
Restoring the Separate _msdcs Zone in DNS
Author: Rob Golding
Email: rob@maxms.net
Published: 9th February 2008
Category: Windows Server
Sub-Category: DNS


This article describes a task that is less a crucial part of maintaining an Active Directory 2003 network and more an aesthetic one. If you are well-seasoned in installing brand new Active Directory domains, then you will probably know what I am talking about when I describe the separate _msdcs.domain.name zone in DNS. This zone is created when you let the Active Directory Installation Wizard configure DNS for you (I always do), and in my opinion it is much neater than leaving the _msdcs folder inside the domain name's zone.

So, if you have found yourself rebuilding DNS and having the _msdcs folder pop back into your domain zone, I will explain below how to pull that folder back out into a separate zone once again.




Note: First off, I should say that this process gets more and more risky as the number of clients (and Domain Controllers more importantly) increases. This is because it involves deleting the SRV records for every DC in DNS. These are easily restored by restarting the netlogon service, especially when only one DC is involved. In all cases, make a system state backup of the domain controller, so that if something does go wrong you can restore the DNS data. This process will not enhance the operation of your network, it is simply an aesthetic issue which I, being as stupid as I am, felt I had to correct - no matter what the risks involved were!

So that said, here we go:

Firstly, take the seemingly drastic step of deleting the _msdcs folder in your DNS zone.

[Screenshot: Delete _msdcs]

Once that's gone, we need to replace it with a delegation, to point to the new zone. So, right click your DNS zone and select New Delegation from the context menu.

[Screenshot: New Delegation]

Click next at the first screen of the wizard when it appears, and enter _msdcs in the "Delegated Domain" box on the second screen. The bottom box should then read "_msdcs.domain.name" (where domain.name is your full domain name of course).


Then, add the list of your DNS servers into the next screen. I only have one, my DC, so this was a simple process. This is where that note comes in - the more DCs, DNS Servers, and clients you have, the more complicated this whole process becomes. Once that's done, finish the wizard, and you should see something like this:

[Screenshot: Delegation]

Now all that's left to do is to create the new zone to hold the _msdcs data, and populate it. So, create a new DNS zone, and make it a Primary, Active Directory Integrated zone. Next, choose where to replicate it to: all DNS servers in the domain, or all in the forest. This should really just be the same as your original zone, which will normally be "All DNS Servers in the Domain". Call the zone _msdcs.domain.name, where domain.name is again your full domain name (or FQDN, Fully Qualified Domain Name). In my case, it was _msdcs.golding.local. Click next, then leave the default of "Allow only secure dynamic updates" selected, and finish the wizard.

Now you will have an empty zone called _msdcs.domain.name. To populate it with that all-important data, simply restart the netlogon service on all the DCs - making sure they are pointing to this server for resolution (which they should be anyway). Once the service restarts, your shiny new zone should be full of SRV records. A bit like this hopefully:

[Screenshot: the populated _msdcs zone]
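The same sequence (export the old records, delete the _msdcs folder, add the delegation, create the secure-update-only AD-integrated zone, restart Netlogon, verify) can be scripted. The script below is an added example, not part of the original article, and it uses the DnsServer PowerShell module that ships with Windows Server 2012 and later (and RSAT), which post-dates the Server 2003 console walkthrough above. The domain name, DC name and IP address are placeholders you must replace, and it is meant to be run in an elevated session on the DC that hosts the domain zone, after the system state backup the note above calls for.

```powershell
# Added example (not from the original article): moves _msdcs out of the domain
# zone into its own AD-integrated zone using the DnsServer module.
# Placeholders: $Domain, $DcFqdn and $DcIp are NOT real values.
param(
    [string]$Domain = 'domain.name',        # placeholder: your AD DNS domain
    [string]$DcFqdn = 'dc1.domain.name',    # placeholder: DNS server named in the delegation
    [string]$DcIp   = '192.0.2.10',         # placeholder: its address (documentation range)
    [string]$Export = "$env:TEMP\msdcs-records.xml"
)

$ErrorActionPreference = 'Stop'
$MsdcsZone = "_msdcs.$Domain"

# 1. Safety net: export every record under the _msdcs node before touching it.
#    This is in addition to, not instead of, the system state backup.
$old = Get-DnsServerResourceRecord -ZoneName $Domain |
       Where-Object { $_.HostName -eq '_msdcs' -or $_.HostName -like '*._msdcs' }
if (-not $old) { throw "No _msdcs records found in $Domain; nothing to move." }
$old | Export-Clixml -Path $Export
Write-Host "Exported $($old.Count) records to $Export"

# 2. Delete the _msdcs folder (the node and everything beneath it) from the domain zone.
foreach ($rr in $old) {
    Remove-DnsServerResourceRecord -ZoneName $Domain -InputObject $rr -Force
}

# 3. Replace it with a delegation to the DNS server(s) that will host the new zone.
Add-DnsServerZoneDelegation -Name $Domain -ChildZoneName '_msdcs' `
    -NameServer $DcFqdn -IPAddress $DcIp

# 4. Create the AD-integrated primary zone, replicated domain-wide, accepting
#    only secure dynamic updates (the wizard default the article keeps).
Add-DnsServerPrimaryZone -Name $MsdcsZone -ReplicationScope Domain -DynamicUpdate Secure

# 5. Re-register this DC's SRV records. Repeat on every other DC; each must be
#    resolving through this DNS server for the registrations to land here.
Restart-Service -Name Netlogon

# 6. Verify: the zone must still refuse non-secure updates, and the DC locator
#    record must resolve through the delegation.
$zone = Get-DnsServerZone -Name $MsdcsZone
if ($zone.DynamicUpdate -ne 'Secure') {
    throw "$MsdcsZone is not set to secure-only dynamic updates."
}

Start-Sleep -Seconds 10   # give Netlogon a moment to register its records
$srv = Resolve-DnsName -Name "_ldap._tcp.dc.$MsdcsZone" -Type SRV -Server $DcIp
if (-not $srv) {
    throw "No SRV records in $MsdcsZone yet; check the DNS Server and Netlogon event logs."
}
$srv | Format-Table Name, NameTarget, Port -AutoSize
```

The record-by-record loop in step 2 is the cmdlet equivalent of deleting the folder in the console; on older servers the legacy one-shot form is `dnscmd /NodeDelete domain.name _msdcs /tree /f`. If step 6 fails, the exported records in `$Export` show exactly what was removed, and the system state backup restores the DNS data wholesale.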

And there we are. Although this process doesn't make DNS work any better than it did before, I just think it looks much neater, and I much prefer it to the alternative configuration. Of course, this is a matter of opinion and I am certainly not recommending everyone out there follow this process - as it is not without its risks.
