
Thread: Windows 2008 DNS Secondary 2003 primary DNS zone

  1. #1
    skip Guest

    Windows 2008 DNS Secondary 2003 primary DNS zone

    Hello all

    I have a primary DNS zone "mydomain.com" running on a 2003 DC, and I
    replicate this zone to three additional 2003 DNS servers. When I look at
    the name servers tab on the primary zone for "mydomain.com" it lists all
    the DNS servers for ultradns.com (this is the DNS company that we register
    our domain names with). All the DNS servers are AD domain controllers. I
    never fully understood why someone (before me) decided it was a good idea
    to list external DNS servers (UltraDNS) for an internal zone. Mydomain.com
    is listed on the UltraDNS name servers and on our internal DNS servers.

    I recently upgraded all the DNS servers that have a secondary copy of
    mydomain.com to Windows 2008. Once the upgrade was complete I checked DNS
    and I had all the proper zones listed. Recently on the new Windows 2008
    DNS servers I noticed that for forwarders each listed itself, and I also
    noticed that general web browsing was slow. I decided to remove the server
    itself from the forwarders list and instead add my ISP as a forwarder. I
    did this on all the 2008 DNS servers. Roughly ten minutes later the
    mydomain.com zone running as a secondary disappeared from the 2008 DNS
    servers, and I started getting the DNS error below. I tried adding the
    zone back as a secondary on the 2008 DNS servers but I couldn't replicate
    the records from the primary. I then went to the primary 2003 DNS server,
    removed all the IPs listed under the "Name Servers" tab and added only
    itself. I then went to one of the secondary DNS servers and I was able to
    load the zone from the primary. It appears there is a change in how
    Windows 2008 loads a secondary zone from a primary? I can understand this,
    but what I don't understand is how I didn't have a problem with this zone
    until I made the forwarders change.


    "Invalid response from master DNS server at 10.0.130.100 during attempted
    zone transfer of zone mydomain.com. Check the DNS server at 10.0.130.100
    and ensure that it is authoritative for this zone. This can be done by
    viewing or updating the list of authoritative servers for the zone. When
    using the DNS console, select zone mydomain.com Properties at server
    10.0.130.100 and click the Name Servers tab. If needed, you can add or
    update this server in the list there. As an alternative solution, you could
    also modify settings in the Zone Transfer tab to allow transfer of the zone
    to this and other DNS servers".



    Thanks


  2. #2
    Ace Fekay [Microsoft Certified Trainer] Guest

    Re: Windows 2008 DNS Secondary 2003 primary DNS zone

    In news:1F261386-EC9D-4A4F-A94A-ED4F85DEE6DB@microsoft.com,
    skip <shofmann@kbb.com>, posted the message above.


    Hello Skip,

    If the 2008 machine is a domain controller, and the DNS server service is
    installed on it, and the mydomain.com zone already existed in DNS, then a
    Secondary zone created on the DC/DNS will get deleted, because the DNS
    server recognizes it as a duplicate of a valid zone that exists in the AD
    database.

    I don't see how changing the forwarder will alter this; however, it is best
    practice to set a forwarder to an outside DNS server, and not to another
    internal DNS server that is hosting the same zones as the DNS server itself.

    Due to trying to re-create the zone, you may have inadvertently created a
    duplicate in the AD database. In addition, the zone could have been
    configured with a different replication scope, which causes a conflict. In
    either case, the dupe will need to be removed from AD. The procedure
    involves using ADSI Edit. Please read the following blog (also available at
    www.fekay.com/supportblogs.htm). It outlines a procedure to fix it, however,
    I would like you to just use ADSI Edit to determine whether the dupes exist
    or not.

    Please post back with your findings.


    ==================================
    ==================================

    Conflicting AD Integrated zones if they exist in both the Domain NC and
    one of the Application Partitions, or if you get a weird error message
    stating:
    "The name limit for the local computer network adapter card was exceeded."

    Dupe zone errata:
    A quick explanation: When you have an AD integrated zone, the DNS data is
    stored in the actual AD database and is replicated to all DCs, and will be
    available to any DC that has DNS installed, depending on the zone
    replication scope setting. If the replication scope is set to the bottom
    button, it will be stored in the DomainNC partition of the AD database and
    is compatible with Windows 2000. If the middle button, it will be stored in
    DomainDnsZones and only works with Windows 2003 and newer DCs. These two
    scope types will be replicated only to the DCs in the domain the zone
    exists in. The third type, the top button, is stored in the ForestDnsZones
    application partition and is available to ALL DCs in the whole forest. The
    data in any of the AD integrated zone types is truly secured since you
    can't get at it without the proper tools.

    If you have an AD integrated zone existing on a DC and you install DNS on
    another DC in the domain or forest (depending on the zone type), it will
    automatically appear on the new DNS installation without any interaction on
    your part. If you attempted to manually create the zone, then you pretty
    much just introduced a duplicate in the AD database, which will cause
    problems and other issues as well.

    A Primary or Secondary zone that is not stored in AD is stored in a text
    file in the system32\dns folder. This type of zone storage has nothing to do
    with the above types, unless it is truly a secondary with the Master being
    a DC transferring a copy of the zone. This type of zone storage is
    obviously not secure.

    Now **IF** you did manually create a zone on one DC while it already existed
    on another DC, then you may have a duplicate. If this is the case, you can
    use ADSI Edit and look for zone data that starts with "CNF..." in front of
    it. Delete them and you're good to go. Under Windows 2000, the physical AD
    database is broken up into 3 logical partitions: the DomainNC (Domain Name
    Context, or some call it the Domain Name Container), the Configuration
    Partition, and the Schema Partition. The Schema and Config partitions
    replicate to all DCs in a forest.

    However, the DomainNC is specific only to the domain the DC belongs to.
    That's where a user, domain local or global group is stored. The DomainNC
    only replicates to the DCs of that specific domain. When you create an AD
    Integrated zone in Win 2000, it gets stored in the DomainNC.

    This causes a limitation if you want this zone to be available on a DC/DNS
    server that belongs to a different domain. The only way to get around that
    is for a little creative designing using either delegation, or secondary
    zones. This was a challenge for the _msdcs zone, which must be available
    forest wide to resolve the forest root domain, which contains the Schema and
    Domain Name Masters FSMO roles.

    In Windows 2003, two additional partitions were added, called the
    DomainDnsZones and ForestDnsZones Application Partitions, specifically
    to store DNS data. They were conceived to overcome the limitation of Windows
    2000's AD Integrated zones. Now you can store an AD Integrated zone in
    either of these new partitions instead of the DomainNC. If stored in the
    DomainDnsZones app partition, it is available only in that domain's
    DomainDnsZones partition. If you store it in the ForestDnsZones app
    partition, it will be available to any DC/DNS server in the whole forest.
    This opens many more design options. It also ensures the availability of the
    _msdcs zone to all DCs in the forest. By default in Win 2003, the _msdcs
    zone is stored in the ForestDnsZones application partition.

    When selecting a zone replication scope in Win2003, in the zone's
    properties, click on the "Change" button. Under that you will see 3 options:

    To choose the ForestDnsZones:
    "To all DNS servers in the AD forest example.com"

    To choose DomainDnsZones:
    "To all DNS servers in the AD domain example.com"

    To choose the DomainNC (only for compatibility with Win2000):
    "To all domain controllers in the AD domain example.com"

    If you have a duplicate, that indicates there is a zone that exists in
    the DomainNC and in the DomainDnsZones Application partition. This means at
    one time, or currently, you have a mixed Win2000/2003 environment and you
    have DNS installed on both operating systems. On Win2000, if the zone is AD
    Integrated, it is in the DomainNC, and should be set the same in Win2003's
    DC/DNS server to keep compatible. Someone must have attempted to change it
    in Win2003 DNS to put it in the DomainDnsZones partition, not realizing the
    implications, hence the duplicate. In a scenario such as this where you want
    to use the Win2003 app partitions, you must first ensure the zone on the
    Win2003 is set to the DomainNC, then uninstall DNS off the Win2000 machine,
    and once that's done, you can then go to the Win2003 DNS and change the
    partition's replication scope to one of the app partitions.

    In ADSI Edit, you can view all five partitions. You were viewing the app
    partitions, but not the main partitions. You need to add the DomainNC
    partition in order to delete that zone. But you must uninstall DNS off the
    Win2000 server first, unless you want to keep the zone in the DomainNC. But
    that wouldn't make much sense if you want to take advantage of the _msdcs
    zone being available forest wide in the ForestDnsZones partition, which you
    should absolutely NOT delete. I would just use the Win2003 DNS servers only.

    In ADSI Edit, right-click ADSI Edit, Connect to, and in the Connection Point
    click on "Well known Naming Context", then in the drop-down box select
    "Domain". Drill down to CN=System. Under that you will see CN=MicrosoftDNS.
    You will see the zone in there.

    But make sure to decide FIRST which way to go before you delete anything.

    Some reading for you...
    Directory Partitions:
    http://www.microsoft.com/resources/d...g_dat_favt.asp

    kbAlertz- (867464) - Explains how to use ADSI Edit to resolve app partitions
    issues:
    http://www.kbalertz.com/kb_867464.aspx


    How to fix it?
    -------------

    What I've done in a few cases with my clients that have issues with
    'duplicate' zone entries in AD (because the zone name was in the Domain NC
    (Name Container) Partition, and also in the DomainDnsZones App partition),
    was first to change the zone on one of the DCs to a Primary zone, and
    allow zone transfers. Then I went to the other DCs and changed the zone to
    a Secondary, using the first DC as the Master. Then I went into ADSI
    Edit, (from memory) under the Domain NC, Services, DNS, and deleted any
    reference to the domain name. Then I added the DomainDnsZones partition to
    the ADSI Edit console, and deleted any reference to the zone name in there
    as well. If you see anything saying something to the extent of
    "In Progress...." or "CNF" with a long GUID number after it, delete them
    too. Every time you may have tried to change the replication scope, it
    creates one of them. Delete them all.

    Then I forced replication. If there were Sites configured, I juggled around
    the servers and subnet objects so all of the servers were in one site,
    then I forced replication (so I didn't have to wait for the next site
    replication schedule). Once I'd confirmed that replication occurred, and the
    zones no longer existed in either the Domain NC or DomainDnsZones, I
    changed the zone on the first server back to AD Integrated, choosing the
    middle button for its replication scope (which puts it in the
    DomainDnsZones app partition). Then I went to the other servers and changed
    the zone to AD Integrated choosing the same replication scope. Then I reset
    the sites and subnet objects, and everything was good to go.

    Keep in mind, I left the _msdcs... zone alone, since that wasn't causing any
    problems and is located in the ForestDnsZones (default) in all of the client
    cases I've come across so far.

    It seems like a lot of steps, but not really. Just read it over a few times
    to get familiar with the procedure. You may even want to change it into a
    numbered step-by-step list if you like. If you only have one DC and one
    Site, then it's much easier since you don't have to mess with secondaries or
    play with the site objects.

    I hope that helped!

    ==================================
    ==================================


    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
    Microsoft Certified Trainer
    aceman@mvps.RemoveThisPart.org

    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.
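    As an added example (written for this thread; not Ace's or Microsoft's code), the following PowerShell script performs the ADSI Edit check described above read-only: it lists the dnsZone objects under CN=MicrosoftDNS in the DomainNC, DomainDnsZones and ForestDnsZones partitions and reports CNF conflict objects and any zone name stored in more than one partition. It assumes a domain-joined host and a user with directory read access; the partition paths are taken from RootDSE and the script deletes nothing.

```powershell
# Added example (not from the thread or from Microsoft): read-only check for
# the duplicate / conflict dnsZone objects that the reply says to look for in
# ADSI Edit. Assumes: run on a domain-joined host as a user with read access.
# Partition DNs are taken from RootDSE; nothing is modified or deleted.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNc = [string]$rootDse.defaultNamingContext      # e.g. DC=mydomain,DC=com
$forestNc = [string]$rootDse.rootDomainNamingContext

# The three places an AD-integrated zone can live, matching the three
# replication-scope buttons: DomainNC (bottom, Win2000-compatible),
# DomainDnsZones (middle), ForestDnsZones (top). A pure Win2000 domain
# will not have the two application partitions; those are skipped.
$containers = @{
    'DomainNC'       = "LDAP://CN=MicrosoftDNS,CN=System,$domainNc"
    'DomainDnsZones' = "LDAP://CN=MicrosoftDNS,DC=DomainDnsZones,$domainNc"
    'ForestDnsZones' = "LDAP://CN=MicrosoftDNS,DC=ForestDnsZones,$forestNc"
}

function Get-DnsZoneObjects {
    $zones = @()
    foreach ($partition in $containers.Keys) {
        $path = $containers[$partition]
        if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) { continue }

        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot  = [ADSI]$path
        $searcher.Filter      = '(objectClass=dnsZone)'
        $searcher.SearchScope = 'OneLevel'
        [void]$searcher.PropertiesToLoad.Add('name')
        [void]$searcher.PropertiesToLoad.Add('whenChanged')

        foreach ($result in $searcher.FindAll()) {
            $name = [string]$result.Properties['name'][0]
            # AD renames the loser of a replication collision to "<rdn>\0ACNF:<guid>";
            # \0A is a literal line feed, which is why ADSI Edit shows it as "CNF:".
            $isConflict = $name -match 'CNF:'
            $zones += New-Object PSObject -Property @{
                Partition   = $partition
                Name        = $name
                ZoneName    = ($name -split "`nCNF:")[0]   # real zone name, suffix removed
                IsConflict  = $isConflict
                WhenChanged = $result.Properties['whenChanged'][0]
                Path        = $result.Path
            }
        }
    }
    return $zones
}

$zones = Get-DnsZoneObjects

"== Conflict (CNF) objects: one is left behind by each failed scope change =="
$zones | Where-Object { $_.IsConflict } |
    Format-Table Partition, Name, WhenChanged -AutoSize

"== Zones stored in more than one partition (the duplicate described above) =="
$zones | Where-Object { -not $_.IsConflict } |
    Group-Object ZoneName |
    ForEach-Object {
        $where = @($_.Group | ForEach-Object { $_.Partition } | Sort-Object -Unique)
        if ($where.Count -gt 1) {
            "DUPLICATE: $($_.Name) exists in $($where -join ', ')"
        }
    }

# _msdcs.<forest root> normally lives only in ForestDnsZones; a zone that
# appears exactly once, in one partition, is the expected healthy state.
```

    Review the output before deleting anything in ADSI Edit, since the partition you keep depends on whether Win2000 DNS servers are still in the domain.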


  3. #3
    Meinolf Weber [MVP-DS] Guest

    Re: Windows 2008 DNS Secondary 2003 primary DNS zone

    Hello skip,

    In addition to Ace's great advice, why not use AD integrated zones in your
    domain? This saves you from having to create/control the secondary zones,
    and also all zones are fully writable in case the primary server is not
    available.

    Best regards

    Meinolf Weber
    Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    no rights.
    ** Please do NOT email, only reply to Newsgroups
    ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm






  4. #4
    skip Guest

    Re: Windows 2008 DNS Secondary 2003 primary DNS zone

    The zone in question is not an AD integrated zone; it's a standard primary
    zone that is outside of AD. I replicate this zone to other DNS servers by
    creating a secondary zone on them. I have been doing this sort of thing for
    years.
    "Ace Fekay [Microsoft Certified Trainer]" <firstnamelastname@hotmail.com>
    wrote in message news:%23fMb$MOiJHA.3728@TK2MSFTNGP06.phx.gbl...
    > In news:1F261386-EC9D-4A4F-A94A-ED4F85DEE6DB@microsoft.com,
    > skip <shofmann@kbb.com>, posted the following:
    >> Hello all
    >>
    >> I have a primary DNS zone "mydomain.com" running on a 2003 DC, I
    >> replicate this zone to three additinal 2003 DNS serves. When i look
    >> at the name servers tab on the primary zone for "mydomain.com" it
    >> list all the DNS servers for ultradns.com (this is DNS company that
    >> we register our domain names with) All the DNS servers are AD domain
    >> controllers, I never full understood why someone (before me) decided
    >> it was a good idea to list external DNS servers (ultra dns) for an
    >> internal zone? Mydomain.com is listed on the ultra dns name serves
    >> and on our internal DNS serves.
    >> I recently upgraded all the DNS server that have a secondary copy of
    >> mydomain.com to Windows 2008. Once the upgrade was complete i checked
    >> DNS and i had all the proper zones listed. Recently on the newly
    >> Windows 2008 DNS servers i noticed that for forwardes it listed
    >> itself, and i also noticed that general web browsing was slow. I
    >> decided to change to remove itself from the forwarders list and
    >> instead add in my ISP as a forwarder. I did this on all the 2008 DNS
    >> servers. Roughly ten minutes later the mydomain.com running as a
    >> secondary zone disappeard from the 2008 DNS servers, and i started
    >> getting DNS error below. I tried adding the zone back as a secondary
    >> on the 2008 DNS servers but i couldt replicate the records from the
    >> primary, i then went to the primary 2003 DNS server, and i removed
    >> all the ip's listed under the "name servers" tab and added itself
    >> only. I then went to the one of the seconday DNS serves and i was
    >> able to load the zone from the primary. It appears there is a change
    >> in how Windows 2008 loads a secondary zone from a primary? I can
    >> understand this but what i dont understand is how i didnt have a
    >> problem with this zone until i made the forwarders change?
    >>
    >> "Invalid response from master DNS server at 10.0.130.100 during
    >> attempted zone transfer of zone mydomain.com. Check the DNS server
    >> at 10.0.130.100 and ensure that it is authoritative for this zone. This
    >> can be done by viewing or updating the list of authoritative
    >> servers for the zone. When using the DNS console, select zone
    >> mydomain.com Properties at server 10.0.130.100 and click the Name Servers
    >> tab. If needed, you can add
    >> or update this server in the list there. As an alternative solution,
    >> you could also modify settings in the Zone Transfer tab to allow
    >> transfer of the zone to this and other DNS servers".
    >>
    >>
    >>
    >> Thanks

    >
    > Hello Skip,
    >
    > If the 2008 machine is a domain controller, and the DNS server service is
    > installed on it, and the mydomain.com zone already existed in DNS, then
    > creating a Secondary zone on the DC/DNS will get deleted because the DNS
    > server recognizes it as duplicate because it is a valid zone that exists
    > in the AD database.
    >
    > I don;t see how changing the forwarder will alter this, however it is best
    > practice to set a forward to an outsider DNS, and not anything internally
    > to another DNS that is hosting the same zones as the DNS server itself.
    >
    > Due to trying to re-create the zone, you may have inadvertently created a
    > duplicate in the AD database. In addition, the zone could have been
    > configured with a different replication scope, which causes a conflict. In
    > either case, the dupe will need to be removed from AD. The procedure
    > involves using ADSI Edit. Please read the following blog (also available
    > at www.fekay.com/supportblogs.htm). It outlines a procedure to fix it,
    > however, I would like you to just use ADSI Edit to determine whether the
    > dupes exist or not.
    >
    > Please post back with your findings.
    >
    >
    > ==================================
    > ==================================
    >
    > Conflicting AD Integrated zones if they exist in both the Domain NC and
    > one of the Application Partitions or if you get a weird error message
    > stating:
    > "The name limit for the local computer network adapter card was exceeded."
    >
    > Dupe zone errata:
    > A quick explanation: When you have an AD integrated zone, the DNS data is
    > stored in the actual AD database and is replicated to all DCs and will be
    > available to any DC that has DNS installed, depending on the zone
    > replication scope setting. If rep scope is set to the bottom button, it
    > will be store in the DomainNC partition of the AD database and compatible
    > with Windows 2000. If the middle button, it will be stored in the
    > DomainDnsZones and only works with Windows 2003 and newer DCs. These two
    > scope types will be replicated to all DCs only in the domain it exists in.
    > The third type, the top buttton, is stored in the ForestDnsZones
    > application partition and is available to ALL DCs in the whole forest. The
    > data in any of the AD integrated zone types are truly secured since you
    > can;t get at them without the proper tools.
    >
    > If you have an AD integrated zone existing on a DC and you install DNS on
    > another DC in the domain or forest, depending what zone type, it will
    > automatically appear on the new DNS installation without any interaction
    > on your part. If you attempted to manually create the zone, then you
    > pretty much just introduced a duplicate in the AD database, which will
    > cause problems and other issues as well.
    >
    > A Primary or Secondary zone that is not stored in AD is stored in a text
    > file in the system32\dns folder. This type of zone storage has nothing to
    > do with the above types ONLY unless it is truly a secondary with the
    > Master being a DC transferring a copy of the zone. This types of zone
    > storage is obviously not secure.
    >
    > Now **IF** you did manually create a zone on one DC while it already
    > existed on another DC, then you may have a duplicate. If this is the case,
    > you can use ADSI Edit and look for zone data that starts with a "CNF..."
    > in front of it. Delete them and you;re good to go. Under Windows 2000, the
    > physcial AD database is broken up into 3 logical partitions, the DomainNC
    > (Domain Name Context, or some call the Domain Name Container), the
    > Configuration Partition, and the Schema Partition. The Schema and Config
    > partitions replicate to all DCs in a forest.
    >
    > However, the DomainNC is specific only to the domain the DC belongs to.
    > That's where a user, domain local or global group is stored. The DomainNC
    > only replicates to the DCs of that specific domain. When you create an AD
    > INtegrated zone in Win 2000, it gets stored in the DomainNC.
    >
    > This causes a limitation if you want this zone to be available on a DC/DNS
    > server that belongs to a different domain. The only way to get around that
    > is for a little creative designing using either delegation, or secondary
    > zones. This was a challenge for the _msdcs zone, which must be available
    > forest wide to resolve the forest root domain, which contains the Schema
    > and Domain Name Masters FSMO roles.
    >
    > In Windows 2003, there were two additional partitions added, they are
    > called the DomainDnsZones and ForestDnsZones Application Partitions,
    > specifically to store DNS data. They were conceived to overcome the
    > limitation of Windows 2000's AD Integrated zones. Now you can store an AD
    > Integrated zone in either of these new partitions instead of the DomainNC.
    > If stored in the DomainDnsZones app partition, it is available only in
    > that domain's DomainDnsZones partition. If you store it in the
    > ForestDnsZones app partition, it will be available to any DC/DNS server in
    > the whole forest. This opens many more design options. It also ensures the
    > availability of the _msdcs zone to all DCs in the forest. By default in
    > Win 2003, the _msdcs zone is stored in the ForestDnsZones application
    > partition.
    >
    > When selecting a zone replication scope in Win2003, in the zone's
    > properties, click on the "Change" button. Under that you will see 3
    > options:
    >
    > To choose the ForestDnsZones:
    > "To all DNS servers in the AD forest example.com"
    >
    > To choose DomainDnsZones:
    > "To all DNS servers in the AD domain example.com"
    >
    > To choose the DomainNC (only for compatibility with Win2000):
    > "To all domain controllers in the AD domain example.com"
    >
    > If you have a duplicate, that's indicating there is a zone that exists in
    > the DomainNC and in the DomainDnsZones Application partition. This means
    > at one time, or currently, you have a mixed Win2000/2003 environment and
    > you have DNS installed on both operating systems. On Win2000, if the zone
    > is AD Integrated, it is in the DomainNC, and should be set the same in
    > Win2003's DC/DNS server to keep compatible. Someone must have attempted to
    > change it in Win2003 DNS to put it in the DomainDnsZones partition no
    > realizing the implications, hence the duplicate. In a scenario such as
    > this where you want to use the Win2003 app partitions, you then must
    > insure the zone on the Win2003 is set to the DomainNC, then uninstall DNS
    > off the Win2000 machine, then once that's done, you can then go to the
    > Win2003 DNS and change the partition's replication scope to one of the app
    > partitions.
    >
    > In ADSI Edit, you can view all five partitions. You were viewing the app
    > partitions, but not the main partitions. You need to add the DomainNC
    > partition in order to delete that zone. But you must uninstall DNS off the
    > Win2000 server first, unless you want to keep the zone in the DomainNC.
    > But that wouldn't make much sense if you want to take advantage of the
    > _msdcs zone being available forest wide in the ForestDnsZones partition,
    > which you should absolutley NOT delete. I would just use the Win2003 DNS
    > servers only.
    >
    > In ADSI Edit, rt-click ADSI Edit, connect to, in the Connection Point
    > click on "Well known Naming Context", then in the drop-down box, select
    > "Domain". Drill down to CN=System. Under that you will see
    > CN=MicrosoftDNS. You will see the zone in there.
    >
    > But make sure to decide FIRST which way to go before you delete anything.
    >
    > Some reading for you...
    > Directory Partitions:
    > http://www.microsoft.com/resources/d...g_dat_favt.asp
    >
    > kbAlertz- (867464) - Explains how to use ADSI Edit to resolve app
    > partitions issues:
    > http://www.kbalertz.com/kb_867464.aspx
    >
    >
    > How to fix it?
    > -------------
    >
    > What I've done in a few cases with my clients that have issues with
    > 'duplicate' zone entries in AD (because the zone name was in the Domain NC
    > (Name Container) Partition, and also in the DomainDnsZones App partition),
    > was first to change the zone on one of the DCs to a Primary zone, and
    > allowed zone transfers. Then I went to the other DCs and changed the zone
    > to a Secondary, using the first DC as the Master. Then I went into ADSI
    > Edit, (from memory) under the Domain NC, Services, DNS, and deleted any
    > reference to the domain name. Then I added the DomainDnsZones partition to
    > the ADSI Edit console, and deleted any reference to the zone name in there
    > as well. If you see anything saying something to the extent of a phrase
    > that says "In Progress...." or "CNF" with a long GUID number after it,
    > delete them too. Every time you may have tried to change the replication
    > scope, it creates one of them. Delete them all.
    >
    > Then I forced replication. If there were Sites configured, I juggled
    > around the servers and subnet objects so all of the servers are now in one
    > site, then I forced replication (so I didn't have to wait for the next site
    > replication schedule). Once I'd confirmed that replication occurred, and
    > the zones no longer existed in either the Domain NC or DomainDnsZones, then
    > I changed the zone on the first server back to AD Integrated, choosing the
    > middle button for its replication scope (which puts it in the
    > DomainDnsZones app partition). Then I went to the other servers and
    > changed the zone to AD Integrated choosing the same replication scope. Then
    > I reset the sites and subnet objects, and everything was good to go.
    >
    > Keep in mind, I left the _msdcs... zone alone, since that wasn't causing
    > any problems and is located in the ForestDnsZones (default) in all of my
    > client cases I've come across so far.
    >
    > It seems like a lot of steps, but not really. Just read it over a few times
    > to get familiar with the procedure. You may even want to change it into a
    > numbered step by step list if you like. If you only have one DC, and one
    > Site, then it's much easier since you don't have to mess with secondaries
    > or play with the site objects.
    >
    > I hope that helped!
    >
    > ==================================
    > ==================================
    >
    >
    > --
    > Ace
    >
    > This posting is provided "AS-IS" with no warranties or guarantees and
    > confers no rights.
    >
    > Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
    > Microsoft Certified Trainer
    > aceman@mvps.RemoveThisPart.org
    >
    > For urgent issues, you may want to contact Microsoft PSS directly. Please
    > check http://support.microsoft.com for regional support phone numbers.
    >



  5. #5
    Ace Fekay [Microsoft Certified Trainer] Guest

    Re: Windows 2008 DNS Secondary 2003 primary DNS zone

    In news:D4397C34-FE7E-4E6C-BDF7-A0B4D63594C4@microsoft.com,
    skip <shofmann@kbb.com>, posted the following:
    > The zone in question is not an AD integrated zone its a standard
    > primary zone that is outside of AD. I replicate this zone to other
    > DNS servers by creating a secondary zone on them. I have been doing
    > this sort of thing for years


    Hello Skip,

    I see. Your terminology threw me off. The term "replication" is used in
    reference to AD database replication: AD Integrated zones are stored in the
    AD database and replicate to all DCs that have DNS installed on them.

    Now if you have Primary (non-AD Integrated) and Secondaries, the act of
    copying zone data from the single Primary (the 'Master') to any and all
    Secondaries, is referred to as a 'zone transfer.'

    If it disappears, which is also an AD integrated zone thing, it is because
    the server sees it in the AD database and removes it since it already
    exists. Now since none of your zones are AD Integrated, it would be
    confusing why it is deleting it.

    Are you seeing any EventID errors? I can't see how a forwarder change would
    cause this. Is 10.0.130.100 the actual Master? May you have inadvertently
    left the checkbox "store in AD" checked when you created the zone on any of
    the servers?

    Ace




  6. #6
    skip Guest

    Re: Windows 2008 DNS Secondary 2003 primary DNS zone

    Ace


    The zone in question is not AD integrated; it is a standard primary zone. I
    have been transferring this zone to other DNS servers (created a secondary
    zone and enabled zone transfer). At the time all DNS servers were running
    Windows 2003. Now I upgraded all the DC/DNS servers to Windows 2008 except
    for one; the one DC that I didn't upgrade was the zone owner or primary of
    the zone in question, and in the "name servers" tab for this zone it listed
    external ISP DNS servers, not itself. At this point DNS zone transfers for
    the zone were working fine. A couple of days later I noticed that the 2008
    DNS servers' "forwarders" were pointing to themselves, so I changed this to
    point to our ISP DNS servers. I did this for all the 2008 DNS servers;
    roughly ten minutes later the zone in question was no longer available on
    the 2008 DNS servers but it was on the 2003 DNS server; it was gone. I tried
    creating the zone again on the 2008 DNS servers as a secondary zone, but it
    kept failing out. I then went to the 2003 DNS server, looked at the zone in
    question, removed all the ISP DNS servers that were listed in the "name
    servers" tab, and added itself. I hit OK, then went back to the 2008 DNS
    server and I was able to create the zone as a secondary and the zone
    transferred.

    This has to be tied to the name servers tab on the 2003 DNS server not
    listing itself for the zone. This was never an issue in 2003; it seems 2008
    handles this a bit differently?

    After upgrading the
    "Ace Fekay [Microsoft Certified Trainer]" <firstnamelastname@hotmail.com>
    wrote in message news:OqTXu8NjJHA.4868@TK2MSFTNGP05.phx.gbl...
    > In news:D4397C34-FE7E-4E6C-BDF7-A0B4D63594C4@microsoft.com,
    > skip <shofmann@kbb.com>, posted the following:
    >> The zone in question is not an AD integrated zone its a standard
    >> primary zone that is outside of AD. I replicate this zone to other
    >> DNS servers by creating a secondary zone on them. I have been doing
    >> this sort of thing for years

    >
    > Hello Skip,
    >
    > I see. Your terminology threw me off. The term "replication" is used in
    > reference to AD database replication: AD Integrated zones are stored in
    > the AD database and replicate to all DCs that have DNS installed on them.
    >
    > Now if you have Primary (non-AD Integrated) and Secondaries, the act of
    > copying zone data from the single Primary (the 'Master') to any and all
    > Secondaries, is referred to as a 'zone transfer.'
    >
    > If it disappears, which is also an AD integrated zone thing, it is because
    > the server sees it in the AD database and removes it since it already
    > exists. Now since none of your zones are AD Integrated, it would be
    > confusing why it is deleting it.
    >
    > Are you seeing any EventID errors? I can't see how a forwarder change
    > would cause this. Is 10.0.130.100 the actual Master? May you have
    > inadvertently left the checkbox "store in AD" checked when you created the
    > zone on any of the servers?
    >
    > Ace
    >
    >
    >



  7. #7
    Ace Fekay [Microsoft Certified Trainer] Guest

    Re: Windows 2008 DNS Secondary 2003 primary DNS zone

    In news:8A051758-1D1C-4518-A3DB-0C99CA6F6C4E@microsoft.com,
    skip <shofmann@kbb.com>, posted the following:
    > Ace
    >
    >
    > The zone in question is not AD integrated; it is a standard primary
    > zone. I have been transferring this zone to other DNS servers (created a
    > secondary zone and enabled zone transfer). At the time all DNS servers
    > were running Windows 2003. Now I upgraded all the DC/DNS servers to
    > Windows 2008 except for one; the one DC that I didn't upgrade was the
    > zone owner or primary of the zone in question, and in the "name
    > servers" tab for this zone it listed external ISP DNS servers, not
    > itself. At this point DNS zone transfers for the zone were working
    > fine. A couple of days later I noticed that the 2008 DNS servers'
    > "forwarders" were pointing to themselves, so I changed this to point
    > to our ISP DNS servers. I did this for all the 2008 DNS servers;
    > roughly ten minutes later the zone in question was no longer
    > available on the 2008 DNS servers but it was on the 2003 DNS server;
    > it was gone. I tried creating the zone again on the 2008 DNS servers as
    > a secondary zone, but it kept failing out. I then went to the 2003
    > DNS server, looked at the zone in question, removed all the ISP DNS
    > servers that were listed in the "name servers" tab, and added
    > itself. I hit OK, then went back to the 2008 DNS server and I was
    > able to create the zone as a secondary and the zone transferred.
    > This has to be tied to the name servers tab on the 2003 DNS server not
    > listing itself for the zone. This was never an issue in 2003; it seems
    > 2008 handles this a bit differently?


    Thanks for the detailed info. From what *appears* to be happening, I am
    assuming your 'mydomain.com' zone name is also a public domain name.
    Apparently 2008 may be recognizing that and putting the public name server
    data in. I didn't realize it will do that. It was possibly trying a zone
    transfer from the public nameservers, and failed, so it removes the zone.
    One of my customers has a public name for their internal AD zone, and I
    have 2008 running, but have not seen this issue, well, as of yet, at least.
    Apparently changing the nameserver tab info to itself on 2003 made the 2008
    server recognize that the 2003 is listed authoritative for the zone.

    Something to keep watch for. Curious, does it change it back to the public
    nameservers after a period of time?

    Ace


  8. #8
    Family Guest

    Re: Windows 2008 DNS Secondary 2003 primary DNS zone

    No it doesn't; after I removed the public ISP DNS servers from the name
    servers tab and added itself *only*, I haven't seen this issue again. The
    part I am having a hard time understanding is why didn't the zone transfer
    fail right away from 2003 DNS to the 2008 DNS as soon as the 2008 DNS
    servers came online? The zone was gone from the 2008 DNS servers when I
    removed the 2008 DNS servers as being forwarders; basically I removed the
    local 2008 DNS server as a forwarder and added the ISP DNS servers, and as
    soon as I did this the zone disappeared from the 2008 DNS servers. Very
    strange behavior.

    Thanks again for your help

    "Ace Fekay [Microsoft Certified Trainer]" <firstnamelastname@hotmail.com>
    wrote in message news:e5mY$amjJHA.500@TK2MSFTNGP06.phx.gbl...
    > In news:8A051758-1D1C-4518-A3DB-0C99CA6F6C4E@microsoft.com,
    > skip <shofmann@kbb.com>, posted the following:
    >> Ace
    >>
    >>
    >> The zone in question is not AD integrated; it is a standard primary
    >> zone. I have been transferring this zone to other DNS servers (created a
    >> secondary zone and enabled zone transfer). At the time all DNS servers
    >> were running Windows 2003. Now I upgraded all the DC/DNS servers to
    >> Windows 2008 except for one; the one DC that I didn't upgrade was the
    >> zone owner or primary of the zone in question, and in the "name
    >> servers" tab for this zone it listed external ISP DNS servers, not
    >> itself. At this point DNS zone transfers for the zone were working
    >> fine. A couple of days later I noticed that the 2008 DNS servers'
    >> "forwarders" were pointing to themselves, so I changed this to point
    >> to our ISP DNS servers. I did this for all the 2008 DNS servers;
    >> roughly ten minutes later the zone in question was no longer
    >> available on the 2008 DNS servers but it was on the 2003 DNS server;
    >> it was gone. I tried creating the zone again on the 2008 DNS servers as
    >> a secondary zone, but it kept failing out. I then went to the 2003
    >> DNS server, looked at the zone in question, removed all the ISP DNS
    >> servers that were listed in the "name servers" tab, and added
    >> itself. I hit OK, then went back to the 2008 DNS server and I was
    >> able to create the zone as a secondary and the zone transferred.
    >> This has to be tied to the name servers tab on the 2003 DNS server not
    >> listing itself for the zone. This was never an issue in 2003; it seems
    >> 2008 handles this a bit differently?

    >
    > Thanks for the detailed info. From what *appears* to be happening, I am
    > assuming your 'mydomain.com' zone name is also a public domain name.
    > Apparently 2008 may be recognizing that and putting the public name
    > server data in. I didn't realize it will do that. It was possibly trying
    > a zone transfer from the public nameservers, and failed, so it removes
    > the zone. One of my customers has a public name for their internal AD
    > zone, and I have 2008 running, but have not seen this issue, well, as of
    > yet, at least. Apparently changing the nameserver tab info to itself on
    > 2003 made the 2008 server recognize that the 2003 is listed authoritative
    > for the zone.
    >
    > Something to keep watch for. Curious, does it change it back to the public
    > nameservers after a period of time?
    >
    > Ace



  9. #9
    Ace Fekay [Microsoft Certified Trainer] Guest

    Re: Windows 2008 DNS Secondary 2003 primary DNS zone

    In news:D024566B-1C1E-4A69-9AE4-83ED8E47C74C@microsoft.com,
    Family <shofmann@kbb.com>, posted the following:
    > No it doesn't; after I removed the public ISP DNS servers from the name
    > servers tab and added itself *only*, I haven't seen this issue again.
    > The part I am having a hard time understanding is why didn't the zone
    > transfer fail right away from 2003 DNS to the 2008 DNS as soon as
    > the 2008 DNS servers came online? The zone was gone from the 2008
    > DNS servers when I removed the 2008 DNS servers as being forwarders;
    > basically I removed the local 2008 DNS server as a forwarder and
    > added the ISP DNS servers, and as soon as I did this the zone disappeared
    > from the 2008 DNS servers. Very strange behavior.
    >
    > Thanks again for your help


    Interesting. I would think setting up forwarding from the secondaries to
    the Master (the 2003 DNS), then from the Master forwarding to the ISP, may
    alleviate it. Give it a shot and let me know how it works out.

    Ace

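The thread's root cause (post #7) was a standard primary zone whose Name Servers tab listed the registrar's public servers rather than the internal master, and post #9 adds a forwarder-chain suggestion. The following audit script is an added example, not code from the thread, from either poster, or from Microsoft. It assumes the DnsServer PowerShell module (Windows Server 2012 or later; the 2003/2008 servers in the thread would need dnscmd.exe for the same information), and every address and server name in it is a placeholder. It flags three things a defender would want to know about such a zone: a transfer policy that hands the zone to whatever the NS records list, apex NS records that resolve to addresses outside the servers you operate, and forwarders that point at the server itself or do not follow the secondary-to-master, master-to-ISP chain.

```powershell
# Added example (not from the thread or from Microsoft): audit one zone for the
# conditions discussed in the thread. Assumes the DnsServer module; all
# addresses below are placeholders (198.51.100.0/24 is a documentation range).
param(
    [string]   $ZoneName     = 'mydomain.com',                    # zone from the thread
    [string[]] $InternalDns  = @('10.0.130.100', '10.0.130.101'), # placeholder: servers you operate
    [string]   $MasterServer = '10.0.130.100',                    # placeholder: the 2003 primary ("Master")
    [string]   $IspForwarder = '198.51.100.53'                    # placeholder: ISP resolver
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Zone type and transfer policy. With "transfer to servers listed on the
#    Name Servers tab", the NS records decide who may pull the whole zone.
$zone = Get-DnsServerZone -Name $ZoneName
if ($zone.IsDsIntegrated) {
    $findings.Add("$ZoneName is AD-integrated; the thread's zone is a standard primary")
}
switch ("$($zone.SecureSecondaries)") {
    'TransferAnyServer'        { $findings.Add("$ZoneName allows zone transfer to ANY server") }
    'TransferToZoneNameServer' { $findings.Add("$ZoneName transfers to whatever the NS records list") }
}

# 2. Apex NS records: each one must resolve to a server you run. The thread's
#    zone listed the registrar's public servers here.
$apexNs = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType NS |
          Where-Object HostName -eq '@'
foreach ($rr in $apexNs) {
    $nsHost  = $rr.RecordData.NameServer.TrimEnd('.')
    $answers = Resolve-DnsName -Name $nsHost -Type A -Server $MasterServer -ErrorAction SilentlyContinue |
               Where-Object QueryType -eq 'A'
    if (-not $answers) {
        $findings.Add("NS $nsHost does not resolve via $MasterServer")
        continue
    }
    foreach ($ip in $answers.IPAddress) {
        if ($InternalDns -notcontains $ip) {
            $findings.Add("NS $nsHost ($ip) is outside the internal DNS server list")
        }
    }
}

# 3. Forwarder chain as suggested in post #9: secondaries forward to the
#    Master, the Master forwards to the ISP, and no server forwards to itself.
$selfIps    = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
$isMaster   = $selfIps -contains $MasterServer
$expected   = if ($isMaster) { $IspForwarder } else { $MasterServer }
$forwarders = @((Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString })

foreach ($fwd in $forwarders) {
    if ($selfIps -contains $fwd) {
        $findings.Add("forwarder $fwd is this server itself (forwarding loop)")
    }
}
if ($forwarders -notcontains $expected) {
    $role = if ($isMaster) { 'Master' } else { 'secondary' }
    $findings.Add("$role forwarders are [$($forwarders -join ', ')]; expected to include $expected")
}

# 4. Report. A non-zero exit code lets a scheduled task or monitoring job
#    alert when the zone drifts back to the state described in the thread.
if ($findings.Count -eq 0) {
    Write-Output "OK: $ZoneName NS records, transfer policy and forwarders look consistent"
    exit 0
}
$findings | ForEach-Object { Write-Output "FINDING: $_" }
exit 1
```

Run it on each DNS server with the real master and internal server list as parameters; on a secondary it expects the master among the forwarders, on the master it expects the ISP resolver. On the 2003/2008 servers in the thread, `dnscmd /ZoneInfo mydomain.com` shows the transfer setting and `dnscmd /EnumRecords mydomain.com @ /Type NS` shows the apex NS records, so the same checks can be done by hand there.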
