Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Why is the _msdcs zone also stored as subdomain in every forword lookup zone?

Posted on 2016-07-26
5
Medium Priority
?
101 Views
Last Modified: 2016-09-02
whats the reason, that the _msdcs zone is also available as a subdomain in every forward lookup zone?
0
Comment
Question by:Thomas_1991
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 13

Expert Comment

by:cshepfam
ID: 41729593
The msdcs zone is extremely important.  Without it workstations wouldn't know which DC to authenticate to.  

That's why all your child domains have them.  The place where you can control what DC a workstation should authenticate to is by looking in _msdcs > dc > sites > [childdomain] > tcp

You'll see the Kerberos and LDAP record.  Those records should point to the DC in that specific domain
0
 
LVL 41

Expert Comment

by:footech
ID: 41729631
You'll have to describe what you're seeing better (screenshots would be good).

You can create any new forward lookup zone and _msdcs will not be present inside it, so your question is not clear, particularly when you refer to "every forward lookup zone".

In the zone corresponding to your domain, there should be a _msdcs subdomain, or a delegation for _msdcs along with a separate zone for _msdcs.yourdomain.com.
0
 

Author Comment

by:Thomas_1991
ID: 41729978
Sorry, the question should be, why the subdomain is also in the DNS zone from my domain.

So if i have a domain asd.intra, in the Forward lookup zone "asd.intra" will be a subdomain _msdcs.

Why is that subdomain there?
Because the _msdcs.asd.intra on top level is forest wide available?
0
 
LVL 41

Accepted Solution

by:
footech earned 2000 total points
ID: 41731383
I couldn't say what exactly resulted in what you're seeing.  The default for a new domain used to be to create the _msdcs subdomain, but this was changed with Server 2003 to creating a separate zone.  But existing setups would not be change when upgrading from say, Win2K to Win2K3.  Even with current Windows Server DCs, if the _msdcs zone is not present it will automatically create the _msdcs subdomain.

Since the separate zone is present, I would delete the subdomain, followed by a restart of the Netlogon service (causing the DC to re-register any records if needed).  Then I would create a delegation in place of the deleted subdomain with the name "_msdcs" and add entries for each of your DCs/DNS that hold a copy of the _msdcs zone.
0
 
LVL 27

Expert Comment

by:DrDave242
ID: 41742914
So if i have a domain asd.intra, in the Forward lookup zone "asd.intra" will be a subdomain _msdcs.

A screenshot of this would be helpful. Is there a full subdomain present there (in other words, are there records contained within that subdomain), or is it just a gray folder? If it's just a gray folder, that's a delegation record which should be left alone. If it's a full subdomain, it's redundant. Follow footech's advice above to remove it.
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question