Hello all, Eric here again. Just recently I was at a customer site in Japan for a few weeks and they had a number of interesting issues, so while I have some time here in the Naha airport, I thought I’d write about a couple of them.

One issue that we encountered across a number of their domains was that we couldn’t create zones in the DomainDNSZones partition (“All DNS servers in this domain” option). It wasn’t due to permissions; unfortunately I didn’t write down the exact error syntax that was returned, but I’m pretty sure it said “unable to create zone” – “server unavailable” or “server failure”. During further investigation, when trying to manually connect to the DomainDNSZones partition for that particular domain using ADSIEdit, it would fail no matter which DC in that domain you tried to connect to, and give the following error: “A referral was returned from this server”. The key word here is “referral”. Anyhow, the next thing I looked at was to see if there were even any DCs enlisted into the partition. You can do that by running DNSCMD /enumdirectorypartitions, or by checking the msDS-NC-Replica-Locations attribute of the CrossRef object (under CN=Partitions,CN=Configuration,DC=Domain,DC=Com) for the DomainDNSZones partition.

In checking, there were in fact DCs that were part of the replica set, but it still wasn’t working. Fortunately you can re-create that partition. Before deleting it however, you still want to check to see if any of the DCs have any zones in that partition. To do that just do a quick DNSCMD /enumzones and look for anything that says AD-Domain. If you had zones in there, you would need to move them to another partition before recreating the application partition. In our case, there were no zones there so I could proceed to fix the issue.
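As an added example (not part of the original post), here is a PowerShell pre-flight check that does both of the lookups described above in one pass: it reads msDS-NC-Replica-Locations from the partition’s CrossRef, resolves each enlisted DC, and runs DNSCMD /enumzones on each one looking for AD-Domain zones that would be lost if the partition were deleted. The domain DN and server name are placeholders to adjust for your environment.

```powershell
# Added example, not from the original post. Pre-flight check before deleting the
# DomainDNSZones crossRef. $DomainDN and $Server are assumed placeholders.
param(
    [string]$DomainDN = 'DC=Domain,DC=Com',   # domain whose DomainDNSZones partition is broken
    [string]$Server   = 'ERICSDC01'           # any reachable DC in that domain
)

$partitionDN = "DC=DomainDNSZones,$DomainDN"
$rootDse     = [ADSI]"LDAP://$Server/RootDSE"
$configNC    = $rootDse.configurationNamingContext

# 1. Locate the crossRef for the partition and read msDS-NC-Replica-Locations
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$Server/CN=Partitions,$configNC"
$searcher.Filter     = "(&(objectClass=crossRef)(nCName=$partitionDN))"
$searcher.PropertiesToLoad.AddRange(@('nCName', 'msDS-NC-Replica-Locations', 'dnsRoot'))
$crossRef = $searcher.FindOne()
if (-not $crossRef) { Write-Warning "No crossRef found for $partitionDN"; return }

$replicas = @($crossRef.Properties['msds-nc-replica-locations'])
Write-Host "Replica locations for $partitionDN :"
$replicas | ForEach-Object { Write-Host "  $_" }

# 2. Each replica value is an NTDS Settings DN; its parent server object holds dNSHostName
$dcs = foreach ($ntdsDN in $replicas) {
    $serverObj = ([ADSI]"LDAP://$Server/$ntdsDN").Parent
    [string]$serverObj.dNSHostName
}

# 3. Ask every enlisted DC for its zones and keep those stored as AD-Domain
$zonesFound = @()
foreach ($dc in $dcs) {
    $lines = dnscmd $dc /enumzones 2>&1
    $zonesFound += $lines | Where-Object { $_ -match '\sAD-Domain\s' } |
                   ForEach-Object { "$dc : $($_.Trim())" }
}

if ($zonesFound) {
    Write-Warning "Zones exist in $partitionDN; move them to another partition before deleting it:"
    $zonesFound | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host "No AD-Domain zones on the enlisted DCs; the crossRef can be deleted and DNS restarted."
}
```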

There are a couple of ways to fix the issue, but they essentially do the same thing. Here are the steps that you can use to remove and re-create the application partition(s):

Note: When completing these steps, understand that you are deleting the whole application partition and all DNS Zones that reside inside of it!

Using NTDSUtil:

  1. Open the CMD prompt
  2. NTDSUtil
  3. Domain Management (In 2008 it changes to “partition management”)
  4. Connections => connect to server ERICSDC01
  5. Quit
  6. List <— to see zones
  7. Delete NC DC=DomainDNSZones,DC=Domain,DC=Com (This deletes the CrossRef object)
  8. Force replication, validate that the partition is gone.
  9. Restart DNS, the service will re-add the partition.

Using ADSIEdit:

  1. Open ADSIEdit.msc
  2. Navigate to the CrossRef object for the application partition on a specific DC (CN=Partitions,CN=Configuration,DC=Domain,DC=Com)
  3. Delete the CrossRef object, essentially skipping to step 7 above.
  4. Force replication, validate that the partition is gone.
  5. Restart DNS, the service will re-add the partition.

Note: Be sure to pick the correct Domain prior to hitting delete if you have a multi-domain forest!

Alternatively you could also manually re-create the partition using the GUI, using the “Create Default Application Directory Partitions…” option, if for some reason it didn’t re-add to the configuration container.


After I deleted the CrossRef and cycled DNS, a new CrossRef object for that partition was created with a new GUID, and the DNS servers that were DCs in that domain were then enlisted into the new partition. After that, we could connect to the partition in ADSIEdit and we could also create zones. Unfortunately, I don’t know the root cause of what corrupted those partitions.