Sign in with
Sign up | Sign in
Your question

Screwed up my Win2000 AD DNS

Last response: in Windows 2000/NT
Share
Anonymous
March 17, 2005 7:30:13 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

I had 2 internal DNS servers, both AD-integrated into my Win2000 AD. I added
a new DC. And, being the idiot that I am, instead of adding this new DC as
another secondary DNS server, I configured it to add a new AD-integrated
zone onto this new DC ... with the name of my existing AD-integrated zone.

<SIGH>

So now I have a new DNS server, with an AD-integrated zone, with no entries
except itself. I have my 2 other servers, with zones with the same name,
that are now listed as primary (not AD-integrated) and secondary. So how
best to fix this mess?

Should I just DCPROMO the new DC out of the domain entirely, and then go to
my existing primary DNS and make that zone AD-integrated? If so, how?
If not, how best to proceed?

I still have name resolution fine, since all stations are pointing to the
server that is listed as primary.

Eventually, what I want is for the server currently listed as primary to be
AD-integrated, and to be the master, and the other 2 as secondaries. The new
DNS server is supposed to be the secondary. How can I get it back like that?

--
------------------------------------------------------------
Michael Leone, Systems Administrator
Philadelphia Contributionship
210 S. 4th Street, Philadelphia, PA 19106
<mailto:mleone@contributionship.com>
V: 215-627-1752 x1282
F: 215-627-5354

More about : screwed win2000 dns

Anonymous
March 18, 2005 2:21:31 AM

Archived from groups: microsoft.public.win2000.dns (More info?)

In news:u0IUCizKFHA.2648@TK2MSFTNGP14.phx.gbl,
Michael Leone <mleone@contributionship.com> commented
Then Kevin replied below:
> I had 2 internal DNS servers, both AD-integrated into my
> Win2000 AD. I added a new DC. And, being the idiot that I
> am, instead of adding this new DC as another secondary
> DNS server, I configured it to add a new AD-integrated
> zone onto this new DC ... with the name of my existing
> AD-integrated zone.

The reason this happened is you already had a zone in Active Directory, and
when you created this one in Active Directory, it overwrote the zone you had
in AD.

>
> <SIGH>
>
> So now I have a new DNS server, with an AD-integrated
> zone, with no entries except itself. I have my 2 other
> servers, with zones with the same name, that are now
> listed as primary (not AD-integrated) and secondary. So
> how best to fix this mess?

Do not use Secondary zones on DCs when you have an AD integrated zone on one
DC. You need to point all DCs to one DC for DNS only for DNS. Then on that
DC convert the AD zone to standard primary with dynamic updates allowed.
Make sure all other DCs have no primary or secondary zones and that the zone
object is deleted from ADUC in the System\MicrosoftDNS container. Then on
all DC run this command net stop netlogon & net start netlogon & ipconfig
/flushdns & ipconfig /registerdns
After this command completes and it is verified that all DCs have registered
in DNS with this command netdiag /test:D ns /v convert the Primary zone to AD
integrated and wait for it to replicate to all DCs with DNS installed. Do
not create the zone of any type on the other DCs, this will only overwrite
the zone you just created or cause a zone conflict.

<snip>

> Eventually, what I want is for the server currently
> listed as primary to be AD-integrated, and to be the
> master, and the other 2 as secondaries. The new DNS
> server is supposed to be the secondary. How can I get it
> back like that?

You cannot do this, if the zone is on one DC AD integrated, you must wait
for the zone to replicate, you cannot have a secondary zone for this name on
other DCs.
In an AD environment all zones are writable masters and will list themselves
as the master on the SOA record.

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
Anonymous
March 18, 2005 12:48:01 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

"Kevin D. Goodknecht Sr. [MVP]" <admin@nospam.WFTX.US> wrote in message
news:uO$6Zp3KFHA.3296@TK2MSFTNGP15.phx.gbl...
> In news:u0IUCizKFHA.2648@TK2MSFTNGP14.phx.gbl,
> Michael Leone <mleone@contributionship.com> commented
> Then Kevin replied below:
>> I had 2 internal DNS servers, both AD-integrated into my
>> Win2000 AD. I added a new DC. And, being the idiot that I
>> am, instead of adding this new DC as another secondary
>> DNS server, I configured it to add a new AD-integrated
>> zone onto this new DC ... with the name of my existing
>> AD-integrated zone.
>
> The reason this happened is you already had a zone in Active Directory,
> and
> when you created this one in Active Directory, it overwrote the zone you
> had
> in AD.

So I unfortunately found out. :-( And AD didn't even warn me, which I also
find aggravating ...

>
> Do not use Secondary zones on DCs when you have an AD integrated zone on
> one
> DC.

I probably misspoke. I don't want a secondary zone; what I really want is
another DC with DNS on it. I plan to keep this DC offsite, and use it during
Disaster Recovery. In case of disaster (even a test), I would fire up this
server; tell it to seize all 5 FSMO roles; clean up the metadata (since
there will be no other DCs to replicate to); and have my domain up and
running in a shorter amount of time.

And every 2-3 weeks, I would plug this DC back into the production LAN, and
let it synchronize with the others, then put it back offsite.


Thanks for all the help so far.
Anonymous
March 18, 2005 7:29:22 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

In news:uW189l8KFHA.440@TK2MSFTNGP10.phx.gbl,
Michael Leone <mleone@contributionship.com> commented
Then Kevin replied below:
> "Kevin D. Goodknecht Sr. [MVP]" <admin@nospam.WFTX.US>
> wrote in message
> news:uO$6Zp3KFHA.3296@TK2MSFTNGP15.phx.gbl...
>> In news:u0IUCizKFHA.2648@TK2MSFTNGP14.phx.gbl,
>> Michael Leone <mleone@contributionship.com> commented
>> Then Kevin replied below:
>>> I had 2 internal DNS servers, both AD-integrated into my
>>> Win2000 AD. I added a new DC. And, being the idiot that
>>> I am, instead of adding this new DC as another secondary
>>> DNS server, I configured it to add a new AD-integrated
>>> zone onto this new DC ... with the name of my existing
>>> AD-integrated zone.
>>
>> The reason this happened is you already had a zone in
>> Active Directory, and
>> when you created this one in Active Directory, it
>> overwrote the zone you had
>> in AD.
>
> So I unfortunately found out. :-( And AD didn't even warn
> me, which I also find aggravating ...
>
>>
>> Do not use Secondary zones on DCs when you have an AD
>> integrated zone on one
>> DC.
>
> I probably misspoke. I don't want a secondary zone; what
> I really want is another DC with DNS on it. I plan to
> keep this DC offsite, and use it during Disaster
> Recovery. In case of disaster (even a test), I would fire
> up this server; tell it to seize all 5 FSMO roles; clean
> up the metadata (since there will be no other DCs to
> replicate to); and have my domain up and running in a
> shorter amount of time.
>
> And every 2-3 weeks, I would plug this DC back into the
> production LAN, and let it synchronize with the others,
> then put it back offsite.
>
>
> Thanks for all the help so far.

Keeping it off site is one thing, I hope your not planning on keeping it off
site and off line even two or three weeks at a time. Two or three hours is
too much. That would be a major problem.

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
!