Question : Why delegate _msdcs to a DNS Zone?

I ran across this setup at a client's site. It's a very small site; they could have run the application on a workstation. Anyway, another company's I.S. guy set up and ran a DCpromo on a new Windows 2003 box. I understand (book learned) about delegating a DNS zone, but I'm not sure why you would delegate _msdcs to a zone.

For example:
Domain name- contoso.msft
delegated- _msdcs.contoso.msft


I'm not sure if the delegation was done prior to the Dcpromo or not; all the AD records look good in DNS and dcdiag came back OK. There are no problems with the box, or DNS/AD. I just wanted to know what the benefit is to doing this, and if there were any issues doing it or not doing it this way. Are there any Microsoft docs on delegating _msdcs? Also, any other info anyone could share would be greatly appreciated. Thanks!

Answer : Why delegate _msdcs to a DNS Zone?

Don't sweat the questions, you are warranted! [smile!]

Let me start by saying you are absolutely right, and there is nothing wrong with doing it the way you do it. But let me offer some clarification.

First, don't confuse my saying ROOT to mean ROOT DNS, but rather ROOT DOMAIN.
In the domain hierarchy, you can have a root domain [domain.com] and it not be the DNS [.] root for that domain.

Ideally, you will see delegation take place if you have child domains of the root and you want to make DNS servers in those child domains authoritative for their respective domains. For example, we could have domain.com with a DNS server called CONTROLLER1 and child domains child1.domain.com and child2.domain.com with DNS servers CONTROLLER2 and CONTROLLER3 respectively. I could create the domains child1.domain.com and child2.domain.com on CONTROLLER1 and delegate them to CONTROLLER2 and CONTROLLER3 respectively. On CONTROLLER2 I would have to create:
Forward lookup zone: child1.domain.com
Then:
_tcp.child1.domain.com
_udp.child1.domain.com
_sites.child1.domain.com
_msdcs.child1.domain.com

And the same on CONTROLLER3 for the child2.domain.com domain.

However, if you only have one domain and one domain controller, the only reason you would delegate the _msdcs subdomain is if you had another DNS server handling SRV lookups and all clients are pointed to that server and perhaps the DC as a backup.

Not the most rational way of doing this, but it is possible. Because you have to remember, DNS on the DC is not a requirement for AD. You could have a UNIX box providing DNS service [as long as it can handle SRV records and ideally, dynamic updates], in which case, going through installing DNS on the server and testing it before running DCPROMO, as you do, would be unnecessary. In fact, I don't do it the way you do, instead, I allow the DCPROMO process to install and configure DNS for me. There's nothing wrong with either approach.

As for your "big network guru guy", only he and the networking Gods may truly know why he delegated the _msdcs subdomain out. Where did he delegate it to? Are there other DNS servers on the domain? You mention that it was small, so I am assuming not? At any rate, you shouldn't hurt anything by undelegating the zone as long as you create one under your domain zone. Then, to the uninitiated, you can chastise this guy's poor networking expertise and charge your clients a modest rate for the fix!
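As an added example that is not part of the original thread (it is neither the asker's nor the answerer's code), here is a PowerShell script that shows what a practitioner would actually check before "undelegating": where the _msdcs delegation points, whether each delegation target answers the DC locator SRV queries that domain members depend on, and, only if a target is dead, how to collapse the delegation back into a zone hosted on the DC and re-register the records. The domain name contoso.msft, the server name controller1.contoso.msft and the -Fix switch are assumptions for illustration; the script assumes the DnsClient and DnsServer modules (Windows 8 / Server 2012 or later; the 2003 box in the question has dnscmd instead of these cmdlets). One caveat worth knowing: Windows Server 2003 DCPROMO itself creates _msdcs.<forest root> as a separate forest-replicated zone and adds a delegation for _msdcs in the parent zone pointing at the DC, so a delegation on a single-DC domain is frequently the default layout rather than someone's mistake; the script therefore leaves a working delegation alone.

```powershell
# Added example, not code from the original thread. Inspects how _msdcs.<domain>
# is served and whether the DC locator records clients need actually resolve.
# Assumptions (illustrative): domain contoso.msft, DNS hosted on
# controller1.contoso.msft, run as a domain admin on Windows 8 / Server 2012+
# with the DnsClient and DnsServer modules available.
[CmdletBinding()]
param(
    [string]$Domain    = 'contoso.msft',
    [string]$DnsServer = 'controller1.contoso.msft',
    [switch]$Fix   # remove a delegation whose targets do not answer, host the zone here, re-register
)

$msdcs = "_msdcs.$Domain"

# A delegation is nothing more than NS records named "_msdcs" inside the parent zone.
$nsRecords = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Domain `
             -Name '_msdcs' -RRType NS -ErrorAction SilentlyContinue
$targets = @($nsRecords | ForEach-Object { $_.RecordData.NameServer.TrimEnd('.') })

if ($targets.Count -eq 0) {
    Write-Host "No delegation: _msdcs records are served from the $Domain zone itself"
} else {
    Write-Host "$msdcs is delegated to: $($targets -join ', ')"
}

# A separate forest-wide _msdcs zone on the DC is the Windows 2003+ default layout.
$zone = Get-DnsServerZone -ComputerName $DnsServer -Name $msdcs -ErrorAction SilentlyContinue
if ($zone) { Write-Host "Separate zone $msdcs hosted on $DnsServer (replication: $($zone.ReplicationScope))" }

# Locator records every DC publishes under _msdcs. Single-domain forest assumed,
# so the forest-root records (gc, pdc) live under the same _msdcs name.
$locators = @(
    "_ldap._tcp.dc.$msdcs",
    "_kerberos._tcp.dc.$msdcs",
    "_ldap._tcp.pdc.$msdcs",
    "_ldap._tcp.gc.$msdcs"
)

function Test-MsdcsServer {
    param([string]$Server)
    # Ask the server directly (-DnsOnly skips the local cache/hosts file) so a
    # delegation target that is up but not authoritative shows up as MISSING.
    $ok = $true
    Write-Host "Querying $Server"
    foreach ($name in $locators) {
        $srv = Resolve-DnsName -Name $name -Type SRV -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
        if ($srv) {
            $hosts = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
            Write-Host "  $name -> $hosts"
        } else {
            Write-Host "  $name -> MISSING"
            $ok = $false
        }
    }
    return $ok
}

# Check the DC's own DNS server plus every delegation target.
$healthy = @{}
$servers = @($DnsServer) + $targets | Select-Object -Unique
foreach ($s in $servers) { $healthy[$s] = Test-MsdcsServer -Server $s }

$broken = @($targets | Where-Object { -not $healthy[$_] })
if ($broken.Count -gt 0) {
    Write-Warning "Delegation targets not answering locator queries: $($broken -join ', ')"
}

if ($Fix -and $broken.Count -gt 0) {
    # Undelegate: drop the NS records in the parent, host a forest-wide _msdcs zone
    # on this DC if it does not exist yet, then make the DC re-register its records.
    Remove-DnsServerZoneDelegation -ComputerName $DnsServer -Name $Domain -ChildZoneName '_msdcs' -Force
    if (-not $zone) {
        Add-DnsServerPrimaryZone -ComputerName $DnsServer -Name $msdcs `
            -ReplicationScope Forest -DynamicUpdate Secure
    }
    nltest /server:$DnsServer /dsregdns   # DC re-registers its SRV and CNAME locator records
    dcdiag /s:$DnsServer /test:dns /v     # confirm the locator records and delegation are healthy
}
```

Run it without -Fix first; a delegation whose targets all answer the four SRV queries is doing its job and needs no change, which is the situation the answer above describes for a healthy box. Only a delegation pointing at a server that does not hold the records breaks domain joins and logons, because the DC locator walks the delegation and gets no SRV answer, and that is the one case where removing it and re-registering with nltest makes sense. The script does not re-create the `<DSA GUID>._msdcs.<forest root>` CNAME by hand; `nltest /dsregdns` publishes it along with the SRV records, and `dcdiag /test:dns` reports if it is still missing.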