Missing and Inaccurate DomainDnsZones and ForestDnsZones in AD

I was doing a bit of an AD spring clean today and came across a few errors which had me stumped for a little while.

The short of the story is, when running DCDIAG, I was getting a couple of errors relating to DNS:

(Note: you can run DCDIAG from any server with the AD DS tools installed; just tell it which DC to test: ‘dcdiag /s:dcname’)

         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         This cross-ref has a non-standard dNSRoot attribute.
          Cross-ref DN:
         CN=be758fb4-2703-4b71-b69c-89c781e4a1d5,CN=Partitions,CN=Configuration,DC=my,DC=domain,DC=dom
          nCName attribute (Partition name):
         DC=DomainDnsZones,DC=my,DC=domain,DC=dom
          Bad dNSRoot attribute: veryold-dc.my.domain.dom
          Check with your network administrator to make sure this dNSRoot
         attribute is correct, and if not please change the attribute to the
         value below.
           dNSRoot should be: DomainDnsZones.my.domain.dom
            It appears this partition (DC=DomainDnsZones,DC=my,DC=domain,DC=dom)
            failed to get completely created.  This cross-ref
            (CN=be758fb4-2703-4b71-b69c-89c781e4a1d5,CN=Partitions,CN=Configuration,DC=my,DC=domain,DC=dom)
             is dead and should be removed from the directory.
         ......................... DomainDnsZones failed test CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         This cross-ref has a non-standard dNSRoot attribute.
          Cross-ref DN:
         CN=7a70a0e7-8815-49ed-9949-3bd4701b19a5,CN=Partitions,CN=Configuration,DC=my,DC=domain,DC=dom
          nCName attribute (Partition name):
         DC=ForestDnsZones,DC=my,DC=domain,DC=dom
          Bad dNSRoot attribute: veryold-dc.my.domain.dom
          Check with your network administrator to make sure this dNSRoot
         attribute is correct, and if not please change the attribute to the
         value below.
           dNSRoot should be: ForestDnsZones.my.domain.dom
            It appears this partition (DC=ForestDnsZones,DC=my,DC=domain,DC=dom)
            failed to get completely created.  This cross-ref
            (CN=7a70a0e7-8815-49ed-9949-3bd4701b19a5,CN=Partitions,CN=Configuration,DC=my,DC=domain,DC=dom)
             is dead and should be removed from the directory.
         ......................... ForestDnsZones failed test CrossRefValidation

The basic problem was that the crossRef objects for both the DomainDnsZones and ForestDnsZones application partitions were wrong: their dNSRoot attribute still pointed at a DC that had been retired long ago instead of at the partition’s own DNS name (DomainDnsZones.my.domain.dom and ForestDnsZones.my.domain.dom), which is why DCDIAG reported the partitions as never completely created and the cross-refs as dead. In the DNS console, right-clicking the server and choosing ‘Create Default Application Directory Partitions’ threw an error, and that in turn gave me all sorts of problems when I tried to create new zones.

Anyway, first things first: take a full system state backup of your DC, just in case. On Server 2008 you can use Windows Server Backup, although you will need to install that feature first.

There’s a neat article here on using Windows Backup.

With my backup done, it was time to fire up ADSI Edit, which ships with Server 2008. Connected to the Configuration naming context, under CN=Partitions,CN=Configuration,DC=my,DC=domain,DC=dom, the top two entries were the GUID-named crossRef objects from the DCDIAG output, and when I opened either of them the dNSRoot attribute held the same very old DC that the DCDIAG error had mentioned.

After quite a bit of reading, and with my fingers crossed, I deleted these two entries. Be careful to delete only the two GUID-named crossRefs whose nCName is DC=DomainDnsZones,DC=my,DC=domain,DC=dom and DC=ForestDnsZones,DC=my,DC=domain,DC=dom (the ones DCDIAG called dead); the other crossRefs in that container describe the domain, schema and configuration partitions and must be left alone.

With that done, I went back to ‘Create Default Application Directory Partitions’ in DNS and it worked first time. When I looked in ADSI Edit again (and hit F5), the two entries I had removed had been re-created, correctly this time.

And when I ran DCDIAG, the errors had vanished.
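As an added example (not code from the original post), here is the whole procedure as PowerShell: an audit that computes the dNSRoot each DNS partition crossRef should have, the same way DCDIAG’s CrossRefValidation does, and a repair function that performs the post’s steps in order (system state backup, delete the dead crossRefs, recreate the default application directory partitions, re-run DCDIAG). It assumes the ActiveDirectory module from RSAT (Server 2008 R2 or later) on PowerShell 3.0 or later, Enterprise Admins rights, and dcdiag and dnscmd on the path; dc01.my.domain.dom and the E: backup target are placeholders.

```powershell
# Added example, not code from the original post. Audits the DomainDnsZones /
# ForestDnsZones crossRef objects the way DCDIAG's CrossRefValidation does, and
# wraps the post's manual fix (backup, delete dead crossRefs, recreate default
# partitions, re-test) in a -WhatIf-capable function.
# Assumptions: ActiveDirectory module (RSAT, Server 2008 R2+), PowerShell 3.0+,
# Enterprise Admins rights, dcdiag and dnscmd on the path.
# 'dc01.my.domain.dom' and 'E:' are placeholders.
Import-Module ActiveDirectory

function Get-DnsPartitionCrossRef {
    param([Parameter(Mandatory=$true)][string]$Server)

    $rootDse    = Get-ADRootDSE -Server $Server
    $partitions = "CN=Partitions,$($rootDse.configurationNamingContext)"

    Get-ADObject -Server $Server -SearchBase $partitions -SearchScope OneLevel `
        -LDAPFilter '(objectClass=crossRef)' `
        -Properties nCName, dNSRoot, 'msDS-NC-Replica-Locations' |
      Where-Object { $_.nCName -like 'DC=DomainDnsZones,*' -or $_.nCName -like 'DC=ForestDnsZones,*' } |
      ForEach-Object {
        # The dNSRoot of an application partition should be the partition's own
        # DNS name: DC=DomainDnsZones,DC=my,DC=domain,DC=dom -> DomainDnsZones.my.domain.dom,
        # which is exactly the value DCDIAG prints after "dNSRoot should be:".
        $expected = (($_.nCName -split ',') -replace '^DC=', '') -join '.'
        $actual   = @($_.dNSRoot)     # dNSRoot is multi-valued

        [pscustomobject]@{
            CrossRef         = $_.DistinguishedName
            Partition        = $_.nCName
            dNSRoot          = $actual -join ';'
            ExpecteddNSRoot  = $expected
            Stale            = -not ($actual -contains $expected)
            # DCs that actually hold a replica. Zero means the partition was
            # never fully created, so removing the crossRef loses no zone data.
            ReplicaLocations = @($_.'msDS-NC-Replica-Locations').Count
        }
      }
}

function Repair-DeadDnsPartitionCrossRef {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$Server,
        [Parameter(Mandatory=$true)][string]$BackupTarget
    )

    $dead = Get-DnsPartitionCrossRef -Server $Server |
            Where-Object { $_.Stale -and $_.ReplicaLocations -eq 0 }
    if (-not $dead) { Write-Host 'No dead DNS partition crossRefs found.'; return }

    # 1. System state backup first, as the post insists (needs the Windows Server
    #    Backup feature installed). Abort if it fails.
    if ($PSCmdlet.ShouldProcess($Server, 'wbadmin start systemstatebackup')) {
        wbadmin start systemstatebackup "-backupTarget:$BackupTarget" -quiet
        if ($LASTEXITCODE -ne 0) { throw "System state backup failed ($LASTEXITCODE); not touching AD." }
    }

    # 2. Delete the dead crossRefs (the ADSI Edit step). crossRef changes are
    #    written on the Domain Naming Master, so target that DC explicitly.
    $dnm = (Get-ADForest -Server $Server).DomainNamingMaster
    foreach ($cr in $dead) {
        if ($PSCmdlet.ShouldProcess($cr.CrossRef, "Remove crossRef for $($cr.Partition)")) {
            Remove-ADObject -Server $dnm -Identity $cr.CrossRef -Confirm:$false
        }
    }

    # 3. Recreate the default application directory partitions; this is the DNS
    #    console's 'Create Default Application Directory Partitions' as a command.
    if ($PSCmdlet.ShouldProcess($Server, 'dnscmd /CreateBuiltinDirectoryPartitions /AllDomains')) {
        dnscmd $Server /CreateBuiltinDirectoryPartitions /AllDomains
    }

    # 4. Re-run the tests that failed and show the fresh crossRefs.
    dcdiag "/s:$Server" /test:CrossRefValidation
    Get-DnsPartitionCrossRef -Server $Server | Format-List
}

# Usage: audit first, then run the repair with -WhatIf before doing it for real.
$DcName = 'dc01.my.domain.dom'   # placeholder
Get-DnsPartitionCrossRef -Server $DcName | Format-List
Repair-DeadDnsPartitionCrossRef -Server $DcName -BackupTarget 'E:' -WhatIf
```

The repair function deliberately only touches crossRefs that are both stale and have no replica locations, which is the situation DCDIAG describes above (the partition “failed to get completely created”). If the audit shows a bad dNSRoot on a partition that does have replicas, the partition exists and holds zones, so the right fix is the one DCDIAG suggests, correcting the dNSRoot attribute to the expected value, not deleting the crossRef.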