Solved

Why is the _msdcs zone also stored as subdomain in every forword lookup zone?

Posted on 2016-07-26
5
54 Views
Last Modified: 2016-09-02
whats the reason, that the _msdcs zone is also available as a subdomain in every forward lookup zone?
0
Comment
Question by:Thomas_1991
5 Comments
 
LVL 13

Expert Comment

by:cshepfam
ID: 41729593
The msdcs zone is extremely important.  Without it workstations wouldn't know which DC to authenticate to.  

That's why all your child domains have them.  The place where you can control what DC a workstation should authenticate to is by looking in _msdcs > dc > sites > [childdomain] > tcp

You'll see the Kerberos and LDAP record.  Those records should point to the DC in that specific domain
0
 
LVL 40

Expert Comment

by:footech
ID: 41729631
You'll have to describe what you're seeing better (screenshots would be good).

You can create any new forward lookup zone and _msdcs will not be present inside it, so your question is not clear, particularly when you refer to "every forward lookup zone".

In the zone corresponding to your domain, there should be a _msdcs subdomain, or a delegation for _msdcs along with a separate zone for _msdcs.yourdomain.com.
0
 

Author Comment

by:Thomas_1991
ID: 41729978
Sorry, the question should be, why the subdomain is also in the DNS zone from my domain.

So if i have a domain asd.intra, in the Forward lookup zone "asd.intra" will be a subdomain _msdcs.

Why is that subdomain there?
Because the _msdcs.asd.intra on top level is forest wide available?
0
 
LVL 40

Accepted Solution

by:
footech earned 500 total points
ID: 41731383
I couldn't say what exactly resulted in what you're seeing.  The default for a new domain used to be to create the _msdcs subdomain, but this was changed with Server 2003 to creating a separate zone.  But existing setups would not be change when upgrading from say, Win2K to Win2K3.  Even with current Windows Server DCs, if the _msdcs zone is not present it will automatically create the _msdcs subdomain.

Since the separate zone is present, I would delete the subdomain, followed by a restart of the Netlogon service (causing the DC to re-register any records if needed).  Then I would create a delegation in place of the deleted subdomain with the name "_msdcs" and add entries for each of your DCs/DNS that hold a copy of the _msdcs zone.
0
 
LVL 26

Expert Comment

by:DrDave242
ID: 41742914
So if i have a domain asd.intra, in the Forward lookup zone "asd.intra" will be a subdomain _msdcs.

A screenshot of this would be helpful. Is there a full subdomain present there (in other words, are there records contained within that subdomain), or is it just a gray folder? If it's just a gray folder, that's a delegation record which should be left alone. If it's a full subdomain, it's redundant. Follow footech's advice above to remove it.
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question