_msdcs.domain.com question

David Adner

I'm reading something on AD and DNS and it mentions that each of the DNS
servers should have a _msdcs.domain.com forward lookup zone. This zone
contains an SOA record and NS records for each DNS server in the
domain. Is this true? I don't have such a zone, although I do a
sub-zone(?) called _msdcs under my domain.com forward lookup zone.
 
Ulf B. Simon-Weidner

I'm reading something on AD and DNS and it mentions that each of the DNS
servers should have a _msdcs.domain.com forward lookup zone. This zone
contains an SOA record and NS records for each DNS server in the
domain. Is this true? I don't have such a zone, although I do a
sub-zone(?) called _msdcs under my domain.com forward lookup zone.

Hi David,

the main reason that this zone should be available on all DNS servers is
that the Global Catalog servers for the enterprise are looked up by the clients
using this zone. The clients need the GCs for logon when you are running in
native mode.

In a default configured Windows 2000 DNS you have _msdcs as a subdomain in
your forest-root zone. However, it's recommended that you have a separate
_msdcs.forestroot-fqdn zone which is delegated from the forestroot-fqdn zone to
the same server. That way you are able to have a secondary zone of this zone
on all DNS servers in the enterprise.

In a default WS2k3 DNS this is done, and the zone is additionally held in the
ForestDnsZones application partition of Active Directory, which is
replicated to all DNS domain controllers. So that zone is available there by
default.

However, you only need to keep the zone available if you are working with
multiple domains and multiple sites. If you have just one domain, you usually
have the forest-root zone available in the other sites anyway; if you are
running within one site, you can assume that those DNS servers are
available all the time anyway (no WAN failures).

I hope this helps you.

Gruesse - Sincerely,

Ulf B. Simon-Weidner
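The layout Ulf describes (a separate _msdcs zone, delegated from the forest-root zone, then made available on every DNS server), as an added PowerShell example that is not from the thread. It uses the DnsServer module of Windows Server 2012 and later rather than the Windows 2000 console; company.com, dc1.company.com, the corp.company.com servers and all addresses are placeholders. The last step is the check a practitioner wants: that each DNS server answers the GC locator query clients use at logon.

```powershell
# Added example, not from the thread. Placeholders: company.com is the forest root,
# dc1.company.com hosts the company.com zone, the other names are DNS servers in the
# child domain corp.company.com. Needs the DnsServer module and DNS admin rights.
$ForestRoot = 'company.com'
$MsdcsZone  = "_msdcs.$ForestRoot"
$RootDns    = 'dc1.company.com'
$RootDnsIp  = '10.0.0.10'
$AllDns     = 'dc1.company.com', 'dc1.corp.company.com', 'dc2.corp.company.com'

# 1. Make _msdcs.company.com a zone of its own, stored in the ForestDnsZones
#    application partition so every DNS-DC in the forest replicates it (the
#    WS2k3 default). Secure dynamic update lets the DCs register their own
#    GC/PDC/DC locator records without opening the zone to anyone else.
if (-not (Get-DnsServerZone -ComputerName $RootDns -Name $MsdcsZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -ComputerName $RootDns -Name $MsdcsZone `
        -ReplicationScope Forest -DynamicUpdate Secure
}

# 2. Delegate _msdcs from the forest-root zone to the server that now hosts it, so a
#    resolver walking down from company.com is referred to the new zone instead of
#    the stale _msdcs subdomain records left in company.com. Remove those old
#    records first and run "nltest /dsregdns" on each DC afterwards so Netlogon
#    re-registers its SRV records into the new zone.
Add-DnsServerZoneDelegation -ComputerName $RootDns -Name $ForestRoot `
    -ChildZoneName '_msdcs' -NameServer $RootDns -IPAddress $RootDnsIp

# Windows 2000 style alternative from the thread: no application partitions, so the
# other servers pull a file-backed secondary. Restrict transfers to those servers.
#   Set-DnsServerPrimaryZone -ComputerName $RootDns -Name $MsdcsZone `
#       -SecureSecondaries TransferToSecureServers -SecondaryServers 10.1.0.10, 10.1.0.11
#   Add-DnsServerSecondaryZone -ComputerName dc1.corp.company.com -Name $MsdcsZone `
#       -ZoneFile "$MsdcsZone.dns" -MasterServers $RootDnsIp

# 3. Check the part clients care about: every DNS server must answer the GC locator
#    query used at logon. -DnsOnly bypasses the local cache and LLMNR; -Server asks
#    each server directly instead of whatever the management host is configured to use.
function Test-GcLocator {
    param([string[]]$DnsServers, [string]$Zone)
    $name = "_ldap._tcp.gc.$Zone"
    foreach ($server in $DnsServers) {
        try {
            $srv = @(Resolve-DnsName -Name $name -Type SRV -Server $server -DnsOnly -ErrorAction Stop |
                     Where-Object Type -eq 'SRV')
            [pscustomobject]@{ Server = $server; GcRecords = $srv.Count
                               Targets = ($srv.NameTarget | Sort-Object) -join ', ' }
        } catch {
            [pscustomobject]@{ Server = $server; GcRecords = 0; Targets = "FAILED: $($_.Exception.Message)" }
        }
    }
}
Test-GcLocator -DnsServers $AllDns -Zone $MsdcsZone | Format-Table -AutoSize
```

A server that reports FAILED or zero records is one whose clients cannot locate a GC when the WAN to the forest root is down, which is exactly the failure the separate zone is meant to prevent.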
 
David Adner

Ok, I got it. I knew the _msdcs domain should be available to all DNS
servers; I just hadn't thought it through and figured out that this is
how you accomplish it.
 
Kevin D. Goodknecht [MVP]

David Adner posted a question
Then Kevin replied below:
: I'm reading something on AD and DNS and it mentions that each of the
: DNS servers should have a _msdcs.domain.com forward lookup zone.
: This zone contains an SOA record and NS records for each DNS server
: in the domain. Is this true? I don't have such a zone, although I
: do a sub-zone(?) called _msdcs under my domain.com forward lookup
: zone.

You posted this in the Win2000 group; this zone applies to Windows Server
2003.
Do you have Win2k?
 
Ulf B. Simon-Weidner

Kevin D. Goodknecht said:
David Adner posted a question
Then Kevin replied below:
: W2K

Win2k does not have this zone, you have the subzones.


--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================

Hi Kevin,

I'm sure you know it, but to clarify for David: if you have W2k and multiple
domains, create the _msdcs.%forestroot-fqdn% zone yourself and do a zone transfer
to the other domains; see my post earlier in this thread.

Gruesse - Sincerely,

Ulf B. Simon-Weidner
 
David Adner

What we did, which is probably a bit unorthodox and maybe foolish, is:

Forest Root (company.com)
Corp (corp.company.com)

Made all the corp.mandtbank.com DNS servers primary for both company.com
and corp.company.com. We have 2 of the FR DC/DNS servers as secondary
DNS servers in case all of the Corp DNS servers were ever to go down
simultaneously.

I'd do it the way described in this thread if I were doing it all over
again. Then again, is our design really that bad? It seems to work
fine for us, but I'm not sure if we're setting ourselves up for problems
in the future.
 
Kevin D. Goodknecht [MVP]

David Adner posted a question
Then Kevin replied below:
: What we did, which is probably a bit unorthodox and maybe foolish, is:
:
: Forest Root (company.com)
: Corp (corp.company.com)
:
: Made all the corp.mandtbank.com DNS servers primary for both
: company.com and corp.company.com. We have 2 of the FR DC/DNS servers
: as secondary DNS servers in case all of the Corp DNS servers were to
: ever all go down simultaneously.
:
: I'd do it the way described in this thread if I were doing it all over
: again. Then again, is our design really that bad? It seems to work
: fine for us, but I'm not sure if we're setting ourselves up for
: problems in the future.
:
No, I don't think it is so bad; I probably would have done it differently. I
would have made the forest root DNS servers the company-wide DNS. It is
unlikely that you will have a DNS failure unless you are forwarding them to
each other. Losing the Global Catalog server can cause a bigger problem than
losing a DNS. That is because unless you have added a Global Catalog to any
of your DCs, you probably only have one. DCPROMO only puts the Global
Catalog on the first DC in the forest; the GC is required for machine and
user logon, and it is also required before Exchange will start.
You can lose your GC for a few days before it will affect current users
because your credentials are cached, but new users cannot log on without the
GC unless you override the GC requirement. Exchange will just flatly refuse
to start.
Personally I would keep the GC and DNS on the FR DCs, and have a FR DC at
all locations. But that is just my choice and my opinion. Under most
circumstances though the FR DC doesn't do much because most of the users are
in the child domains.
 
David Adner

: Made all the corp.company.com DNS servers primary for both
: company.com and corp.company.com. We have 2 of the FR DC/DNS servers
: as secondary DNS servers in case all of the Corp DNS servers were to
: ever all go down simultaneously.
No, I don't think it is so bad; I probably would have done it differently. I
would have made the forest root DNS servers the company-wide DNS. It is
unlikely that you will have a DNS failure unless you are forwarding them to
each other. Losing the Global Catalog server can cause a bigger problem than
losing a DNS. That is because unless you have added a Global Catalog to any
of your DCs, you probably only have one. DCPROMO only puts the Global
Catalog on the first DC in the forest; the GC is required for machine and
user logon, and it is also required before Exchange will start.
You can lose your GC for a few days before it will affect current users
because your credentials are cached, but new users cannot log on without the
GC unless you override the GC requirement. Exchange will just flatly refuse
to start.
Personally I would keep the GC and DNS on the FR DCs, and have a FR DC at
all locations. But that is just my choice and my opinion. Under most
circumstances though the FR DC doesn't do much because most of the users are
in the child domains.

We have all DC's as GC's atm, so that shouldn't be a concern. Our
forest root is empty, so I don't want to deploy those DC's throughout
the enterprise, which is why we made the corp DC's hold the root and
corp DNS zones.
 
Ace Fekay [MVP]

David Adner said:
We have all DC's as GC's atm, so that shouldn't be a concern. Our
forest root is empty, so I don't want to deploy those DC's throughout
the enterprise, which is why we made the corp DC's hold the root and
corp DNS zones.

David, didn't we have a similar discussion in the AD newsgroups about
delegation?

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
David Adner

Ace Fekay said:
David, didn't we have a similar discussion in the AD newsgroups about
delegation?

Maybe? I ask a lot of questions. :) I know our design is unorthodox
and I'd do it differently a second time.

Do delegations work differently than establishing secondaries?
 
Ace Fekay [MVP]

David Adner said:
Maybe? I ask a lot of questions. :) I know our design is unorthodox
and I'd do it differently a second time.

Do delegations work differently than establishing secondaries?

Delegations are for allowing a child domain DNS server to control the child
domain's zone. You have to tell the parent DNS server that the child DNS
server is controlling that zone. Then you would forward to the parent from
the child DNS server, and from the parent DNS server you would forward to
the ISP.

255248 - HOW TO Create a Child Domain in Active Directory and Delegate the
DNS Namespace to the Child Domain:
http://support.microsoft.com/?id=255248


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
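Ace's layout (the child zone on the child domain's DNS server, a delegation for it in the parent zone, and forwarding child to parent to ISP), as an added PowerShell example that is not from the thread. It uses the DnsServer module of Windows Server 2012 and later rather than the Windows 2000 console; all host names and addresses are placeholders. The last two commands show the difference between a delegation and a secondary zone that is asked about in this thread: on the parent a delegation is nothing but NS records under the child's name, while a secondary would be a complete copy of the zone.

```powershell
# Added example, not from the thread. Placeholders: dc1.company.com (10.0.0.10) hosts the
# parent zone company.com, dc1.corp.company.com (10.1.0.10) hosts corp.company.com, and
# 192.0.2.53 stands in for the ISP's resolver. Needs the DnsServer module and admin
# rights on both servers.
$ParentZone  = 'company.com'
$ParentDns   = 'dc1.company.com'
$ParentDnsIp = '10.0.0.10'
$ChildLabel  = 'corp'
$ChildZone   = "$ChildLabel.$ParentZone"
$ChildDns    = 'dc1.corp.company.com'
$ChildDnsIp  = '10.1.0.10'
$IspDns      = '192.0.2.53'

# 1. Child side: the child domain's DNS server is primary for its own zone and
#    controls its contents; the parent never holds a copy.
if (-not (Get-DnsServerZone -ComputerName $ChildDns -Name $ChildZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -ComputerName $ChildDns -Name $ChildZone `
        -ReplicationScope Domain -DynamicUpdate Secure
}

# 2. Parent side: the delegation is nothing more than NS records (plus glue A records)
#    for "corp" inside company.com that name the child's servers.
Add-DnsServerZoneDelegation -ComputerName $ParentDns -Name $ParentZone `
    -ChildZoneName $ChildLabel -NameServer $ChildDns -IPAddress $ChildDnsIp

# 3. Forwarding chain child -> parent -> ISP. Each server answers from the zones it
#    holds (and follows the delegations it holds) and forwards everything else up one
#    level. Forward only upward: pointing parent and child at each other is the
#    forwarding loop Kevin warns about earlier in the thread.
Set-DnsServerForwarder -ComputerName $ChildDns  -IPAddress $ParentDnsIp
Set-DnsServerForwarder -ComputerName $ParentDns -IPAddress $IspDns

# 4. Show what each side really stores. With a secondary instead, the copying server
#    would report ZoneType 'Secondary' for corp.company.com and pull the data by zone
#    transfer rather than holding only a referral.
Get-DnsServerResourceRecord -ComputerName $ParentDns -ZoneName $ParentZone -Name $ChildLabel -RRType NS |
    Select-Object HostName, @{ n = 'NameServer'; e = { $_.RecordData.NameServer } }
Get-DnsServerZone -ComputerName $ChildDns -Name $ChildZone |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate
```

The security point of the split: the child's DNS administrators can change corp.company.com without any write access to the parent zone, and the parent's servers expose only the referral, not the child's records.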
 
David Adner

Ace Fekay said:
Delegations are for allowing a child domain DNS server to control the child
domain's zone. You have to tell it the parent DNS server that the child DNS
server is controlling that zone. Then you would forward to the parent from
teh child DNS server, then from the parent DNS server, you would forward to
the ISP.

255248 - HOW TO Create a Child Domain in Active Directory and Delegate the
DNS Namespace to the Child Domain:
http://support.microsoft.com/?id=255248

I actually read this article the other night from another thread. :) If
I understand it right, the delegation is just a wizard-like way of
creating a child zone that knows how to refer to its parent zone...?
Like, I can create the child zones like normal and manually create the
appropriate records so they know how to find the parent zone, right?
Besides being easier, does the delegation thing do anything else?
 
