New Child domain

    Question

  • Hello, I have a problem:

    My task was to install a new child domain for a partially independent branch. The normal process is "easy": I configure two sites, assign subnets, promote the new DC and assign it to the given site. Everything else is automatic (and then a lot of post-configuration...).

    The server is 2008 R2 SP1 and the parent is hosted partially on 2008 and 2008 R2 SP1. The domain and forest functional levels are 2008.

    The problem is that the customer has a primary DNS zone _msdcs.domena.lan that is not integrated into Active Directory, with zone transfer allowed only to name servers.

    This zone is replicated to the second parent DC as a secondary zone.

    When I added the new child DC, replication did not work.

    The primary reason was that a copy of _msdcs was not created in DNS on the child site. So I manually created the _msdcs zone as a secondary zone and did a Transfer from Master. This helped partially.

    The biggest problem is that the records for the child domain in _msdcs.domain.lan were not created automatically. There are also no records about the sites and the domain. For successful replication, a dc record is required, a CNAME record in the root of _msdcs is required, and a domain record is also required.

    I would like to leave the _msdcs primary zone intact, but I want to force the system to create the required things. I found that restarting the Directory Services on the primary _msdcs server can sometimes help, but not in all cases. I don't want to create them manually (the required SIDs can probably be found using ADSIEDIT, but based on my experience the system must create those itself).

    Another non-standard thing is that dynamic updates on the standard domain.lan zone are not allowed.

    The reason for those non-standard settings is that historically there was a Linux server with directory services (OpenLDAP + Samba) here.

    Any ideas? I also thought about demotion, cleanup and promotion back. But I think it can be resolved faster and in a less aggressive way.

    Wednesday, February 15, 2017 6:45 PM

All replies

  • Hi Michal,

    >>Problem is that customer has Primary DNS zone _msdcs.domena.lan but not integrated to Active Directory and Zone transfer only to Name servers

    Based on my understanding, an AD-integrated zone can be synced to other servers using AD replication technology.

    These integrated zones are stored in the AD database and are copied into the sysvol folders for sync purposes.

    Official explanation is here:

    When a Windows 2000 DNS server is installed on at least one domain controller and has Active Directory–integrated zones, the zone data is always replicated to every domain controller in the domain.

    https://technet.microsoft.com/en-us/library/cc978010.aspx?f=255&MSPPError=-2147217396

    You could try to use the repadmin.exe command to do the replication from the other zones.

    >>Reason for those non-standard settings was that in history here was Linux server with Directory services (openLDAP+SAMBA).

    Please check if the following link is helpful:

    http://serverfault.com/questions/6273/how-can-i-get-bind-and-microsoft-dns-to-work-together-well

    Note: Since the web site is not hosted by Microsoft, the link may change without notice.
    Microsoft does not guarantee the accuracy of this information.

    Best regards,

    Andy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, February 16, 2017 7:38 AM
    Moderator
  • Hello, I worked on this and we changed all _msdcs zones to Active Directory integrated, which allowed them to replicate between the controllers well. repadmin shows no issues, and the logs are clean after this.

    We restarted the domain services, which recreated _msdcs with the appropriate CNAME and domain records. But on the FSMO server I have one problem. Because the zone was originally hosted (as a primary zone) on a non-FSMO server, the _msdcs zone on the FSMO server was created without the one record pointing to the SRV record for the DC in the newly created locality.

    This means:

    On the non-FSMO server I have correct records for both localities (local and remote), and on the FSMO server only the local one. And I cannot force the system to replicate this change. (I tried an SOA increment; it was changed, but this setting was not reflected, probably due to duplicity?) This record could probably be set up manually, because it is only one SRV record pointing to the DC, so no dynamic GUID etc. But I don't want to do this in this zone.

    Any ideas? What about deleting _msdcs from the FSMO server and rebooting? But this could cause a global problem.


    Thursday, February 16, 2017 10:21 AM
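    An added example, not from the thread and not from either poster: a read-only PowerShell audit of the forest-root _msdcs zone that checks, on every DNS server hosting it, the two records each DC must have registered there (the DSA GUID CNAME in the zone root, and the `_ldap._tcp.<DomainGuid>.domains` SRV record). It covers the "required records" list in the question and the FSMO vs non-FSMO record mismatch in the reply above, by showing which server is missing which registration. It assumes the RSAT ActiveDirectory and DnsServer modules, a session with rights to read every DC, and the placeholder zone name `_msdcs.domain.lan` taken from the thread.

```powershell
# Added example (not from the thread): audit the forest-root _msdcs zone on every
# DNS server that hosts it and report which DC registrations are missing.
# Assumptions (not given on the page): RSAT ActiveDirectory and DnsServer modules,
# a session that can read every DC, and the placeholder zone name below.
Import-Module ActiveDirectory
Import-Module DnsServer

$MsdcsZone = '_msdcs.domain.lan'   # placeholder: the forest-root _msdcs zone from the thread

# 1. Every DC in the forest, with the identifiers its _msdcs records are keyed on:
#    the NTDS Settings (DSA) object GUID for the root CNAME, and the domain GUID
#    for the _ldap._tcp.<DomainGuid>.domains SRV record.
$domainGuid = @{}
foreach ($d in (Get-ADForest).Domains) {
    $domainGuid[$d] = (Get-ADDomain -Server $d).ObjectGUID.Guid
}
$dcs = foreach ($d in $domainGuid.Keys) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $d) {
        $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID -Server $dc.HostName
        [pscustomobject]@{
            HostName   = $dc.HostName
            DsaGuid    = $ntds.objectGUID.Guid
            DomainGuid = $domainGuid[$d]
        }
    }
}

# 2. The DNS servers to audit: by default every DC of the forest root domain
#    (once the zone is AD-integrated, each of them holds its own copy).
$dnsServers = (Get-ADDomainController -Filter * -Server (Get-ADForest).RootDomain).HostName

# 3. For each server, look up both records for each DC and compare the target
#    with the DC's FQDN. A missing or wrong target is flagged as MISSING.
$report = foreach ($srv in $dnsServers) {
    foreach ($dc in $dcs) {
        $checks = @(
            @{ Name = $dc.DsaGuid;                            Type = 'CNAME'; Field = 'HostNameAlias' },
            @{ Name = "_ldap._tcp.$($dc.DomainGuid).domains"; Type = 'SRV';   Field = 'DomainName'    }
        )
        foreach ($c in $checks) {
            $rec = Get-DnsServerResourceRecord -ComputerName $srv -ZoneName $MsdcsZone `
                       -Name $c.Name -RRType $c.Type -ErrorAction SilentlyContinue
            # DNS returns targets with a trailing dot; strip it before comparing.
            $targets = @($rec | ForEach-Object { $_.RecordData.($c.Field).TrimEnd('.') })
            [pscustomobject]@{
                DnsServer = $srv
                DC        = $dc.HostName
                Record    = "$($c.Name).$MsdcsZone ($($c.Type))"
                Status    = if ($targets -contains $dc.HostName) { 'OK' } else { 'MISSING' }
            }
        }
    }
}

# Only the gaps matter: a record present on one server and absent on another is
# the kind of per-server inconsistency described in the thread.
$report | Where-Object Status -eq 'MISSING' | Format-Table -AutoSize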
  • Hi Michal,

    >>Any ideas? What about delete _msdcs from FSMO and reboot? But this can cause global problem.

    If you delete this zone, it will also be removed from AD and DNS, which affects all DCs it has been replicated to.

    So, you'd better not delete it. I have tested this in my lab and couldn't restore it without replication from other DCs.

    Best regards,

    Andy


    Tuesday, February 21, 2017 4:20 AM
    Moderator