Greetings everyone.
I have created a child domain in the AD forest with two domain controllers (both Windows 2003 R2). After that I tried to configure an additional DNS server on the second DC. Now I should say that the 1st DNS server on the 1st DC works fine, but the second one doesn't. In the DNS console both the Forward and Reverse lookup zones are empty, and I have a 4015 error event accompanied by 4513 and 4514 events (messages are attached below).
As has been said here, I found and deleted one duplicate zone record using ADSIEdit (the duplicated zone was stored in the Default Naming Context). Now all DNS zones are stored in the appropriate AD partitions - the domain-wide zone in DC=DomainDNSZones,DC=child,DC=domain,DC=com, and the forest-wide zone in DC=ForestDNSZones,DC=domain,DC=com - and no duplicate zones have been found (the Default Naming Context partition contains only Root hints now). All DNS servers were restarted and forced replication was done, but no luck - the errors are still present and the zones are empty in the DNS console.
So, as 4514 and 4515 say, I tried to put my second DC into the appropriate replication scope. This topic should help me. But after
Add NC Replica DC=DomainDNSZones,DC=child,DC=domain,DC=com dc2.child.domain.com
I have got an error:
LDAP error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-03150A48, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Win32 error returned is 0x2098(Insufficient access rights to perform the operation.)
I tried to Google it, but no luck. So, I need help. Please.
Some additional information.
1. 4015 Error message
Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4015
Date: 26.12.2012
Time: 17:22:27
User: N/A
Computer: DC2
Description:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "000020B5: AtrErr: DSID-03152395, #1: 0: 000020B5: DSID-03152395, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9067d (msDS-NC-Replica-Locations)". The event data contains the error.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 13 00 00 00 ....
2. 4513 and 4514 error messages:
Event Type: Information
Event Source: DNS
Event Category: None
Event ID: 4513
Date: 26.12.2012
Time: 17:22:27
User: N/A
Computer: DC2
Description:
The DNS server detected that it is not enlisted in the replication scope of the directory partition ForestDnsZones.domain.com. This prevents the zones that should be replicated to all DNS servers in the child.domain.com forest from replicating to this DNS server. To create or repair the forest-wide DNS directory partition, open the the DNS console. Right-click the applicable DNS server, and then click 'Create Default Application Directory Partitions'. Follow the instructions to create the default DNS application directory partitions. For more information, see 'To create the default DNS application directory partitions' in Help and Support. The error was 9002.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2a 23 00 00 *#..

Event Type: Information
Event Source: DNS
Event Category: None
Event ID: 4514
Date: 26.12.2012
Time: 17:22:26
User: N/A
Computer: DC2
Description:
The DNS server detected that it is not enlisted in the replication scope of the directory partition DomainDnsZones.child.domain.com. This prevents the zones that should be replicated to all DNS servers in the domain.com domain from replicating to this DNS server. For information on how to add a DNS server to the replication scope of an application directory partition, please see Help and Support. To create or repair the domain-wide DNS directory partition, open the the DNS console. Right-click the applicable DNS server, and then click 'Create Default Application Directory Partitions'. Follow the instructions to create the default DNS application directory partitions. For more information, see 'To create the default DNS application directory partitions' in Help and Support. The error was 9005.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2d 23 00 00 -#..
3. DC1 and DC2 ipconfigs:
Windows IP Configuration

   Host Name . . . . . . . . . . . . : dc2
   Primary Dns Suffix  . . . . . . . : child.domain.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : child.domain.com
                                       domain.com

Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : HP Network Team #1
   Physical Address. . . . . . . . . : 00-14-C2-3D-B6-9A
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.25.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.25.1
   DNS Servers . . . . . . . . . . . : 192.168.25.2
                                       192.168.25.3

Windows IP Configuration

   Host Name . . . . . . . . . . . . : dc1
   Primary Dns Suffix  . . . . . . . : child.domain.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : child.domain.com
                                       domain.com

Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : HP Network Team #1
   Physical Address. . . . . . . . . : 00-14-C2-3F-6C-E2
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.25.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.25.1
   DNS Servers . . . . . . . . . . . : 192.168.25.2
                                       192.168.25.3
4. dcdiag on DC2
Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: spb\DC2
      Starting test: Connectivity
         ......................... DC2 passed test Connectivity

Doing primary tests

   Testing server: spb\DC2
      Starting test: Replications
         ......................... DC2 passed test Replications
      Starting test: NCSecDesc
         ......................... DC2 passed test NCSecDesc
      Starting test: NetLogons
         ......................... DC2 passed test NetLogons
      Starting test: Advertising
         ......................... DC2 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... DC2 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... DC2 passed test RidManager
      Starting test: MachineAccount
         ......................... DC2 passed test MachineAccount
      Starting test: Services
         ......................... DC2 passed test Services
      Starting test: ObjectsReplicated
         ......................... DC2 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... DC2 passed test frssysvol
      Starting test: frsevent
         ......................... DC2 passed test frsevent
      Starting test: kccevent
         ......................... DC2 passed test kccevent
      Starting test: systemlog
         ......................... DC2 passed test systemlog
      Starting test: VerifyReferences
         ......................... DC2 passed test VerifyReferences

   Running partition tests on : spb
      Starting test: CrossRefValidation
         ......................... spb passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... spb passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running enterprise tests on : domain.com
      Starting test: Intersite
         ......................... domain.com passed test Intersite
      Starting test: FsmoCheck
         ......................... domain.com passed test FsmoCheck
5. Some repadmin output:
repadmin /showreps

child\DC2
DC Options: (none)
Site Options: (none)
DC object GUID: fbb45f38-ee10-4bdd-bf27-18cc6b6f0995
DC invocationID: e62c67e1-1c6e-4bc8-9238-5307714ac4bb

==== INBOUND NEIGHBORS ======================================

CN=Configuration,DC=domain,DC=com
    child\DC1 via RPC
        DC object GUID: a5f877e9-2a9f-4a70-996c-ab602514a456
        Last attempt @ 2012-12-27 13:45:22 was successful.

CN=Schema,CN=Configuration,DC=domain,DC=com
    child\DC1 via RPC
        DC object GUID: a5f877e9-2a9f-4a70-996c-ab602514a456
        Last attempt @ 2012-12-27 13:45:22 was successful.

DC=child,DC=domain,DC=com
    child\DC1 via RPC
        DC object GUID: a5f877e9-2a9f-4a70-996c-ab602514a456
        Last attempt @ 2012-12-27 13:46:54 was successful.
6. And ntdsutil output:
ntdsutil: domain management
domain management: connections
server connections: connect to server dc2
Binding to dc2 ...
Connected to dc2 using credentials of locally logged on user.
server connections: q
domain management: list nc replicas DC=DomainDnsZones,DC=child,DC=domain,DC=com
The application directory partition DC=DomainDnsZones,DC=child,DC=domain,DC=com's Replicas are:
CN=NTDS Settings,CN=dc1,CN=Servers,CN=child,CN=Sites,CN=Configuration,DC=domain,DC=com
domain management: add nc replica DC=DomainDnsZones,DC=child,DC=domain,DC=com dc2.child.domain.com
LDAP error 0x32(50 (Insufficient Rights).
Ldap extended error message is 00002098: SecErr: DSID-03150A48, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Win32 error returned is 0x2098(Insufficient access rights to perform the operation.)
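The check the post is doing by hand with ntdsutil's "list nc replicas" can be scripted, which is useful for confirming on every DC whether it is in the replication scope of a DNS application partition. The script below is an added example, not code from the post or from Microsoft: it reads the crossRef object of the partition under CN=Partitions in the Configuration naming context and lists its msDS-NC-Replica-Locations attribute (the attribute the 4015 event above names as Att 9067d), then checks whether a given DC's NTDS Settings object is among the replicas. The parameter names $PartitionDN and $DcName are my own; their defaults are the values from the post and should be changed for another forest.

```powershell
# Added diagnostic example (not from the original post). Lists the DCs enlisted in
# the replication scope of a DNS application partition and checks one DC against
# that list. Assumes it runs on a domain-joined machine with read access to the
# Configuration partition; $PartitionDN and $DcName are assumed parameter names
# whose defaults come from the post.
param(
    [string]$PartitionDN = 'DC=DomainDnsZones,DC=child,DC=domain,DC=com',
    [string]$DcName      = 'dc2'
)

# Discover the forest's Configuration naming context via RootDSE instead of hard-coding it.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.configurationNamingContext.Value

# Each application partition has a crossRef under CN=Partitions whose nCName is the
# partition DN; msDS-NC-Replica-Locations holds the NTDS Settings DN of every replica.
$crossRefSearch = New-Object System.DirectoryServices.DirectorySearcher
$crossRefSearch.SearchRoot = [ADSI]"LDAP://CN=Partitions,$configNC"
$crossRefSearch.Filter     = "(&(objectClass=crossRef)(nCName=$PartitionDN))"
[void]$crossRefSearch.PropertiesToLoad.AddRange(@('dnsRoot', 'msDS-NC-Replica-Locations'))
$crossRef = $crossRefSearch.FindOne()

if ($null -eq $crossRef) {
    Write-Warning "No crossRef found for $PartitionDN; the partition does not exist in this forest."
    return
}

# Property names on a SearchResult are lower-cased.
$replicaDns = @($crossRef.Properties['msds-nc-replica-locations'])
Write-Host ("Replicas of {0}:" -f $crossRef.Properties['dnsroot'][0])
foreach ($dn in $replicaDns) { Write-Host "  $dn" }

# Locate the DC's server object under CN=Sites and derive its NTDS Settings DN.
$serverSearch = New-Object System.DirectoryServices.DirectorySearcher
$serverSearch.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNC"
$serverSearch.Filter     = "(&(objectClass=server)(cn=$DcName))"
[void]$serverSearch.PropertiesToLoad.Add('distinguishedName')
$server = $serverSearch.FindOne()

if ($null -eq $server) {
    Write-Warning "No server object named $DcName found under CN=Sites."
    return
}

$ntdsDn = "CN=NTDS Settings," + $server.Properties['distinguishedname'][0]

# DNs compare case-insensitively in AD, so normalise both sides before matching.
$enlisted = $replicaDns | Where-Object { $_.ToLower() -eq $ntdsDn.ToLower() }
if ($enlisted) {
    Write-Host "$DcName is enlisted in the replication scope of $PartitionDN."
} else {
    Write-Host "$DcName is NOT enlisted in $PartitionDN; DNS on it will keep logging 4513/4514 until it is added."
}
```

The script only reads; enlisting a DC (what "add nc replica" does) is a write to that same msDS-NC-Replica-Locations attribute on the crossRef, which lives in the forest's Configuration partition rather than in the child domain. An account that is only an administrator of the child domain has no write permission on that object by default, which is consistent with the INSUFF_ACCESS_RIGHTS error shown above.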