Re: AD 2003 Design from NT 4



In news:42CC244D-BEF3-44E1-93BD-FB3BF3A661A5@xxxxxxxxxxxxx,
Aughtooting <Aughtooting@xxxxxxxxxxxxxxxxxxxxxxxxx> stated, and I replied below:
Hi Ace,

OK let me explain. I am testing all this in a test environment. I
wish to have the following ONE forest and TWO domains.
The forest contains the empty root domain called ad.local and the
domain xxx-domain.com. (I think I made an error in using the term
"resource domain", but suffice to say that xxx-domain.com is where
all the accounts, ou's etc will be created.  I will create absolutely
nothing additional in ad.local , no user accounts, no groups, no
shared resources, no ou's)

OK this is how my DNS is configured.

I started with a standalone DNS server Windows 2003.  Let's call it
DNS_ALONE. I created the two zones on this server: ad.local and
xxx-domain.com

I then configured my first DC (DC1, which was the first DC in
ad.local) by pointing it to DNS_ALONE.  This worked very well with no
problems.
I then configured the second DC(DC2) in the forest(which was the
first DC in the domain xxx-domain.com) again by pointing it at
DNS_ALONE.  Again no problems.

I then set about the task of integrated DNS.
I installed DNS on DC1 and pointed DC1 at itself for DNS.  I created
the zone ad.local, with dynamic updates and replicate to all DNS
servers in the domain.  There were no problems.

I then installed DNS on DC2 and I pointed DC2 at itself for DNS.  I
created the zone xxx-domain.com, with dynamic updates and replicate to all
DNS servers in the domain.  STOP. That is where the problem is, the
replication scope of the second domain. When I select this option I
get the error message "The zone cannot be replicated to all DNS
servers in the xxx-domain.com AD domain because the required
application directory does not exist...".  The only way to solve the
problem is to select the option "To all domain controllers in the AD".
The problem with this option is that the folder DomainDNSZones is NOT
created.  I believe that this is known as the "naming context".  Is
this a problem if the naming context is not created?


Thanks & Regards

P.S. I have gone ahead and completed the task and I can get AD
replication to work and I get 0 DNS errors from netdiag.  However I
still do not get the naming context for the second domain.  I need to
know if I am storing up problems for myself by doing this?
P.P.S. To avoid confusion I have not explained how I got this working,
I just am concerned about the naming context and did not include my
solution.  If you wish I will add my solution.
P.P.P.S. I cannot get hold of the tutor, who was very good.  It was
him who suggested the design.

It sounds like your xxx-domain.com is actually a different tree in the same ad.local's forest. That makes sense now.


As for the app partitions, use ADSI Edit to ensure that they either do or don't exist.

Directory Partitions:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbg_dat_favt.asp

kbAlertz- (867464) - Explains how to use ADSI Edit to resolve app
partitions issues:
http://www.kbalertz.com/kb_867464.aspx

As for the multi-trees, the _msdcs zone is already there in the ForestDnsZones. For the multi trees, I would suggest to replicate all your zones in the ForestDnsZones partition because you'll want ad.local and xxx-domain.com to be available from both sides of the fence, and that rep scope would be your better solution.

And here's something from a really recent post I posted (three days ago) about app partitions:
========================
What I've done in a few cases with my clients that have issues with
'duplicate' zone entries in AD (because the zone name was in the Domain
NC (Name Container) Partition, and also in the DomainDnsZones App
partition), was first to change the zone on one of the DCs to a Primary
zone, and allowed zone transfers. Then I went to the other DCs and
changed the zone to a Secondary, and using the first DC as the Master.
Then I went into ADSI Edit, (from memory) under the Domain NC,
Services, DNS, and deleted any reference to the domain name. Then I
added the DomainDnsZones partition to the ADSI Edit console, and
deleted any reference to the zone name in there as well. If you see
anything saying something to the extent of "In Progress...." with a
long GUID number after it, delete them too. Every time you may have
tried to change the replication scope, it creates one of them. Delete
them all.


Then I forced replication. If there were Sites configured, I juggled
around the servers and subnet objects so all of the servers are now in
one site, then I forced replication (so I didn't have to wait for the
next site replication schedule). Once I've confirmed that replication
occurred, and the zones no longer existed in either the Domain NC or
DomainDnsZones, then I changed the zone on the first server back to AD
Integrated, choosing the middle button for its replication scope
(which puts it in the DomainDnsZones app partition). Then I went to the
other servers and changed the zone to AD Integrated choosing the same
replication scope. Then I reset the sites and subnet objects, and
everything was good to go.

Keep in mind, I left the _msdcs... zone alone, since that wasn't
causing any problems and is located in the ForestDnsZones (default) in
all of my client cases I've come across with so far.

It seems like a lot of steps, but not really. Just read it over a few
times to get familiar with the procedure. You may even want to change
it into a numbered step by step list if you like. If you only have one
DC, and one Site, then it's much easier since you don't have to mess
with secondaries or play with the site objects.

I hope that helped!
=========================

You can also opt to just delete all your zones, recreate them from scratch and run:

netdiag /v /fix

That should recreate the app partitions or set them straight, if the rep scopes are messed up.

Ace
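An added check (not part of either post in this thread) that does from PowerShell what the reply suggests doing in ADSI Edit: it lists the naming contexts this DC holds, reports whether the ForestDnsZones and DomainDnsZones application partitions for ad.local and xxx-domain.com exist, and shows the replication scope each AD-integrated zone actually uses. It assumes the domain names from the thread, a DC in the xxx-domain.com tree, and the DnsServer module (Windows Server 2012 or later, not the 2003 DCs the thread describes).

```powershell
# Added example, not from the original thread. Verifies whether the DNS
# application directory partitions exist and which replication scope each
# AD-integrated zone uses. Assumes it runs on a DC in the xxx-domain.com
# tree with the DnsServer module available (Windows Server 2012+).

# RootDSE lists every naming context this DC hosts, including app partitions.
$rootDse        = [ADSI]"LDAP://RootDSE"
$namingContexts = @($rootDse.namingContexts)

# Distinguished names assumed from the thread: forest root ad.local and the
# second tree xxx-domain.com.
$forestRootDn = "DC=ad,DC=local"
$domainDn     = "DC=xxx-domain,DC=com"

$expected = [ordered]@{
    "ForestDnsZones (forest-wide)"   = "DC=ForestDnsZones,$forestRootDn"
    "DomainDnsZones (ad.local)"      = "DC=DomainDnsZones,$forestRootDn"
    "DomainDnsZones (xxx-domain.com)" = "DC=DomainDnsZones,$domainDn"
}

foreach ($entry in $expected.GetEnumerator()) {
    # Naming context strings are compared case-insensitively by PowerShell.
    $present = $namingContexts -contains $entry.Value
    $state   = if ($present) { "present" } else { "MISSING" }
    "{0,-34} {1,-42} {2}" -f $entry.Key, $entry.Value, $state
}

# Replication scope of each AD-integrated zone:
#   Domain -> DomainDnsZones partition (the middle radio button in the thread)
#   Legacy -> stored in the Domain NC ("To all domain controllers in the AD")
#   Forest -> ForestDnsZones partition (the scope the reply recommends)
Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated } |
    Select-Object ZoneName, ReplicationScope, DirectoryPartitionName |
    Format-Table -AutoSize
```

A zone showing ReplicationScope "Legacy" while its DomainDnsZones line reads MISSING is exactly the situation the original poster describes.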
