Re: Forward Lookup Zone missing when new tree added to forest

In news:2B35F4C8-F377-4C48-B6AD-135E576BA62F@xxxxxxxxxxxxx,
Shawn Conaway <ShawnConaway@xxxxxxxxxxxxxxxxxxxxxxxxx> stated, which I
commented on below:
Hi,

I have a forest with three domains that are in separate trees:
company.biz, sight.company, and shell.company. Company.biz is the
forest root. Shell.company is the new domain. In DNS, all three
domains appear in the forward lookup zones on the domain controllers
hosting shell.company. Domain controllers for the other two domains
only show the two domains.

DNS is Active Directory-Integrated. Replication is set for 'All DNS
servers in the Active Directory Forest'. Zone transfers are allowed
to 'only to servers listed on the Name Servers tab'. Under the Name
Servers tab, I have update the name servers so that the two new
shell.company domain controllers appear in all three zones.

Adding the servers under the Name Servers tab appears to have
resolved my Kerberos issues because now in Sites and Services, the
correct domain appears for both of my shell.company domain
controllers. Previously, the servers were in the site, but the
domain did not show.

Adding the servers to the Names Servers tab also appears to have
fixed my name resolution problem. Pinging the shell.company is now
resolvable from other domain controllers. Pinging one shell.company
DC from the other shell.company DC now returns the FQDN instead of
just the name.

Although I can resolve names, I'm not sure how the resolution is
occurring as the servers doing the resolution do not have the
shell.company domain forward lookup zone. I suspect the forest root
is resolving names because of an A record for a shell.company domain
controller in company.biz\forestdnszones.

Are zone transfers actually occurring? Will manually creating a
forward lookup zone in the company.biz and sight.company domains
cause DNS corruption? Is there a setting I can change so that the
shell.company forward lookup zones automatically propagate into the
other zones?

<snipped>

I can't tell from the DCDIag and Netdiag since you masked out the IP
addresses for your DNS servers. The best way to tell is to know what DNS
servers are being used by all your DCs. If the wrong DNS, or an ISP's is
involved, then that can be the cause of it all.

Keep in mind, with AD integrated zones, the zone is stored in the AD
database. There is no such thing as a zone transfer between them. The DC/DNS
servers get their data from the AD database. If it is set to forest
replication, then all DCs in the forest have a copy of the zone. Surprised
that you are having trouble with the nameservers tab, etc, to not be able to
find all the DCs. BY default, all this just populates with AD integrated
zones, and if forest wide replication scope is set, then ALL DCs will have a
copy. Ideallyt when installing a new tree in the forest, we would want to
point ONLY to an existing DNS server in order for it to create the zone,
then you must have PATIENCE to allow the AD database to replciate to all
DCs. If you install DNS on another DC, WAIT WAIT WAIT for the DNS data to
replicate and it will auto populate. BUt if your DNS addresses are not
configured properly to point to the correct DNS servers, then that maynot
even work. Hence why you had Sites and Services issues.

Honestly, it would better to see a whole layout of each DC in each
tree/domain and see each of their "ipconfig all" (unedited and
un-obfuscated). If you cannot post that, then at least go by my
recommendations please.


--
Ace
Innovative IT Concepts, Inc (IITCI)
Willow Grove, PA

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.
It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only constant in life is change...



.

Relevant Pages

  • Re: ad and dns setup
    ... MCSE, MVP Directory Services ... _msdcs, forward zone, reverse lookup zone. ... To fully rebuild DNS: ... changes immediately to all servers, this helps to speedup the process. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Replication issues
    ... I wanted to say Zone Transfers not Zone Forwarding. ... on 2 servers out of 4 DNS servers. ... DNS and 2003 DNS and how to set up Conditional Forwarding. ...
    (microsoft.public.windows.server.active_directory)
  • Re: ad and dns setup
    ... "Jorge Silva" wrote: ... domain It gave me 2 errors, no dns servers have dns records for this dc ... error no logon servers.. ... Make sure that the _msdcs zone exists and the scope is set ...
    (microsoft.public.windows.server.active_directory)
  • Re: Protected Forest with One Child domain
    ... All servers are Win2K3. ... The forest is in native mode. ... I have setup my child domains to conditionally forward to the forest domain ... I can click on the root of the forest (in dns) and then ...
    (microsoft.public.windows.server.dns)
  • Re: Global catalog server died before completing replication to new GC server
    ... What about the DNS zones,are all machines listed there? ... Install DNS role and create a forward lookup zone for your complete ... Then make sure all servers are listed in the zones, ... cause Group Policy problems. ...
    (microsoft.public.windows.server.active_directory)