Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 153
  • Last Modified:

Why is the _msdcs zone also stored as subdomain in every forword lookup zone?

whats the reason, that the _msdcs zone is also available as a subdomain in every forward lookup zone?
0
Thomas_1991
Asked:
Thomas_1991
1 Solution
 
cshepfamCommented:
The msdcs zone is extremely important.  Without it workstations wouldn't know which DC to authenticate to.  

That's why all your child domains have them.  The place where you can control what DC a workstation should authenticate to is by looking in _msdcs > dc > sites > [childdomain] > tcp

You'll see the Kerberos and LDAP record.  Those records should point to the DC in that specific domain
0
 
footechCommented:
You'll have to describe what you're seeing better (screenshots would be good).

You can create any new forward lookup zone and _msdcs will not be present inside it, so your question is not clear, particularly when you refer to "every forward lookup zone".

In the zone corresponding to your domain, there should be a _msdcs subdomain, or a delegation for _msdcs along with a separate zone for _msdcs.yourdomain.com.
0
 
Thomas_1991Author Commented:
Sorry, the question should be, why the subdomain is also in the DNS zone from my domain.

So if i have a domain asd.intra, in the Forward lookup zone "asd.intra" will be a subdomain _msdcs.

Why is that subdomain there?
Because the _msdcs.asd.intra on top level is forest wide available?
0
 
footechCommented:
I couldn't say what exactly resulted in what you're seeing.  The default for a new domain used to be to create the _msdcs subdomain, but this was changed with Server 2003 to creating a separate zone.  But existing setups would not be change when upgrading from say, Win2K to Win2K3.  Even with current Windows Server DCs, if the _msdcs zone is not present it will automatically create the _msdcs subdomain.

Since the separate zone is present, I would delete the subdomain, followed by a restart of the Netlogon service (causing the DC to re-register any records if needed).  Then I would create a delegation in place of the deleted subdomain with the name "_msdcs" and add entries for each of your DCs/DNS that hold a copy of the _msdcs zone.
0
 
DrDave242Commented:
So if i have a domain asd.intra, in the Forward lookup zone "asd.intra" will be a subdomain _msdcs.

A screenshot of this would be helpful. Is there a full subdomain present there (in other words, are there records contained within that subdomain), or is it just a gray folder? If it's just a gray folder, that's a delegation record which should be left alone. If it's a full subdomain, it's redundant. Follow footech's advice above to remove it.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now