Screwed up my Win2000 AD DNS

  • Thread starter Thread starter Michael Leone
  • Start date Start date
M

Michael Leone

I had 2 internal DNS servers, both AD-integrated into my Win2000 AD. I added
a new DC. And, being the idiot that I am, instead of adding this new DC as
another secondary DNS server, I configured it to add a new AD-integrated
zone onto this new DC ... with the name of my existing AD-integrated zone.

<SIGH>

So now I have a new DNS server, with an AD-integrated zone, with no entries
except itself. I have my 2 other servers, with zones with the same name,
that are now listed as primary (not AD-integrated) and secondary. So how
best to fix this mess?

Should I just DCPROMO the new DC out of the domain entirely, and then go to
my existing primary DNS and make that zone AD-integrated? If so, how?
If not, how best to proceed?

I still have name resolution fine, since all stations are pointing to the
server that is listed as primary.

Eventually, what I want is for the server currently listed as primary to be
AD-integrated, and to be the master, and the other 2 as secondaries. The new
DNS server is supposed to be the secondary. How can I get it back like that?

--
------------------------------------------------------------
Michael Leone, Systems Administrator
Philadelphia Contributionship
210 S. 4th Street, Philadelphia, PA 19106
<mailto:[email protected]>
V: 215-627-1752 x1282
F: 215-627-5354
 
In
Michael Leone said:
I had 2 internal DNS servers, both AD-integrated into my
Win2000 AD. I added a new DC. And, being the idiot that I
am, instead of adding this new DC as another secondary
DNS server, I configured it to add a new AD-integrated
zone onto this new DC ... with the name of my existing
AD-integrated zone.
Click to expand...

The reason this happened is you already had a zone in Active Directory, and
when you created this one in Active Directory, it overwrote the zone you had
in AD.
<SIGH>

So now I have a new DNS server, with an AD-integrated
zone, with no entries except itself. I have my 2 other
servers, with zones with the same name, that are now
listed as primary (not AD-integrated) and secondary. So
how best to fix this mess?
Click to expand...

Do not use Secondary zones on DCs when you have an AD integrated zone on one
DC. You need to point all DCs to one DC for DNS only for DNS. Then on that
DC convert the AD zone to standard primary with dynamic updates allowed.
Make sure all other DCs have no primary or secondary zones and that the zone
object is deleted from ADUC in the System\MicrosoftDNS container. Then on
all DC run this command net stop netlogon & net start netlogon & ipconfig
/flushdns & ipconfig /registerdns
After this command completes and it is verified that all DCs have registered
in DNS with this command netdiag /test:dns /v convert the Primary zone to AD
integrated and wait for it to replicate to all DCs with DNS installed. Do
not create the zone of any type on the other DCs, this will only overwrite
the zone you just created or cause a zone conflict.

Eventually, what I want is for the server currently
listed as primary to be AD-integrated, and to be the
master, and the other 2 as secondaries. The new DNS
server is supposed to be the secondary. How can I get it
back like that?
Click to expand...

You cannot do this, if the zone is on one DC AD integrated, you must wait
for the zone to replicate, you cannot have a secondary zone for this name on
other DCs.
In an AD environment all zones are writable masters and will list themselves
as the master on the SOA record.
 
Kevin D. Goodknecht Sr. said:
In

The reason this happened is you already had a zone in Active Directory,
and
when you created this one in Active Directory, it overwrote the zone you
had
in AD.
Click to expand...

So I unfortunately found out. :-( And AD didn't even warn me, which I also
find aggravating ...
Do not use Secondary zones on DCs when you have an AD integrated zone on
one
DC.
Click to expand...

I probably misspoke. I don't want a secondary zone; what I really want is
another DC with DNS on it. I plan to keep this DC offsite, and use it during
Disaster Recovery. In case of disaster (even a test), I would fire up this
server; tell it to seize all 5 FSMO roles; clean up the metadata (since
there will be no other DCs to replicate to); and have my domain up and
running in a shorter amount of time.

And every 2-3 weeks, I would plug this DC back into the production LAN, and
let it synchronize with the others, then put it back offsite.


Thanks for all the help so far.
 
In
Michael Leone said:
"Kevin D. Goodknecht Sr. [MVP]" <[email protected]>
wrote in message


So I unfortunately found out. :-( And AD didn't even warn
me, which I also find aggravating ...


I probably misspoke. I don't want a secondary zone; what
I really want is another DC with DNS on it. I plan to
keep this DC offsite, and use it during Disaster
Recovery. In case of disaster (even a test), I would fire
up this server; tell it to seize all 5 FSMO roles; clean
up the metadata (since there will be no other DCs to
replicate to); and have my domain up and running in a
shorter amount of time.

And every 2-3 weeks, I would plug this DC back into the
production LAN, and let it synchronize with the others,
then put it back offsite.


Thanks for all the help so far.
Click to expand...

Keeping it off site is one thing, I hope your not planning on keeping it off
site and off line even two or three weeks at a time. Two or three hours is
too much. That would be a major problem.
 
Back
Top