Tuesday 28 October 2014

Domain Upgrade to Server 2012 R2: DNS Servers "The server with this IP address is not authoritative for the required zone." and "An unknown error occurred while validating the server." when Configuring Cross Forest Name Resolution

After a recent domain upgrade from Windows Server 2008 to Windows Server 2012 R2, a number of inconsistent DNS issues have started causing problems for users accessing resources in a remote domain. At present there are two domains (each the root domain of its own forest) in separate forests, with a two-way trust between them. For the trust to function correctly, each domain should host a secondary zone containing a copy of the trusted domain's Forward Lookup Zone.

This worked before the domain upgrade, but since then I have been receiving the error "The server with this IP address is not authoritative for the required zone." This is preventing the zone from being replicated to the secondary zone within the trusted domain.

A similar error occurs on the other domain when I try to configure a zone transfer; the error on that side is "An unknown error occurred while validating the server."

There was nothing obvious in the DNS Server event logs on either side, so I decided to run the DNS Best Practices Analyzer (BPA) from the Windows Server 2012 Server Manager. It raised a number of alarming errors, the first being "Error DNS: Zone _msdcs.domain.com is an Active Directory integrated DNS zone and must be available. The Active Directory integrated DNS zone _msdcs.domain.com was not found."

After some research I came across the following TechNet article http://technet.microsoft.com/en-us/library/ff807395(v=ws.10).aspx, although this was no good to me as I could not get a backup copy of the zone. I checked on the DNS server and I could see the _msdcs zone as a sub-folder underneath the domain's Forward Lookup Zone rather than as a zone of its own.

I then created a new Primary Zone on the Server 2012 R2 side.

As this was the only domain in the forest, I configured it to replicate "To all DNS servers running on domain controllers in this domain: domain.com".

I named the zone _msdcs.domain.com.

After a few minutes I reloaded the DNS zone and it was populated with all the required records.

The next stage was to delete the old zone folder, which sat under the domain's Forward Lookup Zone.
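The same re-creation of the _msdcs zone, done with the DnsServer PowerShell module rather than the DNS console, as an added example that is not part of the original post. It assumes the placeholder domain name `domain.com` used above, and adds two checks the console does not force on you: that the new zone has actually been repopulated with SRV records before the old sub-folder is removed, and that an export of the parent zone is taken first.

```powershell
# Added example (not from the original post): re-create the missing
# _msdcs zone on the 2012 R2 DC and verify it repopulates before removing
# the stale sub-folder. 'domain.com' is the post's placeholder domain.
Import-Module DnsServer

$Domain    = 'domain.com'
$MsdcsZone = "_msdcs.$Domain"

# 1. Create the AD-integrated primary zone. The post picks the
#    "all DNS servers running on domain controllers in this domain" scope,
#    which is -ReplicationScope Domain. Forest is the usual choice for the
#    forest root in a multi-domain forest; here the forest has one domain.
if (-not (Get-DnsServerZone -Name $MsdcsZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $MsdcsZone -ReplicationScope Domain -DynamicUpdate Secure
}

# 2. The DC locator records are registered by the Netlogon service. Instead of
#    waiting a few minutes for the next registration cycle, force one now.
nltest /dsregdns

# 3. Verify the zone is populated with SRV records (the BPA error was that
#    this zone did not exist at all). Stop here if it is still empty.
$srv = Get-DnsServerResourceRecord -ZoneName $MsdcsZone -RRType Srv -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No SRV records in $MsdcsZone yet; check Netlogon registration before continuing."
    return
}
$srv | Select-Object HostName, @{n = 'Target'; e = { $_.RecordData.DomainName }} | Format-Table -AutoSize

# 4. Only after the new zone is populated, remove the old _msdcs sub-folder
#    that lived inside domain.com. Export the parent zone first so the old
#    records can be inspected or restored if anything was missed.
Export-DnsServerZone -Name $Domain -FileName "$Domain.before-msdcs-cleanup.dns"
dnscmd /NodeDelete $Domain _msdcs /tree /f
```

The export lands in the DNS server's zone directory (`%SystemRoot%\System32\dns` by default). The `/tree` switch on `dnscmd /NodeDelete` removes the whole sub-folder, which is the GUI step described above; without it only the records at the `_msdcs` node itself are deleted.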

Now when I run the DNS BPA there are only two minor errors raised, both of which can be ignored at this stage.

Now when I try to configure Zone Transfers from both sides the remote servers resolve correctly.

As my new Domain Controllers had to host a secondary copy of the remote domain's DNS zone, I created a new Secondary zone on the new DC.

I named it the same as the remote domain’s FLZ.

It resolved correctly.
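The secondary-zone step and the zone transfer permission it depends on, scripted as an added example that is not part of the original post. Placeholders are `domain.com` for the local forest root (as in the post), `otherdomain.com` for the trusted remote forest root, `dc01` for a host in the remote domain, and documentation-range `192.0.2.x` addresses for the remote DNS servers; the same script, with the names swapped, is run on the other side of the trust.

```powershell
# Added example (not from the original post). Placeholders: 'domain.com' is
# the local forest root, 'otherdomain.com' the trusted remote forest root,
# 192.0.2.x are stand-in addresses for the remote domain's DNS servers.
Import-Module DnsServer

$LocalZone      = 'domain.com'
$RemoteZone     = 'otherdomain.com'
$RemoteDnsHosts = @('192.0.2.10', '192.0.2.11')   # remote domain's DNS servers
$RemoteMasters  = @('192.0.2.10')                 # the one(s) we pull the zone from

# 1. Let the remote domain's DNS servers pull a copy of our zone, but only
#    those servers. "Allow transfers to any server" would let any host on the
#    network dump the whole zone.
Set-DnsServerPrimaryZone -Name $LocalZone `
    -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $RemoteDnsHosts

# 2. Host a secondary copy of the remote zone, named exactly like the remote
#    domain's Forward Lookup Zone (the step in the post).
if (-not (Get-DnsServerZone -Name $RemoteZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerSecondaryZone -Name $RemoteZone `
        -ZoneFile "$RemoteZone.dns" `
        -MasterServers $RemoteMasters
}

# 3. Request a full transfer now rather than waiting for the refresh interval,
#    then confirm the zone holds data. A secondary zone that was created but
#    never transferred looks fine in the console and answers nothing.
Start-DnsServerZoneTransfer -Name $RemoteZone -FullTransfer
Start-Sleep -Seconds 10
$zone = Get-DnsServerZone -Name $RemoteZone
$soa  = Get-DnsServerResourceRecord -ZoneName $RemoteZone -RRType Soa -ErrorAction SilentlyContinue
if (-not $soa) {
    Write-Warning "$RemoteZone has no SOA record yet; the transfer has not completed."
    Write-Warning ("Confirm {0} is authoritative for {1} and lists this server as an allowed secondary." -f ($RemoteMasters -join ', '), $RemoteZone)
    return
}
"{0}: secondary zone loaded, serial {1}, masters {2}" -f $RemoteZone, $soa.RecordData.SerialNumber, ($zone.MasterServers -join ', ')

# 4. End-to-end check from a client's point of view: a name in the remote
#    domain resolved through this (local) DNS server.
Resolve-DnsName -Name "dc01.$RemoteZone" -Type A -Server 'localhost'
```

The warning branch in step 3 covers the two errors from the top of the post: "not authoritative for the required zone" means the master address given does not actually host the zone (which is what the missing `_msdcs` zone caused here), and a validation failure on the remote side usually means that server has not yet been added to the allowed secondaries in step 1.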

Now clients and devices in each domain can resolve resources in the other domain using their local DNS server.