Missing ForestDNSZones and DomainDNSZones partitions under child AD 2003 domain

[Spin]

How come I do not see a ForestDNSZones and DomainDNSZones partition under my
child AD 2003 domain inside the DNS management console? This child domain
is one of two domains in an AD 2003 forest (one parent, one child) forest.
I do indeed see both of these partitions in the forest root domain but not
under the child domain. See URL below, you will have to set Internet
Explorer to FULL screen mode to view the bitmap properly. Notice in the
corp.alpha.local (highlighted domain in picture), both ForestDNSZones and
DomainDNSZonesare missing. But if you look under alpha.local (forest root)
both of these partitions are present.

[Ace Fekay [MVP]]

Try rt-clicking the zone, new domain, type in DomainDnsZones. Then run
netdiag /v /fix. Refresh the console. I've done it this was a few times.
Keep in mind, from a child, (can't remember this for sure), you may not be
able to see the ForestDnsZones since I believe you need to be an EA.

[Paul Williams [MVP]]

In addition to Ace's reply, are you sure these partitions exist? Can you
see the crossRef objects for them under CN=Partitions, CN=Configuration,
DC=domain-name, DC=com? If not, they need to be recreated. You can do this
from the DNSMGMT.MSC tool if your Domain Naming master FSMO role holder is
running Server 2003.

[Spin]

So Ace, I guess what you're saying is, if one does not log on as an EA to a
child domain (say they logon as a DA), and then proceeds to open the DNS
console, they will NOT see the ForestDNSZones and DomainDNSZones partitions
b/c these are only viewable by an EA? Or am I confused?

[Ace Fekay [MVP]]

No, that's not what I said. I said that you may be able to see the
DomainDnsZones, but _*MAY*_ not be able tosee the ForestDnsZones.

Have you tried my procedure yet? There's nothing to lose... and nothing
gained by not trying it.

[Paul Williams [MVP]]

You can check for their existence by viewing the namingContexts attribute of
the RootDSE. Simply fire up LDP and connect (enter nothing for serverless
bind or add a k3 DC).

[Paul Williams [MVP]]

From that LDP output, you have a ForestDNSZone but not a DomainDNSZone App
NC.

The scope of your child domain is probably still "All domain controllers in
this domain" as opposed to "All DNS servers in this domain".

As for why the ForestDNSZones isn't showing, three things spring to mind (in
no particular order):

1. Non-Windows 2003 DNSMGMT.MSC console or DNS server.
2. Permissions problem.
3. Name resolution problem.

Logon to the child domain with an admin account in the root domain and see
if you can see the ForestDNSZones then. If you can, you need to check the
permissions on that zone. If you cannot, you need to check that that
snap-in is OK and that the DNS server in question is actually reading zone
info. from AD. In the child, can you resolve
ForestDNSZones.domain-name.com? That sub-domain should have been
registered. You should be able to resolve it. If you can't, that is
probably your issue.

[Spin]

There are only two servers in the test environment. One AD/DNS server in
the parent domain and one in the child. Both run Windows Server 2003. The
replication scope of the child domain is set to all domain controllers in
the AD domain. Two questions.

1) Is that why I do not have a DomainDNSZones partition?
2) How should I attempt to resolve "ForestDNSZones.domain-name.com"? Should
I be using this syntax:

nslookup ForestDNSZones.alpha.local

[Paul Williams [MVP]]

Yes. Change to all DNS servers in the domain to store it in DomainDNSZones
app partition.

Yes, that is correct. If that doesn't work, test from the root domain.
Does it work there? Can you resolve host.alpha.local (where host is any
given host in that domain)?

When you run nslookup forestdnszones.alpha.local you should have the IP
address of your DC returned.

[Ace Fekay [MVP]]

In addition to Paul's response, you can also use ADSI Edit to look at the
partitions. Matter of fact, if you find any zones or records under the
partitions that start with CNF_, then you've got an issue due to conflicting
zones due to an administrator selecting the wrong replication scope of a
zone using the 2003 DNS console, say putting the zone in the "To all DNS
servers in the Active Directory domain contoso.com", which is the
DomainDNSZones, however, in the 2000 DNS console, it's still set to "To all
domain controllers in the Active Directory domain contoso.com", which is the
DomainNC partition, therefore creating a conflict. For obvious reasons, I've
see this quite often in a mixed 2000/2003 environment.

This will explain how to view them in ADSI Edit. Let us know if you find any
CNF entries in any of the partitions (Domain NC, DomainDnsZones, and
ForestDnsZones).

kbAlertz (867464) - Explains how to use ADSI Edit to resolve a problem where
the DNS service logs event ID 4515 in the DNS Server log.

[Spin]

Yes, the command nslookup ForestDNSZones.alpha.local does in fact return the
IP addresses of my root domain AD/DNS server and my child domain AD/DNS
server. However, I get an error when I change the replication scope of
corp.alpha.local to all DNS servers in the AD domain. I am logged on as a
DA in corp.alpha.local whenever I try this. The error is:

"The replication scope could not be set... The specified directory partition
does not exist".

What is weird is, the error is saying the "specified directory partition
does not exist" -- my response to that is of course is doesn't exist, I am
trying to create it! I'm befuddled!

[Spin]

I was able to successfully use ADSIEDIT to see both the ForestDNSZones and
DomainDNSZones in the forest root domain alpha.local (logged on as an EA to
that domain to that AD/DNS server). However, I get "Directory Object Not
Found" while searching for both ForestDNSZones and DmainDNSZones in the
child domain, logged on as a DA in the child domain to the child domain
AD/DNS server and even when logged on as an EA the child domain AD/DNS
server.

[Ace Fekay [MVP]]

Then this sounds (obviously) more of a DNS misconfiguration. How is the
child domain's DNS configured? Is it delegated from the parent or using
stubs? If you are trying to set the scope for the child and it;s not
working, then how is the child supposed to find the parent? Set it up with a
parent to child delegation, then forward from the child to the parent for
now to get it working first.

[Spin]

The child domain DNS server points to itself for preferred DNS server under
TCP/IP properties. In the DNS console, I have setup a forwarder pointing at
the root domain DNS server for unresolved queries. I have not setup any
delegation or stubs. Do I need to?

[Spin]

Ace, YOU ARE A GENIUS! After I re-read your post, I understood what you
meant. All I needed to do, like you said, was create a delegation on the
forest root domain for the child domain on the root domain DNS server. Once
I did that, and selected "Create Default Application Directory Partitions"
on my child domain DNS server, the DomainDNSZones partition (folder) showed
up!