Is it safe to delete these two crossRef objects in ADSIEdit? This is in a Win2K8 environment where the DCs are running DNS and these two zones are missing.
I would like to do this because I cannot create any new zones, forward or reverse. When I attempt to do so, the error I get is
"The zone cannot be created. There was a server failure."
I also see Event ID 4512 repeatedly in the DNS logs with the message
The DNS server was unable to create the built-in directory partition ForestDnsZones.domain.com. The error was 9906.
In a test environment, I was able to delete them safely and upon restarting netlogon and the DNS services the zones/crossRef objects were recreated.
Would deleting them in ADSIEdit be the same as deleting the replication contexts via ntdsutil?
Is there a way to back them up in case something goes wrong?
Thank you.
Update:
The result of:
ldifde -f con -d CN=0e4820e2-35e2-4fcf-bae9-789ca2003a6b,CN=Partitions,CN=Configuration,DC=sub,DC=domain,DC=com
is:
Connecting to "dc2.sub.domain.com"
Logging in as current user using SSPI
Exporting directory to file con
Searching for entries...
Writing out entries.
dn: CN=0e4820e2-35e2-4fcf-bae9-789ca2003a6b,CN=Partitions,CN=Configuration,DC=sub,DC=domain,DC=com
changetype: add
objectClass: top
objectClass: crossRef
cn: 0e4820e2-35e2-4fcf-bae9-789ca2003a6b
distinguishedName: CN=0e4820e2-35e2-4fcf-bae9-789ca2003a6b,CN=Partitions,CN=Configuration,DC=sub,DC=domain,DC=com
instanceType: 4
whenCreated: 20071129065500.0Z
whenChanged: 20110702063659.0Z
nCName: DC=ForestDnsZones,DC=sub,DC=domain,DC=com
uSNCreated: 6080
uSNChanged: 8091
showInAdvancedViewOnly: TRUE
Enabled: FALSE
name: 0e4820e2-35e2-4fcf-bae9-789ca2003a6b
objectGUID:: RIDFRdDkrUO7JUySD8iRig==
dnsRoot: nonexistent.nonexistent.sub.domain.com
systemFlags: 5
objectCategory: CN=Cross-Ref,CN=Schema,CN=Configuration,DC=sub,DC=domain,DC=com
dSCorePropagationData: 16010101000000.0Z
msDS-NC-Replica-Locations: CN=NTDS Settings,CN=dc2,CN=Servers,CN=My-Site,CN=Sites,CN=Configuration,DC=sub,DC=domain,DC=com
1 entries exported
The command has completed successfully
The error I get when trying to establish a new naming context for ForestDNSZones and DomainDNSZones:
And for the sake of clarity, a screenshot of the crossRef objects:
OK, so it seems you need more guidance on this than I planned. Sorry, but I wasn't envisaging a long chat about your issue but merely a couple of posts to steer you in the right direction. In case it wasn't clear, I was merely offering my thoughts on what I would do if I were you. I expect you know the ramifications of what is being done here. I also hope this helps resolve your issue. So here is the final updated version of my reply.
OK, so personally, I'd back up the AD before attempting to delete the crossRef. You need a backup of at least one DC that holds a writable copy of any partition you wish to restore. If you aren't sure who hosts what partition, back up all DCs.
You have already tried this process in an environment, so you know what's involved. You can use any tool that is capable of deleting the crossRef to get rid of the partitions. I have deleted crossRefs using adsiedit.msc before and expect you can delete ForestDnsZones and DomainDnsZones with it. You will lose data if you go down this route, which in the worst-case scenario may require domain/forest restores and other application-specific recovery procedures. It's unlikely, but possible. So let's get that disclaimer out of the way.
Otherwise you can use ntdsutil, as you seem to be aware, to delete these partitions. "ntdsutil - partition management - delete nc" does crossRef removal. When the crossRef is deleted, the DCs replicate the change in and delete the partitions from their database. Data is indeed lost in this process, so only do it if you are sure.
Note that, as you say, one DC is in msDS-NC-Replica-Locations; check to see what zones you have by using adsiedit to connect to that DC and see what is stored in ForestDnsZones and DomainDnsZones. Navigate the partitions and see what's under the MicrosoftDNS container for a list of zones. Deleting the crossRef will delete all zone data on any server that properly hosts the application partitions.
Your screenshots and comments imply an inability to see if there are any zones. In that case, unless your zones are elsewhere, I expect major DNS issues to be present. Either you are doing this wrong when checking or your zones aren't in DomainDnsZones and ForestDnsZones at all. Just remember, if there are any, you will lose them when the crossRef is deleted.
It's possible that you have some other zones hosted in these partitions. Check your DNS/DCs in dnsmgmt.msc to see what zones they have, and open the properties of the zone and check the replication scope to see if it matches the partitions/crossRef you are about to delete. As each DNS server stores config in the registry for zones, you can examine HKLM\Software\microsoft\windows nt\currentversion\dns server\zones on each DC/DNS for each zone to see where the zone is loaded from. If you have static records or any records of interest, check out dnscmd, as it has the /zoneexport option to export zone data as a file-based zone file. You can later use these backups to create zones again and convert them to DS-integrated too.
You can recreate the partitions once deleted with the dnscmd /createbuiltindirectorypartitions switch, as per http://technet.microsoft.com/en-us/library/cc756116(WS.10).aspx#BKMK_4 .
You could also create your own application partitions with different names, like DC=MyDnsPartition, store the zones in them, and choose all DCs of the forest, all DCs of the domain, or a custom pick-and-choose list of DCs as members of the application partition to control where the zones replicate. ForestDnsZones and DomainDnsZones are the default application partitions, as they meet most admins' needs. You don't have to use them. You can make your own, and that flexibility can be used as an option if you can't fix the crossRef and bring it back to the default state.
Something like the following, executed on a DC/DNS like DC1, will create the partition and enlist. You will likely need Enterprise Admin rights; I haven't checked.
dnscmd /createdirectorypartition MyDNSApp
Then add other DCs as a replica destination by enlisting.
dnscmd /enlistdirectorypartition MyDNSApp
If you do the above on DC2, you will find a partition called DC=MyDNSApp eventually replicated from DC1 to DC2. This obviously assumes you have site links and replica topology configuration allowing you to replicate from these sources. I don't want to go into that here, as it's a big topic.
Once the partitions are deleted, you will need to create any zones as necessary. If you had zones to represent AD domains in these partitions, you need to recreate those zones. I would temporarily point all DCs in the forest at the one DC where you first created the partitions and then the zones. Then either restart netlogon or use "nltest /dsregdns" against each DC to get the netlogon service to re-register records. This could take some time. I have also, on occasion when DCs didn't register records quickly enough, created a blank zone (non-AD-integrated) to represent the domain, copied all the content from netlogon.dns of all DCs as necessary to the domain.com.dns file in c:\windows\system32\dns, added A records for the DCs as necessary, reloaded the zone from file in the dnsmgmt.msc console and then converted it to AD-integrated to replicate out. I am not saying you will need to do this. I am saying it to give you an idea of the work you may need to do if things go wrong.
Hopefully this all makes sense. Good luck!
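As an added example (not part of the question or either answer), the inventory-and-backup step the answer recommends before touching the crossRefs, scripted: it lists every crossRef under CN=Partitions, flags the pattern seen in the ldifde output above (Enabled FALSE, dnsRoot "nonexistent..."), exports each object with ldifde, and exports zone data with dnscmd /zoneexport. It assumes the RSAT ActiveDirectory module is available on a DC; $BackupDir and the zone names are placeholders.

```powershell
# Added example: back up crossRef objects and zone data before any deletion.
# Assumes the ActiveDirectory module (RSAT) and run on a DC with rights to
# read CN=Partitions. $BackupDir and $ZonesToExport are placeholders.
Import-Module ActiveDirectory

$BackupDir     = 'C:\ADBackup\crossRef'                 # placeholder path
$ZonesToExport = @('sub.domain.com', '_msdcs.domain.com') # placeholder zones
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

$configNC   = (Get-ADRootDSE).configurationNamingContext
$partitions = "CN=Partitions,$configNC"

# Every crossRef in the Partitions container with the attributes that matter
# when judging whether the partition behind it is healthy.
$crossRefs = Get-ADObject -SearchBase $partitions -SearchScope OneLevel `
    -LDAPFilter '(objectClass=crossRef)' `
    -Properties nCName, dnsRoot, Enabled, systemFlags, 'msDS-NC-Replica-Locations'

foreach ($cr in $crossRefs) {
    # Enabled=FALSE plus a dnsRoot of "nonexistent..." is what the ldifde
    # output in the question shows: a partition that never finished creation.
    $suspect = ($cr.Enabled -eq $false) -or ($cr.dnsRoot -like 'nonexistent.*')
    $tag     = if ($suspect) { 'SUSPECT' } else { 'ok     ' }
    $replicaCount = @($cr.'msDS-NC-Replica-Locations').Count
    '{0} {1,-40} nCName={2} replicas={3}' -f $tag, $cr.Name, $cr.nCName, $replicaCount

    # Same ldifde export the question ran, written to a file instead of the
    # console. The file can be re-imported with: ldifde -i -f <file>
    $safeName = $cr.Name -replace '[^\w\-]', '_'
    $ldfFile  = Join-Path $BackupDir "$safeName.ldf"
    & ldifde.exe -f $ldfFile -d $cr.DistinguishedName | Out-Null
}

# Zone data: dnscmd /zoneexport writes a file-based zone file under
# %SystemRoot%\System32\dns on the DNS server it runs against.
foreach ($zone in $ZonesToExport) {
    & dnscmd.exe /zoneexport $zone "$zone.bak.dns"
}
```

A crossRef marked SUSPECT with zero replica locations matches the partition the question could not see any zones in; one marked ok with replicas listed still holds live zone data that the exports above are meant to preserve.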
I might look into your domain naming master role and see if you can see any problems with that.
Make sure your Domain Naming Master FSMO role owner is up and running. You can find who owns this role by opening the AD Domains and Trusts MMC and right-clicking "Active Directory Domains and Trusts". Select "Operations Master". It will tell you what server holds that role. You can also use that same method to transfer the role to another server.