Found it! In the parent DNS, go to the zone for the child domain. Right click, properties. On the "Name Servers" tab that comes up, one of the servers had an asterisk (*) next to its name, indicating that the IP was resolved via DNS, and *not* entered statically here.

To fix: http://www.experts-exchange.com/Software/Server_Software/Active_Directory/Q_24428898.html

Basically, delete that entry, and re-add, making sure to type in the IP (not resolve). Once I did that (and for good measure, I did it on the DNS of every DC in the parent), all those DNS errors - POOF! - went away ...

So the glue A record in the error message referred to this record, which is - apparently - different than the glue A record that dnslint looks for ...

In any event, I am good to go ...

On Mon, May 18, 2015 at 9:42 AM, Michael Leone <[email protected]> wrote:
> Here's a weird one. I have a parent-child domain structure. Parent has
> 3 DCs (all Win 2008 R2); child has 6 DCs (all Win2008 R2). Now we are
> updating the AD to Win2012 R2.
>
> Last week I added 3 Win2012 R2 DCs to the parent domain; went fine. No
> replication errors; no dcdiag errors. So now I have 3 Win2008 R2 DCs,
> and 3 Win2012 R2 DCs (eventually we will retire the 2008 DCs, and
> upgrade the FFL/DFL to Win 2012 R2).
>
> This weekend I added 3 Win2012 R2 DCs to the child domain, planning on
> doing the same. And now I am seeing errors in dcdiag, in the parent
> domain.
>
> From the parent domain, I run "dcdiag /c /e /v". On the Win 2008
> R2 DCs in the parent, 1 of the child Win 2012 R2 DCs just does not
> show up in the DNS delegation list; it's just not there (in the DNS
> tests; it does show in all the other tests). On the 3 Win2012 R2 DCs
> in the parent, they all show "IP:<unavailable> [missing glue A
> record]".
>
> At least they are listing that child DC as a DNS server in the
> delegated child domain; the Win2008 R2 DCs don't even show it at all.
>
> More weirdness: a "dnslint /ad" shows me glue records for that
> (partially) missing DC (aka CHILD-DC4).
>
> The other dcdiag tests (advertising, CheckSecurityError, etc) - they
> all show CHILD-DC4, and all other tests pass. It's just that DNS test
> that is failing.
>
> So: how can the 3 old DCs not even know there is a missing server in
> those DNS tests? And how can the new servers know that there should be
> a record for it, but not find it, if dnslint *does* find it?
>
> No replication errors (using "repadmin /showrepl" and "repadmin
> /replsummary"); CHILD-DC4 shows up in the replication on all parent
> DCs, old and new.
>
> CHILD-DC4 does show up as an NS record in the child domain entry on
> the parent DCs (old and new); and does show up in the properties of
> the child domain as a name server.
>
> I'm sort of stumped. Thoughts?
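
The two symptoms described in this thread (a child name server absent from some parent DCs' delegation list, and flagged as missing its glue A record on others) can be compared per parent DC from saved dcdiag output. This is an added example, not part of the original messages; the `DNS server: ... IP:...` line layout is an assumption modelled on the error quoted above, and the host names and addresses are constructed placeholders.

```python
import re

# Assumed line shape, modelled on the error text quoted in the thread.
LINE = re.compile(r"DNS server:\s*(\S+?)\.?\s+IP:\s*(<unavailable>|\S+)", re.I)

# Constructed sample: delegation lines as seen from two parent DCs.
SAMPLE = {
    "PARENT-OLD1": (
        "DNS server: child-dc1.child.example.test. IP:192.0.2.11 [Valid]\n"
    ),
    "PARENT-NEW1": (
        "DNS server: child-dc1.child.example.test. IP:192.0.2.11 [Valid]\n"
        "DNS server: child-dc4.child.example.test. IP:<Unavailable> "
        "[Missing glue A record]\n"
    ),
}

def parse_delegation(text):
    """Map each delegated name server to its glue IP (None if unavailable)."""
    servers = {}
    for m in LINE.finditer(text):
        host, ip = m.group(1).lower(), m.group(2)
        servers[host] = None if ip.lower() == "<unavailable>" else ip
    return servers

def compare_views(reports):
    """Return (missing_glue, not_listed): name server -> parent DCs affected."""
    views = {dc: parse_delegation(text) for dc, text in reports.items()}
    all_servers = set().union(*views.values())
    missing_glue, not_listed = {}, {}
    for ns in sorted(all_servers):
        for dc, view in views.items():
            if ns not in view:
                # This parent DC does not list the name server at all.
                not_listed.setdefault(ns, []).append(dc)
            elif view[ns] is None:
                # Listed in the delegation, but no static glue A record.
                missing_glue.setdefault(ns, []).append(dc)
    return missing_glue, not_listed

if __name__ == "__main__":
    glue, absent = compare_views(SAMPLE)
    for ns, dcs in glue.items():
        print(f"{ns}: missing glue A record on {', '.join(dcs)}")
    for ns, dcs in absent.items():
        print(f"{ns}: not in delegation list on {', '.join(dcs)}")
```
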
