Hi There,
I have found duplicate zones that exist in our DNS database and would appreciate some help with the correct way of resolving this as I am still a little uncertain of the correct approach. I want to make sure I've done my research before delving into ADSIEdit to perform surgery on DNS!
I have reviewed a great article from Ace Fekay in a previous forum "Duplicate AD Integrated DNS Zones" which has been my best resource so far. http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx
Here is the situation.
We are running a Windows 2003 AD Forest with a parent domain (lets call it CORP) and 4 child domains for each of our regions (I'll call them AU, NA, EU, and CN)
The problem lies with the AU child domain, all of our domains have their replication scope set to "All DNS Servers in the AD Forest". However, when I view the scope for the AU.CORP Forward lookup zone (from a DC in the AU.CORP domain) it is set at "To All domain Controllers in the Active Directory Domain". Any attempt to raise this to the Forest level will give me the error "The name limit for the local computer network adapter card was exceeded". There are also event ID 4515 errors which. To make matters a little more confusing, when looking at the replication scope from a DC from any other domain (e.g. CORP or CN.CORP) it states that "AU.CORP" has a replication scope forest wide. Something has gone wrong! On googling this problem I found Ace's article and started looking for duplicate zones, which I found! as follows:
I Ran ADSIEDIT on a Domain Controller in the AU.CORP domain. Looking in the DomainNC container I can see one copy of the "AU.CORP" zone. I then quieried the "DC=ForestDNSZones,DC=CORP" (I assume this is the correct way to view the ForestDNSZones?? I first tried DC=ForestDNSZones,DC=AU,DC=CORP but that failed). Looking here I can also see a copy of the AU.CORP zone (with less approx 200 less entires than in the domainNC). There is also one CNF, and 23 InProgress zones AU.CORP zones.
My plan of action is as follows:
- Change the zone type for AU.CORP to a Non-AD Integrated Primary zone and backup the .dns file
- Ensure this change has replicated to all DC's in the domain.
- DELETE all of the InProgress and CNF entries in the ForestDNSZone for AU.CORP using ADSIEdit
Here is where I am uncertain. I don't believe those steps are enough as I now have one copy of AU.CORP in the ForestDNSZone and one Primary Non Integrated Zone, so there is still a duplication. Looking at the entries in both zones the DomainNC zone is the most uptodate and complete zone. Therefore I assume I should do the following:
- DELETE the AU.CORP Zone from the ForestDNSZone, there is now no zone for AU.CORP at the forest level.
- Wait for Replication to occur....
- Change the AU.CORP zone to be AD Integrated.
- Change the AU.CORP scope to be forest wide.
- Wait for replication to occur
- Check DC's in AU.CORP Domain, as well as DC's in all other domains including the parent domain.
Any advise or comments would be greatly appreciated,
Cheers,
Ben