DomainDNSZone converts automatically to ForestDNSZone

I have a root/child domain model. We have 4 sites. The root domain is only in the main site; the child domain spans all of the sites.

We have a mixed Windows 2003 R2 and Windows 2012 R2 Active Directory environment.

Main Office:

The root domain has TWO Windows 2012 R2 DCs and THREE Windows 2003 R2 DCs.

The child domain has TWO Windows 2012 R2 DCs and TWO Windows 2003 R2 DCs.

Sites:

Each site has Windows 2003 R2 DCs.

DNS:

All DCs run the DNS service, and one additional DNS server holds secondary zones.

ISSUE:

I came across a strange issue. While fixing replication issues reported by DCDIAG, I added master servers on the additional DNS server and replication started without any error. But automatically my _msdcs.root.domain zone converted to ForestDNSZones, and after one day root.domain and child.root.domain also changed to ForestDNSZones. The event that logs this entry shows my user ID for the change, but I didn't change this manually.

Please help me: is there any possibility of this happening automatically? Perhaps, since I initiated the replication and it completed successfully, the zones converted, and because I ran the replication the change event was generated under my ID.

Regards,

Faisal Kamal

April 21st, 2015 1:48pm

Hi,

I am not sure I understand your issue correctly. Are you saying that the replication scope for both zones changed to "All DNS servers in the forest", or something else?

Regards,

Calin

April 22nd, 2015 9:16am

Need more elaboration, Faisal; I couldn't understand it.
Coexisting 2003 and 2012 R2 isn't a good idea in the first place.
Try to move off 2003.
April 22nd, 2015 11:29am

ForestDNSZones replication is the default configuration for the mentioned zone. Need more details. Can you share the event IDs related to this activity?
  • Edited by Hydor Thursday, April 23, 2015 7:17 AM
April 22nd, 2015 9:00pm

You are correct, coexisting 2003 and 2012 is not a good idea; we upgraded because we want to phase out 2003 ASAP.

Take this example

I have a root domain named group.root

Child domain named child.group.root

Hence we have three major zones in DNS, all Active Directory integrated, named as follows:

_msdcs.group.root

group.root

child.group.root

After the upgrade of Active Directory I was facing a few sync issues. After adding master server entries on the secondary zone servers, and changing the DNS server entries on each DNS server to 127.0.0.1 for some time and then reverting them to the DNS server's own IP, replication started smoothly.

Once replication started smoothly we got some events in Event Viewer that _msdcs.group.root had moved to ForestDNSZones, and after a day group.root and child.group.root had the same entries.

Now my question is: since by default in Windows 2003 and above the _msdcs.xxx.xxx and root domain zones are stored under ForestDNSZones, might they convert to ForestDNSZones automatically?

Please check this and confirm. Currently my zone replication is set to "All DNS servers in the forest".

Regards,

Faisal

April 22nd, 2015 9:03pm
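The post above relies on what the DNS console reports for each zone's replication scope. The following script is an added example, not code from the thread, that checks the same thing from the directory side: it lists the AD-integrated zones a 2012 R2 DNS server reports, then searches the ForestDnsZones partition, each domain's DomainDnsZones partition and the Windows 2000 style CN=MicrosoftDNS,CN=System container for the zone object, so a zone that is present in two places at once (the transitional state during a partition move) stands out. It assumes the forest root group.root and child domain child.group.root from the post, a Windows 2012 R2 DC with the DnsServer and ActiveDirectory modules, and that the DC it binds to hosts the partition being searched; Get-DnsServerZone cannot query a Windows 2003 DNS server, so the 2003 DCs have to be checked with dnscmd as noted below.

```powershell
# Added example (not from the thread). Inventories AD-integrated zones and
# reports which directory container actually holds each zone object.
# Assumptions: forest root 'group.root', child 'child.group.root', run on a
# 2012 R2 DC with the DnsServer and ActiveDirectory (RSAT) modules.
Import-Module DnsServer
Import-Module ActiveDirectory

function ConvertTo-DistinguishedName([string]$DnsName) {
    # group.root -> DC=group,DC=root
    'DC=' + (($DnsName -split '\.') -join ',DC=')
}

function Get-DnsZonePartitionReport {
    param(
        [string]$DnsServer  = $env:COMPUTERNAME,
        [string]$ForestRoot = 'group.root',
        [string[]]$Domains  = @('group.root', 'child.group.root')
    )

    # Containers a dnsZone object can live in:
    #   Forest : CN=MicrosoftDNS in the single ForestDnsZones application partition
    #   Domain : CN=MicrosoftDNS in each domain's DomainDnsZones application partition
    #   Legacy : CN=MicrosoftDNS,CN=System in the domain partition (Windows 2000 style)
    $containers = @()
    $containers += [pscustomobject]@{
        Scope = 'Forest'; Domain = $ForestRoot
        SearchBase = "CN=MicrosoftDNS,DC=ForestDnsZones,$(ConvertTo-DistinguishedName $ForestRoot)"
    }
    foreach ($d in $Domains) {
        $dn = ConvertTo-DistinguishedName $d
        $containers += [pscustomobject]@{ Scope = 'Domain'; Domain = $d
            SearchBase = "CN=MicrosoftDNS,DC=DomainDnsZones,$dn" }
        $containers += [pscustomobject]@{ Scope = 'Legacy'; Domain = $d
            SearchBase = "CN=MicrosoftDNS,CN=System,$dn" }
    }

    # What the DNS service itself reports. ReplicationScope is one of
    # Forest / Domain / Legacy / Custom; DirectoryPartitionName is the partition FQDN.
    $zones = Get-DnsServerZone -ComputerName $DnsServer |
        Where-Object { $_.IsDsIntegrated -and -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone }

    foreach ($z in $zones) {
        # Look for the zone object in every candidate container. -Server is the
        # domain name so the locator picks a DC that hosts that domain's partitions.
        $locations = foreach ($c in $containers) {
            $obj = Get-ADObject -Server $c.Domain -SearchBase $c.SearchBase -SearchScope OneLevel `
                -LDAPFilter "(&(objectClass=dnsZone)(name=$($z.ZoneName)))" -ErrorAction SilentlyContinue
            if ($obj) { "$($c.Scope):$($c.Domain)" }
        }
        [pscustomobject]@{
            ZoneName          = $z.ZoneName
            ReportedScope     = $z.ReplicationScope
            ReportedPartition = $z.DirectoryPartitionName
            ObjectFoundIn     = (@($locations) -join '; ')
            # Exactly one copy is the steady state; zero or two means a move is
            # still replicating (or a stale copy was left behind).
            Consistent        = (@($locations).Count -eq 1)
        }
    }
}

Get-DnsZonePartitionReport | Format-Table -AutoSize
```

On the Windows 2003 R2 DCs the equivalent read-only checks are `dnscmd <dc> /EnumZones /Forest`, `dnscmd <dc> /EnumZones /Domain` and `dnscmd <dc> /ZoneInfo <zone>` (the "directory partition" line). If a zone needs to be moved deliberately rather than waiting on replication to settle, `Set-DnsServerPrimaryZone -Name <zone> -ReplicationScope Forest` on 2012 R2, or `dnscmd <dc> /ZoneChangeDirectoryPartition <zone> /forest` on 2003, makes the change explicit and leaves the event under the account that actually ran it.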

Dear Hydor,

The event IDs are 713, 516, 515, 514, 4005 & 4015. My major concern is whether it is possible that, once the sync completes successfully, these events are generated automatically, i.e. without manual intervention.

Regards,

Faisal Kamal

  • Edited by faisalka78 Wednesday, April 22, 2015 9:13 PM
April 22nd, 2015 9:07pm

Faisal, it is possible that after the proper sync these zones shifted to ForestDNSZones, which is the default location in a Windows 2012 multi-domain environment. I faced this kind of activity while performing a couple of Windows 2003 to Windows 2008/2012 R2 upgrades.
April 23rd, 2015 8:57am

Hi Faisal,
We experienced the same when we migrated from Windows 2003 to Windows 2008 R2 a few years ago. We did not have a child domain at that time; however, it was complex, as DCs were geographically dispersed across many locations and there were lots of replication issues among the Windows 2003 DCs.
Since the root zone's default behavior is to keep replication at forest level, and that is recommended as well, after upgrading the domain controllers to 2008 R2 we noticed that the DNS zone replication was configured at forest level.
Once we fixed the replication issues, it triggered the respective changes on all other domain controllers to synchronize accordingly. So all the zones that were configured with other replication settings (e.g. for Windows 2000 compatibility) were switched over to forest-level replication and logged event ID 713 with the account name of the logged-on user who was performing this activity, together with the other event IDs associated with this change, like 4005, which means replication data was deleted from one container (the Windows 2000 compatible one) and moved to another container.
So I believe it is absolutely normal automatic behavior, and recommended too, especially in a coexisting environment and if you don't have pre-Windows 2003 DCs.

Thanks

Tim

  • Marked as answer by faisalka78 15 hours 9 minutes ago
April 24th, 2015 11:05am

Hi Faisal,

I completely agree with Tim; this happened with one of my customers as well.

Thanks & Regards,

ZB

April 25th, 2015 3:01pm

Well, I wonder why Faisal is so surprised to see this behavior. This is perfectly normal and expected when one fixes existing firewall port, WAN link or DNS service issues with remotely located domain controllers, which are most often ignored in small environments and pop up during migrations or upgrades.

Events are always logged with the account that is logged in and fixing these issues. DNS zones are updated automatically once lookup and replication/sync issues are fixed. Also, the way AD-integrated DNS zone information was saved in Windows 2000 AD differs from later versions.

Event ID 713 says an admin moved the zone, which is rather misleading sometimes. See the links below.

http://houstongeek.blogspot.ae/2009/11/ad-integrated-dns-zones-disappearing.html

https://technet.microsoft.com/en-us/library/ee783617(v=ws.10).aspx

Making the zone forest-wide AD integrated actually helps when dealing with geographically dispersed locations, as a local copy is available to query when WAN links fluctuate; it is always recommended if you have unreliable links.

Cheers!!

Azhar

April 25th, 2015 3:05pm
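Both Tim's and Azhar's replies turn on the same point: the zone-move events (713, 514, 515, 516, 4005, 4015) appear once replication is repaired, on every DC, and are stamped with the account of whoever was working on the repair. The script below is an added example, not code from the thread, that pulls those event IDs from the DNS Server log of every DC in the forest into one time-ordered list with the recorded account, so the burst of "moves" can be lined up against the moment replication was fixed. It assumes the two domains from the post, that DCs are discovered with Get-ADDomainController (ActiveDirectory module), and that the caller can read the remote logs; Get-EventLog is used rather than Get-WinEvent because it still reads the classic "DNS Server" log on the 2003 R2 DCs over RPC.

```powershell
# Added example (not from the thread). Builds a forest-wide timeline of the
# DNS Server events the thread discusses, with the account each was logged under.
# Assumptions: domains 'group.root' and 'child.group.root', ActiveDirectory
# module available, remote event log read access on every DC.
Import-Module ActiveDirectory

function Get-DnsZoneMoveEvents {
    param(
        [string[]]$Domains  = @('group.root', 'child.group.root'),
        [int[]]$EventIds    = @(713, 514, 515, 516, 4005, 4015),
        [datetime]$Since    = (Get-Date).AddDays(-7)
    )

    # Every DC in both domains; all of them run DNS in the setup described.
    $dcs = foreach ($d in $Domains) {
        Get-ADDomainController -Filter * -Server $d | Select-Object -ExpandProperty HostName
    }

    $events = foreach ($dc in $dcs) {
        try {
            # Get-EventLog (classic API) works against 2003 R2 as well as 2012 R2.
            Get-EventLog -ComputerName $dc -LogName 'DNS Server' -After $Since -ErrorAction Stop |
                Where-Object { $EventIds -contains $_.EventID } |
                ForEach-Object {
                    [pscustomobject]@{
                        Time    = $_.TimeGenerated
                        DC      = $dc
                        EventId = $_.EventID
                        Type    = $_.EntryType
                        # Empty when the service logged the event with no user context;
                        # otherwise the account the change was attributed to.
                        User    = $_.UserName
                        Message = ($_.Message -replace '\s+', ' ').Trim()
                    }
                }
        }
        catch {
            Write-Warning "Could not read the DNS Server log on ${dc}: $($_.Exception.Message)"
        }
    }

    $events | Sort-Object Time
}

$timeline = Get-DnsZoneMoveEvents

# Forest-wide order of events; the zone name is part of each message text.
$timeline | Format-Table Time, DC, EventId, User, Message -AutoSize -Wrap

# Which accounts the zone-move (713) events were attributed to, and how many each.
$timeline | Where-Object { $_.EventId -eq 713 } |
    Group-Object User | Select-Object Name, Count
```

Run it with a `-Since` value just before the replication fix was applied: if the first 713 on each DC sits minutes after the fix and all of them carry the same account, the pattern matches what the replies describe; a 713 on an unrelated date, or under an account nobody was using, is the case that warrants a closer look at who changed the replication scope.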
