Windows Server 2003
First I found that the DHCP client was turned off in the GPO, so I re-enabled this. When looking at my DNS configuration I have noticed that I am missing the _msdcs.domain.local forward lookup zone. However, the sub-directory under domain.local is not a delegated pointer (gray); instead it has all the normal entries you would see in the _msdcs.domain.local zone.
Domain.Local
  - _msdcs (Yellow)
    - dc
    - domains
    - gc
    - pdc
Then, as I drill down further, I find the following issues:
_msdcs
  - dc
    - _sites
      - Default-First-Site-Name
        - _tcp
          - _Kerberos DC1
          - _Ldap DC1
      - Domain-Site-1
        - _tcp
          - _Kerberos DC1
          - _Kerberos DC2
          - _Ldap DC1
          - _Ldap DC2
    - _tcp
      - _Kerberos DC1
      - _Kerberos DC2
      - _Ldap DC1
      - _Ldap DC2
  - Domain
    - GUID
      - _tcp
        - _Ldap DC1
        - _Ldap DC2
  - GC
    - _Sites
      - Domain-Site-1
        - _tcp
          - _Ldap DC2
    - _tcp
      - _Ldap DC2
  - pdc
    - _tcp
      - _Ldap DC1
So as you can see it's a bit messed up. I have tried flushing DNS on both DCs and re-registering DNS, but nothing changes and no errors are being generated.
Any suggestions on how to recreate the missing zone and correct the delegation?
Thanks
Garry
However, just start by creating a new delegation for the child domain. When you are done and happy that replication has taken place, use dcdiag /test:dns on the child and parent DNS servers to diagnose any issues.
> I have notiched that I am missing the _msdcs.domain.local forward lookup zone
From your description this is not a problem at all.
_msdcs exists as a separate zone in new deployments because it allows it to be managed separately from domain.local. However, the separation is not required, nor will it give you much in a single-domain forest.
If you wish to delegate _msdcs as a sub-domain then by all means do, there's no harm in that but it remains optional.
Are you having problems with the domain?
Chris
The command below could resolve this issue.
netdiag /fix
Cheers,
Prem
I have already tried this but get 4010 & 7062 event errors. I have also found this post with the same issue but the fix is not working.
https://www.experts-exchange.com/questions/21385996/ID-4010-in-DNS-zone-msdcs-domain-local-2003-after-create-this-zone-manually.html
Netdiag /Fix returns the following error:
DNS Test ...... Failed
[WARNING] The DNS entries for this DC cannot be verified right now on DNS server x.x.x.x, ERROR_TIMEOUT
[FATEL] No DNS servers have the DNS records for this DC registered.
Run dcdiag /test:dns on the root and the child DNS servers and post the results.
All grey means is that you've created a delegation. If the _msdcs.domain.local zone does not exist you should create it. The fix options quoted above may well do that for you.
Chris
When I run dcdiag /test:connectivity on both DCs it returns the following error:
Testing Server: Domain-Site-1:DC
Starting Test: Connectivity
The host GUID._msdcs.domain.local could not be resolved to an IP Address. Check the DNS server, DHCP, Server name, etc
Although the GUID DNS name (GUID._msdcs.domain.local)
............. DC Failed testing Connectivity
Chris, As I said in a previous post, when I add the zone manually I then get event 4010 errors.
Still would like to see the outputs of "dcdiag /test:dns" on both root and child.
My apologies, I had missed that.
It is possible that you have a version of the zone lingering somewhere in AD, that may need to be cleared out if it will not permit you to create the zone. The event log message explicitly complains about the _msdcs zone? And are you able to show the full message text?
Chris
Do you see a grey delegation for _msdcs AND the child domain?
If you look on the child domain controller do you see the zones for
_msdcs.parent.com
and
child.parent.com (under this should be _msdcs folder)
?
I can't post the exact message as I'm unable to remove data from the system, but I'm getting multiple 7062 event errors for Kerberos and LDAP; the details are all around the following:
The DNS server encountered a packet addressed to itself on IP address x.x.x.x. The packet is for DNS name "(_Ldap or _Kerberos)._tcp.domain-site".
I think it might have something to do with the zone configuration, as I still have multiple sites listed in the following subfolders:
domain.local
  - _Sites
    - Default-First-Site-Name
      - _tcp
        - _Kerberos DC1
        - _Ldap DC1
    - Domain-Site-1
      - _tcp
        - _Kerberos DC1
        - _Kerberos DC2
        - _Ldap DC1
        - _Ldap DC2
        - GC DC2
  - _DomainDNZZones
    - _Sites
      - Default-First-Site-Name
        - _tcp
          - _Ldap DC1
      - Domain-Site-1
        - _tcp
          - _Ldap DC1
          - _Ldap DC2
  - _ForestDNZZones
    - _Sites
      - Default-First-Site-Name
        - _tcp
          - _Ldap DC1
          - _Ldap DC2
      - Domain-Site-1
        - _tcp
          - _Ldap DC1
          - _Ldap DC2
I don't have a dcdiag /test:dns?
Update this morning.
I once again have _msdcs as a subfolder of the Domain.Local zone. However, even though I deleted the additional sites, I still have them listed as per my last post. This still seems to be confusing things.
I have the support tools installed, but when I run dcdiag /test:dns it says this is not a valid test. The only test options are:
Connectivity
Replication
Topology
CuttOffServers
NCSecDesc
NetLogons
Advertising
KnowsofRoleHolders
Intersite
FSMO Check
Ridmanager
MachineAccount
Services
OutboundSecureChannel
ObjectReplication
Frssysvol
Kccevent
Systemlog
DCPromo
RegisterInDNS
CrossRefValidation
CheckSDRefDom
VerifyReplicas
VerifyReferences
VerifyEnterpriseReferences
Is this a new test in SP2?
You mean these?
> Domain-Site-1
> Default-First-Site-Name
Yes, I have checked Sites and Services and it is configured as Domain-Site-1 instead of Default-First-Site-Name as per my other system. I have now deleted the references to the Default-First-Site-Name, restarted the servers and all is now looking sorted.
I have checked the netlogon.dns and that now looks the same as DNS.
Think it might be sorted as I am not getting an error on startup. Just need to sort WSUS out now.
Chris
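As an added check (this is not code from the thread): a small Python script that parses the record format used by netlogon.dns and lists which of a DC's expected registrations DNS is not answering, with the _msdcs subset called out because that is what the dcdiag connectivity failure earlier in the thread was about. The netlogon.dns excerpt, the observed DNS answers and the GUID are constructed placeholders.

```python
# Added example: compare the records a DC writes to netlogon.dns
# with what DNS actually answers, so missing _msdcs / site registrations
# are listed instead of guessed at. All inputs are constructed samples.
import re

# Constructed excerpt in netlogon.dns format (owner TTL IN type rdata).
NETLOGON_DNS = """\
domain.local. 600 IN A 10.0.0.1
_ldap._tcp.domain.local. 600 IN SRV 0 100 389 dc1.domain.local.
_ldap._tcp.dc._msdcs.domain.local. 600 IN SRV 0 100 389 dc1.domain.local.
_kerberos._tcp.dc._msdcs.domain.local. 600 IN SRV 0 100 88 dc1.domain.local.
_ldap._tcp.Domain-Site-1._sites.dc._msdcs.domain.local. 600 IN SRV 0 100 389 dc1.domain.local.
_ldap._tcp.pdc._msdcs.domain.local. 600 IN SRV 0 100 389 dc1.domain.local.
5f8c2a13-0000-4c1f-8e2b-0123456789ab._msdcs.domain.local. 600 IN CNAME dc1.domain.local.
"""

# Constructed snapshot of what the DNS server answered (e.g. via nslookup),
# keyed by (owner, type) -> set of rdata strings. The GUID CNAME is absent,
# which is the condition dcdiag /test:connectivity reported in the thread.
OBSERVED = {
    ("domain.local.", "A"): {"10.0.0.1"},
    ("_ldap._tcp.domain.local.", "SRV"): {"0 100 389 dc1.domain.local."},
    ("_ldap._tcp.dc._msdcs.domain.local.", "SRV"): {"0 100 389 dc1.domain.local."},
    ("_kerberos._tcp.dc._msdcs.domain.local.", "SRV"): {"0 100 88 dc1.domain.local."},
    ("_ldap._tcp.pdc._msdcs.domain.local.", "SRV"): {"0 100 389 dc1.domain.local."},
}

RECORD_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA|SRV|CNAME)\s+(.+?)\s*$")

def parse_netlogon_dns(text):
    """Return [(owner, type, rdata)] for each record line; owner names lowercased."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            owner, rtype, rdata = m.groups()
            records.append((owner.lower(), rtype, rdata))
    return records

def missing_registrations(expected, observed):
    """Expected records whose (owner, type) is absent or whose rdata was not answered."""
    obs = {(o.lower(), t): v for (o, t), v in observed.items()}
    return [r for r in expected if r[2] not in obs.get((r[0], r[1]), set())]

def msdcs_gaps(expected, observed):
    """Subset of the gaps under _msdcs: the records the DC locator and dcdiag rely on."""
    return [r for r in missing_registrations(expected, observed) if "._msdcs." in r[0]]
```

Run msdcs_gaps(parse_netlogon_dns(NETLOGON_DNS), OBSERVED) with the sample data and it reports the site-specific _ldap SRV record and the GUID CNAME as unanswered, which is the same gap dcdiag's connectivity test flags.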
Event 4014
The DNS Server has encountered a critical error from Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which might be empty) is "".
Then, for each of the Forward & Reverse Lookup Zones:
Event 4004
The DNS Server was unable to complete directory service enumeration of zone (ZONE). This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of this zone. The extended error debug information (which might be empty) is "".
DC1 seems to be OK.
When I run that command I get the error Test not found, Please re-enter a valid test name.
The server is Enterprise Edition SP2, I have checked the version which is 5.2.3790
I'll try downloading and reinstalling the tools and see if that makes any difference.
OK, installed and tested, and the results for both DCs are the same and listed below:
Test:Forwards/Root Hints (Forw)
All root hints failed (This is due to a closed network)
Summary
Domain: Domain.Local   Auth  Basc  Forw  Del   Dyn   RReg  Ent
                       Pass  Pass  Fail  Pass  Pass  Pass  n/a
................ Domain Failed test DNS
If your network is closed and not having forwarding is expected (in fact correct) behaviour, then it would appear that you do not actually have a problem, except of course for the fact that you will never get WSUS to go off to the internet for updates.
So what is the problem you are having with wsus that you thought might be DNS related?
I've had lots of problems with WSUS as I've had to configure it as a standalone server, then import the updates and metadata from a testing server with internet access. See the following EE link:
https://www.experts-exchange.com/questions/25290971/Wsus-Configuration.html
I now have a server with the updates waiting to be authorised, however my clients have not checked into wsus.
Are you using the correct path for the update server in the GPO settings? "http://servername"?
How often are clients set to look for updates?
Is there anything in the windowsupdate.log in the system folder on the clients that could give you a clue?
DNS checked and all seem sorted now, I will close this call. If you can help with the WSUS stuff please comment on the other link.
Thanks
Garry