Solved

DNS is missing _msdcs folder under the domain within Forward lookup zone on Server 2003 standard SP2

Posted on 2012-03-29
Last Modified: 2016-09-08
Hello Experts!

I've inherited the following situation: Two domains with a trust between them, one DC for each domain, both DCs are Windows Server 2003 Standard SP2. The previous sysadmin tried to migrate one of the DCs to Server 2008 R2 but had many issues after and none of the hosts could find the global catalog\name server\domain controller. I am very comfortable when it comes to adprep, dcpromo, transferring FSMO roles, etc. and don't usually have issues with that. However, that all went fine supposedly for the previous guy who tried this migration. Supposedly it was DNS that broke things.

All the DNS I've managed in the past has had a gray color "_msdcs" folder underneath the domain zone. However, neither of these 2 DNS servers (1 in each domain) has this.

ABC.Domain1. has the "_msdcs.ABC.Domain1" folder under the forward lookup zone, and no _msdcs folder under the domain zone.

XYZ.Domain2.local. has the "_msdcs" folder under the domain zone (but it's not gray) and does not have a "_msdcs.XYZ.Domain2.local" folder at all.

Please advise what they SHOULD look like, and how to correct them.
ABC.Domain1.png
XYZ.Domain2.local.png
0
Question by:EndTheFed
 
LVL 6

Expert Comment

by:netjgrnaut
ID: 37783353
0
 

Author Comment

by:EndTheFed
ID: 37783478
I did read through that documentation. Thank you for the refresher. However, I do understand how DNS works and integrates with AD. I've set up and customized DNS within Windows 2003 many times. My question is why these servers are not configured the way I've always seen them in the past in regards to the _msdcs folders and how to fix it. Here is a picture of a different site I manage which looks normal to me.
normal-example.png
0
 
LVL 6

Expert Comment

by:netjgrnaut
ID: 37783540
You're on target with your example of what a "healthy" AD DNS looks like...

Have you looked at this...?

http://www.bhcblog.com/2009/04/23/fixing-active-directory-dns-_msdcs-_sites-_tcp-_udp/
0
 
LVL 16

Expert Comment

by:R. Andrew Koffron
ID: 37783637
Have you tried removing the DNS Server on one of the 2008 boxes and putting it back in as AD-integrated?
0
 

Author Comment

by:EndTheFed
ID: 37783643
I tried following those directions (already had support tools installed), but unfortunately it did not change anything on either server. They still look identical to the screenshots. :(
0
 

Author Comment

by:EndTheFed
ID: 37783662
The one 2008 R2 box I have does not have AD or DNS on it. It was completely backed out by the previous sysadmin. It is not listed as a NS in any of the DNS. I need to get my DNS cleaned up before I attempt the previously failed migration to 2k8 again.
0
 
LVL 40

Accepted Solution

by:
footech earned 500 total points
ID: 37783668
Having _msdcs as a subfolder of your "domain.com" forward lookup zone (FLZ), or as a separate FLZ are both valid configurations.  If your domain was upgraded from Win2K you'll likely see it as a subfolder.  By default for a new domain created on Win2K3 or later, _msdcs will be created as a separate FLZ, with its replication set to "All DNS servers in this Forest", and there will be a delegation created under your "domain.com" FLZ (this is the grayed out icon).

I prefer having it as a separate zone.  To create it as such, you can delete the subfolder called _msdcs of your domain.com FLZ, then create a new FLZ named "_msdcs.<yourdomain.com>".  Select your domain.com FLZ, and create a new delegation, enter "_msdcs" and the IPs of your DNS servers.  Then restart the netlogon service and the records will auto-populate into the _msdcs zone.

Here's a link that provides some more background info.
http://support.microsoft.com/kb/817470
0
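
A command-line equivalent of the steps in the accepted answer above, as an added example that is not part of the original post. It uses `dnscmd` from the Windows Support Tools; the domain `example.local` and the server `dc1.example.local` are placeholders, and the forest-wide replication scope follows the default described in the answer.

```bat
@echo off
rem Added example, not from the original thread.
rem Placeholder values: replace with your own domain and DNS server (DC).
set DOMAIN=example.local
set DC=dc1.example.local

rem 1. Record the current layout before changing anything.
rem    A separate zone shows up in /EnumZones as _msdcs.<domain>;
rem    a delegation shows up as NS records at the _msdcs node of the parent.
dnscmd %DC% /EnumZones
dnscmd %DC% /EnumRecords %DOMAIN% _msdcs /Type NS

rem If _msdcs.<domain> already exists as its own zone and only the
rem delegation is missing, skip steps 2 and 3 and continue at step 4.

rem 2. Delete the _msdcs subfolder (and everything below it) from the parent zone.
dnscmd %DC% /NodeDelete %DOMAIN% _msdcs /Tree /f

rem 3. Create _msdcs.<domain> as a separate AD-integrated zone,
rem    replicated to all DNS servers in the forest.
dnscmd %DC% /ZoneAdd _msdcs.%DOMAIN% /DsPrimary /DP /forest

rem 4. Create the delegation in the parent zone: an NS record at the
rem    _msdcs node pointing at the DNS server that hosts the new zone.
rem    Repeat this line for each additional DNS server.
dnscmd %DC% /RecordAdd %DOMAIN% _msdcs NS %DC%

rem 5. Restart Netlogon so the DC re-registers its records in the new zone.
net stop netlogon
net start netlogon

rem 6. Verify: the delegation answers, the DC locator SRV record is back,
rem    and the DNS test passes.
nslookup -type=NS _msdcs.%DOMAIN% %DC%
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% %DC%
dcdiag /test:DNS
```

Run it on each domain's DNS server with that domain's values, and keep the output of step 1 so the previous layout can be compared afterwards.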
 

Author Comment

by:EndTheFed
ID: 37783734
footech

Hmmm.. I've never heard before that having the _msdcs in either of those 2 locations is a valid config. I'm accustomed to seeing it in both locations.

Although I admit between the two, the ABC.Domain1. looks much better since the _msdcs folder looks complete and is not missing any records (has a CNAME, NS, and SOA). The one that really scares me is the XYZ.Domain2.local. which as you can see in the _msdcs folder it only has a CNAME record and no SOA or NS records. That doesn't seem right at all.
0
 

Author Comment

by:EndTheFed
ID: 37783778
I did a dcdiag /test:DNS on both servers, see pics for results.
ABC.Domain1.dcdiag-DNS-test.png
XYZ.Domain2.local.dcdiag-DNS-tes.png
0
 
LVL 6

Expert Comment

by:netjgrnaut
ID: 37783791
So... what is the current error condition in your network?  Are we troubleshooting the way the DNS "looks" - or is something actually failing at present?
0
 

Author Comment

by:EndTheFed
ID: 37783808
The error condition is that migrating the 2003 DC to a 2008 DC failed (not during the transition, that went smoothly), but none of the hosts could find the NS\DC. I don't want to attempt this migration until I know the DNS is ok. Just trying to rule out that my DNS isn't causing the issue. I will try as footech suggested and delete it and recreate it in the FLZ, at least that way the DNS between the domains will have a consistent setup.
0
 

Author Comment

by:EndTheFed
ID: 37783895
If one of my domains is SQ.SpeedyQuote.  that's not a single label domain right? It's not SQ.SpeedyQuote.local.  just SQ.SpeedyQuote.  Single label is a domain with no period?
0
 
LVL 40

Assisted Solution

by:footech
footech earned 500 total points
ID: 37784213
I don't have a DNS setup configured with _msdcs as a subfolder to look at, but I think what you're seeing in both cases is normal.  For the ABC domain, _msdcs is a zone, and so needs to be configured with NS and SOA records.  For the XYZ domain, _msdcs is a subfolder, and so uses the NS and SOA records of its parent.

I've never used single-label domains, but the way I understand it is that "SpeedyQuote" is a single-label, but "SQ.SpeedyQuote" is not.  Just has a very weird top-level domain name.  In this case I would assume that the NetBIOS domain name would be "SQ".

If the upgrade was attempted on the ABC network, it wouldn't surprise me if that one failed since it's missing the delegation.
0
 

Author Comment

by:EndTheFed
ID: 37784618
THANK YOU!!! This was exactly what I needed. And yes footech, the upgrade was attempted on the ABC network. I read many other people's questions about this on EE and the rest of the web and nearly every answer had the steps to delete the _msdcs folder and recreate it under the FLZ, stop/start the netlogon, as well as ipconfig /flushdns, ipconfig /registerdns, netdiag /fix, etc. to let it regenerate the records. However, I didn't read any that mentioned the "create new delegation" step, which is what I needed. (It also fixed the XYZ network, I just didn't include pics).
ABC.Domain1-Before.png
ABC.Domain1-After.png
0
 

Author Closing Comment

by:EndTheFed
ID: 37784621
I hope other people who have this issue find this question and answer!
0
 
LVL 40

Expert Comment

by:footech
ID: 37784709
Excellent!  Glad it's working for you now.
0
 

Expert Comment

by:jahatcher
ID: 39806811
I have a similar issue but my issue is that

under "Mydomain"

the "domainsdnszones" and the "forestdnszones" folders are missing

I can create the delegation but they remain gray.

Our domain was upgraded from 2000 to 2003 and now it's all 2008 R2 controllers.

Any insight would be greatly helpful.
0
 
LVL 40

Expert Comment

by:footech
ID: 39806990
Sounds like a different situation.
Please start a new question to get help.
0
 

Expert Comment

by:Fred Chafwa
ID: 41790651
Under DNS (dnsmgmt.msc), under Forward Lookup Zones, I can only see one zone, that is domain.local. I am missing the AD-integrated DNS zone listed below:
_msdcs.domain.local

The zone is missing from all integrated DNS.

Please advise what they SHOULD look like, and how to correct them.
0
 

Expert Comment

by:Fred Chafwa
ID: 41790657
I am using Windows Server 2008 R2.
0


Question has a verified solution.
