Hi
I am running the following scenario:
Windows 2000 Server domain, to be upgraded to Windows 2003. All current DCs are end-of-life, so no operating system upgrades. All DCs will be replaced with new servers running W2003. The domain is "forest-of-one-domain" model w/ 3 AD sites.
I have performed the following steps so far:
1. Installed new W2003 servers as member servers of the domain.
2. adprep /forestprep (using R2 schema v31).
3. adprep /domainprep.
4. Promoted 1 of the W2003 servers using dcpromo.
Replication links all work once KCC has built the connection objects, without problem.
In the DNS server on the new W2003 machine I get repeated DNS event 4521 errors and the DNS GUI states that the zone cannot be loaded.
Is the error because of different storage locations in AD between 2000 and 2003 servers?
To get round this, I have deleted the domain.com zone on the 2003 server, created a secondary zone to get the data from one of the W2000 DC/DNS servers and then converted the zone to primary/AD storage. Is this a safe and viable option?
Thanks
In news:BB9993F4-2DBB-4745-94B6-429A3D8F5B01[ at ]microsoft.com, hampshirebrit <hampshirebrit[ at ]discussions.microsoft.com> typed:
> <snip>
Tough question to answer without specifics.
1. Are you stating there is a current mixture of 2000 and 2003 DCs in the forest?
2. What FL is the forest set to?
3. Please post an ipconfig /all of the new DC and of one of your client machines (unedited please).
4. What is the actual AD DNS FQDN?
5. What replication scope did you put the zone in?
6. Assuming the zone is AD integrated (but it also depends on what replication scope it's set to), did you try and create the zone name in your new DC after you ran dcpromo and installed DNS on it, or did you just patiently wait for the zone to appear (as you should have if it is an existing zone in the AD database)?
-- Regards, Ace
This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP Microsoft MVP - Directory Services Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations
Having difficulty reading or finding responses to your post? Instead of the website you're using, try using OEx (Outlook Express or any other newsreader), and configure a news account, pointing to news.microsoft.com. Anonymous access. It's free - no username or password required nor do you need a Newsgroup Usenet account with your ISP. It connects directly to the Microsoft Public Newsgroups. OEx allows you to easily find, track threads, cross-post, sort by date, poster's name, watched threads or subject. It's easy:
How to Configure OEx for Internet News http://support.microsoft.com/?id=171164
"Quitting smoking is easy. I've done it a thousand times." - Mark Twain
"Ace Fekay [MVP]" wrote:
> <snip>
Hi Ace
1. Yes, 2000 with one 2003 DC, but all 2000 DCs are destined to be replaced by new 2003 DCs.
2. Forest level is Windows 2000.
3. DC first:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : test96
   Primary Dns Suffix  . . . . . . . : test.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : test.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
   Physical Address. . . . . . . . . : 00-0C-29-34-91-56
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 131.107.2.206
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 131.107.2.210
   DNS Servers . . . . . . . . . . . : 131.107.2.201
                                       131.107.2.202
                                       141.107.2.201
                                       141.107.2.202
                                       151.107.2.201

Client:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : test2s98
   Primary Dns Suffix  . . . . . . . : test.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : test.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
   Physical Address. . . . . . . . . : 00-0C-29-80-ED-1E
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 151.107.2.205
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 151.107.0.210
   DNS Servers . . . . . . . . . . . : 151.107.2.201
                                       131.107.2.201
                                       131.107.2.202
                                       141.107.2.201
                                       141.107.2.202

4. FQDN: test.local
5. I'm assuming you mean the newly created one on the 2003 domain controller... this was set to the default "to all DCs in the AD domain".
6. The server was running DNS prior to being promoted to DC. So I "waited patiently". No result, only the 4521 eventlog entries.
In news:6C3BE15E-735B-49BB-BC8D-AF10FE285CAB[ at ]microsoft.com, hampshirebrit <hampshirebrit[ at ]discussions.microsoft.com> typed:
> <snip>
I assume this test domain is all private and not on the Internet. You do know that the 131.107.x.x IP address space belongs to Microsoft?
What are all those IP addresses for DNS servers? Does each one represent a DC in the forest? Keep in mind that AD members must ONLY point to the DNS servers that host the AD zone. In your case, the AD zone is test.local. Do all of these servers host the zone?
The DNS servers listed also appear to be on different subnets. Are they in different locations? Is there a VPN between them? Can you elaborate please?
The IP address of the machine test2s98.test.local is different than test96.test.local. Are they in different locations? Is there a VPN between them?
Actually, only 2, max 3 would suffice for DNS addresses in IP properties anyway. Based on the way the resolver service works, which asks the first one for an answer and only if it gets a null response does it go to the second one, it may never get past the first or second one anyway. Keep in mind if it gets a negative answer, such as an "I don't know," that is considered an answer and it won't look any further. Hence why you cannot specify DNS servers that do not host the zone. Use a forwarder for internet resolution.
Event ID 4521 may be hinting at it cannot find AD to enumerate the zone, which may point back to a DNS configuration issue.
Ace
> I assume this test domain is all private and not on the Internet. You do know that the 131.107.x.x IP address space belongs to Microsoft?

Yes, it is completely private and isolated from the internet.

> What are all those IP addresses for DNS servers? Does each one represent a DC in the forest? Keep in mind, that AD members must ONLY point to the DNS servers that host the AD zone. In your case, the AD zone is test.local. Do all of these servers host the zone?

Yes. All referenced servers are DCs and DNS servers.

> The DNS servers listed also appear to be on different subnets. Are they in different locations? Is there a VPN between them? Can you elaborate please?

3 AD sites. There is no VPN or firewall between them.

> The IP address of the machine test2s98.test.local is different than test96.test.local. Are they in different locations? Is there a VPN between them?

See above.

> Actually, only 2, max 3 would suffice for DNS addresses in IP properties anyway. Based on the way the resolver service works, which asks the first one for an answer and only if it gets a null response does it go to the second one, it may never get past the first or second one anyway. Keep in mind if it gets a negative answer, such as an "I don't know," that is considered an answer and won't look any further. Hence why you cannot specify DNS servers that do not host the zone. Use a forwarder for internet resolution.

All host the zone.

> Event ID 4521 may be hinting at it cannot find AD to enumerate the zone, which may point back to a DNS configuration issue.

It's more than hinting it, I'd say.
I guess I didn't phrase this question very well.
What is the upgrade path for a Windows 2000 environment, where NONE of the current AD servers will be upgraded to Windows 2003 server, but will be REPLACED by NEW server platforms running Windows 2003, initially configured as member servers and then promoted to DCs?
The documentation I have seen only points to guidance for in-place upgrades of W2000 servers to 2003, not replacements.
The error has occurred in two test iterations, immediately after the first 2003 DC has been promoted.
The "fix" as I described it in the first post appears to work, but results in two test.local DNS zones, one replicated only to the Windows 2000 servers (the original one) and the other only replicated to W2003 servers. This points to a DNS zone storage issue, rather than just a DNS configuration issue. I suspect that the 4521 occurs because the 2003 DC is not looking in the right place for the zone information.
Although the fix is viable in this environment, as all the 2000DCs will be demoted, it would not be viable if some 2000 servers were to remain.
In news:38C03C72-6E4A-4D17-9DA4-C35F3F4693BB[ at ]microsoft.com, hampshirebrit <hampshirebrit[ at ]discussions.microsoft.com> typed:
> <snip>
Your original question was: "Is the error because of different storage locations in AD btw 2000 and 2003 servers?"
Yes and no. Possibly. When upgrading, the machine holding the Domain Name Master MUST be a 2003 DC.
As for DNS "storage" issues, then it points to the fact you selected two different replication scopes. The scope you selected (sorry for not addressing it in my previous post) is "to all DCs in the AD domain", which is the center button. In a mixed system, you MUST select the bottom button. No other way around this. To fix it, delete the zone that you manually created and set to the incorrect replication scope on the new 2003 server. Then leave it alone and allow replication to do its part. The real zone will auto appear.
Just in case, you may want to go into ADUC and into ADSI Edit and delete any zone references that have a "CNF" prefix. That means 'conflict' due to duplicate zones (based on the one that you created). Below is the full explanation I post for folks (from my private blog). But in the meantime, I would suggest to just use two DNS addresses on each server. The 4 or 5 specified is a bit of an overkill and technically servers 3 and onward may never be used unless the first 3 DCs are literally powered down and out.
================================== ==================================
Conflicting AD Integrated zones if they exist in both the Domain NC and one of the Application Partitions or if you get a weird error message stating: "The name limit for the local computer network adapter card was exceeded."
Under Windows 2000, the physical AD database is broken up into 3 logical partitions, the DomainNC (Domain Name Context, or some call the Domain Name Container), the Configuration Partition, and the Schema Partition. The Schema and Config partitions replicate to all DCs in a forest. However, the DomainNC is specific only to the domain the DC belongs to. That's where a user, domain local or global group is stored. The DomainNC only replicates to the DCs of that specific domain. When you create an AD Integrated zone in Win 2000, it gets stored in the DomainNC. This causes a limitation if you want this zone to be available on a DC/DNS server that belongs to a different domain. The only way to get around that is for a little creative designing using either delegation, or secondary zones. This was a challenge for the _msdcs zone, which must be available forest wide to resolve the forest root domain, which contains the Schema and Domain Name Masters FSMO roles.
In Windows 2003, there were two additional partitions added, they are called the DomainDnsZones and ForestDnsZones Application Partitions, specifically to store DNS data. They were conceived to overcome the limitation of Windows 2000's AD Integrated zones. Now you can store an AD Integrated zone in either of these new partitions instead of the DomainNC. If stored in the DomainDnsZones app partition, it is available only in that domain's DomainDnsZones partition. If you store it in the ForestDnsZones app partition, it will be available to any DC/DNS server in the whole forest. This opens many more design options. It also ensures the availability of the _msdcs zone to all DCs in the forest. By default in Win 2003, the _msdcs zone is stored in the ForestDnsZones application partition.
When selecting a zone replication scope in Win2003, in the zone's properties, click on the "Change" button. Under that you will see 3 options:
- To choose the ForestDnsZones: "To all DNS servers in the AD forest example.com"
- To choose DomainDnsZones: "To all DNS servers in the AD domain example.com"
- To choose the DomainNC (only for compatibility with Win2000): "To all domain controllers in the AD domain example.com"
If you have a duplicate, that's telling me that there is a zone that exists in the DomainNC and in the DomainDnsZones Application partition. This means at one time, or currently, you have a mixed Win2000/2003 environment and you have DNS installed on both operating systems. On Win2000, if the zone is AD Integrated, it is in the DomainNC, and should be set the same in Win2003's DC/DNS server to keep compatible. Someone must have attempted to change it in Win2003 DNS to put it in the DomainDnsZones partition not realizing the implications, hence the duplicate. In a scenario such as this where you want to use the Win2003 app partitions, you then must ensure the zone on the Win2003 is set to the DomainNC, then uninstall DNS off the Win2000 machine, then once that's done, you can then go to the Win2003 DNS and change the partition's replication scope to one of the app partitions.
In ADSI Edit, you can view all five partitions. You were viewing the app partitions, but not the main partitions. You need to add the DomainNC partition in order to delete that zone. But you must uninstall DNS off the Win2000 server first, unless you want to keep the zone in the DomainNC. But that wouldn't make much sense if you want to take advantage of the _msdcs zone being available forest wide in the ForestDnsZones partition, which you should absolutely NOT delete. I would just use the Win2003 DNS servers only.
In ADSI Edit, right-click ADSI Edit, Connect to, in the Connection Point click on "Well known Naming Context", then in the drop-down box select "Domain". Drill down to CN=System. Under that you will see CN=MicrosoftDNS. You will see the zone in there.
But make sure to decide FIRST which way to go before you delete anything.
Some reading for you... Directory Partitions: http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbg_dat_favt.asp
kbAlertz- (867464) - Explains how to use ADSI Edit to resolve app partitions issues: http://www.kbalertz.com/kb_867464.aspx
How to fix it? -------------
What I've done in a few cases with my clients that have issues with 'duplicate' zone entries in AD (because the zone name was in the Domain NC (Name Container) Partition, and also in the DomainDnsZones App partition), was first to change the zone on one of the DCs to a Primary zone, and allowed zone transfers. Then I went to the other DCs and changed the zone to a Secondary, using the first DC as the Master. Then I went into ADSI Edit, (from memory) under the Domain NC, Services, DNS, and deleted any reference to the domain name. Then I added the DomainDnsZones partition to the ADSI Edit console, and deleted any reference to the zone name in there as well. If you see anything saying something to the extent of a phrase that says "In Progress...." or "CNF" with a long GUID number after it, delete them too. Every time you may have tried to change the replication scope, it creates one of them. Delete them all.
Then I forced replication. If there were Sites configured, I juggled around the servers and subnet objects so all of the servers are now in one site, then I forced replication (so I didn't have to wait for the next site replication schedule). Once I've confirmed that replication occurred, and the zones no longer existed in either the Domain NC or DomainDnsZones, then I changed the zone on the first server back to AD Integrated, choosing the middle button for its replication scope (which puts it in the DomainDnsZones app partition). Then I went to the other servers and changed the zone to AD Integrated choosing the same replication scope. Then I reset the sites and subnet objects, and everything was good to go.
Keep in mind, I left the _msdcs... zone alone, since that wasn't causing any problems and is located in the ForestDnsZones (default) in all of my client cases I've come across with so far.
It seems like a lot of steps, but not really. Just read it over a few times to get familiar with the procedure. You may even want to change it into a numbered step by step list if you like. If you only have one DC, and one Site, then it's much easier since you don't have to mess with secondaries or play with the site objects.
I hope that helped!
================================== ==================================
Ace
Sorry, but I don't understand this.
> As for DNS "storage" issues, then it points to the fact you selected two different replication scopes. The scope you selected (sorry for not addressing it in my previous post) is "to all DCs in the AD domain", which is the center button. In a mixed system, you MUST select the bottom button. No other way around this. To fix it, delete the zone that you manually created and set to the incorrect replication scope on the new 2003 server. Then leave it alone and allow replication to do its part. The real zone will auto appear.
It conflicts with MS documentation on the subject:
http://technet2.microsoft.com/windowsserver/en/library/6c0515cf-1719-4bf4-a3c0-7e3514cef6581033.mspx?mfr=true
which states that "All domain controllers in the Active Directory domain" should be used "if you want Windows 2000 DNS servers to load an Active Directory zone". This is also the default setting when promoting a W2003 server to a DC in a W2000 domain.
To re-iterate, I am upgrading a W2000 Active Directory to W2003, without upgrading the existing domain controllers, but by running adprep/forestprep and then adprep/domainprep, and then promoting a W2003 server to become a domain controller w/DNS server.
The DNS configuration on the Windows 2000 domain is unmodified from standard, i.e. Active Directory integrated. The fault (DNS event 4521) shows up in the Windows 2003 server's DNS eventlog once it is promoted as a DC.
No manual configuration has been performed on DNS configuration at all on either Windows 2000 DCs or Windows 2003 DCs before the fault occurs. The configuration of DNS on both W2000 and W2003 platforms is completely default, as performed as a function of the dcpromo on all DCs with a unmodified DNS installation.
I have now observed this fault predictably occurring in AD upgrade scenarios based on the above, in the following test environments:
- A multi-site single domain
- A single-site single domain
- In a domain where the Domain Naming Master role is on the original 2000 DC
- In a domain where the Domain Naming Master role has been transferred to the Windows 2003 DC
I know that I can get round this issue by upgrading the FSMO roleholder W2000 DC to W2003. But I do not want to do this (and should not have to). The point of this exercise is not to upgrade any server's operating system.
In news:E763B2E5-0728-4AC9-AF4E-946E1928795A[ at ]microsoft.com, hampshirebrit <hampshirebrit[ at ]discussions.microsoft.com> typed:
> Sorry, but I don't understand this.
>
>> As for DNS "storage" issues, then it points to the fact you selected two different replication scopes. The scope you selected (sorry for not addressing it in my previous post) is "to all DCs in the AD domain", which is the center button. In a mixed system, you MUST select the bottom button. No other way around this. To fix it, delete the zone that you manually created and set to the incorrect replication scope on the new 2003 server. Then leave it alone and allow replication to do its part. The real zone will auto appear.
>
> It conflicts with MS documentation on the subject:
>
> http://technet2.microsoft.com/windowsserver/en/library/6c0515cf-1719-4bf4-a3c0-7e3514cef6581033.mspx?mfr=true
>
> which states that "All domain controllers in the Active Directory domain" should be used "if you want Windows 2000 DNS servers to load an Active Directory zone". This is also the default setting when promoting a W2003 server to a DC in a W2000 domain.

Sorry, I thought it was the middle button. The bottom button, as you've stated, is the correct selection in a mixed environment.
However, what triggered me to say what I did is something you stated in your original post:
"The "fix" as I described it in the first post appears to work, but results in two test.local DNS zones, one replicated only to the windows 2000 servers (the original one) and the other only replicated to W2003 servers. This points to a DNS zone storage issue, rather than just a DNS configuration issue. I suspect that the 4512 occurs b/c the 2003 DC is not looking in the right place for the zone information."
"To get round this, I have deleted the domain.com zone on the 2003 server, created a secondary zone to get the data from one of the w2000 DC/DNS servers and then converted the zone to primary/ad storage. Is this a safe and viable option?"
This was actually what may have caused the problem. To answer the question if it is a safe and viable option (which I should have answered earlier): no, it's not a safe and viable option. Let me explain. If a zone is AD Integrated, meaning the zone is stored in the actual AD database, then all DCs that have DNS installed on them will be aware of the zone in the AD database, of course depending on its replication scope, and this may be somewhat contradictory to whether or not you get a message saying the 'zone can be loaded.'
Also, when you opted to delete the zone on one DC, you essentially opted to delete the zone, or rather essentially opted to remove it completely from the AD database so it no longer exists. This action will then get replicated to all DCs so all DCs are now aware the zone should no longer exist in the AD database. Now you said you got a copy of the zone as a secondary. That alone will cause a duplicate error in AD and a DC will promptly remove the zone from that DC. Surprisingly and possibly due to timing (how fast you did this), you may have created the zone, deleted the original and replication didn't occur fast enough, then you changed the zone to AD integrated (regardless of replication scope) where in effect you may have now duplicate data in AD.
To determine whether there actually is duplicate data, you will need to look in two places: ADSI Edit and ADUC in Advanced View\Services\Microsoft DNS. If nothing in ADUC, then you must look in ADSI Edit in the DomainNC section (the AD database for the domain it is a member of, which is the bottom button in the replication scope properties) and also in the DomainDnsZones replication scope, which is the center button, which I would look in just in case, because when you create a zone and make it AD Integrated, it automatically defaults to the center button.
Either way, if dupes exist, you will see a zone name with a "CNF..." prefix. You may also see that in there on other DNS objects, and not just zones. If you do, promptly delete the CNF entries since they are useless and signal the fact the system discovered a dupe.
> To re-iterate, I am upgrading a W2000 Active Directory to W2003, without upgrading the existing domain controllers, but by running adprep/forestprep and then adprep/domainprep, and then promoting a W2003 server to become a domain controller w/DNS server.
>
> The DNS configuration on the Windows 2000 domain is unmodified from standard, i.e. Active Directory integrated. The fault (DNS event 4521) shows up in the Windows 2003 server's DNS eventlog once it is promoted as a DC.
>
> No manual configuration has been performed on DNS configuration at all on either Windows 2000 DCs or Windows 2003 DCs before the fault occurs. The configuration of DNS on both W2000 and W2003 platforms is completely default, as performed as a function of the dcpromo on all DCs with an unmodified DNS installation.

Sometimes it's just a matter of waiting it out to let replication occur and AD will self-heal (so to speak) provided DNS is configured correctly and pointing to the correct servers, as well as there are no MTU changes other than default on the routers, no NAT between segments (AD can't communicate across NAT unless VPN'd thru it), and the DNM, Schema and GC are on the new GC, assuming that a DC in the forest root was updated first. Can't update a child DC first because of the DNM rule of thumb.
> I have now observed this fault predictably occurring in AD upgrade scenarios based on the above, in the following test environments:
>
> - A multi-site single domain
> - A single-site single domain
> - In a domain where the Domain Naming Master role is on the original 2000 DC
> - In a domain where the Domain Naming Master role has been transferred to the Windows 2003 DC
Honestly, in all of the domains/forests I've upgraded over the years. I have NEVER seen such an issue.
> I know that I can get round this issue by upgrading the FSMO roleholder W2000 DC to W2003. But I do not want to do this (and should not have to). The point of this exercise is not to upgrade any server's operating system.
Nah, all you have to do is transfer the Domain Name Master and Schema Master to the new 2003 DC, as well as make it a GC. Those are part of the first rule of thumb in an upgrade scenario.
Ace
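The check Ace describes in his "Conflicting AD Integrated zones" write-up and again in his last reply (open ADSI Edit, look under CN=MicrosoftDNS in the DomainNC and in the DomainDnsZones/ForestDnsZones partitions, and look for CNF conflict objects) can be scripted so that the three locations are compared side by side before anything is deleted. The following PowerShell is an added example written for this page; it is not code from the thread or from Microsoft. It assumes PowerShell 3 or later on a domain-joined machine with read access to the directory, a single-domain forest (so ForestDnsZones hangs off the same domain DN, as in the OP's test.local), and the thread's zone and domain names as defaults. It is read-only: it reports, it does not delete.

```powershell
# Added example (not from the thread): report where an AD-integrated zone is
# actually stored and whether duplicate or CNF (conflict) copies exist.
# Assumptions: PS 3+, domain-joined, single-domain forest, read access to AD.
param(
    [string]$Domain   = 'test.local',   # assumption: the OP's test domain
    [string]$ZoneName = 'test.local'    # assumption: the zone logging event 4521
)

$domainDn = 'DC=' + (($Domain -split '\.') -join ',DC=')

# The three storage locations behind the three replication-scope buttons.
$containers = [ordered]@{
    'DomainNC ("all domain controllers in the AD domain", W2000-compatible)' = "CN=MicrosoftDNS,CN=System,$domainDn"
    'DomainDnsZones ("all DNS servers in the AD domain")'                   = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
    'ForestDnsZones ("all DNS servers in the AD forest")'                   = "CN=MicrosoftDNS,DC=ForestDnsZones,$domainDn"
}

function Get-DnsZoneObjects {
    # One object per dnsZone child of the given MicrosoftDNS container;
    # nothing if the container (or its application partition) does not exist,
    # which is normal in a forest that is still pure Windows 2000.
    param([string]$ContainerDn, [string]$Partition)

    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$ContainerDn")) { return }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [adsi]"LDAP://$ContainerDn"
    $searcher.SearchScope = 'OneLevel'
    $searcher.Filter      = '(objectClass=dnsZone)'
    [void]$searcher.PropertiesToLoad.Add('dc')
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    foreach ($result in $searcher.FindAll()) {
        $name = [string]$result.Properties['dc'][0]
        [pscustomobject]@{
            Partition  = $Partition
            Name       = $name
            # AD renames the loser of a replication collision to "<name>\0ACNF:<guid>";
            # that CNF: marker is what the thread tells you to look for in ADSI Edit.
            IsConflict = ($name -match 'CNF:')
            Dn         = [string]$result.Properties['distinguishedName'][0]
        }
    }
}

$zones = @(foreach ($label in $containers.Keys) {
    Get-DnsZoneObjects -ContainerDn $containers[$label] -Partition $label
})

"Zone objects found per partition:"
$zones | Sort-Object Partition, Name | Format-Table Partition, Name, IsConflict -AutoSize

# A healthy zone has exactly one non-conflict copy in exactly one partition.
$copies    = @($zones | Where-Object { -not $_.IsConflict -and $_.Name -eq $ZoneName })
$conflicts = @($zones | Where-Object { $_.IsConflict -and $_.Name -like "$ZoneName*" })

switch ($copies.Count) {
    0       { Write-Warning "Zone '$ZoneName' is not stored in AD in any partition here (file-backed primary, or not replicated to this DC yet)." }
    1       { "Zone '$ZoneName' is stored once, in: $($copies[0].Partition)" }
    default {
        Write-Warning "Zone '$ZoneName' exists in $($copies.Count) partitions; a W2000/W2003 mix needs it in the DomainNC only:"
        $copies | ForEach-Object { "  $($_.Dn)" }
    }
}

if ($conflicts.Count -gt 0) {
    Write-Warning "CNF conflict objects for '$ZoneName' (decide on a storage location first, then delete these in ADSI Edit):"
    $conflicts | ForEach-Object { "  $($_.Dn)" }
}

# Cross-check against the DNS server's own view of the zone when dnscmd is
# available (W2003 DNS role / support tools); its DS-integration and
# directory-partition lines should agree with the single partition above.
if (Get-Command dnscmd.exe -ErrorAction SilentlyContinue) {
    dnscmd $env:COMPUTERNAME /ZoneInfo $ZoneName
}
```

Run it on the new W2003 DC and on one of the W2000 DCs and compare: in the OP's scenario the expected outcome is a single copy in the DomainNC on both, with no CNF objects. Two copies in different partitions, or any CNF object, is the duplicate-zone condition the thread describes, and the deletion steps still belong to a human after the storage decision has been made.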
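Ace's rule of thumb in his earlier reply and in this last one (the Domain Naming Master and Schema Master should already be on a Windows 2003 DC that is also a GC before the new DC/DNS server is expected to load the zone) is easy to verify in the directory rather than from memory. The following PowerShell is an added example written for this page, not code from the thread or from Microsoft. It assumes PowerShell 3 or later on a domain-joined machine, reads the fSMORoleOwner attributes and the holder's computer object, and treats an operatingSystem value containing "2003" as a Windows Server 2003 DC (an assumption about the attribute text). Read-only; transferring roles is left to ntdsutil or the MMC snap-ins.

```powershell
# Added example (not from the thread): are the Domain Naming Master and
# Schema Master on a Windows 2003 DC that is also a Global Catalog?
# Assumptions: PS 3+, domain-joined, read access to the configuration and
# schema partitions; "2003" appears in the DC's operatingSystem attribute.

function Get-FsmoHolder {
    # $RoleDn is the object whose fSMORoleOwner attribute names the holder:
    # CN=Partitions,<config NC> for the Domain Naming Master, the schema NC
    # for the Schema Master. The value is the holder's NTDS Settings DN.
    param([string]$RoleName, [string]$RoleDn)

    $holderNtdsDn = [string]([adsi]"LDAP://$RoleDn").fSMORoleOwner
    $ntds     = [adsi]"LDAP://$holderNtdsDn"           # CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...
    $server   = $ntds.psbase.Parent                     # server object: dNSHostName, serverReference
    $computer = [adsi]"LDAP://$([string]$server.serverReference)"

    [pscustomobject]@{
        Role   = $RoleName
        Holder = [string]$server.dNSHostName
        OS     = [string]$computer.operatingSystem
        IsGC   = ((([int]$ntds.options) -band 1) -eq 1)  # bit 0 of NTDS Settings 'options' = is a GC
    }
}

$rootDse  = [adsi]'LDAP://RootDSE'
$configDn = [string]$rootDse.configurationNamingContext
$schemaDn = [string]$rootDse.schemaNamingContext

$holders = @(
    Get-FsmoHolder -RoleName 'Domain Naming Master' -RoleDn "CN=Partitions,$configDn"
    Get-FsmoHolder -RoleName 'Schema Master'        -RoleDn $schemaDn
)

$holders | Format-Table Role, Holder, OS, IsGC -AutoSize

$ready = $true
foreach ($h in $holders) {
    if ($h.OS -notmatch '2003') {
        Write-Warning "$($h.Role) is on $($h.Holder) ($($h.OS)); transfer it to the new W2003 DC before relying on the W2003 DNS server."
        $ready = $false
    }
    if (-not $h.IsGC) {
        Write-Warning "$($h.Holder) holds the $($h.Role) but is not a Global Catalog."
        $ready = $false
    }
}
if ($ready) { "Both roles are on a W2003 DC that is a GC; the thread's prerequisite is met." }
```

The OP reports the 4521 errors both with the Domain Naming Master left on a W2000 DC and after transferring it, so this script settles the prerequisite question quickly in each test iteration; it does not by itself explain the zone-load failure, which is what the zone storage check is for.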