Re: DNS signature failed to verify error



Read inline please.

In news:483FF285-27F9-4FA0-9CE1-91B59913EC52@xxxxxxxxxxxxx,
Don <Don@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
Hey Kevin,

Thanks for your input on this issue.

Both DNS servers have the zone named _msdcs.domain.local with Dynamic
updates and secure only. Also AD Integrated on both servers.

On both servers DNS, in the domain.local zone there is a delegation
named _msdcs with one NS record which refers to srv1.domain.local
(SBS). You indicate that there should be an NS record for both DNS
servers on both DNS servers if I understand you correctly.

Yes, there should be an NS record for each DNS server with the
_msdcs.domain.local zone. This zone is or should replicate to all DNS
servers in the AD Forest running on Win2k3 DCs. Because this zone is in the
ForestDNSZones replication partition, it won't replicate to Win2k DCs at
all, Win2k DCs would need a Secondary of the zone, or you would have to move
the zone to the MicrosoftDNS replication partition. In which case, only
Win2k3 DCs that are in the Forest Root Domain would get the zone.



I also took note since having to reboot srv2 after a failure by the
Symantec Corp Ed product to open, that there were several DNS errors
logged during the reboot, Event 4015 logged one time followed by
several Event 4004. Research indicates an LDAP issue but I'm unable
to see any issues here. This may be related to my original post or
completely unrelated or it could be a timing issue.

These errors typically only appear when there is only one DC with DNS
installed.
The missing Delegation might be responsible for these errors, but you might
check the Properties of the _msdcs.domain.local zone and make sure they are
configured to "Replicate to all DNS servers in the Active Directory Forest
<domain.local>". If they are not both set this way, change one to standard
Primary to preserve its zone data, then delete the zone on the other DC. Then
open AD Sites & Services, expand down to, and select NTDS Settings in the left
hand pane, then right click on the server connection and select Replicate
now.
Then change the Standard Primary back to ADI, and replicate to all DNS servers
in the forest. Failing to wait until the zone that is not in the correct
partition is gone from AD will cause an error that says the zone exists in
two replication partitions.

If you have not already done so, install the server support tools from the
server CD (CD2 IIRC on SBS). Then get to know and use the DCdiag and Netdiag
command line tools. In your case the dcdiag tool is the one you need; it
will test the delegation and replication partitions.

Use Dcdiag /e /c /v on both DCs.


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
Send IM: http://www.icq.com/people/webmsg.php?to=296095728
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
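A check script for the two things Kevin asks Don to verify (the replication scope of the _msdcs zone on each DNS server, and an NS record for each DNS server both inside that zone and on the _msdcs delegation in the parent zone), followed by the dcdiag run he recommends. This is an added example, not code from the thread or from Microsoft; it assumes the DnsServer PowerShell module (Windows Server 2012 and later) rather than the Win2k3-era DNS console, and srv1, srv2 and domain.local are the thread's names standing in for the real ones.

```powershell
# Added example, not from the original post. Assumes the DnsServer module
# (Get-DnsServerZone / Get-DnsServerResourceRecord, Windows Server 2012+).
# Server and domain names below are the thread's placeholders.
$Servers   = @('srv1', 'srv2')
$Domain    = 'domain.local'
$MsdcsZone = "_msdcs.$Domain"

foreach ($srv in $Servers) {
    # 1. Replication scope: Kevin's advice is that the _msdcs zone should be
    #    AD-integrated and replicated to all DNS servers in the forest
    #    (ForestDNSZones partition), which the module reports as 'Forest'.
    $zone = Get-DnsServerZone -ComputerName $srv -Name $MsdcsZone -ErrorAction SilentlyContinue
    if (-not $zone) {
        Write-Warning "$srv : zone $MsdcsZone is not present on this server"
        continue
    }
    $scopeOk = ($zone.IsDsIntegrated -and $zone.ReplicationScope -eq 'Forest')
    '{0}: {1} IsDsIntegrated={2} ReplicationScope={3} -> {4}' -f `
        $srv, $MsdcsZone, $zone.IsDsIntegrated, $zone.ReplicationScope,
        $(if ($scopeOk) { 'OK' } else { 'CHECK: expected AD-integrated, Forest scope' })

    # 2. NS records at the apex of the _msdcs zone itself (HostName '@').
    $nsInZone = Get-DnsServerResourceRecord -ComputerName $srv -ZoneName $MsdcsZone -RRType NS -ErrorAction SilentlyContinue |
        Where-Object { $_.HostName -eq '@' } |
        ForEach-Object { $_.RecordData.NameServer.TrimEnd('.') }

    # 3. NS records on the _msdcs delegation inside the parent domain zone.
    $nsDelegation = Get-DnsServerResourceRecord -ComputerName $srv -ZoneName $Domain -RRType NS -ErrorAction SilentlyContinue |
        Where-Object { $_.HostName -eq '_msdcs' } |
        ForEach-Object { $_.RecordData.NameServer.TrimEnd('.') }

    # Each DNS server should appear in both sets; report anything missing.
    foreach ($s in $Servers) {
        $fqdn = "$s.$Domain"
        if ($nsInZone -notcontains $fqdn) {
            Write-Warning "$srv : $MsdcsZone has no NS record for $fqdn"
        }
        if ($nsDelegation -notcontains $fqdn) {
            Write-Warning "$srv : _msdcs delegation in $Domain has no NS record for $fqdn"
        }
    }
}

# 4. The test Kevin recommends, run against each DC; output saved per server
#    so the Delegation and replication-partition sections can be read later.
foreach ($srv in $Servers) {
    dcdiag /s:$srv /e /c /v | Out-File -FilePath ".\dcdiag-$srv.txt"
}
```

Run it from a machine with the DNS Server tools (RSAT) installed and an account that can read both DNS servers; a zone reported with ReplicationScope 'Domain' on one server and 'Forest' on the other is exactly the two-partition mismatch Kevin describes, and the warnings point at whichever server is missing from the NS sets.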

