DCDIAG CrossRefValidation test fails because of the dnsRoot value of ForestDnsZones

Question

A while ago I promoted our DNS server (running 2003) from being a member server to a domain controller so I could enable AD integrated DNS. Often, I am seeing error 9906 (Event ID 4512) pop up in the logs. The body of the message error is:

The DNS server was unable to create the built-in directory partition ForestDnsZones.sub.domain.com.The error was 9906.

Based on what I've read so far people seem to indicate that it is an issue with the server not being able to find the FSMO role holder. However, this doesn't seem to be the case with my scenario as all the domain controllers pass all the tests successfully. I haven't seen any glaring reasons for this but what I've been able to find out is an old value in the Application Partition using ADSIEdit.

Running dcdiag /test:crossrefvalidation, the results are:

  Starting test: CrossRefValidation

         This cross-ref has a non-standard dNSRoot attribute.

          Cross-ref DN:

         CN=0e4820e2-35e2-4fcf-bae9-789ca2003a6b,CN=Partitions,CN=Configuration,DC=sub,DC=domain,DC=com

          nCName attribute (Partition name):

         DC=ForestDnsZones,DC=sub,DC=domain,DC=com

          Bad dNSRoot attribute: xxxx.xxxxx.sub.domain.com

          Check with your network administrator to make sure this dNSRoot

         attribute is correct, and if not please change the attribute to the

         value below.

           dNSRoot should be: ForestDnsZones.sub.domain.com 
            It appears this partition

            (DC=ForestDnsZones,DC=sub,DC=domain,DC=com) failed to get

            completely created.  This cross-ref

            (CN=0e4820e2-35e2-4fcf-bae9-789ca2003a6b,CN=Partitions,CN=Configuration,DC=sub,DC=domain,DC=com)

             is dead and should be removed from the directory. 
         ......................... ForestDnsZones failed test

         CrossRefValidation

I suspect that the xxxxx.xxxxx.sub.domain.com is an entry from an old domain that one of the previous admins created.

I looked at this thread and looked at the Configuration Partition using ADSIEdit and indeed I can see that the dnsRoot value for partition DC=ForestDnsZones,DC=sub,DC=domain,DC=com is xxxxx.xxxxx.sub.domain.com.

This is strange because I don't see any reference to xxxx.xxxxx anywhere in the DNS console.

So the questions are:

Is it safe to change the dnsRoot value using ADSIEdit from xxxxx.xxxxx.sub.domain.com to ForestDnsZones.sub.domain.com?
If I can do that, will it be a problem that the old ID will be attached to the new value?
Is there a clean way I can go about removing any such old references and recreating the ForestDnsZones records?

score 1 · Answer 1 · answered Jul 19 '11 at 19:34

1

transfer role FSMO
try to create zones again

answered Jul 19 '11 at 19:34

Alexander Pavluchenko

458
3
12

score 1 · Accepted Answer · answered Aug 05 '11 at 05:53

The solution for me was to delete the two crossRef objects for the ForestDNSZones and DomainDNSZones using ADSIEdit under the Configuration partition. Then I restarted the Netlogon and the DNS server and they were recreated.

As far as modifying the dnsRoot value...that did not work. I could not replace the old value with the new one.

DCDIAG CrossRefValidation test fails because of the dnsRoot value of ForestDnsZones

2 Answers2