Field Notes: Access denied when removing Active Directory integrated DNS Zones

With Windows Server 2008 R2 reaching end of life in January 2020, many organizations have been migrating their workloads to Windows Server 2016 or newer.  This period is also an opportunity for some to decommission and consolidate domains to reduce complexities where possible.  I posted about an upgrade blocker when the File Replication Service is still in use for replicating SYSVOL content here.  In there, I also share a link on where you can find useful information on the End of Life Dashboard that one of my follows blogged about.

I this post, I would like to discuss an additional check point you may want to include in your upgrade plan as one of the clean-up actions after removing a domain.  This tip would also be applicable when you are looking at removing Active Directory-Integrated Zones that are no longer required or wanted.

Repro Environment Details

I leveraged one of the Azure Quickstart Templates to help accelerate a deployment of a 3-domain forest in my Azure subscription.  In there, I have:

  • A forest root domain named forestroot.co.za
  • 2 child domain named east.forestroot.co.za and west.forestroot.co.za

For demonstration, I decommission one of the child domains (west.forestroot.co.za) and go through the process of cleaning up the expired stub DNS zone that was created in the other child domain (east.forestroot.co.za).  Here’s what it initially looks like in the DNS Management Console.

West domain stub zone

Protecting DNS Zones from accidental deletion

It is recommended to have DNS zones protected from accidental deletion.  Here is an oldie but goodie with details:

In the test lab, I ran the following piece of PowerShell code to protect the west.forestroot.co.za DNS stub zone hosted in the east domain from accidental deletion:

Get-ADObject -Server EASTDC01.east.forestroot.co.za -Filter 'Name -eq "west.forestroot.co.za"' -SearchBase "DC=DomainDNSZones,DC=east,DC=forestroot,DC=co,DC=za" -Properties ProtectedFromAccidentalDeletion | Set-ADObject -ProtectedFromAccidentalDeletion $true

Protect DNS zone from accidental deletion

Decommissioning the child domain

We are now at a point where we need to decommission the west domain.  As part of the removal process, the Active Directory Domain Services configuration wizard removes the DNS zone for the west domain, as well as the DNS delegation.

ADDS domain removal options

However, the stub zone remains and traces of it are visible in the DNS Management Console after the domain removal.  The DNS server from the east domain is unable to load the zone as the transfer of zone data from the master server (the decommissioned DC) failed.

Zone not loaded by DNS Server

Additionally, there is an error (Event ID 6527) logged in the DNS Server event log stating that the zone expired before it could obtain a successful zone transfer or update from a master server acting as its source for the zone.

Expired DNS zone.

The clean-up process

With protection from accidental deletion in place, an attempt to remove this stale zone results in the following error:

The zone cannot be deleted.  Access was denied

The zone cannot be deleted.  Access was denied.

In this case, I am using an account belonging to the Enterprise Admins group.  From a perspective of group membership, inadequate permissions is not an issue here and we already have an idea that this is due to the protection we put on earlier.

The account is a member of the Enterprise Admins group.

What I need to do here is to remove the protection flag by running the following PowerShell code:

Get-ADObject -Server EASTDC01.east.forestroot.co.za -Filter ‘Name -eq “west.forestroot.co.za”‘ -Properties ProtectedFromAccidentalDeletion | Set-ADObject -ProtectedFromAccidentalDeletion $false

To confirm, here is the PowerShell code that can help us:

Get-ADObject -Server EASTDC01.east.forestroot.co.za -Filter ‘Name -eq “west.forestroot.co.za”‘ -Properties ProtectedFromAccidentalDeletion

Remove the protection flag

With this flag turned off (or set to false), removal of this zone succeeds.

One more thing to watch out for…

So far, this is pretty straightforward but I would like to leave you my last tip.  You may have come across the warning (Event ID 4515) depicted below.  The zone west.forestroot.co.za was previously loaded from the directory partition MicrosoftDNS but another copy of the zone has been found in directory partition DomainDnsZones.east.forestroot.co.za.  

Duplicate zone

So what do we have here?  The zone west.forestroot.co.za is stored in two partitions – one in DomainDNSZones and another in the domain partition.

Duplicate zone

Be sure to check if you don’t have a duplicate copy of the zone too if you are not sure why you still get access denied with everything that has been mentioned above in place. 

In closing

Protect your Active Directory-Integrated DNS zones from accidental deletion, but don’t forget about this when it’s time to get rid of DNS zones you no longer require.  Also please watch out for duplicate copies of DNS zones and remember that storing zones in the domain partition is not recommended.  Happy upgrading!

Till next time…

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.