_MSDCS Problem on 2008 R2

We upgraded our 2003 Enterprise server to a new 2008 R2 Enterprise server several years ago.  The old 2003 server is still a backup DC, but serves no other purpose.

During the December holidays, there were several Microsoft updates and software updates to Symantec Backup Exec 2012.  I think I may have also turned off IPv6 at our primary NIC.  (We have a second NIC that is primarily used for external access.  IPv6 is still active on that NIC.)  I also did some other maintenance on the server.

The Primary NIC's address is the address of our internal DNS server and includes a loopback as the second address.  We also have WINS active.  The second NIC uses the primary NIC as its DNS server.

We had replication issues from the beginning.  Some of those were related to our Exchange server being moved to the new 2008 R2 server and deactivated on the old server.  I worked with Microsoft tech support to get everything working properly when we created the new 2008 R2 server.

It should be pointed out that we are a small office.  Our server does everything including file server, web server, FTP server, Exchange Server.  We have always operated that way and it has always done a great job.  I know it is not the recommended configuration, but it does not make sense for us to pay for multiple servers.  It keeps everything simple including our ability to backup the entire system to tape.

After the updates during the holidays, we noticed that the server was not as responsive as it had been.  It was typically as fast as always, but there would sometimes be delays when you tried to do something as simple as open a directory.  I also noted that when I was working on the server, it was not as responsive as it had been.

Interestingly, we do not get many error messages once the server has been booted up.

I believe the problem is in DNS.  I have tried several things to solve the problem.  One site suggested fixing _MSDCS by recreating _MSDCS in a new zone.  That worked ok.  _MSDCS is now greyed out under the domain name in dns and a new zone was created above the domain name.

However, that has created a few other problems.  SRV is not being found by the client computers.  All of the shares are available and very responsive.  Outlook on my client computer works, but now has a security window that pops up that says connecting to ...  However, Outlook is still connected and working properly.

Mobile devices are all connecting and working as well as always.

I tried to reconnect my username and computer under Advanced System Settings.  I get the error message "An Active Directory Domain Controller (AD DC) for the domain *** could not be contacted."  Sometimes if I enter the domain name as the NETBIOS name, it will work, other times I get the same error message.

I believe this is a simple fix, but I have not found it.  Plus I want to avoid creating a bigger problem.  Any help would be appreciated.

The only time it's OK to have Exchange on a DC is with SBS, otherwise I say no way.  Another problem is with having more than one active NIC on a DC.  See this link for information, and if you must keep the 2nd NIC verify that you have disabled its ability to register in DNS, NetBIOS, etc.

I think it's likely that you have multiple problems from your description.  Make sure that in your _msdcs zone there aren't any records which point to the 2nd NIC.  Also make sure that there aren't any for it under the forward lookup zone for your internal domain which correspond with "same as parent".  Make sure to run dcdiag /v and dcdiag /v /test:dns on both DCs to check for issues.  The Outlook issue may be due to autodiscover.  If you're noticing slowness when just connected to the console, that seems like it may be unrelated, but may depend on what operation you were doing.
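
The record check described in the answer above, as an added example that is not part of the original thread: it scans a text export of a zone (for instance one written by dnscmd /ZoneExport) for A records that point at the second NIC. The zone name example.test, the host names and every address are constructed placeholders, and the simplified zone-file layout is an assumption.

```python
import ipaddress

# Constructed sample in zone-file form: owner, optional TTL, optional class, type, data.
# A line that starts with whitespace belongs to the owner named on an earlier line.
SAMPLE_ZONE = """\
; constructed export of forward lookup zone example.test
@            3600  IN  SOA  srv1d.example.test. hostmaster.example.test. 1 900 600 86400 3600
@                  NS   srv1d.example.test.
@            600   A    192.168.1.10
             600   A    203.0.113.5
srv1d        1200  A    192.168.1.10
             1200  A    203.0.113.5
gc._msdcs    600   A    203.0.113.5
srv1c        1200  A    192.168.1.11
"""


def a_records(zone_text):
    """Yield (owner, address) for every A record in the zone text."""
    owner = None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if not raw[0].isspace():                  # new owner name on this line
            owner = fields.pop(0)
        # skip the optional TTL and class columns
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)
        if owner is not None and len(fields) >= 2 and fields[0].upper() == "A":
            yield owner, ipaddress.ip_address(fields[1])


def records_on_nic(zone_text, nic_address):
    """Return the owner names whose A record equals the given NIC address."""
    nic = ipaddress.ip_address(nic_address)
    hits = []
    for owner, addr in a_records(zone_text):
        if addr == nic:
            # "@" is what the DNS console displays as "(same as parent folder)"
            hits.append("(same as parent folder)" if owner == "@" else owner)
    return hits


if __name__ == "__main__":
    # 203.0.113.5 stands in for the second (external) NIC in this constructed sample
    for name in records_on_nic(SAMPLE_ZONE, "203.0.113.5"):
        print("points at second NIC:", name)
```

Any name it reports is a record the domain controller registered from the external-facing interface, which is what the advice about disabling DNS registration on that NIC is meant to prevent.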

ArchitectChuckAuthor Commented:
Thank you footech.

The dcdiag /v /test:dns completed with no errors.

 Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            Domain: ***.com

               Srv1d                        PASS PASS PASS PASS PASS PASS n/a  
         ......................... ***.com passed test DNS

      Test omitted by user request: LocatorCheck

      Test omitted by user request: Intersite

I am reviewing the results for dcdiag /v
ArchitectChuckAuthor Commented:
DCDIAG Summary:

The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.

SRV1D failed test NCSecDesc   -  Seems to be related to failed replication of directory

SRV1D failed test Replications

These were the only errors, all pointing to the replication failure to the old server.  

Directions are given in the first error to fix the replication problem.  Should I proceed with making those corrections?  It basically asked to make a registry entry to force the replication to the other server.

ArchitectChuckAuthor Commented:
The FRSEvent fix is to change the registry entry:


            Click down the key path:


            Double click on the value name

               "Enable Journal Wrap Automatic Restore"

            and update the value.


            If the value name is not present you may add it with the New->DWORD Value function under the Edit Menu item. Type the value name exactly as shown above.

It does not say what DC to do this on.  I have confidence in Srv1d.  I do not have confidence in the older server Srv1c.  Does it make a difference which server I make this registry entry on?
Unfortunately the advice in the event is outdated, and really should not be applied except in cases where you only have a single DC.  It's best to try a non-authoritative restore first, and if that doesn't work, then an authoritative restore.  See these links for more info.

Failing the NCSecDesc is expected if you haven't run adprep /rodcprep.
ArchitectChuckAuthor Commented:
I proceeded with the Registry modification, and the replication was successful.

I then saw your note above, and tried the adprep /forestprep from a copy of the installation DVD on the I drive on the server and received the following error message:
The procedure entry point I_netpathtype could not be located in the dynamic link library NETAPI32.dll

I believe that the relocation of _MSDCS in DNS has made it difficult for process to find the correct path to _MSDCS.  Does that make sense?
ArchitectChuckAuthor Commented:
I have since removed IPv6.  That seems to have solved many problems.  I am still working on this.
I believe that the relocation of _MSDCS in DNS has made it difficult for process to find the correct path to _MSDCS. Does that make sense?
No, having _msdcs as a zone is perfectly normal and is the default for a new domain installed with server 2003+, and it poses no problem to convert between having it as a separate zone or a subdomain.
Question has a verified solution.
