Solved

Windows 2008 R2 _MSDCS Delegation

Posted on 2016-11-05
Last Modified: 2016-11-10
When I look at my DNS structure we have our domain name zone with the _MSDCS zone under it as expected. What I find interesting is the fact that the _msdcs does not show up as grayed, which if I have read correctly would mean the zone is not delegated? When I click on the _MSDCS zone I do not have any NS or A records, only my CNAME records for my DCs.

If this truly is the case, I have read it could be caused by upgrades from past versions of Windows?

What are the cons of leaving it not delegated? I only started to look into this since we have found odd DNS query requests from some of our clients: some will be going to _ldap._tcp.<our naming context>_site.dc._msdcs while others are going to _ldap._tcp.dc._msdcs.domainname.com

And yes, all clients are in the same site.
Question by:compdigit44
8 Comments
 
LVL 79

Expert Comment

by:arnold
ID: 41875836
You can create/add a new AD zone _msdcs.domainname.com.
The updates, etc. will be reordered into the new location, then within domainname.com.
Add _msdcs NS records as needed.

Pre 2003 SP1 I think the AD DNS did not separate the _msdcs as its own zone; the separation evolved from an incompatibility: _ was not a valid character in DNS and thus was preventing Windows primary zones from being shared/exported to subordinate BIND pre version 9.
BIND would reject zones with _ in records as having syntax errors.
 
LVL 20

Author Comment

by:compdigit44
ID: 41876239
Thank you for the feedback. How can I confirm that my _msdcs zone is not delegated, and what are the cons of not having it delegated in a Windows 2008 and newer domain?
 
LVL 79

Expert Comment

by:arnold
ID: 41876275
If you do not have
_msdcs.domainname.com
domainname.com
then the _msdcs is a subdomain within the domainname.com zone file.

"Delegated" has several meanings; as usually used, it means that some other DNS server/s provide services for it,
i.e. I have mydomain.com and I want subdomain.mydomain.com to be hosted by and serviced by someprovider.com,
so in the mydomain.com zone I add a delegation for
subdomain IN NS ns1.someprovider.com.
subdomain IN NS ns2.someprovider.com.

When the domain and the subdomain are served by the same DNS server, the DELEGATION is merely a "formality",
because when the DNS server receives a request for SRV records _ldap._tcp.dc._msdcs.domainname.com
it does not go to domainname.com but hits the matched zone for _msdcs.domainname.com for the information.

Presumably, you only have one DC that you've upgraded ....

Often, when a second DC is added that starts with 2008, it complains about the DNS zone reference......


The _msdcs zone gets updated by the DCs and has DFS, AD DC, replication references, etc. and their updates.
The domainname.com zone often gets updated less frequently, when systems boot up and register their hostname if configured, as well as their reverse IP to hostname records.

It also depends on whether you are using a public domain or a private domain for the AD purposes. i.e. using a public domain name means that your internal users accessing domain based resources hosted outside your organization will run into name resolution problems unless you maintain the same information on your internal DNS server as exists on the public one (that everyone else consults when they need to access your web site, or email you, etc.)
 
LVL 26

Expert Comment

by:DrDave242
ID: 41877464
"what are the cons of not having it delegated in a Windows 2008 and newer domain"
In most cases, nothing. The only thing you gain by having _msdcs.domain.com exist as a separate (delegated) zone is the ability to store it in a different application directory partition, which can then be replicated to a different set of domain controllers from the ones that are replicating your domain's forward lookup zone. You could, for example, replicate the domain.com zone to all DCs in the domain.com domain (i.e., store it in the DomainDnsZones partition), but replicate _msdcs.domain.com to all DCs in the entire forest (i.e., store it in the ForestDnsZones partition). Of course, if the forest only contains one domain, those two sets of DCs are identical. Even in a single-domain forest, though, you could create custom application directory partitions that only replicate to a subset of your DCs. I can't think of a practical reason for that, but I'm certain that someone has done it at some point.

It goes without saying that if you only have one DC, none of this matters at all, as there's no replication happening.

I believe there's a glitch in the built-in DNS best practice analyzer (BPA) in Windows Server 2008 and later that will cause it to complain that _msdcs.domain.com doesn't exist if it's not a separate zone. If you run the BPA and see this result, you can ignore it if you know that _msdcs exists as a folder inside the domain.com zone and that it's populated with the appropriate records.
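An added check (not from the thread or from either expert) that answers the "how can I confirm" question above in the terms both replies use: it reports whether _msdcs.<domain> exists as its own AD-integrated zone and which directory partition stores it, lists the _msdcs NS delegation records in the parent zone, and confirms that the DC locator SRV record clients query still resolves. It assumes the DnsServer PowerShell module (Windows Server 2012 or later, or RSAT) run against a DNS server you administer; `$Domain` is a placeholder.

```powershell
# Added example, not from the original thread. Assumes the DnsServer module
# (Server 2012+ / RSAT). Replace $Domain with your AD domain name.
param(
    [string]$Domain    = 'domainname.com',      # placeholder
    [string]$DnsServer = $env:COMPUTERNAME      # a DC/DNS server you administer
)

$msdcsZone = "_msdcs.$Domain"

# 1. Is _msdcs a separate zone, and in which application directory partition
#    (DomainDnsZones vs ForestDnsZones vs custom) does each zone live?
$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneName -in @($Domain, $msdcsZone) } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, DirectoryPartitionName
$zones | Format-Table -AutoSize

if ($zones.ZoneName -contains $msdcsZone) {
    Write-Output "$msdcsZone is a separate zone (delegated)."
    # 2. The delegation in the parent zone is the gray _msdcs folder holding NS records
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Domain `
        -Name '_msdcs' -RRType NS -ErrorAction SilentlyContinue |
        Select-Object HostName, RecordType, @{n='NameServer'; e={ $_.RecordData.NameServer }}
} else {
    Write-Output "$msdcsZone is NOT a separate zone; _msdcs is a folder inside $Domain."
    # Records then live under the parent zone itself, e.g. the dc._msdcs SRV records
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Domain -RRType SRV |
        Where-Object { $_.HostName -like '*_msdcs*' } |
        Select-Object HostName, @{n='Target'; e={ $_.RecordData.DomainName }}
}

# 3. Either way, the DC locator query that clients issue must resolve to your DCs
$srv = Resolve-DnsName -Name "_ldap._tcp.dc.$msdcsZone" -Type SRV -Server $DnsServer -ErrorAction Stop
$srv | Where-Object { $_.Type -eq 'SRV' } |
    Select-Object Name, NameTarget, Port, Priority, Weight
```

Run it from an elevated prompt on, or with RSAT against, a DC; a resolved SRV set in step 3 is what matters for clients regardless of which layout step 1 reports.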
 
LVL 20

Author Comment

by:compdigit44
ID: 41879772
Great feedback everyone and much appreciated. Our internal domain is a subdomain of our public DNS name. I was always under the impression that a delegated zone was always grayed out. My _msdcs not being grayed out is what made me start to think about this.

I still do not fully understand the value in having _msdcs delegated outside of the separate partition, but maybe I just have to think about this some more for it to click.
 
LVL 79

Expert Comment

by:arnold
ID: 41879956
It is not clear to me what your greyed out reference is.
On DNS, if you have zones
_msdcs.yourdomain
yourdomain
the _msdcs within your domain would appear as a reference to the outer defined zone.
 
LVL 26

Assisted Solution

by:DrDave242
DrDave242 earned 1000 total points
ID: 41881171
"I was always under the impression that a delegated zone was always grayed out."

The delegation record (highlighted in red in the screenshot below) shows up in the console as a gray folder, but the delegated zone itself shows up normally:

[Screenshot: Delegated _msdcs zone]
 
LVL 79

Accepted Solution

by:arnold
arnold earned 1000 total points
ID: 41881230
That is the point: the _msdcs within yourdomain.com is merely a placeholder/reference, while _msdcs.yourdomain.com is the actual zone into which records can be added and removed.

The equivalent is, let's say you have a document reference folder.
As documents are being added, a decision is made that one set of documents deserves its own folder, so the section of those documents is pulled from the document reference folder with a reference "see document reference 2".
A new document reference 2 folder is created with this section added.
If you have the two folders identified with their contents, few if any will look at the document reference folder when they need to access the other.