Issues:
In reviewing the DNS Server event logs you find the following message over and over again.
Event ID: 4521
Source: DNS
Type: Warning
Description:
The DNS server encountered error 9002 attempting to load zone . from Active Directory. The DNS server will attempt to load this zone again on the next timeout cycle. This can be caused by high Active Directory load and may be a transient condition.
Error 9002 means a DNS server failure occurred.
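Before touching any partition it helps to know whether the repeated 4521 entries all concern the "." (Root Hints) zone or other zones too. The script below is an added example, not part of the original article: it reads Event ID 4521 from the DNS Server log and groups the entries by zone and error code (the 9002 code and the message text follow the event shown above; the server name and time window are parameters you supply).

```powershell
# Added example: triage repeated Event ID 4521 in the DNS Server event log.
# Assumes it runs on, or can remotely read the log of, the DNS server named in -ComputerName.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24
)

$filter = @{
    LogName   = 'DNS Server'
    Id        = 4521
    StartTime = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Output "No Event ID 4521 entries in the last $Hours hours on $ComputerName."
    return
}

# Message text as quoted in the article:
# "... encountered error 9002 attempting to load zone . from Active Directory ..."
$pattern = 'encountered error (?<Code>\d+) attempting to load zone (?<Zone>\S+) from Active Directory'

$events |
    ForEach-Object {
        if ($_.Message -match $pattern) {
            [pscustomobject]@{
                Time  = $_.TimeCreated
                Zone  = $Matches.Zone
                Error = [int]$Matches.Code
            }
        }
    } |
    Group-Object Zone, Error |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            Zone      = $sorted[0].Zone
            Error     = $sorted[0].Error
            Count     = $_.Count
            FirstSeen = $sorted[0].Time
            LastSeen  = $sorted[-1].Time
        }
    } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

If the only zone reported is "." with error 9002, the Root Hints workaround further down applies; if other zones appear, follow the full solution.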
The zone “.” refers to the Root Hints (aka Cache.dns file) being loaded into (or from) the Active Directory DNS partition. In this case the affected partition was the AD-Domain partition (see below). Using dnscmd.exe you can determine which AD partition is affected and the Distinguished Name (DN) to access that zone.
C:\>dnscmd 10.1.1.1 /zoneinfo .
Zone query result:
Zone info:
ptr = 00082FE0
zone name = .
zone type = 0
update = 0
DS integrated = 1
data file = (null)
using WINS = 0
using Nbstat = 0
aging = 0
refresh interval = 0
no refresh = 0
scavenge available = 0
Zone Masters
NULL IP Array.
Zone Secondaries
NULL IP Array.
secure secs = 0
directory partition = AD-Domain flags 00000015
zone DN = DC=RootDNSServers,cn=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=local
Command completed successfully.
An attempt to use ADSIEdit to connect to the AD-Domain partition results in the following error message:
A referral was returned from the server.

While attempting to create a new AD integrated zone on the AD-Domain partition you receive the following error message.
The zone cannot be created.
There was a server failure.

Cause:
Replication of the specified partition (typically AD-Domain but could be AD-Forest) has failed. The partition is most likely still present, but is in an unusable and unstable state.
This issue has been reported to occur in some cases after installing SP2 or after moving from a Mixed-mode domain to a Native or Windows 2003 mode domain.
Workaround:
If only the Cache Zone (Root Hints) is affected, you can change where these settings are stored to a file or registry using the DNS GUI as shown below.

This does not correct the underlying issue of the partition.
Solution:
Log in to one of the Domain Controllers / DNS servers that is having this issue. You must be an Enterprise Admin to perform these steps. You will also need the Windows 2003 Support Tools installed to run the DnsCmd command.
1) Determine which, if any, DNS zones are being stored in the problem partition (AD-Domain in our example above).
Command: dnscmd /enumzones
C:\>dnscmd /enumzones
Enumerated zone list:
Zone count = 4
Zone name        Type        Storage      Properties
.                Cache       AD-Domain
domain1.com      Primary     AD-Forest
domain2.com      Forwarder   AD-Forest
domain3.local    Secondary   File
domain4.net      Forwarder   AD-Forest
a. Review the Storage column for AD-Domain. If any of the zones are stored in this location, export those zones via the DNS GUI or DNSCMD before continuing.
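Step 1 can be scripted. The following is an added example (not the article's own code) that parses the output of dnscmd /enumzones, lists the zones whose Storage column matches the affected partition, and, with -Export, writes each one out with dnscmd /zoneexport; the cache zone "." is skipped because it is handled by the Root Hints workaround instead. It assumes dnscmd.exe is on the PATH and the account can export zones on the named server.

```powershell
# Added example: find the zones stored in the problem partition and export them first.
param(
    [string]$ServerName = $env:COMPUTERNAME,
    [string]$Partition  = 'AD-Domain',   # or 'AD-Forest'
    [switch]$Export                      # without -Export the script only reports
)

function Get-DnsCmdZones {
    param([string]$Server)
    $raw = & dnscmd $Server /enumzones
    $inTable = $false
    foreach ($line in $raw) {
        # Rows start after the "Zone name  Type  Storage  Properties" header line
        if ($line -match '^\s*Zone name\s+Type\s+Storage') { $inTable = $true; continue }
        if (-not $inTable -or $line -match '^\s*$' -or $line -match '^Command completed') { continue }
        $fields = $line.Trim() -split '\s+'
        if ($fields.Count -lt 3) { continue }
        [pscustomobject]@{
            Name       = $fields[0]
            Type       = $fields[1]
            Storage    = $fields[2]
            Properties = if ($fields.Count -gt 3) { $fields[3..($fields.Count - 1)] -join ' ' } else { '' }
        }
    }
}

$affected = Get-DnsCmdZones -Server $ServerName | Where-Object { $_.Storage -eq $Partition }

if (-not $affected) {
    Write-Output "No zones stored in $Partition on $ServerName; nothing to export."
    return
}

$affected | Format-Table -AutoSize

if ($Export) {
    foreach ($zone in $affected) {
        if ($zone.Name -eq '.') {
            Write-Output 'Cache zone "." is not exported; move Root Hints to file/registry storage instead.'
            continue
        }
        # zoneexport writes the file under %SystemRoot%\System32\dns
        $file = "$($zone.Name).export.dns"
        & dnscmd $ServerName /zoneexport $zone.Name $file
        Write-Output "Exported $($zone.Name) -> $file (exit code $LASTEXITCODE)"
    }
}
```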
2) Use the ntdsutil to list Replicas of the affected partition
Command: ntdsutil
Example: make sure to specify the correct DnsZones partition!
ntdsutil: domain management
domain management: connections
server connections: connect to server servername
Binding to servername ...
Connected to servername using credentials of locally logged on user.
server connections: quit
domain management: list nc replicas dc=domaindnszones,dc=domain,dc=local
The application directory partition dc=domaindnszones,dc=domain,dc=local's Replicas are:
CN=NTDS Settings,CN=SERVER1,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=domain,DC=local *
CN=NTDS Settings,CN=SERVER2,CN=Servers,CN=Site2,CN=Sites,CN=Configuration,DC=domain,DC=local *
NOTE: Couldn't verify the instantiated/uninstantiated state of these replicas.
3) You should now remove the Replica from each DC server name listed. To do this, follow the example given below. Make sure to specify the correct DnsZones partition!
ntdsutil: domain management
domain management: connections
server connections: connect to server SERVER1
Binding to server1 ...
Connected to server1 using credentials of locally logged on user.
server connections: quit
domain management: remove NC Replica dc=domaindnszones,dc=domain,dc=local NULL
domain management: connections
server connections: connect to server SERVER2
Binding to server2 ...
Connected to server2 using credentials of locally logged on user.
server connections: quit
domain management: remove NC Replica dc=domaindnszones,dc=domain,dc=local NULL
4) Use Active Directory Sites and Services to force replication or wait until replication takes place. Force replication on all DCs in all Sites.

5) Now remove the DomainDnsZones partition using the following ntdsutil command. You only need to do this once, while connected to a DC / DNS server that is a member of the same domain as the DomainDnsZones partition.
ntdsutil: domain management
domain management: connections
server connections: connect to server SERVER1
Binding to server1 ...
Connected to server1 using credentials of locally logged on user.
server connections: quit
domain management: delete NC dc=domaindnszones,dc=domain,dc=local
The operation was successful. The partition has been marked for removal from the enterprise. It will be removed over time in the background.
Note: Please do not create another partition with the same name until the servers which hold this partition have had an opportunity to remove it. This will occur when knowledge of the deletion of this partition has replicated throughout the forest, and the servers which held the partition have removed all the objects within that partition. Complete removal of the partition can be verified by consulting the Directory event log on each server.
6) Use Active Directory Sites and Services to force replication or wait until replication takes place.
7) Verify the DnsZones partition has been deleted.
a. Make sure to specify the correct DnsZones partition!
b. For AD-Domain run the following command on each DC / DNS Server that is a member of the domain.
c. For AD-Forest run the following command on each DC / DNS Server in the forest, substituting the ForestDnsZones partition name.
Command: dnscmd servername /directorypartitioninfo domaindnszones.domain.local
C:\>dnscmd servername /directorypartitioninfo domaindnszones.domain.local
Directory partition info query failed
status = 9901 (0x000026ad)
Command failed: DNS_ERROR_DP_DOES_NOT_EXIST 9901 (000026ad)
8) Run the following command to create the appropriate partition.
DnsCmd <ServerName> /CreateBuiltinDirectoryPartitions <Option>
Option must be one of:
/Domain -- Creates the built-in domain-wide DNS directory partition for
the Active Directory domain where the DNS server specified by
ServerName is located.
/Forest -- Creates the built-in forest-wide DNS directory partition for
the Active Directory forest where the DNS server specified by
ServerName is located.
/AllDomains -- Creates the built-in domain-wide DNS directory partitions
on a DNS server in each domain in the Active Directory forest where
the user running this command is logged on. The ServerName argument
is ignored for this operation.
9) Verify the partition was created.
C:\>dnscmd Server /enumdirectorypartitions
Enumerated directory partition list:
Directory partition count = 3
DomainDnsZones.domain1.local    Enlisted Auto Domain
DomainDnsZones.domain2.local    Not-Enlisted
ForestDnsZones.domain1.local    Enlisted Auto Forest
10) Use Active Directory Sites and Services to force replication or wait until replication takes place.
11) Test creating a DNS zone in the appropriate DNS partition.
More Information:
Add or remove an application directory partition replica
Create or delete an application directory partition
How to re-install an AD-Legacy Active Directory DNS Partition
By default, the DNS Server service will attempt to locate and create the default DNS application directory partitions in Active Directory. If the DNS Server service is unable to do this, the administrator can manually create the application directory partitions as described above.
Default Application Partition Names used in DnsCmd
AD-Domain = DomainDnsZones.domain.local
Is located here: cn=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=local
AD-Forest = ForestDnsZones.root.domain.local
Is located here: cn=MicrosoftDNS,DC=ForestDnsZones,DC=root,DC=domain,DC=local
AD-Legacy = has no specified name, but is located at the following location in every domain in the forest:
cn=MicrosoftDNS,cn=System,DC=domain,DC=local
Change DC=domain,DC=local as needed for each domain in the forest.
The AD-Legacy can never go missing from DNS, because the DNS information is stored within the Domain AD partition.