Empty DNS Zones on secondary Domain Controller

  • Question

  • Hi Guys,

I have a domain with one Domain Controller. In the past the domain had an SBS 2008 server. The server was removed and replaced with a new DC (DC-A, Win2012R2 - Data)... a long time ago (just in case it's relevant, I don't know exactly how the SBS 2008 was removed by the old admin).

    I have set up a new server and promoted it to a secondary DC ("DC-B", also Win 2012 R2 Datacenter).

    I promoted the server a week ago, so all replications should be done.

    When I open the DNS Manager on the first DC-A and add the secondary DC ("DC B") in the MMC console, then all looks fine. All zones (AD-integrated) are fine and filled with DNS entries.

    DNS Manager on "DC-B" lists all zones, but in the zones only the nameserver entries are present.

    When I open "DC A" via the MMC of "DC B", then also all zones are listed, but only the nameserver entries are present.

    So I checked the replication status. All fine!

    No errors... I double-checked it with the Microsoft "AD Replication Status Tool".

    When I open the AD computer & server or AD location & service on "DC B", all changes get replicated fine.

    Also creating a new AD user or a new AD-Site location works fine.

    Even when I change a password on "DC B", the changes are replicated to "DC A".

    So it seems to work fine.

    But my DNS zones on "DC B" are always empty. DNS resolving works like a charm (also tested different network DNS settings on both DCs... primary DNS / DC A / DC B /... and so on, and rebooted many times).

    DCdiag /TEST:DNS is also fine.

    When I create a new AD-integrated forward zone or DNS entry, it's not replicated to the other server (tested from both sides).

    The event log on DC-B tells me "Source: DNS-Server-Service, ID:4". So the DNS server tells me the loading/replication of zones was successful.

    So I thought, bad luck, and tried to demote the server "DC B"... this failed.

    In DNS Manager I found under "Forward-Zone -> Domain.local -> _msdcs" only the nameserver of the SBS 2008 server; I changed it, but this did not solve my problem.

    In the event log I just see errors regarding PKI (remains of the old SBS 2008), but I think the certificates should not affect the AD-integrated DNS zones (no DNSSEC in use).

    Source: CertificateServicesClient-CertEnroll - ID 82 and ID 13

    At this time, I have no idea what to do next.

    I could force a removal of the new DC-B, but what if this happens again on the next promote?

    When the replication works, the AD-integrated DNS zones should also be replicated without problems. What could cause this problem?

    Hopefully someone can give me a hint.

    Kind regards,


    Sunday, June 16, 2019 7:11 AM
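An added diagnostic for the symptom described in the post (editor's example, not code from the thread or from any reply): it shows, for each DC, which DNS application partitions the server is enlisted in, which naming contexts AD says that DC replicates, and the replication scope, partition and record count of every AD-integrated zone, so a zone that is full on DC-A but NS-only on DC-B can be matched either to a missing DomainDnsZones/ForestDnsZones partition on DC-B or to the two servers holding the zone in different replication scopes. DC-A and DC-B are the names from the post; the RSAT DnsServer and ActiveDirectory modules are assumed to be installed where the script runs.

```powershell
# Added example (not from the thread). Compares AD-integrated DNS zone state on both DCs.
# Assumes the DC names from the post and the DnsServer / ActiveDirectory modules.
# Run from an elevated PowerShell prompt on a domain-joined machine.
Import-Module DnsServer
Import-Module ActiveDirectory

$dcs = @('DC-A', 'DC-B')   # names taken from the original post

foreach ($dc in $dcs) {
    Write-Host "`n=== $dc ==="

    # 1. DNS application partitions known to this server, and whether it is enlisted.
    #    State 0 = enlisted/created; a DomainDnsZones or ForestDnsZones partition that is
    #    missing or not enlisted here is a classic cause of "zone present, records absent".
    Write-Host '--- DNS directory partitions ---'
    Get-DnsServerDirectoryPartition -ComputerName $dc |
        Select-Object DirectoryPartitionName, State, Flags, ZoneCount |
        Format-Table -AutoSize

    # 2. Naming contexts AD itself says this DC replicates. Domain/schema/config replication
    #    can be healthy (as the repl status tool reports) while an application partition
    #    is simply not hosted on DC-B and therefore never replicated.
    Write-Host '--- Naming contexts replicated by this DC (DnsZones only) ---'
    (Get-ADDomainController -Identity $dc).Partitions |
        Where-Object { $_ -like '*DnsZones*' }

    # 3. Per zone: replication scope, backing partition and record count.
    #    Same scope on both DCs but a count of ~NS-only on one side points at step 1/2;
    #    different scopes mean the servers are loading the zone from different partitions.
    Write-Host '--- AD-integrated zones ---'
    Get-DnsServerZone -ComputerName $dc |
        Where-Object { $_.IsDsIntegrated } |
        ForEach-Object {
            $records = Get-DnsServerResourceRecord -ComputerName $dc -ZoneName $_.ZoneName `
                        -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Zone      = $_.ZoneName
                Scope     = $_.ReplicationScope
                Partition = $_.DirectoryPartitionName
                Records   = ($records | Measure-Object).Count
            }
        } | Format-Table -AutoSize
}

# 4. Replication status of the DNS application partitions specifically.
#    repadmin /showrepl lists every naming context per partner; the DnsZones lines
#    are the ones the AD Replication Status Tool summary does not call out.
foreach ($dc in $dcs) { repadmin /showrepl $dc | Select-String -Pattern 'DnsZones' -Context 0, 6 }
```

If DC-B lists the partitions but is not enlisted, `Add-DnsServerDirectoryPartition` / `Register-DnsServerDirectoryPartition` (or `dnscmd /enlistdirectorypartition`) is the documented remedy; if the scopes differ, `Set-DnsServerPrimaryZone -ReplicationScope` brings the zone into a single scope.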


All replies