henz99
asked on
ID 4010 in DNS zone _msdcs.domain.local 2003 after create this zone manually
Hello All, I did install new 2003 server and by acident I delete _msdcs.domain.local zone in the root of forward lookup zone. Tried to fix it by recreating _msdcs zone folder under domain.local forward lookup zone and it successfully did it the same way as win2000 server dns structure, but not like required by win2003 server. After reading some articles I create _msdcs.domain.local manually and register dns, stop and start netlogon services and DNS zone folders return to the original 2003 server configuration, all dcdiag test is passed, but each time I restart DNS I have error msg ID 4010 about The DNS server was unable to create a resource record for 96ad9995-4c01-42c7-99a8-85
ASKER
If understand this right I need to delete _msdcs (gray out color) under my domain.local and do not touch _msdcs.domain.local I create manually?
henz99
no, the other way around.
The gray one is the delegation - it should delegate to the server you tried to create it manually on. If you delete this then a new yellow one (sub-domain) will be created in it's place at the same level, and that's not what you want.
The yellow one that you created is the one that will be recreated.
Cheers
JamesDS
no, the other way around.
The gray one is the delegation - it should delegate to the server you tried to create it manually on. If you delete this then a new yellow one (sub-domain) will be created in it's place at the same level, and that's not what you want.
The yellow one that you created is the one that will be recreated.
Cheers
JamesDS
ASKER
I have this current DNS structure like this:
Forward Lookup Zones
_msdcs.domain.local
domain.local
_msdcs(gray)
_sites
_tcp
_udp
DomainDnsZones
ForestDnsZones
I follow your recommendation and delete _msdcs.domain.local after the fact it didn't recreat _msdcs.domain.local, so I have to do this manual and problem is come back when you stop and start DNS
Forward Lookup Zones
_msdcs.domain.local
domain.local
_msdcs(gray)
_sites
_tcp
_udp
DomainDnsZones
ForestDnsZones
I follow your recommendation and delete _msdcs.domain.local after the fact it didn't recreat _msdcs.domain.local, so I have to do this manual and problem is come back when you stop and start DNS
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
It is only one AD server in this domain, what i did now is add manualy in _msdcs folder under domain.local statment 96ad9995-4c01-42c7-99a8-85
henz99
The _MSDCS zone should contain several sub-domains as well as the resource record you just created.
Running the commands I gave you will put these back.
Cheers
JamesDS
The _MSDCS zone should contain several sub-domains as well as the resource record you just created.
Running the commands I gave you will put these back.
Cheers
JamesDS
I followed these steps. I found that they did not fix my problem, which was the same as the one discussed here. This information, however, put me on the right path to fixing it for my system. First, I will share my analysis and conclusions, then I will tell you how I fixed it (and hopefully you can too!).
1) It is significant that the error I had was also generated on the DNS record that contains the long GUID value in it. The error message says that "The Active Directory definition of this resource record is corrupt or contains an invalid DNS name." So, I assumed something about this message was true, and I searched for what the corruption or invalid DNS name could be. I had the luxury of having another almost-identical server with which to compare settings and values that was not having the error. Because I could see no corruption or invalid DNS name for the record when checking it using DNS Manager, I looked for a way to examine the underlying Active Directory entry, to see if it would show me the corruption or invalid DNS name that was causing the problem. So, I used adsiedit.msc on both servers to look at the Active Directory entries. I browsed down to the following folder: Domain/DC=mydomain,DC=com/
Note: Please read all the following steps and understand them before trying to follow them. If they are confusing or baffling to you, please get a technically-knowledgeable friend to help you fix the error and not make it worse.
2) Here's how I fixed it: I remembered that there are three different AD containers in which DNS information is stored, the "Active Directory Zone Replication Scopes". This problem happens when the sub-domain zone is configured to use the legacy Windows 2000 DNS Server-compatible container. I fixed the error by deleting and recreating my main domain zone and the sub-domain zone to use the correct containers, and letting Windows repopulate the zone with dynamic update records. So here's what I did:
A) I made a record of all the manually-added resource records in my main domain zone and my sub-domain zone. In my case, only one resource record had been manually added, the rest were created by Windows from dynamic updates. It's likely that your situation is the same. You should also record all customized settings for the two zones.
B) I then deleted the main domain zone (mydomain.local) and the sub-domain zone (_msdcs.mydomain.local). The only sure way to fix this problem is to delete and recreate the zones. Do not delete your Reverse DNS zone, leave it alone.
C) I then ran the DNS wizards for two new zones and one new delegation. I did not leave it up to Windows to create the zones, only the records in the zones! This part can be a bit tricky, I had to delete and create my zones several times before I got the structure I wanted.
First, we'll create the sub-domain zone. Select "Forward Lookup Zones", right-click to choose "New Zone...". For Zone Type, choose Primary zone and Store the zone in Active Directory. This is important--for "Active Directory Zone Replication Scope" you must choose the first choice, "To all DNS servers in the Active Directory FOREST mydomain.local" for the sub-domain zone. Zone Name has this structure: _msdcs.mydomain.local (you put your domain in place of "mydomain"). Choose "Allow only secure dynamic updates", and complete the wizard.
Second, we'll create the main domain zone. Select "Forward Lookup Zones", right-click to choose "New Zone...". For Zone Type, choose Primary zone and Store the zone in Active Directory. This is important--for "Active Directory Zone Replication Scope" you must choose the second choice, "To all DNS servers in the Active Directory DOMAIN mydomain.local" for the main domain zone. Zone Name has this structure: mydomain.local (you put your domain in place of "mydomain"). Choose "Allow only secure dynamic updates", and complete the wizard.
