it was recommended twice that I use the replication
> scope for the forest instead of the root domain. At this point would it be
> safe to change to that setting while I have DNS on one DC only? I'm thinking
> that would allow me to put DNS on the child domain DCs if I choose to do so
> later.
>
> --
> Dudley
> MCP, MCDST
>
>
> "Ace Fekay [MCT]" wrote:
>
>> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
>> news:518BA861-4DCA-4AC7-89E8-72F574AD8A1A@microsoft.com...
>> > Yes, now you've duplicated the Zone...
>> > The primary zone is independent and can only be hosted by one server.
>> > Integrated zones are shared and have nothing to do with primary zones.
>> > If
>> > you converted a Primary Zone that has the same FQDN to Active Directory
>> > integrated you're duplicating the zones and causing a mess.
>> >
>> > To fix that I first need to know if the primary zone that was
>> > converted
>> > to AI is equal to the existing DNS AI Zone???!!!
>> >
>> > For example, your DNSAI zone is yourdomain.local, and primary zone was
>> > yourdomain.local as well. Is that the case?
>> >
>>
>>
>> Jorge,
>>
>> If only one DC has a Primary standard zone, and the others have
>> secondaries, converting it to AD integrated should be no problem. The
>> other DCs with secondaries (that is if he did previously configure/create
>> secondaries prior to converting the zone to AD integrated), should convert
>> them to AD integrated automatically, IIRC, because it recognizes them in
>> the AD database. However, if he changed the zone on more than one DC, then
>> that would cause a duplicate zone issue.
>>
>> One easy way to tell is to look in ADSI Edit for dupes. Of course if there
>> are, they would need to be deleted. I'm posting (below) a procedure to
>> help Dudley determine if there are any zone dupes in AD.
>>
>> ==================================================================
>> Conflicting or duplicate AD Integrated DNS zones
>> By Ace Fekay, MCSE 2003, MCT
>> First published 3/2006, updated accordingly
>>
>> You may have a duplicate zone if a zone either exists in both the Domain
>> NC and one of the Application Partitions, if you get an unusual error
>> message stating, "The name limit for the local computer network adapter
>> card was exceeded," or you installed DNS on another DC and manually
>> created the AD zone and didn't wait for it to automatically populate.
>>
>> Dupe zone errata:
>> A quick explanation: When you have an AD integrated zone, the DNS data is
>> stored in the actual AD database and is replicated to all DCs and will be
>> available to any DC that has DNS installed, depending on the zone
>> replication scope setting. If rep scope is set to the bottom button, it
>> will be stored in the DomainNC partition of the AD database and compatible
>> with Windows 2000. If the middle button, it will be stored in the
>> DomainDnsZones and only works with Windows 2003 and newer DCs. These two
>> scope types will be replicated to all DCs only in the domain it exists in.
>> The third type, the top button, is stored in the ForestDnsZones application
>> partition and is available to ALL DCs in the whole forest. The data in any
>> of the AD integrated zone types are truly secured since you can't get at
>> them without the proper tools.
>>
>> If you have an AD integrated zone existing on a DC and you install DNS on
>> another DC in the domain or forest, depending what zone type, it will
>> automatically appear on the new DNS installation without any interaction
>> on
>> your part. If you attempted to manually create the zone, then you pretty
>> much just introduced a duplicate in the AD database, which will cause
>> problems and other issues as well.
>>
>> A Primary or Secondary zone that is not stored in AD is stored in a text
>> file in the system32\dns folder. This type of zone storage has nothing to
>> do with the above types ONLY unless it is truly a secondary with the
>> Master being a DC transferring a copy of the zone. This type of zone
>> storage is obviously not secure.
>>
>> Now **IF** you did manually create a zone on one DC while it already
>> existed
>> on another DC, then you may have a duplicate. If this is the case, you
>> can
>> use ADSI Edit and look for zone data that starts with a "CNF..." in front
>> of
>> it. Delete them and you;re good to go.
>>
>> Under Windows 2000, the physcial AD database is broken up into 3 logical
>> partitions, the DomainNC (Domain Name Context, or some call the Domain
>> Name
>> Container), the Configuration Partition, and the Schema Partition. The
>> Schema and Config partitions replicate to all DCs in a forest. However,
>> the
>> DomainNC is specific only to the domain the DC belongs to. That's where a
>> user, domain local or global group is stored. The DomainNC only
>> replicates
>> to the DCs of that specific domain. When you create an AD INtegrated zone
>> in
>> Win 2000, it gets stored in the DomainNC. This causes a limitation if you
>> want this zone to be available on a DC/DNS server that belongs to a
>> different domain. The only way to get around that is for a little
>> creative
>> designing using either delegation, or secondary zones. This was a
>> challenge
>> for the _msdcs zone, which must be available forest wide to resolve the
>> forest root domain, which contains the Schema and Domain Name Masters
>> FSMO
>> roles.
>>
>> In Windows 2003, there were two additional partitions added, they are
>> called
>> the DomainDnsZones and ForestDnsZones Application Partitions,
>> specifically
>> to store DNS data. They were conceived to overcome the limitation of
>> Windows
>> 2000's AD Integrated zones. Now you can store an AD Integrated zone in
>> either of these new partitions instead of the DomainNC. If stored in the
>> DomainDnsZones app partition, it is available only in that domain's
>> DomainDnsZones partition. If you store it in the ForestDnsZones app
>> partition, it will be available to any DC/DNS server in the whole forest.
>> This opens many more design options. It also ensures the availability of
>> the
>> _msdcs zone to all DCs in the forest. By default in Win 2003, the _msdcs
>> zone is stored in the ForestDnsZones application partition.
>>
>> When selecting a zone replication scope in Win2003, in the zone's
>> properties, click on the "Change" button. Under that you will see 3
>> options:
>> To choose the ForestDnsZones:
>> "To all DNS servers in the AD forest example.com"
>>
>> To choose DomainDnsZones:
>> "To all DNS servers in the AD domain example.com"
>>
>> To choose the DomainNC (only for compatibility with Win2000):
>> "To all domain controllers in the AD domain example.com"
>>
>>
>> If you have a duplicate, that's indicating there is a zone that exists in
>> the DomainNC and in the DomainDnsZones Application partition. This means
>> at
>> one time, or currently, you have a mixed Win2000/2003 environment and you
>> have DNS installed on both operating systems. On Win2000, if the zone is
>> AD
>> Integrated, it is in the DomainNC, and should be set the same in
>> Win2003's
>> DC/DNS server to keep compatible. Someone must have attempted to change
>> it
>> in Win2003 DNS to put it in the DomainDnsZones partition no realizing the
>> implications, hence the duplicate. In a scenario such as this where you
>> want
>> to use the Win2003 app partitions, you then must insure the zone on the
>> Win2003 is set to the DomainNC, then uninstall DNS off the Win2000
>> machine,
>> then once that's done, you can then go to the Win2003 DNS and change the
>> partition's replication scope to one of the app partitions.
>>
>> In ADSI Edit, you can view all five partitions. You were viewing the app
>> partitions, but not the main partitions. You need to add the DomainNC
>> partition in order to delete that zone. But you must uninstall DNS off
>> the
>> Win2000 server first, unless you want to keep the zone in the DomainNC.
>> But
>> that wouldn't make much sense if you want to take advantage of the _msdcs
>> zone being available forest wide in the ForestDnsZones partition, which
>> you
>> should absolutley NOT delete. I would just use the Win2003 DNS servers
>> only.
>>
>> In ADSI Edit, rt-click ADSI Edit, connect to, in the Connection Point
>> click
>> on "Well known Naming Context", then in the drop-down box, select
>> "Domain".
>> Drill down to CN=System. Under that you will see CN=MicrosoftDNS. You
>> will
>> see the zone in there.
>>
>> But make sure to decide FIRST which way to go before you delete anything.
>>
>> To view the DomainDnsZones or the ForestDnsZones partitions, follow these
>> steps:
>>
>> [ForestDNSZones]
>> Click Start, click Run, type adsiedit.msc, and then click OK.
>> In the console tree, right-click ADSI Edit, and then click Connect to.
>> Click Select or type a Distinguished Name or Naming Context, type the
>> following text in the list, and then click OK:
>> DC=ForestDNSZones, DC=contoso, DC=com
>> In the console tree, double-click DC=ForestDNSZones, DC=contoso, DC=com.
>> Double-click CN=MicrosoftDNS, and click the zone (contoso.com). You
>> should
>> now be able to view the DNS records which exist in this DNS partition. If
>> you desire to remove this partition, right-click on contoso.com and then
>> click Delete.
>>
>> Note Deleting a zone is a destructive operation. Please confirm that a
>> duplicate zone exists before you perform a deletion.
>> If you have deleted a zone, restart the DNS service. To do this, follow
>> these steps:
>> Click Start, point to All Programs, point to Administrative Tools, and
>> then
>> click DNS.
>> In the console tree, right-click contoso.com, point to All Tasks, and
>> then
>> click Restart.
>>
>> [DomainDNSZones]
>> Click Start, click Run, type adsiedit.msc, and then click OK.
>> In the console tree, right-click ADSI Edit, and then click Connect to.
>> Click Select or type a Distinguished Name or Naming Context, type the
>> following text in the list, and then click OK:
>> DC=DomainDNSZones,DC=contoso,DC=com.
>> In the console tree, double-click DC=DomainDNSZones,DC=contoso,DC=com
>> Double-click CN=MicrosoftDNS, and click the zone (contoso.com). You
>> should
>> now be able to view the DNS records which exist in this DNS partition. If
>> you desire to remove this partition, right-click on contoso.com and then
>> click Delete.
>>
>> Note Deleting a zone is a destructive operation. Please confirm that a
>> duplicate zone exists before you perform a deletion.
>> If you have deleted a zone, restart the DNS service. To do this, follow
>> these steps:
>> Click Start, point to All Programs, point to Administrative Tools, and
>> then
>> click DNS.
>> In the console tree, right-click contoso.com, point to All Tasks, and
>> then
>> click Restart.
>>
>> Some reading for you...
>>
>> Directory Partitions:
>> http://www.microsoft.com/resources/documentation/Windows/200 0/server/reskit/en-us/distrib/dsbg_dat_favt.asp
>>
>> kbAlertz- (867464) - Explains how to use ADSI Edit to resolve app
>> partitions
>> issues:
>> http://www.kbalertz.com/kb_867464.aspx
>>
>>
>> How to fix it?
>> -------------
>>
>> What I've done in a few cases with my clients that have issues with
>> 'duplicate' zone entries in AD (because the zone name was in the Domain
>> NC
>> (Name Container) Partition, and also in the DomainDnsZones App
>> partition),
>> was first to change the zone on one of the DCs to a Primary zone, and
>> allowed zone transfers. Then I went to the other DCs and changed the zone
>> to
>> a Secondary, and using the first DC as the Master. Then I went into ADSI
>> Edit, (from memory) under the Domain NC, Services, DNS, and deleted any
>> reference to the domain name. Then I added the DomainDnsZones partition
>> to
>> the ADSI Edit console, and deleted any reference to the zone name in
>> there
>> as well. If you see anything saying something to the extent of a phrase
>> that
>> says
>> "In Progress...." or "CNF" with a long GUID number after it, delete them
>> too. Everytime
>> you may have tried tochange the replication scope, it creates one of
>> them.
>> Delete them all.
>>
>> Then I forced replication. If there were Sites configured, I juggled
>> around
>> the servers and subnet objects so all of the servers are now in one site,
>> then I forced replication (so I didn't have to wait for the next site
>> replication schedule). Once I've confirmed that replication occured, and
>> the
>> zones no longer existed in either the Domain NC or DomainDnsZones, then I
>> changed the zone on the first server back to AD Integrated, choosing the
>> middle button for it's replication scope (which puts it in the
>> DomainDnsZones app partition). Then I went to the other servers and
>> changed
>> the zone to AD Integrated choosing the same replication scope. Then I
>> reset
>> the sites and subnet objects, and everything was good to go.
>>
>> Keep in mind, I left the _msdcs... zone alone, since that wasn't causing
>> any
>> problems and is located in the ForestDnsZones (default) in all of my
>> client
>> cases I've come across with so far.
>>
>> It seems like alot of steps, but not really. Just read it over a few
>> times
>> to get familiar with the procedure. You may even want to change it into a
>> numbered step by step list if you like. If you only have one DC, and one
>> Site, then it's much easier since you don't have to mess with secondaries
>> or
>> play with the site objects.
>>
>> I hope that helps!
>> ============================================================ ======
>>
>> Ace
>>
>>
>>
>>
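The partition check Ace walks through in ADSI Edit, as an added read-only PowerShell script (not from the thread, not Ace's and not Microsoft's): it lists every dnsZone object in the DomainNC, DomainDnsZones and ForestDnsZones containers of one DC, flags "CNF:" and "InProgress" conflict objects and zones present in more than one partition, and checks that _msdcs.<forest root> is its own forest-wide zone. It assumes the ActiveDirectory module (RSAT, Server 2008 R2 or later) and that the DC queried hosts both application partitions; the function names are the author's own.

```powershell
# Added example, not part of the thread: read-only inventory of the AD-integrated
# DNS zone objects in the three partitions Ace describes. Assumes the
# ActiveDirectory module (RSAT / Server 2008 R2 or later); nothing is modified.
Import-Module ActiveDirectory

function Get-AdDnsZoneInventory {
    param(
        # Query a DC that hosts both app partitions, i.e. a DC running DNS.
        [string]$Server = (Get-ADDomain).PDCEmulator
    )
    $rootDse  = Get-ADRootDSE -Server $Server
    $domainNC = $rootDse.defaultNamingContext
    $forestNC = $rootDse.rootDomainNamingContext

    # The three containers, labelled by their button in the replication scope dialog.
    $containers = @(
        @{ Label = 'ForestDnsZones (top button)';    DN = "CN=MicrosoftDNS,DC=ForestDnsZones,$forestNC" },
        @{ Label = 'DomainDnsZones (middle button)'; DN = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainNC" },
        @{ Label = 'DomainNC (bottom button)';       DN = "CN=MicrosoftDNS,CN=System,$domainNC" }
    )

    foreach ($c in $containers) {
        try {
            Get-ADObject -Server $Server -SearchBase $c.DN -SearchScope OneLevel `
                -LDAPFilter '(objectClass=dnsZone)' -Properties whenChanged |
                ForEach-Object {
                    New-Object PSObject -Property @{
                        # A conflict object keeps the zone name followed by a line
                        # feed and "CNF:<guid>"; strip that to recover the real name.
                        Zone        = ($_.Name -split "`n")[0] -replace '\.*InProgress\.*$', ''
                        RawName     = $_.Name
                        Partition   = $c.Label
                        Suspicious  = [bool]($_.Name -match 'CNF:|InProgress')
                        WhenChanged = $_.whenChanged
                        DN          = $_.DistinguishedName
                    }
                }
        } catch {
            # A container that does not exist (pure Win2000 domain, or a DC that
            # does not host this app partition) simply contributes nothing.
            Write-Warning "Could not read $($c.DN) on ${Server}: $($_.Exception.Message)"
        }
    }
}

function Find-AdDnsZoneConflict {
    param(
        [Parameter(Mandatory=$true)][object[]]$Inventory,
        [Parameter(Mandatory=$true)][string]$ForestFqdn
    )
    $findings = @()
    # RootDNSServers (root hints) legitimately exists in every partition, so it
    # is never a duplicate in the sense Ace describes.
    $zones = $Inventory | Where-Object { $_.Zone -ne 'RootDNSServers' }
    foreach ($g in ($zones | Group-Object Zone)) {
        $parts = @($g.Group | ForEach-Object { $_.Partition } | Sort-Object -Unique)
        if ($parts.Count -gt 1) {
            $findings += "DUPLICATE  $($g.Name) exists in: $($parts -join '; ')"
        }
        foreach ($s in ($g.Group | Where-Object { $_.Suspicious })) {
            $findings += "CONFLICT   $($s.DN)"
        }
    }
    # Ace's point about _msdcs: it should be a separate zone, replicated forest-wide.
    $msdcs = @($zones | Where-Object { $_.Zone -eq "_msdcs.$ForestFqdn" })
    if ($msdcs.Count -eq 0) {
        $findings += "WARNING    _msdcs.$ForestFqdn is not a separate zone (still a subdomain of the root zone?)"
    } elseif (-not ($msdcs | Where-Object { $_.Partition -like 'ForestDnsZones*' })) {
        $findings += "WARNING    _msdcs.$ForestFqdn exists but is not in ForestDnsZones"
    }
    if ($findings.Count -eq 0) { $findings += 'OK         no duplicate or conflict zone objects found' }
    $findings
}

# Usage: inventory first, then the checks. Nothing is deleted; decide which way
# to go (as Ace says) before touching anything in ADSI Edit.
$inventory = @(Get-AdDnsZoneInventory)
$inventory | Sort-Object Zone, Partition |
    Format-Table Zone, Partition, Suspicious, WhenChanged -AutoSize
Find-AdDnsZoneConflict -Inventory $inventory -ForestFqdn (Get-ADForest).RootDomain
```

Run it against a DC in the forest root domain that runs DNS; a DC that does not host an application partition will only warn for that container rather than show its zones.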
Re: replication scope question [message #159574 is a reply to message #159572] Fri, 31 July 2009 19:33 Go to previous messageGo to next message
aceman  is currently offline aceman  United States
Messages: 5816
Registered: July 2009
Senior Member
"Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
news:03869B37-67FA-494F-AA02-B177BF24D0D3@microsoft.com...
> What can I say... the related issues that I saw in prod environments were
> result of that config, and yes, replication already occurred otherwise no
> errors would be show, in fact if I recall correctly this was a known issue
> back in 2000 days that was changed with some SP that I don't recall. I
> agree that with only one DC/DNS this shouldn’t represent a problem and
> that I initially thought that this change was made at more than one DC and
> that’s why I ask to double check.
>
>

You know what, SP2 comes to mind with that. :-) I do remember something
about that. It was right around the time of the Island issue, which I think
was also SP2?

Anyway, I thought he had changed it on multiple DCs, too, so I went back
into the thread to try to dig it out and re-read it a few times to get a
better picture of what's going on. The bigger a thread gets, the more
difficult it is to keep track of, and well, you know what I mean. :-)

Cheers!

Ace
Re: replication scope question [message #159599 is a reply to message #159571] Sat, 01 August 2009 13:18 Go to previous messageGo to next message
Dudley  is currently offline Dudley
Messages: 16
Registered: July 2009
Junior Member
I found the missing reverse lookup zone under DomainNC, so I guess that one
is older.

I am planning on moving ahead with the forest replication scope change, but
I'll discuss it with coworkers before doing so.

You've mentioned not moving the _msdcs.domain.com zone. I see that there is
a _msdcs directory under domain.local in the DNS console, but I do not see
_msdcs.domain.com in ADSI Edit. Am I not looking in the right place or is
there a problem?


--
Dudley
MCP, MCDST


"Ace Fekay [MCT]" wrote:

> "Dudley" <Dudley@discussions.microsoft.com> wrote in message
> news:58EF3887-22B5-4438-A1D9-EFD2B8643B32@microsoft.com...
> >I used ADSI Edit to check for duplicates in DomainDNSZones and
> > ForestDNSZones. There are three of the DNS AI zones there, plus a fourth
> > called RootDNSServers, but one of the reverse lookup zones is not there.
> > In
> > taking a closer look at that zone using the DNS console I think it can be
> > deleted. A former employee here created a subnet using public IP space.
> > The
> > zone has incorrect PTR records in it. Some of the records are for DCs, so
> > I
> > am certain that they are wrong. I will have to check with my network guy
> > to
> > see if he can give any background on that zone.
> >
> > During these posts it was recommended twice that I use the replication
> > scope
> > for the forest instead on the root domain. At this point would it be safe
> > to
> > change to that setting while I have DNS on one DC only? I'm thinking that
> > would allow me to put DNS on the child domain DCs if I choose to do so
> > later.
> >
>
> More than likely you're not using the public reverse zone, unless of course
> you've been delegated by the ISP and are hosting the public reverse zone,
> which is more than likely not the case, since many ISPs have stopped that
> practice. So I would assume it's ok to go ahead and delete it, of course with
> your network team's blessings.
>
> If ADSI Edit, based on looking at the three possible partitions where it may
> exist (DomainNC, DomainDnsZones, and ForestDnsZones), doesn't show any dupes
> (that start with "CNF..." or "InProgress..."), then you should be ok knowing
> no dupes exist.
>
> As for the ForestDnsZone replication scope, if you plan to share the zone
> across all DNS servers in the forest (child and parent), and you have no
> plans on delegating the child zone to the child domain's DCs at their
> locations, meaning you plan on having complete control of the forest DNS
> zones, then using a forest wide scope actually makes it easier to administer
> and control.
>
> Now if you plan on delegating the child zone to the child domain DCs, then
> no, I would choose the middle button.
>
> Keep in mind that, if set up properly, the _msdcs.domain.com zone is forest
> wide by default. Don't change that.
>
> Ace
>
>
Re: replication scope question [message #159600 is a reply to message #159573] Sat, 01 August 2009 13:30 Go to previous messageGo to next message
Dudley  is currently offline Dudley
Messages: 16
Registered: July 2009
Junior Member
The WAN links between buildings that have DCs in them are gigabit
connections. All the buildings are in a relatively close area. Wouldn't
additional DNS servers reduce network traffic? The DNS requests from clients
wouldn't have to travel as far to be resolved and with AD integration there
wouldn't be zone transfers, just replication of changed records.
--
Dudley
MCP, MCDST


"Jorge Silva" wrote:

> Ok, great.
> Regarding forest scope replication, in a single domain/forest it makes no
> difference because either way the zone is replicated across all DC/DNS
> servers. If you plan to introduce child domains, you need to think twice
> before starting to replicate all the zones with all the information in them
> across your WAN links; in some scenarios this can make the difference
> regarding the amount of information to be replicated plus normal network
> traffic.
> --
> I hope that the information above helps you.
> Have a Nice day.
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Jorge Silva
> MVP Directory Services
> "Dudley" <Dudley@discussions.microsoft.com> wrote in message
> news:58EF3887-22B5-4438-A1D9-EFD2B8643B32@microsoft.com...
> >I used ADSI Edit to check for duplicates in DomainDNSZones and
> > ForestDNSZones. There are three of the DNS AI zones there, plus a fourth
> > called RootDNSServers, but one of the reverse lookup zones is not there.
> > In
> > taking a closer look at that zone using the DNS console I think it can be
> > deleted. A former employee here created a subnet using public IP space.
> > The
> > zone has incorrect PTR records in it. Some of the records are for DCs, so
> > I
> > am certain that they are wrong. I will have to check with my network guy
> > to
> > see if he can give any background on that zone.
> >
> > During these posts it was recommended twice that I use the replication
> > scope
> > for the forest instead on the root domain. At this point would it be safe
> > to
> > change to that setting while I have DNS on one DC only? I'm thinking that
> > would allow me to put DNS on the child domain DCs if I choose to do so
> > later.
> >
> > --
> > Dudley
> > MCP, MCDST
> >
> >
> > "Ace Fekay [MCT]" wrote:
> >
> >> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
> >> news:518BA861-4DCA-4AC7-89E8-72F574AD8A1A@microsoft.com...
> >> > Yes, now you've duplicated the Zone...
> >> > The primary zone is independent and can only be hosted by one server.
> >> > Integrated zones are shared and have nothing to do with primary zones.
> >> > If
> >> > you converted a Primary Zone that has the same FQDN to Active Directory
> >> > integrated you're duplicating the zones and causing a mess.
> >> >
> >> > To fix that I first need to know if the primary zone that was
> >> > converted
> >> > to AI is equal to the existing DNS AI Zone???!!!
> >> >
> >> > For example, your DNSAI zone is yourdomain.local, and primary zone was
> >> > yourdomain.local as well. Is that the case?
> >> >
> >>
> >>
> >> Jorge,
> >>
> >> If only one DC has a Primary standard zone, and the others have
> >> secondaries,
> >> converting it to AD integrated should be no problem. The other DCs with
> >> secondaries (that is if he did previously configure/create secondaries
> >> prior
> >> to converting the zone to AD integrated), should convert them to AD
> >> integrated automatically, IIRC, because it recognizes them in the AD
> >> database. However, if he changed the zone on more than one DC, then that
> >> would cause a duplicate zone issue.
> >>
> >> One easy way to tell is look in ADSI Edit if there are dupes. Of course
> >> if
> >> there are, they would need to be deleted. I'm posting (below) a procedure
> >> to
> >> help Dudley determine if there are any zone dupes in AD.
> >>
Re: replication scope question [message #159603 is a reply to message #159599] Sat, 01 August 2009 14:59 Go to previous messageGo to next message
aceman  is currently offline aceman  United States
Messages: 5816
Registered: July 2009
Senior Member
"Dudley" <Dudley@discussions.microsoft.com> wrote in message
news:1D64B623-7698-4717-84EA-EB31B9C578BB@microsoft.com...
>I found the missing reverse lookup zone under DomainNC, so I guess that one
> is older.
>
> I am planning on moving ahead with the forest replication scope change,
> but
> I'll discuss it with coworkers before doing so.
>
> You've mentioned not moving the _mscds.domain.com zone. I see that there
> is
> a _msdcs directory under domain.local in the DNS console, but I do not see
> _mscds.domain.com in ADSI Edit. Am I not looking in the right place or is
> there a problem?
>

So you're saying you see _msdcs under domain.local and not as a separate
zone? This is Windows 2003, correct? Was this upgraded from 2000? If it was,
I can understand why it's this way. If it was set up new from scratch with
AD integrated zones, it would have automatically created the zone and
delegation and made it Forest wide.

Actually, this zone is your Forest zone, and the data in this zone must be
available to all DCs and other services (such as Exchange) forest wide
because it contains domain and forest GUIDs and GC info, and other services
in the forest root.

I would suggest creating an _msdcs.domain.local zone, setting it to Forest
wide replication, then going to your domain.local zone and delegating
"_msdcs" to itself (the server's own IP).

Read the following, please. I found them googling for '_msdcs.' There were
more hits, but I thought these were pretty good to explain it. I hope that
helps!

How to reconfigure an _msdcs subdomain to a forest-wide DNS ...
This step-by-step article describes how to make the forest-wide locator
records under the _msdcs. DNS zone available on every DNS server in the
forest when ...
http://support.microsoft.com/kb/817470

Q. What's the DNS _msdcs zone for the forest root domain used for?
For that reason, each domain in DNS has an _msdcs subdomain that hosts only
DNS SRV records that are registered by Microsoft-based services. ...
http://windowsitpro.com/article/articleid/43039/q-whats-the-dns-_msdcs-zone-for-the-forest-root-domain-used-for.html

myITforum.com : What is _MSDCS and why should it be made highly ...1 post -
1 author - Last post: May 3, 2004
In an earlier article, found here, I talked about making the _MSDCS Highly
available. However, I was asked "What Are _MSDCS Zones and why do ...
www.myitforum.com/articles/15/view.asp?id=7319

Ace
Re: replication scope question [message #159665 is a reply to message #159600] Mon, 03 August 2009 09:17 Go to previous messageGo to next message
Jorge Silva  is currently offline Jorge Silva
Messages: 398
Registered: July 2009
Senior Member
My post was regarding the replication scope: in a single domain scenario it
doesn't matter how you define that scope because the DNS info will be
replicated anyway, either per forest scope or per domain scope.

- You say that you've got GBit links, but most important is to know what
bandwidth is available from that link to be used with other stuff.
- Assuming lots of clients on those sites I would rather place a DNS server
locally to respond to clients' queries than having all clients querying my DNS
servers over the WAN link to the main office. Of course, if you only have a
client or two at those remote sites, you "probably" do not want to do that.

--
I hope that the information above helps you.
Have a Nice day.

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Jorge Silva
MVP Directory Services
"Dudley" <Dudley@discussions.microsoft.com> wrote in message
news:BE23F962-FC5F-485C-B0D2-C8C90D09D4BD@microsoft.com...
> The WAN links between buildings that have DCs in them are gigabit
> connections. All the buildings are in a relatively close area. Wouldn't
> additional DNS servers reduce network traffic? The DNS requests from
> clients wouldn't have to travel as far to be resolved, and with AD
> integration there wouldn't be zone transfers, just replication of
> changed records.
> --
> Dudley
> MCP, MCDST
>
>
> "Jorge Silva" wrote:
>
>> Ok, great.
>> Regarding forest scope replication, in a single domain/forest it makes no
>> difference because either way the zone is replicated across all DC/DNS.
>> If you plan to introduce child domains, you need to think twice before
>> starting to replicate all the zones, with all the information in them,
>> across your WAN links; in some scenarios this can make the difference
>> regarding the amount of information to be replicated plus normal network
>> traffic.
>> --
>> I hope that the information above helps you.
>> Have a Nice day.
>>
>> This posting is provided "AS-IS" with no warranties or guarantees and
>> confers no rights.
>>
>> Jorge Silva
>> MVP Directory Services
>> "Dudley" <Dudley@discussions.microsoft.com> wrote in message
>> news:58EF3887-22B5-4438-A1D9-EFD2B8643B32@microsoft.com...
>> > I used ADSI Edit to check for duplicates in DomainDNSZones and
>> > ForestDNSZones. There are three of the DNS AI zones there, plus a
>> > fourth called RootDNSServers, but one of the reverse lookup zones is
>> > not there. In taking a closer look at that zone using the DNS console
>> > I think it can be deleted. A former employee here created a subnet
>> > using public IP space. The zone has incorrect PTR records in it. Some
>> > of the records are for DCs, so I am certain that they are wrong. I
>> > will have to check with my network guy to see if he can give any
>> > background on that zone.
>> >
>> > During these posts it was recommended twice that I use the replication
>> > scope for the forest instead of the root domain. At this point would
>> > it be safe to change to that setting while I have DNS on one DC only?
>> > I'm thinking that would allow me to put DNS on the child domain DCs if
>> > I choose to do so later.
>> >
>> > --
>> > Dudley
>> > MCP, MCDST
>> >
>> >
>> > "Ace Fekay [MCT]" wrote:
>> >
>> >> "Jorge Silva" <jorgesilva_pt@hotmail.com> wrote in message
>> >> news:518BA861-4DCA-4AC7-89E8-72F574AD8A1A@microsoft.com...
>> >> > Yes, now you've duplicated the Zone...
>> >> > The primary zone is independent and can only be hosted by one
>> >> > server. Integrated zones are shared and have nothing to do with
>> >> > primary zones. If you converted a Primary Zone that has the same
>> >> > FQDN to Active Directory integrated, you're duplicating the zones
>> >> > and causing a mess.
>> >> >
>> >> > To fix that I first need to know if the primary zone that was
>> >> > converted to AI is equal to the existing DNS AI Zone???!!!
>> >> >
>> >> > For example, your DNSAI zone is yourdomain.local, and the primary
>> >> > zone was yourdomain.local as well. Is that the case?
>> >> >
>> >>
>> >>
>> >> Jorge,
>> >>
>> >> If only one DC has a Primary standard zone, and the others have
>> >> secondaries, converting it to AD integrated should be no problem. The
>> >> other DCs with secondaries (that is, if he did previously
>> >> configure/create secondaries prior to converting the zone to AD
>> >> integrated) should convert them to AD integrated automatically, IIRC,
>> >> because it recognizes them in the AD database. However, if he changed
>> >> the zone on more than one DC, then that would cause a duplicate zone
>> >> issue.
>> >>
>> >> One easy way to tell is to look in ADSI Edit for dupes. Of course, if
>> >> there are, they would need to be deleted. I'm posting (below) a
>> >> procedure to help Dudley determine if there are any zone dupes in AD.
>> >>
>> >>
>> >> ==================================================================
>> >> Conflicting or duplicate AD Integrated DNS zones
>> >> By Ace Fekay, MCSE 2003, MCT
>> >> First published 3/2006, updated accordingly
>> >>
>> >> You may have a duplicate zone if a zone exists in both the Domain NC
>> >> and one of the Application Partitions, if you get an unusual error
>> >> message stating, "The name limit for the local computer network
>> >> adapter card was exceeded," or if you installed DNS on another DC and
>> >> manually created the AD zone and didn't wait for it to automatically
>> >> populate.
>> >>
>> >> Dupe zone errata:
>> >> A quick explanation: When you have an AD integrated zone, the DNS data
>> >> is stored in the actual AD database and is replicated to all DCs, and
>> >> will be available to any DC that has DNS installed, depending on the
>> >> zone replication scope setting. If the replication scope is set to the
>> >> bottom button, it will be stored in the DomainNC partition of the AD
>> >> database and is compatible with Windows 2000. If the middle button, it
>> >> will be stored in the DomainDnsZones partition and only works with
>> >> Windows 2003 and newer DCs. These two scope types will be replicated
>> >> to all DCs only in the domain the zone exists in. The third type, the
>> >> top button, is stored in the ForestDnsZones application partition and
>> >> is available to ALL DCs in the whole forest. The data in any of the AD
>> >> integrated zone types is truly secured, since you can't get at it
>> >> without the proper tools.
>> >>
>> >> If you have an AD integrated zone existing on a DC and you install DNS
>> >> on another DC in the domain or forest, depending on the zone type, it
>> >> will automatically appear on the new DNS installation without any
>> >> interaction on your part. If you attempted to manually create the
>> >> zone, then you pretty much just introduced a duplicate in the AD
>> >> database, which will cause problems and other issues as well.
>> >>
>> >> A Primary or Secondary zone that is not stored in AD is stored in a
>> >> text file in the system32\dns folder. This type of zone storage has
>> >> nothing to do with the above types, unless it is truly a secondary
>> >> with the Master being a DC transferring a copy of the zone. This type
>> >> of zone storage is obviously not secure.
>> >>
>> >> Now **IF** you did manually create a zone on one DC while it already
>> >> existed on another DC, then you may have a duplicate. If this is the
>> >> case, you can use ADSI Edit and look for zone data that starts with a
>> >> "CNF..." in front of it. Delete them and you're good to go.
>> >>
>> >> Under Windows 2000, the physical AD database is broken up into 3
>> >> logical partitions: the DomainNC (Domain Name Context, or some call
>> >> it the Domain Name Container), the Configuration Partition, and the
>> >> Schema Partition. The Schema and Config partitions replicate to all
>> >> DCs in a forest. However, the DomainNC is specific only to the domain
>> >> the DC belongs to. That's where a user, domain local or global group
>> >> is stored. The DomainNC only replicates to the DCs of that specific
>> >> domain. When you create an AD Integrated zone in Win 2000, it gets
>> >> stored in the DomainNC. This causes a limitation if you want this
>> >> zone to be available on a DC/DNS server that belongs to a different
>> >> domain. The only way to get around that is a little creative designing
>> >> using either delegation or secondary zones. This was a challenge for
>> >> the _msdcs zone, which must be available forest wide to resolve the
>> >> forest root domain, which contains the Schema and Domain Naming Master
>> >> FSMO roles.
>> >>
>> >> In Windows 2003, two additional partitions were added, called the
>> >> DomainDnsZones and ForestDnsZones Application Partitions, specifically
>> >> to store DNS data. They were conceived to overcome the limitation of
>> >> Windows 2000's AD Integrated zones. Now you can store an AD Integrated
>> >> zone in either of these new partitions instead of the DomainNC. If
>> >> stored in the DomainDnsZones app partition, it is available only in
>> >> that domain's DomainDnsZones partition. If you store it in the
>> >> ForestDnsZones app partition, it will be available to any DC/DNS
>> >> server in the whole forest. This opens many more design options. It
>> >> also ensures the availability of the _msdcs zone to all DCs in the
>> >> forest. By default in Win 2003, the _msdcs zone is stored in the
>> >> ForestDnsZones application partition.
>> >>
>> >> When selecting a zone replication scope in Win2003, in the zone's
>> >> properties, click on the "Change" button. Under that you will see 3
>> >> options:
>> >>
>> >> To choose the ForestDnsZones:
>> >> "To all DNS servers in the AD forest example.com"
>> >>
>> >> To choose DomainDnsZones:
>> >> "To all DNS servers in the AD domain example.com"
>> >>
>> >> To choose the DomainNC (only for compatibility with Win2000):
>> >> "To all domain controllers in the AD domain example.com"
>> >>
>> >>
>> >> If you have a duplicate, that indicates there is a zone that exists
>> >> in the DomainNC and in the DomainDnsZones Application partition. This
>> >> means at one time, or currently, you have a mixed Win2000/2003
>> >> environment and you have DNS installed on both operating systems. On
>> >> Win2000, if the zone is AD Integrated, it is in the DomainNC, and it
>> >> should be set the same on Win2003's DC/DNS server to keep compatible.
>> >> Someone must have attempted to change it in Win2003 DNS to put it in
>> >> the DomainDnsZones partition, not realizing the implications, hence
>> >> the duplicate. In a scenario such as this where you want to use the
>> >> Win2003 app partitions, you then must ensure the zone on the Win2003
>> >> is set to the DomainNC, then uninstall DNS off the Win2000 machine,
>> >> and once that's done, you can go to the Win2003 DNS and change the
>> >> partition's replication scope to one of the app partitions.
>> >>
>> >> In ADSI Edit, you can view all five partitions. You were viewing the
>> >> app partitions, but not the main partitions. You need to add the
>> >> DomainNC partition in order to delete that zone. But you must
>> >> uninstall DNS off the Win2000 server first, unless you want to keep
>> >> the zone in the DomainNC. But that wouldn't make much sense if you
>> >> want to take advantage of the _msdcs zone being available forest wide
>> >> in the ForestDnsZones partition, which you should absolutely NOT
>> >> delete. I would just use the Win2003 DNS servers only.
>> >>
>> >> In ADSI Edit, right-click ADSI Edit, Connect to, in the Connection
>> >> Point click on "Well known Naming Context", then in the drop-down box
>> >> select "Domain". Drill down to CN=System. Under that you will see
>> >> CN=MicrosoftDNS. You will see the zone in there.
>> >>
>> >> But make sure to decide FIRST which way to go before you delete
>> >> anything.
>> >>
>> >> To view the DomainDnsZones or the ForestDnsZones partitions, follow
>> >> these steps:
>> >>
>> >> [ForestDNSZones]
>> >> Click Start, click Run, type adsiedit.msc, and then click OK.
>> >> In the console tree, right-click ADSI Edit, and then click Connect to.
>> >> Click Select or type a Distinguished Name or Naming Context, type the
>> >> following text in the list, and then click OK:
>> >> DC=ForestDNSZones, DC=contoso, DC=com
>> >> In the console tree, double-click DC=ForestDNSZones, DC=contoso,
>> >> DC=com.
>> >> Double-click CN=MicrosoftDNS, and click the zone (contoso.com). You
>> >> should now be able to view the DNS records which exist in this DNS
>> >> partition. If you desire to remove this partition, right-click on
>> >> contoso.com and then click Delete.
>> >>
>> >> Note: Deleting a zone is a destructive operation. Please confirm that
>> >> a duplicate zone exists before you perform a deletion.
>> >> If you have deleted a zone, restart the DNS service. To do this,
>> >> follow these steps:
>> >> Click Start, point to All Programs, point to Administrative Tools, and
>> >> then click DNS.
>> >> In the console tree, right-click contoso.com, point to All Tasks, and
>> >> then click Restart.
>> >>
>> >> [DomainDNSZones]
>> >> Click Start, click Run, type adsiedit.msc, and then click OK.
>> >> In the console tree, right-click ADSI Edit, and then click Connect to.
>> >> Click Select or type a Distinguished Name or Naming Context, type the
>> >> following text in the list, and then click OK:
>> >> DC=DomainDNSZones,DC=contoso,DC=com
>> >> In the console tree, double-click DC=DomainDNSZones,DC=contoso,DC=com.
>> >> Double-click CN=MicrosoftDNS, and click the zone (contoso.com). You
>> >> should now be able to view the DNS records which exist in this DNS
>> >> partition. If you desire to remove this partition, right-click on
>> >> contoso.com and then click Delete.
>> >>
>> >> Note: Deleting a zone is a destructive operation. Please confirm that
>> >> a duplicate zone exists before you perform a deletion.
>> >> If you have deleted a zone, restart the DNS service. To do this,
>> >> follow these steps:
>> >> Click Start, point to All Programs, point to Administrative Tools, and
>> >> then click DNS.
>> >> In the console tree, right-click contoso.com, point to All Tasks, and
>> >> then click Restart.
>> >>
>> >> Some reading for you...
>> >>
>> >> Directory Partitions:
>> >> http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbg_dat_favt.asp
>> >>
>> >> kbAlertz - (867464) - Explains how to use ADSI Edit to resolve app
>> >> partition issues:
>> >> http://www.kbalertz.com/kb_867464.aspx
>> >>
>> >>
>> >> How to fix it?
>> >> -------------
>> >>
>> >> What I've done in a few cases with my clients that have issues with
>> >> 'duplicate' zone entries in AD (because the zone name was in the
>> >> Domain NC (Name Container) Partition, and also in the DomainDnsZones
>> >> App partition), was first to change the zone on one of the DCs to a
>> >> Primary zone, and allowed zone transfers. Then I went to the other DCs
>> >> and changed the zone
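A read-only way to do the partition check that the quoted procedure above walks through by hand, added here as an example and not code from the thread or from any of its posters: it lists the dnsZone objects in the DomainNC, DomainDnsZones and ForestDnsZones containers, flags any zone name stored in more than one of them, and reports replication-conflict ("CNF:") objects so a human can decide what to delete. It assumes a domain-joined Windows host with .NET's System.DirectoryServices available and an account that can read all three partitions; it deletes nothing.

```powershell
# Added example (not from the thread): audit where AD-integrated DNS zones
# are stored and flag duplicates before anyone deletes anything.
# Assumes a domain-joined Windows host, .NET System.DirectoryServices, and
# an account able to read the domain NC and both DNS application partitions.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNC = [string]$rootDse.defaultNamingContext
$forestNC = [string]$rootDse.rootDomainNamingContext

# The three storage locations, one per replication scope in the zone's properties.
$containers = @(
    @{ Scope = 'DomainNC (all domain controllers in the domain)';
       Path  = "LDAP://CN=MicrosoftDNS,CN=System,$domainNC" },
    @{ Scope = 'DomainDnsZones (all DNS servers in the domain)';
       Path  = "LDAP://CN=MicrosoftDNS,DC=DomainDnsZones,$domainNC" },
    @{ Scope = 'ForestDnsZones (all DNS servers in the forest)';
       Path  = "LDAP://CN=MicrosoftDNS,DC=ForestDnsZones,$forestNC" }
)

function Get-DnsZoneObject {
    # Returns the name and DN of each dnsZone object directly under a MicrosoftDNS container.
    param([string]$LdapPath)
    # A partition that was never created (e.g. no Win2003 app partitions yet) is simply skipped.
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($LdapPath)) { return }
    $searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]$LdapPath)
    $searcher.Filter      = '(objectClass=dnsZone)'
    $searcher.SearchScope = 'OneLevel'
    $null = $searcher.PropertiesToLoad.Add('name')
    $null = $searcher.PropertiesToLoad.Add('distinguishedName')
    foreach ($result in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            Name = [string]$result.Properties['name'][0]
            DN   = [string]$result.Properties['distinguishedname'][0]
        }
    }
}

$found = @{}   # lower-cased zone name -> list of scopes it was found in
foreach ($c in $containers) {
    foreach ($zone in Get-DnsZoneObject -LdapPath $c.Path) {
        # Objects renamed by a replication conflict carry "\0ACNF:<guid>" in the RDN;
        # those are the "CNF..." entries the quoted procedure says to look for.
        if ($zone.Name -match 'CNF:') { Write-Warning "Conflict object: $($zone.DN)" }
        $key = ($zone.Name -split "`n")[0].ToLower()   # group the CNF copy with its original
        if (-not $found.ContainsKey($key)) { $found[$key] = @() }
        $found[$key] += $c.Scope
    }
}

foreach ($name in ($found.Keys | Sort-Object)) {
    $scopes = @($found[$name])
    if ($scopes.Count -gt 1) {
        # Same zone name in two storage locations: the duplicate condition described above.
        Write-Warning ("DUPLICATE zone '{0}' stored in: {1}" -f $name, ($scopes -join ' AND '))
    } else {
        Write-Output ("{0,-40} {1}" -f $name, $scopes[0])
    }
}
```

Run it on a DC in each domain of the forest, since the DomainNC and DomainDnsZones containers are per domain and only ForestDnsZones is the same everywhere.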
Re: replication scope question [message #159676 is a reply to message #159603] Mon, 03 August 2009 19:11
Dudley
Messages: 16
Registered: July 2009
Junior Member
Some of the DCs, including the one with DNS, were upgraded from Windows 2000.
All DCs and DNS servers (DC and member server) are Windows 2003.

I've been reviewing your post, and the links, to be sure I'm understanding the
process involved. I have a total of three _msdcs subzones. One under
domain.local, and one additional under each of the child domains. So, the
domain.local zone has _msdcs and subzones for subdomain1 and subdomain2.
Subzones for subdomain1 and subdomain2 also have _msdcs subzones for their
respective domains. All three _msdcs subzones contain records for the DCs in
their respective domains.

This is expected, correct? And deleting all three _msdcs subzones is
necessary after creating the _msdcs.domain.local forest replicating primary
AI zone, so that the DCs from all three domains will register their records
in the new zone. Is this also correct?

Btw, the reverse lookup zone with incorrect public addresses has been
deleted.
--
Dudley
MCP, MCDST


"Ace Fekay [MCT]" wrote:

> "Dudley" <Dudley@discussions.microsoft.com> wrote in message
> news:1D64B623-7698-4717-84EA-EB31B9C578BB@microsoft.com...
> > I found the missing reverse lookup zone under DomainNC, so I guess that
> > one is older.
> >
> > I am planning on moving ahead with the forest replication scope change,
> > but I'll discuss it with coworkers before doing so.
> >
> > You've mentioned not moving the _mscds.domain.com zone. I see that there
> > is a _msdcs directory under domain.local in the DNS console, but I do not
> > see _mscds.domain.com in ADSI Edit. Am I not looking in the right place
> > or is there a problem?
> >
>
> So you're saying you see _msdcs under domain.local and not as a separate
> zone? This is Windows 2003, correct? Was this upgraded from 2000? If it was,
> I can understand why it's this way. If it was set up new from scratch with
> AD integrated zones, it would have automatically created the zone and
> delegation and made it Forest wide.
>
> Actually, this zone is your Forest zone, and the data in this zone must be
> available to all DCs and other services (such as Exchange) forest wide
> because it contains domain and forest GUIDs and GC info, and other services
> in the forest root.
>
> I would suggest to create an _msdcs.domain.local zone, set it to Forest wide
> replication, and go to your domain.local zone, and delegate "_msdcs" to
> itself (the server's own IP).
>
> Read the following, please. I found them googling for '_msdcs.' There were
> more hits, but I thought these were pretty good to explain it. I hope that
> helps!
>
> How to reconfigure an _msdcs subdomain to a forest-wide DNS ...
> This step-by-step article describes how to make the forest-wide locator
> records under the _msdcs. DNS zone available on every DNS server in the
> forest when ...
> http://support.microsoft.com/kb/817470
>
> Q. What's the DNS _msdcs zone for the forest root domain used for?
> For that reason, each domain in DNS has an _msdcs subdomain that hosts only
> DNS SRV records that are registered by Microsoft-based services. ...
> http://windowsitpro.com/article/articleid/43039/q-whats-the-dns-_msdcs-zone-for-the-forest-root-domain-used-for.html
>
> myITforum.com : What is _MSDCS and why should it be made highly ...1 post -
> 1 author - Last post: May 3, 2004
> In an earlier article, found here, I talked about making the _MSDCS Highly
> available. However, I was asked "What Are _MSDCS Zones and why do ...
> www.myitforum.com/articles/15/view.asp?id=7319
>
> Ace
>
>
Re: replication scope question [message #159677 is a reply to message #159676] Mon, 03 August 2009 20:40
aceman (United States)
Messages: 5816
Registered: July 2009
Senior Member
"Dudley" <Dudley@discussions.microsoft.com> wrote in message
news:0F01B79E-F0EF-4292-AFC2-0B7343F3AFBC@microsoft.com...
> Some of the DCs, including the one with DNS, were upgraded from Windows
> 2000. All DCs and DNS servers (DC and member server) are Windows 2003.
>
> I've been reviewing your post, and the links, to be sure I'm understanding
> the process involved. I have a total of three _msdcs subzones. One under
> domain.local, and one additional under each of the child domains. So, the
> domain.local zone has _msdcs and subzones for subdomain1 and subdomain2.
> Subzones for subdomain1 and subdomain2 also have _msdcs subzones for their
> respective domains. All three _msdcs subzones contain records for the DCs
> in their respective domains.
>
> This is expected, correct? And deleting all three _msdcs subzones is
> necessary after creating the _msdcs.domain.local forest replicating
> primary AI zone, so that the DCs from all three domains will register
> their records in the new zone. Is this also correct?
>
> Btw, the reverse lookup zone with incorrect public addresses has been
> deleted.
> --
> Dudley
> MCP, MCDST
>


Hi Dudley,

Actually the _msdcs.domain.local zone is only under the forest root domain.
Read my response to a similar question regarding the _msdcs zone:
http://forums.techarena.in/active-directory/1149900.htm

Ace