DNS duplicate zone removal - how to determine which zone to remove

Gary Babin 21 Reputation points
2021-04-22T15:39:27.113+00:00

I found Mr. Fekay's article on ADSI Edit and duplicate DNS zones very helpful. Using that guide, I located both InProgress and CNF zones which I was confident to delete.

These all replicated out and have not returned. But I am still getting event ID 4515 entries about once a month. I am pretty sure I have figured out what to do but would like to get some expert opinion to avoid stepping on any landmines. :)

The event 4515 text describes what is happening (I've redacted the actual domain name):

"The zone xxxx.local was previously loaded from the directory partition DomainDnsZones.xxxx.local but another copy of the zone has been found in directory partition ForestDnsZones.xxxx.local. The DNS Server will ignore this new copy of the zone. Please resolve this conflict as soon as possible."  

My replication scope is domain, not forest, on all DCs

As shown in the attached capture from ADSI Edit, my forest and domain containers both have a zone called xxxx.local (yellow highlights).

I believe this is a duplicate zone situation and one of these zones should be removed. But because these are not named InProgress or CNF, I hesitate.

The details pane shows data from the Forest copy and this zone has references to a site that was removed long ago called TB (circled in red). These references do not exist in the domain copy of this zone.

Considering the event ID details, the old AD site reference (in only the Forest copy) and my scope settings I believe I should delete the ForestDNSZone called xxxx.local.

[attached image: 90405-duplicate-dns.jpg]

So my specific questions are -

  • Is my reasoning correct about removing that zone?
  • If just right click and delete this zone will it safely stop the event ID 4515s or are there other actions I should take?
  • Will the deletion replicate around to the other DCs or will it need to be deleted manually on all DCs?

Any input is really appreciated.

Warmest regards.

@afekay
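To make the "which copy is which" question answerable without clicking through ADSI Edit, here is a PowerShell script I am adding as an example; it is not code from the question or from the answers. It lists every dnsZone object in the DomainDnsZones and ForestDnsZones partitions, flags names stored in both (the condition that produces event ID 4515), shows whenCreated/whenChanged as the closest thing AD offers to a "last updated" stamp, and lists leftover CNF/InProgress objects. It assumes the RSAT ActiveDirectory module and a single-domain forest like the xxxx.local in the post.

```powershell
# Added example: find DNS zones that exist in more than one AD application partition.
# Assumes RSAT ActiveDirectory module; the forest/domain DNs come from RootDSE.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$partitions = @(
    "DC=DomainDnsZones,$($rootDse.defaultNamingContext)",     # domain-wide scope
    "DC=ForestDnsZones,$($rootDse.rootDomainNamingContext)"   # forest-wide scope
)

$zones = foreach ($p in $partitions) {
    # Zone objects live directly under CN=MicrosoftDNS in each partition.
    Get-ADObject -SearchBase "CN=MicrosoftDNS,$p" -SearchScope OneLevel `
        -LDAPFilter '(objectClass=dnsZone)' -Properties whenCreated, whenChanged |
        ForEach-Object {
            [pscustomobject]@{
                Zone        = $_.Name
                Partition   = $p
                WhenCreated = $_.whenCreated
                WhenChanged = $_.whenChanged   # last write to the zone object itself
                # Replication-conflict leftovers covered by the ADSI Edit article.
                Conflict    = ($_.Name -match 'CNF:|InProgress')
            }
        }
}

# A zone name present in two partitions: the DNS server loads one copy and
# ignores the other, logging event ID 4515 each time it reloads.
$dupes = $zones | Group-Object Zone | Where-Object Count -gt 1
foreach ($d in $dupes) {
    Write-Host "Duplicate zone: $($d.Name)"
    $d.Group | Format-Table Partition, WhenCreated, WhenChanged -AutoSize | Out-Host
}

# Conflict objects that still need cleanup (usually none after the earlier pass).
$zones | Where-Object Conflict | Format-Table Zone, Partition -AutoSize | Out-Host
```

Compare WhenChanged on the two copies before deleting anything: the copy that stops changing long before the other is usually the stale one, which matches the "old site reference" clue in the question.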


Accepted answer
  1. Anonymous
    2021-04-23T07:16:41.697+00:00

    Hello @Gary Babin ,

    Thank you for posting here.

    1-From what I see in my lab, the zone DC=domain.com is under DomainDNSZones and the zone DC=_msdcs.domain.com is under ForestDNSZones.

    For example:

    [attached image: 90618-dns1.png]

    2-Based on "My replication scope is domain, not forest, on all DCs", do you mean the following setting?
    [attached image: 90634-dns2.png]

    3-Did you make any change before you saw the same zone under both ForestDNSZones and DomainDNSZones?

    For example:

    I have created the same zone as below.
    [attached image: 90671-dns5.png]

    4-Is the content of the two zones (in your case) the same or not?

    Is your AD forest single forest with single domain?
    How many DCs are there in each domain?
    Is it the same display on all DCs (the same zone under ForestDNSZones and DomainDnsZones)?

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.


5 additional answers

  1. Gary Babin 1 Reputation point
    2021-04-23T14:29:34.583+00:00

    Thank you for a quick reply, Daisy. @Anonymous

    I'll answer your questions:

    1 Lab View - I assume your lab example looks like the way the records "should" be. In my case it is like having a "b.local" in both DomainDnsZones and ForestDnsZones. I have only one _msdcs.b.local, which is in the DomainDnsZones (I assume because of my scope settings).

    2 Replication Scope - yes, my settings are exactly as your example. I checked all my DCs, too.

    3 Did you make any change? - No, nothing anytime recently. This is something that probably happened a long time ago during promo of a new DC. DNS has run fine all along, but I want to clean things before increasing my functional level and bringing in my first 2019 Domain Controller.

    4 Is content the same in both records - No, but neither is empty. As noted in my description, the data in the ForestDnsZones copy seems outdated since it has references to a site that no longer exists. That is the main reason I feel pretty sure this is the zone to remove.

    The active directory is single forest and single domain, yes.

    There are six total DCs and four sites

    The two records with the same name do look the same on every domain controller.

    Is there a way to know when a zone was last accessed or updated? That info might also confirm this is an unused zone ok to remove.

    I am hoping I could just delete the b.local record in ForestDnsZones and leave the b.local copy in the DomainDnsZones. Then let replication clean up the rest. What do you think?

    Thank you --


  2. Anonymous
    2021-04-27T06:54:07.173+00:00

    Hello @Gary Babin ,

    Thank you for your update.

    And I am sorry for the late reply.

    Is there a way to know when a zone was last accessed or updated? That info might also confirm this is an unused zone ok to remove.
    A: I am sorry, I did not find such a way.

    If the data in the ForestDnsZones copy is outdated since it has references to a site that no longer exists, you can delete the zone in the ForestDnsZones copy.

    Before you delete them:

    1.We can check whether AD replication works fine by running the following commands on the PDC.

    repadmin /syncall /AdeP >c:\rep1.txt

    repadmin /showrepl >c:\rep2.txt

    repadmin /replsum >c:\rep3.txt

    repadmin /showrepl * /csv >c:\repsum.csv

    If all the results are OK without any error message, it means AD replication works fine.

    2.Check replication scope on DC=XXXX.local in the DomainDnsZones and check replication scope on DC=XXXX.local in the ForestDnsZones again.

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
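The repadmin checks above produce several text files to read by hand. As an added example, not part of this answer or the thread, the PowerShell below runs the same `repadmin /showrepl * /csv` command and parses the CSV so that any replication link with failures on the two DNS application partitions is reported before a zone is deleted. It assumes repadmin.exe is available (RSAT or a DC) and the column names repadmin emits in CSV mode ("Naming Context", "Number of Failures", and so on).

```powershell
# Added example: parse repadmin CSV output instead of eyeballing rep*.txt files.
# Assumes repadmin.exe and its documented CSV column names.
$csvPath = 'C:\repsum.csv'          # same file the answer writes
repadmin /showrepl * /csv | Out-File -FilePath $csvPath -Encoding utf8

$rows = Import-Csv -Path $csvPath

# Only the partitions involved in the duplicate-zone problem matter here.
$dnsRows = $rows | Where-Object {
    $_.'Naming Context' -match '^DC=(Domain|Forest)DnsZones,'
}

# Any link with a non-zero failure count means a deletion may not replicate
# cleanly (or may replicate back), so stop and fix replication first.
$failed = $dnsRows | Where-Object { [int]$_.'Number of Failures' -gt 0 }

if ($failed) {
    Write-Warning "Replication failures on DNS partitions; do not delete zones yet."
    $failed | Format-Table 'Destination DSA', 'Source DSA', 'Naming Context',
        'Number of Failures', 'Last Failure Time', 'Last Failure Status' -AutoSize
} else {
    "No failures on {0} DNS partition replication links; safe to proceed." -f @($dnsRows).Count
}
```

Run it again after deleting the duplicate zone to confirm the removal replicated to every DC rather than being deleted on each one manually.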


  3. Anonymous
    2021-04-28T06:23:30.957+00:00

    Hello @Gary Babin ,

    Thank you for your update.

    Yes, I find zone _msdcs_domain.com in your screenshot, also.

    By default, the replication scope is "all dns servers in this forest".
    [attached image: 91965-dns1.png]

    So it is in ForestDnsZones.
    [attached image: 92001-dns2.png]

    But in your case, in your production domain (with the duplicate zone) the zone _msdcs.xxxx.local is set for "all dns servers in this domain".

    So it is in DomainDnsZones.

    I think as long as your AD environment is normal and there is no problem with replication, you can change or not change the replication scope as needed.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.


  4. Gary Babin 1 Reputation point
    2021-04-28T12:37:48.097+00:00

    Thank you for confirming the scope question. I have run all the replication tests as you suggested. Replication is working flawlessly. I will remove the duplicate zone at my first opportunity and report results here.
