Solved

Why is the _msdcs zone also stored as subdomain in every forword lookup zone?

Posted on 2016-07-26
5
41 Views
Last Modified: 2016-09-02
whats the reason, that the _msdcs zone is also available as a subdomain in every forward lookup zone?
0
Comment
Question by:Thomas_1991
5 Comments
 
LVL 13

Expert Comment

by:cshepfam
ID: 41729593
The msdcs zone is extremely important.  Without it workstations wouldn't know which DC to authenticate to.  

That's why all your child domains have them.  The place where you can control what DC a workstation should authenticate to is by looking in _msdcs > dc > sites > [childdomain] > tcp

You'll see the Kerberos and LDAP record.  Those records should point to the DC in that specific domain
0
 
LVL 39

Expert Comment

by:footech
ID: 41729631
You'll have to describe what you're seeing better (screenshots would be good).

You can create any new forward lookup zone and _msdcs will not be present inside it, so your question is not clear, particularly when you refer to "every forward lookup zone".

In the zone corresponding to your domain, there should be a _msdcs subdomain, or a delegation for _msdcs along with a separate zone for _msdcs.yourdomain.com.
0
 

Author Comment

by:Thomas_1991
ID: 41729978
Sorry, the question should be, why the subdomain is also in the DNS zone from my domain.

So if i have a domain asd.intra, in the Forward lookup zone "asd.intra" will be a subdomain _msdcs.

Why is that subdomain there?
Because the _msdcs.asd.intra on top level is forest wide available?
0
 
LVL 39

Accepted Solution

by:
footech earned 500 total points
ID: 41731383
I couldn't say what exactly resulted in what you're seeing.  The default for a new domain used to be to create the _msdcs subdomain, but this was changed with Server 2003 to creating a separate zone.  But existing setups would not be change when upgrading from say, Win2K to Win2K3.  Even with current Windows Server DCs, if the _msdcs zone is not present it will automatically create the _msdcs subdomain.

Since the separate zone is present, I would delete the subdomain, followed by a restart of the Netlogon service (causing the DC to re-register any records if needed).  Then I would create a delegation in place of the deleted subdomain with the name "_msdcs" and add entries for each of your DCs/DNS that hold a copy of the _msdcs zone.
0
 
LVL 26

Expert Comment

by:DrDave242
ID: 41742914
So if i have a domain asd.intra, in the Forward lookup zone "asd.intra" will be a subdomain _msdcs.

A screenshot of this would be helpful. Is there a full subdomain present there (in other words, are there records contained within that subdomain), or is it just a gray folder? If it's just a gray folder, that's a delegation record which should be left alone. If it's a full subdomain, it's redundant. Follow footech's advice above to remove it.
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question