Re: Windows 2008 DNS Secondary 2003 primary DNS zone

In news:1F261386-EC9D-4A4F-A94A-ED4F85DEE6DB@xxxxxxxxxxxxx,
skip <shofmann@xxxxxxx>, posted the following:
Hello all

I have a primary DNS zone "mydomain.com" running on a 2003 DC, I
replicate this zone to three additinal 2003 DNS serves. When i look
at the name servers tab on the primary zone for "mydomain.com" it
list all the DNS servers for ultradns.com (this is DNS company that
we register our domain names with) All the DNS servers are AD domain
controllers, I never full understood why someone (before me) decided
it was a good idea to list external DNS servers (ultra dns) for an
internal zone? Mydomain.com is listed on the ultra dns name serves
and on our internal DNS serves.
I recently upgraded all the DNS server that have a secondary copy of
mydomain.com to Windows 2008. Once the upgrade was complete i checked
DNS and i had all the proper zones listed. Recently on the newly
Windows 2008 DNS servers i noticed that for forwardes it listed
itself, and i also noticed that general web browsing was slow. I
decided to change to remove itself from the forwarders list and
instead add in my ISP as a forwarder. I did this on all the 2008 DNS
servers. Roughly ten minutes later the mydomain.com running as a
secondary zone disappeard from the 2008 DNS servers, and i started
getting DNS error below. I tried adding the zone back as a secondary
on the 2008 DNS servers but i couldt replicate the records from the
primary, i then went to the primary 2003 DNS server, and i removed
all the ip's listed under the "name servers" tab and added itself
only. I then went to the one of the seconday DNS serves and i was
able to load the zone from the primary. It appears there is a change
in how Windows 2008 loads a secondary zone from a primary? I can
understand this but what i dont understand is how i didnt have a
problem with this zone until i made the forwarders change?

"Invalid response from master DNS server at 10.0.130.100 during
attempted zone transfer of zone mydomain.com. Check the DNS server
at 10.0.130.100 and ensure that it is authoritative for this zone. This can be done by viewing or updating the list of authoritative
servers for the zone. When using the DNS console, select zone
mydomain.com Properties at server 10.0.130.100 and click the Name Servers tab. If needed, you can add
or update this server in the list there. As an alternative solution,
you could also modify settings in the Zone Transfer tab to allow
transfer of the zone to this and other DNS servers".



Thanks

Hello Skip,

If the 2008 machine is a domain controller, and the DNS server service is installed on it, and the mydomain.com zone already existed in DNS, then creating a Secondary zone on the DC/DNS will get deleted because the DNS server recognizes it as duplicate because it is a valid zone that exists in the AD database.

I don;t see how changing the forwarder will alter this, however it is best practice to set a forward to an outsider DNS, and not anything internally to another DNS that is hosting the same zones as the DNS server itself.

Due to trying to re-create the zone, you may have inadvertently created a duplicate in the AD database. In addition, the zone could have been configured with a different replication scope, which causes a conflict. In either case, the dupe will need to be removed from AD. The procedure involves using ADSI Edit. Please read the following blog (also available at www.fekay.com/supportblogs.htm). It outlines a procedure to fix it, however, I would like you to just use ADSI Edit to determine whether the dupes exist or not.

Please post back with your findings.


==================================
==================================

Conflicting AD Integrated zones if they exist in both the Domain NC and
one of the Application Partitions or if you get a weird error message stating:
"The name limit for the local computer network adapter card was exceeded."

Dupe zone errata:
A quick explanation: When you have an AD integrated zone, the DNS data is stored in the actual AD database and is replicated to all DCs and will be available to any DC that has DNS installed, depending on the zone replication scope setting. If rep scope is set to the bottom button, it will be store in the DomainNC partition of the AD database and compatible with Windows 2000. If the middle button, it will be stored in the DomainDnsZones and only works with Windows 2003 and newer DCs. These two scope types will be replicated to all DCs only in the domain it exists in. The third type, the top buttton, is stored in the ForestDnsZones application partition and is available to ALL DCs in the whole forest. The
data in any of the AD integrated zone types are truly secured since you can;t get at them without the proper tools.

If you have an AD integrated zone existing on a DC and you install DNS on another DC in the domain or forest, depending what zone type, it will automatically appear on the new DNS installation without any interaction on your part. If you attempted to manually create the zone, then you pretty much just introduced a duplicate in the AD database, which will cause problems and other issues as well.

A Primary or Secondary zone that is not stored in AD is stored in a text file in the system32\dns folder. This type of zone storage has nothing to do with the above types ONLY unless it is truly a secondary with the Master being a DC transferring a copy of the zone. This types of zone storage is obviously not secure.

Now **IF** you did manually create a zone on one DC while it already existed on another DC, then you may have a duplicate. If this is the case, you can use ADSI Edit and look for zone data that starts with a "CNF..." in front of it. Delete them and you;re good to go. Under Windows 2000, the physcial AD database is broken up into 3 logical partitions, the DomainNC (Domain Name Context, or some call the Domain Name Container), the Configuration Partition, and the Schema Partition. The Schema and Config partitions replicate to all DCs in a forest.

