Friday, December 11, 2015

How to reconfigure an _msdcs subdomain to a forest-wide DNS application directory partition when you upgrade from Windows 2000 to Windows Server 2003

SUMMARY
This step-by-step article describes how to make the forest-wide locator records under the _msdcs.ForestName DNS zone available on every DNS server in the forest when you upgrade domain controllers that are running the DNS Server service from Microsoft Windows 2000 to Microsoft Windows Server 2003.

Background information

Windows 2000 behavior

When a server that is running Microsoft Windows 2000 is promoted as the first domain controller in a new Active Directory directory service forest, the Windows 2000 Active Directory Installation Wizard (Dcpromo.exe) creates a DNS forward lookup zone that is named after the first domain in the forest (ForestName), and it creates a subdomain and names it _msdcs.ForestName. For example, if your Active Directory forest name is reskit.com, the Installation Wizard creates the reskit.com DNS zone and the _msdcs.reskit.com subdomain as a child of the forest root domain zone.

The forest domain zone hosts the DNS resource records for each Active Directory domain controller in the domain. The _msdcs.ForestName subdomain hosts the domain controller locator DNS resource records for all the domain controllers in an Active Directory forest. It is also used to locate domain controllers that have specific roles in the Active Directory domain or in the Active Directory forest, and to locate a domain controller by searching for its GUID when a domain has been renamed.

Windows Server 2003 behavior

When the DNS root domain of a new Active Directory forest is created on a Windows Server 2003-based domain controller, two DNS zones are automatically created. One zone is created for the forest root domain; this zone is replicated between all domain controllers in that domain. The other zone is created for the _msdcs.ForestName subdomain; this zone is stored in the forest-wide DNS application directory partition. This partition replicates to all Windows Server 2003-based domain controllers in the forest that are running the Windows Server 2003 DNS Server service.

Upgrading domain controllers from Windows 2000 to Windows Server 2003

If you upgrade from Windows 2000 to Windows Server 2003, your DNS zone configuration is not modified, and the _msdcs.ForestName zone is stored on your Windows Server 2003-based domain controller in one of the following ways:
  • Case 1: The _msdcs.ForestName zone is a subdomain of your Active Directory-integrated forest root DNS zone, and the secondary _msdcs.ForestName zones are stored in your child domains (if child domains are present).
  • Case 2: The _msdcs.ForestName is a subdomain of your Active Directory-integrated forest root DNS zone.
After all the DNS servers in the forest root domain are running the Windows Server 2003 DNS Server service, configure your ForestName zone to be stored in an Active Directory-integrated domain-wide application partition. Similarly, configure your DNS records for the _msdcs.ForestName domain name to be stored in a separate _msdcs.ForestName zone that you store in an Active Directory-integrated forest-wide application partition.

Case 1: Configure the domain-wide _msdcs.ForestName zone to the forest-wide DNS application directory partition

  1. In the DNS console, right-click the _msdcs.ForestName zone, and then click Properties.
  2. On the General tab, note the current zone replication type, and then do one of the following:
    • If the type is not the forest-wide replication scope, click Change, and then go to step 3.
    • If the type is the forest-wide replication scope, skip this step, and then go to step 4.
  3. Select the forest-wide replication scope for the zone.
  4. Delete any secondary _msdcs.ForestName zones that are stored in your child domains.
Notes
  • To perform this procedure, you must be a member of the DnsAdmins or the Domain Admins security group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using the Secondary Logon service command to perform this procedure. You can access this command through the built-in Runas.exe command.
  • When you change the storage of a zone from the domain partition to an application directory partition (for example, after you promote a new Windows Server 2003-based domain controller in an existing Windows 2000 domain), the domain controller that holds the domain naming master role must be running Windows Server 2003 for the DNS application directory partitions to exist. If you receive an error when you change the storage of a zone from the domain partition to an application directory partition, transfer the domain naming master role to a domain controller that is running Windows Server 2003, create the default DNS application directory partitions, and then try again.
  • After the new forest-wide zone is propagated to the application partition of all the DNS servers in the forest, delete the previous secondary zone. To delete the zone, right-click the zone in the DNS console, and then click Delete.
  • The zone replication type change is made one time per forest; however, you must delete the secondary zones from each DNS server individually.
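The same Case 1 change can be made from the command line, which is easier to audit and to repeat against each child-domain DNS server. The following PowerShell script is an added example and is not part of the original article or of Microsoft's own tooling documentation. It assumes PowerShell 2.0 or later, dnscmd.exe from the Windows Server 2003 Support Tools, the placeholder forest name contoso.com, placeholder child DNS server names, and that it is run under an account in DnsAdmins or Domain Admins (for example through Runas.exe, as the notes above recommend). The column layout parsed from dnscmd /EnumZones (zone name, type, storage, properties) is an assumption about the tool's output; the storage value AD-Forest marks a zone kept in the forest-wide application partition.

```powershell
# Added example, not from the original article. Placeholders: contoso.com and the child DNS servers.
$Forest          = 'contoso.com'
$Zone            = "_msdcs.$Forest"
$ForestPartition = "ForestDnsZones.$Forest"      # FQDN of the forest-wide DNS application partition
$ChildDnsServers = @('dc1.child.contoso.com', 'dc2.child.contoso.com')

# Read the zone table that "dnscmd <server> /EnumZones" prints and return Type and Storage for one zone.
# Assumed layout of each data row: "<zone name> <Type> <Storage> <Properties...>".
function Get-ZoneState([string]$Server, [string]$ZoneName) {
    $lines = & dnscmd $Server /EnumZones 2>&1
    foreach ($line in $lines) {
        $fields = ([string]$line).Trim() -split '\s+'
        if ($fields.Count -ge 3 -and $fields[0] -eq $ZoneName) {
            return New-Object PSObject -Property @{ Type = $fields[1]; Storage = $fields[2] }
        }
    }
    return $null    # the zone is not hosted on that server
}

# Steps 2 and 3: move the zone to the forest-wide partition unless it is already there.
# This is done once per forest, because the zone object itself moves between directory partitions.
$state = Get-ZoneState 'localhost' $Zone
if ($state -eq $null) { throw "$Zone is not hosted on this server" }
Write-Host "$Zone on localhost: type=$($state.Type) storage=$($state.Storage)"
if ($state.Storage -ne 'AD-Forest') {
    & dnscmd localhost /ZoneChangeDirectoryPartition $Zone $ForestPartition
    if ($LASTEXITCODE -ne 0) {
        # The partition only exists if the domain naming master runs Windows Server 2003 (see the notes);
        # create the built-in partitions and retry once, as the article's note describes.
        & dnscmd localhost /CreateBuiltinDirectoryPartitions /Forest
        & dnscmd localhost /ZoneChangeDirectoryPartition $Zone $ForestPartition
        if ($LASTEXITCODE -ne 0) { throw "Could not move $Zone; check the domain naming master's OS" }
    }
}

# Step 4: delete the secondary copies, one DNS server at a time. The type check keeps the script from
# ever deleting a primary copy if a server name was entered by mistake.
foreach ($srv in $ChildDnsServers) {
    $s = Get-ZoneState $srv $Zone
    if ($s -ne $null -and $s.Type -eq 'Secondary') {
        & dnscmd $srv /ZoneDelete $Zone /f
        Write-Host "$srv : secondary copy of $Zone deleted"
    } else {
        Write-Host "$srv : no secondary copy of $Zone found; left untouched"
    }
}
```

Run it on a DNS server in the forest root domain after all forest-root DNS servers are on Windows Server 2003; re-running it is harmless because the storage check skips the partition change and the type check skips servers that no longer hold a secondary copy.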

Case 2: Configure the Windows 2000 _msdcs subdomain to a Windows Server 2003 zone that is stored in the forest-wide DNS application directory partition

The following steps assume that the DNS zones for the Active Directory forest root domain were created during the promotion of a Windows 2000-based domain controller, and that all domain controllers in the forest root domain that host the DNS server have been upgraded to Windows Server 2003.

The following is a summary of the procedure that you use to configure the subdomain. This procedure is described in detail after the notes.
  1. Configure the primary DNS server setting in the network connections of all domain controllers in your forest with the IP address of a single root domain controller.
  2. Create the _msdcs zone for the Active Directory forest name, and then store the _msdcs.ForestName zone in the DNS forest-wide application directory partition.
  3. Force replication.
  4. Delete the old _msdcs subdomain.
  5. Return the primary DNS server setting in the network connections of all domain controllers in your forest to their previous settings.
Notes
  • By default, only members of the Enterprise Admins security group can create a DNS application directory partition.
  • When you change the storage of a zone from the domain partition to an application directory partition (for example, after you promote a new Windows Server 2003-based domain controller in an existing Windows 2000 domain), the domain controller that holds the domain naming master role must be running Windows Server 2003 for the DNS application directory partitions to exist. If you receive an error when you change the storage of a zone from the domain partition to an application directory partition, transfer the domain naming master role to a domain controller that is running Windows Server 2003, create the default DNS application directory partitions, and then try again.
To register the required records to the single root domain controller, restart the Net Logon service on all the domain controllers. The replication works correctly if the replication window is not less than the default DNS Time to Live (TTL) entry. To restart the Net Logon service, follow these steps:
  1. Click Start, click Run, type cmd in the Open box, and then press ENTER.
  2. At the command prompt, type the following command, and then press ENTER:
    net stop netlogon
  3. Type net start netlogon, and then press ENTER.
If your _msdcs subdomain is still not populated, or if the TTL is smaller than the replication window, follow these steps to configure the _msdcs subdomain to a zone that is stored in the forest-wide DNS application partition:
  1. Modify the network connection configuration on all the domain controllers in the forest so that they point to a single DNS server:
    1. Click Start, click Control Panel, click Network and Internet Connections, and then click Network Connections.
    2. Right-click the network connection that you want to configure, and then click Properties.
    3. On the General tab (for a local area connection), click Internet Protocol (TCP/IP), and then click Properties.
    4. Confirm that Use the following DNS server addresses is enabled.
    5. Make a note of the existing IP address that appears in the Preferred DNS server box. (You will need this address in a later step in this procedure.)
    6. In the Preferred DNS server box, type the IP address of a single root domain controller that is running the DNS Server service.
    7. Click OK.
    Note For large deployments, you may want to create a script to configure the IP address of a single root domain controller as the Preferred DNS server setting on all the domain controllers.

    Important You must use the same IP address of a single root domain controller for all domain controllers in the forest. The purpose of this configuration is to make sure that all domain controllers in the forest register their DNS resource records in copies of the same _msdcs.ForestName zone.
  2. Log on to the Windows Server 2003-based root domain controller by using an account that is a member of the Enterprise Admins security group.
  3. Verify that a Windows Server 2003-based domain controller holds the domain naming master role.
  4. Verify that all DNS servers that currently host the _msdcs.ForestName subdomain in primary zones are running Windows Server 2003.
  5. Start the DNS console. To do this, click Start, click Run, type dnsmgmt.msc, and then click OK.
  6. In the DNS console, right-click Forward Lookup Zones, and then click New Zone. Click Next.
  7. On the Zone Type page in the New Zone Wizard, click Primary zone, and then click to select the Store the zone in Active Directory check box. Click Next.
  8. On the Active Directory Zone Replication Scope page, click To all DNS servers in the Active Directory forest ForestName.
  9. On the Zone Name page, in the Zone Name box, type _msdcs.ForestName.
  10. Complete the wizard by accepting all the default options.

    The zone is created, and the Net Logon service populates the zone with the _msdcs.ForestName resource records for the local domain controller.
  11. The zone will now replicate to all other DNS servers in the replication scope by using the replication schedules and paths that are configured in the forest, or you can force replication. To force replication, use Active Directory Sites and Services, or use the Repadmin.exe tool:
    • To use Active Directory Sites and Services:
      1. Open Active Directory Sites and Services.
      2. In the console tree, click NTDS Settings for the server that you want to force replication from.
      3. In the details pane, right-click the connection that you want to replicate directory information over, and then click Replicate Now.
    • To use the Repadmin.exe tool:
      1. With the Support Tools installed, open a command prompt.
      2. At the command prompt, type the following, and then press ENTER:
        repadmin /syncall
        This will synchronize all the directory partitions.
  12. Delete the old _msdcs subdomain from the zone where it was created before you upgraded. To do this:
    1. Open the DNS console.
    2. In the console tree, expand the zone that contains the _msdcs subdomain.
    3. Right-click the _msdcs subdomain folder, and then click Delete.
    Note This step is not mandatory because the DNS Server service will use the new _msdcs zone to answer any queries for names that start with _msdcs. Microsoft recommends that you delete the old _msdcs subdomain to maintain a more orderly DNS database.
  13. After replication is confirmed for all the domain controllers in the forest, perform the following network connection configuration on all the domain controllers in the forest:
    1. Click Start, click Control Panel, click Network and Internet Connections, and then click Network Connections.
    2. Right-click the network connection that you want to configure, and then click Properties.
    3. On the General tab (for a local area connection), click Internet Protocol (TCP/IP), and then click Properties.
    4. Confirm that Use the following DNS server addresses is selected, and in the Preferred DNS server box, type the IP address that was used previously (that is, the one that you noted in step 1e).
    5. Click OK.
Note In Windows Server 2003 SP1, when you create a new forward lookup zone that is already under an existing zone, the wizard automatically creates a new delegation under the existing zone.
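For the large deployments the note in step 1 mentions, the Case 2 procedure above (steps 1 to 13, plus the Net Logon restart) can be scripted so that the old DNS client settings are saved before they are changed and restored only after the new zone is confirmed on every domain controller. The following PowerShell script is an added example; it is not from the original article. It assumes PowerShell 2.0 or later with WMI access to every domain controller, dnscmd.exe and repadmin.exe from the Windows Server 2003 Support Tools on the root domain controller where it runs, an Enterprise Admins account, and the placeholder values below (forest contoso.com, root domain controller IP 10.0.0.10, the list of domain controllers, and the backup file path).

```powershell
# Added example, not from the original article. All names, addresses and paths are placeholders.
$Forest            = 'contoso.com'
$Zone              = "_msdcs.$Forest"
$ForestPartition   = "ForestDnsZones.$Forest"     # FQDN of the forest-wide DNS application partition
$RootDcIp          = '10.0.0.10'                   # the single root DC running DNS (step 1f)
$DomainControllers = @('rootdc1.contoso.com', 'rootdc2.contoso.com', 'dc1.child.contoso.com')
$BackupFile        = 'C:\dns-client-backup.csv'    # persists the "make a note" of step 1e

# Step 1 and the Net Logon restart: point every IP-enabled adapter on each DC at the root DC,
# saving the previous search order first. Win32_NetworkAdapterConfiguration exists on Windows 2000/2003.
function Set-DcDnsClient([string[]]$Servers, [string]$PreferredDns, [string]$Backup) {
    $saved = @()
    foreach ($srv in $Servers) {
        $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $srv -Filter 'IPEnabled = TRUE'
        foreach ($a in $adapters) {
            $saved += New-Object PSObject -Property @{
                Server = $srv; Index = $a.Index; Previous = ($a.DNSServerSearchOrder -join ';')
            }
            $rc = $a.SetDNSServerSearchOrder(@($PreferredDns))
            if ($rc.ReturnValue -ne 0) { Write-Warning "$srv adapter $($a.Index): return code $($rc.ReturnValue)" }
        }
        # Restart Net Logon so the DC re-registers its locator records with the root DC.
        & sc.exe "\\$srv" stop netlogon | Out-Null
        Start-Sleep -Seconds 5
        & sc.exe "\\$srv" start netlogon | Out-Null
    }
    $saved | Export-Csv -Path $Backup -NoTypeInformation
}

# Step 13: put the saved search order back on every adapter. Adapters that had no static
# DNS servers (empty Previous) are skipped rather than given an empty list.
function Restore-DcDnsClient([string]$Backup) {
    foreach ($row in Import-Csv $Backup) {
        if (-not $row.Previous) { continue }
        $a = Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $row.Server -Filter "Index = $($row.Index)"
        $null = $a.SetDNSServerSearchOrder(@($row.Previous -split ';'))
    }
}

# Replication check used before steps 12 and 13: every DC must answer the DC locator SRV query
# for the forest out of the new zone. nslookup prints "svr hostname = ..." for each SRV record.
function Test-MsdcsZone([string[]]$Servers, [string]$ForestName) {
    $ok = $true
    foreach ($srv in $Servers) {
        $out = & nslookup -type=SRV "_ldap._tcp.dc._msdcs.$ForestName" $srv 2>&1 | Out-String
        if ($out -notmatch 'svr hostname') {
            Write-Warning "$srv does not yet serve the $ForestName locator records"
            $ok = $false
        }
    }
    return $ok
}

Set-DcDnsClient $DomainControllers $RootDcIp $BackupFile              # step 1 + Net Logon restart
# Steps 6 to 10: create the AD-integrated primary zone directly in the forest-wide partition.
& dnscmd localhost /ZoneAdd $Zone /DsPrimary /dp $ForestPartition
if ($LASTEXITCODE -ne 0) { throw "ZoneAdd failed; verify the domain naming master runs Windows Server 2003" }
& repadmin /syncall                                                   # step 11: force replication
if (Test-MsdcsZone $DomainControllers $Forest) {
    & dnscmd localhost /NodeDelete $Forest _msdcs /tree /f            # step 12 (optional, recommended)
    Restore-DcDnsClient $BackupFile                                   # step 13
} else {
    Write-Warning "Replication not confirmed; DNS client settings left pointing at $RootDcIp"
}
```

The script deliberately leaves the domain controllers pointed at the root domain controller when the check fails, which matches step 13's condition that the client settings are restored only after replication is confirmed for all domain controllers; run Test-MsdcsZone again later and call Restore-DcDnsClient by hand once it returns True.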
