#1

What is the present-day advice in regards to replication/transfer of the _msdcs domain for the forest root? Replicate it only to the DNS servers in the forest root, or all DNS servers in the forest? I'm having a heck of a time keeping our own _msdcs forest root zone correct on our 130'ish domain controllers. It seems like gc _ldap and the GUID CNAME records mysteriously disappear now and then for some DCs. Secure-only dynamic updates are enabled.
#2

Read inline please.

In news:C5132CEA-63B9-4385-8F36-4861ADE671AB@microsoft.com, Brian Day <bdaytech@verizon.net> typed:
> What is the present-day advice in regards to replication/transfer of
> the _msdcs domain for the forest root? Replicate it only to the DNS
> servers in the forest root, or all DNS servers in the forest? I'm
> having a heck of a time keeping our own _msdcs forest root zone
> correct on our 130'ish domain controllers. It seems like gc _ldap and
> the GUID CNAME records mysteriously disappear now and then for some
> DCs. Secure-only dynamic updates are enabled.

Actually this zone must be available to every DC and Client in the entire forest, even sister domains and child domains. Changing this zone can cause replication to fail across the entire forest because every DC in the forest has records registered in this zone.

I would suggest finding the DNS server that has scavenging enabled on this zone, it may not be easy with 130ish DCs, but there must be at least one DNS with Scavenging enabled on the zone. I guess you've noticed that every DC has records in this zone, regardless of domain, and it is these records that not only clients use to locate their DCs, but these records are used by DCs for AD replication.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
#3

Hi Kevin,

I fully understand what the zone does and what it affects. I am simply curious if there is one opinion greater than the other currently in regards to these two options:

1) Replicate to only DNS Servers in Forest Root Domain (4 DCs, all available to all DCs in forest for lookups)
2) Replicate to all DNS Servers in Forest (in our case, 13 domains and 130+ DCs)

We changed from option 1 to 2 a few months ago and that is when it started getting interesting. Checking for scavenging is going to be fun on all these things.

"Kevin D. Goodknecht Sr. [MVP]" <admin@nospam.WFTX.US> wrote in message news:uHpK9gflIHA.696@TK2MSFTNGP05.phx.gbl...
> Read inline please.
>
> In news:C5132CEA-63B9-4385-8F36-4861ADE671AB@microsoft.com,
> Brian Day <bdaytech@verizon.net> typed:
>> What is the present-day advice in regards to replication/transfer of
>> the _msdcs domain for the forest root? Replicate it only to the DNS
>> servers in the forest root, or all DNS servers in the forest? I'm
>> having a heck of a time keeping our own _msdcs forest root zone
>> correct on our 130'ish domain controllers. It seems like gc _ldap and
>> the GUID CNAME records mysteriously disappear now and then for some
>> DCs. Secure-only dynamic updates are enabled.
>
> Actually this zone must be available to every DC and Client in the entire
> forest, even sister domains and child domains. Changing this zone can cause
> replication to fail across the entire forest because every DC in the forest
> has records registered in this zone.
> I would suggest finding the DNS server that has scavenging enabled on this
> zone, it may not be easy with 130ish DCs, but there must be at least one DNS
> with Scavenging enabled on the zone. I guess you've noticed that every DC
> has records in this zone, regardless of domain, and it is these records that
> not only clients use to locate their DCs, but these records are used by DCs
> for AD replication.
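
Added example, not part of any post in this thread: one way to run the scavenging check discussed above against every DC in the forest. It assumes a management host with the ActiveDirectory and DnsServer PowerShell modules and rights to query each DNS server; the `$report` layout and the `CanScavenge` column are names made up for this example.

```powershell
# Added example (not from the thread): list which DNS servers can scavenge
# the forest-root _msdcs zone. Assumes the ActiveDirectory and DnsServer
# RSAT modules and read access to every DNS server.
Import-Module ActiveDirectory, DnsServer

$forest = Get-ADForest
$zone   = "_msdcs.$($forest.RootDomain)"

# Collect every DC in every domain of the forest.
$dcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

$report = foreach ($dc in $dcs) {
    $row = [ordered]@{
        Server = $dc.HostName; ServerScavenging = $null; ZoneAging = $null
        NoRefresh = $null; Refresh = $null; ScavengeServers = $null
        CanScavenge = $false; Note = $null
    }
    try {
        # Server-wide switch: does this DNS server run scavenging at all?
        $srv = Get-DnsServerScavenging -ComputerName $dc.HostName -ErrorAction Stop
        # Aging settings of the zone as this server sees them.
        $aging = Get-DnsServerZoneAging -Name $zone -ComputerName $dc.HostName -ErrorAction Stop

        $allowed = @($aging.ScavengeServers | Where-Object { $_ } | ForEach-Object { "$_" })
        $row.ServerScavenging = $srv.ScavengingState
        $row.ZoneAging        = $aging.AgingEnabled
        $row.NoRefresh        = $aging.NoRefreshInterval
        $row.Refresh          = $aging.RefreshInterval
        $row.ScavengeServers  = $allowed -join ','
        # A server deletes stale records only if scavenging is on for the server,
        # aging is on for the zone, and the zone's scavenge-server list is empty
        # (any server may scavenge) or names this server.
        $row.CanScavenge = $srv.ScavengingState -and $aging.AgingEnabled -and
            ($allowed.Count -eq 0 -or $allowed -contains $dc.IPv4Address)
    }
    catch {
        # DC without the DNS role, zone not hosted there, or server unreachable.
        $row.Note = $_.Exception.Message
    }
    [pscustomobject]$row
}

$report | Sort-Object CanScavenge -Descending | Format-Table -AutoSize
```

Rows with `CanScavenge` set to `True` are the servers able to remove stale records from the zone; rows with a `Note` are DCs that could not be queried or do not host the zone.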