Question
Thursday, December 12, 2013 4:15 AM
I have the _msdcs subfolder under my domain (the grey folder). Example below.
It has only one DC inside of it for a NS server. This DC is old and no longer exists. I checked my test environment and it has the same scenario (an old DC that does not exist). Example below.
I'm just wondering:
1) Is this normal, should this folder update itself with other servers?
2) should I be adding one of my other DC's? and removing the original?
I have a single forest, single domain setup 2008 functional level. My normal _msdcs Zone does behave as expected and removes and add the appropriate records. Thanks.
All replies (16)
Friday, December 13, 2013 4:27 AM ✅ Answered
And I hope I was able to answer all of your questions.
Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
This post is provided AS-IS with no warranties or guarantees and confers no rights.
Thursday, December 12, 2013 5:55 AM
The current DC should have shown up as an NS record. Add the FQDN manually. It should resolve to the proper IP address. And there should only be one IP. If two or more show up, then that means your DC is multihomed, which is not recommended, and may explain why it may not have properly registered automatically as an NS record.
And delete any old and nonexistent entries.
Also check the following to make sure the NS records are correct:
- parent.local
- DomainDnsZones subfolder
- ForestDnsZones subfolder
The fact that it didn't register, besides being multihomed, could also be attributed to other issues or config errors, such as:
- Multihomed DC (mentioned above)
- Using an external DNS address (such as an ISP's or router IP address) in the NIC
- Other ...
Any errors in the event logs? Please check all Event log errors, such as the Application, System, and under Application and Services Logs on a DC for the AD Web services, DFS Replication, Directory Services, DNS Server & File Replication Server logs. Copy and paste the whole error into your post.
Ace Fekay
Thursday, December 12, 2013 3:35 PM
All my other zones are fine. My AD checks out 100% with dcdiag and repadmin. I guess my question is why is it only the original DC for the domain? And does that record apply to anything?
I've run dcpromos on test environments and it's the same outcome. I think it has to do with being the original delegate of that AD zone?
Thursday, December 12, 2013 4:56 PM
Ok,
So I deleted both the grey folder and the one at the root (_msdcs). When I restarted netlogon it only made one folder as the subdomain.
So it replaced the grey folder with the information from the folder originally listed at the root and does not recreate the one at the root.
Thursday, December 12, 2013 8:32 PM
I apologize for the late response. I see you've gone further than what I've recommended.
No, you shouldn't have deleted the _msdcs.parent.local zone!!!!!! I'm not sure why you did that. Are you working with someone else on this that recommended to do that? If not, you're over-thinking it. I provided specifics to fix it by simply updating the NS records, that's it. If you only found the _msdcs folder had the wrong record, then that's all you had to change.
In cases where DCs are removed, replaced, upgraded, etc, it's also best practice to check a few things to make sure things are in order, and one of them is check the NS records on all zones and delegations. Delegation's NS records won't update automatically with changes, but zone NS records will if DCs are properly demoted.
The _msdcs delegated zone is required by Active Directory. And yes, based on your thread subject, it's best practice. When Windows 2000 came out, and IF you had created the initial domain with it, it did not have it this way, but all domains initially created with Windows 2003 and newer are designed this way. If you had upgraded from 2000 to 2003, then one of the steps that we must perform is to create the _msdcs delegation.
Please re-create it in this order:
- In the DNS console, right-click Forward Lookup Zones, and then click New Zone. Click Next
- On the Zone Type page in the New Zone Wizard, click Primary zone, and then click to select the Store the zone in Active Directory check box. Click Next
- On the Active Directory Zone Replication Scope page, click "To all DNS servers in the Active Directory forest parent.local".
- On the Zone Name page, in the Zone Name box, type _msdcs.parent.local
- Complete the wizard by accepting all the default options.
After you've done that:
- Delete the _msdcs subfolder under parent.local.
- Right-click parent.local, choose New Delegation.
- Type in _msdcs
- In the Nameserver page, type in the name of your server, and its IP address.
- Complete the wizard
- You should now see a grayed out _msdcs folder under parent.local.
- Go to c:\windows\system32\config\ folder
- Find netlogon.dns and rename it to netlogon.dns.old
- Find netlogon.dnb and rename it to netlogon.dnb.old
- Open a command prompt
- Run ipconfig /registerdns
- Run net stop netlogon
- Run net start netlogon
- Wait a few minutes, then click on the _msdcs.parent.local zone, and click the F5 button to refresh it.
- You should see the data populate.
Ace Fekay
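A read-only check for the condition this thread is about, as an added example that is not part of any post above: it lists the name servers in the _msdcs delegation and flags entries that are not current domain controllers, do not resolve, or resolve to more than one address. It assumes a single-domain forest, the DnsServer and ActiveDirectory PowerShell modules (Windows Server 2012 or later management tools), and the thread's placeholder zone name parent.local.

```powershell
# Added example: audit the _msdcs delegation under the parent zone. Makes no changes.
param(
    [string]$ParentZone = 'parent.local',   # placeholder zone name used in the thread
    [string]$ChildZone  = '_msdcs'
)

Import-Module DnsServer, ActiveDirectory

# FQDNs of the domain controllers that exist today (single-domain forest assumed).
$liveDcs = @(Get-ADDomainController -Filter * |
    ForEach-Object { $_.HostName.TrimEnd('.').ToLower() })

# One object per NS entry in the delegation (the greyed-out folder in the DNS console).
$delegation = @(Get-DnsServerZoneDelegation -Name $ParentZone -ChildZoneName $ChildZone)

$report = foreach ($entry in $delegation) {
    $ns = $entry.NameServer.RecordData.NameServer.TrimEnd('.').ToLower()

    # Resolve the name now; keep only A records from the response.
    $ips = @(Resolve-DnsName -Name $ns -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } |
        ForEach-Object { $_.IPAddress })

    if ($liveDcs -notcontains $ns) { $status = 'STALE: not a current DC' }
    elseif ($ips.Count -eq 0)      { $status = 'BROKEN: name does not resolve' }
    elseif ($ips.Count -gt 1)      { $status = 'CHECK: more than one A record (multihomed?)' }
    else                           { $status = 'OK' }

    [pscustomobject]@{
        NameServer = $ns
        ResolvedIP = $ips -join ', '
        Status     = $status
    }
}

# Current DCs absent from the delegation. Only those that run DNS belong in it.
$listed  = @($report | ForEach-Object { $_.NameServer })
$missing = @($liveDcs | Where-Object { $listed -notcontains $_ })

$report | Format-Table -AutoSize
if ($missing.Count -gt 0) {
    "Current DCs not listed in the delegation: $($missing -join ', ')"
}
```

The same check applies to the NS records on the parent zone and on the DomainDnsZones and ForestDnsZones delegations named earlier in the thread; pass their names as `-ParentZone` and `-ChildZone`.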
Thursday, December 12, 2013 10:08 PM
Oops... It's OK, it was just in a test environment. But I will run through your steps. Thanks.
So in my production environment:) I should remove the old server in the delegation and add another active AD server?
Friday, December 13, 2013 4:27 AM
Oh, this is a lab? Ok. And yes, you simply update the delegate(s).
Ace Fekay
Friday, December 13, 2013 4:28 AM
Thanks for your insight. It was good to learn the rebuild process.
Friday, December 13, 2013 5:25 AM
You are welcome! Glad to help any time!
Cheers!
Ace Fekay
Wednesday, December 3, 2014 12:46 PM
The question is - can we delete that delegation to _msdtc in domain.name zone?
By default this delegation always contains only one record to the first domain controller and becomes incorrect if it is renamed or demoted. So this delegation isn't maintained after creation at all.
MCITP: EA, SA, EMA, LSA, VA; MCSA
Wednesday, December 3, 2014 4:55 PM
The question is - can we delete that delegation to _msdtc in domain.name zone?
By default this delegation always contains only one record to the first domain controller and becomes incorrect if it is renamed or demoted. So this delegation isn't maintained after creation at all.
MCITP: EA, SA, EMA, LSA, VA; MCSA
Generally, you can add as many NS records in a delegation as you like. You can do that in the properties, by right-clicking on the _msdcs folder under the contoso.com zone, choose properties, click on the Nameservers tab, and add them under the Nameservers tab.
Please note, that this thread is a year old and has been answered. In most cases, it's best to start a new thread for your own specific issues, since in many cases, each issue is unique, and most of all, you control your own thread, mark or unmark as answers, etc.
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
Thursday, December 4, 2014 5:40 AM
Dear Ace, my question was not about how to add or edit those NS records. The question is - can we delete that delegation to _msdcs in domain.name zone and so eliminate any clues to _msdcs subdomain in domain.name zone?
This article says like we can do it http://support.microsoft.com/kb/817470
And the purpose of posting here -- to get you notified.
MCITP: EA, SA, EMA, LSA, VA; MCSA
Thursday, December 4, 2014 1:20 PM
I see. Yes, you can, essentially making it a separate zone, but I don't see why you would want to do that. What's your reason to delete it?
Ace Fekay
Wednesday, April 19, 2017 3:53 PM
Hello
I have the same problem as this post . I have a question ? I can remove name server old dc and I must add all Root DC and Child DC in here ? or only all root dc server ?
Friday, April 21, 2017 6:46 PM
Hello
I have the same problem as this post . I have a question ? I can remove name server old dc and I must add all Root DC and Child DC in here ? or only all root dc server ?
Remove any servers out of the Nameservers list that no longer exist. You must check each zone, including the properties of the DomainDnsZones and ForestDnsZones.
If you have a parent-child design, then which servers belong in the nameservers tab actually depends on if you have separate zones both replicated only domain wide, or if the parent and child are one zone replicated forest wide.
But keep in mind, if DNS is designed properly, the DCs should populate on their own.
Please provide info on how your DNS is designed to better answer that.
Ace Fekay
MVP, MCT, MCSE, 2016/2012/2008/2003/2000/NT4, Exchange 2016/2013/2010/2007/2003/2000/5.5
Microsoft Certified Trainer
Microsoft MVP: Enterprise Mobility
Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
Tuesday, April 17, 2018 1:11 PM
the main question remains to me: what is the delegation good for and what happens if you delete it permanently?
DCDIAG throws no error after deletion.
The problem with older AD installations and with multiple migrations of DCs is that the information under the delegation is just wrong and you have to fix it manually. Most people just forget it.
So maybe we can forget the delegation under the AD DNS zone completely?