We are currently running 4 DCs in our environment.
It seems that "someone" deleted the _msdcs zone within the Windows DNS.
There was just a greyed-out _msdcs folder within my zone domain.com.
I did the following procedure:
- recreate the zone _msdcs.domain.com in the Forward lookup zones
- on the DC(s), execute dcdiag /fix, ipconfig /flushdns, ipconfig /registerdns and stop + start the netlogon service.
- Afterwards I tried a restart as well.
The result is that the DCs are listed in the root folder of _msdcs.domain.com, that’s it.
The Subfolders like domain, dc, pdc are not created.
Furthermore, I guess there should be some CNAME entries as well, with their GUIDs?
Because at the moment, if I run dcdiag, the DCs cannot even resolve themselves.
Doing initial required tests
Testing server: Site\SERVERDC1
Starting test: Connectivity
The host 12345678-1234-1234-1234-111111111111._msdcs.domain.com
could not be resolved to an IP address. Check the DNS server, DHCP,
server name, etc.
......................... SERVERDC1 failed test Connectivity
If I manually enter the alias for the DCs, they can resolve again and this error disappears.
In the DNS settings, dynamic updates are set to "nonsecure and secure".
Since that issue I get a lot of 4013 and 4010 events when restarting the netlogon service or rebooting the server.
EVENT 4013, DNS-Server-Service <- disappears after 3-4 retries
The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
EVENT 4010, DNS-Server-Service <- a lot of different records it is unable to create
The DNS server was unable to create a resource record for 2a0fc0e5-e2eb-4e4b-a1c3-72b6a58d86ea._msdcs.domain.com. in zone domain.com. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.
So, if you have any idea, I would be glad if you could help me!
Of course this happened in the production environment ... how else could it be ...
If you need any further information, please let me know.
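The following PowerShell script is an added example, not code from the original post, showing how to check what the poster is guessing at: every DC needs a CNAME record `<DSA-GUID>._msdcs.<domain>` pointing at its own FQDN (the DSA GUID is the objectGUID of the DC's "NTDS Settings" object, which is exactly the name dcdiag complains it cannot resolve), and the dc/domains/gc/pdc subfolders are SRV records that netlogon registers itself. It assumes it is run elevated on a DC with the ActiveDirectory and DnsServer RSAT modules installed; the zone name is derived from the domain at runtime. It also checks the dynamic-update setting, because an AD-integrated zone that accepts nonsecure updates lets any host on the network overwrite these locator records.

```powershell
# Added example (not from the original post). Audits and re-registers the DC locator
# records under _msdcs.<domain>. Assumes: run elevated on a DC, RSAT modules present.
Import-Module ActiveDirectory
Import-Module DnsServer

$domain    = (Get-ADDomain).DNSRoot
$msdcsZone = "_msdcs.$domain"

# 1. Each DC must have CNAME <DSA-GUID>._msdcs.<domain> -> <DC FQDN>.
#    The DSA GUID is the objectGUID of the DC's NTDS Settings object in the
#    Configuration partition (Get-ADDomainController exposes its DN).
$missing = @()
foreach ($dc in Get-ADDomainController -Filter *) {
    $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID
    $cname   = "$dsaGuid.$msdcsZone"
    $answer  = Resolve-DnsName -Name $cname -Type CNAME -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'CNAME' }
    if ($answer -and $answer.NameHost -ieq $dc.HostName) {
        Write-Output "OK      $cname -> $($answer.NameHost)"
    } else {
        Write-Output "MISSING $cname (expected -> $($dc.HostName))"
        $missing += $dc
    }
}

# 2. The dc/, domains/, gc/ and pdc/ "subfolders" are just SRV records in the zone.
#    List whatever exists so it can be compared with the output of step 1.
Get-DnsServerResourceRecord -ZoneName $msdcsZone -RRType Srv -ErrorAction SilentlyContinue |
    Select-Object HostName,
                  @{ n = 'Target';   e = { $_.RecordData.DomainName } },
                  @{ n = 'Port';     e = { $_.RecordData.Port } },
                  @{ n = 'Priority'; e = { $_.RecordData.Priority } } |
    Format-Table -AutoSize

# 3. Ask every DC that lacks its CNAME to re-register its locator records.
#    nltest /dsregdns is the documented way; it does what a netlogon restart does
#    without bouncing the service.
foreach ($dc in $missing) {
    Write-Output "Re-registering locator records on $($dc.HostName)"
    Invoke-Command -ComputerName $dc.HostName -ScriptBlock { nltest /dsregdns }
}

# 4. Caveat a practitioner wants checked: an AD-integrated zone should accept
#    secure dynamic updates only, otherwise any host can rewrite these records.
$zone = Get-DnsServerZone -Name $msdcsZone
if ($zone.DynamicUpdate -ne 'Secure') {
    Write-Warning ("Zone {0} accepts '{1}' dynamic updates; harden with: " +
                   "Set-DnsServerPrimaryZone -Name '{0}' -DynamicUpdate Secure") -f $msdcsZone, $zone.DynamicUpdate
}
```

After step 3, re-run the script (or `dcdiag /test:Connectivity`) on each DC; the records only appear once replication has carried them to the DC you query, so allow one replication cycle before concluding that registration still fails.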