_msdcs subdomain best practice with NS records?

    Question

  • I have the _msdcs subfolder under my domain (the grey folder). example below

    It has only one DC inside of it for a NS server. This DC is old and no longer exists. I checked my test environment and it has the same scenario (an old DC that does not exist). example below

    I'm just wondering:

    1) Is this normal, should this folder update itself with other servers?

    2) should I be adding one of my other DC's? and removing the original?

    I have a single forest, single domain setup, 2008 functional level. My normal _msdcs zone does behave as expected and removes and adds the appropriate records. Thanks.

    Thursday, December 12, 2013 4:15 AM

All replies

  • The current DC should have shown up as an NS record. Add the FQDN manually. It should resolve to the proper IP address. And there should only be one IP. If two or more show up, then that means your DC is multihomed, which is not recommended, and may explain why it may not have properly registered automatically as an NS record.

    And delete any old and nonexistent entries.

    Also check the following to make sure the NS records are correct:

    • parent.local
    • DomainDnsZones subfolder
    • ForestDnsZones subfolder

    -

    The fact that it didn't register, besides being multihomed, could also be attributed to other issues or config errors, such as:

    • Multihomed DC (mentioned above)
    • Using an external DNS address (such as an ISP's or router IP address) in the NIC
    • Other ...

    Any errors in the event logs? Please check all event log errors, such as the Application, System, and under Application and Services Logs on a DC for the AD Web Services, DFS Replication, Directory Services, DNS Server & File Replication Service logs. Copy and paste the whole error into your post.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.

    FaceBook Twitter LinkedIn

    Thursday, December 12, 2013 5:55 AM
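
The NS check described in the reply above can be done as a read-only audit. This is an added example, not part of the original thread; it assumes the DnsServer and ActiveDirectory PowerShell modules (Windows Server 2012 or later) and uses the thread's sample zone name `parent.local`.

```powershell
# Added example: list NS records for the _msdcs delegation and related nodes,
# and flag name servers that are not current DCs, do not resolve, or have several IPs.
# Assumption: run on a DNS server / DC that hosts the zones; read-only.
Import-Module DnsServer, ActiveDirectory

$Domain = 'parent.local'   # sample name from the thread

# Host names of the domain controllers that exist right now (lower case, no trailing dot).
$LiveDCs = @(Get-ADDomainController -Filter * |
    ForEach-Object { $_.HostName.ToLower().TrimEnd('.') })

# Zone to query and the node inside it whose NS records are checked.
$Targets = @(
    @{ Zone = $Domain;          Node = '@' },               # parent zone apex
    @{ Zone = $Domain;          Node = '_msdcs' },          # the delegation (grey folder)
    @{ Zone = $Domain;          Node = 'DomainDnsZones' },  # nodes the reply lists;
    @{ Zone = $Domain;          Node = 'ForestDnsZones' },  # they may hold no NS records
    @{ Zone = "_msdcs.$Domain"; Node = '@' }                # the delegated zone itself
)

$Report = foreach ($t in $Targets) {
    $records = Get-DnsServerResourceRecord -ZoneName $t.Zone -Name $t.Node `
                   -RRType NS -ErrorAction SilentlyContinue
    foreach ($r in $records) {
        $ns  = $r.RecordData.NameServer.ToLower().TrimEnd('.')
        $ips = @(Resolve-DnsName -Name $ns -Type A -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'A' } |
                 ForEach-Object { $_.IPAddress })

        # Later assignments take precedence: stale beats unresolvable beats multiple IPs.
        $status = 'OK'
        if ($ips.Count -gt 1)          { $status = 'MULTIPLE IPs (multihomed?)' }
        if ($ips.Count -eq 0)          { $status = 'UNRESOLVABLE' }
        if ($LiveDCs -notcontains $ns) { $status = 'STALE: not a current DC' }

        [pscustomobject]@{
            Zone       = $t.Zone
            Node       = $t.Node
            NameServer = $ns
            IPs        = $ips -join ','
            Status     = $status
        }
    }
}
$Report | Format-Table -AutoSize
```

Any row that is not `OK` on the `_msdcs` node is the situation the question describes: a delegation still pointing at a name server that no longer exists.
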
  • All my other zones are fine. My AD checks out 100% with dcdiag and repadmin. I guess my question is why is it only the original DC for the domain? And does that record apply to anything?

    I've run dcpromos on test environments and it's the same outcome. I think it has to do with being the original delegate of that AD zone?

    Thursday, December 12, 2013 3:35 PM
  • Ok,

    So I deleted both the grey folder and the one at the root (_msdcs). When I restarted netlogon it only made one folder as the subdomain.

    So it replaced the grey folder with the information from the folder originally listed at the root and does not recreate the one at the root.


     
    Thursday, December 12, 2013 4:56 PM
  • I apologize for the late response. I see you've gone further than what I've recommended.

    No, you shouldn't have deleted the _msdcs.parent.local zone!!!!!! I'm not sure why you did that. Are you working with someone else on this that recommended to do that? If not, you're over-thinking it. I provided specifics to fix it by simply updating the NS records, that's it. If you only found the _msdcs folder had the wrong record, then that's all you had to change.

    In cases where DCs are removed, replaced, upgraded, etc, it's also best practice to check a few things to make sure things are in order, and one of them is check the NS records on all zones and delegations. Delegation's NS records won't update automatically with changes, but zone NS records will if DCs are properly demoted.

    The _msdcs delegated zone is required by Active Directory. And yes, based on your thread subject, it's best practice. When Windows 2000 came out, and IF you had created the initial domain with it, it did not have it this way, but all domains initially created with Windows 2003 and newer are designed this way. If you had upgraded from 2000 to 2003, then one of the steps that we must perform is to create the _msdcs delegation.

    Please re-create it in this order:

    1. In the DNS console, right-click Forward Lookup Zones, and then click New Zone. Click Next
    2. On the Zone Type page in the New Zone Wizard, click Primary zone, and then click to select the Store the zone in Active Directory check box. Click Next
    3. On the Active Directory Zone Replication Scope page, click "To all DNS servers in the Active Directory forest parent.local".
    4. On the Zone Name page, in the Zone Name box, type _msdcs.parent.local
    5. Complete the wizard by accepting all the default options.

    -

    After you've done that:

    1. Delete the _msdcs subfolder under parent.local.
    2. Right-click parent.local, choose New Delegation.
    3. Type in _msdcs
    4. In the Nameserver page, type in the name of your server, and its IP address.
    5. Complete the wizard
    6. You should now see a grayed out _msdcs folder under parent.local.
    7. Go to c:\windows\system32\config\ folder
    8. Find netlogon.dns and rename it to netlogon.dns.old
    9. Find netlogon.dnb and rename it to netlogon.dnb.old
    10. Open a command prompt
    11. Run ipconfig /registerdns
    12. Run net stop netlogon
    13. Run net start netlogon
    14. Wait a few minutes, then click on the _msdcs.parent.local zone, and click the F5 button to refresh it.
    15. You should see the data populate.

    -


    Ace Fekay

    Thursday, December 12, 2013 8:32 PM
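
Step 15 of the rebuild above ("You should see the data populate") can be verified without the DNS console. This is an added example, not part of the original thread; it assumes it runs on the DC after Netlogon has regenerated `netlogon.dns`, and it uses the thread's sample zone name `parent.local`.

```powershell
# Added example: check that every _msdcs record Netlogon wants registered
# (as listed in netlogon.dns) is actually being served by DNS. Read-only.
$Zone = '_msdcs.parent.local'   # sample name from the thread
$File = Join-Path $env:SystemRoot 'System32\config\netlogon.dns'

$Results = foreach ($line in Get-Content -Path $File) {
    # Lines look like: <name> <ttl> IN <type> <data...>
    if ($line -notmatch '^(\S+)\s+(\d+)\s+IN\s+(SRV|CNAME|A)\s+(.+)$') { continue }
    $name = $Matches[1].TrimEnd('.')
    $type = $Matches[3]
    $data = $Matches[4].Trim()
    if ($name -notlike "*$Zone") { continue }   # only records that live in _msdcs

    # Expected target: last field of the data (host for SRV/CNAME, address for A).
    $expected = ($data -split '\s+')[-1].TrimEnd('.')

    $answers = @(Resolve-DnsName -Name $name -Type $type -DnsOnly `
                     -ErrorAction SilentlyContinue)
    $served = $answers | ForEach-Object {
        switch ($_.Type.ToString()) {
            'SRV'   { $_.NameTarget }
            'CNAME' { $_.NameHost }
            'A'     { $_.IPAddress }
        }
    }

    [pscustomobject]@{
        Name     = $name
        Type     = $type
        Expected = $expected
        Present  = [bool]($served -contains $expected)
    }
}

# Missing records sort first.
$Results | Sort-Object Present, Name | Format-Table -AutoSize
```

Rows with `Present` set to `False` are records this DC expects in `_msdcs.parent.local` that DNS is not returning yet; re-run after a few minutes before investigating further.
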
  • Oops... It's OK, it was just in a test environment. But I will run through your steps. Thanks.

    So in my production environment:) I should remove the old server in the delegation and add another active AD server?


    • Edited by Hi.Craig Thursday, December 12, 2013 10:17 PM
    Thursday, December 12, 2013 10:08 PM
  • Oh, this is a lab? Ok. And yes, you simply update the delegate(s).

    Ace Fekay

    Friday, December 13, 2013 4:27 AM
  • And I hope I was able to answer all of your questions.

    Ace Fekay

    • Marked as answer by Hi.Craig Friday, December 13, 2013 4:27 AM
    Friday, December 13, 2013 4:27 AM
  • Thanks for the insight. It was good to learn the rebuild process.
    Friday, December 13, 2013 4:28 AM
  • You are welcome! Glad to help any time!

    Cheers!


    Ace Fekay

    Friday, December 13, 2013 5:25 AM
  • The question is - can we delete that delegation to _msdtc in domain.name zone?

    By default this delegation always contains only one record to the first domain controller and becomes incorrect if it is renamed or demoted. So this delegation isn't maintained after creation at all.


    MCITP: EA, SA, EMA, LSA, VA; MCSA

    Wednesday, December 03, 2014 12:46 PM
  • The question is - can we delete that delegation to _msdtc in domain.name zone?

    By default this delegation always contains only one record to the first domain controller and becomes incorrect if it is renamed or demoted. So this delegation isn't maintained after creation at all.


    MCITP: EA, SA, EMA, LSA, VA; MCSA

    Generally, you can add as many NS records in a delegation as you like. You can do that in the properties, by right-clicking on the _msdcs folder under the contoso.com zone, choose properties, click on the Nameservers tab, and add them under the Nameservers tab.

    Please note, that this thread is a year old and has been answered. In most cases, it's best to start a new thread for your own specific issues, since in many cases, each issue is unique, and most of all, you control your own thread, mark or unmark as answers, etc.


    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    FaceBook Twitter LinkedIn

    Wednesday, December 03, 2014 4:55 PM
  • Dear Ace, my question was not about how to add or edit those NS records. The question is - can we delete that delegation to _msdcs in domain.name zone and so eliminate any clues to _msdcs subdomain in domain.name zone?

    This article says we can do it: http://support.microsoft.com/kb/817470

    And the purpose of posting here -- to get you notified.


    MCITP: EA, SA, EMA, LSA, VA; MCSA


    Thursday, December 04, 2014 5:40 AM
  • I see. Yes, you can, essentially making it a separate zone, but I don't see why you would want to do that. What's your reason to delete it?

    Ace Fekay

    Thursday, December 04, 2014 1:20 PM