Event ID 4515 – zone exists in more than 1 location in Active Directory

15 pts.
Tags:
Active Directory
Availability
DNS
Microsoft Windows
Networking
I posed a question a couple of weeks ago and had no response so I'm hoping I just worded it badly. I'm desperate to sort this out so I'm having another try.

The first error I got in my DNS log was Event ID 4515 "The zone contoso.com was previously loaded from the directory partition ForestDNSZones.contoso.com but another copy of the zone has been found in directory partition DomainDnsZones.contoso.com. The DNS server will ignore this new copy of the zone. Please resolve this conflict ASAP". I now get it the other way around too with Forest & DomainDNS zones reversed.

Apparently the way to correct this is to use adsiedit.msc to delete one of the zones but it says to confirm that a duplicate zone exists before doing this. So I went in and had a look using adsiedit.msc and sure enough there are records in both forest and domain DNS zones. But they don't look the same.

The Forest zone within DC=_msdcs.techset.local contains the following:- 

DC=@ DC=_kerberos._tcp.dc DC=_kerberos._tcp.Default-First-Site-Name._sites.dc DC=_ldap._tcp.48b60e56-...etc. DC=_ldap._tcp.dc DC=_ldap._tcp.Default-First-Site-Name._sites.dc DC=_ldap._tcp.Default-First-Site-Name._sites.gc DC=_ldap._tcp.gc DC=_ldap._tcp.pdc DC=10d556611-...etc. DC=677cc99c-...etc. DC=arwen (this is a new DC which has the same name as my old PDC) DC=c8721c1-... DC=gc DC=legolas (this is my PDC)


There is no mention of the other DC on the network.

Also within the Forest Zone in DC=254.168.192.in-addr.arpa are all the pointer records for the whole network.

In the Domain Zone under DC=techset.local there are:- 

DC=A DC=_gc._tcp DC=_gc._tcp.Default-First-Site-Name._sites DC=_kerberos._tcp DC=_kerberos._tcp.Default-First-Site-Name DC=_kerberos._udp DC=_dpasswd._tcp DC=_kpasswd._udp DC=_ldap._tcp DC=_ldap._tcp.Default-First-Site-Name._sites DC=_ldap._tcp.Default-First-Site-Name._sites.DomainDNSZones DC=_ldap._tcp.Default-First-Site-Name._sites.ForestDNSZones DC=_ldap._tcp.DomainDnsZones DC=_ldap._tcp.ForestDnsZones DC=_msdcs DC=DomainDnsZones DC=ForestDnsZones DC=Aragorn DC=arwen DC=Ben DC=Bilbo etc. (all records for all computers on network)


Sorry for so much typing but my question is this. Is it normal for the Forest zone to have so few records in it? I'm really asking which one I should get rid of. The forest zone is missing records for 1 of my DC's and doesn't have any DNS records apart from pointer records for the network. Is that normal? And the Domain Zone doesn't have any pointer records at all. Which one should I delete?

I'd really appreciate an answer if anyone knows!

Thanks.
Asked: Last updated:
Related Questions
1

Answer Wiki

Thanks. We'll let you know when a new response is added.

Since no one else has responded, I will take a crack at this. I would look at the logs and see which system complained first about the duplication. My guess would be to remove the copy this first message objected to. Naturally you shouldn’t try any of this without having a good backup of all of these DCs in case you have to restore the current state.
Playing with adsiedit is dangerous in any case so make sure you have a good back out plan. In kb 322692 they give a few hints about the pitfalls of backing out of a change in domain level. Sorry I don’t have a better suggestion for you.
rt

Discuss This Question: 3  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.
  • Sonyfreek
    EventID.net includes the information about ADSIEdit, but also talks about stopping DNS on all servers but one, removing the AD integration on it, clearing the logs, re-integrating them into AD and then restarting the other DNS servers. This seems like it would work because your DNS server sounds like it was upgraded from a previous Windows 2000 domain. In cases such as that, the DNS needs to be upgraded from a Win2k zone to the newer Windows 2003 DNS zones. It's worth checking out because it sounds like your problem is synchronizing the DNS in AD. http://www.eventid.net/display.asp?eventid=4515&eventno=3593&source=DNS&phase= Don
    0 pointsBadges:
    report
  • ITBird
    Thanks very much for your suggestions. I went with Sonyfreeks answer "...EventID.net includes the information about ADSIEdit, but also talks about stopping DNS on all servers but one, removing the AD integration on it, clearing the logs, re-integrating them into AD and then restarting the other DNS servers...." because it seemed less destructive than messing about with adsiedit. And it worked like a charm. Thank you!
    15 pointsBadges:
    report
  • Sonyfreek
    Sweet. I'm glad everything worked out for you.
    0 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.

Following

Share this item with your network: