_msdcs Zone Question tman <naves.tom[ at ]gmail.com> 6/30/2007 5:47:01 PM We recently did an upgrade of our NT 4 domain. We now have two Windows 2003 DCs each of which is a DNS server. The zones are AD integrated. We are still in interim mode. We only have one domain. Everthing works properly. I set up a couple of DCs on a VMware system to practive disaster recover. I noticed a difference between these and our domain with respect to DNS. The dns servers in our upgraded domain do not have the _msdcs forward lookup zone along with the forward lookup zone for our domain. There is a _msdcs zone inside our domain forward look up zone however. Is this a problem and if so, how do I get the _msdcs forward lookup zone added? Thanks

Re: _msdcs Zone Question "Kevin D. Goodknecht Sr. [MVP]" <admin[ at ]nospam.WFTX.US> 7/1/2007 1:01:00 AM Read inline please. In news:1183225621.812066.109920[ at ]o11g2000prd.googlegroups.com, tman <naves.tom[ at ]gmail.com> typed: [Quoted Text] > We recently did an upgrade of our NT 4 domain. We now have two > Windows 2003 DCs each of which is a DNS server. The zones are AD > integrated. We are still in interim mode. We only have one domain. > Everthing works properly. I set up a couple of DCs on a VMware system > to practive disaster recover. I noticed a difference between these > and our domain with respect to DNS. > > The dns servers in our upgraded domain do not have the _msdcs forward > lookup zone along with the forward lookup zone for our domain. There > is a _msdcs zone inside our domain forward look up zone however. > > Is this a problem and if so, how do I get the _msdcs forward lookup > zone added? It is not a big problem as long as you have a single domain and the _msdcs sub domain in the zone for your AD domain is actually a sub domain with all the Netlogon registered SRV, CNAME and A records. If the _msdcs, is a delegation, containing only NS records, then you need to go ahead and create the _msdcs.<ADForestName> Forward Lookup zone, store it in AD replicate it to all DNS servers in the forest. then run ipconfig /flushdns and restart the Netlogon service on all DCs. Otherwise, if you want it to have the zone to replicate the default behavior, create the new zone as noted previously, then delete the _msdcs sub domain in the domain zone, and create a _msdcs Delegation with NS records for all DCs in the Forest. -- Best regards, Kevin D. Goodknecht Sr. [MVP] Hope This Helps =================================== When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue, to respond directly to me remove the nospam. from my email address. =================================== http://www.lonestaramerica.com/ http://support.wftx.us/ http://message.wftx.us/ =================================== Use Outlook Express?... Get OE_Quotefix: It will strip signature out and more http://home.in.tum.de/~jain/software/oe-quotefix/ =================================== Keep a back up of your OE settings and folders with OEBackup: http://www.oehelp.com/OEBackup/Default.aspx ===================================

Re: _msdcs Zone Question tman <naves.tom[ at ]gmail.com> 7/1/2007 7:05:26 PM On Jun 30, 6:01 pm, "Kevin D. Goodknecht Sr. [MVP]" <a...[ at ]nospam.WFTX.US> wrote: [Quoted Text] > Read inline please. > > Innews:1183225621.812066.109920[ at ]o11g2000prd.googlegroups.com, > tman <naves....[ at ]gmail.com> typed: > > > We recently did an upgrade of our NT 4 domain. We now have two > > Windows 2003 DCs each of which is a DNS server. The zones are AD > > integrated. We are still in interim mode. We only have one domain. > > Everthing works properly. I set up a couple of DCs on a VMware system > > to practive disaster recover. I noticed a difference between these > > and our domain with respect to DNS. > > > The dns servers in our upgraded domain do not have the _msdcs forward > > lookup zone along with the forward lookup zone for our domain. There > > is a _msdcs zone inside our domain forward look up zone however. > > > Is this a problem and if so, how do I get the _msdcs forward lookup > > zone added? > > It is not a big problem as long as you have a single domain and the _msdcs > sub domain in the zone for your AD domain is actually a sub domain with all > the Netlogon registered SRV, CNAME and A records. If the _msdcs, is a > delegation, containing only NS records, then you need to go ahead and create > the _msdcs.<ADForestName> Forward Lookup zone, store it in AD replicate it > to all DNS servers in the forest. then run ipconfig /flushdns and restart > the Netlogon service on all DCs. > > Otherwise, if you want it to have the zone to replicate the default > behavior, create the new zone as noted previously, then delete the _msdcs > sub domain in the domain zone, and create a _msdcs Delegation with NS > records for all DCs in the Forest. > > -- > Best regards, > Kevin D. Goodknecht Sr. [MVP] > Hope This Helps > > =================================== > When responding to posts, please "Reply to Group" > via your newsreader so that others may learn and > benefit from your issue, to respond directly to > me remove the nospam. from my email address. > ===================================http://www.lonestaramerica.com/http://support.wftx.us/http://message.wftx.us/ > =================================== > Use Outlook Express?... Get OE_Quotefix: > It will strip signature out and morehttp://home.in.tum.de/~jain/software/oe-quotefix/ > =================================== > Keep a back up of your OE settings and folders > with OEBackup:http://www.oehelp.com/OEBackup/Default.aspx > =================================== In my Forward Lookup Zones there is only one zone: mydomain.com. Inside of it there is the _msdcs folder (zone? subdomain?) Inside this folder are 4 others: dc, domains, gc, and pdc. there are also 2 CNAME records. They are encrypted and one refers to one of my two DCs and one refers to the other. The _msdcs folder is replicated to the dns server on the other DC. Does this sound correct? Will this be a problem if I add another domain later? I am sorry but I did not understand your explanation above. Thanks.

