Active Directory Integrated Dns Zone _Msdcs Zone

Hi All, I have an AD domain with AD Integrated DNS where the msdcs container appears greyed out under the domain name. When I view the properties of the greyed out msdcs, it shows the Name Server of a Domain Controller which crashed, on the Name Server tab, and which is currently offline and due to be manually removed from the domain. The security tab generates the error "The Requested security information is either unavailable or can't be displayed." As I am about to manually remove the metadata for the old crashed Domain controller I want to understand what the problem is with the msdcs container. As you can see from the first picture, I do have a FQDN entry for msdcs at the same hierarchical level as the domain's forward lookup zone entry which contains all the service records for all the other domain controllers and DNS servers currently operating in the domain. I'd really appreciate some advice on why the msdcs container is greyed out and how to remediate. Many Thanks in advance.

Ok, so I just caught this. The DNS zone for the actual domain is not listed on the two new ADDNS servers. Only the MSDCS.

How is DNS related to Active Directory and what are some common configurations that I should be aware of?

Active Directory relies on a properly configured and functional DNS infrastructure. If you have an Active Directory problem, chances are that you have a DNS problem. The first thing you should check is DNS. The second thing you should check is DNS.
Source: DNS. Type: Error. Description: The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly.

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events.

Using AD Recycle Bin to restore deleted DNS zones and their contents in Windows Server 2008 R2.

Archived from groups microsoft. Hi all, I have 2 Windows 2003 DCs in a Windows 2003 forest, one of them was the unique DNS and it crashed a few days ago.

The third thing you should check is DNS.

What exactly is DNS? This is a site for professionals, so I'll assume you've at least read the excellent Wikipedia article. In short, DNS allows IP addresses to be found by looking up a device by name. It's critical for the Internet to function as we know it and it's run on all but the smallest of LANs.

DNS, at the most basic level, is broken into three fundamental pieces:

DNS Servers: these are the servers that hold records for all of the clients that they are responsible for. In Active Directory, you run the DNS Server role on a Domain Controller.

Zones: Copies of zones are held by servers.

Note. The SOA query for the mscs. DNS has a good forwarder or delegation for the msdcs.

How DNS Works. Updated March 28, 2003. Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2.

If you have an AD named ad. Domain Controllers that have DNS installed named ad. If you have a computer named computer and it was registered with that DNS server, it would create a DNS record named computer in ad. Fully Qualified Domain Name FQDN, which would be computer.

Records: As I've mentioned above, zones hold records.
A record maps a computer or resource to a specific IP address. The most common kind of record is an A record, which contains a hostname and an IP address. The second most common are CNAME records. A CNAME contains a hostname and another hostname.

I have inherited an issue where my AD Integrated DNS Zone was deleted and there are no system state backups available. I have checked in AD, under DNS and there are.

When you look up hostname. This is useful for obscuring resources like a web server or file share. If you have a CNAME for intranet. CNAME record to point to the new server. Useful, huh?

Ok, how does this relate to Active Directory?

When you install Active Directory and the DNS Server role on your first Domain Controller in the domain, it automatically creates two forward lookup zones for your domain. If your AD domain is ad. Active Directory, you'll have a zone for ad.

What do these zones do? GREAT QUESTION! Let's start with the msdcs zone. It holds all of the records that your client machines need to find domain controllers. It includes records to locate AD sites. It has records for the different FSMO role holders. It even holds records for your KMS servers, if you run this optional service. If this zone didn't exist, then you wouldn't be able to log on to your workstations or servers.

What does the ad. It holds all of the records for your client computers, member servers, and the A records for your Domain Controllers. Why is this zone important? So that your workstations and servers can communicate with each other on the network. If this zone didn't exist, you could probably log in, but you wouldn't be able to do much else except browse the Internet.
How do I get records in these zones? Well, fortunately for you, that's easy. When you install and configure the DNS server settings during dcpromo, you should elect to allow Secure Updates Only if given the choice. This means that only known domain-joined PCs can create/update their records.

Let's back up for a second. There are a few ways that a zone can get records in it:

They are automatically added by workstations that are configured to use the DNS server. This is the most common and should be used in tandem with Secure Updates Only in most scenarios. There are some edge cases where you don't want to go this way, but if you need the knowledge in this answer, then this is the way you want to do it. By default, a Windows workstation or server will update its own records every 2. IP address assigned to it, either via DHCP or statically.

You manually create the record. This might happen if you need to create a CNAME or other type of record, or if you want an A record that isn't on a trusted AD computer, perhaps a Linux or OS X server that you want your clients to be able to resolve by name.

You let DHCP update DNS when leases are handed out. You do this by configuring DHCP to update the records on behalf of the clients and add the DHCP server to the DNSUpdateProxy AD group. This isn't really a good idea, because it opens you up for zone poisoning. Zone poisoning or DNS poisoning is what happens when a client computer updates a zone with a malicious record and attempts to impersonate another computer on your network. There are ways to secure this, and it does have its uses, but you're better off leaving it alone if you don't know.

So, now that we have that out of the way we can get back on track. You've configured your AD DNS servers to only allow secure updates, your infrastructure is chugging along, and then you realize that you have a ton of duplicate records. What do you do about this? DNS Scavenging.
This article is required reading. It details the best practices and settings that you'll need to configure for scavenging. It's for Windows Server 2. Read it.

Scavenging is the answer to the duplicate record problem posed above. Imagine that you have a computer that gets an IP of 1. It will register an A record for that address. Then, imagine that it's powered off for an extended period of time. When it's back on, that address is taken by another machine, so it gets 1. Now there are A records for both of them.

If you scavenge your zones, this won't be a problem. Stale records will be removed after a certain interval and you'll be fine. Just make sure that you don't scavenge everything by accident, like using a 1 day interval. Remember, AD relies on these records. Definitely configure scavenging, but do it responsibly, as outlined in the article above.

So, now you have a basic understanding of DNS and how it is integrated with Active Directory. I will add bits and pieces down the road, but please feel free to add your own work as well.
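
The two settings recommended above (Secure Updates Only, and scavenging that is enabled but not set to an overly short interval) can be read back from a DNS server with the DnsServer PowerShell module. This script is an added example, not part of the original answer; the parameter names and the 7-day threshold are assumptions.

```powershell
# Added example (not from the original page): audit AD DNS zones for the two
# settings discussed above. Requires the DnsServer module (RSAT DNS tools).
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # DNS server to query
    [int]$MinStaleDays = 7                      # assumed threshold, tune to your lease times
)

Import-Module DnsServer -ErrorAction Stop

# Server-wide scavenging: zone aging does nothing unless a server actually scavenges.
$server = Get-DnsServerScavenging -ComputerName $ComputerName
if (-not $server.ScavengingState) {
    Write-Warning "Scavenging is disabled on $ComputerName; stale records will accumulate."
}

# Only primary zones accept dynamic updates and carry aging settings.
$zones = Get-DnsServerZone -ComputerName $ComputerName | Where-Object {
    $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors'
}

$report = foreach ($zone in $zones) {
    $aging = Get-DnsServerZoneAging -Name $zone.ZoneName -ComputerName $ComputerName
    # A record becomes eligible for scavenging after no-refresh + refresh.
    $staleAfter = $aging.NoRefreshInterval + $aging.RefreshInterval
    $findings = @()
    if ($zone.DynamicUpdate -eq 'NonsecureAndSecure') {
        $findings += 'accepts nonsecure dynamic updates (zone poisoning risk)'
    }
    if (-not $aging.AgingEnabled) {
        $findings += 'aging disabled, duplicate/stale records are never removed'
    } elseif ($staleAfter.TotalDays -lt $MinStaleDays) {
        $findings += "records eligible for scavenging after only $($staleAfter.TotalDays) day(s)"
    }
    [pscustomobject]@{
        Zone          = $zone.ZoneName
        DsIntegrated  = $zone.IsDsIntegrated
        DynamicUpdate = $zone.DynamicUpdate
        AgingEnabled  = $aging.AgingEnabled
        StaleAfter    = $staleAfter
        Findings      = $findings -join '; '
    }
}

$report | Sort-Object Zone | Format-Table -AutoSize -Wrap
```

Zones with an empty Findings column match the advice in the text; the script only reads settings and changes nothing on the server.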

© 2017