Question
Tuesday, June 24, 2014 2:49 PM
Hi
We are in the midst of a slow domain migration from Server 2003 to Server 2008. Two are now 2008, the rest are still 2003. We're 2003 native.
Whilst diagnosing a fault with dcdiag /test:dns, I found a delegation issue.
Running enterprise tests on : domain.local
Starting test: DNS
Test results for domain controllers:
DC: home-srv-dc02.domain.local
Domain: domain.local
TEST: Delegations (Del)
Error: DNS server: sco-srv-dc01.domain.local. IP:10.150.20.1
[Broken delegated domain _msdcs.domain.local.]
Error: DNS server: eng-srv-dc01.domain.local. IP:10.160.20.2
[Broken delegated domain domain.local.domain.local.]
Error: DNS server: eng-srv-dc02.domain.local. IP:10.160.20.3
[Broken delegated domain domain.local.domain.local.]
Error: DNS server: ire-srv-dc01.domain.local. IP:10.140.20.2
[Broken delegated domain domain.local.domain.local.]
Error: DNS server: ire-srv-dc02.domain.local. IP:10.140.20.4
[Broken delegated domain domain.local.domain.local.]
Error: DNS server: home-srv-dc01.domain.local. IP:10.180.20.1
[Broken delegated domain domain.local.domain.local.]
Error: DNS server: home-srv-dc02.domain.local. IP:10.180.20.2
[Broken delegated domain domain.local.domain.local.]
Error: DNS server: lon-srv-dc01.domain.local. IP:10.0.11.253
[Broken delegated domain domain.local.domain.local.]
FLZ > _msdcs.domain.local is okay
However, FLZ > domain.local > _msdcs contains only 1 NS record, for domain controller "sco-srv-dc01", which is dead (metadata cleanup was otherwise done successfully).
Do I need to worry about the delegated FLZ > domain.local > _msdcs? There seems to be no issue in how the domain is working, it appears. Will it sort itself out when we've moved entirely to 2008? Or, if I need to fix it, how?
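To see at a glance which broken delegations point at a decommissioned DC and which point at servers that are still in service, the Del test output can be grouped by delegated zone. The Python below is an added example, not part of the original post or of any Microsoft tool; the function names, the retired-host list and the embedded sample (a constructed excerpt in the shape of the output above) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: shortened excerpt shaped like the dcdiag output in the question.
SAMPLE = """\
TEST: Delegations (Del)
Error: DNS server: sco-srv-dc01.domain.local. IP:10.150.20.1
[Broken delegated domain _msdcs.domain.local.]
Error: DNS server: eng-srv-dc01.domain.local. IP:10.160.20.2
[Broken delegated domain domain.local.domain.local.]
Error: DNS server: eng-srv-dc02.domain.local. IP:10.160.20.3
[Broken delegated domain domain.local.domain.local.]
"""

SERVER_RE = re.compile(r"Error: DNS server:\s*(\S+?)\.?\s+IP:\s*([0-9A-Fa-f.:]+)")
BROKEN_RE = re.compile(r"\[Broken delegated domain\s+(\S+?)\.?\]")

def parse_broken_delegations(text):
    """Return {delegated_zone: [(server_fqdn, ip), ...]} from Del test output."""
    zones = defaultdict(list)
    pending = None  # server seen on the last "Error:" line, awaiting its zone line
    for line in text.splitlines():
        m = SERVER_RE.search(line)
        if m:
            pending = (m.group(1).lower(), m.group(2))
            continue
        m = BROKEN_RE.search(line)
        if m and pending:
            zones[m.group(1).lower()].append(pending)
            pending = None
    return dict(zones)

def triage(text, retired_hosts):
    """Split each zone's servers into stale NS targets (retired DCs) and the rest."""
    retired = {h.lower() for h in retired_hosts}
    report = {}
    for zone, servers in parse_broken_delegations(text).items():
        # Match on either the short host name or the full FQDN.
        stale = [s for s in servers
                 if s[0] in retired or s[0].split(".")[0] in retired]
        report[zone] = {"stale_ns": stale,
                        "other": [s for s in servers if s not in stale]}
    return report

if __name__ == "__main__":
    # Assumption: sco-srv-dc01 is the only decommissioned DC, as stated in the question.
    for zone, groups in triage(SAMPLE, ["sco-srv-dc01"]).items():
        print(zone)
        for kind, servers in groups.items():
            for fqdn, ip in servers:
                print(f"  {kind:9} {fqdn} ({ip})")
```

Entries under `stale_ns` are NS records to remove from the delegation; entries under `other` name servers that still exist, so that delegation needs a separate look.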
All replies (8)
Wednesday, June 25, 2014 12:05 PM ✅ Answered
I think this thread may answer my query
i.e. delete, redelegate, restart DNS and netlogon
Tuesday, June 24, 2014 2:58 PM
In my opinion, a clean DNS ensures that you don't run into unanswered referrals. I would clean it up. In support I've seen this type of minor thing turn out to bite customers in strange ways.
Right-click on the zone/Properties/Name Servers tab, and remove the record for the DC that is no longer in service.
Wednesday, June 25, 2014 7:02 AM
Hello,
If DCs are listed in DNS and they don't exist anymore, remove them from the DNS server list and also check AD Sites and Services to see whether they are still listed there. AD Sites and Services is not cleaned by metadata cleanup.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
Wednesday, June 25, 2014 8:46 AM
Hi
Everything else is ok, let's assume that for the minute, but there's an old DC under FLZ > domain.local > _msdcs
I can remove this (no problem) but do I need to add my name servers to this delegated zone, based on my environment and if so, how?
Wednesday, June 25, 2014 9:22 AM
Hello,
You should see the forward lookup zones below:
_msdcs.domain.local
and
domain.local
If this isn't the case, please use http://support.microsoft.com/kb/817470/en-us to create it correctly.
But all records for the existing DCs are located in domain.local zone?
Best regards
Meinolf Weber
Wednesday, June 25, 2014 10:43 AM
Hi Meinolf :-)
Yes, all the DCs (NS and CNAME records) do appear under FLZ > _msdcs.domain.local. There are no old records.
When you traverse through FLZ > domain.local > _msdcs, that's grey, i.e. delegated, and so exists. There's only one record here, which is an NS of an old DC.
Thanks
Neil
Wednesday, June 25, 2014 11:15 AM
Hello,
It is the grey delegated icon, BUT this is the OLD way and should be changed as described in the article so that you have two real FLZs.
Best regards
Meinolf Weber
Wednesday, June 25, 2014 11:55 AM
Thanks
So we appear to be a Case 1. Replication is forest-wide, so the way I read it, the only thing I have to do is to remove the grey delegated folder (FLZ > domain.local > _msdcs)?
I'd post an image but I appear to be blocked from doing that :-\