[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now


_MSDCS Problem on 2008 R2

Posted on 2014-01-26
Medium Priority
Last Modified: 2014-01-26
We upgraded our 2003 Enterprise server to a new 2008 R2 Enterprise server several years ago.  The old 2003 server is still a backup DC, but serves no other purpose.

During the December holidays, there were several Microsoft updates and software updates to Symantec Backup Exec 2012.  I think I may have also turned off IPv6 at our primary NIC.  (We have a second NIC that is primarily used for external access.  IPv6 is still active on that NIC.)  I also did some other maintenance on the server.

The Primary NIC's address is the address of our internal DNS server and includes a loopback as the second address.  We also have WINS active.  The second NIC uses the primary NIC as its DNS server.

We had replication issues from the beginning.  Some of those were related to our Exchange server being moved to the new 2008 R2 server and deactivated on the old server.  I worked with Microsoft tech support to get everything working properly when we created the new 2008 R2 server.

It should be pointed out that we are a small office.  Our server does everything including file server, web server, FTP server, Exchange Server.  We have always operated that way and it has always done a great job.  I know it is not the recommended configuration, but it does not make sense for us to pay for multiple servers.  It keeps everything simple including our ability to backup the entire system to tape.

After the updates during the holidays, we noticed that the server was not as responsive as it had been.  It was typically as fast as always, but there would sometimes be delays when you tried to do something as simple as open a directory.  I also noted that when I was working on the server, it was not as responsive as it had been.

Interestingly, we do not get many error messages once the server has been booted up.

I believe the problem is in DNS.  I have tried several things to solve the problem.  One site suggested fixing _MSDCS by recreating _MSDCS in a new zone.  That worked ok.  _MSDCS is now greyed out under the domain name in dns and a new zone was created above the domain name.

However, that has created a few other problems.  SRV is not being found by the client computers.  All of the shares are available and very responsive.  Outlook on my client computer works, but now has a security window that pops up that says connecting to ...  However, Outlook is still connected and working properly.

Mobile devices are all connecting and working as well as always.

I tried to reconnect my username and computer under Advanced System Settings.  I get the error message "An Active Directory Domain Controller (AD DC) for the domain *** could not be contacted.  Sometimes if I enter the domain name as the NETBIOS name, it will work, other times I get the same error message.

I believe this is a simple fix, but I have not found it.  Plus I want to avoid creating a bigger problem.  Any help would be appreciated.
Question by:ArchitectChuck
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
LVL 41

Accepted Solution

footech earned 1500 total points
ID: 39810346
The only time it's OK to have Exchange on a DC is with SBS, otherwise I say no way.  Another problem is with having more than one active NIC on a DC.  See this link for information, and if you must keep the 2nd NIC verify that you have disabled its ability to register in DNS, NetBIOS, etc.

I think it's likely that you have multiple problems from your description.  Make sure that in your _msdcs zone there aren't any records which point to the 2nd NIC.  Also make sure that there aren't any for it under under the forward lookup zone for your internal domain which correspond with "same as parent".  Make sure to run dcdiag /v and dcdiag /v /test:dns on both DCs to check for issues.  The Outlook issue may be due to autodiscover.  If you're noticing slowness when just connected to the console, that seems like it may be unrelated, but may depend on what operation you were doing.

Author Comment

ID: 39810380
Thank you footech.

The dcdiag /v /test:dns completed with no errors.

 Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            Domain: ***.com

               Srv1d                        PASS PASS PASS PASS PASS PASS n/a  
         ......................... ***.com passed test DNS

      Test omitted by user request: LocatorCheck

      Test omitted by user request: Intersite

I am reviewing the results for dcdiag /v

Author Comment

ID: 39810425
DCDIAG Summary:

The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.

SRV1D failed test NCSecDesc   -  Seems to be related to failed relication of directory

SRV1D failed test Replications

These were the only errors, all pointing to the replication failure to the old server.  

Directions are given in the first error to fix the replication problem.  Should I proceed with making those corrections.  It basically asked to make a registry entry to force the replication to the other server.
Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?


Author Comment

ID: 39810468
The FRSEvent fix is to change the registry entry:


            Click down the key path:


            Double click on the value name

               "Enable Journal Wrap Automatic Restore"

            and update the value.


            If the value name is not present you may add it with the New->DWORD Value function under the Edit Menu item. Type the value name exactly as shown above.

It does not say what DC to do this on.  I have confidence in Srv1d.  I do not have confidence in the older server Srv1c.  Does it make a difference which server I make this registry entry on?
LVL 41

Expert Comment

ID: 39810554
Unfortunately the advice in the event is outdated, and really should not be applied except in cases where you only have a single DC.  It's best to try a non-authoritative restore first, and if that doesn't work, then an authoritative restore.  See these links for more info.

Failing the NCSecDesc is expected if you haven't run adprep /rodcprep.

Author Comment

ID: 39810640
I proceeded with the Registry modification, and the replication was successful.

I then say you note above, and tried the adprep /forestprep from a copy of the installation DVD on the I drive on the server and received the following error message:
The procedure entry point I_netpathtype could not be located in the dynamic link library NETAPI32.dll

I believe that the relocation of _MSDCS in DNS has made it difficult for process to find the correct path to _MSDCS.  Does that make sense?

Author Comment

ID: 39810737
I have since removed IPv6.  That seems to have solved many problems.  I  am still working on this.
LVL 41

Assisted Solution

footech earned 1500 total points
ID: 39810770
I believe that the relocation of _MSDCS in DNS has made it difficult for process to find the correct path to _MSDCS. Does that make sense?
No, having _msdcs as a zone is perfectly normal and is the default for a new domain installed with server 2003+, and it poses no problem to convert between having it as a separate zone or a subdomain.

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
Know what services you can and cannot, should and should not combine on your server.
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question