Most of the time, DNS tends to be a very reliable service. So reliable in fact, that it's easy to forget just how critical it really is. Not only is the DNS service necessary for browsing the Internet, but the Active Directory is also completely dependent on it. That being the case, it makes sense to occasionally do some monitoring to make sure the data is being replicated correctly between your DNS servers and the Active Directory. In this article, I will show you how to use the Replication Monitor tool to verify that DNS related replication is functioning correctly.
Installing the Replication Monitor
Although the Replication Monitor is included with Windows, it is not installed by default. The Replication Monitor is a part of the Windows Support Tools. To install the Windows Support Tools, insert your Windows Server 2003 installation CD, and navigate to the CD's \SUPPORT\TOOLS folder. Next, double-click on the SUPPTOOLS.MSI file. When you do, Windows will launch the Windows Support Tools Setup Wizard. Before I walk you through the installation process, I need to mention that the Replication Monitor is not included with the x64 version of Windows Server 2003.
When the wizard starts, click Next to bypass the wizard's welcome screen. At this point, you will see the Windows Support Tools end user license agreement. Accept the license agreement and click Next. The wizard will now prompt you to enter your name and the name of your organization. After doing so, you must verify the installation path. By default the Windows Support Tools will be installed to the C:\Program Files\Support Tools\ folder. Click the Install Now button and the necessary files will be copied. When the file copy process completes, click the Finish button to complete the installation process.
Working with the Replication Monitor
Now that the Replication Monitor is installed, you can launch it by entering the REPLMON command at the Run prompt. When the Replication Monitor starts, you'll be looking at an empty console. The first thing that you will have to do is to select the server that you want to monitor. To do so, right-click on the Monitored Server object in the console window and select the Add Monitored Server command from the resulting shortcut menu. Doing so will launch the Add Server to Monitor Wizard.
The first screen you'll see asks you if you want to specify the server explicitly by name, or if you would prefer to search the directory for the server to add. I'm assuming that you probably know the names of the servers on your network, so choose the Add the Server Explicitly by Name option and click Next to continue.
At this point, you will be prompted to enter the name of the server that you want to monitor. Enter your DNS server's fully qualified domain name, and click the Finish button. The console will now be populated with the information from the server that you selected including five different Active Directory partitions.
The Replication Monitor is actually an Active Directory monitoring tool, not a DNS server monitoring tool. When you select the server to monitor, the Replication Monitor displays the Active Directory partitions that are installed on that server. Assuming that the server that you are monitoring is both a domain controller and a DNS server though, there should be five different partitions that are displayed. In the sections below, I will explain what these five partitions are and what they do. For demonstration purposes, I will assume that the server being monitored is a domain controller for the Contoso domain and that the server also functions as a DNS server which contains an Active Directory integrated zone for the Contoso domain.
The first partition on the list should be the DC=contoso,DC=com partition. This is the domain partition for the Contoso domain. The domain partition typically contains Active Directory objects, such as users and computers. Each domain controller within the domain contains a replica of the domain partition.
The domain partition has another use as well. DNS information is stored in the domain partition for backward compatibility with Windows 2000 Servers.
The CN=Configuration,DC=contoso,DC=com partition is the configuration partition for the Contoso domain. The configuration partition is used to store configuration information for the Active Directory. The configuration partition is a forest level partition. Every domain controller in the entire forest contains a replica of the configuration partition. An example of the type of information that would be stored in the configuration partition is the replication topology for the forest. Although the configuration partition is displayed in the Replication Monitor, it really does not have anything to do with the DNS services. The configuration partition contains no DNS zone data.
The CN=Schema,DC=contoso,DC=com partition is the schema partition for the forest. Once again, this is a forest level partition. Every domain controller in the entire forest contains a replica of this partition. The schema partition defines the types of objects that can exist in the Active Directory. It also defines what the valid attributes of those objects are. Like the configuration partition though, the schema partition does not contain any DNS zone data.
The DC=DomainDnsZones,DC=contoso,DC=com partition is a type of application directory partition. The Domain DNS Zones partition is a domain level partition. The interesting thing about the partition though is that it is not replicated to all of the domain controllers within a domain. Instead, only domain controllers that also function as DNS servers receive a replica of this partition. Because this is a domain level partition, it only contains DNS zone data associated with DNS servers within that particular domain. The partition is not replicated across the forest.
Like the Domain DNS Zones partition, the DC=ForestDnsZones,DC=contoso,DC=com partition is also an application directory partition. Like the Domain DNS Zones partition, this partition contains DNS zone information. The difference is that this is a forest level partition. Therefore it contains zone information related to all of the DNS servers across the forest. Although this is a forest level partition, it does not get replicated to every domain controller in the forest. Instead, it is only replicated to Windows Server 2003 domain controllers that also function as DNS servers.
Which zones are being used
Now that I have explained what the various partitions are used for, it should be fairly easy to figure out which partitions contain Active Directory integrated DNS zone information. If you need a little help figuring out which partition zone data is stored in, then you can get a hint through the DNS console.
To do so, open the DNS console by choosing the DNS command from the Administrative Tools menu. When the console opens, navigate through the console tree to the DNS zone in question. Now, right-click on the zone and choose the Properties command from the resulting shortcut menu. When you do, you'll see the zone's properties sheet.
If you look at the properties sheet's General tab, you should see that the zone type is set to Active Directory Integrated. Just below the zone type is a Replication field. As you can see in Figure A, this field does not give you the name of the Active Directory partition that the zone data is stored in. What it does give you is a plain English description of where the zone data is being replicated to.
|The zone's properties sheet does not list the actual Active Directory partition that the zone data is being replicated to.|
For example, if you look at Figure A, you'll see that the zone data is being replicated to all DNS servers in the Active Directory domain. If you take this information and cross reference it with what I told you about the various partitions, then it's easy to see that in this particular case the zone data is being stored in the Domain DNS Zones partition.
Monitoring DNS replication
Our goal from the beginning has been to determine if DNS zone information is being replicated correctly between the Active Directory and the DNS server itself. Now that we know which Active Directory partition DNS zone data is being stored in, we can move forward with figuring out whether or not replication is functioning correctly.
Probably the most effective way of determining whether or not DNS zone information is being replicated correctly, is to use the Replication Monitor to search for replication errors. To do so, choose the Domain | Search Domain Controllers for Replication Errors commands from the Replication Monitor's Action menu. When you do, you will see the Search Domain Controllers for Replication Failures dialog box, shown in Figure B.
|The Search Domain Controllers for Replication Failures dialog box allows you to search for DNS related replication errors.|
As you can see in the figure, this dialog box is pretty simple. There are really only two check boxes that you have to worry about. The Hide Retired Partners check box is selected by default. Normally there is no reason to search for replication failures on replication partners that have been retired.
The other check box allows you to use an alternate set of credentials. Whether or not you need to specify a different set of credentials really just depends on how you are logged in. As long as you have administrative permissions over the servers that you are checking, you should be OK.
Click the Run Search button and you will be prompted to enter the DNS domain name for which to search for replication failures. Keep in mind that this prompt is asking you to enter a fully qualified domain name for the domain that you are testing. It is not asking you to enter the name of a DNS server.
Click OK and the search for replication errors will begin. With any luck, the Search Domain Controllers for Replication Failures dialog box will look the same after the search completes as it does in Figure B.
Hopefully your search for replication errors did not turn anything up. If you did find any replication errors though, the first thing that you probably want to do is to try to force replication. To do so, right-click on the Active Directory partition that contains the DNS zone information and select the Synchronize This Directory Partition with All Servers command from the resulting shortcut menu. When you do, you'll see the Synchronizing Naming Context with Replication Partners dialog box, shown in Figure C.
|The Synchronizing Naming Context with Replication Partners dialog box can be used to force Active Directory replication.|
As you can see in the figure, this dialog box contains three different options. By default, none of these options are selected, but they are there if you need them.
The first check box disables transitive replication. If you select this check box, then replication will only occur between the selected server and adjacent servers.
The second check box enables push mode. Normally when changes are made to an Active Directory partition, the domain controller to which the changes were made notifies the other domain controllers of the change, and then those domain controllers download the changes from the domain controller containing the updates. This is known as pull replication. Push mode kind of does the opposite. If you enable push mode, the domain controller containing the changes will actually push the changed data out to the other domain controllers using transitive replication.
The last option on the list is the Across Site Boundaries option. Normally, when Active Directory replication occurs, only the domain controllers in the same site as the domain controller containing the changes initially receive the updates. If there are other sites on the network, then a bridgehead server will periodically send updates to a bridgehead server in the other sites. The remote bridgehead server is then responsible for replicating the changes to remote domain controllers. If you enable the Across Site Boundaries option, then replication will occur with all domain controllers regardless of which site they are in.
The DNSCMD utility
The Replication Monitor is primarily used to help you spot replication errors, and to force replication when necessary. If you need more advanced troubleshooting capabilities, I recommend checking out the DNSCMD utility. The DNSCMD utility is a command line tool that is specifically designed for interacting with your DNS servers. The tool itself is fairly involved, and space limitations prevent me from showing you all that the tool has to offer. Even so, I want to give you at least a sample of what the DNSCMD tool can do.
As you may recall, one of the first steps that we took earlier in the article was to figure out which Active Directory partition DNS zone data was being stored in. The DNSCMD utility is also capable of retrieving this information. To get this information, you would enter the DNSCMD command followed by the DNS server's IP address, the /ZONEINFO switch and the domain name. For example, if you wanted to get the zone information for the Contoso domain, the command would look something like this:
DNSCMD <DNS server IP address> /ZONEINFO contoso.com
If you look at Figure D, you'll see that the ZONE DN portion of the results shows which Active Directory partition zone data is stored in. As I said though, this is an extremely powerful tool, and I highly recommend taking a look at it.
|The DNSCMD utility can retrieve the same types of DNS zone information as the Replication Monitor can.|
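The following is an added example, not part of the original article: it reads the ZONE DN field out of DNSCMD /ZONEINFO output and maps the zone DN back to the partition and the plain-English replication scope described above, so you can check the storage location of every zone without opening the properties sheet for each one. The sample output is constructed, and the exact column layout of the real tool's output is an assumption; only the "DS integrated" and "zone DN" fields are relied on.

```python
import re

# Constructed sample of "DNSCMD <server> /ZONEINFO contoso.com" output (not captured
# from a real server); only the fields read below are assumed to match the real layout.
SAMPLE_ZONEINFO = """Zone query result:

Zone info:
        zone name            = contoso.com
        zone type            = 1
        DS integrated        = 1
        directory partition  = AD-Domain    flags 00000015
        zone DN              = DC=contoso.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=contoso,DC=com
Command completed successfully.
"""

# Plain-English replication scope for each container a zone DN can sit under,
# matching the partition descriptions earlier in the article.
SCOPES = {
    "domaindnszones": "all DNS servers in the Active Directory domain",
    "forestdnszones": "all DNS servers in the Active Directory forest",
    "system": "all domain controllers in the Active Directory domain (Windows 2000 compatible)",
}

def parse_zoneinfo(text):
    """Collect the 'key = value' lines of /ZONEINFO output into a dict (keys lower-cased)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w ]+?)\s*=\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields

def partition_for_zone_dn(dn):
    """Return (partition DN, replication scope) for an AD-integrated zone DN.

    A zone DN looks like '<zone>,CN=MicrosoftDNS,<container>,<domain DN>': the
    container after MicrosoftDNS tells you which partition holds the zone data.
    """
    parts = [p.strip() for p in dn.split(",")]
    try:
        idx = next(i for i, p in enumerate(parts) if p.lower() == "cn=microsoftdns")
    except StopIteration:
        raise ValueError("not a MicrosoftDNS zone DN: " + dn)
    name = parts[idx + 1].partition("=")[2].lower()
    if name not in SCOPES:
        raise ValueError("unknown zone container: " + parts[idx + 1])
    # DomainDnsZones/ForestDnsZones are application partitions in their own right;
    # CN=System is just a container inside the domain partition.
    start = idx + 1 if name.endswith("dnszones") else idx + 2
    return ",".join(parts[start:]), SCOPES[name]

def zone_storage(text):
    """Parse /ZONEINFO output; None for a zone that is not Active Directory integrated."""
    fields = parse_zoneinfo(text)
    if fields.get("ds integrated") != "1":
        return None
    return partition_for_zone_dn(fields["zone dn"])
```

Run DNSCMD against each DNS server in turn and compare the returned partition: a zone that shows up in CN=System on one server and in DomainDnsZones on another is replicating through different partitions and is worth a closer look in the Replication Monitor.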