_msdcs subdomain best practice with NS records?

    Question

  • I have the _msdcs subfolder under my domain (the grey folder). example below

    It has only one DC inside of it for an NS server. This DC is old and no longer exists. I checked my test environment and it has the same scenario (an old DC that does not exist). example below

    I'm just wondering:

    1) Is this normal, should this folder update itself with other servers?

    2) Should I be adding one of my other DCs and removing the original?

    I have a single forest, single domain setup 2008 functional level. My normal _msdcs Zone does behave as expected and removes and add the appropriate records. Thanks.

    Thursday, December 12, 2013 4:15 AM

Answers

  • And I hope I was able to answer all of your questions.

    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    • Marked as answer by fiveninesnope Friday, December 13, 2013 4:27 AM
    Friday, December 13, 2013 4:27 AM

All replies

  • The current DC should have shown up as an NS record. Add the FQDN manually. It should resolve to the proper IP address. And there should only be one IP. If two or more show up, then that means your DC is multihomed, which is not recommended, and may explain why it may not have properly registered automatically as an NS record.

    And delete any old and nonexistent entries.

    Also check the following to make sure the NS records are correct:

    • parent.local
    • DomainDnsZones subfolder
    • ForestDnsZones subfolder

    -

    The fact that it didn't register, besides being multihomed, could also be attributed to other issues or config errors, such as:

    • Multihomed DC (mentioned above)
    • Using an external DNS address (such as an ISP's or router IP address) in the NIC
    • Other ...

    Any errors in the event logs? Please check all Event log errors, such as the Application, System, and under Application and Services Logs on a DC for the AD Web Services, DFS Replication, Directory Services, DNS Server & File Replication Service logs. Copy and paste the whole error into your post.


    Ace Fekay

    Thursday, December 12, 2013 5:55 AM
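The checks in the reply above (NS records on parent.local, its DomainDnsZones/ForestDnsZones nodes and the _msdcs zone, the delegation itself, multihoming, non-DC DNS servers in the NIC, and the event logs) can be run as one audit. The script below is an added example, not code from the original post or from Microsoft; it assumes it runs on a DC with the DnsServer and ActiveDirectory PowerShell modules (Windows Server 2012+ or RSAT; on 2008 R2 the same lookups map to dnscmd), uses the thread's domain name parent.local, and treats any name server that is not a current DC as stale.

```powershell
# Added audit script (not from the original post). Assumes the DnsServer and
# ActiveDirectory modules, the domain parent.local used in the thread, and that
# every name server in NS/delegation records should be a live DC.
$Domain    = 'parent.local'
$DnsServer = $env:COMPUTERNAME

# Authoritative DC list from AD; anything else in an NS record is stale.
$liveDCs = Get-ADDomainController -Filter * |
           ForEach-Object { $_.HostName.ToLower().TrimEnd('.') }

function Test-NameServer([string]$Name) {
    $n = $Name.ToLower().TrimEnd('.')
    if ($liveDCs -contains $n) { 'OK' } else { 'STALE' }
}

# 1. NS records at the apex of each zone the reply lists, plus the
#    DomainDnsZones / ForestDnsZones nodes inside parent.local.
$checks = @(
    @{ Zone = $Domain;          Name = '@' },
    @{ Zone = $Domain;          Name = 'DomainDnsZones' },
    @{ Zone = $Domain;          Name = 'ForestDnsZones' },
    @{ Zone = "_msdcs.$Domain"; Name = '@' }
)
foreach ($c in $checks) {
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $c.Zone `
        -Name $c.Name -RRType NS -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Check      = "NS in $($c.Zone) ($($c.Name))"
            NameServer = $_.RecordData.NameServer
            Status     = Test-NameServer $_.RecordData.NameServer
        }
    }
}

# 2. The grey _msdcs folder is a delegation: check its NS names and glue A records.
Get-DnsServerZoneDelegation -ComputerName $DnsServer -Name $Domain -ChildZoneName '_msdcs' |
ForEach-Object {
    $ns = $_.NameServer.RecordData.NameServer
    [pscustomobject]@{
        Check      = "Delegation _msdcs.$Domain"
        NameServer = $ns
        Glue       = (@($_.IPAddress) | ForEach-Object { $_.RecordData.IPv4Address }) -join ','
        Status     = Test-NameServer $ns
    }
}

# 3. The two registration-failure causes the reply names: multihoming and a
#    NIC that points at a non-DC (ISP/router) DNS server.
$ipv4 = @(Get-NetIPAddress -AddressFamily IPv4 |
          Where-Object { $_.InterfaceAlias -notmatch 'Loopback|isatap|Teredo' -and
                         $_.PrefixOrigin -ne 'WellKnown' })
if ($ipv4.Count -gt 1) {
    Write-Warning "Multihomed DC: $(($ipv4.IPAddress) -join ', ')"
}
$dcIps = $liveDCs | ForEach-Object {
    (Resolve-DnsName -Name $_ -Type A -ErrorAction SilentlyContinue).IPAddress
}
Get-DnsClientServerAddress -AddressFamily IPv4 |
Where-Object { $_.ServerAddresses } |
ForEach-Object {
    foreach ($srv in $_.ServerAddresses) {
        if ($dcIps -notcontains $srv -and $srv -ne '127.0.0.1') {
            Write-Warning "NIC '$($_.InterfaceAlias)' uses non-DC DNS server $srv"
        }
    }
}

# 4. Critical/error events from the logs the reply lists (last two days).
$logs = 'System', 'Application', 'DNS Server', 'Directory Service',
        'DFS Replication', 'Active Directory Web Services', 'File Replication Service'
$logs = $logs | Where-Object { Get-WinEvent -ListLog $_ -ErrorAction SilentlyContinue }
Get-WinEvent -FilterHashtable @{ LogName = $logs; Level = 1, 2;
                                 StartTime = (Get-Date).AddDays(-2) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, Id, ProviderName, Message |
    Format-Table -AutoSize -Wrap
```

Anything reported as STALE in sections 1 or 2 is what the reply says to delete and replace with the FQDN of a current DC; a warning from section 3 is the likely reason the current DC never registered itself.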
  • All my other zones are fine. My AD checks out 100% with dcdiag and repadmin. I guess my question is why is it only the original DC for the domain? And does that record apply to anything?

    I've run dcpromos on test environments and it's the same outcome. I think it has to do with being the original delegate of that AD zone?

    Thursday, December 12, 2013 3:35 PM
  • Ok,

    So I deleted both the grey folder and the one at the root (_msdcs). When I restarted netlogon it only made one folder as the subdomain.

    So it replaced the grey folder with the information from the folder originally listed at the root and does not recreate the one at the root.


    Thursday, December 12, 2013 4:56 PM
  • I apologize for the late response. I see you've gone further than what I've recommended.

    No, you shouldn't have deleted the _msdcs.parent.local zone!!!!!! I'm not sure why you did that. Are you working with someone else on this that recommended to do that? If not, you're over-thinking it. I provided specifics to fix it by simply updating the NS records, that's it. If you only found the _msdcs folder had the wrong record, then that's all you had to change.

    In cases where DCs are removed, replaced, upgraded, etc., it's also best practice to check a few things to make sure things are in order, and one of them is to check the NS records on all zones and delegations. A delegation's NS records won't update automatically with changes, but zone NS records will if DCs are properly demoted.

    The _msdcs delegated zone is required by Active Directory. And yes, based on your thread subject, it's best practice. When Windows 2000 came out, and IF you had created the initial domain with it, it did not have it this way, but all domains initially created with Windows 2003 and newer are designed this way. If you had upgraded from 2000 to 2003, then one of the steps that we must perform is to create the _msdcs delegation.

    Please re-create it in this order:

    1. In the DNS console, right-click Forward Lookup Zones, and then click New Zone. Click Next
    2. On the Zone Type page in the New Zone Wizard, click Primary zone, and then click to select the Store the zone in Active Directory check box. Click Next
    3. On the Active Directory Zone Replication Scope page, click "To all DNS servers in the Active Directory forest parent.local".
    4. On the Zone Name page, in the Zone Name box, type _msdcs.parent.local
    5. Complete the wizard by accepting all the default options.

    -

    After you've done that:

    1. Delete the _msdcs subfolder under parent.local.
    2. Right-click parent.local, choose New Delegation.
    3. Type in _msdcs
    4. In the Nameserver page, type in the name of your server, and its IP address.
    5. Complete the wizard
    6. You should now see a grayed out _msdcs folder under parent.local.
    7. Go to c:\windows\system32\config\ folder
    8. Find netlogon.dns and rename it to netlogon.dns.old
    9. Find netlogon.dnb and rename it to netlogon.dnb.old
    10. Open a command prompt
    11. Run ipconfig /registerdns
    12. Run net stop netlogon
    13. Run net start netlogon
    14. Wait a few minutes, then click on the _msdcs.parent.local zone, and click the F5 button to refresh it.
    15. You should see the data populate.

    -


    Ace Fekay

    Thursday, December 12, 2013 8:32 PM
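The two numbered procedures in the post above (create the forest-replicated _msdcs.parent.local zone, then replace the _msdcs subfolder with a delegation, retire netlogon.dns/netlogon.dnb, re-register and restart Netlogon, and wait for the zone to populate) can be driven from one script. What follows is an added example written for this page, not code from the original post or from Microsoft. It assumes the DnsServer module (Windows Server 2012+ or RSAT; on a 2008 R2 DC the same steps are dnscmd calls), that it runs on the DC which will become the delegation's name server, and the thread's domain name parent.local. It also enforces the earlier reply's caveat that the DC must resolve to exactly one address, and supports -WhatIf so the destructive steps can be previewed first, which is the lesson of this thread.

```powershell
# Added example (not from the original post): the re-create procedure as a script.
# Assumes the DnsServer module, that it runs on the DC that will host the
# delegation, and the thread's domain parent.local. Function name is ours.
function Reset-MsdcsDelegation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Domain,   # e.g. parent.local
        [int]$WaitSeconds = 180                  # how long to wait for records to appear
    )
    $msdcs  = "_msdcs.$Domain"
    $dcFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLower()

    # Earlier reply's caveat: exactly one A record; more means a multihomed DC.
    $ips = @((Resolve-DnsName -Name $dcFqdn -Type A -ErrorAction Stop).IPAddress)
    if ($ips.Count -ne 1) {
        throw "$dcFqdn resolves to $($ips -join ', '); fix multihoming before touching DNS."
    }
    $dcIp = $ips[0]

    # First procedure, steps 1-5: AD-integrated primary zone, forest replication scope.
    if (-not (Get-DnsServerZone -Name $msdcs -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $msdcs -ReplicationScope Forest -DynamicUpdate Secure
    }

    # Second procedure, step 1: remove the _msdcs subfolder/old delegation in parent.local.
    Remove-DnsServerZoneDelegation -Name $Domain -ChildZoneName '_msdcs' -Force -ErrorAction SilentlyContinue
    Get-DnsServerResourceRecord -ZoneName $Domain |
        Where-Object { $_.HostName -eq '_msdcs' -or $_.HostName -like '*._msdcs' } |
        ForEach-Object { Remove-DnsServerResourceRecord -ZoneName $Domain -InputObject $_ -Force }

    # Steps 2-6: new delegation pointing at this DC with its single glue address.
    Add-DnsServerZoneDelegation -Name $Domain -ChildZoneName '_msdcs' -NameServer $dcFqdn -IPAddress $dcIp

    # Steps 7-9: retire the cached Netlogon registration files so they are rebuilt.
    foreach ($f in 'netlogon.dns', 'netlogon.dnb') {
        $path = Join-Path $env:SystemRoot "System32\config\$f"
        if (Test-Path $path) { Rename-Item -Path $path -NewName "$f.old" }
    }

    # Steps 10-13: re-register and bounce Netlogon (native ipconfig needs its own guard).
    if ($PSCmdlet.ShouldProcess($dcFqdn, 'ipconfig /registerdns and restart Netlogon')) {
        ipconfig /registerdns | Out-Null
        Restart-Service -Name Netlogon -Force
    }

    # Steps 14-15: poll until the DC's SRV records show up in the new zone.
    $deadline = (Get-Date).AddSeconds($WaitSeconds)
    $srv = $null
    do {
        $srv = Get-DnsServerResourceRecord -ZoneName $msdcs -RRType SRV -ErrorAction SilentlyContinue
        if ($srv) { break }
        Start-Sleep -Seconds 10
    } while ((Get-Date) -lt $deadline)

    [pscustomobject]@{
        Zone       = $msdcs
        Delegation = (Get-DnsServerZoneDelegation -Name $Domain -ChildZoneName '_msdcs' `
                      -ErrorAction SilentlyContinue).NameServer.RecordData.NameServer
        SrvRecords = @($srv).Count
        Populated  = [bool]$srv
    }
}

# Dry run first; drop -WhatIf once the preview shows only the expected changes.
Reset-MsdcsDelegation -Domain 'parent.local' -WhatIf
```

The DnsServer cmdlets and Rename-Item honor -WhatIf on their own; only the ipconfig/Restart-Service step needs the explicit ShouldProcess guard. Populated = $false after the wait means Netlogon did not register, which points back to the NIC DNS settings or event log errors from the earlier reply rather than to the zone layout.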
  • Oops... It's OK, it was just in a test environment. But I will run through your steps. Thanks.

    So in my production environment:) I should remove the old server in the delegation and add another active AD server?


    Thursday, December 12, 2013 10:08 PM
  • Oh, this is a lab? Ok. And yes, you simply update the delegate(s).

    Ace Fekay

    Friday, December 13, 2013 4:27 AM
  • Thanks for the insight. It was good to learn the rebuild process.
    Friday, December 13, 2013 4:28 AM
  • You are welcome! Glad to help any time!

    Cheers!


    Ace Fekay

    Friday, December 13, 2013 5:25 AM