_msdcs AD integrated zone

  • Question

  • I know this question may sound repetitive, as the topic has been on a couple of forums already, but I had some more specific questions about it. I recently upgraded my domain from a 2003 domain and forest functional level with one 2003 DC and one 2008 R2 DC, to two 2008 R2 DCs. After running the BPA for DNS I got the error notification that everyone would expect (can't find that _msdcs AD zone). After completing the steps in making it a new primary AD zone, all of the errors in the BPA went away.

    The question that I have is: would the absence of a _msdcs zone cause an application to fail, if the application was using LDAP to query my domain controller for user credentials? Also, would it cause LDAP errors sometimes and not other times? I keep thinking that SRV records live on the DC and the application points to the DC, so there shouldn't have been any problem. Maybe this issue is just specific to this application? I need some answers from somebody who may have come across a similar problem.

    Friday, May 10, 2013 3:20 AM

Answers

  • So when you send an LDAP query it will use DNS to locate the SRV records to identify which DC should respond to the LDAP query. So if that zone was missing then yes, it is unlikely your application would work, but it is also unlikely AD would be working without that zone.

    It might be possible, I guess, that if your application is coded in such a way, and the query is written in such a way, that it could talk directly to a DC without DNS - but whether you would get the correct results if this zone was missing I'm not sure.


    Regards,

    Denis Cooper

    MCITP EA - MCT

    Note: Posts are provided “AS IS” without warranty of any kind

    Tuesday, May 14, 2013 6:30 AM

All replies

  • It's unlikely that this would have caused the errors you are / were seeing.

    SRV records live in DNS as they are a type of DNS record. They refer back to the DCs and are created by the DCs, but they don't live on the DCs; they live in DNS.


    Denis Cooper MCITP EA - MCT

    Friday, May 10, 2013 7:43 AM
  • Not sure how you lost the _msdcs zone, but I'm not sure how users would be able to authenticate without this. The dcLocator process on each workstation/server uses this zone to be provided the list of services within a site. These services point your clients to DCs. If the application is site aware, then yes, it is possible the application could fail if it is attempting to reach out based on the site DCs, but if they were authenticating then it seems that the application would be just as aware as the workstation was. So I am not sure exactly what is going on in your environment.
    http://technet.microsoft.com/en-us/library/cc961719.aspx

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, May 10, 2013 12:12 PM
    Moderator
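    The locator lookups described in the reply above, as an added example that is not part of the original thread: it issues the same SRV queries the DC locator sends (site-specific first, then the domain-wide records under _msdcs, then the generic _ldap._tcp record outside _msdcs) and prints what each one returns, so a missing _msdcs zone shows up as warnings on the first three queries while the fourth still resolves. The forest name contoso.com and the site name Default-First-Site-Name are assumptions; substitute your own. Requires the DnsClient module (Windows 8 / Server 2012 or later, or RSAT).

```powershell
# Added example, not from the thread. Replays the DNS side of the DC locator.
# Assumed names: forest root contoso.com, AD site Default-First-Site-Name.
param(
    [string]$Forest = 'contoso.com',
    [string]$Site   = 'Default-First-Site-Name'
)

function Get-DcSrv {
    # Resolve one SRV name and return its targets ordered the way a client
    # would pick them: lowest priority first, higher weight preferred.
    param([string]$Name)
    try {
        Resolve-DnsName -Name $Name -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
            Select-Object @{ n = 'Query'; e = { $Name } }, NameTarget, Port, Priority, Weight
    } catch {
        # With the _msdcs zone missing, every *._msdcs.* query lands here.
        Write-Warning "No SRV records for $Name : $($_.Exception.Message)"
    }
}

# Order the locator tries for a site-aware client looking for any DC in the domain.
$queries = @(
    "_ldap._tcp.$Site._sites.dc._msdcs.$Forest",   # DCs in the client's site
    "_ldap._tcp.dc._msdcs.$Forest",                # any DC in the domain
    "_kerberos._tcp.dc._msdcs.$Forest",            # KDCs
    "_ldap._tcp.$Forest"                           # generic LDAP, outside _msdcs
)

$results = foreach ($q in $queries) { Get-DcSrv -Name $q }
$results | Format-Table -AutoSize

# Cross-check against what the locator itself returns on this machine
# (/force bypasses the cached DC so the DNS path is actually exercised).
nltest "/dsgetdc:$Forest" /force
```

    An application that is hard-wired to one DC by host name or IP never issues any of these queries, which is why such an application keeps working while domain-joined clients, which rely on the first two queries, would not.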
  • Please read this for more details about the _msdcs.domain.com DNS zone: http://windowsitpro.com/networking/q-whats-dns-msdcs-zone-forest-root-domain-used

    For your applications in use, you need first to understand how they locate the DCs to see if this will impact them or not. As an example, if the application is configured to use a specific DC, it will not be impacted if the SRV records are missing as it does not need them to locate the closest DC. Only applications based on the use of DNS resolution to locate closest DCs will be impacted. So, you need first to understand how your AD-based applications are working.

    For the removal of this zone, I think that someone mistakenly removed it on a DC and that this was replicated to all the DC / DNS servers in your domain / forest. For the newly created DNS zone, please make sure that it is AD-Integrated and that it is set to be replicated to all your DC / DNS servers in your AD forest.


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.


    Sunday, May 12, 2013 2:52 PM
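    The check suggested in the reply above (that the recreated zone is AD-integrated and replicated to every DC / DNS server in the forest), as an added example that is not part of the original thread. It asks each DC for the zone's storage type and replication scope, counts the SRV records it holds, confirms each DC has registered its own _ldap._tcp.dc record, and re-registers Netlogon's records where one is missing. The forest root contoso.com is an assumption. It assumes the DnsServer and ActiveDirectory PowerShell modules, which ship with Windows Server 2012 or later RSAT; on a 2008 R2 box the equivalent information comes from dnscmd /ZoneInfo and dnscmd /EnumRecords.

```powershell
# Added example, not from the thread. Verifies the recreated _msdcs zone on every DC.
# Assumed forest root: contoso.com. Needs the DnsServer and ActiveDirectory modules.
Import-Module DnsServer, ActiveDirectory

$Forest = 'contoso.com'
$Zone   = "_msdcs.$Forest"

# Every DC in the domain; in this thread's setup each one also runs DNS.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = foreach ($dc in $dcs) {
    try {
        $z   = Get-DnsServerZone -Name $Zone -ComputerName $dc -ErrorAction Stop
        $srv = @(Get-DnsServerResourceRecord -ZoneName $Zone -RRType Srv -ComputerName $dc -ErrorAction Stop)

        # The DC's own locator record: relative name _ldap._tcp.dc, target = this DC.
        $own = $srv | Where-Object {
            $_.HostName -eq '_ldap._tcp.dc' -and $_.RecordData.DomainName -eq "$dc."
        }

        [pscustomobject]@{
            DC               = $dc
            ZonePresent      = $true
            AdIntegrated     = $z.IsDsIntegrated      # expect True
            ReplicationScope = $z.ReplicationScope    # expect 'Forest' for _msdcs
            SrvRecords       = $srv.Count
            OwnLdapSrv       = [bool]$own
            Error            = $null
        }
    } catch {
        # Zone absent (or DNS unreachable) on this DC: replication scope is wrong,
        # or the zone was created on only one server.
        [pscustomobject]@{
            DC = $dc; ZonePresent = $false; AdIntegrated = $null; ReplicationScope = $null
            SrvRecords = 0; OwnLdapSrv = $false; Error = $_.Exception.Message
        }
    }
}

$report | Format-Table -AutoSize

# Flag zones that exist but are not forest-replicated AD-integrated zones.
$report | Where-Object { $_.ZonePresent -and ($_.ReplicationScope -ne 'Forest' -or -not $_.AdIntegrated) } |
    ForEach-Object { Write-Warning "$($_.DC): $Zone is $($_.ReplicationScope) / DsIntegrated=$($_.AdIntegrated), expected Forest / True" }

# Any DC that has the zone but not its own LDAP SRV record: ask Netlogon to re-register.
$report | Where-Object { $_.ZonePresent -and -not $_.OwnLdapSrv } | ForEach-Object {
    Write-Warning "$($_.DC): missing its own _ldap._tcp.dc record; re-registering"
    Invoke-Command -ComputerName $_.DC -ScriptBlock { nltest /dsregdns }
}
```

    Run it once after creating the zone and again after a replication interval: a zone that shows ZonePresent only on the server where it was created has the wrong replication scope, and a DC whose OwnLdapSrv stays False after re-registration usually has dynamic updates disabled on the zone.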
  • Thanks to everyone's responses. Just to clarify a couple of things: through some research I am to understand that with 2003 domains, the _msdcs zone is not a forward lookup zone by default, so it must be added manually. I am aware that the SRV records live in DNS, but our internal DNS is on our DCs and I forgot to mention that. The application itself is configured to look at and resolve through only one of our DCs and use the other purely as a failover. Other than that, I think we are all on the same page when it comes to my issue. I had to make sure that this wouldn't cause an issue that I was unaware of. I guess I need to fix MY issue with explaining the situation a little better, which I apologize for.

    Since the application itself sends LDAP queries directly to our DC itself, there shouldn't be a reason (related to AD or DNS) that the "missing" zone would create a failure. If any more ideas pop into anybody's head please comment further.

    Thanks again to all.

    Tuesday, May 14, 2013 1:58 AM
  • Do you still need further help on this?


    Regards,

    Denis Cooper

    MCITP EA - MCT

    Help keep the forums tidy, if this has helped please mark it as an answer


    Wednesday, May 29, 2013 8:57 AM