new domain tree in existing forest DNS q's...

  • Question

  • Very simple setup.  One domain controller (dc1) in abc.com.  I'm curious what I need to do in regards to DNS that will allow me to add a new domain tree.  I have followed the method for creating a domain tree here: http://technet.microsoft.com/en-us/library/cc770662(WS.10).aspx.  Every time I follow those instructions I continually get errors about DNS and the new domain tree (xyz.com) doesn't create DomainDNSZones in DNS.

    I have also tried to create an AD-integrated FLZ on dc1.abc.com and then manually configure a zone delegation for the new domain xyz.com.  I add the server-to-be name and IP address in the delegation wizard.  I get similar problems, complaints about DNS and the DomainDNSZones isn't shown in DNS on the new DC in xyz.com.

    I've read around that maybe I'm supposed to create a stub zone on the root DC and point it to the new DC before running dcpromo on the new DC.  Is this correct?  If so, should it be AD-integrated?  Should it be replicated through the forest or just the domain?

    TIA.

    Tuesday, June 21, 2011 3:38 AM

Answers

  • You could create a stub zone and point it to the new Tree root domain.

    However, to start it off, I would suggest:

    1. Create the zone on the forest root DNS server. Make the zone Forest Wide.
    2. Point DNS on the new machine, prior to promoting it, to the existing forest root DNS server.
    3. Promote the machine introducing a new tree.
    4. After the machine has been promoted, and the necessary records have been created, install DNS on the new server.
    5. Walk away for about 30 minutes and allow the zone to auto-populate through replication.
    6. Once it's replicated, then change the zone on the new tree DC to DomainDnsZones replication scope.
    7. Then you can create the stub zone on the original forest root DNS pointing to it. Set the stub zone to DomainDnsZones.
    8. Create a Conditional forwarder from the new tree DNS server to the forest root DNS server. You can also opt to create a Stub zone (preferable) to the forest root DNS server and AD integrate the stub zone in DomainDnsZones so it will be available on the new tree domain.
    9. Make sure you add Search suffixes on each machine in the original forest root for the new tree, and vice-versa.

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    • Edited by Ace Fekay [MCT] Tuesday, June 21, 2011 4:06 AM - adjusted the steps
    • Proposed as answer by Meinolf Weber Tuesday, June 21, 2011 6:11 AM
    • Marked as answer by snickered Wednesday, June 22, 2011 3:16 PM
    Tuesday, June 21, 2011 4:04 AM
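Ace's nine steps above, as an added PowerShell example that is not code from the thread, using the DnsServer, ADDSDeployment and DnsClient cmdlets of Windows Server 2012 and later rather than the 2008-era dcpromo the thread used. The host names dc1/dc2, the addresses 10.0.0.1/10.0.0.2, the NetBIOS name XYZ and the interface alias 'Ethernet' are assumptions.

```powershell
# Added example (not from the thread): Ace's steps 1-9 for adding the tree xyz.com to the
# forest abc.com. Each block runs on the machine named in its comment.

$ForestRoot = 'abc.com'
$NewTree    = 'xyz.com'
$RootDnsIp  = '10.0.0.1'   # assumed address of dc1.abc.com (forest root DNS)
$TreeDnsIp  = '10.0.0.2'   # assumed address of the new tree DC (dc2.xyz.com)

# --- On dc1.abc.com (forest root DNS) ---
# Step 1: pre-create the tree's zone, AD-integrated and forest-wide (ForestDnsZones), so the
# new DC can register its records before it has a DNS server of its own.
Add-DnsServerPrimaryZone -Name $NewTree -ReplicationScope Forest -DynamicUpdate Secure

# --- On the machine to be promoted ---
# Step 2: point its DNS client only at the forest root DNS server before promotion.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $RootDnsIp

# Step 3: promote it as the first DC of a new tree, without DNS (step 4 adds it later).
Install-ADDSDomain -NewDomainName $NewTree -NewDomainNetbiosName 'XYZ' `
    -ParentDomainName $ForestRoot -DomainType TreeDomain -InstallDns:$false `
    -Credential (Get-Credential "$ForestRoot\Administrator") `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')

# --- On the new tree DC, after the reboot ---
# Step 4: install DNS; the forest-wide zone replicates in through ForestDnsZones.
Install-WindowsFeature DNS -IncludeManagementTools

# Step 5: wait for the zone to arrive instead of guessing at 30 minutes.
function Wait-DnsZoneReplicated {
    param([string]$Zone, [int]$TimeoutMinutes = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $z = Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue
        if ($z -and $z.IsDsIntegrated) { return $z }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "Zone $Zone did not replicate within $TimeoutMinutes minutes"
}
Wait-DnsZoneReplicated -Zone $NewTree | Select-Object ZoneName, ReplicationScope, IsDsIntegrated

# Step 6: move the zone into the tree's own DomainDnsZones partition. After this the zone
# leaves ForestDnsZones, so the root DCs no longer hold a copy of it (hence step 7).
Set-DnsServerPrimaryZone -Name $NewTree -ReplicationScope Domain

# Step 8: let the tree resolve the forest root. A stub zone is the option Ace prefers; the
# conditional forwarder is his alternative. Either is stored in DomainDnsZones.
Add-DnsServerStubZone -Name $ForestRoot -MasterServers $RootDnsIp -ReplicationScope Domain
# Alternative:
# Add-DnsServerConditionalForwarderZone -Name $ForestRoot -MasterServers $RootDnsIp -ReplicationScope Domain
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $TreeDnsIp   # now use itself

# --- On dc1.abc.com again ---
# Step 7: stub zone for the new tree, stored in abc.com's DomainDnsZones.
Add-DnsServerStubZone -Name $NewTree -MasterServers $TreeDnsIp -ReplicationScope Domain

# Step 9: suffix search list, own domain first, then the other one.
# On abc.com machines:
Set-DnsClientGlobalSetting -SuffixSearchList @($ForestRoot, $NewTree)
# On xyz.com machines:
# Set-DnsClientGlobalSetting -SuffixSearchList @($NewTree, $ForestRoot)

# Verify: each side finds the other's DCs through its stub zone.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$NewTree"    -Type SRV -Server $RootDnsIp
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ForestRoot" -Type SRV -Server $TreeDnsIp
```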

All replies

  • Yes, you are required to create a zone first in the root domain and point the new domain tree to the root DNS, because your root domain contains all the FSMO roles which are required to be contacted while creating a new domain tree in the forest, such as the DNM. I would follow Ace's suggested steps too.

    http://mikehowells.wordpress.com/2011/04/05/adding-a-child-domain-using-windows-server-2003-vs-windows-server-2008-r2/

    Regards  


    Awinish Vishwakarma| CHECK MY BLOG

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Tuesday, June 21, 2011 5:13 AM
  • 1. Create the zone on the forest root DNS server. Make the zone Forest Wide.

    Thanks for the replies.  Ace, does that mean to create an AD-Integrated FLZ?  If so, after creating the new FLZ, do I need to create a manual delegation on the forest root DNS for the new tree/server?

    Tuesday, June 21, 2011 10:04 AM
  • Awinish, so, are you saying I need to create an AD-Integrated FLZ also?  

    The link you provided is for a child domain and tells me I don't need to create the new zone on bigdog.bigfirm.biz.

    Tuesday, June 21, 2011 10:19 AM
  • Yes, in Windows 2008 both will work: either pre-create it, or it will be created for you during delegation. But I was not sure whether you are running Windows 2003 or 2008 and thought of sharing the link, which might be helpful to you.

    A child domain inherits the parent domain name whereas a domain tree doesn't; otherwise multiple domains or child domains in the same forest are the same, sharing the same Schema and Domain Naming master roles. One more difference is that the Enterprise Admins group is missing in a child domain, whereas it's present in domain trees as well as the root domain.

    Regards  


    Awinish Vishwakarma| CHECK MY BLOG

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Tuesday, June 21, 2011 10:34 AM
  • Yes, in windows 2008 both will work either pre create it or it will create it for you during delegation

    Not sure I quite understand.  So, 1) create the AD-Integrated FLZ? OR 2) don't create the AD-Integrated FLZ and just run dcpromo on the new tree?

    Either of those should create the DomainDNSZones?

    Tuesday, June 21, 2011 10:53 AM
  • You don't need to be confused: either create the empty zone on the root DNS server as AD-integrated, or let AD create the DNS zone during dcpromo. Make sure the new DC which is going to host the new domain tree has the DNS IP from the root domain on its NIC as the preferred DNS server and can contact the root domain.

    Regards  


    Awinish Vishwakarma| CHECK MY BLOG

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Tuesday, June 21, 2011 10:57 AM
  • When I run dcpromo on the new domain tree DC it doesn't create the zone on the root DC.  Are you saying it should?  Every time I have run this I have had the new DC pointed to the DNS of the root DC.
    Tuesday, June 21, 2011 11:00 AM
  • This time, try to create the zone manually in the root DNS. Can you verify connectivity and that the required ports are open? Do you see any error events on the Windows 2008/2003 DC? Can you ping the root DC from the new server that is going to be the DC for the new domain? Are you using an account which is a member of the Enterprise/Domain Admins group?

    Did you follow the suggestion posted by Ace?


    Regards


    Awinish Vishwakarma| CHECK MY BLOG 

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Tuesday, June 21, 2011 11:09 AM
  • During all of this I always have the firewalls disabled on each DC.  Yes, I can always ping the root DC from the new server before running dcpromo.

    I haven't followed Ace's suggestions yet, I have a question on the first step.  He says:

    1. Create the zone on the forest root DNS server. Make the zone Forest Wide.

    Do I need to create a manual delegation by right-clicking the newly created FLZ and choosing "New Delegation"?

    Tuesday, June 21, 2011 11:13 AM
  • Once you create a zone in the root DNS, the delegation will be taken care of automatically during dcpromo, so don't worry much about delegation; it can be configured later. Create a zone in the root DNS, let it be AD-integrated, set the replication scope to forest-wide, and just run dcpromo on the Windows 2008 box. Can you list the complete error you are facing during dcpromo after configuring the DNS?

    Regards


    Awinish Vishwakarma| CHECK MY BLOG 

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Tuesday, June 21, 2011 11:18 AM
  • I have created the AD-Integrated zone with forest scope on the root DC and run dcpromo on the new domain tree DC without installing DNS.  I see there were several records created on the root DC DNS.  However, I do not see DomainDnsZones nor ForestDnsZones in the newly created zone.  Should it be there?  I don't have any errors in either of the DC's logs at this point.
    Tuesday, June 21, 2011 12:15 PM
  • I just now got the following on the root DC:

    The attempt to establish a replication link for the following writable directory partition failed. 
     
    Directory partition: 
    CN=Configuration,DC=abc,DC=com 
    Source directory service: 
    CN=NTDS Settings,CN=dc2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=abc,DC=com 
    Source directory service address: 
    f8a84bab-28f7-4f6e-9842-7722544cdec4._msdcs.abc.com 
    Intersite transport (if any): 
     
     
    This directory service will be unable to replicate with the source directory service until this problem is corrected. 
     
    User Action 
    Verify if the source directory service is accessible or network connectivity is available. 
     
    Additional Data 
    Error value: 
    8524 The DSA operation is unable to proceed because of a DNS lookup failure.

    So, it says there is a DNS lookup failure.  But this is on the root DC so there can only really be a failure if a record is missing since it's looking at itself for DNS.  Do you know which DNS records would be missing that would cause this particular error?  I can ping the GUIDs, I can ping the servers directly, I can ping anything I try to.  I don't know what DNS record it's looking for.

    Tuesday, June 21, 2011 12:43 PM
  • Sorry for not responding earlier. My first step indicated to manually create the new tree's zone name on the forest root DC and make the replication scope Forest-wide.

    If you are getting an error on the Root DCs, then it will cause problems creating a new tree, as well as other problems such as not properly enlisting the application partitions.

    From your post, it clearly indicates that the f8a84bab-28f7-4f6e-9842-7722544cdec4._msdcs.abc.com record is not resolvable.

    If you manually look under the _msdcs.abc.com zone, do you see a record called f8a84bab-28f7-4f6e-9842-7722544cdec4?

    To better assist you, we'll now need some config information. Please post the following to allow us to better assist:

    • An ipconfig /all from two of the DCs in the forest root domain
    • An ipconfig /all from the new machine you want to promote as a DC in a new tree
    • Any and all Event log errors on all the DCs. Please post which DC they are from, the event ID# and the "Source" name.

    Thanks,
    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Tuesday, June 21, 2011 5:31 PM
  • Inside the _msdcs folder you will find different subfolders like DC, Domain, GC and PDC, which contain the SRV records necessary for locating a DC in the domain for its services. If a subfolder inside _msdcs is either missing or can't be located, AD will not work properly.

    Please upload the below info to SkyDrive only, apart from the info requested by Ace; do not post the results here.

    DCDIAG /V/C/D/E /S:DCNAME >C:\DCDIAG.LOG

    http://explore.live.com/windows-live-skydrive

    Regards


    Awinish Vishwakarma| CHECK MY BLOG

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Tuesday, June 21, 2011 6:20 PM
  • Alright boys and girls we have replication.  My problem was that the new domain tree DC didn't have IPv6 installed.  It was fully disabled (ComponentsDisabled=0xffffffff) while the root DC had it installed.  I have been messing with so many configurations lately and somehow that setting was disabled in one of my snapshots.  I noticed the problem when I saw some mention of IPv6 in the Directory Service eventlog when I increased the logging to "5", although a simple ipconfig would have told me the same :S.  So, I enabled IPv6 and voila!  I could see DomainDnsZones in the new tree and dcdiag didn't report any errors.  After that I did what you said, Ace.  Installed DNS on the new tree DC, walked away for 30 minutes, changed the zone to DomainDnsZones on the new tree DC, then created AD-Integrated stub zones on each of the DCs pointing to the other with domain scope.  Everything seems to be happy.

    One last question:

    9. Make sure you add Search suffixes on each machine in the original forest root for the new tree, and vice-versa.

    Does that mean I need to add the search suffix on only the DCs in each domain?  Or does this mean I'd need to set it as a DHCP option for ALL computers (including member servers and workstations)?  This is to just allow everything to contact each other by "Comp1" rather than "Comp1.abc.com" from the xyz.com domain, right?  So, I guess this would be more important on the DCs and probably not even necessary on the member computers?

    Tuesday, June 21, 2011 8:20 PM
  • Yep! Exactly. Here are your options to create search suffixes:

    Configuring DNS Search Suffixes
    Published by Ace Fekay, MCT, MVP DS on Feb 12, 2011 at 12:27 PM
    http://msmvps.com/blogs/acefekay/archive/2011/02/12/configuring-dns-search-suffixes.aspx

    Don't forget to create Stubs!!!

    Ace

    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Tuesday, June 21, 2011 9:11 PM
  • Thanks a lot for your help fellas.  This forum has been an excellent resource.
    Wednesday, June 22, 2011 3:16 PM
  • You are welcome. The forums are a great resource. We are all here to provide a collaborative help environment. :-)

    Cheers!

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Wednesday, June 22, 2011 3:50 PM

  • Good day

    I have a forest parent.local and some trees such as tree1.local, tree2.local and ... via WAN links that connect to the forest from different locations.

    DNS is configured decentralized (according to the following article: DNS Design Options in a Multi-Domain Forest – How to create a Parent-Child DNS Delegation, and How to Configure DNS to create a new Tree in the Forest).

    On forest DCs DNS is set to domain-wide and for the trees a stub zone is created.

    On tree DCs DNS is set to domain-wide and for the forest a stub zone is created.

    On clients of the trees DNS is set to the tree.

    DNS search suffixes for all domains are set in the GPO and the clients receive them in the tree and forest.

    But when the WAN link to the forest is down, the workstations of the trees cannot log on to Windows and the error "incorrect password" is displayed.

    When I log on to Windows locally and ping my tree domain, the result is correct.

    Our Windows servers are 2016 Standard edition.

    What can I do so users can log in to Windows when the WAN link to the forest is down?

    thank you

    Wednesday, February 21, 2018 2:28 PM

  • Hi Askari,

    There are a few possible options in a decentralized design, but you didn't specify which. 
    https://blogs.msmvps.com/acefekay/2010/10/01/dns-parent-child-dns-delegation-how-to-create-a-dns-delegation  

    Decentralized with a Parent-Child Delegation

    Other designs involving decentralization, such as with global infrastructure where there may be local legal regulations involved, you may want to allow them to handle their own DNS servers and their own zones. In such a decentralized model, the parent zone is set to domain-wide replication, and the child zones are delegated to the DC/DNS servers in the child domains.

    Decentralized but all Child Domain Resources only use the Forest Root DNS Servers

    I haven't seen this design scenario in the field as of yet, rather see it more in a classroom or lab setup, but it's another option, yet not recommended. Basically the same as the above but without a delegation. All child domain resources will only use the root's DNS servers. However in such a design, if the child domains are across WAN links, if the WAN link goes down, the whole child domain will be useless until it's up again.

    Essentially, you didn't provide enough info to analyze or provide specific suggestions.

    Generally speaking, if you are not able to login when the WAN is down, it's telling me that either there are no DCs at the client's AD site (location), and or the client machines at the site are configured with a DNS server across the WAN link.

    In your scenario, I would probably setup a Secondary zone of the forest Root domains (the domain.com and the _Msdcs.domain.com zones) at the trees, and vice-versa, and ensure local machines are only configured to use local DNS servers.


    Ace Fekay
    MVP, MCT, MCSE, 2016/2012/2008/2003/2000/NT4, Exchange 2016/2013/2010/2007/2003/2000/5.5
    Microsoft Certified Trainer
    Microsoft MVP: Enterprise Mobility
    Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Friday, February 23, 2018 1:56 PM
  • Dear Ace

    Thank you for your reply.

    I configured Decentralized with a parent-child Delegation.

    I have a forest and some trees via WAN links, and each tree has some children. I defined a conditional forwarder or stub zone for the trees on the forest's DNS, and on the trees' DNS the forwarder is set to the forest DCs. On the children of a tree the DNS forwarder is set to the tree's DCs, and for the children a delegation is defined in the tree's DNS.

    In the site of trees i have 2 DCs and Clients of the same network use ip of these DCs as DNS and they are in the local network.

    In the child i have one DC and in their network clients use ip of child DC as DNS and it is in the local network of child.

    Before I had defined the DNS search suffixes for the trees and forest in the GPO, when the WAN link between the forest and tree was interrupted and went down, clients of the tree and its children could not log in to Windows with their accounts, although they had already logged in before the WAN link was interrupted, and I could not create any new user on the DC of the tree or child.

    But when I define the DNS search suffixes according to your article at the above link, when the WAN link is interrupted, the users that had already logged in to their clients before the WAN link was interrupted can log in to Windows after resetting their system, and I can create new users on the tree DCs, but we cannot log in to Windows with a new user.

    The clients use their DC as DNS, and each tree and child have their DC in their local network.

    Also the _Msdcs.domain.com zone is forest-wide and is shown on all DNS servers of the trees and children.

    Example of a tree configuration shown in the following:

    C:\Users\psme>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : OST-FAN-10664
       Primary Dns Suffix  . . . . . . . : KHN.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : khn.local
                                           ikrf.local
                                           esfrn.khn.local
                                           farouj.khn.local
                                           germeh.khn.local
                                           jajarm.khn.local
                                           khnm1.khn.local
                                           khnm2.khn.local
                                           mansam.khn.local
                                           razger.khn.local
                                           shirvan.khn.local

    Ethernet adapter Ethernet:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
       Physical Address. . . . . . . . . : 40-8D-5C-94-6E-A0
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::a541:5dfc:5731:3ced%10(Preferred)
       IPv4 Address. . . . . . . . . . . : 172.24.193.67(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Thursday, February 22, 2018 7:34:01 AM
       Lease Expires . . . . . . . . . . : Thursday, March 1, 2018 7:33:55 AM
       Default Gateway . . . . . . . . . : 172.24.193.1
       DHCP Server . . . . . . . . . . . : 172.24.193.1
       DHCPv6 IAID . . . . . . . . . . . : 54562140
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-74-32-99-40-8D-5C-94-6E-A0
       DNS Servers . . . . . . . . . . . : 172.24.193.3
                                           172.24.193.5
       NetBIOS over Tcpip. . . . . . . . : Enable

    ----

    C:\Users\psme>nslookup khn.local
    Server:  KHN-PDC.KHN.local
    Address:  172.24.193.3

    Name:    khn.local
    Addresses:  172.24.193.5
              172.24.193.3

    --

    C:\Users\psme>nltest /sc_query:khn.local
    Flags: 30 HAS_IP  HAS_TIMESERV
    Trusted DC Name \\adc-khn.khn.local  
    Trusted DC Connection Status Status = 0 0x0 NERR_Success
    The command completed successfully

    ---

    ADC-KHN is additional server and GC like KHN-PDC and all in the local network of clients with the same subnet.

    ikrf.local is my forest.

    Thanks

    Saturday, February 24, 2018 6:18 AM
  • Hi M.Askari,

    I just spent an hour putting together a very detailed response with pictures and suggested links for diagnostics, but the TechNet forum deleted it thinking it's spam. Oh well.

    Due to lack of time to recreate the post, I'll keep this brief.  I don't see search suffixes for the forest root child domains. You didn't indicate if AD sites are configured properly.

    Try an nslookup to resolve machines between all child domains to see if they are successful. Enable netlogon logging to see what DCs and AD Sites a client is trying to connect to when the WAN link goes down.

    How to enable netlogon logging:
    https://support.microsoft.com/en-us/help/109626/enabling-debug-logging-for-the-netlogon-service/ 


    Ace Fekay
    MVP, MCT, MCSE, 2016/2012/2008/2003/2000/NT4, Exchange 2016/2013/2010/2007/2003/2000/5.5
    Microsoft Certified Trainer
    Microsoft MVP: Enterprise Mobility
    Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Saturday, February 24, 2018 8:39 PM
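Ace's two checks (nslookup between the domains, then netlogon debug logging per the KB he links), as an added PowerShell example that is not part of the thread. The domain names come from the poster's ipconfig output; the local subnet prefix, the netlogon log path and the sample log lines at the end are assumptions or constructed.

```powershell
# Added example (not from the thread): locator checks and netlogon.log triage for the
# "tree clients cannot log on when the WAN link to the forest is down" scenario.
# Assumed: the client's subnet prefix, the default netlogon log path, the sample lines.

$ForestRoot   = 'ikrf.local'
$TreeDomain   = 'khn.local'
$ChildDomains = 'esfrn.khn.local', 'farouj.khn.local', 'germeh.khn.local'
$LocalPrefix  = '172.24.193.'                         # assumed: the client's own subnet
$NetlogonLog  = "$env:SystemRoot\debug\netlogon.log"  # default path per KB 109626

# 1. Resolve the DC and GC locator records (what Ace's nslookup check does) and flag any
#    answer that is not on the local subnet: a DC or GC reachable only across the WAN is
#    exactly what stops logons when the link drops.
function Test-Locator {
    param([string]$Name)   # e.g. _ldap._tcp.dc._msdcs.khn.local or _gc._tcp.ikrf.local
    $srv = Resolve-DnsName -Name $Name -Type SRV -ErrorAction SilentlyContinue |
           Where-Object QueryType -eq 'SRV'
    if (-not $srv) {
        return [pscustomobject]@{ Record = $Name; Target = '<no SRV record>'; Address = $null; Local = $false }
    }
    foreach ($rec in $srv) {
        $ip = (Resolve-DnsName -Name $rec.NameTarget -Type A -ErrorAction SilentlyContinue |
               Where-Object QueryType -eq 'A' | Select-Object -First 1).IPAddress
        [pscustomobject]@{
            Record  = $Name
            Target  = $rec.NameTarget
            Address = $ip
            Local   = [bool]($ip -and $ip.StartsWith($LocalPrefix))
        }
    }
}

$checks = @("_ldap._tcp.dc._msdcs.$TreeDomain", "_gc._tcp.$ForestRoot") +
          ($ChildDomains | ForEach-Object { "_ldap._tcp.dc._msdcs.$_" })
$checks | ForEach-Object { Test-Locator $_ } | Format-Table -AutoSize

# 2. Enable Netlogon debug logging (KB 109626). nltest applies the flag immediately;
#    nltest /dbflag:0x0 turns it off again.
nltest /dbflag:0x2080ffff | Out-Null

# 3. Summarise SamLogon results from netlogon.log: who was refused, from where, and why.
$StatusName = @{
    '0x0'        = 'STATUS_SUCCESS'
    '0xC0000064' = 'STATUS_NO_SUCH_USER'      # the status in the poster's log excerpt
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
    '0xC000005E' = 'STATUS_NO_LOGON_SERVERS'
}
function Get-SamLogonResults {
    param([string[]]$Lines)
    $re = '^(?<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] \[\d+\] SamLogon: (?<kind>\w+) logon of ' +
          '(?<acct>\S+) from (?<from>\S+) Returns (?<st>0x[0-9A-Fa-f]+)'
    foreach ($l in $Lines) {
        if ($l -match $re) {
            [pscustomobject]@{
                Time    = $Matches.ts
                Kind    = $Matches.kind
                Account = $Matches.acct
                From    = $Matches.from
                Status  = $Matches.st
                Meaning = if ($StatusName.ContainsKey($Matches.st)) { $StatusName[$Matches.st] } else { 'unknown' }
            }
        }
    }
}

# Constructed sample in the same format as the poster's excerpt, used when no log exists yet.
$sample = @'
02/26 14:08:56 [LOGON] [1496] SamLogon: Interactive logon of KHN\test098 from OST-FAN-10664 Entered
02/26 14:09:01 [LOGON] [1496] SamLogon: Interactive logon of KHN\test098 from OST-FAN-10664 Returns 0xC0000064
02/26 14:09:14 [LOGON] [12936] SamLogon: Interactive logon of KHN\nemanean from OST-FAN-10664 Returns 0xC0000064
02/26 14:10:02 [LOGON] [12936] SamLogon: Interactive logon of KHN\olduser from OST-FAN-10664 Returns 0x0
'@ -split "`r?`n"

$lines = if (Test-Path $NetlogonLog) { Get-Content $NetlogonLog } else { $sample }
Get-SamLogonResults $lines |
    Group-Object Account, Meaning |
    Select-Object Count, Name |
    Sort-Object Count -Descending | Format-Table -AutoSize
```

A "Local = False" row for the GC record while the DC records are local is the pattern to look for in the WAN-down case, since a first logon of a new user needs a reachable global catalog.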
  • Dear Ace Fekay

    Thank you for your time.

    I don't have any children on the forest. There are trees, and on the trees we have children. So I don't have any search suffixes for the forest root child domains.

    I have 32 trees and about 400 children, which I cannot all define in the DNS suffix search list, so for every tree I define the forest and its children for the DNS search suffix.

    I define a site for each tree and its subnet, and in Inter-Site Transports in IP a link for each tree and the forest is defined.

    On a client computer of a tree, when the WAN link goes down, I tried nslookup and the names of DCs and computers resolve correctly.

    I enabled netlogon logging, and the DCs and AD site that the client wants to connect to are apparently correct.

    But if I log in with a user that has logged in when the WAN link was up, login is successful, but when I try to log in with a user that has been created new, I cannot log in to the client.

    Also when I want to create a user on the DC, the process of creating the user is too long.

    Part of this log is below:

    "

    02/26 14:08:51 [MISC] [1496] DsGetDcName function returns 0 (client PID=1660): Dom:KHN Acct:(null) Flags: FORCE IP KDC 
    02/26 14:08:56 [LOGON] [1496] SamLogon: Interactive logon of KHN\test098 from OST-FAN-10664 Entered
    02/26 14:09:01 [CRITICAL] [1496] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
    02/26 14:09:01 [LOGON] [1496] SamLogon: Interactive logon of KHN\test098 from OST-FAN-10664 Returns 0xC0000064
    02/26 14:09:09 [LOGON] [12936] SamLogon: Interactive logon of KHN\nemanean from OST-FAN-10664 Entered
    02/26 14:09:14 [CRITICAL] [12936] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
    02/26 14:09:14 [LOGON] [12936] SamLogon: Interactive logon of KHN\nemanean from OST-FAN-10664 Returns 0xC0000064
    02/26 14:09:39 [MISC] [880] DsGetDcName function called: client PID=1660, Dom:KHN.LOCAL Acct:(null) Flags: FORCE IP KDC 
    02/26 14:09:39 [MISC] [880] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c0fffff1
    02/26 14:09:39 [MAILSLOT] [880] NetpDcPingListIp: KHN.LOCAL: Sent UDP ping to 172.24.193.5
    02/26 14:09:39 [MISC] [6664] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c0fffff1
    02/26 14:09:39 [MAILSLOT] [6664] NetpDcPingListIp: KHN.local.: Sent UDP ping to 172.24.193.3
    02/26 14:09:39 [MISC] [6664] NlPingDcNameWithContext: Sent 1/1 ldap pings to KHN-PDC.KHN.local
    02/26 14:09:39 [MISC] [880] NetpDcAllocateCacheEntry: new entry 0x0000021581DFD9B0 -> DC:ADC-KHN DnsDomName:KHN.local Flags:0x1f1f8 
    02/26 14:09:39 [MISC] [880] NetpDcGetName: NetpDcGetNameIp for KHN.LOCAL returned 0
    02/26 14:09:39 [MISC] [880] NetpDcDerefCacheEntry: destroying entry 0x0000021581DFC4E0
    02/26 14:09:39 [MISC] [880] LoadBalanceDebug (Flags: FORCE IP KDC DNS RET_DNS ): DC=ADC-KHN, SrvCount=2, FailedAQueryCount=0, DcsPinged=1, LoopIndex=0
    02/26 14:09:39 [MISC] [880] DsGetDcName: results as follows: DCName:\\ADC-KHN.KHN.local DCAddress:\\172.24.193.5 DCAddrType:0x1 DomainName:KHN.local DnsForestName:ikrf.local Flags:0xe001f1f8 DcSiteName:KHN-Site ClientSiteName:KHN-Site
    02/26 14:09:39 [MISC] [880] DsGetDcName function returns 0 (client PID=1660): Dom:KHN.LOCAL Acct:(null) Flags: FORCE IP KDC 
    02/26 14:09:39 [MISC] [6664] NetpDcAllocateCacheEntry: new entry 0x0000021580D64010 -> DC:KHN-PDC DnsDomName:KHN.local Flags:0x1f1b9 
    02/26 14:09:39 [MISC] [6664] NlPingDcNameWithContext: KHN-PDC.KHN.local responded over IP.
    02/26 14:09:39 [PERF] [6664] NlSetServerClientSession: Not changing connection (0000021582096068): "\\KHN-PDC.KHN.local"
        ClientSession: 0000021581B56350NetpDcDerefCacheEntry: destroying entry 0x0000021580D64010
    02/26 14:09:44 [LOGON] [880] SamLogon: Interactive logon of (null)\test098@khn.local from OST-FAN-10664 Entered
    02/26 14:09:52 [MISC] [12860] DsGetDcName function called: client PID=2152, Dom:(null) Acct:(null) Flags: DS BACKGROUND 
    02/26 14:09:52 [MISC] [12860] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c0fffff1
    02/26 14:09:52 [MISC] [12860] NetpDcGetName: KHN.local. using cached information ( NlDcCacheEntry = 0x0000021581DFC980 )
    02/26 14:09:52 [MISC] [12860] DsGetDcName: results as follows: DCName:\\KHN-PDC.KHN.local DCAddress:\\172.24.193.3 DCAddrType:0x1 DomainName:KHN.local DnsForestName:ikrf.local Flags:0xe001f1b9 DcSiteName:KHN-Site ClientSiteName:KHN-Site
    02/26 14:09:52 [MISC] [12860] DsGetDcName function returns 0 (client PID=2152): Dom:(null) Acct:(null) Flags: DS BACKGROUND 
    02/26 14:10:00 [CRITICAL] [880] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000064)
    02/26 14:10:00 [CRITICAL] [880] KHN: NlFinishApiClientSession: timeout call to \\KHN-PDC.KHN.local.  Count: 1 
    02/26 14:10:00 [LOGON] [880] SamLogon: Interactive logon of (null)\test098@khn.local from OST-FAN-10664 Returns 0xC0000064
    02/26 14:10:39 [MISC] [6664] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c0fffff1
    02/26 14:10:39 [MAILSLOT] [6664] NetpDcPingListIp: KHN.local.: Sent UDP ping to 172.24.193.3
    02/26 14:10:39 [MISC] [6664] NlPingDcNameWithContext: Sent 1/1 ldap pings to KHN-PDC.KHN.local
    02/26 14:10:39 [MISC] [6664] NetpDcAllocateCacheEntry: new entry 0x0000021580D64010 -> DC:KHN-PDC DnsDomName:KHN.local Flags:0x1f1b9 
    02/26 14:10:39 [MISC] [6664] NlPingDcNameWithContext: KHN-PDC.KHN.local responded over IP.
    02/26 14:10:39 [PERF] [6664] NlSetServerClientSession: Not changing connection (0000021582096068): "\\KHN-PDC.KHN.local"
        ClientSession: 0000021581B56350NetpDcDerefCacheEntry: destroying entry 0x0000021580D64010
    02/26 14:13:11 [SESSION] [14088] KHN: NlTimeoutApiClientSession: Unbind from server \\KHN-PDC.KHN.local (TCP) 0.
    02/26 14:13:32 [LOGON] [880] SamLogon: Network logon of khn\khnkom from KHN-PDC Entered
    02/26 14:13:32 [LOGON] [880] SamLogon: Network logon of khn\khnkom from KHN-PDC Returns 0x0
    02/26 14:13:38 [LOGON] [6664] SamLogon: Network logon of khn\khnkom from KHN-PDC Entered
    02/26 14:13:38 [LOGON] [6664] SamLogon: Network logon of khn\khnkom from KHN-PDC Returns 0x0
    02/26 14:13:40 [SESSION] [6664] I_NetLogonGetAuthData called: (null) KHN.local (Flags 0x1)  
    02/26 14:13:40 [SESSION] [6664] I_NetLogonGetAuthData called: (null) KHN.local (Flags 0x1)  
    02/26 14:13:40 [SESSION] [6664] I_NetLogonGetAuthData called: (null) KHN.local (Flags 0x1)  
    02/26 14:13:40 [SESSION] [1496] I_NetLogonGetAuthData called: (null) KHN.local (Flags 0x1)  
    02/26 14:13:40 [SESSION] [6664] I_NetLogonGetAuthData called: (null) KHN.local (Flags 0x1)  
    02/26 14:13:40 [SESSION] [6664] I_NetLogonGetAuthData called: (null) KHN.local (Flags 0x1)  
    02/26 14:13:40 [MISC] [6664] DsGetDcName function called: client PID=1392, Dom:(null) Acct:(null) Flags: LDAPONLY BACKGROUND RET_DNS 
    02/26 14:13:40 [MISC] [6664] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c0fffff1
    02/26 14:13:40 [MISC] [6664] NetpDcGetName: KHN.local. using cached information ( NlDcCacheEntry = 0x0000021581DFC290 )
    02/26 14:13:40 [MISC] [6664] DsGetDcName: results as follows: DCName:\\KHN-PDC.KHN.local DCAddress:\\172.24.193.3 DCAddrType:0x1 DomainName:KHN.local DnsForestName:ikrf.local Flags:0xe001f1b9 DcSiteName:KHN-Site ClientSiteName:KHN-Site
    02/26 14:13:40 [MISC] [6664] DsGetDcName function returns 0 (client PID=1392): Dom:(null) Acct:(null) Flags: LDAPONLY BACKGROUND RET_DNS 
    02/26 14:13:40 [MISC] [1496] DsGetDcName function called: client PID=696, Dom:KHN Acct:(null) Flags: DS NETBIOS RET_DNS 
    02/26 14:13:40 [MISC] [1496] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c0fffff1
    02/26 14:13:40 [MISC] [1496] NetpDcGetName: KHN.local. using cached information ( NlDcCacheEntry = 0x0000021581DFC980 )
    02/26 14:13:40 [MISC] [1496] DsGetDcName: results as follows: DCName:\\KHN-PDC.KHN.local DCAddress:\\172.24.193.3 DCAddrType:0x1 DomainName:KHN.local DnsForestName:ikrf.local Flags:0xe001f1b9 DcSiteName:KHN-Site ClientSiteName:KHN-Site
    02/26 14:13:40 [MISC] [1496] DsGetDcName function returns 0 (client PID=696): Dom:KHN Acct:(null) Flags: DS NETBIOS RET_DNS 
    02/26 14:13:40 [MISC] [6664] DsrEnumerateDomainTrusts: Called, Flags = 0x1
    02/26 14:13:40 [MISC] [6664] KHN: DsrEnumerateDomainTrusts: Domain List collected from \\KHN-PDC.KHN.local
    02/26 14:13:40 [MISC] [1496] DsGetDcName function called: client PID=1392, Dom:(null) Acct:(null) Flags: LDAPONLY BACKGROUND RET_DNS 
    02/26 14:13:40 [MISC] [1496] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c0fffff1
    02/26 14:13:40 [MISC] [1496] NetpDcGetName: KHN.local. using cached information ( NlDcCacheEntry = 0x0000021581DFC290 )
    02/26 14:13:40 [MISC] [1496] DsGetDcName: results as follows: DCName:\\KHN-PDC.KHN.local DCAddress:\\172.24.193.3 DCAddrType:0x1 DomainName:KHN.local DnsForestName:ikrf.local Flags:0xe001f1b9 DcSiteName:KHN-Site ClientSiteName:KHN-Site
    02/26 14:13:40 [MISC] [1496] DsGetDcName function returns 0 (client PID=1392): Dom:(null) Acct:(null) Flags: LDAPONLY BACKGROUND RET_DNS 
    02/26 14:13:40 [DOMAIN] [6664] Setting LSA NetbiosDomain: KHN DnsDomain: KHN.local. DnsTree: ikrf.local. DomainGuid:1f1e93c8-3c97-41d6-96ef-108aed2d0bcb
    02/26 14:13:40 [LOGON] [6664] NlSetForestTrustList: New trusted domain list:
    02/26 14:13:40 [LOGON] [6664]     0: IKRF ikrf.local (NT 5) (Forest Tree Root) (Direct Outbound) (Direct Inbound) ( Attr: 0x20 )
    02/26 14:13:40 [LOGON] [6664]        Dom Guid: df5c7405-2e24-4039-8756-f426ae9e4a71
    02/26 14:13:40 [LOGON] [6664]        Dom Sid: S-1-5-21-3112939202-695628720-502479942
    02/26 14:13:40 [LOGON] [6664]     1: KHNM2 KHNM2.KHN.local (NT 5) (Forest: 294) (Direct Outbound) (Direct Inbound) ( Attr: 0x20 )

    "

    OST-FAN-10664 is the computer name that I test from.

    \\KHN-PDC.KHN.local is the primary DC and is 172.24.193.3

    \\ADC-KHN.KHN.local is the additional DC and is 172.24.193.5

    DomainName:KHN.local

    DnsForestName:ikrf.local

    SiteName:KHN-Site

    KHN\nemanean is the user that has logged in before

    KHN\test098 is the new user

    I don't understand the netlogon log correctly. Can I have your email address so that I can email you the complete netlogon log?

    Best regards


    • Edited by M.Askari Friday, March 2, 2018 3:26 PM
    Monday, February 26, 2018 12:28 PM
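An added example, not part of the thread and not Microsoft tooling: a small Python parser for the kind of Netlogon debug lines quoted above, following the earlier suggestion to use netlogon logging to see which DC a client picks. It maps each SamLogon return code to its NTSTATUS name, counts which DC DsGetDcName selected, and lists RPC timeouts. The sample log is a constructed excerpt of the lines in the post; the NTSTATUS table is an assumed subset.

```python
import re
from collections import Counter

# Constructed excerpt of the Netlogon debug log quoted in the post (raw string
# so the backslashes in account and server names survive unchanged).
SAMPLE_LOG = r"""
02/26 14:09:14 [LOGON] [12936] SamLogon: Interactive logon of KHN\nemanean from OST-FAN-10664 Returns 0xC0000064
02/26 14:09:39 [MISC] [880] DsGetDcName: results as follows: DCName:\\ADC-KHN.KHN.local DCAddress:\\172.24.193.5 DCAddrType:0x1 DomainName:KHN.local DnsForestName:ikrf.local Flags:0xe001f1f8 DcSiteName:KHN-Site ClientSiteName:KHN-Site
02/26 14:09:52 [MISC] [12860] DsGetDcName: results as follows: DCName:\\KHN-PDC.KHN.local DCAddress:\\172.24.193.3 DCAddrType:0x1 DomainName:KHN.local DnsForestName:ikrf.local Flags:0xe001f1b9 DcSiteName:KHN-Site ClientSiteName:KHN-Site
02/26 14:10:00 [CRITICAL] [880] KHN: NlFinishApiClientSession: timeout call to \\KHN-PDC.KHN.local.  Count: 1
02/26 14:10:00 [LOGON] [880] SamLogon: Interactive logon of (null)\test098@khn.local from OST-FAN-10664 Returns 0xC0000064
02/26 14:13:32 [LOGON] [880] SamLogon: Network logon of khn\khnkom from KHN-PDC Returns 0x0
""".strip().splitlines()

# Assumed subset of NTSTATUS values that appear in SamLogon "Returns" lines.
NTSTATUS = {
    0x0: "STATUS_SUCCESS",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

LOGON_RE = re.compile(
    r"(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] \[\d+\] SamLogon: "
    r"(?P<kind>Interactive|Network) logon of (?P<acct>\S+) from (?P<ws>\S+) "
    r"Returns (?P<code>0x[0-9A-Fa-f]+)")
DC_RE = re.compile(r"DsGetDcName: results as follows: DCName:\\\\(?P<dc>\S+) ")
TIMEOUT_RE = re.compile(r"NlFinishApiClientSession: timeout call to \\\\(?P<dc>\S+)")


def parse_netlogon(lines):
    """Return (logon results, Counter of DCs chosen by DsGetDcName, timed-out DCs)."""
    logons, dc_picks, timeouts = [], Counter(), []
    for line in lines:
        if m := LOGON_RE.search(line):
            code = int(m["code"], 16)
            logons.append({"ts": m["ts"], "kind": m["kind"], "acct": m["acct"],
                           "ws": m["ws"], "code": code,
                           "status": NTSTATUS.get(code, "UNKNOWN_%08X" % code)})
        elif m := DC_RE.search(line):
            dc_picks[m["dc"]] += 1
        elif m := TIMEOUT_RE.search(line):
            timeouts.append(m["dc"].rstrip("."))  # drop trailing FQDN dot
    return logons, dc_picks, timeouts


def failed_interactive(logons):
    """Accounts whose interactive logon returned anything but STATUS_SUCCESS."""
    return sorted({l["acct"] for l in logons if l["kind"] == "Interactive" and l["code"] != 0})
```

Run over a full log, the timeout list and the DC tally show whether the client fell back to the other DC after the `NlFinishApiClientSession` timeout, which is the first thing to check before looking at the account itself.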
  • This is a very old thread, but I ran into the same issue, where my tree did not have a DomainDNSZones partition.

    dnscmd dnsserver /CreateBuiltinDirectoryPartitions /AllDomains

    Run this command on the Domain Naming Master of the forest; this will create the DomainDNSZones partition of the tree.

    Root Cause Analysis

    Also, if you connect to the DefaultNamingContext in the tree domain, under the System container there is MicrosoftDNS, which holds the DNS zone of the tree domain. This is because the DomainDNSZones partition was not present; however, the zone is AD-integrated, so it has to be stored in AD, and therefore it chooses the System container. This mechanism was used in Windows 2000 and earlier, apparently.

    But once the DomainDNSZones partition for the tree root is created, AD automatically moves the zone from the System container in the DefaultNC to the DomainDNSZones partition for the tree.

    Saturday, August 10, 2019 5:28 PM