re-creating _msdcs zone using dnscmd.exe

Guest

G'Day everyone,

If the scripting list is more appropriate I apologise in advance - also names have been changed to protect the innocent ;-)

The environment is comprised of W2K SP4 servers running in native mode, with two domains, a root place holder (example.com) and a child domain (child.example.com).

What I want to achieve is to redelegate the _msdcs node as a separate AD zone replicated to the child domain. I have to perform this via automation. I use dnscmd.exe executed from within a vbscript (which does other installation and configuration also).

I have no problem performing this task via the GUI, however when I use the dnscmd.exe tool to configure this I get 4010 errors in the DNS Event Log. There are several variants on the same ID:

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4010
Date: 13/01/2004
Time: 15:27:31
User: N/A
Computer: SERVER1
Description:
The DNS server was unable to load a resource record (RR) from the directory at _ldap._tcp.dc._msdcs.example.com. in zone example.com. Use the DNS console to recreate this RR or check that the Active Directory is functioning properly and reload the zone. The event data contains the error.
Data:
0000: 7b 00 00 00 {...

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4010
Date: 13/01/2004
Time: 15:27:31
User: N/A
Computer: SERVER1
Description:
The DNS server was unable to load a resource record (RR) from the directory at _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.example.com. in zone example.com. Use the DNS console to recreate this RR or check that the Active Directory is functioning properly and reload the zone. The event data contains the error.
Data:
0000: 7b 00 00 00 {...

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4010
Date: 13/01/2004
Time: 15:27:31
User: N/A
Computer: SERVER1
Description:
The DNS server was unable to load a resource record (RR) from the directory at _ldap._tcp.gc._msdcs.example.com. in zone example.com. Use the DNS console to recreate this RR or check that the Active Directory is functioning properly and reload the zone. The event data contains the error.
Data:
0000: 7b 00 00 00 {...

I can resolve this by:
1) deleting the _msdcs.example.com zone, and the _msdcs (delegated) node under the example.com domain.
2) stop and restart the netlogon service

MANUAL PROCESS
The _msdcs is replaced as a node beneath example.com again. Via the GUI I can delete this node, and create a new forward lookup zone called _msdcs.example.com and everything works fine (all the sub nodes beneath _msdcs are present). No further errors appear in the Event Log.

AUTOMATED PROCESS
The manual process above works fine. If I translate that into dnscmd.exe steps (below):
1) dnscmd.exe . /deletenode example.com _msdcs /f
2) dnscmd.exe . /zoneadd _msdcs.example.com /DsPrimary

I appear to get the same result. The errors go away and the zone is present, however none of the nodes beneath _msdcs.example.com are present.

I did a further test where I manually deleted the node (step 1 above) and used dnscmd.exe to recreate the zone, and the issue persisted. If I use the dnscmd.exe to delete the node and create it again by hand (step 2 above) it also works fine. This indicates that dnscmd.exe has an issue creating this zone correctly.

Can anyone offer a solution to this, or provide further information? I am wondering if this might be better done through WMI?

TIA

Adam
 
Kevin D. Goodknecht [MVP]

In Adam Bell <[email protected]> posted a question
Then Kevin replied below:
: G'Day everyone,
:
: If the scripting list is more appropriate I apologise in advance -
: also names have been changed to protect the innocent ;-)
:
: The environment is comprised of W2K SP4 servers running in native
: mode, with two domains, a root place holder (example.com) and a child
: domain (child.example.com).
:
: What I want to achieve is to redelegate the _msdcs node as a separate
: AD zone replicated to the child domain. I have to perform this via
: automation. I use dnscmd.exe executed from within a vbscript (which
: does other installation and configuration also).
:
: I have no problem performing this task via the GUI, however when I
: use the dnscmd.exe tool to configure this I get 4010 errors in the
: DNS Event Log. There are several variants on the same ID:
:
: Event Type: Error
: Event Source: DNS
: Event Category: None
: Event ID: 4010
: Date: 13/01/2004
: Time: 15:27:31
: User: N/A
: Computer: SERVER1
: Description:
: The DNS server was unable to load a resource record (RR) from the
: directory at _ldap._tcp.dc._msdcs.example.com. in zone example.com.
: Use the DNS console to recreate this RR or check that the Active
: Directory is functioning properly and reload the zone. The event data
: contains the error.
: Data:
: 0000: 7b 00 00 00 {...
:
: Event Type: Error
: Event Source: DNS
: Event Category: None
: Event ID: 4010
: Date: 13/01/2004
: Time: 15:27:31
: User: N/A
: Computer: SERVER1
: Description:
: The DNS server was unable to load a resource record (RR) from the
: directory at
: _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.example.com. in
: zone example.com. Use the DNS console to recreate this RR or check
: that the Active Directory is functioning properly and reload the
: zone. The event data contains the error. Data: 0000: 7b 00 00 00
: {...
:
: Event Type: Error
: Event Source: DNS
: Event Category: None
: Event ID: 4010
: Date: 13/01/2004
: Time: 15:27:31
: User: N/A
: Computer: SERVER1
: Description:
: The DNS server was unable to load a resource record (RR) from the
: directory at _ldap._tcp.gc._msdcs.example.com. in zone example.com.
: Use the DNS console to recreate this RR or check that the Active
: Directory is functioning properly and reload the zone. The event data
: contains the error.
: Data:
: 0000: 7b 00 00 00 {...
:
: I can resolve this by:
: 1) deleting the _msdcs.example.com zone, and the _msdcs (delegated)
: node under the example.com domain. 2) stop and restart the netlogon
: service
:
: MANUAL PROCESS
: The _msdcs is replaced as a node beneath example.com again. Via the
: GUI I can delete this node, and create a new forward lookup zone
: called _msdcs.example.com and everything works fine (all the sub
: nodes beneath _msdcs are present). No further errors appear in the
: Event Log.
:
: AUTOMATED PROCESS
: The manual process above works fine. If I translate that into
: dnscmd.exe steps (below): 1) dnscmd.exe . /deletenode example.com
: _msdcs /f 2) dnscmd.exe . /zoneadd _msdcs.example.com /DsPrimary
:
: I appear to get the same result. The errors go away and the zone is
: present, however none of the nodes beneath _msdcs.example.com are
: present.
:
: I did a further test where I manually deleted the node (step 1 above)
: and used dnscmd.exe to recreate the zone, and the issue persisted. If
: I use the dnscmd.exe to delete the node and create it again by hand
: (step 2 above) it also works fine. This indicates that dnscmd.exe has
: an issue creating this zone correctly.
:
: Can anyone offer a solution to this, or provide further information?
: I am wondering if this might be better done through WMI?
:
: TIA
:
: Adam

This is something similar to the way that Win2k3 works, but in Win2k a zone
will not replicate from the parent to the child.
That being said, this might work: in the example.com zone, delegate _msdcs to
the DNS servers on DCs in both the child and the parent, then create
_msdcs.example.com AD-integrated zones on both the child and parent DCs.
I haven't tried it, but it sounds like it might work.
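The following is an added example and is not code from either poster or from Microsoft. It scripts the steps Kevin suggests above (delegate _msdcs from example.com, then create _msdcs.example.com as an AD-integrated zone on DCs in both domains) together with the Netlogon restart from Adam's manual process, checking each dnscmd.exe call for failure instead of letting a broken step go unnoticed the way a plain batch file would. It assumes things the thread does not state: that it runs on the forest-root DC under an account in Enterprise Admins, that dnscmd.exe from the Support Tools is on the PATH, that dnscmd and net return a non-zero exit code on failure, and that dnscmd exits non-zero when asked to enumerate a node that does not exist. The server names are placeholders. The verb is written /NodeDelete (the spelling in the dnscmd reference) where Adam's post has /deletenode.

```vbscript
Option Explicit

' Added example: re-create _msdcs.example.com as a delegated, AD-integrated
' zone via dnscmd.exe, aborting on the first failed step.
' Assumptions (not from the thread): run on the root DC as Enterprise Admin,
' dnscmd.exe on the PATH, dnscmd/net exit non-zero on failure, placeholder
' host names below.

Const ROOT_ZONE  = "example.com"
Const MSDCS_ZONE = "_msdcs.example.com"

' DNS servers on DCs that will hold the new zone: one in the parent domain,
' one in the child (placeholders). Trailing dots make the NS data absolute.
Dim dnsServers : dnsServers = Array("dc1.example.com.", "dc1.child.example.com.")

Dim shell : Set shell = CreateObject("WScript.Shell")

' Run one command hidden and wait for it; quit on a non-zero exit code so a
' failed step is never silently followed by the next one.
Sub RunOrDie(cmd)
    Dim rc
    WScript.Echo "> " & cmd
    rc = shell.Run("%COMSPEC% /c " & cmd, 0, True)
    If rc <> 0 Then
        WScript.Echo "FAILED (exit code " & rc & "): " & cmd
        WScript.Quit rc
    End If
End Sub

' True when cmd exits 0; used for the read-only verification at the end.
Function Succeeds(cmd)
    Succeeds = (shell.Run("%COMSPEC% /c " & cmd, 0, True) = 0)
End Function

Dim srv, host

' 1) Remove the _msdcs subtree from the root zone. /f answers the
'    confirmation prompt, which would otherwise hang an unattended run.
RunOrDie "dnscmd . /NodeDelete " & ROOT_ZONE & " _msdcs /tree /f"

' 2) Delegate _msdcs to the servers that will host it: one NS record per
'    server at the _msdcs node of example.com. No glue records are added
'    because the NS targets live in zones these servers already resolve.
For Each srv In dnsServers
    RunOrDie "dnscmd . /RecordAdd " & ROOT_ZONE & " _msdcs NS " & srv
Next

' 3) Create _msdcs.example.com as an AD-integrated (DsPrimary) zone on each
'    server. Win2k AD-integrated zones sit in the domain partition, so the
'    child DC needs its own copy rather than replication from the parent.
For Each srv In dnsServers
    host = Left(srv, Len(srv) - 1)   ' server argument takes no trailing dot
    RunOrDie "dnscmd " & host & " /ZoneAdd " & MSDCS_ZONE & " /DsPrimary"
Next

' 4) Restart Netlogon on this DC so it re-registers its DC locator (SRV)
'    records into the new zone. The other DCs need the same restart.
RunOrDie "net stop netlogon"
RunOrDie "net start netlogon"

' 5) Verify: the _ldap._tcp.dc node named in the 4010 events must now exist
'    in the new zone with SRV data (dnscmd assumed to exit non-zero if not).
If Succeeds("dnscmd . /EnumRecords " & MSDCS_ZONE & " _ldap._tcp.dc /Type SRV") Then
    WScript.Echo "OK: _ldap._tcp.dc." & MSDCS_ZONE & " has SRV records"
Else
    WScript.Echo "MISSING: _ldap._tcp.dc." & MSDCS_ZONE & _
                 " (check Netlogon registration and the DNS event log for 4010)"
    WScript.Quit 1
End If
```

Run it with cscript so the echoed commands go to the console (cscript recreate_msdcs.vbs). The exit-code check matters for exactly the symptom Adam describes: a zone that is created but empty looks like success to a script that only fires commands, whereas the final /EnumRecords step fails loudly until Netlogon has repopulated the _msdcs subtree.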
 
Guest

Kevin,

Thanks for the reply.

This method of creating the _msdcs zone (instead of a node beneath the root domain) works fine, and I have been led to believe this is an MS Best Practice (I am not responsible for the design of AD in this scenario).

My issue lies solely with the configuration via automation, in particular the dnscmd.exe utility.

I want to avoid cross posting, but I think it might be worth trying this against the Server Scripting group also.

Thanks for your help peeps :)

Adam
 
