_msdcs in AD integrated zone (2008) doesnt rebuild correctly

We are currently running 4 DCs in our environment.
It seems that "someone" deleted the _msdcs within the Windows DNS.

There was just a greyed-out _msdcs Folder within my Zone domain.com
I did the following procedure:
- recreate the zone _msdcs.domain.com in the Forward lookup zones
- on the DC(s) execute dcdiag /fix, ipconfig /flushdns, ipconfig /registerdns and stop + start the netlogon service.
- Afterwards tried a restart as well

The result is that the DCs are listed in the root folder of _msdcs.domain.com, that’s it.
The Subfolders like domain, dc, pdc are not created.
Furthermore I guess there should be some CNAME entries as well with their GUID?
Cause for the moment if I run dcdiag the DCs could even not resolve themselves.

Doing initial required tests

   Testing server: Site\SERVERDC1
      Starting test: Connectivity
         The host 12345678-1234-1234-1234-111111111111._msdcs.domain.com
         could not be resolved to an IP address. Check the DNS server, DHCP,
         server name, etc.
         ......................... SERVERDC1 failed test Connectivity

If I manually enter the alias for the DCs they can resolve again and this error disappear.

In the DNS settings dynamic updates are set to "nonsecure and secure"

Since that issue I get a lot of 4013 and 4010 events when restarting netlogon service or rebooting the server.

EVENT 4013, DNS-Server-Service <- disappear after 3-4 retries
The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.


EVENT 4010, DNS-Server-Service <- a lot of different records he is unable to create
The DNS server was unable to create a resource record for  2a0fc0e5-e2eb-4e4b-a1c3-72b6a58d86ea._msdcs.domain.com. in zone domain.com. The Active Directory definition of this resource record is corrupt or contains an invalid DNS name. The event data contains the error.

So, if you have any idea I would be glad if you can help me!
Of course that happened in the productive environment ... how else could it be ...

If you need any further information, please let me know.

Regards
meneckAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Darius GhassemCommented:
The best solution would be to delete the domain.com zone you would then recreate this zone which would create the msdcs folder under the domain.com zone.

http://www.experts-exchange.com/Networking/Protocols/DNS/Q_24349599.html

If you want to delegate the msdcs again you can but I would just leave it under the domain.com zone.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
meneckAuthor Commented:
Hi Darius,

is there any other possibility than delete and recreate the main domain.com zone?
Yesterday I recreated manually the complete _msdcs as I run into problems with missing entries (Lync Server etc).
But as you can aspect its not my favourite way to handle now all settings manually.

Attached a picture of the DNS and the errors.
Are there anywhere fragments of the "old" msdcs that he cannot access or overwrite?!

Errors with broken _msdcs

Regards,
Marco
0
Darius GhassemCommented:
The safest way to make sure you don't have to manually update is to remove then recreate
0
meneckAuthor Commented:
Well, in this case I would have to do a LOT of static entries and alias again, puh .....
I can export of course the entries out of the existing zone from GUI, but is there a good way to review the export (Edit with Editor, review / delete unneeded entries) and IMPORT it again into the new created zone?
This would safe me a lot of time as I can prepare everything ....

Furthermore would I like to know what would be the recommended way in this case (remove and recreate).
- All DCs in domain stay online, replication enabled
- Delete both zones (domain.com and _msdcs.domain.com), wait for replication
  - Is there anything else I have to do for a really "clean" deletion of everything?
- Create new AD integrated zone domain.com (Or a primary local and afterwards deploy to AD?)
  - Is there anything that has to be done manually except the static entries and alias? _sites, _tcp etc is build up
     again automatically with all entries?
- Is there a preferred DC where you would do the operation? There are 2 DCs which were updated from 2003 to 2008 (32 Bit, one of them is the PDC and holds the FSMO roles), 2 DCs are 2008 SP1 64bit ....

Another point is that no Windows DHCP is used for all clients, till now a Linux based DHCP is used, I guess all Clients (Win7) will pull their information at next login, or do you expect some problems?
0
Darius GhassemCommented:
You would only have to create the static entries in the zone you don't have to worry about msdcs, etc. Doesn't really matter DC you do this on since all are Writeable DNS zones if you are using AD integrated.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
DNS

From novice to tech pro — start learning today.