
tonymurray

Enabling a new DC as a DNS Server - a cautionary tale.

I recently came across a fairly serious DNS issue.  Here's what had happened.

A customer had decided to add a new DC.  They had run DCPROMO and everything ran without a hitch.  After the reboot they thought that it would be good to enable the DC as a DNS server (fair enough).  The existing zone was AD-integrated. 

Here's where things went awry.  There are a couple of ways in which a DC can be made a DNS Server.  The one that is probably most familiar to us is to go to Control Panel -> Add/Remove Programs -> Add/Remove Windows Components -> Networking Services -> Details -> Domain Name System (DNS).

This method would have been fine.

The alternative method is to use the Configure Your Server Wizard to add a role, as shown below.

At the next screen (after simply selecting Next above) things get a little tricky.  All you want to do is to install DNS Server on this machine.  That's it.  Finished.  Nothing else to do, because we know AD Integrated DNS will simply replicate the zone information to our new DC without any other effort required.  But the wizard doesn't know this and so tries to be helpful by suggesting you do something else (see below) when you select Next.

Clicking Cancel at this point will achieve the desired result.  Unfortunately, my customer became confused and went ahead and created the forward lookup zone THAT ALREADY EXISTED.  The effect of this was to overwrite the existing zone information.  Oops - not good.

Personally, I think it would be helpful if the wizard offered an extra option in the screen above.  For example, something that says, "This is a DC in an existing forest with these AD integrated zones (X, Y and Z) already configured."

Tony

www.activedir.org

Published Monday, August 07, 2006 2:28 AM by tonymurray
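
One way to check for an existing AD-integrated zone before letting any wizard create a forward lookup zone, as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module (which postdates the systems described above) and uses hypothetical names: `dc01.corp.example.com` for an existing DC and `corp.example.com` for the zone.

```powershell
# Added example, not from the original post. Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-ADIntegratedDnsZone {
    param([Parameter(Mandatory)][string]$Server)  # an existing DC, not the new one

    $root   = Get-ADRootDSE -Server $Server
    $domain = $root.defaultNamingContext
    $forest = $root.rootDomainNamingContext

    # The three containers that can hold AD-integrated zones (dnsZone objects).
    $containers = [ordered]@{
        'DomainDnsZones partition'  = "CN=MicrosoftDNS,DC=DomainDnsZones,$domain"
        'ForestDnsZones partition'  = "CN=MicrosoftDNS,DC=ForestDnsZones,$forest"
        'Domain partition (System)' = "CN=MicrosoftDNS,CN=System,$domain"
    }

    foreach ($entry in $containers.GetEnumerator()) {
        try {
            Get-ADObject -Server $Server -SearchBase $entry.Value -SearchScope OneLevel -LDAPFilter '(objectClass=dnsZone)' -Properties whenChanged -ErrorAction Stop |
                ForEach-Object {
                    [pscustomobject]@{
                        ZoneName    = $_.Name
                        StoredIn    = $entry.Key
                        WhenChanged = $_.whenChanged
                    }
                }
        } catch {
            # A container that is missing or unreadable is reported, not treated as "no zones".
            Write-Warning "Could not read $($entry.Value): $($_.Exception.Message)"
        }
    }
}

function Test-DnsZoneSafeToCreate {
    param([Parameter(Mandatory)][string]$ZoneName, [Parameter(Mandatory)][string]$Server)

    $existing = @(Get-ADIntegratedDnsZone -Server $Server | Where-Object { $_.ZoneName -eq $ZoneName })
    if ($existing.Count -gt 0) {
        Write-Warning "Zone '$ZoneName' already exists in AD ($($existing.StoredIn -join ', ')). Do not create it; replication will deliver it."
        return $false
    }
    return $true
}

# Hypothetical names: dc01.corp.example.com is an existing DC, corp.example.com the zone.
Test-DnsZoneSafeToCreate -ZoneName 'corp.example.com' -Server 'dc01.corp.example.com'
```

A `$false` result is the situation in the post: the zone already lives in the directory, so the right move at the wizard's zone-creation step is Cancel.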

Comments

 

carlos said:

EXCELLENT post Tony ;) And welcome
August 8, 2006 1:49 AM
 

tomek said:

That's why I don't like wizards; sometimes a wizard introduces "assumptions" which may be dangerous.

Welcome on board Tony :)
August 8, 2006 7:33 AM
 

carlos said:

Tomek,

I don't know if I agree. If you take the amount of times a user will screw things up vs. the amount of times Wizards screw things up, you are better off with Wizards.
August 10, 2006 5:50 AM