
We have been having issues with DNS and Active Directory on occasion, and as part of the investigation we have found a conflicting entry for our forest in the ForestDnsZones partition. This does not seem to be causing an obvious issue, in that our sites are working correctly, replication is happening throughout the forest and there are no errors in any event logs.

From what I can see on the item, it has a changed date from back in 2013, which makes me think that it would be safe to delete, but everything I have read suggests that it is a one-way process and you may need to restore back on each domain controller. I am probably being over-cautious, but I wanted to get some advice as to whether the removal would cause more problems than solutions and whether there is a procedure for performing this in a forest. The duplicate is of the root domain with the CNF and GUID after it, so I fear that deleting it is going to have an effect across the whole forest.

Our forest is at functional level 2003, while most domains are 2008 or 2008 R2, if that would have an effect.

1 Answer

Yes, you can delete them. The issue is best described here:

http://blogs.msmvps.com/acefekay/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones/

You probably want to make a backup of your DNS zone data first:

DNSCMD.exe dcName /ZoneExport zonename zonename.txt

E.g.:

DNSCMD.exe CONTOSODC1 /ZoneExport contoso.com contoso.com.txt
DNSCMD.exe CONTOSODC1 /ZoneExport _msdcs.contoso.com _msdcs.contoso.com.txt

That will create the backup .txt files in %systemroot%\system32\dns\

Greg Askew
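The procedure the answer describes (export the zones, then remove only the CNF-suffixed duplicate from the ForestDnsZones partition), put together as one PowerShell script. This is an added example and not code from the question or the answer above. It assumes the forest root domain is contoso.com and the DC you run against is CONTOSODC1 (both taken from the answer's own example and easily changed), and that the machine has dnscmd.exe plus the RSAT ActiveDirectory module. The CNF naming convention it searches for is the standard one: when two DCs create the same object before replicating, AD renames the losing copy to "<name>" followed by a newline and "CNF:<objectGUID>", and the LDAP escape for that newline is \0a.

```powershell
# Added example; assumes forest root contoso.com and DC CONTOSODC1 (change both).
# Run from an elevated PowerShell session on a machine with dnscmd.exe and RSAT.
Import-Module ActiveDirectory

$dc     = 'CONTOSODC1'
$forest = (Get-ADForest).RootDomain                         # e.g. contoso.com
$rootDN = (Get-ADDomain -Identity $forest).DistinguishedName # DC=contoso,DC=com
$fdzDN  = "DC=ForestDnsZones,$rootDN"

# 1. Back up the zones first; dnscmd writes the files to %systemroot%\system32\dns on $dc.
foreach ($zone in @($forest, "_msdcs.$forest")) {
    & dnscmd.exe $dc /ZoneExport $zone "$zone.txt"
    if ($LASTEXITCODE -ne 0) { throw "Zone export of $zone failed; not continuing." }
}

# 2. List conflict objects anywhere under the ForestDnsZones partition.
#    The live zone keeps its plain name; only the loser of the conflict carries "\nCNF:<guid>".
$cnf = Get-ADObject -Server $dc -SearchBase $fdzDN -SearchScope Subtree `
    -LDAPFilter '(name=*\0aCNF:*)' -Properties whenChanged

if (-not $cnf) { Write-Host "No CNF objects found under $fdzDN"; return }

$cnf | Select-Object Name, ObjectClass, whenChanged, DistinguishedName | Format-List

# 3. Remove the CNF copies. A conflicting dnsZone object is a container holding dnsNode
#    children, so -Recursive is required. -WhatIf only reports; drop it once the list
#    above shows exactly the stale duplicate(s) you intend to delete. The deletion
#    replicates to every DC that hosts the partition, which is why the backup comes first.
foreach ($obj in $cnf) {
    if ($obj.Name -notmatch "`nCNF:") { continue }   # never touch a non-CNF (live) object
    Remove-ADObject -Server $dc -Identity $obj.DistinguishedName -Recursive -Confirm:$false -WhatIf
}
```

The filter is deliberately narrow: it matches only names containing the literal newline-plus-CNF marker, and the loop re-checks that marker before calling Remove-ADObject, so the zone object the DNS service is actually using can never be selected even if the LDAP filter is edited carelessly. Check the whenChanged value in the listing against what you expect (the question mentions 2013) before removing -WhatIf.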