missing NS records in _msdcs zone on a SBS 2008 domain

cpservice
Ok, so this is a fun one.  I am working with a customer who recently had an independent audit done, and has a whole list of things they need to confirm as resolved within their Windows network.  Of the some 40 things on the list, only 1 has me completely puzzled.  After quite a bit of Google time I am stumped so here I am!

This domain contains 2 domain controllers, 1 SBS 2008 and 1 Windows Server 2008, both functioning as global catalog servers.  SBS 2008 holds all the FSMO roles.  The reason for the 2 domain controllers is because of 2 physical locations (point to point circuit between them).  Both servers are functioning DNS servers and network properties on physical interfaces on the 2 servers have 127.0.0.1 as the primary and the secondary as the IP of the other DC.

What I am running into is that within DNS under the forest name, within the _msdcs zone there are no NS records.  Now as I understand without these records there is all kinds of bad juju that could happen.  Under normal circumstances I would add a new other record, however there is not the option to add a new NS record here.  In fact I cannot even right click properties either to modify the NS records for this zone like I would on a normal zone.  Now there are 2 CNAME records within this zone (one for each DC) which is why I’m assuming AD is still functioning, but the auditor is specifically complaining about the missing NS records.

Any ideas on how I can get these records added so they will leave me alone?

Thanks!

Commented:
You should set the DNS server entry to the IP of the physical NIC and leave the second empty.
The replication of DNS data is done by AD replication methods.
The correct entries in DNS you should get by restarting the Netlogon service on a DC or by running netdiag /fix on a DC.

Author

Commented:
I am effectively doing that (127.0.0.1 for the primary and the IP address of the other DC as the secondary).

netdiag is deprecated within Server 2008, and dcdiag /fix and a Netlogon restart do not correct the issue.  Any other ideas?  Perhaps a way to resolve this via ADSI Edit?

Commented:
Forget putting localhost; use the IP of the physical NIC, it is not the same. This should be the only DNS server that is entered, not a secondary DNS server.
Do this on all machines, then try rebooting everyone.

Author

Commented:
I'm struggling to understand why this would affect the configuration within the DNS server and within Active Directory...  This is a production environment; rebooting is not an option during business hours.

127.0.0.1 is in place as that was one of the other requirements.  For the sake of testing I have replaced 127.0.0.1 with the IP address of the physical NIC.  Again a dcdiag /fix and a restart of Netlogon, and still no dice.

Any other ideas?

Commented:
MS recommends the use of the IP.
You see only 2 CNAMEs but no NS records and no SOA records. I just checked my DNS on 2008 R2.
If you go to the properties of the _msdcs zone and check the Name Servers tab, what do you see?

Commented:
And also check the SOA tab.

Author

Commented:
There is no properties option for _msdcs.  I am logged on as a user who is a member of the Domain Admins group, as well as the DNSAdmins group.
dns1.PNG
Henrik Johansson, Systems engineer
Commented:
If _msdcs is a subdomain inside the DNS zone for the AD domain, it's not expected to have any NS records. Without seeing the rest of the DNS MMC in the screenshot, it sounds like that scenario when you don't find the properties option in the context menu.

The NS records only exist if you delegate _msdcs out of AD's DNS zone.
Normally there is no need to delegate _msdcs to its own DNS zone if it's hosted on the same DNS server as the parent zone.

Author

Commented:
My only concern with that is that the Microsoft Small Business Server BPA knocks the server for not having NS records within the _msdcs zone.  This is one of the things the company that did the audit said needed to be addressed per the BPA.  Attached is the full image.

The top blocked-out line is the internal domain name. The bottom blocked-out line is the SBS-configured external URL.
dns1.PNG
Commented:
You can delete the _msdcs folder safely; restart the DNS Server and Netlogon services and it will be created again.
Rename the netlogon.dnb and netlogon.dns files, restart the same services (DNS and Netlogon), and the files will be recreated.
The _msdcs folder will be shown inside the root domain of your zone; expand it, right-click and look for the NS tab; if the entry is not there, create it.
Run dcdiag /test:dns and dcdiag /fix.
Like henjoh09 says, in your case _msdcs should not have the NS listed. Here is a screenshot of my lab DNS to confirm.
dns.jpeg
and the Name Servers listed under the Forward Lookup Zone
dns2.jpeg

Commented:
Of course there is.
DNS-Properties.JPG
L0n3W0lfDate, as long as _msdcs is a forward lookup zone, as in your case, it will have NSs listed. If it's a subdomain of your forward lookup zone it will not have NSs listed, as the parent will.

The author's _msdcs is a subdomain.

And if you delete the _msdcs zone and restart Netlogon like Awinish mentioned, the _msdcs domain will be recreated as a subdomain within the domain.com forward lookup zone (and the _msdcs zone will not have NS registered).
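The subdomain-versus-delegated-zone distinction drawn by henjoh09 and in the reply above can be checked from the wire rather than the MMC. The following PowerShell is an added example, not code posted in this thread; it assumes Resolve-DnsName (Windows 8 / Server 2012 or later), and the forest name and DNS server address are placeholders.

```powershell
# Added example (not from this thread): tell whether _msdcs.<forest> is a
# delegated zone of its own (then it must carry NS records) or a subdomain of
# the forest root zone (then the parent's NS records cover it), and list the
# name servers that answer for it. Assumes Resolve-DnsName (Windows 8 /
# Server 2012 or later); the forest name and DNS server below are placeholders.
param(
    [string]$Forest    = 'corp.example.local',   # placeholder forest root name
    [string]$DnsServer = '127.0.0.1'             # the DC whose DNS you are auditing
)

function Get-ZoneApex {
    # An SOA query for a name that is not a zone apex still returns the SOA of
    # the enclosing zone; its Name property therefore identifies the owning zone.
    param([string]$Name)
    $soa = Resolve-DnsName -Name $Name -Type SOA -Server $DnsServer -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
    if (-not $soa) { throw "No SOA found for $Name via $DnsServer" }
    return $soa.Name.TrimEnd('.').ToLower()
}

$msdcs = "_msdcs.$Forest".ToLower()
$apex  = Get-ZoneApex -Name $msdcs

if ($apex -eq $msdcs) {
    Write-Host "$msdcs is a delegated zone; an empty Name Servers tab here is a real finding."
    $nsOwner = $msdcs
} else {
    Write-Host "$msdcs is a subdomain of zone '$apex'; NS records are expected only at the parent."
    $nsOwner = $apex
}

# The NS records that actually serve _msdcs, whichever zone owns it.
Resolve-DnsName -Name $nsOwner -Type NS -Server $DnsServer |
    Where-Object { $_.Type -eq 'NS' } |
    ForEach-Object { "  NS for $nsOwner -> $($_.NameHost)" }

# Every global catalog registers an A record under gc._msdcs.<forest>; with two
# GCs in the forest (as in the thread) you should see two addresses here.
Resolve-DnsName -Name "gc.$msdcs" -Type A -Server $DnsServer |
    Where-Object { $_.Type -eq 'A' } |
    ForEach-Object { "  GC -> $($_.IPAddress)" }
```

Run it once against each DC's DNS service; the two should agree on the owning zone and on the NS and GC lists, which is the evidence an auditor can accept in place of the BPA's generic NS-record rule.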

Author

Commented:
"Rename netlogon.dnb & netlogon.dns file, restart same service dns & netlogon, file will be recreated."  Next time you might tell where these files are.

Commented:
Netlogon.dnb and netlogon.dns reside in the config folder under Windows\System32.

