AD integrated Stub zones not visible in all Domain Controllers

    Question

  • Hi,

    we have 25 Domain Controllers in a single domain, spread across multiple AD sites. We have created a few AD integrated stub zones for other domains in a different forest on our Root Domain Controller, which are visible on some additional domain controllers with all records. But the same stub zones are not visible on a few of the additional domain controllers; when we try to create the stub zones on these servers we get an error that they already exist. We restarted the DNS service and did replication of the DNS zones from the root DC to the servers in question using repadmin, which was successful, but the DNS stub zones were still not visible in DNS.

    Need some help..

    Thanks..

    Sunil

    Monday, September 16, 2013 1:19 PM

Answers

  • Also need to open port 53 UDP & TCP on both sides. 53 TCP is required for zone transfer & 53 UDP is required for client queries.

    HTH

    Biswajit


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin


    Friday, September 20, 2013 12:25 AM
  • One more thing to look at is if there is a replication issue with AD or specifically with the partitions. Let's take a look to make sure you don't have any duplicate AD zones. Here's a tutorial on it below. If you see any zones with names that start with "CNF" or "InProgress" they must be deleted.

    Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
    Published by acefekay on Sep 2, 2009 at 2:34 PM
    http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx

    -

    Also, how is your WAN topology setup? Is it a full mesh, or hub and spoke? If it is a hub and spoke, have you disabled Bridge All Site Links (BASL) and manually created links from the hub to each site? If not, and this is your scenario, then the KCC may be creating partnerships to DCs that can't directly communicate with each other.

    How to optimize Active Directory replication in a large network
    Mar 2, 2007 – "Automatic site-link bridging is enabled for both the IP and Simple Mail Transport Protocol (SMTP) inter-site transports by default."
    http://support.microsoft.com/kb/244368

    For AD Site Link Bridging info: Creating a Site Link Bridge Design
    http://technet.microsoft.com/en-us/library/cc753638(WS.10).aspx

    For ISTG info: How to optimize Active Directory replication in a large network
    This link explains BASL (Bridge All Site Links, or also known as Automatic Site Link Bridging), and when you need to disable it or leave it enabled.
    http://support.microsoft.com/kb/244368 

    -

    One more thing, let's check your replication status and see what it tells us. Also, let's check to see if any ports are firewalled between DCs to eliminate that as factor, too.

    1. ReplDIAG:  (run it as repldiag > c:\repldiag.txt, then open it as a CSV in Excel choosing comma separated, to be able to clearly read the output)
       Explained here:
         Troubleshooting replication with ReplDiag.exe [part 1 of 4], Rob Bolbotowski [MSFT], 13 Oct 2010 12:04 PM
         http://blogs.technet.com/b/robertbo/archive/2010/10/13/troubleshooting-replication-with-repldiag-exe-part-1-of-4.aspx
            ReplDiag Downloadable from:
            http://activedirectoryutils.codeplex.com/releases/view/13664

    2. Download The Active Directory Replication Status Tool:
       http://www.microsoft.com/en-us/download/details.aspx?id=30005
         This tool requires .Net Framework 4. If it's not installed, download and install it:
           Microsoft .NET Framework 4 (Web Installer)
           http://www.microsoft.com/en-us/download/details.aspx?id=17851
     
    3. Run PortQry GUI choosing the "Domains & Trusts" option between each other (DCs). Run the test from a DC to a DC from both sides to each other, or you can also run it from a client to a DC. Post only errors with "NOTLISTENING," 0x00000001, and 0x00000002. You can ignore UDP 389 and UDP 88 messages. If you see TCP 42 errors, that just means WINS is not running on the target server.
           PortQryUI - GUI - Version 2.0 8/2/2004
           http://www.microsoft.com/download/en/details.aspx?id=24009

    4. Third Party Utility: Dynamic AD Replication Checker Tool not only checks AD Replication for all domain controllers in your organization but also provides monitoring capabilities. For any non-working Domain Controller you can use the various options available to troubleshoot the issue.
     Dynamic AD Replication Checker Tool Version 2.0 Released
     http://blog.dynamicitkit.com/dynamic-ad-replication-checker-tool-version-2-0-released/
     Download Dynamic AD Replication Checker Tool Version 2.0 (part of "Dynamic Pack")
     http://www.dynamic-spotaction.com/index.html

    -

    -

    The point is if you are seeing the stub on some of the DCs and not others, and assuming all the DCs are in one domain, then there is apparently a replication issue that needs to be addressed. I hope the tools and info above give you a good start. Please report back your findings so we can further help you with it.

    -


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Monday, September 23, 2013 4:27 AM
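The following PowerShell script is an added example for this thread, not code posted by any of the participants. It turns Biswajit's port 53 point and Ace's checklist (duplicate CNF/InProgress zone objects, replication status, firewalled ports) into one survey you can run from a management host: for every DC in the domain it reports whether the stub zone is loaded and whether the DC is even enlisted in the DNS application partitions, lists any conflict dnsZone objects, tests TCP 53 and a UDP query against each DC, and prints failed inbound replication links. It assumes the ActiveDirectory and DnsServer RSAT modules are installed and that the running account can query every DC; $ZoneName is a placeholder to replace with the stub zone that is missing.

```powershell
<#
  Added example for this thread (not code posted by any of the participants).
  Surveys every DC in the domain for an AD-integrated stub zone, looks for the
  CNF:/InProgress conflict objects mentioned above, tests port 53 to each DC and
  reports failed replication links. Assumes the ActiveDirectory and DnsServer
  RSAT modules are installed and the account can query every DC.
  $ZoneName is a placeholder; replace it with the stub zone that is missing.
#>
param(
    [string]$ZoneName = 'stubzone.example.invalid'   # placeholder zone name
)
Import-Module ActiveDirectory, DnsServer -ErrorAction Stop

$domainDN    = (Get-ADDomain).DistinguishedName
$forestDN    = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName
$domainDnsNC = "DC=DomainDnsZones,$domainDN"
$forestDnsNC = "DC=ForestDnsZones,$forestDN"
$dcs = Get-ADDomainController -Filter * | Sort-Object Site, HostName

# 1. Is the zone loaded on each DC, and does the DC host the DNS application partitions at all?
#    A DC that is not enlisted in DomainDnsZones/ForestDnsZones never receives zones stored there.
$zoneReport = foreach ($dc in $dcs) {
    $row = [ordered]@{
        DC = $dc.HostName; Site = $dc.Site
        InDomainDnsZones = ($dc.Partitions -contains $domainDnsNC)
        InForestDnsZones = ($dc.Partitions -contains $forestDnsNC)
        ZonePresent = $false; ZoneType = $null; Scope = $null
    }
    try {
        $z = Get-DnsServerZone -ComputerName $dc.HostName -Name $ZoneName -ErrorAction Stop
        $row.ZonePresent = $true; $row.ZoneType = $z.ZoneType; $row.Scope = $z.ReplicationScope
    } catch { }   # zone not found on this DC, or the DC is not running the DNS role
    [pscustomobject]$row
}
$zoneReport | Format-Table -AutoSize

# 2. Conflict (CNF:) or half-created (InProgress) dnsZone objects in each DNS storage location.
$searchBases = @($domainDnsNC, $forestDnsNC, "CN=MicrosoftDNS,CN=System,$domainDN")
$conflicts = foreach ($base in $searchBases) {
    Get-ADObject -SearchBase $base -SearchScope Subtree `
        -LDAPFilter '(&(objectClass=dnsZone)(|(name=*CNF:*)(name=*InProgress*)))' `
        -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Location'; e = { $base } }, Name, DistinguishedName
}
if ($conflicts) { $conflicts | Format-Table -AutoSize } else { 'No CNF/InProgress dnsZone objects found.' }

# 3. Port 53: TCP (zone transfer path) via a socket test, UDP (client queries) via an SOA lookup
#    that Resolve-DnsName sends over UDP first. A failure against a DC that hosts the zone
#    points at a firewall between you and that DC.
$portReport = foreach ($dc in $dcs) {
    $tcp = Test-NetConnection -ComputerName $dc.HostName -Port 53 -WarningAction SilentlyContinue
    $udpOk = $false
    try {
        $null = Resolve-DnsName -Name $ZoneName -Type SOA -Server $dc.HostName -DnsOnly -ErrorAction Stop
        $udpOk = $true
    } catch { }
    [pscustomobject]@{ DC = $dc.HostName; Tcp53 = $tcp.TcpTestSucceeded; Udp53Query = $udpOk }
}
$portReport | Format-Table -AutoSize

# 4. Failed inbound replication links per DC and partition (non-zero LastReplicationResult = Win32 error code).
$replFailures = foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -ErrorAction SilentlyContinue |
        Where-Object { $_.LastReplicationResult -ne 0 } |
        Select-Object Server, Partition, Partner, LastReplicationResult, LastReplicationAttempt
}
if ($replFailures) { $replFailures | Format-Table -AutoSize } else { 'No failed replication links reported.' }
```

Read the first table together with the last: a DC that shows the zone missing but is enlisted in the right partition and has a failed link for that same partition is the replication problem Ace describes; a DC that is not enlisted in DomainDnsZones or ForestDnsZones will never get a zone stored with that replication scope no matter how healthy replication looks, and the ReplicationScope column on the DCs that do have the zone tells you which partition to check.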

All replies

  • Hi ,

    I suppose the stub zones were not created completely, so they could not show up in the UI console. Therefore, we need to run the following command to delete them and create them again.

    dnscmd /zonedelete <zonename> /Dsdel /f

    Best regards,
    Balla


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Thursday, September 19, 2013 8:55 AM