OK, one of our onsite consultants solved it (he's actually working on a completely separate Cisco-related project, but figured he'd take a shot at it). We were waiting to have our manager finish setting up our VSLC so that we would be authorized to open a tech support case. Meanwhile, he just went and fixed it ..

He said he followed this doc:

Task 2 - Resolve the AD replication failure

In this task, you will fix the broken DNS delegation for the child domain. Perform this task on DC1.

1. Open up the DNS management snap-in (dnsmgmt.msc)
2. Expand Forward Lookup Zones, expand root.contoso.com and select child
3. Open up the properties of the (same as parent folder) NS record
4. Select the entry for lamedc1.child.contoso.com and then select Remove
5. Add a valid child domain DNS server to the delegation settings
   a. Select Add
   b. In the Server fully qualified domain name (FQDN) text box, type: childdc1.child.root.contoso.com
   c. In the IP Addresses of this NS record section, type the IP address of ChildDC1: 192.168.10.11
   d. Select OK and then select OK again.
   e. Select Yes to the dialogue window that opens up asking if you want to delete the glue record lamedc1.child.contoso.com [192.168.10.1]

In effect, exactly what the list recommended (creating DNS records). I thought that's all we would need, but I wanted to verify with an actual trained MS support person, before I went and poked into a production domain, doing something I was just stumbling through.

Regardless, it's fixed, replication is all working, I have glue records for all DCs, and all dcdiag seems to pass (according to our consultant). Me, I've been busy re-configuring a SQL 2012 multisubnet cluster. But at least all seems well ..

Thanks everybody for the help.

On Wed, Feb 3, 2016 at 3:28 PM, Coleman, Hunter <[email protected]> wrote:
>> I suspect I should be seeing what you are (i.e., 6 glue records, 1 for each DC in the child domain).
>
> Yes, add those on the 'Name Servers' tab of the child domain zone when you are pointed at one of the root DCs.
>
> -----Original Message-----
> From: [email protected] [mailto: [email protected]] On Behalf Of Michael Leone
> Sent: Wednesday, February 3, 2016 10:29 AM
> To: [email protected]
> Subject: Re: [NTSysADM] Re: Missing DNS Glue records
>
> On Wed, Feb 3, 2016 at 10:29 AM, Coleman, Hunter <[email protected]> wrote:
>>> Shouldn't it list other DCs for this child domain?
>>
>> Yes. What do you get if you run ‘dnscmd.exe rootDC#5.rootdomain.com
>> /enumrecords rootdomain.com. childdomain.rootdomain.com. /glue’ ? Is
>> there any difference if you target rootDC#4 or rootDC#6?
>
> Returned records:
> @ 3600 NS rootDC#5
>
> Same result, no matter what root DC I specify (4,5 or 6).
>
>> Returned records:
>>
>> @ 0 NS childDC1.child.foo.bar.
>>
>> 0 NS childDC2.child.foo.bar.
>>
>> 0 NS childDC2.child.foo.bar.
>>
>> childDC1 3600 A 10.1.1.1
>>
>> childDC2 3600 A 10.1.1.2
>>
>> childDC3 3600 A 10.1.1.3
>
> Yeah, I don't see a returned entry that specifies any child DC. Only for one of the root DCs.
> I suspect I should be seeing what you are (i.e., 6 glue records, 1 for each DC in the child domain).
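
Added example, not part of the thread: a Python check that parses `dnscmd ... /enumrecords ... /glue` output in the layout quoted above and reports delegation NS entries that are not child-domain servers or that lack a glue A record. The function names and both sample outputs are constructed for illustration; the parser assumes the "owner TTL type data" layout shown in the thread, with valid NS targets written as FQDNs.

```python
# Constructed samples modelled on the two outputs quoted in the thread.
BROKEN = "Returned records:\n@ 3600 NS rootDC#5\n"
QUOTED = """Returned records:
@ 0 NS childDC1.child.foo.bar.
 0 NS childDC2.child.foo.bar.
 0 NS childDC2.child.foo.bar.
childDC1 3600 A 10.1.1.1
childDC2 3600 A 10.1.1.2
childDC3 3600 A 10.1.1.3
"""

def parse_records(output):
    """Return (owner, ttl, type, data) tuples; a blank owner repeats the previous one."""
    records, owner = [], None
    for line in output.splitlines():
        fields = line.split()
        if not fields or line.strip().lower().startswith("returned records"):
            continue
        if fields[0].isdigit():          # first field is the TTL: owner column is empty
            fields.insert(0, owner)
        if len(fields) < 4 or fields[0] is None or not fields[1].isdigit():
            continue                     # not a record line in the assumed layout
        owner = fields[0]
        records.append((owner, int(fields[1]), fields[2].upper(), fields[3]))
    return records

def audit_delegation(output, child_zone):
    """Compare the delegation's NS set with the glue A records returned for it."""
    zone = child_zone.lower().rstrip(".") + "."
    ns, glue = [], {}
    for owner, _ttl, rtype, data in parse_records(output):
        if rtype == "NS" and owner == "@":
            ns.append(data.lower())
        elif rtype == "A":
            name = owner.lower()
            # Assumption: A-record owners are printed relative to the child zone.
            name = name if name.endswith(".") else f"{name}.{zone}"
            glue.setdefault(name, []).append(data)
    in_zone = [n for n in ns if n.endswith("." + zone)]
    return {
        "outside_child_zone": sorted(set(ns) - set(in_zone)),   # e.g. a root DC
        "missing_glue": sorted(n for n in set(in_zone) if n not in glue),
        "unreferenced_glue": sorted(set(glue) - set(ns)),       # A record, no NS
        "duplicate_ns": sorted({n for n in ns if ns.count(n) > 1}),
    }

if __name__ == "__main__":
    print(audit_delegation(BROKEN, "childdomain.rootdomain.com"))
    print(audit_delegation(QUOTED, "child.foo.bar"))
```

A clean delegation returns four empty lists; a non-empty `outside_child_zone` matches the symptom in the thread, where the only NS returned was a root DC.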
