Terellion

DNS: _msdcs is grey/gray

Hi All,

I have an AD domain with AD Integrated DNS where the _msdcs container appears greyed out under the domain name.
When I view the properties of the greyed out _msdcs, it shows the Name Server of a Domain Controller which crashed, on the Name Server tab, and which is currently offline and due to be manually removed from the domain.
The security tab generates the error "The Requested security information is either unavailable or can't be displayed."
As I am about to manually remove the metadata for the old crashed Domain Controller, I want to understand what the problem is with the _msdcs container. As you can see from the first picture, I do have a FQDN entry for _msdcs at the same hierarchical level as the domain's forward lookup zone entry, which contains all the service records for all the other domain controllers and DNS servers currently operating in the domain.

I'd really appreciate some advice on why the _msdcs container is greyed out and how to remediate.

Many Thanks in advance :)
Naveen Joshi

Delete both the msdcs and the domain.com zone. Then recreate the zone domain.com. This will put the msdcs folder back under the domain.com zone. What happened is that the msdcs was delegated, but deleting both and then recreating will fix the problem.

You can refer to the post below to understand why this is so.

https://www.experts-exchange.com/questions/28566411/Greyed-out-msdcs-container-under-my-dns-domain.html
ASKER CERTIFIED SOLUTION
footech

THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
Naveen Joshi

footech, I agree with your comment, but isn't it the case that only updating the _msdcs zone with the correct DNS server does not stop the folder from being greyed out? Although it will function properly, it will remain greyed out until we recreate the zone, and I believe the question was all about the folder being greyed out.
Mahmoud Sabry

You can delete the whole Active Directory zone, then run Netdiag /fix to recreate them.
SOLUTION
footech

THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
Terellion

ASKER

Hi All,

Thanks for the inputs thus far!

The domain (forest of one domain) is 2008R2 functional level with exclusively 2012R2 domain controllers at this time.

I would like to avoid deleting things at the moment, we've experienced some issues of late and I'm not willing to take a chance on rocking the boat now we're operating with some stability.

If the grey _msdcs folder is not a symptom of a problem (forgive my ignorance, I did not know this is usual for delegation) then I can try manually adding the valid domain controllers for the domain into the properties (Name Servers tab).

If _msdcs contains no valid domain controllers, which is true at this moment, is it even a problem?

Many Thanks
footech

In your case, I would say probably not.  With a single domain in the forest, the usual scenario is for all of your DNS servers to be domain controllers, and all zones AD-integrated, thus the _msdcs zone should be replicated to every DC/DNS and from there it follows that every DNS has full knowledge of the contents of the _msdcs zone.  A delegation typically comes into play when a DNS server is queried for records which it doesn't have - the delegation would tell it which DNS server to contact to look up those records.  Forwarders and stub zones operate in a similar capacity.

For testing DC DNS records, I recommend running dcdiag /v /test:dns.
Terellion

ASKER

@footech Yup, running dcdiag /v /test:dns verifies broken delegation for the domain.

As you have pointed out, all DCs are DNS servers and therefore have a replicated copy of the DNS partition for the domain. It looks like this isn't causing any grief, and we could possibly add in valid DCs in order to alleviate the delegation error. Our other domains (Trusted Forests)  have Conditional Forwarders to point at specified Domain Controllers (DNS Servers) in this domain.

For now though, I'm happy there is no issue and that the grey _msdcs folder simply denoted delegation. Thanks!
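
The delegation check discussed in this thread, as an added example that is not part of any poster's reply: a read-only PowerShell script that lists the name servers on the _msdcs delegation and flags any that are not a current domain controller or do not answer on TCP 53. The zone name `corp.example` is a placeholder, and the script assumes it runs on a DC/DNS server with the DnsServer and ActiveDirectory modules installed.

```powershell
# Added example (not from the thread). Read-only: nothing is changed in DNS or AD.
Import-Module DnsServer, ActiveDirectory

$ParentZone = 'corp.example'   # placeholder: the domain's forward lookup zone
$ChildZone  = '_msdcs'         # the greyed-out delegation under that zone

# Host names of the domain controllers AD currently lists. A crashed DC whose
# metadata has not been removed may still appear here, so reachability is
# tested separately below.
$dcs = @(Get-ADDomainController -Filter * |
    ForEach-Object { $_.HostName.TrimEnd('.').ToLower() })

# One object is returned per name server recorded on the delegation.
$report = @(foreach ($d in Get-DnsServerZoneDelegation -Name $ParentZone -ChildZoneName $ChildZone) {
    $ns    = $d.NameServer.RecordData.NameServer.TrimEnd('.').ToLower()
    $probe = Test-NetConnection -ComputerName $ns -Port 53 -WarningAction SilentlyContinue
    [pscustomobject]@{
        NameServer     = $ns
        IsListedDC     = $dcs -contains $ns
        AnswersOnTcp53 = [bool]$probe.TcpTestSucceeded
    }
})

$report | Format-Table -AutoSize

# Stale entries: name servers that are not listed DCs or are unreachable.
$stale = @($report | Where-Object { -not $_.IsListedDC -or -not $_.AnswersOnTcp53 })
if ($stale.Count -gt 0) {
    Write-Warning ("Stale delegation name servers: " + ($stale.NameServer -join ', '))
}

# DCs that host the zone but are absent from the delegation's Name Servers tab.
$missing = @($dcs | Where-Object { $report.NameServer -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning ("DCs not on the delegation: " + ($missing -join ', '))
}
```

A delegation whose only name server is flagged as stale corresponds to the broken delegation that `dcdiag /v /test:dns` reports.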