thanks for the post eaglesix. you can manually update the PDC record if you
like at any time during the day. in fact, i would strongly encourage you to
perform the update as soon as possible. the pdc role is absolutely critical
to your environment and the last thing that you want is any resource or
service unable to find this role.
the good news is that it probably isn't affecting you quite as much as it
could be because many services look up the pdc role holder through the
directory rather than through dns. however, there are times when either this
lookup then turns into a pdc-specific dns lookup, or a dns lookup is directly
performed. so, please adjust the pdc dns records as soon as possible.
that said, you may want to reconsider the decision to not enable secure
dynamic updates. it is likely that the consultant didn't want dynamic
updates for one of two reasons:
1. he didn't want regular domain clients to be able to register records in
the _msdcs zone.
2. he didn't want records for this zone to be scavenged
the second issue is easily solved by proper configuration. the first isn't
quite as easily solved but isn't as big of a concern as static zone
population is. it is possible that a domain member could flood your zone
with erroneous records. however, the likelihood of this happening is
astronomically lower than the likelihood of a condition much like the one
that you are in today. the pdc is only the tip of the iceberg. promotion of
new DCs, changes in service states and location, promotion to global
catalogs, and more are all represented in dns. this needs to be updated to
maximize the efficiency and value of the directory service.
for more info on the pdc and its impact:
http://cbfive.com/blog/post/The-Role...-PDC-FSMO.aspx
for more info on enabling secure-only dynamic updates:
http://cbfive.com/blog/post/Enabling...y-Updates.aspx
--
hth.
/rich
http://cbfive.com
http://cbfive.com/blogs
"eaglesix" wrote:
> I have a 2003 AD network with three DCs running 2003 AD mixed mode and
> one NT4 BDC. The person we had help set up the DNS advised we not set
> the msdcs forward zone as dynamic. The zones are all AD Integrated.
> But the _msdcs zone is set to allow no Dynamic Updates.
>
> My problem is the DNS entry for the PDC is pointing to the wrong DC.
> DNS is pointing to the machine that was the first DC in the domain and
> I assume the PDC entry pointing to it is in there due to that.
>
> Netdom and ntdsutil show the role of the PDC with the correct DC.
>
> nslookup -type=SRV _ldap._tcp.pdc._msdcs.<domainname> pulls up the
> wrong PDC entry.
>
> I checked netlogon.dns on each of my DNS servers and they contain the
> correct entries. I believe it is just tied into the fact that the
> zone _msdcs isn't allowing the files to update the DNS server that is
> the problem.
>
> Can I just modify the DNS entry for the PDC to point to the new
> machine so everything matches? Do I need to wait until most users are
> off the network? Or can this be done at any time? The network has
> been working fine this way for quite a while. But if machines query
> DNS for the DC offering the PDC service they will get the wrong
> machine.
>
> I appreciate any help as always
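As an added example (not code from rich's post or from eaglesix's environment): a Python script that compares the PDC SRV record DNS is serving with the PDC emulator the directory reports, which is the mismatch described above. The inputs are constructed: zone-file style lines (the format of netlogon.dns and of a dnscmd zone export) and a fSMORoleOwner value; example.com and the DC names are placeholders.

```python
"""Compare the PDC SRV record DNS serves with the PDC emulator the directory
reports. Inputs are constructed zone-file lines (netlogon.dns / dnscmd export
format) and a constructed fSMORoleOwner attribute; names are placeholders."""
import re

# owner [TTL] [IN] SRV priority weight port target  (zone-file style line)
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+\d+\s+\d+\s+(?P<port>\d+)\s+(?P<target>\S+)$",
    re.IGNORECASE,
)

def pdc_srv_targets(zone_text, domain):
    """Return {target_fqdn: port} for every _ldap._tcp.pdc._msdcs.<domain> SRV record."""
    owner = ("_ldap._tcp.pdc._msdcs." + domain).lower()
    found = {}
    for line in zone_text.splitlines():
        m = SRV_RE.match(line.strip())
        if m and m.group("name").rstrip(".").lower() == owner:
            found[m.group("target").rstrip(".").lower()] = int(m.group("port"))
    return found

def dc_from_fsmo_owner(dn):
    """fSMORoleOwner is CN=NTDS Settings,CN=<DC>,CN=Servers,...; return <DC> lower-cased."""
    rdns = [r.strip() for r in dn.split(",")]
    if len(rdns) < 2 or rdns[0].lower() != "cn=ntds settings":
        raise ValueError("unexpected fSMORoleOwner value: " + dn)
    return rdns[1].split("=", 1)[1].lower()

def check_pdc_record(domain, served_zone_text, fsmo_owner_dn):
    """Return (ok, expected_dc, served_dcs). ok is False when DNS serves no pdc
    record, a record for a DC other than the role holder, or a port other than 389."""
    expected = dc_from_fsmo_owner(fsmo_owner_dn)
    served = pdc_srv_targets(served_zone_text, domain)
    served_dcs = {fqdn.split(".")[0]: port for fqdn, port in served.items()}
    return served_dcs == {expected: 389}, expected, served_dcs

# Constructed sample: DNS still serves the first DC while the role sits on dc3.
DNS_EXPORT = """\
_ldap._tcp.pdc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com.  600 IN SRV 0 100 389 dc1.example.com.
"""
FSMO_OWNER = ("CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,"
              "CN=Sites,CN=Configuration,DC=example,DC=com")

if __name__ == "__main__":
    ok, want, got = check_pdc_record("example.com", DNS_EXPORT, FSMO_OWNER)
    print("OK" if ok else f"MISMATCH: DNS serves {got}, role holder is {want}")
```

Feed it a real zone export and the fSMORoleOwner value read from the domain naming context, and a MISMATCH result is the condition described in the thread.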