DNS calling Domain Naming Master?

Sean Siler

I have a network with multiple domains, each of them behind their own
firewall. (Don't ask. It's ugly.) We only allow IPSec through the FW, and
have setup IPSec policies between two DCs in each domain and the Forest
Root. Everything works like a champ.

When a domain administrator from domain X attempted to add a new DC,
everything went well, replicating AD from the DC on his side of the
firewall. When he attempted to make the DC a DNS server, though, things
fell apart.

The DNS server log is getting a bunch of errors such as:
The DNS server detected that it is not enlisted in the replication scope of
the directory partition DomainDnsZones.subdomain.root.com. This prevents the
zones that should be replicated to all DNS servers in the subdomain.root.com
domain from replicating to this DNS server.

and

The DNS server was unable to connect to the domain naming FSMO
DC.subdomain.root.com. No modifications to Directory Partitions are possible
until the FSMO server is available for LDAP connections.

I am at a loss as to why the DNS server needs to contact the Domain Naming
Master. I assume this is necessary for it to enlist in the zone, but I have
never read this anywhere. Has anyone else?

Comments are greatly appreciated.

Thanks.
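A diagnostic for the situation described in this post, added here as an example and not taken from the thread: it finds the Domain Naming Master, checks LDAP reachability to it from the newly promoted DC (the firewalls described only carry IPsec between specific DC pairs), and reads the DomainDnsZones crossRef to see whether the new server is already enlisted. It assumes a DC or admin host with the ActiveDirectory module; NEWDC and subdomain.root.com are placeholders.

```powershell
# Added diagnostic, not from the thread. Placeholder names below must be replaced.
param(
    [string]$NewDnsServer = 'NEWDC',              # hostname of the DC just promoted
    [string]$DnsDomain    = 'subdomain.root.com'  # domain whose DomainDnsZones partition failed
)
Import-Module ActiveDirectory

# 1. Who holds the Domain Naming Master role? Enlisting a DNS server in an application
#    partition updates that partition's crossRef object in the Configuration NC's
#    Partitions container, and only the Domain Naming Master accepts such writes.
$dnm = (Get-ADForest).DomainNamingMaster
Write-Host "Domain Naming Master: $dnm"

# 2. Can the new DNS server reach the role holder over LDAP (TCP 389)?
$ldap = Invoke-Command -ComputerName $NewDnsServer -ArgumentList $dnm -ScriptBlock {
    param($target)
    Test-NetConnection -ComputerName $target -Port 389 -WarningAction SilentlyContinue
}
Write-Host ("LDAP 389 from {0} to {1}: {2}" -f $NewDnsServer, $dnm, $ldap.TcpTestSucceeded)

# 3. Is the new server listed as a replica of DC=DomainDnsZones,<domain DN>?
$domainDn = (Get-ADDomain -Identity $DnsDomain).DistinguishedName
$ncName   = "DC=DomainDnsZones,$domainDn"
$configNc = (Get-ADRootDSE -Server $dnm).configurationNamingContext
$crossRef = Get-ADObject -Server $dnm -SearchBase "CN=Partitions,$configNc" `
            -LDAPFilter "(&(objectClass=crossRef)(nCName=$ncName))" `
            -Properties 'msDS-NC-Replica-Locations'
$replicas = @($crossRef.'msDS-NC-Replica-Locations')   # NTDS Settings DNs of replica DCs
$enlisted = $replicas -match "^CN=NTDS Settings,CN=$NewDnsServer,"

Write-Host "Replicas of ${ncName}:"
$replicas | ForEach-Object { Write-Host "  $_" }
if ($enlisted) {
    Write-Host "$NewDnsServer is enlisted in $ncName."
} else {
    Write-Host "$NewDnsServer is NOT enlisted. Restore LDAP reachability to $dnm, then run:"
    Write-Host "  dnscmd $NewDnsServer /EnlistDirectoryPartition DomainDnsZones.$DnsDomain"
}
```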
 
In
Sean Siler said:
I have a network with multiple domains, each of them behind their own
firewall. (Don't ask. It's ugly.) We only allow IPSec through the
FW, and have setup IPSec policies between two DCs in each domain and
the Forest Root. Everything works like a champ.

When a domain administrator from domain X attempted to add a new DC,
everything went well, replicating AD from the DC on his side of the
firewall. When he attempted to make the DC a DNS server, though,
things fell apart.

The DNS server log is getting a bunch of errors such as:
The DNS server detected that it is not enlisted in the replication
scope of the directory partition DomainDnsZones.subdomain.root.com.
This prevents the zones that should be replicated to all DNS servers
in the subdomain.root.com domain from replicating to this DNS server.

and

The DNS server was unable to connect to the domain naming FSMO
DC.subdomain.root.com. No modifications to Directory Partitions are
possible until the FSMO server is available for LDAP connections.

I am at a loss as to why the DNS server needs to contact the Domain
Naming Master. I assume this is necessary for it to enlist in the
zone, but I have never read this anywhere. Has anyone else?

Comments are greatly appreciated.

Thanks.

In a mixed mode or Win2000 Mode environment with W2k3 DCs, which you apparently
seem to have here, the Domain Naming Master must be moved off the W2k DC to a
W2k3 DC or you'll get these errors. I've seen it once before in this
scenario. Here you go, read up on it:

http://www.microsoft.com/resources/...docs/en-us/sag_DNS_und_Active_Dir_Storage.asp

To eliminate the URL wrap, use this link:
http://tinyurl.com/2n5zl

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
 
Actually, every DC in the Forest is 2003, although the Forest is in 2000
mode.

I'll check out the link, though.

Thanks for the response.

-Sean


"Ace Fekay [MVP]"
 
In
Sean Siler said:
Actually, every DC in the Forest is 2003, although the Forest is in
2000 mode.

I'll check out the link, though.

Thanks for the response.

-Sean


"Ace Fekay [MVP]"

http://www.microsoft.com/resources/...docs/en-us/sag_DNS_und_Active_Dir_Storage.asp


No problem. Maybe if all your servers are W2k3, then raising the domain and
forest levels would be prudent.
--
Regards,
Ace

 
In
Sean Siler said:
Actually, every DC in the Forest is 2003, although the Forest is in
2000 mode.

I'll check out the link, though.

Thanks for the response.

-Sean

Just to add, are there possibly any servers still in AD that were not
removed properly that were W2k machines?

--
Regards,
Ace

 
It's a brand new forest. Not a migration, but from the ground up, brand
new. I build every server from scratch. Nope, they are all 2003, and
always have been. (Don't even have any workstations. Really. It's 100%
2003.)

Thanks for the good info!

-Sean Siler


"Ace Fekay [MVP]"
 
In
Sean Siler said:
It's a brand new forest. Not a migration, but from the ground up,
brand new. I build every server from scratch. Nope, they are all
2003, and always have been. (Don't even have any workstations.
Really. It's 100% 2003.)

Thanks for the good info!

-Sean Siler


"Ace Fekay [MVP]"


Hmm, that is strange. And I wouldn't assume functional level may have
something to do with it.

Good luck!

--
Regards,
Ace

 