DNS: Zone _msdcs.xxx.com is an Active Directory integrated DNS Zone and must be available.

Question

  • Hi

    When I run DNS Best Practice Analyzer I get the following critical error:
    DNS: Zone _msdcs.xxx.com is an Active Directory integrated DNS Zone and must be available.

    The output of Dcdiag /test:DNS /e /v

        Summary of DNS test results:
                                           Auth Basc Forw Del  Dyn  RReg Ext
        Domain: xxx.com
              DC1                          PASS PASS PASS PASS PASS PASS n/a
              DC2                          PASS PASS PASS PASS PASS PASS n/a
        ......................... xxx.com passed test DNS

    My domain has been upgraded in place from Windows 2003 to Windows 2008 R2; the domain and forest functional level is Windows 2008 R2.
    xxx.com is an Active Directory-integrated zone.

    _msdcs is a subzone under xxx.com. It should be at the root level of my Forward Lookup Zones, i.e. _msdcs.xxx.com. This is, I think, why BPA complains.

    I followed the suggestions in Case 2 of http://support.microsoft.com/kb/817470
    When trying to add _msdcs.xxx.com to Forward Lookup Zones I get the error: The Zone cannot be created. The request is not supported.
    I am a member of the Enterprise Administrators group.
    Tried to change replication from "To all DCs in this domain (for W2K compatibility)" to "To all DNS servers on DCs in this forest xxx.com".
    I get the error: The replication scope could not be set. The specified directory partition does not exist. I tried to create the default Active Directory partitions and got error messages similar to those mentioned above.

    No errors found in Active Directory logs.

    How could I correct the DNS BPA error? Should I remove _msdcs and then be able to create _msdcs.xxx.com to Forward Lookup Zones?

    Thanks!

    Tuesday, January 3, 2012 6:34 PM

Answers

  • In addition to Marius' suggestions, just to point out, the subzone should be a grayed out folder, which means it is a Delegated zone, delegated to the server itself, but that should mean a zone called _msdcs.xxx.com should exist.

    Is the subfolder a grayed out folder?

    If not grayed out, then that's why you can't create it. Try this:

    1. Right click xxx.com
    2. New - Delegation
    3. Type in _msdcs
    4. Provide the IP of the DC itself. If you have more than one DC, specify more than one.
    5. Under Forward Lookup Zones, create the _msdcs.xxx.com zone
    6. Set updates to Secure Only
    7. Change replication scope to All DCs in the Forest
    8. In a command prompt: run ipconfig /registerdns
    9. Run net stop netlogon
    10. Run net start netlogon

    (Restarting the netlogon service will populate the SRV data in the zone.)


    If the subzone is not grayed out, and the above doesn't work, meaning you are not able to create the _msdcs.xxx.com zone, then:

    • Under xxx.com, delete the _msdcs subfolder
    • Follow the steps above


    If still having problems, let's double check to make sure you don't have a duplicate zone in the AD database. The following will guide you to determine this. Check all 5 partitions, as explained in the link. If you find any, delete them right away.

    Using ADSI Edit to Resolve Conflicting or Duplicate AD Integrated DNS zones
    http://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx


    Also to better help and further diagnose this:

    • Let's see an unedited ipconfig /all from your DCs, please. Also, how many DCs exist?
    • Are you seeing an Event ID 4015? If not, good, but list any that you do see in any of the other logs, please.


    Ace


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Wednesday, January 4, 2012 12:30 AM
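Ace's steps 1 to 10 scripted for a 2008 R2 DC, as an added example that is not part of Ace's post or of any Microsoft documentation. It uses dnscmd because that is the native tool on Windows Server 2008 R2 (the DnsServer PowerShell cmdlets only shipped with Server 2012), creates the zone directly in the ForestDnsZones application partition (which is what "All DNS servers in this forest" means in the GUI) and locks it to secure-only updates. The domain name xxx.com and the single-domain forest are taken from the thread; the DC names dc1 and dc2 are placeholders I assumed.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on a DC
# as an Enterprise Admin. Placeholders: the DC names below.
$domain = "xxx.com"                         # forest root domain from the thread
$msdcs  = "_msdcs.$domain"
$dcs    = @("dc1.$domain", "dc2.$domain")   # assumed DC names

function Test-DnsZoneExists([string]$zone) {
    # dnscmd /EnumZones prints one zone per line, zone name first.
    $pattern = "^\s*" + [regex]::Escape($zone) + "\s"
    return [bool](dnscmd /EnumZones | Where-Object { $_ -match $pattern })
}

if (Test-DnsZoneExists $msdcs) {
    Write-Host "$msdcs already exists as its own zone; nothing to do."
    return
}

# Steps 1-4: delegate _msdcs from the parent zone to the DCs themselves.
# The parent zone already holds each DC's A record (the DC registers it),
# so no glue record has to be added by hand.
foreach ($dc in $dcs) {
    dnscmd /RecordAdd $domain _msdcs NS "$dc."
}

# Steps 5 and 7: create the zone AD-integrated in the forest-wide application
# partition in one go. This is the call that fails with "The specified
# directory partition does not exist" if ForestDnsZones was never created.
dnscmd /ZoneAdd $msdcs /DsPrimary /DP "ForestDnsZones.$domain"
if ($LASTEXITCODE -ne 0) { throw "dnscmd /ZoneAdd failed with exit code $LASTEXITCODE" }

# Step 6: secure dynamic updates only. 2 = secure only; 1 would also accept
# unauthenticated updates, letting any host on the network rewrite the DC
# locator (SRV) records every domain member uses to find a DC.
dnscmd /Config $msdcs /AllowUpdate 2

# Steps 8-10: re-register this DC's own records, then bounce Netlogon so it
# re-creates the _ldap/_kerberos/_gc SRV records inside the new zone.
ipconfig /registerdns | Out-Null
Restart-Service Netlogon

# Verify against this server: the DC locator records must resolve under the
# new zone, and the zone must report itself as DS-integrated.
Start-Sleep -Seconds 15
nslookup -type=SRV "_ldap._tcp.dc.$msdcs" 127.0.0.1
dnscmd /ZoneInfo $msdcs
```

If the zone creation still fails after the ForestDnsZones partition exists, Ace's fallback applies: delete the non-delegated _msdcs subfolder under the parent zone first and run the script again, since the NS records cannot coexist with a plain subdomain of the same name.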
  • ADSIEdit: No duplicate exists. Yes, DC1 is using DC2 as first DNS entry and itself as second. DC2 is using DC1 as first DNS entry and itself as second.

    I have managed to set up this configuration in a Lab environment. That is, _msdcs under xxx.com and so on.
    But I don't get the errors when trying to correct it (as described in Case 2 http://support.microsoft.com/kb/817470)
    It works fine, no problem to correct it.

    Regards
    Topic054




    Wednesday, January 4, 2012 3:24 PM

All replies

  • Though written for W2K > W2K3 upgraded systems, it is general enough to be valid for your case. Give it a try http://support.microsoft.com/kb/817470/en-us

    Regards

    Milos

    Tuesday, January 3, 2012 2:12 PM
  • http://support.microsoft.com/kb/817470/en-us

    Already tried that with no success.
    Regards
    Topic054

    Tuesday, January 3, 2012 2:28 PM
  • I moved this question to the Network Infrastructure forum.

    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/c1aa07a4-6137-4487-9224-d8e7ad431fbb

    Regards

    Topic054

     

    Tuesday, January 3, 2012 6:36 PM
  • Please check the following article from Microsoft:

    DNS: Zone <zone name> is an Active Directory integrated DNS Zone and must be available:

    http://technet.microsoft.com/en-us/library/ff807395(WS.10).aspx


    MCTS - Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Tuesday, January 3, 2012 8:20 PM
  • It's two DCs, no Event ID 4015.

    The _msdcs zone under xxx.com is not grayed out (= not delegated).

    I will try Ace's suggestion (next week) and delete _msdcs. Hopefully I am then able to create _msdcs.xxx.com at the Forward Lookup Zones level.
    However, when I tried this before deleting _msdcs I got the error message: The request is not supported

    ADSIEdit: My zones are under the Default Naming Context, no duplicates. However, I can't find _msdcs (DC=_msdcs).

    I don't think IP configuration is an issue here; DC1 has preferred DNS DC2 and DC2 has preferred DNS DC1.

    Thanks!



    Wednesday, January 4, 2012 10:56 AM
  • Marius
    Yes, I read the MS article.
    However, restoring the zone _msdcs is not what I want. I want to create a new _msdcs.xxx.com under Forward Lookup Zones, then delete _msdcs under xxx.com and finally make a delegation. But I admit the MS article could be the solution, or parts of it.

    Regards
    Topic054

    Wednesday, January 4, 2012 12:17 PM
  • You will not find a zone for _msdcs in ADSI Edit if it is a subfolder (non-delegated) under the xxx.com zone. Check the other partitions to make sure no dupes exist.

    Also, I assume that DC1 is using DC2 as first DNS entry, and second entry is itself, and not using an ISP, router or any other outside DNS.



    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Wednesday, January 4, 2012 3:10 PM
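The partition check Ace refers to, as an added example that is not Ace's code and not the contents of his blog post: it enumerates dnsZone objects in every naming context this DC holds (the domain NC under CN=System, plus the DomainDnsZones and ForestDnsZones application partitions) and lists any zone name that is stored in more than one partition or that AD has renamed with a CNF: conflict suffix after a replication collision. It is read-only, nothing is deleted, and it needs only PowerShell 2.0 and [ADSI], so it runs on 2008 R2 without the AD module. Partition names are the standard ones; no identifiers from the thread are needed.

```powershell
# Added example (not from the thread): read-only scan for duplicate or
# conflicting AD-integrated DNS zones. Run on a DC in the forest.
function Get-AdIntegratedDnsZones {
    $rootDse = [ADSI]"LDAP://RootDSE"
    $zones = @()
    foreach ($nc in $rootDse.namingContexts) {
        # The domain NC keeps zones under CN=System (W2K-compatible scope);
        # DomainDnsZones/ForestDnsZones keep them directly under the partition.
        # Configuration/Schema have neither container, so Exists() skips them.
        $containers = @("CN=MicrosoftDNS,CN=System,$nc", "CN=MicrosoftDNS,$nc")
        foreach ($container in $containers) {
            if (-not [ADSI]::Exists("LDAP://$container")) { continue }
            $searcher = New-Object System.DirectoryServices.DirectorySearcher
            $searcher.SearchRoot  = [ADSI]"LDAP://$container"
            $searcher.Filter      = "(objectClass=dnsZone)"
            $searcher.SearchScope = "OneLevel"
            [void]$searcher.PropertiesToLoad.Add("name")
            foreach ($r in $searcher.FindAll()) {
                $name = [string]$r.Properties["name"][0]
                $zones += New-Object PSObject -Property @{
                    Partition = $container
                    Zone      = $name
                    # The loser of a replication collision is renamed
                    # "<name>\0ACNF:<objectGUID>"; strip that to compare names.
                    BaseName  = ($name -split "`n")[0]
                    Conflict  = ($name -match "CNF:")
                }
            }
        }
    }
    return $zones
}

function Find-DnsZoneConflicts {
    $zones = Get-AdIntegratedDnsZones
    # The same zone stored in two partitions means the DNS server loads one
    # copy and the other drifts silently; BPA and the GUI then behave oddly.
    $dupes = $zones | Group-Object BaseName | Where-Object { $_.Count -gt 1 } |
             ForEach-Object { $_.Group }
    $cnf   = $zones | Where-Object { $_.Conflict }
    @($dupes) + @($cnf) | Sort-Object BaseName, Partition -Unique
}

Get-AdIntegratedDnsZones | Format-Table BaseName, Partition -AutoSize
Find-DnsZoneConflicts    | Format-Table BaseName, Zone, Partition, Conflict -AutoSize
```

The first table is the full inventory, which is also where a non-delegated _msdcs shows up by its absence: as Ace says, a subfolder is a node inside the parent zone's dnsZone object, not a dnsZone of its own, so it never appears here. Anything in the second table is what Ace's blog post walks through deleting in ADSI Edit; check both copies' record counts before choosing which one to remove.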
  • The solution does not work in the production environment.

    When trying to create _msdcs.xxx.com at the Forward Lookup Zones level (Primary Zone, Store the zone in AD, Store in all DCs in this forest, Allow only secure updates):

    When trying to change replication scope for xxx.com from "All domain controllers in this domain" to "All domain controllers in this forest: xxx.com":

    Regards
    Topic054

    Monday, January 9, 2012 1:14 PM
  • And, when trying to "Create default Active Directory partitions":

    Any ideas?

    Regards
    Topic054

    Monday, January 9, 2012 1:15 PM
  • I found a solution to my problem.

    It's because the registry key EnableDirectoryPartitions is set to 0 (disabled). This prevents the creation of the default DNS application directory partitions. When EnableDirectoryPartitions is set to 1, everything works OK. Furthermore, when set to 0 it may prevent scavenging from working as expected (Event ID 2502).

    Regards

    Topic054

    • Proposed as answer by Leif Creutzer Thursday, January 12, 2012 3:45 PM
    Thursday, January 12, 2012 3:45 PM
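The registry fix Topic054 describes, as an added example that is not from the post or from KB 942923: it reads EnableDirectoryPartitions under the DNS service parameters, sets it back to 1 only if it is explicitly 0 (an absent value is the default, enabled), restarts the DNS server so the value is re-read, creates the built-in application partitions, moves the zone to forest scope and looks for the event 2502 scavenging failures the post mentions. The zone name is the thread's; the assumption that this runs on a 2008 R2 DC where the DNS Server service is named DNS is mine.

```powershell
# Added example (not from the thread). Run elevated on each DNS server/DC.
$params = "HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters"
$name   = "EnableDirectoryPartitions"
$zone   = "_msdcs.xxx.com"   # zone from the thread

function Get-EnableDirectoryPartitions {
    # Absent = default = enabled. Only an explicit 0 turns partition support off.
    $v = (Get-ItemProperty -Path $params -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq $null) { return 1 }
    return [int]$v
}

if ((Get-EnableDirectoryPartitions) -eq 0) {
    Write-Host "$name is 0 on $env:COMPUTERNAME; re-enabling application partition support."
    Set-ItemProperty -Path $params -Name $name -Value 1 -Type DWord
    # The DNS server only picks the value up at service start.
    Restart-Service DNS
}

# Command-line equivalent of the GUI's "Create default Active Directory
# partitions", which failed for Topic054 while the value was 0.
dnscmd /CreateBuiltinDirectoryPartitions /forest
dnscmd /CreateBuiltinDirectoryPartitions /domain
dnscmd /EnumDirectoryPartitions      # expect DomainDnsZones.* and ForestDnsZones.*

# The replication-scope change that previously failed with
# "The specified directory partition does not exist" should now succeed.
dnscmd /ZoneChangeDirectoryPartition $zone /forest
dnscmd /ZoneInfo $zone

# KB 942923: with the value at 0, scavenging fails and DNS event 2502 is
# logged. Surface any such events so the period of stale records is known.
Get-EventLog -LogName "DNS Server" -Newest 1000 |
    Where-Object { $_.EventID -eq 2502 } |
    Select-Object TimeGenerated, Message | Format-List
```

Run the check on every DC that hosts DNS, not just the one where BPA was run: the value is per server, and a DC that still has it at 0 will not load zones from the application partitions even after the other DC has moved them there.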
  • Interesting. Thanks for sharing that. Glad it worked out!
    MCTS - Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. http://mariusene.wordpress.com/
    Thursday, January 12, 2012 5:47 PM
  • Topic054,

    I didn't realize you were getting an Event ID 2502. I looked back in the thread, but I didn't see it posted anywhere. I checked http://eventid.net/display-eventid-2502-source-DNS-eventno-4171-phase-1.htm , which led to Microsoft's KB:

    After you set the EnableDirectoryPartitions registry entry to 0 on a Windows Server 2003 DNS server, DNS scavenging fails, and event ID 2502 is logged 
    http://support.microsoft.com/?id=942923

     

    Curious, did you have a previous problem on the Windows 2003 server that prompted you to install Hotfix 830689 on them (Windows 2003: "You cannot scavenge old DNS records after you restart the DNS service")?

    If so, and you directly upgraded the machines to Windows 2008 R2, then that brings into focus what may have occurred, but doesn't explain why it would change that registry entry.

    This is part of my reason I hate doing upgrades and would rather install a new OS from scratch! :-)

    Anyway, I'm glad you've figured it out! :-)

    Ace



    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Thursday, January 12, 2012 6:25 PM
    Hi Ace,

    Would it be possible for you to have a quick look at https://social.technet.microsoft.com/Forums/en-US/0298edd9-3020-4a2a-ba73-91a718be79e3/dns-bpa-gives-error-quotthe-active-directory-integrated-dns-zone-msdcsuppltdlocal-was-not?forum=winserverNIS ?

    Under Forward Lookup Zones, under upp-ltd.local, it appears I have a subfolder called _MSDCS. Does this one need to be deleted?

    Monday, December 9, 2019 10:34 AM