question

GaryBabin-0701 asked DaisyZhou-MSFT commented

DNS duplicate zone removal - how to determine which zone to remove

I found Mr. Fekay's article on ADSI Edit and duplicate DNS zones very helpful. Using that guide, I located both InProgress and CNF zones which I was confident to delete.

These all replicated out and have not returned. But I am still getting event ID 4515 entries about once a month. I am pretty sure I have figured out what to do but would like to get some expert opinion to avoid stepping on any landmines. :)

The event 4515 text describes what is happening (I've redacted the actual domain name):

"The zone xxxx.local was previously loaded from the directory partition DomainDnsZones.xxxx.local but another copy of the zone has been found in directory partition ForestDnsZones.xxxx.local. The DNS Server will ignore this new copy of the zone. Please resolve this conflict as soon as possible."  

My replication scope is domain, not forest, on all DCs

As shown in the attached capture from ADSI Edit, my forest and domain containers both have a zone called xxxx.local (yellow highlights).

I believe this is a duplicate zone situation and one of these zones should be removed. But because these are not named InProgress or CNF, I hesitate.

The details pane shows data from the Forest copy and this zone has references to a site that was removed long ago called TB (circled in red). These references do not exist in the domain copy of this zone.

Considering the event ID details, the old AD site reference (in only the Forest copy) and my scope settings I believe I should delete the ForestDNSZone called xxxx.local.


90405-duplicate-dns.jpg

So my specific questions are -

  • Is my reasoning correct about removing that zone?

  • If just right click and delete this zone will it safely stop the event ID 4515s or are there other actions I should take?

  • Will the deletion replicate around to the other DCs or will it need to be deleted manually on all DCs?

Any input is really appreciated.

Warmest regards..



@afekay

windows-dhcp-dns

DaisyZhou-MSFT answered DaisyZhou-MSFT commented

Hello @GaryBabin-0701,

Thank you for posting here.

1-From what I see in my lab, the zone name is DC=domain.com under DomainDNSZones and the zone name is DC=_msdcs.domain.com under ForestDNSZones.

For example:

90618-dns1.png


2-Based on "My replication scope is domain, not forest, on all DCs", do you mean the following setting?
90634-dns2.png

3-Did you make any change before you saw the same zone under both ForestDNSZones and DomainDNSZones?

For example:

I have created the same zone as below.
90671-dns5.png


4-Is the content of the two zones with the same name (in your case) the same or not?


Is your AD forest single forest with single domain?
How many DCs are there in each domain?
Is it the same display on all DCs (the same zone under ForestDNSZones and DomainDNSZones)?


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.





I would love to click Accept Answer and upvote it.. and feel a little foolish that I don't see it? Where is this button?


Hello @GaryBabin-0701,

I am so glad to receive your reply.

Did you sign in to your Q&A account? If so, we can see the "Accept Answer" button and Vote button here.

93771-ace.png


For more information about "Accept Answer button and Vote button", we can refer to link below.

https://docs.microsoft.com/en-us/answers/articles/25904/verified-answers.html

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou







Interestingly, I could not see the accept buttons if logged in to Chrome. I switched to Opera and can see them.

If I can choose only one answer will others see the whole thread or just that answer? I ask because the entire thread will be helpful to others, including my last statement pointing to Ace's article.

Otherwise, if I choose the last answer (which is actually my own reply), will that cause the whole thread to be viewable (all the questions and answers in the thread)?

GaryBabin-7127 answered DaisyZhou-MSFT commented

Thank you Daisy, @DaisyZhou-MSFT

I deleted the Forest copy of the zone and all replicated out of the DCs cleanly. It has been several hours and things are running fine. DNS looks nice and clean.

For those reading -- there is good information in this thread that might clarify certain questions if you are researching duplicate DNS zone issues. For those with such issues I recommend Ace Fekay's very informative article which is where I started. https://blogs.msmvps.com/acefekay/category/cnf/

That article gave me needed background along with what to do and how to do it. I used that info to clear up most duplicate zones issues but there was one remaining duplicate zone not covered enough for me to confidently eliminate it. I sought more expert feedback - that is what this thread is about.

Daisy stepped up with responsive and accurate feedback. Bravo!


Hello @GaryBabin-0701,

Thank you for your update and sharing. I am very glad that the information is helpful and the problem has been solved.

If any answer is helpful to you, please accept it as the answer. This can help other people with similar problems on the forum to find the answer to the question easily and fast.

As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!

Thank you very much for your understanding and support.



GaryBabin-7127 answered

Thank you for confirming the scope question. I have run all the replication tests as you suggested. Replication is working flawlessly. I will remove the duplicate zone at my first opportunity and report results here.

DaisyZhou-MSFT answered

Hello @GaryBabin-0701,

Thank you for your update.


Yes, I also find the zone _msdcs.domain.com in your screenshot.

By default, the replication scope is "all dns servers in this forest".
91965-dns1.png

So it is in ForestDnsZones.
92001-dns2.png

But in your case, in your production domain (with the duplicate zone), the zone _msdcs.xxxx.local is set for "all dns servers in this domain".

So it is in DomainDnsZones.

I think as long as your AD environment is normal and there is no problem with replication, you can change or not change the replication scope as needed.


Best Regards,
Daisy Zhou





DaisyZhou-MSFT answered GaryBabin-7127 commented

Hello @GaryBabin-0701,

Thank you for your update.

And I am sorry for the late reply.


Q: Is there a way to know when a zone was last accessed or updated? That info might also confirm this is an unused zone ok to remove.
A: I am sorry, I did not find such a way.


If the data in the ForestDnsZones copy is outdated, since it has references to a site that no longer exists, you can delete the zone in the ForestDnsZones copy.


Before you delete them:

1. We can check whether AD replication works fine by running the following commands on the PDC.

repadmin /syncall /AdeP >c:\rep1.txt

repadmin /showrepl >c:\rep2.txt

repadmin /replsum >c:\rep3.txt


repadmin /showrepl * /csv >c:\repsum.csv

If all the results are OK without any error message, AD replication works fine.

2. Check the replication scope on DC=XXXX.local in DomainDnsZones and on DC=XXXX.local in ForestDnsZones again.


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.



Best Regards,
Daisy Zhou



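As an added example (not code from this thread, from Microsoft, or from the article it links), here is a read-only PowerShell script that performs the checks discussed above in one pass: it lists the dnsZone objects under DomainDnsZones and ForestDnsZones and reports any zone name present in both, shows each AD-integrated zone's replication scope and the partition it actually loads from on this server, pulls recent event ID 4515 entries, and runs the same repadmin health checks as the answer. It assumes the ActiveDirectory and DnsServer RSAT modules are installed and that it runs on a domain controller that is also a DNS server; the zone DN in the final commented line is a placeholder built from the redacted xxxx.local name used in the thread.

```powershell
# Added example, not code from this thread. Read-only inventory of the checks the
# thread discusses: duplicate dnsZone objects across DomainDnsZones/ForestDnsZones,
# per-zone replication scope on this server, recent event 4515 entries, and a
# repadmin summary. Assumes the ActiveDirectory and DnsServer RSAT modules and that
# it runs on a domain controller that is also a DNS server.
Import-Module ActiveDirectory
Import-Module DnsServer

$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext      # e.g. DC=xxxx,DC=local
$forestDN = $rootDse.rootDomainNamingContext   # equals $domainDN in a single-domain forest

# The two application partitions compared in the thread.
$partitions = [ordered]@{
    DomainDnsZones = "DC=DomainDnsZones,$domainDN"
    ForestDnsZones = "DC=ForestDnsZones,$forestDN"
}

# 1. List every dnsZone object in each partition. Zones sit directly under
#    CN=MicrosoftDNS in the partition; CNF/InProgress leftovers show up here as well.
$zones = foreach ($p in $partitions.GetEnumerator()) {
    $partitionName = $p.Key
    Get-ADObject -SearchBase "CN=MicrosoftDNS,$($p.Value)" -SearchScope OneLevel `
                 -LDAPFilter '(objectClass=dnsZone)' -Properties whenChanged |
        Select-Object @{n = 'Partition'; e = { $partitionName }}, Name, DistinguishedName, whenChanged
}

# 2. A zone name present in more than one partition is the 4515 conflict the thread
#    describes: the DNS server loads one copy and ignores the other.
$duplicates = $zones | Group-Object Name | Where-Object Count -gt 1
foreach ($d in $duplicates) {
    Write-Host "Zone '$($d.Name)' exists in more than one partition:"
    foreach ($copy in $d.Group) {
        # whenChanged of the newest child dnsNode is the last AD-side record write in
        # that copy. It is not a 'last queried' timestamp (the DNS server keeps none),
        # but a copy whose records have not changed in years is a useful hint.
        $lastRecordWrite = Get-ADObject -SearchBase $copy.DistinguishedName -SearchScope OneLevel `
                               -LDAPFilter '(objectClass=dnsNode)' -Properties whenChanged |
                           Sort-Object whenChanged -Descending |
                           Select-Object -First 1 -ExpandProperty whenChanged
        [pscustomobject]@{
            Partition       = $copy.Partition
            DN              = $copy.DistinguishedName
            ZoneObjChanged  = $copy.whenChanged
            LastRecordWrite = $lastRecordWrite
        } | Format-List
    }
}
if (-not $duplicates) { Write-Host 'No zone name appears in more than one partition.' }

# 3. Replication scope as this DNS server sees it (Domain vs Forest) and the
#    partition each AD-integrated zone actually loads from.
Get-DnsServerZone | Where-Object IsDsIntegrated |
    Select-Object ZoneName, ReplicationScope, DirectoryPartitionName | Format-Table -AutoSize

# 4. Recent event 4515 entries in the DNS Server log (the symptom in the question).
Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 4515 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

# 5. Replication health before touching anything (same repadmin checks as the answer).
repadmin /replsum
repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Source DSA', 'Naming Context', 'Number of Failures', 'Last Failure Status' |
    Format-Table -AutoSize

# Deleting the stale copy is the ADSI Edit right-click delete from the thread; the
# equivalent cmdlet needs -Recursive because a dnsZone holds dnsNode children.
# Placeholder DN; preview only, drop -WhatIf once you are sure which copy to remove:
# Remove-ADObject -Identity 'DC=xxxx.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=xxxx,DC=local' -Recursive -WhatIf
```

Run it on each DC, not just one: the zone list in step 1 comes from the directory and should match everywhere once replication has converged, but steps 3 and 4 are per-server views, which is exactly what the thread's "is it the same display on all DCs" question is probing.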

Hi Daisy.

We have online testing underway -- I will wait for that to pass as we are busy with students and client issues. I'll be able to do all this probably next week and will report results.

Thank you for all the help and advice.

G


If I might ask one other replication scope question. I had a chance to look at a newly installed AD domain and compare it with my own.

I noticed that zone _msdcs.domain.com's replication scope is set to "all dns servers in this forest" and the zone domain.com is set to "all dns servers in this domain".

On my production domain (with the duplicate zone) the zone _msdcs.xxxx.local is set for "all dns servers in this domain" which is the same setting as xxxx.local

I'm thinking this doesn't matter as long as the setting is the same on all DCs. But I would like to confirm this.

Otherwise, if _msdcs.xxxx.local should be set for "all dns servers in this forest", perhaps that is how I got the duplicate zone to begin with? And should I change it?




GaryBabin-7127 answered GaryBabin-7127 edited

Thank you for a quick reply, Daisy. @DaisyZhou-MSFT

I'll answer your questions:

1 Lab View - I assume your lab example looks like the way the records "should" be. In my case it is like having a "b.local" in both DomainDnsZones and ForestDnsZones. I have only one _msdcs.b.local, which is in DomainDnsZones (I assume because of my scope settings).

2 Replication Scope - yes, my settings are exactly as your example. I checked all my DCs, too.

3 Did you make any change? - No, nothing anytime recently. This is something that probably happened a long time ago during promo of a new DC. DNS has run fine all along, but I want to clean things before increasing my functional level and bringing in my first 2019 Domain Controller.

4 Is content the same in both records - No, but neither is empty. As noted in my description, the data in the ForestDnsZones copy seems outdated since it has references to a site that no longer exists. That is the main reason I feel pretty sure this is the zone to remove.

The active directory is single forest and single domain, yes.

There are six total DCs and four sites.

The two records with the same name do look the same on every domain controller.

Is there a way to know when a zone was last accessed or updated? That info might also confirm this is an unused zone ok to remove.

I am hoping I could just delete the b.local record in ForestDnsZones and leave the b.local copy in the DomainDnsZones. Then let replication clean up the rest. What do you think?

Thank you --
