http://www.eventid.net/display.asp?eventid=1265&source=
http://www.eventid.net/display.asp?eventid=1645&source=

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-owner@;mail.activedir.org] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Saturday, October 19, 2002 10:47
To: 'Tucker, Mark '; '[EMAIL PROTECTED] '
Subject: [ActiveDir] AD Integration of DDNS Zone and zone replication Solution!

First I want to thank you all for your comments. It is really nice to be able to pick some of your brains as part of my troubleshooting.

First, DDNS integration into AD. When you AD integrate a pre-existing zone into AD, it takes some time for the zone storage to be written to AD partition. Once it is fully written, it begins to be replicated around the domain. When you have a secondary of an integrated zone, and want to change it to AD integrated, it will ask you as part of the conversion if you want to overwrite the existing zone information. (Choose no.)

The problem we were experiencing, though, was actually due to a problem with replication from the DDNS1 server to the rest of the AD. Its AD replication partners did not have SPN IDs from DDNS1. These were the Event IDs that were throwing.

Directory Replication
1645
1265

I worked with PSS and we verified that DNS was working, name resolution was working, etc. Then, when we ruled out all these issues, we used a resource kit utility called "SETSPN.EXE" and ran it on DDNS1's replication partners, pointing it at DDNS1, and on DDNS1, pointing it at itself. What we found is that DDNS1 had all its SPNs, but that none of the partners did, so we copied the SPNs to a text file (this is a command line utility), then piped it into a replication partner using the SETSPN add switch. Replication started to occur right away.

So to get a better handle on these types of problems, we will be monitoring directory replication event logs for the above IDs.

Now a chance for Gil K, from NETPRO, to throw in some of his wisdom... Gil, does NETPRO Directory Analyzer monitor and offer troubleshooting KB for this type of problem?

Todd

-----Original Message-----
From: Tucker, Mark
To: [EMAIL PROTECTED]
Sent: 10/18/2002 4:48 PM
Subject: RE: [ActiveDir] AD Integration of DDNS Zone and zone replication.

Todd,

Roger is correct: you need to delete the secondary zones on DDNS2 and DDNS3. Keep in mind that when you convert the zone to AD integrated, it becomes a multi-master primary zone. In your scenario, if you convert either of the secondary zones to AD integrated after converting the primary, you are creating another instance of the zone in AD. This is why you were having problems. If you simply convert the primary zone to AD integrated on DDNS1 and delete the secondary copies from DDNS2 and DDNS3, a copy of the zone file will automatically exist on DDNS2 and DDNS3 once replication has taken place.

- Mark

-----Original Message-----
From: Roger Seielstad [mailto:roger.seielstad@;inovis.com]
Sent: Thursday, October 17, 2002 1:34 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD Integration of DDNS Zone and zone replication.

Ahh yes - I've hit the DNS issue before as well. After changing the DDNS1 zone from Primary to AD integrated, you have to delete the secondary zones off the other DCs. As long as there is an entry for a secondary zone, the AD Integrated ones won't work.

------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA

> -----Original Message-----
> From: Myrick, Todd (NIH/CIT) [mailto:myrickt@;mail.nih.gov]
> Sent: Thursday, October 17, 2002 1:09 PM
> To: '[EMAIL PROTECTED]'
> Subject: [ActiveDir] AD Integration of DDNS Zone and zone replication.
>
> AD Folks,
>
> We are currently trying to AD integrate our DDNS zones on three Domain
> controllers and seem to have run into a problem getting the zones to
> replicate and also an issue with delegation.
>
> Here is what we did.
>
> We have three DDNS servers.
>
> DDNS1, DDNS2, and DDNS3, all are Windows 2000 DCs, AD replication is
> working fine and they are service pack 2.
> Master Sec Sec
>
> We converted one of DDNS1's Zones to AD Integrated from Primary. We
> then converted the same Secondary Zone on DDNS3's server to AD
> Integrated as well.
> Replication didn't work as expected. (Record changes from DDNS1 are not
> showing up to DDNS3.)
>
> In an effort to undo what we did, we converted the DDNS1 Zone back to
> primary, and the DDNS3 zone back to Secondary. Changes made on DDNS1
> are not replicating to DDNS3.
> The entire time, though, changes made on DDNS1 were showing up in DDNS2.
>
> My question is: do you think that in order to establish AD integrated
> zones of an existing zone, you should AD integrate the primary DDNS
> server zone (DDNS1), delete the secondary zone on DDNS3, then recreate
> the zone as AD-integrated, and allow it to import the data from AD?
>
> Delegation of administration of a zone.
>
> In order to allow someone control over their DNS zone, we have been
> finding that you must grant full control through the DNS admin tool.
> We have tried using the admin tool to grant only partial authority over
> the zone (Read, Change, Delete) but it doesn't seem to work. Our concern
> is that granting full control over the zone allows the delegated DNS
> admins to remove Directory Admins from having administrative access to
> the zone, and we want to mitigate this. Any workarounds?
>
> Thanks
>
> Todd
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
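
The SPN comparison described in the October 19 message of this thread, as an added example that is not part of any list message: it diffs two saved `setspn -L` listings for the same DC account (one taken on the DC itself, one on a replication partner) and lists the `setspn -A` additions the partner's copy lacks. The listing layout, the example.com names and the DSA GUID in the sample captures are constructed assumptions.

```python
HEADER = "Registered ServicePrincipalNames for "

# Constructed sample captures (not from the thread): DDNS1's account as listed
# on DDNS1 itself, and as listed on a replication partner.
ON_DDNS1 = """Registered ServicePrincipalNames for CN=DDNS1,OU=Domain Controllers,DC=example,DC=com:
    HOST/DDNS1
    HOST/ddns1.example.com
    LDAP/ddns1.example.com
    DNS/ddns1.example.com
    E3514235-4B06-11D1-AB04-00C04FC2DCD2/11111111-2222-3333-4444-555555555555/example.com
"""
ON_PARTNER = """Registered ServicePrincipalNames for CN=DDNS1,OU=Domain Controllers,DC=example,DC=com:
    HOST/DDNS1
    host/DDNS1.example.com
"""

def parse_listing(text):
    """Return (account_dn, [spn, ...]) from one saved `setspn -L` listing."""
    account, spns = None, []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(HEADER):
            account = stripped[len(HEADER):].rstrip(":")
        elif account is not None and "/" in stripped:
            spns.append(stripped)
    if account is None:
        raise ValueError("no 'Registered ServicePrincipalNames' header found")
    return account, spns

def missing_spns(reference, partner):
    """SPNs in the reference listing that the partner's copy does not hold."""
    ref_account, ref_spns = parse_listing(reference)
    partner_account, partner_spns = parse_listing(partner)
    if ref_account.lower() != partner_account.lower():
        raise ValueError("captures describe different accounts")
    seen = {spn.lower() for spn in partner_spns}  # SPNs compare case-insensitively
    return [spn for spn in ref_spns if spn.lower() not in seen]

def add_commands(reference, partner):
    """One `setspn -A` line per missing SPN, to review before running."""
    account, _ = parse_listing(reference)
    host = account.split(",")[0].split("=", 1)[1]  # CN of the computer account
    return [f"setspn -A {spn} {host}" for spn in missing_spns(reference, partner)]

if __name__ == "__main__":
    for command in add_commands(ON_DDNS1, ON_PARTNER):
        print(command)
```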