Re: Forward lookup zone not automatically created for new domain i
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Fri, 17 Nov 2006 17:12:08 -0600
"Shawn Conaway" <ShawnConaway@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9C4F091B-1B04-49CE-9A34-B5BB0DE3B371@xxxxxxxxxxxxxxxx
Hi.
Thanks for the help...I appreciate it. I don't think I'm getting any
closer, though. I updated the 'Preferred DNS server' on shell.company to
point to the forest root company.biz instead of itself.
Did you remove the other DNS servers? You must only allow a DNS Client (including DCs, which are DNS clients) to use ONE (set) of DNS servers that all return the same answers -- there is no way to guarantee which will be used if you have alternates in there too.
I got all sorts of unpleasant errors when I ran 'dcdiag /fix':
Starting test: frsevent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
This looks like you already had replication errors (at least for SysVol.)
......................... BKFADDC08 failed test frsevent
Starting test: kccevent
An Warning Event occured. EventID: 0x80000677
......................... BKFADDC08 failed test kccevent
No forward lookup zone appeared.
I waited a bit, then switched the DNS servers back so that the preferred DNS servers were DC1.shell.company (itself first), then DC2.shell.company, company.biz, and sight.company (in that order). I waited a bit and 'dcdiag /fix' reports that it is working normally except for the following error, which appears like it will resolve itself in a day:
This implies that the main DNS servers cannot find the child or other tree DNS servers. You said earlier that you had those zones on the main DNS for the other zones/domains. Are they all AD Integrated? If so, any should be able to take replication. Are they all using the same scope of replication?
Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... DC1 failed test frsevent
The main indicator that tells me something is still wrong is the following error:
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
"Shawn Conaway" <ShawnConaway@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9C4F091B-1B04-49CE-9A34-B5BB0DE3B371@xxxxxxxxxxxxxxxx
Hi.
Thanks for the help...I appreciate it. I don't think I'm getting any closer, though. I updated the 'Preferred DNS server' on shell.company to point to the forest root company.biz instead of itself. I got all sorts of unpleasant errors when I ran 'dcdiag /fix':
Starting test: frsevent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
......................... BKFADDC08 failed test frsevent
Starting test: kccevent
An Warning Event occured. EventID: 0x80000677
Time Generated: 11/17/2006 15:44:01
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x80000677
Time Generated: 11/17/2006 15:44:01
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x80000677
Time Generated: 11/17/2006 15:44:01
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x80000677
Time Generated: 11/17/2006 15:44:01
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x80000677
Time Generated: 11/17/2006 15:44:01
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0000466
Time Generated: 11/17/2006 15:44:01
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x80250828
Time Generated: 11/17/2006 15:44:22
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0000466
Time Generated: 11/17/2006 15:45:15
(Event String could not be retrieved)
......................... BKFADDC08 failed test kccevent
No forward lookup zone appeared.
I waited a bit, then switched the DNS servers back so that the preferred DNS servers were DC1.shell.company (itself first), then DC2.shell.company, company.biz, and sight.company (in that order). I waited a bit and 'dcdiag /fix' reports that it is working normally except for the following error, which appears like it will resolve itself in a day:
Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... DC1 failed test frsevent
The main indicator that tells me something is still wrong is the following error:
-------------------
DNS server has updated its own host (A) records. In order to ensure that its DS-integrated peer DNS servers are able to replicate with this server, an attempt was made to update them with the new records through dynamic update. An error was encountered during this update, the record data is the error code.
If this DNS server does not have any DS-integrated peers, then this error should be ignored.
If this DNS server's Active Directory replication partners do not have the correct IP address(es) for this server, they will be unable to replicate with it.
To ensure proper replication:
1) Find this server's Active Directory replication partners that run the DNS server.
2) Open DnsManager and connect in turn to each of the replication partners.
3) On each server, check the host (A record) registration for THIS server.
4) Delete any A records that do NOT correspond to IP addresses of this server.
5) If there are no A records for this server, add at least one A record corresponding to an address on this server, that the replication partner can contact. (In other words, if there multiple IP addresses for this DNS server, add at least one that is on the same network as the Active Directory DNS server you are updating.)
6) Note, that is not necessary to update EVERY replication partner. It is only necessary that the records are fixed up on enough replication partners so that every server that replicates with this server will receive (through replication) the new data.
----------------
The reason why I wanted to create a forward lookup zone is because this above error indicates that the servers cannot find an A record for the DC1.shell.company server. However, it sounds like you are recommending that a forward lookup zone is unnecessary since all the DCs in the forest are using AD-integrated DNS. Please let me know if I have misinterpreted what you are recommending.
Thanks again.
"Herb Martin" wrote:
"Shawn Conaway" <ShawnConaway@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4A9419E5-6ACA-4910-9AE4-E9553F945581@xxxxxxxxxxxxxxxx
Hi,
I have a forest with three domains that are in separate trees: company.biz, sight.company, and shell.company. Company.biz is the forest root. Shell.company is the new domain. In DNS, all three domains appear in the forward lookup zones on the domain controllers hosting shell.company. Domain controllers for the other two domains only show the two domains.
You need your DNS servers in every domain/tree to be able to find the others so you can make them Secondaries (as you have done with shell.company), use Stubs instead if zones are giant, conditionally forward, or if ALL DC-DNS servers are Win2003 you can do forest wide AD Integration and replication.
DNS is Active Directory-Integrated. Replication is set for 'All DNS servers in the Active Directory Forest'.
Chances are the problem is due to the DCs in all the "other" zones/domains not being able to initially find the one that is working.
Try (TEMPORARILY) changing the DCs in those domains to use the main DNS servers ONLY in their NIC->IP properties.
Re-register them with DNS (DCDiag /fix or restart NetLogon service.)
Check replication. Once it has replicated the other zones you can put them back to the most efficient DNS settings.
Zone transfers are allowed to 'only to servers listed on the Name Servers tab'. Under the Name Servers tab, I have updated the name servers so that the two new shell.company domain controllers appear in all three zones.
Zone transfer settings are NOT relevant to AD integration replication -- only to ordinary secondaries.
Adding the servers under the Name Servers tab appears to have resolved my Kerberos issues because now in Sites and Services, the correct domain appears for both of my shell.company domain controllers. Previously, the servers were in the site, but the domain did not show.
Check time -- and especially TIME ZONE settings if you suspect Kerberos issues.
One common mistake is to set the time on a server based on an INCORRECT time zone and thus end up being hours away (in GMT) from the correct time.
Adding the servers to the Name Servers tab also appears to have fixed my name resolution problem. Pinging the shell.company is now resolvable from other domain controllers. Pinging one shell.company DC from the other shell.company DC now returns the FQDN instead of just the name.
Although I can resolve names, I'm not sure how the resolution is occurring as the servers doing the resolution do not have the shell.company domain forward lookup zone. I suspect the forest root is resolving names because of an A record for a shell.company domain controller in company.biz\forestdnszones.
Are zone transfers actually occurring? Will manually creating a forward lookup zone in the company.biz and sight.company domains cause DNS corruption? Is there a setting I can change so that the shell.company forward lookup zones automatically propagate into the other zones?
----------------
DCDIAG:
C:\>dcdiag
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Site\DC1
Starting test: Connectivity
......................... DC1 passed test Connectivity
Doing primary tests
Testing server: Site\DC1
Starting test: Replications
......................... DC1 passed test Replications
Starting test: NCSecDesc
......................... DC1 passed test NCSecDesc
Starting test: NetLogons
......................... DC1 passed test NetLogons
Starting test: Advertising
......................... DC1 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... DC1 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... DC1 passed test RidManager
Starting test: MachineAccount
......................... DC1 passed test MachineAccount
Starting test: Services
......................... DC1 passed test Services
Starting test: ObjectsReplicated
......................... DC1 passed test ObjectsReplicated
Starting test: frssysvol
......................... DC1 passed test frssysvol
Starting test: frsevent
......................... DC1 passed test frsevent
Starting test: kccevent
......................... DC1 passed test kccevent
Starting test: systemlog
......................... DC1 passed test systemlog
Starting test: VerifyReferences
......................... DC1 passed test VerifyReferences
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : shell
Starting test: CrossRefValidation
......................... shell passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... shell passed test CheckSDRefDom
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running enterprise tests on : company.biz
Starting test: Intersite
......................... company.biz passed test Intersite
Starting test: FsmoCheck
......................... company.biz passed test FsmoCheck
NETDIAG -------------------------------------------------------------------
C:\>netdiag
Computer Name: DC1
DNS Host Name: DC1.shell.company
System info : Microsoft Windows Server 2003 R2 (Build 3790)
Processor : x86 Family 15 Model 33 Stepping 2, AuthenticAMD
List of installed hotfixes :
Netcard queries test . . . . . . . : Passed
Per interface results:
Adapter : Local Area Connection
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : DC1.shell.company
IP Address . . . . . . . . :
Subnet Mask. . . . . . . . :
Default Gateway. . . . . . :
Primary WINS Server. . . . :
Dns Servers. . . . . . . . :
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Passed
NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
WINS service test. . . . . : Passed
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{92CF28BD-0ECC-4EDC-A934-915B8D99B36E}
1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server ''
and other DCs also have some of the names registered.
PASS - All the DNS entries for DC are registered on DNS server ''
and other DCs also have some of the names registered.
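As an added example, not part of this thread: a small parser for the dcdiag output format quoted above. It maps each test to its pass/fail result and decodes the raw EventID values dcdiag prints (0x80000677, 0xC0000466, 0x80250828) into the severity and the 16-bit event number that Event Viewer shows, so the kccevent failures can be matched against the NTDS event log. The sample input is constructed from the quoted excerpts.

```python
import re

# Constructed sample, abridged from the dcdiag excerpts quoted in this thread.
SAMPLE = """\
Starting test: frsevent
......................... BKFADDC08 failed test frsevent
Starting test: kccevent
An Warning Event occured. EventID: 0x80000677
Time Generated: 11/17/2006 15:44:01
An Error Event occured. EventID: 0xC0000466
Time Generated: 11/17/2006 15:44:01
An Warning Event occured. EventID: 0x80250828
Time Generated: 11/17/2006 15:44:22
......................... BKFADDC08 failed test kccevent
Starting test: systemlog
......................... BKFADDC08 passed test systemlog
"""

# Top two bits of the 32-bit code are the severity; Event Viewer shows only the low 16 bits.
SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}

def decode_event_id(raw: int) -> tuple[str, int]:
    return SEVERITY[raw >> 30], raw & 0xFFFF

RESULT_RE = re.compile(r"^\.+ (\S+) (passed|failed) test (\w+)$")
EVENT_RE = re.compile(r"EventID: 0x([0-9A-Fa-f]{8})")

def parse_dcdiag(text: str) -> dict[str, dict]:
    """Map each test name to its server, pass/fail status and decoded event IDs."""
    results, events = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Starting test:"):
            events = []                      # events belong to the test that follows
        elif m := EVENT_RE.search(line):
            events.append(decode_event_id(int(m.group(1), 16)))
        elif m := RESULT_RE.match(line):
            server, status, test = m.groups()
            results[test] = {"server": server, "status": status, "events": events}
    return results

def failed_tests(text: str) -> list[str]:
    return sorted(t for t, r in parse_dcdiag(text).items() if r["status"] == "failed")

if __name__ == "__main__":
    for test, r in parse_dcdiag(SAMPLE).items():
        ids = ", ".join(f"{sev} {num}" for sev, num in r["events"])
        print(f"{test:10} {r['status']:6} on {r['server']}  {ids}")
```

Feed it the saved output of `dcdiag /v` from each DC; 0x80250828 decodes to warning 2088, which is the NTDS Replication DNS-lookup-failure event and lines up with the A-record problem discussed in the thread.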
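The six-step procedure in the quoted DNS event text (check each replication partner's DNS for this server's A records, delete stale ones, make sure a reachable one exists), as an added example that is not from the thread. It is a stdlib-only Python audit that queries each named peer DNS server directly rather than through the local resolver, so it sees exactly what that peer holds; the hostname, addresses and peer list in the demo are placeholders.

```python
import socket
import struct

def build_a_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: header (RD set, one question) + QNAME + QTYPE A + QCLASS IN."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name and return the next offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0:                     # compression pointer: 2 bytes, ends the name
            return off + 2
        off += length + 1

def parse_a_answers(resp: bytes) -> set[str]:
    """Collect the IPv4 addresses from the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off, addrs = 12, set()
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4       # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs

def query_a(server: str, name: str, timeout: float = 3.0) -> set[str]:
    """Ask one specific DNS server (bypassing the local resolver) for NAME's A records."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name), (server, 53))
        return parse_a_answers(s.recv(4096))

def audit_peers(peer_answers: dict[str, set[str]], own_addrs: set[str]) -> dict[str, dict]:
    """Per peer: A records to delete (step 4) and whether a reachable record exists (step 5)."""
    return {peer: {"stale": sorted(seen - own_addrs), "has_valid": bool(seen & own_addrs)}
            for peer, seen in peer_answers.items()}

if __name__ == "__main__":
    # Placeholder names and addresses: substitute this DC's FQDN, its real IPs and its peer DNS servers.
    me, own_addrs, peers = "DC1.shell.company", {"10.0.1.10"}, ["10.0.0.5", "10.0.2.5"]
    print(audit_peers({p: query_a(p, me) for p in peers}, own_addrs))
```

A peer reporting `has_valid: False` is one where the record must be added by hand (step 5); anything listed under `stale` is a leftover address that will keep replication partners from reaching this server until it is deleted.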