
DomainDNSZones child domain DNS entries missing

Asked By WayCoolkennel
19-Nov-09 02:46 PM
Trying to run /RODC and have a child domain that is failing.   The error
is

LDAP API ldap_search_s finished, return code is 0xa

Adprep could not contact a replica for partition
DC=DomainDnsZones,DC=childdomain,DC=mydomain,DC=domain,DC=com.

Error code: 0x0. Server extended error code: 0x0, Server error message:
(null).

Ok.. so I have read the KB (script to set the FSMO), this script fails
with "a referral was returned"  and I have read the similar thread here
http://forums.techarena.in/server-dns/503672.htm ..   I have determined
that DomainDNSZones partition exists for the child domain.  The child
domain DNS is set to "Replicate to all DNS servers in the Forest"   But
there are no DomainDNSZones.childdomain.mydomain.domain.com DNS entries
.

The child domain is delegated in the root DNS.

So.. I need to get the child domain to recreate the DNS entries .. but
I can't seem to figure it out.

I saw that someone suggested creating the domain "DomainDNSZones"  then
running Netdiag /v /fix

Is  this the correct procedure ?

Thanks for any help !

--Steve


--
WayCoolkennel
------------------------------------------------------------------------
WayCoolkennel's Profile: http://forums.techarena.in/members/153308.htm
View this thread: http://forums.techarena.in/server-dns/1273143.htm

http://forums.techarena.in


Marcin replied to WayCoolkennel
19-Nov-09 07:00 PM
Refer to http://support.microsoft.com/kb/949257

hth
Marcin


WayCoolkennel replied to Marcin
20-Nov-09 03:42 PM
Thanks for the reply... but...

As I stated in my OP..  I have attempted to use the fixfsmo.vbs and it
returns an error.. right now that error is:

fixfsmo.vbs(21, 5) (null): The specified domain either does not exist
or could not be contacted.

So I am assuming that it cannot do a DNS lookup for something.. ?




Ace Fekay [MCT] replied to WayCoolkennel
20-Nov-09 10:39 PM
A 'domain does not exist or cannot be contacted' is normally rooted with DNS
problems or DNS misconfigurations. How is your current DNS infrastructure
setup regarding the forest root domain and child domains, if any exist?

What zone replication scope are the _msdcs.yourdomain.local and the
yourdomain.local in?

Can you post an ipconfig /all of two of the DCs in your domain, please?

Have you ever had a DC that failed that you pulled off the network without
demoting it or performing a Metadata Cleanup? To make sure no DCs are still
in AD, please take  a look at this following article that shows how to use
ntdsutil to see what is in the actual AD database, which you can use to
remove any data (DCs, domains, etc), that no longer belong.

It could also be due to a duplicate zone scope in AD. Please read the
following to find out if this is the case, and how to fix it.

Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
WayCoolkennel replied to Ace Fekay [MCT]
23-Nov-09 05:24 PM
A 'domain does not exist or cannot be contacted' is normally rooted with DNS
problems or DNS misconfigurations. How is your current DNS infrastructure
setup regarding the forest root domain and child domains, if any exist?

What zone replication scope are the _msdcs.yourdomain.local and the
yourdomain.local in?

[/QUOTE  Wrote:


Ace Fekay [MCT] replied to WayCoolkennel
23-Nov-09 07:31 PM
Ok, let us take a look at your original post. You said:


I can see why there are (or is?) no entries for the child domain in the
DomainDnsZones partition . If you have the zone set to the ForestDnsZones
partition, why would it exist in the DomainDnsZones partition?


That explains it further. In a parent-child delegation, you delegate the
child zone from the parent zone to the child domain's DNS servers. In order
to properly do that, you need to change the parent zone (if not already set)
to DomainDnsZones partition, then create a zone on one (yes, just ONE of the
DCs or you will create a duplicate & conflicting zone scenario) of the child
domain DNS servers and put it in the DomainDnsZones partition. Then you go
back to one of the parent domain DNS servers, and create the delegation.

If you have the child zone in the ForestDnsZones partition, then that means
it exists on ALL DCs. Hence it now creates a duplicate or a conflict in the
parent zone. It sees the delegation, meaning to go ask elsewhere, yet it
exists in its own context. Therefore, it does not know what to do with it,
hence a conflict.



First, you make sure that each child zone (if you have more than one child)
are all set to DomainDnsZones partition, and make sure the parent zone is as
well, allow replication to occur, if it can, that is because the conflict
or dupe scenario in your case may cause a problem with replication. Also,
ALL machines in the child domain must ONLY use the child domain DNS servers,
not the parent.

Keep in mind, a delegation is just that, you are telling it that another DNS
WayCoolkennel replied to WayCoolkennel
24-Nov-09 01:49 PM
Thanks Ace appreciated the help ! yes this makes much more sense...

I tried to change the child domain DNS server to set the scope to
DomainDNSZones  . .but I receive an error.. "There was a server
failure"

I don't own this child domain btw.. but was granted admin by the admin
for the child domain..   they have had two different consultants work in
this domain.. and well.. I have no idea what all may have been done...

The parent is currently set to DomainDNSZones.  All other child DNS
servers are set to DomainDNSZones and they work fine and get updated by
/rodc no problem..


Ace Fekay [MCT] replied to WayCoolkennel
24-Nov-09 10:55 PM
You must be Enterprise Admin to make such a change. Remember, you are taking
it out of the ForestDnsZones, which requires the Domain Admin from the
forest root to perform any task with this replication scope.


You're going to need to gather some info of exactly what was done.
Otherwise, the problem will continue until what was done has been
established, and a game plan to resolve it.



The parent zone and child zones are set to DomainDnsZones? That's confusing,
since you said in your original post the child zone is in the ForestDnsZones
partition.

Ace
WayCoolkennel replied to Ace Fekay [MCT]
25-Nov-09 01:30 PM
Thanks for the help Ace.. I am thinking a call to MS is in order...

There is no way for me to know .. or even find out what all has been
done by the consultants in this child domain.

I was attempting to follow your post .. so I changed the parent (root
domain) to DomainDNSZones that's why you are confused.   I can change the
child zone on the Parent DNS server to DomainDNSZones but when
replication occurs it disappears from the Child DNS server.  So it seems
the Parent DNS server seems to own the zone ?

Right now everything is back to square one..  the Parent DNS zone
ad.mydomain.com  is set to ForestDNSZones  AND  the child forward zone
(child.ad.mydomain.com) is also set to ForestDNSZones on the parent DNS
Server.

I can't seem to change anything with regard to replication scope on the
child DNS server for the child forward zone.


Ace Fekay [MCT] replied to WayCoolkennel
25-Nov-09 07:14 PM
I assume you attempted to change it at the child domain logged on as the
forest root domain administrator. One other way to fix it is to pick one of
the DCs, change the zone on it to a Primary zone (uncheck the box that says
store in AD), and allow replication to occur. This strips out of the app
partitions.  Then after replication has occurred, check the box again and
specify to replicate in the domain.

But it may be better for you to contact Microsoft to assist. Newsgroups can
help so much until there are road blocks, or the time it takes is far
greater where the problems remain.

Let us know how you make out.

Ace
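
The thread turns on which directory partition actually holds each AD-integrated zone and whether the same zone exists in more than one. The following read-only audit is an added example, not code from any poster in this thread; it assumes the ActiveDirectory (RSAT) PowerShell module, an account that can read the partitions, and that the PDC emulator (`$dc`, an assumption) is the DC to query.

```powershell
# Added example: read-only audit of where AD-integrated DNS zones are stored.
# Assumes the ActiveDirectory (RSAT) module; run it from the child domain.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$forestDN = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName
$dc       = $domain.PDCEmulator   # assumption: query the PDC emulator

# The three places a dnsZone object can live.
$searchBases = [ordered]@{
    'DomainDnsZones' = "DC=DomainDnsZones,$domainDN"
    'ForestDnsZones' = "DC=ForestDnsZones,$forestDN"
    'DomainNC'       = "CN=MicrosoftDNS,CN=System,$domainDN"
}

$found = foreach ($scope in $searchBases.Keys) {
    $p = @{ Server = $dc; SearchBase = $searchBases[$scope]
            LDAPFilter = '(objectClass=dnsZone)'; ErrorAction = 'Stop' }
    try {
        Get-ADObject @p | ForEach-Object {
            [pscustomobject]@{
                # Conflict objects are named "<zone><LF>CNF:<guid>"; keep the zone part.
                Zone      = ($_.Name -split '\n|\\0A')[0]
                Partition = $scope
                Conflict  = $_.Name -match 'CNF:'
                DN        = $_.DistinguishedName
            }
        }
    } catch {
        # A referral or "no such object" here means this DC holds no replica
        # of the partition, which is itself a finding worth recording.
        Write-Warning "$scope could not be searched on ${dc}: $($_.Exception.Message)"
    }
}

# Root hints (RootDNSServers) and '..' system zones normally appear in
# several partitions, so they are skipped.
$zones = $found | Where-Object { $_.Zone -ne 'RootDNSServers' -and $_.Zone -notlike '..*' }

# Every zone with the partition(s) holding a copy of it.
$zones | Sort-Object Zone, Partition | Format-Table Zone, Partition, Conflict -AutoSize

# A zone stored in more than one partition, or any CNF object, is the
# duplicate/conflict condition discussed in the thread.
$zones | Group-Object Zone | ForEach-Object {
    $parts = @($_.Group.Partition | Select-Object -Unique)
    if ($parts.Count -gt 1 -or $_.Group.Conflict -contains $true) {
        Write-Output ("REVIEW {0}: stored in {1}" -f $_.Name, ($parts -join ', '))
    }
}
```

The script changes nothing; run it before and after any replication-scope change and allow replication to complete before comparing the results.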