If this zone is not functioning properly, or the records are missing from the zone, domain members may not be able to contact the Domain Controller and thus may not be able to perform user/device authentication in the domain.
If all other steps have failed to fix the problem, you need to delete and recreate the _msdcs zone.
Before deleting the zone, back up the existing Active Directory data (copy the contents of the %windir%\System32\dns folder and back up the system state of a DC that is a DNS server).
Follow these steps to delete and recreate the _msdcs zone:
- Open the DNS console (Administrative Tools -> DNS, or run dnsmgmt.msc). Right-click the _msdcs zone folder and select Delete.
- Right-click Forward Lookup Zones and select New Zone.
- Use the wizard to create the new zone.
- Name the new zone _msdcs.<domain>, where <domain> is the full DNS name of your AD domain. For example, if your domain is domain.local, the new zone name should be _msdcs.domain.local.
- Right-click your server and select All Tasks -> Restart to restart the DNS service.
- Open a CMD and run the following:
ipconfig /flushdns
ipconfig /registerdns
net stop netlogon
net start netlogon
- Wait some time and refresh the DNS console. It will take some time to populate the new _msdcs zone.
If you have multiple Domain Controllers in the domain, run step 5 again on each one to register and refresh the DNS server.
answered 10/11/2023 08:13
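The same backup, delete, recreate, restart and verify procedure from the answer above, scripted in PowerShell. This is an added example, not code from the original answer. It assumes it is run elevated on a Domain Controller that is also a DNS server with the DnsServer and ActiveDirectory RSAT modules installed, that the zone is AD-integrated and should replicate forest-wide (the scope you would otherwise pick in the New Zone wizard), that D: is a volume available for the system state backup and C:\DnsBackup is the copy location; all of those, and the `_ldap._tcp.dc` SRV check used to confirm repopulation, are the example's own choices.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted version of the delete/recreate _msdcs procedure.
# Assumptions: elevated on a DC running DNS, RSAT DnsServer + ActiveDirectory
# modules present, AD-integrated zone with forest-wide replication,
# D: is a volume for wbadmin, C:\DnsBackup is the folder copy location.
$ErrorActionPreference = 'Stop'
Import-Module DnsServer, ActiveDirectory

$domain     = (Get-ADDomain).DNSRoot                   # e.g. domain.local
$zoneName   = "_msdcs.$domain"                         # e.g. _msdcs.domain.local
$backupRoot = "C:\DnsBackup\$(Get-Date -Format yyyyMMdd-HHmmss)"   # assumed location

# 1. Backup first: copy the DNS folder and take a system state backup of this DC.
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null
Copy-Item "$env:windir\System32\dns" -Destination "$backupRoot\dns" -Recurse -Force
# wbadmin needs the Windows Server Backup feature; the target must be a volume (assumed D:).
wbadmin start systemstatebackup -backupTarget:D: -quiet
if ($LASTEXITCODE -ne 0) { throw "System state backup failed (wbadmin exit code $LASTEXITCODE); not touching the zone." }

# 2. Delete the existing _msdcs zone if it is present (it may already be missing).
$existing = Get-DnsServerZone -Name $zoneName -ErrorAction SilentlyContinue
if ($existing) {
    Remove-DnsServerZone -Name $zoneName -Force
}

# 3. Recreate it as an AD-integrated primary zone, forest-wide replication (assumed scope),
#    secure dynamic updates only so that only domain members can register records.
Add-DnsServerPrimaryZone -Name $zoneName -ReplicationScope Forest -DynamicUpdate Secure

# 4. Restart DNS, then flush the resolver cache, re-register this host and bounce Netlogon
#    (Netlogon is what writes the DC locator SRV records into _msdcs).
Restart-Service -Name DNS -Force
Clear-DnsClientCache                       # equivalent of ipconfig /flushdns
Register-DnsClient                         # equivalent of ipconfig /registerdns
Restart-Service -Name Netlogon -Force      # equivalent of net stop/net start netlogon

# 5. Wait for Netlogon to repopulate the zone, then verify the DC locator record exists.
$srvName = "_ldap._tcp.dc.$zoneName"
$found = $null
foreach ($attempt in 1..12) {              # up to 2 minutes
    Start-Sleep -Seconds 10
    $found = Resolve-DnsName -Name $srvName -Type SRV -Server 127.0.0.1 -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'SRV' }
    if ($found) { break }
}
if ($found) {
    "SRV records now registered in ${zoneName}:"
    $found | Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize
} else {
    Write-Warning "No SRV records in $zoneName after 2 minutes; check the DNS Server and Netlogon event logs."
}
```

The script refuses to delete the zone if the system state backup fails, which is the check you want before removing an AD-integrated zone. With several Domain Controllers, run only step 4 (the flush, register and Netlogon restart) on each of the other DCs, for example via `Invoke-Command -ComputerName dc2 -ScriptBlock { Clear-DnsClientCache; Register-DnsClient; Restart-Service Netlogon -Force }`, and then repeat the step 5 query against each DC's DNS service to confirm every DC has re-registered.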