_msdcs subdomain missing for non forest root domain

  • Question

  • All,

    I'm looking for some guidance on a Windows DNS issue but please bear with me as I work more on the Unix/Linux side.

    We are running Windows AD at a 2008 functional level with a root domain of "corp.example.com".  We also run DNS for a few other domains, including "example.com".  We solely use AD DNS for all of our servers.  Our Windows systems are part of the "corp.example.com" domain and our Unix/Linux servers are part of the "example.com" domain.

    My motivation is to enable a one-way trust from FreeIPA to AD for user authentication on our Linux side.  The configuration process on the FreeIPA side runs a "trust-add" script that makes the necessary configurations (cifs, smb, etc.) to the master FreeIPA servers.  The trust-add says it needs the following DNS SRV records created, as they currently do not exist:

    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com. 86400 IN SRV 0 100 389 ipaserver.example.com.
    _kerberos._udp.dc._msdcs.example.com. 86400 IN SRV 0 100 88 ipaserver.example.com.
    _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.example.com. 86400 IN SRV 0 100 88 ipaserver.example.com.
    _kerberos._tcp.dc._msdcs.example.com. 86400 IN SRV 0 100 88 ipaserver.example.com.
    _ldap._tcp.dc._msdcs.example.com. 86400 IN SRV 0 100 389 ipaserver.example.com.
    _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com. 86400 IN SRV 0 100 88 ipaserver.example.com.

    The problem is there is no _msdcs.example.com subdomain and therefore seemingly no ability to create *.dc._msdcs.example.com records.

    I have searched and read about missing _msdcs zones but they seem to be specific to upgrading from 2003 to 2008.  I've also seen articles about recreating the example.com zone which is not an option.

    Can anyone point me in the right direction as to how I can possibly remedy my situation?  Or is this not possible?

    Thanks in advance,

    HB
    Wednesday, August 1, 2018 9:09 PM
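    One way to create the six records the trust-add output asks for, as an added example that is not part of the original post or of FreeIPA's own tooling. It assumes the DnsServer PowerShell module (Windows DNS server or RSAT) is available, that "example.com" is a primary AD-integrated zone on this server as the question states, and that the zone name, site name and target host are the ones quoted in the trust-add output. Windows DNS creates the intermediate nodes ("dc", "_msdcs", "_sites") inside the zone when a record with a multi-label relative name is added, so no separate _msdcs.example.com zone is needed unless one is actually delegated; the script checks for that case first.

```powershell
# Added example: create the SRV records that "ipa trust-add" listed, inside the
# existing example.com zone on a Windows DNS server.
# Assumptions (not from the thread): DnsServer module present, run as a user
# allowed to write to the zone, no delegated _msdcs.example.com zone.

$Zone   = 'example.com'
$Target = 'ipaserver.example.com'     # FreeIPA master, FQDN from the question
$Site   = 'Default-First-Site-Name'   # must match the AD site name FreeIPA used
$Ttl    = New-TimeSpan -Seconds 86400

# Owner names relative to the zone, with the ports from the trust-add output
$Records = @(
    @{ Name = '_ldap._tcp.dc._msdcs';                   Port = 389 }
    @{ Name = "_ldap._tcp.$Site._sites.dc._msdcs";      Port = 389 }
    @{ Name = '_kerberos._tcp.dc._msdcs';               Port = 88  }
    @{ Name = '_kerberos._udp.dc._msdcs';               Port = 88  }
    @{ Name = "_kerberos._tcp.$Site._sites.dc._msdcs";  Port = 88  }
    @{ Name = "_kerberos._udp.$Site._sites.dc._msdcs";  Port = 88  }
)

# If a separate _msdcs.<zone> zone exists, the records belong there, not here:
# a record created in the parent zone would be shadowed by the delegation.
if (Get-DnsServerZone -Name "_msdcs.$Zone" -ErrorAction SilentlyContinue) {
    throw "A separate _msdcs.$Zone zone exists; add the records in that zone instead."
}

foreach ($r in $Records) {
    $fqdn = "$($r.Name).$Zone"

    # Idempotent: skip when an SRV for this owner already points at the target
    $existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name $r.Name -RRType Srv `
                    -ErrorAction SilentlyContinue |
                Where-Object { $_.RecordData.DomainName.TrimEnd('.') -eq $Target }
    if ($existing) {
        Write-Host "exists  $fqdn"
        continue
    }

    # Priority 0 / weight 100 exactly as the trust-add output requested
    Add-DnsServerResourceRecord -ZoneName $Zone -Name $r.Name -Srv `
        -DomainName $Target -Priority 0 -Weight 100 -Port $r.Port -TimeToLive $Ttl
    Write-Host "created $fqdn -> ${Target}:$($r.Port)"
}

# Verify through the resolver, the same way the FreeIPA side will look them up
foreach ($r in $Records) {
    Resolve-DnsName -Name "$($r.Name).$Zone" -Type SRV -DnsOnly |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object Name, NameTarget, Port, Priority, Weight
}
```

    After the records are in place, re-run the trust-add step on the FreeIPA side; if it still reports the records as missing, check that the site name it expects is the one used above and that the FreeIPA servers resolve against a DNS server hosting (or secondary to) the example.com zone.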

All replies

  • Hi,

    Thanks for your question.

    I have a question, since "corp.example.com" is a root domain, how does "example.com" exist?

    Please forgive me for not knowing Linux well.

    If you want to know how to recreate the _msdcs DNS zone on a Windows DNS Server, please refer to the link below:

    https://www.dell.com/support/article/sg/en/sgdhs1/sln155826/how-to-delete-and-recreate-the-_msdcs-dns-zone-on-a-windows-dns-server?lang=en

    Best regards,

    Travis


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, August 2, 2018 2:46 AM
    Moderator
  • Thank you for your reply.

    Please forgive my confusion here as well.  I'm not sure exactly how to answer your question but both:

    corp.example.com 

    and

    example.com

    Are forward lookup zones in our AD DNS.  I was able to add several required SRV records for the one-way trust, i.e.:

    _kerberos._tcp.example.com. 86400 IN SRV 0 100 88 ipaserver.example.com

    and

    _ldap._tcp.example.com. 86400 IN SRV 0 100 389 ipaserver.example.com

    However, I am not sure how to handle the missing _msdcs (subdomain/folder? It does exist as a folder under the corp.example.com forward lookup zone) for example.com.

    The link you included talks about deleting and recreating a _msdcs zone.  My issue is that it does not exist for the example.com forward lookup zone.  Is this what I want?

    I apologize if I am completely confusing the situation here, but my many years of DNS experience is on the BIND DNS side.

    Any guidance is appreciated.

    HB

    Thursday, August 2, 2018 4:35 AM
  • Hi,

    Thanks for your reply.

    In my opinion, if you have an AD-integrated zone "example.com", you can rebuild the _msdcs zone.

    However, I am not familiar with the configuration of the Linux side.

    Maybe you should ask for help on the Linux forum.

    Best regards,

    Travis



    Friday, August 3, 2018 9:06 AM
    Moderator