However, the DomainNC is specific only to the domain the DC belongs to. That's where a user, domain local or global group is stored. The DomainNC only replicates to the DCs of that specific domain. When you create an AD INtegrated zone in Win 2000, it gets stored in the DomainNC.

This causes a limitation if you want this zone to be available on a DC/DNS server that belongs to a different domain. The only way to get around that is for a little creative designing using either delegation, or secondary zones. This was a challenge for the _msdcs zone, which must be available forest wide to resolve the forest root domain, which contains the Schema and Domain Name Masters FSMO roles.

In Windows 2003, there were two additional partitions added, they are called the DomainDnsZones and ForestDnsZones Application Partitions, specifically to store DNS data. They were conceived to overcome the limitation of Windows 2000's AD Integrated zones. Now you can store an AD Integrated zone in either of these new partitions instead of the DomainNC. If stored in the DomainDnsZones app partition, it is available only in that domain's DomainDnsZones partition. If you store it in the ForestDnsZones app partition, it will be available to any DC/DNS server in the whole forest. This opens many more design options. It also ensures the availability of the _msdcs zone to all DCs in the forest. By default in Win 2003, the _msdcs zone is stored in the ForestDnsZones application partition.

When selecting a zone replication scope in Win2003, in the zone's properties, click on the "Change" button. Under that you will see 3 options:

To choose the ForestDnsZones:
"To all DNS servers in the AD forest example.com"

To choose DomainDnsZones:
"To all DNS servers in the AD domain example.com"

To choose the DomainNC (only for compatibility with Win2000):
"To all domain controllers in the AD domain example.com"

If you have a duplicate, that's indicating there is a zone that exists in the DomainNC and in the DomainDnsZones Application partition. This means at one time, or currently, you have a mixed Win2000/2003 environment and you have DNS installed on both operating systems. On Win2000, if the zone is AD Integrated, it is in the DomainNC, and should be set the same in Win2003's DC/DNS server to keep compatible. Someone must have attempted to change it in Win2003 DNS to put it in the DomainDnsZones partition no realizing the implications, hence the duplicate. In a scenario such as this where you want to use the Win2003 app partitions, you then must insure the zone on the Win2003 is set to the DomainNC, then uninstall DNS off the Win2000 machine, then once that's done, you can then go to the Win2003 DNS and change the partition's replication scope to one of the app partitions.

In ADSI Edit, you can view all five partitions. You were viewing the app partitions, but not the main partitions. You need to add the DomainNC partition in order to delete that zone. But you must uninstall DNS off the Win2000 server first, unless you want to keep the zone in the DomainNC. But that wouldn't make much sense if you want to take advantage of the _msdcs zone being available forest wide in the ForestDnsZones partition, which you should absolutley NOT delete. I would just use the Win2003 DNS servers only.

In ADSI Edit, rt-click ADSI Edit, connect to, in the Connection Point click on "Well known Naming Context", then in the drop-down box, select "Domain". Drill down to CN=System. Under that you will see CN=MicrosoftDNS. You will see the zone in there.

But make sure to decide FIRST which way to go before you delete anything.

Some reading for you...
Directory Partitions:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbg_dat_favt.asp

kbAlertz- (867464) - Explains how to use ADSI Edit to resolve app partitions issues:
http://www.kbalertz.com/kb_867464.aspx


How to fix it?
-------------

What I've done in a few cases with my clients that have issues with
'duplicate' zone entries in AD (because the zone name was in the Domain NC
(Name Container) Partition, and also in the DomainDnsZones App partition),
was first to change the zone on one of the DCs to a Primary zone, and
allowed zone transfers. Then I went to the other DCs and changed the zone to
a Secondary, and using the first DC as the Master. Then I went into ADSI
Edit, (from memory) under the Domain NC, Services, DNS, and deleted any
reference to the domain name. Then I added the DomainDnsZones partition to
the ADSI Edit console, and deleted any reference to the zone name in there
as well. If you see anything saying something to the extent of a phrase that says
"In Progress...." or "CNF" with a long GUID number after it, delete them too. Everytime
you may have tried tochange the replication scope, it creates one of them.
Delete them all.

Then I forced replication. If there were Sites configured, I juggled around
the servers and subnet objects so all of the servers are now in one site,
then I forced replication (so I didn't have to wait for the next site
replication schedule). Once I've confirmed that replication occured, and the
zones no longer existed in either the Domain NC or DomainDnsZones, then I
changed the zone on the first server back to AD Integrated, choosing the
middle button for it's replication scope (which puts it in the
DomainDnsZones app partition). Then I went to the other servers and changed
the zone to AD Integrated choosing the same replication scope. Then I reset
the sites and subnet objects, and everything was good to go.

Keep in mind, I left the _msdcs... zone alone, since that wasn't causing any
problems and is located in the ForestDnsZones (default) in all of my client
cases I've come across with so far.

It seems like alot of steps, but not really. Just read it over a few times
to get familiar with the procedure. You may even want to change it into a
numbered step by step list if you like. If you only have one DC, and one
Site, then it's much easier since you don't have to mess with secondaries or
play with the site objects.

I hope that helped!

==================================
==================================


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
Microsoft Certified Trainer
aceman@xxxxxxxxxxxxxxxxxxxxxxx

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

.