DNS server TEST: Delegations (Del) FAILED IP:<Unavailable> [Missing glue A record]

Hi All,

Can anyone here please share some way to fix the DNS Delegation test failure?

TEST: Delegations (Del)
   Error: DNS server: PRODDC26-VM.MyDomain.com IP:<Unavailable> [Missing glue A record]



Because when I execute the command dcdiag /test:DNS on both my newly deployed and existing domain controllers, it fails on the Delegation test only.

I've checked:
Ping is successful for PRODDC26-VM (the server still exists and is running as another DC/GC & DNS in another AD site).
There is an A record in the DNS forward lookup zone MyDomain.com for PRODDC26-VM.
There is another NS record under the "greyed out" _msdcs folder, with NS (same as parent folder) static, pointing to PRODDC26-VM.MyDomain.com:
Mydomain.com.au
     _msdcs --> greyed out.

What is this delegation for, and can I safely delete it? What's the impact?

Thanks,
Senior IT System Engineer (IT Professional) asked:
Mahesh (Architect) commented:
The _msdcs delegation folder actually points to the forest-wide zone _msdcs.domain.com.
This zone contains a CNAME record for each DC; if you go to the properties of a CNAME record, you will see some guid._msdcs.domain.com.
If you ping this record, it should resolve to the actual DC FQDN and you should be able to ping it.

So, this _msdcs grayed-out folder should point to the PDC master server's NS record.

There is another way, if you don't want to keep this delegation:
You can simply delete the _msdcs.domain.com forest-wide zone from the PDC.
Then delete the _msdcs delegated folder from domain.com.
Now restart the Netlogon service and you should find a folder named _msdcs under the domain.com zone.
Now the domain.com zone natively resolves the _msdcs folder contents (basically AD sites and DC information).
The changes will get replicated to all DCs in all domains, so if you have any child domains, the _msdcs.domain.com zone will get deleted from there as well.

Check the below thread as well:
https://www.experts-exchange.com/questions/28415910/The-Active-Directory-integrated-DNS-zone-msdcs-LOCAL-was-not-found.html

Mahesh.
Senior IT System Engineer (IT Professional), author, commented:
Hi Mahesh,

Thanks for the reply. So in this case, which one can I safely delete: the red one or the yellow box one?

The server PRODDC26-VM is still running and holds all the FSMO roles, hence it is very critical.
Mahesh (Architect) commented:
It depends on what you want to do.

1st option:
You can double-click on the name server record highlighted in yellow and choose another server there (this entry normally points to the NS record of the PDC server, the root DC server).
Ensure that all AD ports are open between the DC servers.

2nd option:
If you don't want this delegation (_msdcs) to delegate queries to the _msdcs.domain.com zone in AD, simply delete the _msdcs.domain.com zone from the PDC master server.
Then delete the _msdcs delegation folder (the one which is grayed out) itself under the domain.com zone.
Then restart the Netlogon service.
This will populate the _msdcs folder under the domain.com zone.
The above changes will replicate to all DC servers.

Mahesh.
Senior IT System Engineer (IT Professional), author, commented:
Hi Mahesh,

I'd like to remove the delegation since it does not give any benefit at all, and it makes things more confusing when I decommission PRODDC26-VM next week.

So can I just delete the grayed-out folder and then let AD replication run?
Because if I delete the _msdcs.domain.com, right underneath the Forward Lookup Zones, the whole AD domain can be broken :-|
footech commented:
I would advocate for keeping the _msdcs delegation and the separate _msdcs zone. It is a standard, default configuration and as such I think you would do well to understand it. However, it is true that in your setup it may not actually provide any benefit to you.

If you delete the delegation, you have the _msdcs zone as well and have it recreated as a subdomain of the domain.com zone.

But like I said before, I advocate keeping it and understanding the message. A glue record is simply out-of-zone data, typically used with NS records so that they don't have to do an additional query. When looking at the delegation properties, you can see which records don't have glue, as they have a * next to them if you look in the GUI. Just edit the properties of the delegation, and edit the name servers. Since you're going to decommission PRODDC26-VM, I would remove that and add both of your other DC/DNS servers.
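The glue check footech describes, as an added example that is not code from the thread or from any participant: it lists the NS entries of the _msdcs delegation in the parent zone, reports which of them lack a glue A record (what dcdiag /test:DNS flags as "Missing glue A record"), and checks whether each delegation target actually answers for _msdcs. It assumes the DnsServer RSAT module on a DC/DNS server; the zone name and PRODDC26-VM come from the thread, OTHERDC1 and its address are placeholders.

```powershell
# Added example (not from the thread): audit the _msdcs delegation for glue.
# Assumes the DnsServer module and that it runs on a DC/DNS server.
Import-Module DnsServer
$parentZone = 'MyDomain.com'
$childZone  = "_msdcs.$parentZone"

# The greyed-out _msdcs folder is a set of NS records in the parent zone.
$nsRecords = Get-DnsServerResourceRecord -ZoneName $parentZone -Name '_msdcs' -RRType NS

$report = foreach ($ns in $nsRecords) {
    $nsHost = $ns.RecordData.NameServer.TrimEnd('.')
    # Glue is only expected for a name server whose name lives inside the
    # parent zone; look it up by its name relative to that zone.
    $inZone = $nsHost -like "*.$parentZone"
    $glue = $null
    if ($inZone) {
        $relName = $nsHost.Substring(0, $nsHost.Length - $parentZone.Length - 1)
        $glue = Get-DnsServerResourceRecord -ZoneName $parentZone -Name $relName `
            -RRType A -ErrorAction SilentlyContinue
    }
    # Independently of glue, ask the name server itself for the child zone's SOA:
    # a delegation target that does not host _msdcs is a broken delegation.
    $soa = Resolve-DnsName -Name $childZone -Type SOA -Server $nsHost -DnsOnly `
        -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NameServer      = $nsHost
        InParentZone    = $inZone
        HasGlueA        = [bool]$glue
        GlueAddress     = ($glue.RecordData.IPv4Address -join ',')
        AnswersForMsdcs = [bool]($soa | Where-Object Type -eq 'SOA')
    }
}
$report | Format-Table -AutoSize

# footech's fix for this case: drop the server being decommissioned from the
# delegation and add the remaining DC/DNS servers with their addresses.
# OTHERDC1 and 192.0.2.11 are placeholders; remove -WhatIf to apply.
Remove-DnsServerZoneDelegation -Name $parentZone -ChildZoneName $childZone `
    -NameServer 'PRODDC26-VM.MyDomain.com' -WhatIf
Add-DnsServerZoneDelegation -Name $parentZone -ChildZoneName $childZone `
    -NameServer 'OTHERDC1.MyDomain.com' -IPAddress '192.0.2.11' -WhatIf
```

Re-run dcdiag /test:DNS on a DC afterwards; the Delegation test should stop reporting the missing glue once every NS entry in the report shows HasGlueA and AnswersForMsdcs as True.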
Mahesh (Architect) commented:
OK.
The point of having this delegation is to avoid creating the same zone twice.
I mean, you already have the _msdcs.domain.com forest-wide zone.
Now if you simply delete the _msdcs delegated folder under domain.com and restart the Netlogon service, it will create a folder named _msdcs underneath domain.com with all records; it's like the same records are getting created in two places.
Now the impact of this is that it would stop updating the records created under the newly created _msdcs folder under domain.com, because you keep the _msdcs.domain.com zone and that zone would be updated rather than the records in the _msdcs folder under domain.com.

Hence the proper way is:
To avoid duplication and/or inconsistencies, keep the _msdcs.domain.com zone and keep the _msdcs delegated folder pointing to the PDC of the domain,
OR
delete the _msdcs.domain.com zone from the PDC master server.
Then delete the _msdcs delegation folder (the one which is grayed out) itself under the domain.com zone.
Then restart the Netlogon service.
This will populate the _msdcs folder under the domain.com zone.
The above changes will replicate to all DC servers.

If required you can test the above with test lab DCs.

Mahesh.
Mahesh (Architect) commented:
Before deleting the _msdcs.domain.com zone, you will have to delete the _msdcs delegation and restart the Netlogon service on the PDC; this will create a subdomain folder named _msdcs under domain.com. Wait for it to replicate to all DCs with all DC CNAME records etc.
Once you're sure that the new subfolder has replicated to all DCs, go ahead and delete the _msdcs.domain.com zone and nothing will break.

Mahesh
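Mahesh's second option, in the order of his last comment, as an added example that is not code from the thread: remove the delegation, restart Netlogon so the records are re-registered as an _msdcs subfolder of the parent zone, verify on every DC that the subfolder has replicated, and only then remove the forest-wide _msdcs zone. It assumes the DnsServer and ActiveDirectory modules, that it runs on the PDC, and the zone name from the thread; both Remove-* calls carry -WhatIf.

```powershell
# Added example (not from the thread): delegation removal with a replication
# gate before the forest-wide zone is deleted. Assumes it runs on the PDC.
Import-Module DnsServer
Import-Module ActiveDirectory
$parentZone = 'MyDomain.com'
$childZone  = "_msdcs.$parentZone"

# Step 1: drop the greyed-out delegation folder in the parent zone.
Remove-DnsServerZoneDelegation -Name $parentZone -ChildZoneName $childZone -WhatIf

# Step 2: Netlogon re-registers this DC's _msdcs records; with no delegation
# they now land under $parentZone as a plain _msdcs subfolder.
Restart-Service -Name Netlogon

# Step 3: every DC must show the new subfolder before the zone goes away.
# The DC-locator SRV record is used as the canary and each DC is asked directly.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$results = foreach ($dc in $dcs) {
    $srv = Get-DnsServerResourceRecord -ComputerName $dc -ZoneName $parentZone `
        -Name '_ldap._tcp.dc._msdcs' -RRType SRV -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC                = $dc
        HasMsdcsSubfolder = [bool]$srv
        SrvTargets        = ($srv.RecordData.DomainName -join ',')
    }
}
$results | Format-Table -AutoSize

# Step 4: remove the forest-wide zone only once every DC reports the subfolder.
$missing = @($results | Where-Object { -not $_.HasMsdcsSubfolder })
if ($missing.Count -eq 0) {
    Remove-DnsServerZone -Name $childZone -Force -WhatIf
} else {
    Write-Warning ("Not yet replicated to: " + ($missing.DC -join ', ') +
        ". Do not delete $childZone yet.")
}
```

Step 3 is the part worth keeping around: re-run it until every DC reports True, because deleting the zone while some DC still resolves _msdcs through the old delegation is exactly the inconsistency Mahesh warns about.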