Now create a new delegation. Right-click on the "mydomain.local" folder and choose "New Delegation...". For the Deligated domain, enter _msdcs so that the FQDN matches the name of the first zone you created, _msdcs.mydomain.local. For Name Servers, add the fully qualified domain name and the internal IP address of the server you are working on, because it will host the delegated zone for you. Check your settings and complete the wizard.
You are done--now you want to see it populate correctly. First, the two zone folders you made are yellow and the delegation is a gray sub-folder beneath your main domain zone folder. If not, you need to do the steps over with adjustments to timing and such to get this result.
D) Restart netlogon service on all of your domain controllers. Run ipconfig/flushdns and ipconfig/registerdns on your server. Wait up to 5 minutes for Windows to make initial updates to your zones, then right-click on each of your two zones and choose "Reload..." (BTW, this reload is very poorly explained by the DNS program. Unless you already know the answer, you can't figure out where the zone will be reloaded from or to...). This will reload the DNS zone data you are looking at with current data stored in Active Directory. (If you assumed it would keep them real-time synced for you, you would be wrong.) If all is well, you should see your DNS records and folders appear.
E) To prove that you have fixed the problem, restart the DNS Server service and examine the DNS Server event log to confirm that the error did not occur.
Also, you will want to re-enter your custom DNS records into your newly-generated zones.
I hope that these details help you fix this error as easily as possible.
1) It is significant that the error I had was also generated on the DNS record that contains the long GUID value in it. The error message says that "The Active Directory definition of this resource record is corrupt or contains an invalid DNS name." So, I assumed something about this message was true, and I searched for what the corruption or invalid DNS name could be. I had the luxury of having another almost-identical server with which to compare settings and values that was not having the error. Because I could see no corruption or invalid DNS name for the record when checking it using DNS Manager, I looked for a way to examine the underlying Active Directory entry, to see if it would show me the corruption or invalid DNS name that was causing the problem. So, I used adsiedit.msc on both servers to look at the Active Directory entries. I browsed down to the following folder: Domain/DC=mydomain,DC=com/
Note: Please read all the following steps and understand them before trying to follow them. If they are confusing or baffling to you, please get a technically-knowledgeable friend to help you fix the error and not make it worse.
2) Here's how I fixed it: I remembered that there are three different AD containers in which DNS information is stored, the "Active Directory Zone Replication Scopes". This problem happens when the sub-domain zone is configured to use the legacy Windows 2000 DNS Server-compatible container. I fixed the error by deleting and recreating my main domain zone and the sub-domain zone to use the correct containers, and letting Windows repopulate the zone with dynamic update records. So here's what I did:
A) I made a record of all the manually-added resource records in my main domain zone and my sub-domain zone. In my case, only one resource record had been manually added, the rest were created by Windows from dynamic updates. It's likely that your situation is the same. You should also record all customized settings for the two zones.
B) I then deleted the main domain zone (mydomain.local) and the sub-domain zone (_msdcs.mydomain.local). The only sure way to fix this problem is to delete and recreate the zones. Do not delete your Reverse DNS zone, leave it alone.
C) I then ran the DNS wizards for two new zones and one new delegation. I did not leave it up to Windows to create the zones, only the records in the zones! This part can be a bit tricky, I had to delete and create my zones several times before I got the structure I wanted.
First, we'll create the sub-domain zone. Select "Forward Lookup Zones", right-click to choose "New Zone...". For Zone Type, choose Primary zone and Store the zone in Active Directory. This is important--for "Active Directory Zone Replication Scope" you must choose the first choice, "To all DNS servers in the Active Directory FOREST mydomain.local" for the sub-domain zone. Zone Name has this structure: _msdcs.mydomain.local (you put your domain in place of "mydomain"). Choose "Allow only secure dynamic updates", and complete the wizard.
Second, we'll create the main domain zone. Select "Forward Lookup Zones", right-click to choose "New Zone...". For Zone Type, choose Primary zone and Store the zone in Active Directory. This is important--for "Active Directory Zone Replication Scope" you must choose the second choice, "To all DNS servers in the Active Directory DOMAIN mydomain.local" for the main domain zone. Zone Name has this structure: mydomain.local (you put your domain in place of "mydomain"). Choose "Allow only secure dynamic updates", and complete the wizard.
Now create a new delegation. Right-click on the "mydomain.local" folder and choose "New Delegation...". For the Deligated domain, enter _msdcs so that the FQDN matches the name of the first zone you created, _msdcs.mydomain.local. For Name Servers, add the fully qualified domain name and the internal IP address of the server you are working on, because it will host the delegated zone for you. Check your settings and complete the wizard.
You are done--now you want to see it populate correctly. First, the two zone folders you made are yellow and the delegation is a gray sub-folder beneath your main domain zone folder. If not, you need to do the steps over with adjustments to timing and such to get this result.
D) Restart netlogon service on all of your domain controllers. Run ipconfig/flushdns and ipconfig/registerdns on your server. Wait up to 5 minutes for Windows to make initial updates to your zones, then right-click on each of your two zones and choose "Reload..." (BTW, this reload is very poorly explained by the DNS program. Unless you already know the answer, you can't figure out where the zone will be reloaded from or to...). This will reload the DNS zone data you are looking at with current data stored in Active Directory. (If you assumed it would keep them real-time synced for you, you would be wrong.) If all is well, you should see your DNS records and folders appear.
E) To prove that you have fixed the problem, restart the DNS Server service and examine the DNS Server event log to confirm that the error did not occur.
Also, you will want to re-enter your custom DNS records into your newly-generated zones.
I hope that these details help you fix this error as easily as possible.
delete the _MSDCS sub zone you created and do this:
restart the netlogon service on each one of your domain controllers.
IPCONFIG /flushDNS
IPCONFIG /REGISTERDNS
AD will put the missing records back for you.
Cheers
JamesDS