GarryBaker:

Missing _MSDCS.Domain.Local in DNS
I have been having problems with wsus, after investigation it seems that the problem boils down to DNS.

First I found that the DHCP client was turned off in the GPO, so I re-enabled this. When looking at my DNS configuration I have noticed that I am missing the _msdcs.domain.local forward lookup zone. However, the sub-directory under domain.local is not a delegated pointer (gray); instead it has all the normal entries you would see in the _msdcs.domain.local zone.

Domain.Local
_msdcs (Yellow)
  - dc
  - domains
  - gc
  - pdc

Then as I drill down further I find the following issues

_msdcs
  - dc
    - _sites
      - Default-First-Site-Name
        - _tcp
          - _Kerberos DC1
          - _Ldap DC1
      - Domain-Site-1
        - _tcp
          - _Kerberos DC1
          - _Kerberos DC2
          - _Ldap DC1
          - _Ldap DC2
      - _tcp
        - _Kerberos DC1
        - _Kerberos DC2
        - _Ldap DC1
        - _Ldap DC2
  - Domain
    - GUID
      - _tcp
        - _Ldap DC1
        - _Ldap DC2
  - GC
    - _Sites
      - Domain-Site-1
        - _tcp
          - _Ldap DC2
    - _tcp
      - _Ldap DC2
  - pdc
    - _tcp
      - _Ldap DC1

So as you can see it's a bit messed up. I have tried flushing DNS on both DCs and re-registering DNS, but nothing changes and no errors are being generated.

Any suggestions on how to recreate the missing zone and correct the delegation?

Thanks
Garry


Mike Thomas:

You can manually create any zone, including _msdcs, just by typing _msdcs.domain.local etc. when creating the zone (just enter the full zone name, e.g. _msdcs.domain.local, or whatever it is you want).

However, just start by creating a new delegation for the child domain. When you are done and happy that replication has taken place, use dcdiag /test:dns on the child and parent DNS servers to diagnose any issues.



Chris Dent:


> I have noticed that I am missing the _msdcs.domain.local forward lookup zone

From your description this is not a problem at all.

_msdcs exists as a separate zone in new deployments because it allows it to be managed separately from domain.local. However, the separation is not required, nor will it give you much in a single-domain forest.

If you wish to delegate _msdcs as a sub-domain then by all means do, there's no harm in that but it remains optional.

Are you having problems with the domain?

Chris

Hi,

The command below could resolve this issue.

netdiag /fix

Cheers,
Prem


GarryBaker (Asker):

Mojo

I have already tried this but get 4010 and 7062 event errors. I have also found this post with the same issue, but the fix is not working.

https://www.experts-exchange.com/questions/21385996/ID-4010-in-DNS-zone-msdcs-domain-local-2003-after-create-this-zone-manually.html


Premglitz:

Netdiag /Fix returns the following error

DNS Test ......   Failed
[WARNING] The DNS entries for this DC cannot be verified right now on DNS server x.x.x.x, ERROR_TIMEOUT
[FATEL] No DNS servers have the DNS records for this DC registered.

Also I have now noticed that the _msdcs zone under the domain.local zone is now GRAY and only has the NS records for both DCs. But I don't have a _msdcs.domain.local at the root of the forward lookup zones.


Mike Thomas:

If it's grey then the delegation should be OK.

Run dcdiag /test:dns on the root and the child DNS servers and post the results.


Chris Dent:


All grey means is that you've created a delegation. If the _msdcs.domain.local zone does not exist you should create it. The fix options quoted above may well do that for you.

Chris

Mojo
When I run dcdiag /test:connectivity on both DCs it returns the following error.

Testing Server: Domain-Site-1:DC
Starting Test: Connectivity
The host GUID._msdcs.domain.local could not be resolved to an IP Address. Check the DNS server, DHCP, Server name, etc
Although the GUID DNS name (GUID._msdcs.domain.local) couldn't be resolved. The server name (DC.Domain.Local) resolved to the IP address (x.x.x.x) and was pingable.  Check that the IP address is registered correctly with the DNS server
............. DC Failed testing Connectivity

Chris, as I said in a previous post, when I add the zone manually I then get event 4010 errors.


Mike Thomas:

Try running "net stop netlogon && net start netlogon"; this should register any missing records.

Still would like to see the outputs of "dcdiag /test:dns" on both root and child.

Chris Dent:


My apologies, I had missed that.

It is possible that you have a version of the zone lingering somewhere in AD, that may need to be cleared out if it will not permit you to create the zone. The event log message explicitly complains about the _msdcs zone? And are you able to show the full message text?

Chris

Mike Thomas:

BTW, if you're looking on one of the root DCs, open the zone for domain.dom (or whatever it is).

Do you see a grey delegation for _msdcs AND the child domain?

If you look on the child domain controller, do you see the zones for _msdcs.parent.com and child.parent.com (under this should be the _msdcs folder)?


Chris, no prob.

I can't post the exact message as I'm unable to remove data from the system, but I'm getting multiple 7062 event errors for Kerberos and LDAP; the details are all around the following:

The DNS server encountered a packet addressed to itself on IP address x.x.x.x. The packet is for DNS name "(_Ldap or _Kerberos)_tcp.domain-site-1._sites.dc_msdcs.domain.local". The packet will be discarded.

I think it might have something to do with the zone configuration, as I still have multiple sites listed in the following subfolders.

domain.local
  - _Sites
    - Default-First-Site-Name
      - _tcp
        - _Kerberos DC1
        - _Ldap DC1
    - Domain-Site-1
      - _tcp
        - _Kerberos DC1
        - _Kerberos DC2
        - _Ldap DC1
        - _Ldap DC2
        - GC DC2
  - _DomainDNZZones
    - _Sites
      - Default-First-Site-Name
        - _tcp
          - _Ldap DC1
      - Domain-Site-1
        - _tcp
          - _Ldap DC1
          - _Ldap DC2
  - _ForestDNZZones
    - _Sites
      - Default-First-Site-Name
        - _tcp
          - _Ldap DC1
          - _Ldap DC2
      - Domain-Site-1
        - _tcp
          - _Ldap DC1
          - _Ldap DC2

ASKER CERTIFIED SOLUTION
Chris Dent:

(answer not shown on the page)

MoJo,

I don't have a dcdiag /test:dns?

Update this morning.

I once again have a _msdcs as a subfolder of the Domain.Local zone. However, even though I deleted the additional sites, I still have them listed as per my last post. This still seems to be confusing things.

SOLUTION
Chris Dent:

(answer not shown on the page)

Mike Thomas:

You need to install the server 2003 support tools, this will help greatly in working out your problem.


Mojo,

I have the Support Tools installed, but when I run dcdiag /test:dns it says this is not a valid test. The only test options are:

Connectivity
Replication
Topology
CuttOffServers
NCSecDesc
NetLogons
Advertising
KnowsofRoleHolders
Intersite
FSMO Check
Ridmanager
MachineAccount
Services
OutboundSecureChannel
ObjectReplication
Frssysvol
Kccevent
Systemlog
DCPromo
RegisterInDNS
CrossRefValidation
CheckSDRefDom
VerifyReplicas
VerifyReferences
VerifyEnterpriseReferences

Is this a new test in SR2 ?

Chris

You mean these?
> Domain-Site-1
> Default-First-Site-Name

Yes, I have checked Sites and Services and it is configured as Domain-Site-1 instead of Default-First-Site-Name, as per my other system. I have now deleted the references to Default-First-Site-Name, restarted the servers, and all is now looking sorted.

I have checked the netlogon.dns and that now looks the same as DNS.

Think it might be sorted as I am not getting an error on startup. Just need to sort WSUS out now.
Chris
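The comparison Garry did by eye (netlogon.dns against what DNS holds, plus the leftover Default-First-Site-Name entries) as an added Python check; this is not code from the thread, and both inputs below are constructed samples in netlogon.dns format with a placeholder GUID:

```python
"""Compare the records a DC writes to netlogon.dns with what a zone holds, and flag
site records for sites that no longer exist. All data below is constructed."""
import re

# owner TTL IN TYPE rdata: the record types netlogon registers for a DC
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|CNAME|SRV)\s+(.+?)\s*$", re.I)

def parse_records(text):
    """Return a set of (owner, type, rdata) tuples; TTL and letter case are ignored."""
    recs = set()
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            owner, rtype, rdata = m.groups()
            recs.add((owner.lower(), rtype.upper(), " ".join(rdata.lower().split())))
    return recs

def site_of(owner):
    """Site label for names like _ldap._tcp.<site>._sites.dc._msdcs.<domain>., else None."""
    labels = owner.split(".")
    return labels[2] if len(labels) > 3 and labels[3] == "_sites" else None

def check_registration(netlogon_text, zone_text, valid_sites):
    """Return (missing, stale): expected-but-absent records, and records for non-current sites."""
    expected = parse_records(netlogon_text)
    actual = parse_records(zone_text)
    valid = {s.lower() for s in valid_sites}
    missing = sorted(expected - actual)
    stale = sorted(r for r in actual
                   if site_of(r[0]) is not None and site_of(r[0]) not in valid)
    return missing, stale

# Constructed sample: what DC1 writes to netlogon.dns (the GUID is a placeholder).
NETLOGON_DNS = """\
_ldap._tcp.dc._msdcs.domain.local. 600 IN SRV 0 100 389 dc1.domain.local.
_kerberos._tcp.dc._msdcs.domain.local. 600 IN SRV 0 100 88 dc1.domain.local.
_ldap._tcp.domain-site-1._sites.dc._msdcs.domain.local. 600 IN SRV 0 100 389 dc1.domain.local.
_ldap._tcp.pdc._msdcs.domain.local. 600 IN SRV 0 100 389 dc1.domain.local.
00000000-0000-0000-0000-000000000001._msdcs.domain.local. 600 IN CNAME dc1.domain.local.
"""
# Constructed sample: what the zone holds (pdc SRV and GUID CNAME missing, one stale site).
ZONE_DUMP = """\
_ldap._tcp.dc._msdcs.domain.local. 600 IN SRV 0 100 389 dc1.domain.local.
_kerberos._tcp.dc._msdcs.domain.local. 600 IN SRV 0 100 88 dc1.domain.local.
_ldap._tcp.domain-site-1._sites.dc._msdcs.domain.local. 600 IN SRV 0 100 389 dc1.domain.local.
_ldap._tcp.default-first-site-name._sites.dc._msdcs.domain.local. 600 IN SRV 0 100 389 dc1.domain.local.
"""
```

A missing GUID CNAME is exactly what the dcdiag connectivity failure earlier in the thread complains about, and the stale site entries are the ones deleting the old site from Sites and Services removes.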



Looks like the last update might have been a bit premature; on rebooting DC2 I get the following errors.

Event 4014
The DNS Server has encountered a critical error from Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which might be empty) is "".

Then, for each Forward and Reverse Lookup Zone:
Event 4004
The DNS Server was unable to complete directory service enumeration of zone (ZONE). This DNS server is configured to use information obtained from Active Directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and repeat enumeration of this zone. The extended error debug information (which might be empty) is "".

DC1 seems to be OK.

Mojo

When I run that command I get the error Test not found, Please re-enter a valid test name.

The server is Enterprise Edition SP2, I have checked the version which is 5.2.3790

I'll try downloading and reinstalling the tools and see if that makes any difference.

Mojo,

OK, installed and tested; the results for both DCs are the same and listed below.
Test: Forwarders/Root Hints (Forw)
All root hints failed (this is due to a closed network)

Summary
Domain: Domain.Local   Auth  Basc  Forw  Del   Dyn   RReg  Ent
                       Pass  Pass  Fail  Pass  Pass  Pass  n/a
................ Domain Failed test DNS


Mike Thomas:

If your network is closed and not having forwarding is expected (in fact correct) behaviour, then it would appear that you do not actually have a problem, except of course for the fact that you will never get WSUS to go off to the internet for updates.

So what is the problem you are having with wsus that you thought might be DNS related?

Mojo,

I've had lots of problems with WSUS as I've had to configure it as a standalone server, then import the updates and metadata from a testing server with internet access. See the following EE link:

https://www.experts-exchange.com/questions/25290971/Wsus-Configuration.html

I now have a server with the updates waiting to be authorised, however my clients have not checked into wsus.


Mike Thomas:

Have you correctly configured the group policies associated with the Windows Update service?

Are you using the correct path for the update server in the GPO settings? "http://servername"?

How often are clients set to look for updates?

Is there anything in the windowsupdate.log in the system folder on the clients that could give you a clue?




Mojo,

DNS checked and all seems sorted now, so I will close this call. If you can help with the WSUS stuff, please comment on the other link.

Thanks
Garry