Removing DNS does not automatically remove replication!


  • Removing DNS does not automatically remove replication!

    Just wanted to share with you in case you were wondering.
    As you all might know, in Windows 2003 there are two extra application partitions that are meant for DNS: DomainDNSZones and ForestDNSZones.
    The first replicates at the domain level and the other replicates at the forest level (all domains in the forest).
    The difference between the 2000 AD and the 2003 AD is that the DNS in 2000 was located in the domain data partition, meaning that every DC in the domain would be replicated with the DNS records
    regardless of whether it was a DNS service holder or not.
    In 2003, placing the DNS in either one of the partitions replicates
    the DNS records only to DCs that are running the DNS Server service. So much for the background.

    When we add the DNS server service to a DC this DC is automatically added to the replica members of the DNS partition, but uninstalling the DNS Server service doesn’t remove it from the replica members of the partition in question.

    To remove the member from the replica we must run the following commands:

    Ntdsutil

    Domain management

    Connections

    Connect to server fqdn.of.the.server.that.we.want.to.remove

    Quit

    Remove nc replica dc=forestdnszones,dc=domain(…)

    Remove nc replica dc=domaindnszones,dc=domain(…)

    To verify the deletion:

    List nc replicas dc=forestdnszones,dc=domain(…)

    List nc replicas dc=domaindnszones,dc=domain(…)

    Just wanted to share this with you guys.
    Last edited by Akila; 13th June 2008, 13:13.

  • #2
    Re: Removing DNS does not automatically Removes replication.!

    Interesting... I would expect the DomainDNSZones and ForestDNSZones partitions to be automatically removed upon removal of DNS service.

    Did you restart the DC or restart the Netlogon service after removing the DNS service?
    How long did you wait before manually removing the partitions from the replica set using ntdsutil?
    Was that DC also a site bridgehead? (The following could happen: the DC was bridgehead for the DNS app partitions and the KCC did not yet recalculate the topology, hence the partition deletion was deferred until the bridgehead was transferred to another DC holding the DNS partitions.)
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"

    • #3

      Originally posted by guyt
      Interesting... I would expect the DomainDNSZones and ForestDNSZones partitions to be automatically removed upon removal of DNS service.

      Did you restart the DC or restart the Netlogon service after removing the DNS service?
      How long did you wait before manually removing the partitions from the replica set using ntdsutil?
      Was that DC also a site bridgehead? (The following could happen: the DC was bridgehead for the DNS app partitions and the KCC did not yet recalculate the topology, hence the partition deletion was deferred until the bridgehead was transferred to another DC holding the DNS partitions.)

      I would expect the same, but it seems it doesn't work that way.
      Waiting is not the problem; the 2 DCs have not been DNS servers since 2005.
      After looking it up I found that a DC doesn't remove itself from the replication ring when you uninstall the DNS.
      A bridgehead is defined per partition; if the partition is gone then a new bridgehead should be assigned.

      • #4

        Do you have an official reference to this behavior?
        I think that the right thing to do for a DC in such a case is to remove its enlistment from the DNS app partitions.

        I do not have an environment handy right now, but I'd like to reproduce it in a test environment (any chance you have any?) and if this is indeed the case, I'll try to send some feedback to the relevant folks.
        I see those partitions as leftovers that should be gone after uninstalling the DNS service. If you still want the partitions for fine-tuning the replication routes, the enlistment should be explicit.
        Guy Teverovsky
        "Smith & Wesson - the original point and click interface"

        • #5

          Originally posted by guyt
          Do you have an official reference to this behavior?

          Yes I do. (SRZ080525000029 Pro/MOM 2007/Slow Replication on DomainDNSZone Partition.)
          This is the MS SA/Premier case I opened for the slow replication on my DNS partition. After I found that it did not remove the replication of the DNS partition even though the DC was no longer a DNS server, he confirmed what you and I can't understand, and he said that is how it is done.
          Meaning, adding DNS adds the DC automatically to the replication ring for the partition, but uninstalling DNS does not remove it automatically; you must manually remove the replication of this partition, because it is an application partition. An application partition in a way needs to be manually removed.
          I don't know why, but that is what I saw on my DCs that I removed the DNS from, and he confirmed it.
          So I guess this is how it is being done.
          Actually, the last part of my post, about the partition/replica removal, is his quote (Premier Support).

          BTW - to delete any DNS reference records of a DC you need to run the following command:
          nltest /dsderegdns:MyDC.Domain.com

          Originally posted by guyt
          Do not have an environment handy right now, but I'd like to reproduce it in a test environment (any chance you have any?)

          Sure, I've got more than one test lab of my production; what do you want me to test?
          Last edited by Akila; 13th June 2008, 13:28.

          • #6

            Originally posted by Akila
            Yes I do. (SRZ080525000029 Pro/MOM 2007/Slow Replication on DomainDNSZone Partition.)
            [SNIP]
            Sure, I've got more than one test lab of my production; what do you want me to test?

            If this is confirmed, no need to reproduce. So they are saying this is "by design"... I say: "bollocks! This should not be like this for DNS NCs". I'll try to see if I can get some feedback from the DEV guys - PSS folks will almost never admit that something should be fixed when the behavior is "by design", and sometimes the design is not 100% bulletproof.
            Guy Teverovsky
            "Smith & Wesson - the original point and click interface"

            • #7

              Originally posted by guyt
              If this is confirmed, no need to reproduce. So they are saying this is "by design"... I say: "bollocks!

              He never actually used the words "by design", but following his words you could assume it is "by design"; I agree with you.
              It is not really feasible why it works that way, but it does (at least that is how it works on my production system).
              I wonder if it is the same on Win2008 DC/DNS?
              Last edited by Akila; 13th June 2008, 14:36.

                • #8

                Well, I asked around and looks like this was a design decision.

                As far as I recollect, this is by design because removal of an NC as part of the service uninstall could be unintentionally destructive. Consider what would occur in the smaller deployments where the DNS service was removed at the same time (or thereabouts) from the only two DNS servers in the entire org -> everything gone and, though not technically difficult to recreate, I think we’d all agree that the last thing Microsoft needs to do is introduce a behavior that _increases_ the chances for DNS to cause problems. In larger orgs. the same is potentially true though much less likely.
                Of course this can be handled by checking whether there are other DCs enlisted for NC and doing the unenlistment only on Domain Naming Master, just like this is done during DC demotion, but they did not do it this way.

                Meanwhile you can use a script Dean Wells has just written for searching for DCs enlisted for DNS NCs that do not have DNS installed:
                ftp://falcon.msetechnology.com/scrip...Cbloat.cmd.txt

                You will need adfind.exe in the path (get from here: http://www.joeware.net/freetools/tools/adfind/index.htm)
                Guy Teverovsky
                "Smith & Wesson - the original point and click interface"
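
The audit discussed in this thread (find DCs still enlisted as replicas of the DNS application partitions although they no longer run DNS), as an added example that is not Dean Wells's script or any code from the thread. It is read-only and assumes the ActiveDirectory PowerShell module plus CIM/WinRM access to each DC; the state labels `NotInstalled` and `Unreachable` are names chosen for this example.

```powershell
# Added example (read-only audit): DNS application-partition replicas vs. DNS service state.
# Assumptions: ActiveDirectory module available, CIM/WinRM access to each DC.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext

# Each naming context has a crossRef object under CN=Partitions.
# nCName is DN-syntax (no wildcard matching in LDAP), so filter client-side.
$crossRefs = Get-ADObject -SearchBase "CN=Partitions,$configNC" -SearchScope OneLevel `
        -LDAPFilter '(objectClass=crossRef)' -Properties nCName, 'msDS-NC-Replica-Locations' |
    Where-Object { $_.nCName -match '^DC=(Domain|Forest)DnsZones,' }

$report = foreach ($cr in $crossRefs) {
    # msDS-NC-Replica-Locations holds the NTDS Settings DN of every enlisted DC.
    foreach ($ntdsDn in $cr.'msDS-NC-Replica-Locations') {
        # The parent of "CN=NTDS Settings,CN=<server>,..." is the server object.
        $serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''
        $dcName   = (Get-ADObject -Identity $serverDn -Properties dNSHostName).dNSHostName
        try {
            # "DNS" is the service name of the DNS Server service.
            $svc   = Get-CimInstance -ClassName Win32_Service -Filter "Name='DNS'" `
                        -ComputerName $dcName -ErrorAction Stop
            $state = if ($svc) { $svc.State } else { 'NotInstalled' }
        } catch {
            # Could not query the DC; verify by hand before drawing conclusions.
            $state = 'Unreachable'
        }
        [pscustomobject]@{ Partition = $cr.nCName; DC = $dcName; DnsService = $state }
    }
}

# Enlisted replicas whose DNS Server service is not running are the cleanup candidates.
$report | Where-Object { $_.DnsService -ne 'Running' } |
    Sort-Object Partition, DC | Format-Table -AutoSize
```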

                  • #9

                  thanks for the heads up
