DNS Setup Changes …

Guest Sanjay Mehta
Posted

Hi,

I am trying to sort out the DNS setup. We are using Windows 2003 and Exchange 2003. The current setup is:

The Exchange server is the primary DNS server while two domain controllers have the secondary DNS. Also, funnily enough, the two domain controllers have AD integrated reverse zones, while the primary DNS server has its reverse zone as primary (not AD integrated).

My proposed goal is to AD integrate the DNS.

These are the steps I am taking in order to get there:

1) Go to the forward zone, i.e. domain.com -> General, and change the type from primary to secondary.

2) Correspondingly, go to the domain controller. Locate the forward zone, i.e. domain.com -> General, and change the type from secondary to primary.

Also check the checkbox 'Store the zone in AD'.

Not sure how to proceed doing the same with the reverse lookup zones though. Because on the domain controller when I check the properties I see it's a primary zone but AD integrated; and I see the same on the Exchange server though it's not AD integrated.

How can you have a setup with 2 primary reverse DNS zones?

Something additional:

I see the below error in the DNS server event log:

"The DNS server has encountered numerous run-time events. To determine the initial cause of these run-time events, examine the DNS server event log entries that precede this event. To prevent the DNS server from filling the event log too quickly, subsequent events with Event IDs higher than 3000 will be suppressed until events are no longer being generated at a high rate.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp."

However everything on the network works fine - one would suspect that with DNS issues you would have network problems.

Thx

Guest Ace Fekay [MVP]
Posted

Re: DNS Setup Changes .

 


In news:2AAE4915-0155-4ECE-B8EF-5E33FD1C74ED@microsoft.com,

Sanjay Mehta <SanjayMehta@discussions.microsoft.com> typed:


 

If Exchange is not a DC, and you have DNS installed on it, and have a copy of an AD Integrated zone, and it is a Primary and not a Secondary, then it is a totally useless separate additional copy that has nothing to do with the real zone on the DCs.

A quick explanation: When you have an AD integrated zone, the DNS data is stored in the actual AD database and is replicated to all DCs and will be available to any DC that has DNS installed, depending on the zone replication scope setting. If the rep scope is set to the bottom button, it will be stored in the DomainNC partition of the AD database and compatible with Windows 2000. If the middle button, it will be stored in the DomainDnsZones and only works with Windows 2003 and newer DCs. These two scope types will be replicated to all DCs only in the domain it exists in. The third type, the top button, is stored in the ForestDnsZones application partition and is available to ALL DCs in the whole forest. The data in any of the AD integrated zone types are truly secured since you can't get at them without the proper tools.

If you have an AD integrated zone existing on a DC and you install DNS on another DC in the domain or forest, depending what zone type, it will automatically appear on the new DNS installation without any interaction on your part. If you attempted to manually create the zone, then you pretty much just introduced a duplicate in the AD database, which will cause problems and other issues as well.

A Primary or Secondary zone that is not stored in AD is stored in a text file in the system32\dns folder. This type of zone storage has nothing to do with the above types, unless it is truly a secondary with the Master being a DC transferring a copy of the zone. This type of zone storage is obviously not secure.

That said, use only your DCs for DNS. Uninstall DNS off the Exchange box. Make sure all DCs, servers and workstations are only using the DCs in their ipconfig DNS settings.

Now **IF** you did manually create a zone on one DC while it already existed on another DC, then you may have a duplicate. If this is the case, you can use ADSI Edit and look for zone data that starts with a "CNF..." in front of it. Delete them and you're good to go. If you did perform this action, let me know and I can post instructions to find out and clean it up.

 

 

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations

Guest melu
Posted

Re: DNS Setup Changes .

 


Hi Ace,

Thanks for your comments.

I am referring to your first paragraph ... DNS is installed on Exchange but note the following.

The forward lookup zone is standard on the Exchange server (which is the primary). The DCs are secondaries.

However, the reverse lookup is primary on the Exchange server while the DCs are AD integrated.

Thx

Guest Ace Fekay [MVP]
Posted

Re: DNS Setup Changes .

 


In news:94AF0781-F4AD-4156-9376-A35D28572465@microsoft.com,

melu <melu@discussions.microsoft.com> typed:


 

If the Exchange server is not a DC, I would not use that as a DNS server. I would make the DCs authoritative for the zone instead of hosting a secondary. I would just use the DC, and nothing else, and make sure all machines are ONLY using the DC's DNS in their IP properties.
Curious, why is it set up this way?

Also, if Exchange is hosting a Primary reverse zone, and the DCs host the same zone as AD integrated, the two are totally separate zones that have nothing to do with each other. For example, if I created a PTR on the DC's DNS, such as '192.168.5.200' with a name of 'test machine', the addition would never be seen in the zone on the Exchange server. I would just use the DCs and make sure all your machines are using the DC as their DNS server.

 

Ace

Guest Sanjay Mehta
Posted

Re: DNS Setup Changes .

 


Hi Ace,

Not sure why it was set up this way myself. I found the setup with no documentation. Agreed, the DCs should be authoritative and the DNS should be AD integrated. That is my goal, so I am planning to change it.

Do the steps (see first posted message) cover everything that needs to be done [to make the move]?

Your comments in the 2nd paragraph are interesting. So what would I do with the reverse DNS zone on the Exchange server? Just delete it? It seems we don't have to migrate this zone?

Thx

Guest Ace Fekay [MVP]
Posted

Re: DNS Setup Changes .

 


In news:ABF8591E-146E-49D9-8D33-6B8F2DFA3854@microsoft.com,

Sanjay Mehta <SanjayMehta@discussions.microsoft.com> typed:


 

Yes, delete the reverse zone on the Exchange box.

Your steps aren't 100% clear. Here are my suggestions:

1. On one of the DCs, change the zone from a secondary to a Primary and Store it in AD. Click on the Replication Scope button, then choose the middle button for where to store it.

2. On Exchange, delete the reverse zone. Uninstall DNS from Add/Remove.

3. Make sure ALL machines are using the DC(s) only for DNS. Change your DHCP Option 006 to reflect this as well.

4. In the DC(s)' DNS properties, configure forwarding to your ISP's DNS.

 

I hope that helps.

 

Ace

Guest Sanjay Mehta
Posted

Re: DNS Setup Changes .

 


Hi Ace,

Added to that, another strange thing is that all clients (using DHCP) pick the DC (which has the secondary zone) as the Preferred DNS while the Exchange server (which has the primary zone) is the alternative.

Shouldn't it be the other way round?

Thx

Guest Ace Fekay [MVP]
Posted

Re: DNS Setup Changes .

 


In news:5253D552-ED10-4223-8D07-B07C728AA7B2@microsoft.com,

Sanjay Mehta <SanjayMehta@discussions.microsoft.com> typed:


 

That is controlled by Option 006.

Like I said, please get the Exchange server out of the picture. Follow my suggestions. Change DHCP Option 006 to make it ONLY the DC(s) for their DNS address.

 

Ace
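Step 3 of Ace's suggestions and the Option 006 advice above come down to one verifiable condition: every DC, server and workstation lists only the DCs as DNS servers. The script below is an added example, not code from the thread or from Ace. It parses saved `ipconfig /all` output and reports any configured DNS server address that is not a DC. The host names, the addresses (made up, in the thread's 10.10.250.0/24 range, with a documentation-range address standing in for an ISP resolver) and the `audit` function are assumptions for the example; Python is used so the check can run offline against output collected from the machines.

```python
import re

# Constructed sample: fragments of "ipconfig /all" output from two hosts.
# The host names and addresses are invented for this example.
SAMPLE_IPCONFIG = {
    "WS01": """
Windows IP Configuration
   Host Name . . . . . . . . . . . . : WS01
   Primary Dns Suffix  . . . . . . . : example.local
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 10.10.250.50
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.250.1
   DHCP Server . . . . . . . . . . . : 10.10.250.10
   DNS Servers . . . . . . . . . . . : 10.10.250.10
                                       10.10.250.20
""",
    "EXCH01": """
   Host Name . . . . . . . . . . . . : EXCH01
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 10.10.250.30
   DNS Servers . . . . . . . . . . . : 10.10.250.30
                                       192.0.2.53
""",
}

# Addresses of the domain controllers (assumed for the example).
DC_ADDRESSES = {"10.10.250.10", "10.10.250.20"}

# "DNS Servers . . . : <first address>"; further addresses follow on
# indented continuation lines that carry no label at all.
DNS_LINE = re.compile(r"DNS Servers[ .]*:\s*(\S+)")
CONT_LINE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_dns_servers(text):
    """Return the ordered DNS server list found in ipconfig /all text."""
    servers = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = DNS_LINE.search(line)
        if not m:
            continue
        servers.append(m.group(1))
        for cont in lines[i + 1:]:
            c = CONT_LINE.match(cont)
            if not c:
                break          # first non-address line ends the list
            servers.append(c.group(1))
        break                  # only the first adapter is audited here
    return servers


def audit(hosts, dc_addresses):
    """Map host name -> DNS server addresses that are not DCs.

    An empty list means the host complies with "only the DCs for DNS".
    A host with no DNS servers at all gets an explicit marker instead.
    """
    findings = {}
    for name, text in hosts.items():
        servers = parse_dns_servers(text)
        if not servers:
            findings[name] = ["<no DNS servers configured>"]
            continue
        findings[name] = [s for s in servers if s not in dc_addresses]
    return findings


if __name__ == "__main__":
    for host, bad in audit(SAMPLE_IPCONFIG, DC_ADDRESSES).items():
        status = "OK" if not bad else "NON-DC DNS: " + ", ".join(bad)
        print("%-8s %s" % (host, status))
```

Run it against a folder of collected `ipconfig /all` dumps by loading each file's text into the `hosts` dictionary; any host that shows up with a non-DC address is one whose DHCP scope Option 006 or static settings still needs changing.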

Guest Sanjay Mehta
Posted

Re: DNS Setup Changes .

 


Done. I am now getting the following error:

Windows cannot access the file gpt.ini for GPO CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=Parkinson,DC=ca. The file must be present at the location <\\<mydomain.com>\sysvol\mydomain.com\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini>. (Access is denied. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Thx

Guest Ace Fekay [MVP]
Posted

Re: DNS Setup Changes .

 


In news:6D8EE0B5-6ACA-4458-993C-557EFCC3C44E@microsoft.com,

Sanjay Mehta <SanjayMehta@discussions.microsoft.com> typed:


 

That usually indicates an issue with resolving the domain name.

Please do me a favor and post an updated and unedited ipconfig /all from the two DCs and one from a workstation, please.

Also please post any Event log errors in any of the logs on either DC and on a client. Please post their EventID # and the Source name.

Thank you,

Ace

Guest Sanjay Mehta
Posted

Re: DNS Setup Changes .

 


Hi Ace,

I got event IDs 1030 and 1058 on both DCs simultaneously. Eventually tracked that ... for some reason DHCP was not issuing DNS addresses to the clients on the network.

So I restarted and now I get this error on the DC:

Event ID 53258 // which I think one can safely ignore according to KB 923977; not sure according to EventID.

More worrying, I get the following error in the DNS event log:

Event ID 4515

The zone 250.10.10.in-addr.arpa was previously loaded from the directory partition MicrosoftDNS but another copy of the zone has been found in directory partition DomainDnsZones.Parkinson.ca. The DNS Server will ignore this new copy of the zone. Please resolve this conflict as soon as possible.

If an administrator has moved this zone from one directory partition to another this may be a harmless transient condition. In this case, no action is necessary. The deletion of the original copy of the zone should soon replicate to this server.

What should I do?

thx

Guest Ace Fekay [MVP]
Posted

Re: DNS Setup Changes .

 


In news:320F2589-A73E-4F0B-B340-4C8C76B3015E@microsoft.com,

Sanjay Mehta <SanjayMehta@discussions.microsoft.com> typed:


 

First, you didn't post the info I needed to see.

Second, you have a duplicate zone. Apparently you tried to manually create the zone on a new DC when one already existed in DNS. When installing DNS on an additional DC, you must PATIENTLY WAIT for the zone to auto-appear, otherwise you've just created a dupe. How to fix: read the following from my private blogs:

----
=================================
Dupe zone errata:

A quick explanation: When you have an AD integrated zone, the DNS data is stored in the actual AD database and is replicated to all DCs and will be available to any DC that has DNS installed, depending on the zone replication scope setting. If the rep scope is set to the bottom button, it will be stored in the DomainNC partition of the AD database and compatible with Windows 2000. If the middle button, it will be stored in the DomainDnsZones and only works with Windows 2003 and newer DCs. These two scope types will be replicated to all DCs only in the domain it exists in. The third type, the top button, is stored in the ForestDnsZones application partition and is available to ALL DCs in the whole forest. The data in any of the AD integrated zone types are truly secured since you can't get at them without the proper tools.

If you have an AD integrated zone existing on a DC and you install DNS on another DC in the domain or forest, depending what zone type, it will automatically appear on the new DNS installation without any interaction on your part. If you attempted to manually create the zone, then you pretty much just introduced a duplicate in the AD database, which will cause problems and other issues as well.

A Primary or Secondary zone that is not stored in AD is stored in a text file in the system32\dns folder. This type of zone storage has nothing to do with the above types, unless it is truly a secondary with the Master being a DC transferring a copy of the zone. This type of zone storage is obviously not secure.

That said, use only your DCs for DNS. Uninstall DNS off the Exchange box. Make sure all DCs, servers and workstations are only using the DCs in their ipconfig DNS settings.

Now **IF** you did manually create a zone on one DC while it already existed on another DC, then you may have a duplicate. If this is the case, you can use ADSI Edit and look for zone data that starts with a "CNF..." in front of it. Delete them and you're good to go. If you did perform this action, let me know and I can post instructions to find out and clean it up.
==================================
==================================
More info and how to fix...

Conflicting AD Integrated zones, if they exist in both the Domain NC and one of the Application Partitions, or if you get a weird error message stating: "The name limit for the local computer network adapter card was exceeded."

Under Windows 2000, the physical AD database is broken up into 3 logical partitions: the DomainNC (Domain Name Context, or some call it the Domain Name Container), the Configuration Partition, and the Schema Partition. The Schema and Config partitions replicate to all DCs in a forest. However, the DomainNC is specific only to the domain the DC belongs to. That's where a user, domain local or global group is stored. The DomainNC only replicates to the DCs of that specific domain. When you create an AD Integrated zone in Win 2000, it gets stored in the DomainNC. This causes a limitation if you want this zone to be available on a DC/DNS server that belongs to a different domain. The only way to get around that is a little creative designing using either delegation or secondary zones. This was a challenge for the _msdcs zone, which must be available forest wide to resolve the forest root domain, which contains the Schema and Domain Naming Master FSMO roles.

In Windows 2003, there were two additional partitions added; they are called the DomainDnsZones and ForestDnsZones Application Partitions, specifically to store DNS data. They were conceived to overcome the limitation of Windows 2000's AD Integrated zones. Now you can store an AD Integrated zone in either of these new partitions instead of the DomainNC. If stored in the DomainDnsZones app partition, it is available only in that domain's DomainDnsZones partition. If you store it in the ForestDnsZones app partition, it will be available to any DC/DNS server in the whole forest. This opens many more design options. It also ensures the availability of the _msdcs zone to all DCs in the forest. By default in Win 2003, the _msdcs zone is stored in the ForestDnsZones application partition.

When selecting a zone replication scope in Win2003, in the zone's properties, click on the "Change" button. Under that you will see 3 options:

To choose the ForestDnsZones:
"To all DNS servers in the AD forest example.com"

To choose DomainDnsZones:
"To all DNS servers in the AD domain example.com"

To choose the DomainNC (only for compatibility with Win2000):
"To all domain controllers in the AD domain example.com"

If you have a duplicate, that's telling me that there is a zone that exists in the DomainNC and in the DomainDnsZones Application partition. This means at one time, or currently, you have a mixed Win2000/2003 environment and you have DNS installed on both operating systems. On Win2000, if the zone is AD Integrated, it is in the DomainNC, and should be set the same in Win2003's DC/DNS server to keep compatible. Someone must have attempted to change it in Win2003 DNS to put it in the DomainDnsZones partition not realizing the implications, hence the duplicate. In a scenario such as this where you want to use the Win2003 app partitions, you then must ensure the zone on the Win2003 is set to the DomainNC, then uninstall DNS off the Win2000 machine, then once that's done, you can then go to the Win2003 DNS and change the partition's replication scope to one of the app partitions.

In ADSI Edit, you can view all five partitions. You were viewing the app partitions, but not the main partitions. You need to add the DomainNC partition in order to delete that zone. But you must uninstall DNS off the Win2000 server first, unless you want to keep the zone in the DomainNC. But that wouldn't make much sense if you want to take advantage of the _msdcs zone being available forest wide in the ForestDnsZones partition, which you should absolutely NOT delete. I would just use the Win2003 DNS servers only.

In ADSI Edit, right-click ADSI Edit, Connect to, in the Connection Point click on "Well known Naming Context", then in the drop-down box select "Domain". Drill down to CN=System. Under that you will see CN=MicrosoftDNS. You will see the zone in there.

But make sure to decide FIRST which way to go before you delete anything.

Some reading for you...
Directory Partitions:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbg_dat_favt.asp

kbAlertz (867464) - Explains how to use ADSI Edit to resolve app partition issues:
http://www.kbalertz.com/kb_867464.aspx

How to fix it?
-------------

What I've done in a few cases with my clients that have issues with 'duplicate' zone entries in AD (because the zone name was in the Domain NC (Name Container) Partition, and also in the DomainDnsZones App partition), was first to change the zone on one of the DCs to a Primary zone, and allow zone transfers. Then I went to the other DCs and changed the zone to a Secondary, using the first DC as the Master. Then I went into ADSI Edit, (from memory) under the Domain NC, Services, DNS, and deleted any reference to the domain name. Then I added the DomainDnsZones partition to the ADSI Edit console, and deleted any reference to the zone name in there as well. If you see anything saying something to the extent of a phrase that says "In Progress...." or "CNF" with a long GUID number after it, delete them too. Every time you may have tried to change the replication scope, it creates one of them. Delete them all.

Then I forced replication. If there were Sites configured, I juggled around the servers and subnet objects so all of the servers are now in one site, then I forced replication (so I didn't have to wait for the next site replication schedule). Once I'd confirmed that replication occurred, and the zones no longer existed in either the Domain NC or DomainDnsZones, then I changed the zone on the first server back to AD Integrated, choosing the middle button for its replication scope (which puts it in the DomainDnsZones app partition). Then I went to the other servers and changed the zone to AD Integrated choosing the same replication scope. Then I reset the sites and subnet objects, and everything was good to go.

Keep in mind, I left the _msdcs... zone alone, since that wasn't causing any problems and is located in the ForestDnsZones (default) in all of the client cases I've come across so far.

It seems like a lot of steps, but not really. Just read it over a few times to get familiar with the procedure. You may even want to change it into a numbered step by step list if you like. If you only have one DC, and one Site, then it's much easier since you don't have to mess with secondaries or play with the site objects.

I hope that helped!

==================================
==================================

Ace
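Event ID 4515 in Sanjay's post and Ace's ADSI Edit walk-through above describe the same condition: the same dnsZone object exists under CN=MicrosoftDNS in more than one partition (the domain NC under CN=System, DomainDnsZones, ForestDnsZones), plus "CNF..." or "In Progress" leftovers from a replication conflict or an interrupted scope change. The script below is an added example, not code from the thread or from Ace. It takes a list of dnsZone distinguishedName values of the kind ADSI Edit shows (a constructed sample for a hypothetical domain example.local, with a made-up GUID), reports every zone that appears in more than one partition, and lists the conflict leftovers separately. The container layout assumed is the standard Windows 2003 one the thread describes; the function names are the example's own.

```python
from collections import defaultdict

# Constructed sample: distinguishedName values of dnsZone objects collected
# from the three places ADSI Edit can show them. Domain name and GUID are
# invented for this example.
SAMPLE_ZONE_DNS = [
    "DC=example.local,CN=MicrosoftDNS,CN=System,DC=example,DC=local",
    "DC=250.10.10.in-addr.arpa,CN=MicrosoftDNS,CN=System,DC=example,DC=local",
    "DC=250.10.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=local",
    "DC=_msdcs.example.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=example,DC=local",
    # Loser of a replication conflict: AD renames it "<name>\0ACNF:<guid>".
    "DC=example.local\\0ACNF:0f1e2d3c-0000-4000-8000-000000000001,"
    "CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=local",
]

# Container RDN directly under CN=MicrosoftDNS -> partition the zone lives in.
CONTAINER_TO_PARTITION = {
    "CN=SYSTEM": "DomainNC",
    "DC=DOMAINDNSZONES": "DomainDnsZones",
    "DC=FORESTDNSZONES": "ForestDnsZones",
}


def parse_zone_dn(dn):
    """Split a dnsZone distinguishedName into (zone name, partition).

    Zone names never contain commas, so a plain split on ',' is enough.
    Raises ValueError for a DN that is not directly under CN=MicrosoftDNS.
    """
    rdns = dn.split(",")
    if len(rdns) < 3 or rdns[1].upper() != "CN=MICROSOFTDNS":
        raise ValueError("not a dnsZone DN: %s" % dn)
    name = rdns[0].split("=", 1)[1]
    partition = CONTAINER_TO_PARTITION.get(rdns[2].upper(), "unknown")
    return name, partition


def is_conflict_leftover(name):
    """True for the objects Ace says to delete: a conflict-renamed object
    ('<name>\\0ACNF:<guid>') or an 'In Progress' remnant of a scope change."""
    return "\\0ACNF:" in name or "inprogress" in name.replace(" ", "").lower()


def find_duplicates(dns):
    """Return (duplicates, leftovers).

    duplicates: zone name -> sorted partitions holding a copy, for zones
                present in more than one partition (the Event 4515 case).
    leftovers:  DNs of CNF / In Progress objects to clean up.
    """
    partitions_by_zone = defaultdict(set)
    leftovers = []
    for dn in dns:
        name, partition = parse_zone_dn(dn)
        if is_conflict_leftover(name):
            leftovers.append(dn)
            continue
        partitions_by_zone[name.lower()].add(partition)
    duplicates = {zone: sorted(parts)
                  for zone, parts in partitions_by_zone.items()
                  if len(parts) > 1}
    return duplicates, leftovers


if __name__ == "__main__":
    dupes, junk = find_duplicates(SAMPLE_ZONE_DNS)
    for zone, parts in dupes.items():
        print("DUPLICATE %s in %s" % (zone, ", ".join(parts)))
    for dn in junk:
        print("LEFTOVER  %s" % dn)
```

Feed it the DNs copied out of all three containers before deleting anything: as Ace says, decide first which partition the zone should end up in, then remove only the copies and leftovers the report shows, and leave the _msdcs zone in ForestDnsZones alone.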

Guest Sanjay Mehta
Posted

Re: DNS Setup Changes .

 


Hi Ace,

Thank You.

Great Help!!

Guest Ace Fekay [MVP]
Posted

Re: DNS Setup Changes .

 


In news:2F71D073-5F3F-4AA5-BC94-EF2E6F51772D@microsoft.com,

Sanjay Mehta <SanjayMehta@discussions.microsoft.com> typed:


 

I'm glad it helped.

:-)
