Re: Event 4515 :another copy of zone has been found
- From: DanaK <DanaK@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 13 Aug 2007 09:50:02 -0700
I don't know if you will receive this Mr. Fekay but I'm having similar
problems as well. I moved my DC FSMOs from a 2000 server, sp 4,(server 1) to
a 2003 server, sp 2, (server 2) a few weeks ago along with DNS which had been
running on the old 2000 server. I stopped the DNS service on server 1 and
then blew it away to make a clean install of 2003 Server due to some other
problems that have been plaguing me since last Fall. I then installed DNS on
server 1 and promoted it to DC also to have some backup. I have both servers
running AD integrated DNS. As a result of all this I'm getting the 4515
error which sounds as if it's a result of the legacy DNS service being
transferred to server 2.
Should I still follow your instructions as given to fix the 4515 error or
have I burned too many bridges to work it this way? Or do you need more
information?
Thanks.
Dana
"Ace Fekay [MVP]" wrote:
In news:4E13977E-CAB8-4EEF-8231-8BE1F6126FC8@xxxxxxxxxxxxx,
JimyJohn <JimyJohn@xxxxxxxxxxxxxxxxxxxxxxxxx> stated, which I commented on
below:
Ace,
Thank you for your great reply and Happy New Year!
So, to delete the Zone , in a pure 2003 ADI, 2003 Interim level,
single domain, 9 site environment, is it simply a matter of deleting
it or would one have to take various precautionary steps in
de-installing most (8) DNS\DC servers, remove the partition and
then re-install the DNS/DCs?
I seem to remember hearing that if you just delete/remove the zone it
will get re-replicated back.
Thanks again Ace,
John
Delete the entries in ADSI Edit that start with "InProgress...". Delete them
ALL.
Do not simply delete the zone in DNS. If you do, it will be deleted on ALL
DC/DNS servers.
If you do NOT have Windows 2000 (forget and don't worry about NT4 - that is
make sure you are not using NT4 for DNS as well), and ALL DCs are 2003, go
to EACH DNS server and choose the center button for the replication scope.
If you have a mixed bunch of 2000/2003 DCs, and are using 2000 and 2003's
for DNS servers, then choose the BOTTOM button for the replication scope.
If you cannot do this and you get a "Name too long" or some other weird
error message that doesn't seem to have anything to do with it, follow this
from my private blogs, which also explains what happened:
==================================
==================================
Conflicting AD Integrated zones if they exist in both the Domain NC and
one of the Application Partitions or if you get a weird error message
stating:
"The name limit for the local computer network adapter card was exceeded."
Under Windows 2000, the physical AD database is broken up into 3 logical
partitions, the DomainNC (Domain Name Context, or some call the Domain Name
Container), the Configuration Partition, and the Schema Partition. The
Schema and Config partitions replicate to all DCs in a forest. However, the
DomainNC is specific only to the domain the DC belongs to. That's where a
user, domain local or global group is stored. The DomainNC only replicates
to the DCs of that specific domain. When you create an AD Integrated zone in
Win 2000, it gets stored in the DomainNC. This causes a limitation if you
want this zone to be available on a DC/DNS server that belongs to a
different domain. The only way to get around that is for a little creative
designing using either delegation, or secondary zones. This was a challenge
for the _msdcs zone, which must be available forest wide to resolve the
forest root domain, which contains the Schema and Domain Name Masters FSMO
roles.
In Windows 2003, there were two additional partitions added, they are called
the DomainDnsZones and ForestDnsZones Application Partitions, specifically
to store DNS data. They were conceived to overcome the limitation of Windows
2000's AD Integrated zones. Now you can store an AD Integrated zone in
either of these new partitions instead of the DomainNC. If stored in the
DomainDnsZones app partition, it is available only in that domain's
DomainDnsZones partition. If you store it in the ForestDnsZones app
partition, it will be available to any DC/DNS server in the whole forest.
This opens many more design options. It also ensures the availability of the
_msdcs zone to all DCs in the forest. By default in Win 2003, the _msdcs
zone is stored in the ForestDnsZones application partition.
When selecting a zone replication scope in Win2003, in the zone's
properties, click on the "Change" button. Under that you will see 3 options:
To choose the ForestDnsZones:
"To all DNS servers in the AD forest example.com"
To choose DomainDnsZones:
"To all DNS servers in the AD domain example.com"
To choose the DomainNC (only for compatibility with Win2000):
"To all domain controllers in the AD domain example.com"
If you have a duplicate, that's telling me that there is a zone that exists
in the DomainNC and in the DomainDnsZones Application partition. This means
at one time, or currently, you have a mixed Win2000/2003 environment and you
have DNS installed on both operating systems. On Win2000, if the zone is AD
Integrated, it is in the DomainNC, and should be set the same in Win2003's
DC/DNS server to keep compatible. Someone must have attempted to change it
in Win2003 DNS to put it in the DomainDnsZones partition not realizing the
implications, hence the duplicate. In a scenario such as this where you want
to use the Win2003 app partitions, you then must ensure the zone on the
Win2003 is set to the DomainNC, then uninstall DNS off the Win2000 machine,
then once that's done, you can then go to the Win2003 DNS and change the
partition's replication scope to one of the app partitions.
In ADSI Edit, you can view all five partitions. You were viewing the app
partitions, but not the main partitions. You need to add the DomainNC
partition in order to delete that zone. But you must uninstall DNS off the
Win2000 server first, unless you want to keep the zone in the DomainNC. But
that wouldn't make much sense if you want to take advantage of the _msdcs
zone being available forest wide in the ForestDnsZones partition, which you
should absolutely NOT delete. I would just use the Win2003 DNS servers only.
In ADSI Edit, rt-click ADSI Edit, connect to, in the Connection Point click
on "Well known Naming Context", then in the drop-down box, select "Domain".
Drill down to CN=System. Under that you will see CN=MicrosoftDNS. You will
see the zone in there.
But make sure to decide FIRST which way to go before you delete anything.
Some reading for you...
Directory Partitions:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbg_dat_favt.asp
kbAlertz- (867464) - Explains how to use ADSI Edit to resolve app partitions
issues:
http://www.kbalertz.com/kb_867464.aspx
How to fix it?
-------------
What I've done in a few cases with my clients that have issues with
'duplicate' zone entries in AD (because the zone name was in the Domain NC
(Name Container) Partition, and also in the DomainDnsZones App partition),
was first to change the zone on one of the DCs to a Primary zone, and
allowed zone transfers. Then I went to the other DCs and changed the zone to
a Secondary, and using the first DC as the Master. Then I went into ADSI
Edit, (from memory) under the Domain NC, Services, DNS, and deleted any
reference to the domain name. Then I added the DomainDnsZones partition to
the ADSI Edit console, and deleted any reference to the zone name in there
as well. If you see anything saying something to the extent of "In
Progress...." with a long GUID number after it, delete them too. Every time
you may have tried to change the replication scope, it creates one of them.
Delete them all.
Then I forced replication. If there were Sites configured, I juggled around
the servers and subnet objects so all of the servers are now in one site,
then I forced replication (so I didn't have to wait for the next site
replication schedule). Once I've confirmed that replication occurred, and the
zones no longer existed in either the Domain NC or DomainDnsZones, then I
changed the zone on the first server back to AD Integrated, choosing the
middle button for its replication scope (which puts it in the
DomainDnsZones app partition). Then I went to the other servers and changed
the zone to AD Integrated choosing the same replication scope. Then I reset
the sites and subnet objects, and everything was good to go.
Keep in mind, I left the _msdcs... zone alone, since that wasn't causing any
problems and is located in the ForestDnsZones (default) in all of my client
cases I've come across with so far.
It seems like a lot of steps, but not really. Just read it over a few times
to get familiar with the procedure. You may even want to change it into a
numbered step by step list if you like. If you only have one DC, and one
Site, then it's much easier since you don't have to mess with secondaries or
play with the site objects.
I hope that helped!
==================================
==================================
Ace
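The check below is an added example and is not code from this thread or from Ace's blog. It does the read-only half of the procedure above in PowerShell: it enumerates the dnsZone objects under CN=MicrosoftDNS in the Domain NC, the DomainDnsZones partition and the ForestDnsZones partition (the three replication-scope choices), reports any zone name stored in more than one partition (the Event 4515 "another copy of zone" condition), and lists leftover "InProgress" objects from aborted scope changes. It assumes the RSAT ActiveDirectory module is installed, that the account can read CN=System and both application partitions, and that the DC queried hosts those partitions; the `-like '*InProgress*'` match and the function name `Find-DuplicateDnsZones` are assumptions of this example, not names from the page. Nothing is deleted; the output is meant to be reviewed before any ADSI Edit work.

```powershell
# Added example (not from the thread): read-only inventory of AD-integrated DNS zone
# objects across the three partitions, to confirm the Event 4515 duplicate before
# deleting anything in ADSI Edit.
# Assumes: RSAT ActiveDirectory module; read access to CN=System, DomainDnsZones and
# ForestDnsZones; the DC queried hosts both application partitions.
Import-Module ActiveDirectory

function Find-DuplicateDnsZones {
    [CmdletBinding()]
    param(
        # Optional: a specific DC to query (one that hosts both application partitions).
        [string]$Server
    )

    $ad = @{}
    if ($Server) { $ad.Server = $Server }

    $rootDse  = Get-ADRootDSE @ad
    $domainDn = $rootDse.defaultNamingContext      # e.g. DC=example,DC=com
    $forestDn = $rootDse.rootDomainNamingContext

    # The three places an AD-integrated zone object can live; labels mirror the
    # three replication-scope buttons in the zone's properties dialog.
    $containers = [ordered]@{
        'DomainNC (To all domain controllers in the AD domain)' = "CN=MicrosoftDNS,CN=System,$domainDn"
        'DomainDnsZones (To all DNS servers in the AD domain)'  = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
        'ForestDnsZones (To all DNS servers in the AD forest)'  = "CN=MicrosoftDNS,DC=ForestDnsZones,$forestDn"
    }

    $zones = foreach ($c in $containers.GetEnumerator()) {
        # dnsZone objects sit directly under CN=MicrosoftDNS. A container that has
        # never held a zone may not exist; treat that as "no zones", not as an error.
        try {
            $objs = Get-ADObject @ad -SearchBase $c.Value -SearchScope OneLevel `
                        -LDAPFilter '(objectClass=dnsZone)' -Properties whenChanged -ErrorAction Stop
        } catch {
            $objs = @()
        }
        foreach ($o in $objs) {
            [pscustomobject]@{
                Zone        = $o.Name
                Partition   = $c.Key
                WhenChanged = $o.whenChanged
                DN          = $o.DistinguishedName
            }
        }
    }

    # Objects left behind by an interrupted replication-scope change. The thread says
    # they start with "InProgress"; a substring match is used here (assumed naming).
    $inProgress = $zones | Where-Object { $_.Zone -like '*InProgress*' }

    # The Event 4515 condition: one zone name stored in more than one partition.
    $duplicates = $zones |
        Where-Object { $_.Zone -notlike '*InProgress*' } |
        Group-Object Zone |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $_.Group }

    [pscustomobject]@{
        AllZones   = $zones
        Duplicates = $duplicates
        InProgress = $inProgress
    }
}

# Usage: report only; nothing is modified.
$report = Find-DuplicateDnsZones
"Zone objects found per partition:"
$report.AllZones | Sort-Object Zone, Partition | Format-Table Zone, Partition, WhenChanged -AutoSize
if ($report.Duplicates) {
    "Zones present in more than one partition (Event 4515 condition):"
    $report.Duplicates | Format-Table Zone, Partition, DN -AutoSize
}
if ($report.InProgress) {
    "Leftover InProgress objects from aborted replication-scope changes:"
    $report.InProgress | Format-Table Zone, Partition, DN -AutoSize
}
```

Run it once from a domain-joined machine before touching ADSI Edit and again after forcing replication: the Duplicates list should be empty before the zone is switched back to AD Integrated with the new scope, and the _msdcs zone should still appear once, in ForestDnsZones, throughout.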