

How to replicate DNS records to a second DNS server

Question

Monday, March 12, 2012 6:13 PM

I have my main DNS server installed on Windows 2008 R2.

I installed another Windows 2008 R2 and installed DNS on it. I want the second server to be a second DNS server (backup).

How am I supposed to do that?

Thanks

Jason

All replies (23)

Monday, March 12, 2012 6:37 PM ✅Answered | 1 vote

Is the first DNS server a domain controller? If so, and the new server is also a domain controller, you can use AD integrated zones. This will *automatically* replicate to all DCs within their replication scope settings.

Active Directory-Integrated Zones: Domain Name System (DNS). Mar 28, 2003. DNS servers running on domain controllers can store their zones in Active Directory. In this way, it is not necessary to configure a ...
http://technet.microsoft.com/en-us/library/cc772746(WS.10).aspx

Active Directory-Integrated DNS. To use DNS integration within Active Directory, assign the zone type Active Directory-integrated when you create the zone. (For more information about how ...
http://technet.microsoft.com/en-us/library/cc978010.aspx

.

If they are not domain controllers, or if the first one is and the second server is not, then you can create a Secondary zone on the new server, which will use zone transfers from the first DNS server, which is the "Master" for the zones, which holds the Primary copy of the zone.

Zone transfers allow you to put a read only copy (Secondary zone) elsewhere from a read/write copy (Primary zone). Primary and Secondary zones store their data as text files. On a Windows machine, the files can be found in the \system32\dns folder with a file name such as "domain.com.dns". You can have numerous read only copies, but there can only be one read/write of that zone.

If they were domain controllers, you can use AD integrated zones, which work as and are similar to Primary zones, however their data is stored as binary data in the actual AD database and not as a text file. The specific place in the AD database depends on the type of operating system and replication scope which is AD based.

Create a secondary zone: Domain Name System (DNS);
http://technet.microsoft.com/en-us/library/cc775491(v=ws.10).aspx

Add a secondary server for an existing zone: Domain Name System
http://technet.microsoft.com/en-us/library/cc757524(v=ws.10).aspx

.

============================================================================

Here's a background:

Also discussed in:
Technet forum question; "Secondary Zones?"
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/c1b0f3ac-c8af-4f4e-a5bc-23d034c85400

The basics:
•A Secondary is a read-only copy
•A Secondary zone stores its data in a text file (by default in the system32\dns folder)
•A Secondary gets a copy of the zone data from the Primary
•A Primary is the writeable copy
•A Primary stores its zone data in a text file (by default in the system32\dns folder)
•There can only be one Primary, but as many Secondaries as you want.
•You must allow zone transfer capabilities from the Primary zone if you want to create a Secondary.
 
Active directory Integrated Zones changes this a bit:
•The "only one Primary Zone" rule is changed by introducing the Multi-Master Primary feature. This is because the data is not stored as a text file, rather it is stored in the actual, physical AD database (in one of 3 different logical locations or what we call the Replication Scope), and any DC that has DNS installed (based on the replication scope) will be a writeable copy.
•The zone data is replicated to other DCs in the replication scope where the data is stored (based on one of the 3 logical locations)
•Each DC in the replication scope that has DNS installed, will automatically make available the zone data in DNS
•Each DC that hosts the zone can "write" to the zone, and the changes get replicated to other DCs in the replication scope of the zone.
•The DC that makes a change becomes the SOA at that point in time, until another DC makes a change to the zone, then it becomes the SOA
•An AD Integrated zone can be configured to allow zone transfers to a Secondary, but the Secondary CANNOT be a DC in the same replication scope as the zone you are trying to create as a Secondary, otherwise the DC you are attempting to create the Secondary on will automatically change it to AD integrated, since it "sees" it in the AD database. In some cases, if this is forced or done incorrectly, it can lead to duplicate zones in the AD database, which is problematic until fixed.

.

Ace Fekay
MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.
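The two-server arrangement from this answer, worked through in PowerShell as an added example; it is not code from the thread or from Ace's posts. It assumes the DnsServer module, which ships with Windows Server 2012 and later and with RSAT (the 2008 R2 hosts in the question would use dnscmd instead), and the server names, zone name pattern and IP addresses are placeholders. It goes one step beyond the answer: it loops over every standard Primary zone on the master, which also covers the follow-up question about multiple zones, and it ends with a check for zones still left open to transfer by any host.

```powershell
# Added example, not from the thread. Primary stays on server 1, read-only
# Secondary copies go on server 2, and zone transfers are restricted to
# server 2 only. Placeholder names and addresses:
$PrimaryServer = 'dns1.corp.example.com'   # holds the read/write (Primary) copy
$PrimaryIP     = '10.0.0.10'
$SecondaryHost = 'dns2.corp.example.com'   # will hold the read-only (Secondary) copies
$SecondaryIP   = '10.0.0.11'

# Every standard Primary zone on the master: not AD-integrated and not one of
# the auto-created reverse zones. One loop handles any number of zones.
$zones = Get-DnsServerZone -ComputerName $PrimaryServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsDsIntegrated -and -not $_.IsAutoCreated }

foreach ($z in $zones) {
    # 1. On the Primary: allow transfers only to the listed secondary and notify
    #    it of changes. The setting to avoid is -SecureSecondaries TransferAnyServer,
    #    which lets any host on the network pull the whole zone (AXFR).
    Set-DnsServerPrimaryZone -ComputerName $PrimaryServer -Name $z.ZoneName `
        -SecureSecondaries TransferToSecureServers -SecondaryServers $SecondaryIP `
        -Notify NotifyServers -NotifyServers $SecondaryIP

    # 2. On the Secondary: create the read-only copy, stored as a text file in
    #    %SystemRoot%\System32\dns as the answer describes.
    Add-DnsServerSecondaryZone -ComputerName $SecondaryHost -Name $z.ZoneName `
        -ZoneFile "$($z.ZoneName).dns" -MasterServers $PrimaryIP

    # 3. Pull the zone now instead of waiting for the SOA refresh interval.
    Start-DnsServerZoneTransfer -ComputerName $SecondaryHost -Name $z.ZoneName -FullTransfer
}

# Verification: the Secondary should list each zone with ZoneType 'Secondary'
# and the Primary as its master.
Get-DnsServerZone -ComputerName $SecondaryHost |
    Where-Object ZoneType -eq 'Secondary' |
    Select-Object ZoneName, ZoneType, MasterServers

# Audit helper: Primary zones on a server that still allow transfers to any
# requester. Worth running against every DNS server you manage.
function Get-OpenTransferZone {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and $_.SecureSecondaries -eq 'TransferAnyServer' } |
        Select-Object ZoneName, SecureSecondaries, SecondaryServers
}
Get-OpenTransferZone -ComputerName $PrimaryServer
```

On 2008 R2 without the module, the same two steps are `dnscmd dns1 /ZoneResetSecondaries corp.example.com /SecureList 10.0.0.11` on the master and `dnscmd dns2 /ZoneAdd corp.example.com /Secondary 10.0.0.10` on the new server.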


Monday, March 12, 2012 7:03 PM ✅Answered

Are these domain controllers?

If they are not domain controllers, yes. 

If they are domain controllers, no, because it's done automatically.

.

Ace Fekay
MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.


Monday, March 12, 2012 7:00 PM

Thanks very much.

If I have multiple zones, do I need to create second zones one by one?

Jason


Tuesday, June 11, 2013 11:41 AM

hello,

I have two domain controllers. I just added the new DC as an additional DC.

I need their DNS servers to replicate, so that they can be similar, except of course for the IP.

How can I go about achieving this?


Tuesday, June 11, 2013 2:34 PM

If the zone is AD integrated (that means the zone is stored in the AD database and automatically replicates with the AD replication process), then ALL YOU HAVE TO DO is promote the server to a domain controller, install DNS service on it, and it will automatically "see" the zone in the AD database and it will show up in the DNS console.

If it didn't show up, then it means there is a problem possibly due to misconfiguration. Let us know if it doesn't show up automatically.

To understand what an AD integrated zone is, read the following, please:

DNS Zone Types Explained, and their Significance in Active Directory
http://blogs.msmvps.com/acefekay/2013/04/30/dns-zone-types-explained-and-their-significance-in-active-directory/

Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

This post is provided AS-IS with no warranties or guarantees and confers no rights.


Sunday, June 16, 2013 2:05 PM

I had two domain controllers running under Windows Server 2003 R2

Replication was okay before the demotion

I demoted one DC which was old and was left with the other one

However,

I am getting this error whenever I try to create a user in the new DC

Cannot create the object because
directory service was unable to allocate a
relative identifier

With only one domain controller now, I did an FSMO check and confirmed
all the five roles are with the new DC

Please guide me on how I can resolve this


Sunday, June 16, 2013 3:55 PM

It appears the two DCs are not communicating properly. To better assist, please provide the following information:

  • Unedited ipconfig /all from both DCs
  • Event log errors from both DCs
  • Results of "netdom query fsmo" from both DCs

Thank you.

Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

This post is provided AS-IS with no warranties or guarantees and confers no rights.


Sunday, June 16, 2013 4:37 PM

It appears the two DCs are not communicating properly. To better assist, please provide the following information:

  • Unedited ipconfig /all from both DCs
  • Event log errors from both DCs
  • Results of "netdom query fsmo" from both DCs

Thank you.

Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

This post is provided AS-IS with no warranties or guarantees and confers no rights.

Thanks,

I don't have two DCs. I demoted one and I am left with only one, which is giving me that error when I try to create a user.

I have checked the FSMO role holders and the new domain controller owns them all.

What could be the issue?


Sunday, June 16, 2013 4:49 PM

It will help to see the information from the single DC, for starters.

Did you also run a metadata cleanup?

Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

This post is provided AS-IS with no warranties or guarantees and confers no rights.


Sunday, June 16, 2013 5:03 PM

It will help to see the information from the single DC, for starters.

Did you also run a metadata cleanup?

Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

This post is provided AS-IS with no warranties or guarantees and confers no rights.

I am yet to run a metadata cleanup.


Sunday, June 16, 2013 5:08 PM

It will help to see the information from the single DC, for starters.

Did you also run a metadata cleanup?

Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

This post is provided AS-IS with no warranties or guarantees and confers no rights.

I am yet to run a metadata cleanup.

Apparently that's what you should do to make sure the old DC is no longer being referenced. Follow the procedure in this link:

Complete Step by Step Guideline to Remove an Orphaned Domain controller (including seizing FSMOs, running a metadata cleanup, cleanup DNS (Nameserver tab), AD Sites (old DC references), transfer or fix time settings, WINS settings, etc.
Published by Ace Fekay, MCT, MVP DS on Oct 5, 2010 at 12:14 AM
http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx

Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

This post is provided AS-IS with no warranties or guarantees and confers no rights.


Sunday, June 16, 2013 5:11 PM

And please provide the information I asked for to make sure your DC is configured properly. If not configured properly, your problem may not go away whether you run the metadata cleanup procedure or not. That's why we ask for that information. Just change the domain name in the configs to keep it private, but the IP is already private, so there is nothing to worry about. Many posters provide this information. It's the only real way to diagnose and provide a specific prognosis for each individual case, since after all, everyone's configuration is unique.

If you can't provide it, the next best suggestion is to call Microsoft support.

Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

This post is provided AS-IS with no warranties or guarantees and confers no rights.


Monday, June 17, 2013 6:23 AM

rogram Files\Support Tools>dcdiag

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\**** ****
  Starting test: Connectivity
     ......................... ***** **** passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\**** ****
  Starting test: Replications
     ......................... ***** **** passed test Replications
  Starting test: NCSecDesc
     ......................... NTKE01 passed test NCSecDesc
  Starting test: NetLogons
     ......................... ***** **** passed test NetLogons
  Starting test: Advertising
     Warning: ***** **** is not advertising as a time server.
     ......................... ***** **** failed test Advertising
  Starting test: KnowsOfRoleHolders
     Warning: CN=NTDS Settings\0ADEL:41a9671b-7fe3-418a-b064-4cb5e09bb22f,CN=NTKE01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=***** is the PDC Owner, but is deleted.
     Warning: CN=NTDS Settings\0ADEL:41a9671b-7fe3-418a-b064-4cb5e09bb22f,CN=NTKE01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=***** is the Rid Owner, but is deleted.
     ......................... NTKE01 failed test KnowsOfRoleHolders
  Starting test: RidManager
     Warning: FSMO Role Owner is deleted.
     Warning: attribute rIdSetReferences missing from CN=NTKE01,OU=Domain Controllers,DC=*****
     Could not get Rid set Reference :failed with 8481: The search failed to retrieve attributes from the database.
     ......................... NTKE01 failed test RidManager
  Starting test: MachineAccount
     ......................... NTKE01 passed test MachineAccount
  Starting test: Services
     ......................... NTKE01 passed test Services
  Starting test: ObjectsReplicated
     ......................... NTKE01 passed test ObjectsReplicated
  Starting test: frssysvol
     ......................... NTKE01 passed test frssysvol
  Starting test: frsevent
     ......................... NTKE01 passed test frsevent
  Starting test: kccevent
     ......................... NTKE01 passed test kccevent
  Starting test: systemlog
     An Error Event occured.  EventID: 0x00000457
        Time Generated: 06/17/2013   08:15:16
        (Event String could not be retrieved)
     An Error Event occured.  EventID: 0x00000457
        Time Generated: 06/17/2013   08:15:16
        (Event String could not be retrieved)
     An Error Event occured.  EventID: 0x00000457
        Time Generated: 06/17/2013   08:15:16
        (Event String could not be retrieved)
     An Error Event occured.  EventID: 0x00000457
        Time Generated: 06/17/2013   08:15:17
        (Event String could not be retrieved)
     An Error Event occured.  EventID: 0x00000457
        Time Generated: 06/17/2013   08:15:17
        (Event String could not be retrieved)
     An Error Event occured.  EventID: 0x00000457
        Time Generated: 06/17/2013   08:15:17
        (Event String could not be retrieved)
     An Error Event occured.  EventID: 0x00000457
        Time Generated: 06/17/2013   08:15:18
        (Event String could not be retrieved)
     An Error Event occured.  EventID: 0x00000457
        Time Generated: 06/17/2013   08:15:18
        (Event String could not be retrieved)
     An Error Event occured.  EventID: 0x00000457
        Time Generated: 06/17/2013   08:34:43
        (Event String could not be retrieved)
     An Error Event occured.  EventID: 0x00000457
        Time Generated: 06/17/2013   08:34:43
        (Event String could not be retrieved)
     An Error Event occured.  EventID: 0x00000457
        Time Generated: 06/17/2013   08:34:43
        (Event String could not be retrieved)
     An Error Event occured.  EventID: 0x00000457
        Time Generated: 06/17/2013   08:34:44
        (Event String could not be retrieved)
     An Error Event occured.  EventID: 0x00000457
        Time Generated: 06/17/2013   08:34:44
        (Event String could not be retrieved)
     An Error Event occured.  EventID: 0x00000457
        Time Generated: 06/17/2013   08:34:45
        (Event String could not be retrieved)
     An Error Event occured.  EventID: 0x00000457
        Time Generated: 06/17/2013   08:34:45
        (Event String could not be retrieved)
     An Error Event occured.  EventID: 0x00000457
        Time Generated: 06/17/2013   08:34:45
        (Event String could not be retrieved)
     An Error Event occured.  EventID: 0x00000457
        Time Generated: 06/17/2013   09:01:29
        (Event String could not be retrieved)
     An Error Event occured.  EventID: 0x00000457
        Time Generated: 06/17/2013   09:01:30
        (Event String could not be retrieved)
     An Error Event occured.  EventID: 0x00000457
        Time Generated: 06/17/2013   09:01:30
        (Event String could not be retrieved)
     An Error Event occured.  EventID: 0x00000457
        Time Generated: 06/17/2013   09:01:30
        (Event String could not be retrieved)
     An Error Event occured.  EventID: 0x00000457
        Time Generated: 06/17/2013   09:01:30
        (Event String could not be retrieved)
     An Error Event occured.  EventID: 0x00000457
        Time Generated: 06/17/2013   09:10:45
        (Event String could not be retrieved)
     An Error Event occured.  EventID: 0x00000457
        Time Generated: 06/17/2013   09:10:45
        (Event String could not be retrieved)
     An Error Event occured.  EventID: 0x00000457
        Time Generated: 06/17/2013   09:10:45
        (Event String could not be retrieved)
     An Error Event occured.  EventID: 0x00000457
        Time Generated: 06/17/2013   09:10:46
        (Event String could not be retrieved)
     An Error Event occured.  EventID: 0x00000457
        Time Generated: 06/17/2013   09:10:46
        (Event String could not be retrieved)
     An Error Event occured.  EventID: 0x00000457
        Time Generated: 06/17/2013   09:10:46
        (Event String could not be retrieved)
     An Error Event occured.  EventID: 0x00000457
        Time Generated: 06/17/2013   09:10:46
        (Event String could not be retrieved)
     An Error Event occured.  EventID: 0x00000457
        Time Generated: 06/17/2013   09:10:47
        (Event String could not be retrieved)
     ......................... NTKE01 failed test systemlog
  Starting test: VerifyReferences
     ......................... NTKE01 passed test VerifyReferences

Running partition tests on : ForestDnsZones
  Starting test: CrossRefValidation
     ......................... ForestDnsZones passed test CrossRefValidation

  Starting test: CheckSDRefDom
     ......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
  Starting test: CrossRefValidation
     ......................... DomainDnsZones passed test CrossRefValidation

  Starting test: CheckSDRefDom
     ......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
  Starting test: CrossRefValidation
     ......................... Schema passed test CrossRefValidation
  Starting test: CheckSDRefDom
     ......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
  Starting test: CrossRefValidation
     ......................... Configuration passed test CrossRefValidation
  Starting test: CheckSDRefDom
     ......................... Configuration passed test CheckSDRefDom

Running partition tests on : ***** 
  Starting test: CrossRefValidation
     ......................... *****  passed test CrossRefValidation
  Starting test: CheckSDRefDom
     ......................... *****  passed test CheckSDRefDom

Running enterprise tests on : ***** 
  Starting test: Intersite
     ......................... *****  passed test Intersite
  Starting test: FsmoCheck
     Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
     A Primary Domain Controller could not be located.
     The server holding the PDC role is down.
     Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
     A Time Server could not be located.
     The server holding the PDC role is down.
     Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 135

     A Good Time Server could not be located.
     ......................... ***** failed test FsmoCheck

Please check and advise.


Monday, June 17, 2013 6:38 AM

Since I did a dcpromo demotion, I have only one DC.

Trying to transfer the RID master role

gives me this error:

Ldap extended error message is 000020AF: SvcErr: DSID-0321093D, problem 5002 (UN
AVAILABLE), data 8

Win32 error returned is 0x20af(The requested FSMO operation failed. The current
FSMO holder could not be contacted.)
)
Depending on the error code this may indicate a connection,
ldap, or role transfer error.


Monday, June 17, 2013 8:03 AM

Run a netdom query fsmo. See which roles are not being held by this DC. Then use ntdsutil to seize them:

http://support.microsoft.com/kb/255504

-

I'm not exactly sure why you can't provide the information I've asked for. Apparently you have a major problem going on, and the demotion and/or the prior promotion had problems. Seizing the roles is just part of resolving it, based on the dcdiag. The configuration info is for us to help YOU.

Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

This post is provided AS-IS with no warranties or guarantees and confers no rights.
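An added check, not from the thread or from Ace's posts, that reads the fSMORoleOwner attribute behind each role directly rather than through netdom, so the deleted-owner condition visible in the dcdiag output above ("CN=NTDS Settings\0ADEL:..." for the PDC and RID owners) is reported explicitly. It assumes the ActiveDirectory PowerShell module on the remaining DC; the function name is mine.

```powershell
# Added example, not from the thread. Lists the owner of each FSMO role as the
# directory records it and flags owners that are deleted or not a known DC.
Import-Module ActiveDirectory

function Get-FsmoOwnerState {
    $domainNC = (Get-ADDomain).DistinguishedName
    $rootDse  = Get-ADRootDSE
    # NTDS Settings DNs of the DCs the directory still knows about
    $liveOwners = (Get-ADDomainController -Filter *).NTDSSettingsObjectDN

    # The object that carries the fSMORoleOwner attribute for each of the five roles
    $roleObjects = [ordered]@{
        'PDC'            = $domainNC
        'RID'            = 'CN=RID Manager$,CN=System,' + $domainNC
        'Infrastructure' = 'CN=Infrastructure,' + $domainNC
        'Schema'         = $rootDse.schemaNamingContext
        'DomainNaming'   = 'CN=Partitions,' + $rootDse.configurationNamingContext
    }

    foreach ($entry in $roleObjects.GetEnumerator()) {
        $owner = (Get-ADObject -Identity $entry.Value -Properties fSMORoleOwner).fSMORoleOwner
        [pscustomobject]@{
            Role    = $entry.Key
            OwnerDN = $owner
            # A deleted object keeps its DN with "\0ADEL:<guid>" appended to the RDN,
            # which is exactly what dcdiag printed for the PDC and RID owners
            Deleted = [bool]($owner -match '\\0ADEL:')
            LiveDC  = ($owner -in $liveOwners)
        }
    }
}

$state = Get-FsmoOwnerState
$state | Format-Table Role, Deleted, LiveDC, OwnerDN -AutoSize

# A role whose owner is deleted or unknown has to be seized (KB 255504 above)
# before the RID master can hand out new RIDs again, which is the cause of the
# "unable to allocate a relative identifier" error earlier in the thread.
$state | Where-Object { $_.Deleted -or -not $_.LiveDC } |
    ForEach-Object { Write-Warning "$($_.Role) role owner is not a live DC: $($_.OwnerDN)" }
```

The Deleted column corresponds to the "FSMO Role Owner is deleted" warning in the RidManager test; `netdom query fsmo` may still print the old server's name for such a role because it resolves the DN rather than checking whether the object is live, which is why the poster's FSMO check looked correct.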


Monday, June 17, 2013 8:05 AM

To add, the whole thing could be due to a simple DNS configuration error, and/or multihoming.

Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

This post is provided AS-IS with no warranties or guarantees and confers no rights.


Monday, June 17, 2013 8:12 AM

Run a netdom query fsmo. See which roles are not being held by this DC. Then use ntdsutil to seize them:

http://support.microsoft.com/kb/255504

-

I'm not exactly sure why you can't provide the information I've asked for. Apparently you have a major problem going on, and the demotion and/or the prior promotion had problems. Seizing the roles is just part of resolving it, based on the dcdiag. The configuration info is for us to help YOU.

Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

This post is provided AS-IS with no warranties or guarantees and confers no rights.

Please check the dcdiag results above. I have already provided you with the info.

Kindly advise.


Monday, June 17, 2013 8:34 AM

I looked back but did not see the ipconfig /all. Did I miss it somewhere in your post?

Please follow the advice I've already provided, which is based on the dcdiag. There is more, such as setting the time service, but the FSMOs MUST be straightened out first. And this is based on the limited information you've provided. That's all I can provide at this point until I see the ipconfig /all and the Event log errors.

Then rerun the dcdiag.

Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

This post is provided AS-IS with no warranties or guarantees and confers no rights.


Monday, June 17, 2013 9:31 AM

Run a netdom query fsmo. See which roles are not being held by this DC. Then use ntdsutil to seize them:

http://support.microsoft.com/kb/255504

-

I'm not exactly sure why you can't provide the information I've asked for. Apparently you have a major problem going on, and the demotion and/or the prior promotion had problems. Seizing the roles is just part of resolving it, based on the dcdiag. The configuration info is for us to help YOU.

Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

This post is provided AS-IS with no warranties or guarantees and confers no rights.

When I run an FSMO check, all the roles are on the new DC, which is correct.


Monday, June 17, 2013 9:47 AM

When I try to join a machine to a network, it says the machine couldn't join the domain - DNS error.


Monday, June 17, 2013 3:27 PM

When I run an FSMO check, all the roles are on the new DC, which is correct.

Then it means a simple DNS problem, but you won't post an ipconfig /all to verify it. I'm really trying to help you, but it's difficult and it comes down to GUESS WORK without configuration information.

If you are using your ISP's DNS server, or your router's IP address as a DNS address on any machine (DC, client, etc), then this can occur.

Active Directory's Reliance on DNS, and why you should never use an ISP's DNS address or your router as a DNS address, or any other DNS server that does not host the AD zone name
Published by Ace Fekay, MCT, MVP DS on Aug 17, 2009 at 7:35 PM
http://msmvps.com/blogs/acefekay/archive/2009/08/17/ad-and-its-reliance-on-dns.aspx

-

If your DC is multihomed, meaning it has more than one NIC, IP and/or RRAS is on it, then this can also occur. The combination of this and using the ISP or router, is even worse.

Multihomed DCs (with more than one unteamed NIC or multiple IPs) with DNS, RRAS, iSCSI, Clustering interfaces, management interfaces, backup interfaces, and/or PPPoE adapters - A multihomed DC is not a recommended configuration, however there are ways to configure a DC with registry mods:
http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

Active Directory communication fails on multihomed domain controllers
http://support.microsoft.com/kb/272294/

-

Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

This post is provided AS-IS with no warranties or guarantees and confers no rights.


Tuesday, June 18, 2013 5:21 AM

Thanks Ace,

The greatest mistake I was making was using my ISP DNS on the DC.

Removing it helped.

Since client machines have static IPs, what should be put in the alternate DNS server?


Tuesday, June 18, 2013 5:33 AM

Thanks Ace,

The greatest mistake I was making was using my ISP DNS on the DC.

Removing it helped.

Since client machines have static IPs, what should be put in the alternate DNS server?

See, I could have advised you of that long ago if I saw the configs. :-)

Put nothing else as the second entry. Only the DC. DC only points to itself. That's it.

Configure a forwarder to your ISP's DNS in DNS properties, forwarders tab.

Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

This post is provided AS-IS with no warranties or guarantees and confers no rights.
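The DNS client rules Ace states in this thread (a DC points at itself and other DCs only, never an ISP or router address; external names go out through a forwarder on the DNS service; no multihoming) as an added PowerShell audit. This is not code from the thread or from Ace; it assumes the ActiveDirectory, DnsClient, NetAdapter and DnsServer modules on Windows Server 2012 or later, run locally on the DC, and it accepts any domain controller's address as a valid entry, which generalizes the single-DC case in the thread. The function name is mine.

```powershell
# Added example, not from the thread. Reports every way a DC's own network
# settings break the "DC-only DNS" rule that resolved the poster's problem.
Import-Module ActiveDirectory, DnsClient, NetAdapter, DnsServer

function Test-DcDnsConfig {
    param(
        # Addresses of every DC in the domain: the only acceptable DNS client entries
        [string[]]$DcAddresses
    )
    $findings = @()
    $localIps = (Get-NetIPAddress -AddressFamily IPv4).IPAddress   # includes 127.0.0.1
    $upNics   = Get-NetAdapter | Where-Object Status -eq 'Up'

    # Multihoming: more than one active adapter carrying its own IPv4 address
    $nicsWithIp = foreach ($nic in $upNics) {
        if (Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue) { $nic }
    }
    if (@($nicsWithIp).Count -gt 1) {
        $findings += "Multihomed DC: active IPv4 interfaces $(@($nicsWithIp).Name -join ', ')"
    }

    foreach ($nic in $upNics) {
        $servers = (Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses
        if (-not $servers) { $findings += "$($nic.Name): no DNS server configured"; continue }
        foreach ($s in $servers) {
            # Anything that is not a DC (ISP resolver, router) cannot answer AD's SRV lookups
            if ($s -notin $DcAddresses -and $s -notin $localIps) {
                $findings += "$($nic.Name): DNS server $s is not a domain controller"
            }
        }
        # "DC only points to itself": its own address should come first
        if ($servers[0] -notin $localIps) {
            $findings += "$($nic.Name): first DNS entry $($servers[0]) is not this DC"
        }
    }

    # Internet names are resolved through forwarders on the DNS service, not by
    # putting the ISP's resolver in the client settings
    if (-not (Get-DnsServerForwarder).IPAddress) {
        $findings += 'No forwarder configured on the DNS server (Forwarders tab)'
    }
    return $findings
}

$dcAddresses = (Get-ADDomainController -Filter *).IPv4Address
$result = Test-DcDnsConfig -DcAddresses $dcAddresses
if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else { 'DNS client configuration follows the DC-only rule' }
```

If the last check fires, `Set-DnsServerForwarder -IPAddress <ISP resolver>` is the PowerShell form of the Forwarders tab change in the final reply; the ISP address then lives only on the DNS server, never in the DC's or clients' NIC settings.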