Re: _msdcs Zone Question "Kevin D. Goodknecht Sr. [MVP]" <admin[ at ]nospam.WFTX.US> 7/1/2007 7:43:23 PM Read inline please. In news:1183316726.090958.189940[ at ]e9g2000prf.googlegroups.com, tman <naves.tom[ at ]gmail.com> typed: [Quoted Text] > In my Forward Lookup Zones there is only one zone: mydomain.com. > Inside of it there is the _msdcs folder (zone? subdomain?) Inside > this folder are 4 others: dc, domains, gc, and pdc. there are also 2 > CNAME records. They are encrypted and one refers to one of my two DCs > and one refers to the other. The _msdcs folder is replicated to the > dns server on the other DC. Does this sound correct? It sounds OK. What is the Replication set to on this zone? > > Will this be a problem if I add another domain later? I am sorry but > I did not understand your explanation above. Answer: It depends on what replication partition the mydomain.com zone is in. If you add another domain later, there are records that must be registered by all DC in the _msdcs subdomain. So if the mydomain.com zone doesn't replicate to the DCs in the new domain it will be a problem. The reason there should be a delegated _msdcs.mydomain.com zone is because this zone is supposed to be in the ForestDNSZones replication partition, which would replicate too all Win2k3 DCs w/DNS installed in the entire forest. By default the mydomain.com zone, is in the MicrosoftDNS Partition, which replicates to all Domain Controllers in its domain (including Win2k DCs). While neither the ForestDNSZones nor DomainDNSZones partitions will replicate to Win2k. If however, the Mydomain.com zone is in the ForestDNSZones partition, this conversation is moot because the entire mydomain.com zone will replicate to all Win2k3 DC's w/DNS installed in the forest. Which would be just as well as long as you have no Win2k DCs as DNS servers. -- Best regards, Kevin D. Goodknecht Sr. [MVP] Hope This Helps =================================== When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue, to respond directly to me remove the nospam. from my email address. =================================== http://www.lonestaramerica.com/ http://support.wftx.us/ http://message.wftx.us/ =================================== Use Outlook Express?... Get OE_Quotefix: It will strip signature out and more http://home.in.tum.de/~jain/software/oe-quotefix/ =================================== Keep a back up of your OE settings and folders with OEBackup: http://www.oehelp.com/OEBackup/Default.aspx ===================================

Re: _msdcs Zone Question tman <naves.tom[ at ]gmail.com> 7/2/2007 1:20:34 AM On Jul 1, 12:43 pm, "Kevin D. Goodknecht Sr. [MVP]" <a...[ at ]nospam.WFTX.US> wrote: [Quoted Text] > Read inline please. > > Innews:1183316726.090958.189940[ at ]e9g2000prf.googlegroups.com, > tman <naves....[ at ]gmail.com> typed: > > > In my Forward Lookup Zones there is only one zone: mydomain.com. > > Inside of it there is the _msdcs folder (zone? subdomain?) Inside > > this folder are 4 others: dc, domains, gc, and pdc. there are also 2 > > CNAME records. They are encrypted and one refers to one of my two DCs > > and one refers to the other. The _msdcs folder is replicated to the > > dns server on the other DC. Does this sound correct? > > It sounds OK. What is the Replication set to on this zone? > > > > > Will this be a problem if I add another domain later? I am sorry but > > I did not understand your explanation above. > > Answer: It depends on what replication partition the mydomain.com zone is > in. How do I tell what replication partition a zone is in. Is it in the properties of the zone where it says: Replication: To all DNS servers in the Active Directory domain or Replication: To all DNS servers in the Active Directory forest? I am oviously new to Active Directory DNS. Thanks

Re: _msdcs Zone Question "Kevin D. Goodknecht Sr. [MVP]" <admin[ at ]nospam.WFTX.US> 7/2/2007 5:41:16 AM Read inline please. In news:1183339234.021276.296110[ at ]x35g2000prf.googlegroups.com, tman <naves.tom[ at ]gmail.com> typed: [Quoted Text] >>> Will this be a problem if I add another domain later? I am sorry >>> but I did not understand your explanation above. >> >> Answer: It depends on what replication partition the mydomain.com >> zone is in. > > How do I tell what replication partition a zone is in. Is it in the > properties of the zone where it says: > > Replication: To all DNS servers in the Active Directory domain or > Replication: To all DNS servers in the Active Directory forest? Yes. But I don't recommend switching it from one partition to another without first pointing all DCs to just one. Then on that DC, clear the Store in Active Directoy box, then forcing replication and waiting until the zone disappears on the other DCs. After the zone disappears on the other DCs, then change the zone back to AD, set your replication to the correct partition. After the zone reappears on the other DCs, you can start pointing them to each other. If you don't do this, you can end up with the zone in two partitions causing a zone conflict error which can be even more difficult to clear up. -- Best regards, Kevin D. Goodknecht Sr. [MVP] Hope This Helps =================================== When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue, to respond directly to me remove the nospam. from my email address. =================================== http://www.lonestaramerica.com/ http://support.wftx.us/ http://message.wftx.us/ =================================== Use Outlook Express?... Get OE_Quotefix: It will strip signature out and more http://home.in.tum.de/~jain/software/oe-quotefix/ =================================== Keep a back up of your OE settings and folders with OEBackup: http://www.oehelp.com/OEBackup/Default.aspx ===================================