Fixing Corrupt DNS Zones

Disclaimer: By following this article you accept all responsibility for any damage caused. Ensure you take all appropriate measures to protect yourself, and your infrastructure in case of a disaster.

Background Reading:

The Scenario:

You have an Active Directory forest and all your DNS and AD servers are running Windows Server 2003. The Forest contains a root domain and multiple child domains. The DNS Zone replication scope for the root level domain is currently set to All domain controllers in the Active Directory domain. You attempt to change the replication scope to All DNS servers in the Active Directory Forest or All DNS Servers in the Active Directory domain and you receive the following error message:

The name limit for the local computer network adapter card was exceeded.

This message indicates that the zone already exists in the destination partition. To verify this, check each of the three partitions as follows:

ForestDNSZones Partition:

  1. Click Start, click Run, type adsiedit.msc, click OK.
  2. In the console tree right-click ADSI Edit, click Connect to.
  3. Click Select or type a Distinguished Name or Naming Context, and enter the partition location and click OK: DC=ForestDNSZones, DC=networkfoo, DC=org.
  4. In the console tree, double-click DC=ForestDNSZones, DC=networkfoo, DC=org.
  5. Double-click CN=MicrosoftDNS

DomainDNSZones Partition:

  1. Click Start, click Run, type adsiedit.msc, click OK.
  2. In the console tree right-click ADSI Edit, click Connect to.
  3. Click Select or type a Distinguished Name or Naming Context, and enter the partition location and click OK: DC=DomainDNSZones, DC=networkfoo, DC=org.
  4. In the console tree, double-click DC=DomainDNSZones, DC=networkfoo, DC=org.
  5. Double-click CN=MicrosoftDNS

DomainNC Partition:

  1. Click Start, click Run, type adsiedit.msc, click OK.
  2. In the console tree, double-click Domain NC [servername.networkfoo.org].
  3. If Domain NC is not already listed:
    1. In the console tree right-click ADSI Edit, click Connect to.
    2. Click Select or type a Distinguished Name or Naming Context, and enter DC=networkfoo, DC=org.
  4. In the console tree, double-click DC=networkfoo, DC=org and double-click CN=System.
  5. Double-click CN=MicrosoftDNS.

Under each partition's MicrosoftDNS folder, look for duplicate copies of your zone in the DomainDNSZones and ForestDNSZones partitions. If there are any folders named InProgress.....GUID, delete them. Each failed attempt to change the zone's replication scope leaves one of these behind; they are corrupt, partially created copies of the zone.
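The same check, done with a read-only LDAP search instead of clicking through ADSI Edit. This is an added example, not part of the original article; it assumes the article's forest name networkfoo.org and matches leftover objects on the substring "InProgress" as the article describes them. It deletes nothing.

```powershell
# Added example: list dnsZone objects under CN=MicrosoftDNS in all three
# partitions, flag a zone present in more than one, and flag InProgress leftovers.
param(
    [string]$ForestDn = "DC=networkfoo,DC=org",   # assumption: the article's example forest
    [string]$Zone     = "networkfoo.org"          # assumption: zone being investigated
)

$partitions = @{
    "ForestDNSZones" = "CN=MicrosoftDNS,DC=ForestDNSZones,$ForestDn"
    "DomainDNSZones" = "CN=MicrosoftDNS,DC=DomainDNSZones,$ForestDn"
    "DomainNC"       = "CN=MicrosoftDNS,CN=System,$ForestDn"
}

$found = @{}   # zone name -> list of partitions that contain a copy
foreach ($name in $partitions.Keys) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]("LDAP://" + $partitions[$name])
    $searcher.Filter      = "(objectClass=dnsZone)"
    $searcher.SearchScope = "OneLevel"
    [void]$searcher.PropertiesToLoad.Add("dc")   # a dnsZone's RDN is DC=<zone name>
    try   { $results = $searcher.FindAll() }
    catch { Write-Warning "Cannot read $name ($($partitions[$name])): $_"; continue }
    foreach ($r in $results) {
        $dc = [string]$r.Properties["dc"][0]
        if (-not $found.ContainsKey($dc)) { $found[$dc] = @() }
        $found[$dc] += $name
        # Objects left behind by failed replication-scope changes (the article's
        # "InProgress.....GUID" folders) are reported so they can be reviewed.
        if ($dc -like "*InProgress*") { Write-Output "LEFTOVER  $name : $dc" }
    }
}

# A zone living in more than one partition is exactly the condition that produces
# the "name limit ... exceeded" error when the replication scope is changed.
if ($found.ContainsKey($Zone)) {
    $where = $found[$Zone] -join ", "
    if ($found[$Zone].Count -gt 1) { Write-Output "DUPLICATE $Zone in: $where" }
    else                           { Write-Output "OK        $Zone only in: $where" }
} else {
    Write-Output "MISSING   $Zone not found in any partition"
}
```

Run it from a domain-joined machine with rights to read the application partitions; the search roots fail with a warning on a forest where a partition does not exist.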

To fix this problem I use the following method:

  1. Create a non-domain member Windows Server 2003 DNS server.
  2. Create a networkfoo.local non-AD-integrated secondary zone.
  3. Replicate the zone from a working DNS server.
  4. Change the zone to a Primary Zone and disconnect the server from the network.
  5. Back up the zone files from C:\Windows\System32\dns\ on the non-domain-member server you created above.
  6. Based on the results identified when locating the duplicate copies of the zones in ADSI Edit, delete any copies from ForestDNSZones and DomainDNSZones, including any InProgress...GUID folders.
  7. On one of your primary DNS servers, change the zone to a primary non-AD-integrated zone. This erases the zone from the application partitions.
  8. At this point, either allow time for the changes to replicate to all your domain controllers and DNS servers, or force replication using Active Directory Sites and Services.
  9. Verify that replication has occurred using the example commands below.
  10. Verify that no copies of your zone exist in the ForestDNSZones, DomainDNSZones and DomainNC partitions. If any remain, delete them and wait for replication.
  11. On the primary DNS Server:
    1. Recreate the zone as a primary non-AD-integrated zone.
    2. Stop the DNS Server Service.
    3. Copy the zone files from step 4 to C:\Windows\System32\dns\.
    4. Start the DNS Server Service.
    5. Verify that the zone has been populated with the contents of the zone file.
    6. Change the zone to AD-integrated, and then modify the replication scope to All DNS Servers in the Active Directory Forest.
  12. This is the key point: do not change the replication scope again on any of the other servers. Instead, go to each server and restart the DNS Server service.
  13. The other servers will pull the zone information from Active Directory and update themselves automatically.

Verifying and Troubleshooting AD Replication:

Example commands used to verify and troubleshoot AD replication:

  • repadmin /showvector /latency DC=ForestDNSZones, DC=networkfoo, DC=org
  • repadmin /showvector /latency DC=DomainDNSZones, DC=networkfoo, DC=org
  • repadmin /showvector /latency CN=Schema, CN=Configuration, DC=networkfoo, DC=org
  • repadmin /showvector /latency CN=Configuration, DC=networkfoo, DC=org
  • repadmin /showvector /latency DC=networkfoo, DC=org
  • repadmin /showrepl
  • dcdiag /test:replications /v
  • dcdiag /test:netlogons
  • dcdiag /n:networkfoo.org /a
  • netdiag

The following links can be used to verify and troubleshoot GPO replication and FRS issues:

Incorrect or out-of-sync clocks on the domain controllers can also cause replication issues; the following guide is helpful for setting them up correctly: http://www.windowsnetworking.com/articles_tutorials/Configuring-Windows-Time-Service.html
