Nice AD 2003 DNS Delegation Gotcha

DNS Delegation

Active Directory uses the _msdcs.domain.local sub-domain to host SRV records. Depending on your domain structure and upgrade path, you may find this domain delegated rather than held as part of your “domain.local” zone. The conditions are in this KB article.

Now lets get tricky. Let’s say your _msdcs is delegated as in the picture above. Let’s also say over the years you replace and upgrade servers as your network grows. Sooner or later you’ll most likely replace your original domain controllers.

Well – the delegation details don’t get automatically updated with the IP of every server that hosts the zone. Nup, they are static. This means that although you may have 10 replicas scattered across your network, only the original DNS servers will be the ones listed as Authoritative. When they are replaced – presto – broken DNS and all sorts of cool errors. I recommend DCDiag /test:dns to look for things like this.

So if you are adding or removing DC’s, add _msdcs delegation to your checklist.

Now why wouldn’t MS simply have any replica automatically be listed?

One of the errors is below – Event ID 2087

Active Directory could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.

Source domain controller:

 abcdc03

Failing DNS host name:

 568a7f0d-ef3a-4fad-b7bc-5d5d8ce17ba2._msdcs.abc.com.id

NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1:

Registry Path:

HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client

User Action:

 1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller’s metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.

 2) Confirm that the source domain controller is running Active directory and is accessible on the network by typing “net view \\<source DC name>” or “ping <source DC name>”.

 3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller’s host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns

  dcdiag /test:dns

 4) Verify that that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:

  dcdiag /test:dns

 5) For further analysis of DNS error failures see KB 824449:

http://support.microsoft.com/?kbid=824449

Additional Data

Error value:

 11004 The requested name is valid, but no data of the requested type was found.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

One thought on “Nice AD 2003 DNS Delegation Gotcha”

Leave a Reply