Question
Tuesday, July 21, 2020 6:25 PM
Hi everyone,
We recently introduced new domain controllers in our environment and dismissed a couple of old ones. Since I know how important the replication between controllers is, I focused my attention on SYSVOL, GPOs, DFSR, and AD Sites and Services. Everything looks good in there.
Two weeks ago, before adding a new additional domain controller, I renamed the Default-First-Site-Name in AD Sites & Services (S&S) to reflect our HQ name. One week later, I noticed a discrepancy between AD S&S and the DNS folders. As you can see from the image below, the DNS kept the Default-First-Site-Name folder practically everywhere.
Current situation:
- on the DNS, "almost" all the Default-First-Site-Name folders contain the old domain controllers' records + one of the new domain controllers (likely because I renamed the site after adding the first new DC and before adding the second one)
- on the DNS, all the renamed site folders (SLC) contain the new domain controllers' records, except a few that still show the old PDC (which was demoted and runs AD no more, but it's still online)
- aging/scavenging is NOT enabled (I just joined the IT team at our company and I don't know why the admins before me kept this feature disabled; I read somewhere else that this can be a solution, do you confirm?)
What I tried to do (with no luck or visible improvement):
- I restarted the netlogon service on the new primary domain controller
- I performed a light manual clean-up (I removed a few old DC's records here and there, maybe a total of 5 records, then I stopped because I thought there should be something in place that does that automatically)
Also, I'm not sure if this is related or what can actually cause it, but I noticed that the _msdcs folder "under" the local domain zone (grey color) contains just the old PDC record, while the _msdcs.mydomain.local folder is correctly populated (as you see it expanded in the image).
Sorry for the long thread. If you need more info, I'll try my best to provide it. Thanks in advance for your support.
All replies (10)
Wednesday, July 22, 2020 5:14 AM
Hi,
Thanks for sharing here!
Before we go further, I would like to confirm the following questions:
How many DCs do you have in the domain?
They are AD-integrated DNS zones, right?
Did you configure Active Directory-integrated zones for secure dynamic updates?
Following link for your reference: /en-us/windows-server/identity/ad-ds/plan/active-directory-integrated-dns-zones
How to configure DNS dynamic updates in Windows Server 2003: https://support.microsoft.com/en-us/help/816592/how-to-configure-dns-dynamic-updates-in-windows-server-2003
After removing the old DC, did you perform the metadata cleanup? If not, you can refer to the steps in the following link:
Clean up Active Directory Domain Controller server metadata
Then make sure that the replication among DCs is working well; you can try the following commands:
Dcdiag /v >c:\dcdiag1.log
Repadmin /showrepl >C:\repl.txt
repadmin /showreps *
This "IPAM, DHCP, DNS" Forum will be migrating to a new home on Microsoft Q&A, please refer to this sticky post for more details
Best Regards,
Fan
Wednesday, July 22, 2020 3:03 PM
Thank you for your reply!
- How many DCs do you have in the domain?
We have a total of 4 (2 per site)
- It is AD-Integrated DNS zones, right?
Correct.
- Did you configure Active Directory-integrated zones for secure dynamic updates?
Yes, as you can see from this screenshot:
I confirm that the replication between DC's is working great. I use "AD Replication Status Tool" to regularly monitor the health of the replication as well as the DFS Management console to generate health reports on the domain system volume:
However, regarding the metadata cleanup, I will review the article you suggested to gain more insights.
Thanks for your advice.
Wednesday, July 22, 2020 6:01 PM
All right, I reviewed this article about the metadata cleanup as you suggested, but I soon realized that the information included in Active Directory Users and Computers (U&C) and Active Directory Sites and Services (S&S) is correct. When I demoted the old DCs, their accounts were removed automatically from the Domain Controllers folder in AD U&C. Instead, in AD S&S, I needed to manually remove the "leftovers" of those DCs (which I think is a common occurrence). All this happened in the past weeks.
So, summarizing, everything is looking good in terms of DNS settings and AD replication and metadata.
I read in this thread that enabling aging/scavenging of DNS records can sort the inconsistency out (in this case I'll need to wait a couple of weeks before reporting back the results), although the post publisher never reported back whether that worked for him.
And I also read in this thread that this DNS glitch can be a "normal occurrence" and that the cleanup of the Default-First-Site-Name folder on the DNS server can be done manually by deleting it wherever it appears.
What path do you suggest to go down?
Thursday, July 23, 2020 12:33 AM
Hi,
Since the old PDC is still displayed in Sites and Services in your first post, I would do the same as you:
Do a metadata cleanup: both the GUI way and the command line, to delete it completely.
For the DNS, as you said, we need to clean it manually.
Then run command on the DNS server:
ipconfig /flushdns
ipconfig /registerdns
net stop netlogon
net start netlogon
Then check the results.
Best Regards,
Fan
Please remember to mark the replies as an answers if they help. If you have feedback for TechNet Subscriber Support, contact [email protected]
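As an added example that is not part of the thread (my own script, not Fan's or Microsoft's), the following read-only PowerShell audit lists the SRV records in the domain zone and the _msdcs zone whose target is not a current DC or whose _sites folder no longer matches a site in AD, and shows the zone's aging state, so the manual cleanup suggested above can be checked before anything is deleted. It assumes the DnsServer and ActiveDirectory RSAT modules and a $DnsServer name you supply.

```powershell
# Added example, not from the thread: audit site-specific SRV records against the
# DCs and sites Active Directory currently knows about. Read-only; nothing is removed.
# Assumptions: DnsServer + ActiveDirectory modules; $DnsServer is a DNS server you name.
param(
    [string]$DnsServer = $env:COMPUTERNAME,
    [string]$Domain    = (Get-ADDomain).DNSRoot
)
Import-Module DnsServer, ActiveDirectory

# Current DCs and sites as AD sees them (the reference the DNS zones should match).
$liveDCs   = (Get-ADDomainController -Filter *).HostName | ForEach-Object { $_.ToLower() }
$liveSites = (Get-ADReplicationSite -Filter *).Name

$zones = @($Domain, "_msdcs.$Domain")
$findings = foreach ($zone in $zones) {
    $srv = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -RRType SRV
    foreach ($r in $srv) {
        # SRV target host (the DC the record advertises), e.g. dc01.mydomain.local
        $target = $r.RecordData.DomainName.TrimEnd('.').ToLower()
        # The node name encodes the site for _sites entries, e.g. _ldap._tcp.SLC._sites.dc -> SLC
        $site = if ($r.HostName -match '\._tcp\.([^.]+)\._sites') { $Matches[1] } else { $null }
        $issues = @()
        if ($liveDCs -notcontains $target)            { $issues += 'target-not-a-current-DC' }
        if ($site -and $liveSites -notcontains $site) { $issues += 'site-no-longer-exists' }
        if ($issues) {
            [pscustomobject]@{
                Zone      = $zone
                Record    = $r.HostName
                Target    = $target
                Site      = $site
                Issue     = $issues -join ','
                # $null timestamp = static record; scavenging will never remove it
                Timestamp = $r.Timestamp
            }
        }
    }
}
$findings | Sort-Object Zone, Issue, Record | Format-Table -AutoSize

# Aging state per zone: with aging off, stale dynamic records stay until removed by hand.
foreach ($zone in $zones) {
    Get-DnsServerZoneAging -ComputerName $DnsServer -Name $zone |
        Select-Object ZoneName, AgingEnabled, NoRefreshInterval, RefreshInterval
}
```

A record flagged as target-not-a-current-DC is a candidate for manual deletion; an entry under a site that no longer exists (such as the old Default-First-Site-Name) is the DNS leftover of the rename discussed in this thread.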
Thursday, July 23, 2020 4:57 PM
Thanks for your support along the way. I manually cleaned up the DNS zones and they look in good shape now. All the changes were correctly replicated to all other DCs.
One last thing that I would like to bring to your attention is the records included in the _msdcs (grey folder under the local domain node). As you can see from the image below, it contains a single record corresponding to the old PDC.
My questions are:
- should I find more records in there?
- should I just get rid of that single record and leave this folder empty?
Thanks again for your kind support.
Friday, July 24, 2020 12:13 AM
Hi,
First, back up your DNS server: /en-us/previous-versions/windows/it-pro/windows-server-2003/cc738755(v=ws.10)?redirectedfrom=MSDN
As you can see from the image below, it contains a single record in my lab too. But it should be about the new DC.
Delete the _msdcs.domain.com zone and the _msdcs folder as follows:
Recreate the _msdcs.domain.com zone as follows:
Refresh the DNS, then _msdcs.domain.com and the _msdcs folder will be recreated.
Best Regards,
Fan
Sunday, July 26, 2020 11:41 PM
Hi,
Just want to confirm the current situations.
If there's anything you'd like to know, don't hesitate to ask.
Best Regards,
Fan
Tuesday, July 28, 2020 5:46 AM
Hi,
As this thread has been quiet for a while, we will propose it as 'Answered' as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up.
Again thanks for your time and have a nice day!
Fan
Wednesday, July 29, 2020 1:23 AM
Hi,
Thanks for your guidance about the _msdcs zone and folder. That was just a secondary concern since the records appear to be correctly showing in the _msdcs zone. However, it's worth giving it a try.
We can definitely consider my questions answered.
Regards.
Wednesday, July 29, 2020 5:07 AM
Hi,
If there is anything else we can do for you, please feel free to post in the forum.
This "Directory Services" Forum will be migrating to a new home on Microsoft Q&A, please refer to this sticky post for more details.
Best Regards,
Fan