This post contains information on troubleshooting DNS lookup of Domain Controllers in cross-forest trusts, relating primarily to to _msdcs sub-zones, and highlighting differences between Windows 2000 and 2003 DNS zone configuration .
In a Windows Server 2003 domain, the _msdcs zone is a separate zone in DNS to the parent domain. A delegated sub-zone is created in the parent domain, with static NS records indicating the DNS servers that can be used for the _msdcs zone. If these records are incorrect, problems will occur when identifying Active Directory domain information, particularly in cross-forest scenarios when trying to find a DC through DNS.
In Windows 2000 Server Active Directory, the _msdcs is a sub-zone of the parent domain, and replicated as a single entity, without the requirement for static NS records. While this configuration is simpler, it does not suit some environments, where not all DNS servers should have replicated copies of the _mcdcs zones.
In a cross-forest scenario, the 2003 domain was logging Event ID 5719:
This computer was not able to set up a secure session with a domain controllerUsing netlogon debugging (nltest /dbflag), errors were logged indicating something is not working:
in domain domain due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.
If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the
specified domain. Otherwise, this computer sets up the secure session to any
domain controller in the specified domain.
For more information, see
Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
In this example, cached information was being used:
01/01 08:00:00 [MISC] NetpDcGetName: domain.local using cached information
01/01 08:00:00 [MISC] domain: DsGetDcName function returns 0: Dom:domain.local Acct:(null) Flags: IP KDC
But as soon as the cache expired, problems started occurring:
01/01 09:31:17 [SESSION] domain: NETLOGON_CONTROL_TC_QUERY function received.
01/01 09:31:17 [CRITICAL] domain: NetrLogonControl can't find the client structure of the domain domain.local specified.
A test query using DNS directly was then performed, which failed in this case, as the single NS record in the _msdcs delegated sub-zone in domain.com.au was referring to a DC that had been decommissioned:
nslookup -type=srv _ldap._tcp.dc._msdcs.domain.com.au
*** dc01.domain.local can't find _ldap._tcp.dc._msdcs.domain.com.au: Server failed
Note that using the '-debug' switch in the nslookup command provides detailed information on the request and reply, for example, using the delegated sub-zone querying a secondary copy of domain.com.au:
nslookup -debug _msdcs.domain.com.au. dc01
opcode = QUERY, id = 2, rcode = NOERROR
header flags: response, auth. answer, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
_msdcs.domain.com.au, type = A, class = IN
ttl = 3600 (1 hour)
primary name server = dc01.domain.com.au
responsible mail addr = hostmaster
serial = 286
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)
Wayne's World of IT (WWoIT), Copyright 2008 Wayne Martin.