AD Integrated problem


Curt Shaffer

We just tried to upgrade our DNS to AD Integrated and all of the host files
under the domain disappeared. The secondary DC could not get a list from
the PDC either. We tried remaking the zones on the secondary but it would
not pull from the primary. I have never seen this happen before. We had
backups of course, but I am confused as to why it happened. Any clues?

Thanks!

Curt Shaffer, MCP
Wireless/Network Specialist
Chilitech Internet Solutions
 
Curt Shaffer said:
We just tried to upgrade our DNS to AD Integrated and all of the host
files under the domain disappeared. The secondary DC could not get a
list from the PDC either. We tried remaking the zones on the
secondary but it would not pull from the primary. I have never seen
this happen before. We had backups of course, but I am confused as to
why it happened. Any clues?

Thanks!

Curt Shaffer, MCP
Wireless/Network Specialist
Chilitech Internet Solutions

Just changing the zone type to AD Integrated will not remove any host
records in DNS. When you make a zone AD Integrated, you are just simply
telling it to store the zone data in the actual AD database instead of a
text file in system32\dns. That's it. Some other DNS servers, I understand,
you can tell them to store them in other databases, such as SQL, Oracle,
etc. With Microsoft DNS, the only database option you have is the AD
database. Besides, it's much more secure this way, anyway. Once it's in the
AD database, it replicates as part of the AD database replication process to
all DCs in that domain (win2000). Win 2003 has additional feature sets that
enhance this behavior, to other domains, but I'm assuming you have Win
2000, since you posted in this group.

If you have a secondary zone, as long as you ensure the Primary or the AD
Integrated zone that is configured as the Master has zone transfers allowed,
then it should allow the transfer. Now if the secondary zone is sitting on a
DC in the same domain, then you should make that AD Integrated as well,
since the zone is stored in the AD database on that machine.

If you can describe your steps, step for step, in what you did that would
have caused what you are saying, maybe we can point out what went wrong and
where.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Ace said:

Just changing the zone type to AD Integrated will not remove any host
records in DNS. When you make a zone AD Integrated, you are just simply
telling it to store the zone data in the actual AD database instead of a
text file in system32\dns. That's it. Some other DNS servers, I understand,
you can tell them to store them in other databases, such as SQL, Oracle,
etc. With Microsoft DNS, the only database option you have is the AD
database. Besides, it's much more secure this way, anyway. Once it's in the
AD database, it replicates as part of the AD database replication process to
all DCs in that domain (win2000). Win 2003 has additional feature sets that
enhance this behavior, to other domains, but I'm assuming you have Win
2000, since you posted in this group.

If you have a secondary zone, as long as you ensure the Primary or the AD
Integrated zone that is configured as the Master has zone transfers allowed,
then it should allow the transfer. Now if the secondary zone is sitting on a
DC in the same domain, then you should make that AD Integrated as well,
since the zone is stored in the AD database on that machine.

If you can describe your steps, step for step, in what you did that would
have caused what you are saying, maybe we can point out what went wrong and
where.
We opened the properties for the zone on the Primary DNS (which is also a
DC) and changed the zone to AD-Integrated. We then opened the zone for the
secondary DNS (also a DC) and it said that the zone type was invalid and
would not accept the change. When we tried to remove the zone on the
secondary to attempt to re-add it as AD Integrated, it added fine but it did
not pull any records from the other. We checked the other and that is when
we found that all of the records were gone from both. We are running a
native 2000 domain also, to answer that question.

Thanks for your help
 
Curt Shaffer said:
We opened the properties for the zone on the Primary DNS (which is
also a DC) and changed the zone to AD-Integrated. We then opened the
zone for the secondary DNS (also a DC) and it said that the zone type
was invalid and would not accept the change. When we tried to remove
the zone on the secondary to attempt to re-add it as AD Integrated, it
added fine but it did not pull any records from the other. We checked
the other and that is when we found that all of the records were gone
from both. We are running a native 2000 domain also, to answer that
question.

Thanks for your help

I believe the series of steps you did *may have* caused the issue. You
should still have a backup copy of the original Primary zone in
system32\dns\backup. If so, copy the backup copy from the dns\backup folder
to the \dns folder, then delete both current zones, then create the zone on
the original DC, make it a Primary, and tell it to use the existing file. Once
you're satisfied your data is back, change it to AD Integrated. Once it's AD
Integrated, go to the other DC, create the zone, make it AD Integrated, and
you should be good to go.

Ace
 
Some other DNS servers, I understand, you can tell them to store them in other databases, such as SQL, Oracle, etc.

SQL servers, LDAP servers, CDB files, DB2, ODBC, ...

With Microsoft DNS, the only database option you have is the AD database.

The only other database option. "Zone" files are (source form) database storage as well, after all. So Microsoft's DNS server has two choices for DNS database.
 
In Ace Fekay [MVP] <PleaseSubstituteMyActualFirstName&[email protected]> commented
Then Kevin replied below:

I believe the series of steps you did *may have* caused
the issue. You should still have a backup copy of the
original Primary zone in system32\dns\backup. If so, copy
the backup copy from the dns\backup folder to the \dns
folder, then delete both current zones, then create the
zone on the original DC, make it a Primary, and tell it to
use the existing file. Once you're satisfied your data is
back, change it to AD Integrated. Once it's AD Integrated,
go to the other DC, create the zone, make it AD
Integrated, and you should be good to go.

When changing two DNS servers from Primary/Secondary to AD integrated, one
should only change the Primary to AD integrated, then delete the Secondary
zone. Changing one puts the zone in AD; then if you convert the secondary
it will try to create a new zone in AD because AD thinks it is a newer zone.
By deleting the secondary zone, this won't happen and the zone in AD will
replicate to the server that had the secondary.
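The conversion order Kevin describes (convert only the primary, delete the secondary, let AD replication deliver the zone), scripted as an added example that is not from this thread. It uses the DnsServer PowerShell module of later Windows Server versions rather than the Windows 2000 MMC; the zone name contoso.local and the DC names DC1/DC2 are assumptions, and the pre-conversion export and the record-count check at the end go beyond what the thread describes.

```powershell
# Added example (not from the thread): Kevin's conversion order, scripted with the
# DnsServer PowerShell module (Windows Server 2012+, not the Win2000 MMC the thread
# uses). Assumed names: zone contoso.local, primary DC1, former secondary DC2.
$Zone      = 'contoso.local'
$PrimaryDc = 'DC1'
$SecondDc  = 'DC2'

# 1. Keep a copy of the file-backed primary zone before touching it, in addition to
#    the automatic system32\dns\backup copy Ace relies on for the restore.
Export-DnsServerZone -Name $Zone -FileName "$Zone.pre-adi.dns" -ComputerName $PrimaryDc
$before = (Get-DnsServerResourceRecord -ZoneName $Zone -ComputerName $PrimaryDc).Count

# 2. Convert ONLY the primary. 'Legacy' stores the zone in the domain NC, the
#    Win2000-compatible location Ace calls the DomainNC; 'Domain' uses DomainDnsZones.
ConvertTo-DnsServerPrimaryZone -Name $Zone -ReplicationScope Legacy -ComputerName $PrimaryDc -Force

# 3. Delete the secondary zone on the other DC instead of converting it. Converting it
#    would register a second, newer-looking copy in AD and overwrite the real one.
$sec = Get-DnsServerZone -Name $Zone -ComputerName $SecondDc -ErrorAction SilentlyContinue
if ($sec -and $sec.ZoneType -eq 'Secondary') {
    Remove-DnsServerZone -Name $Zone -ComputerName $SecondDc -Force
}

# 4. Do not create the zone on DC2 by hand; wait for AD replication to deliver it.
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 30
    $adZone = Get-DnsServerZone -Name $Zone -ComputerName $SecondDc -ErrorAction SilentlyContinue
} until (($adZone -and $adZone.IsDsIntegrated) -or (Get-Date) -gt $deadline)

if (-not $adZone) {
    throw "Zone $Zone has not replicated to $SecondDc yet; keep waiting, do not recreate it."
}

# 5. Prove nothing was lost: record counts on both DCs must match the pre-conversion count.
$onPrimary = (Get-DnsServerResourceRecord -ZoneName $Zone -ComputerName $PrimaryDc).Count
$onSecond  = (Get-DnsServerResourceRecord -ZoneName $Zone -ComputerName $SecondDc).Count
if ($onPrimary -ne $before -or $onSecond -ne $before) {
    throw "Record count mismatch: before=$before $PrimaryDc=$onPrimary $SecondDc=$onSecond"
}
"Zone $Zone is AD integrated on both DCs with $before records."
```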
 
Kevin D. Goodknecht Sr. said:
When changing two DNS servers from Primary/Secondary to AD
integrated, one should only change the Primary to AD integrated, then
delete the Secondary zone. Changing one puts the zone in AD; then if
you convert the secondary it will try to create a new zone in AD
because AD thinks it is a newer zone. By deleting the secondary zone,
this won't happen and the zone in AD will replicate to the server
that had the secondary.

What I think he did: when he changed the secondary to AD Integrated, had
problems trying to save it and then attempted to delete it, it may
have taken as AD Integrated, but when he tried to add it, it added a brand
new empty zone. Not sure why, unless he may have replication issues. Hence
why I suggested using the backup file to restore the original data.

:-)

Ace
 
In Ace Fekay [MVP] <PleaseSubstituteMyActualFirstName&[email protected]> commented
Then Kevin replied below:

What I think he did: when he changed the secondary to AD
Integrated, had problems trying to save it and then
attempted to delete it, it may have taken as AD
Integrated, but when he tried to add it, it added a brand
new empty zone. Not sure why, unless he may have
replication issues. Hence why I suggested using the
backup file to restore the original data.

I agree with the part of restoring the data from a backup of the primary,
the problem is on the final step. Once the zone is in AD, don't go to
another DC and create another zone in AD. That will overwrite the previous
zone you just created in AD.
 
Kevin D. Goodknecht Sr. said:
I agree with the part of restoring the data from a backup of the
primary, the problem is on the final step. Once the zone is in AD,
don't go to another DC and create another zone in AD. That will
overwrite the previous zone you just created in AD.



I was just saying to create the same zone name, and make it AD integrated.
That will pull the data from AD. It shouldn't overwrite it.

Ace
 
In Ace Fekay [MVP] <PleaseSubstituteMyActualFirstName&[email protected]> commented
Then Kevin replied below:

I was just saying to create the same zone name, and make
it AD integrated. That will pull the data from AD. It
shouldn't overwrite it.

I think what happened, he made the change before AD replicated, so when he
made the change it created a new zone in AD which would overwrite the other
zone. Usually if you change one then the other you will get a pop-up message
that says the zone already exists in AD and asks if you want to use the zone
in AD or overwrite the existing zone. If the change was made before the zone
replicated it may have overwritten the other zone. Win2k3 will create
conflicting zones in AD, giving one a name beginning with CNF. I don't think
Win2k does this, it just overwrites it. I've seen this behavior myself on my
two DCs before I figured out I just had to wait for replication.
 
In
Kevin D. Goodknecht Sr. said:
I think what happened, he made the change before AD replicated, so
when he made the change it created a new zone in AD which would
overwrite the other zone. Usually if you change one then the other
you will get a pop-up message that says the zone already exists in AD
and asks if you want to use the zone in AD or overwrite the existing
zone. If the change was made before the zone replicated it may have
overwritten the other zone. Win2k3 will create conflicting zones in
AD, giving one a name beginning with CNF. I don't think Win2k does
this, it just overwrites it. I've seen this behavior myself on my two
DCs before I figured out I just had to wait for replication.

That's probably what happened. He did it on the one machine, then did it
immediately on the other machine. W2k just overwrites it, you're right about
that one. W2k3, depending on which replication domain setting is chosen,
will create the conflict. If he chose the center selection, that goes into
the DomainDnsZones; the bottom selection goes into the DomainNC, which is 2k
compatible. If he did it differently on each server, then the CNF will
appear.

Cheers!

Ace
 