on our DCs the BPA comes up with the error in the subject.
From what I understand this is because this is an old domain, and nowadays you store the _msdcs.domain.com zone directly under "Forward Lookup Zones" and not only under the zone name, as we old folks learned. I get why and now want to fix this.
It would be great if someone could double check the way I consider to do this:
- I delete the _msdcs.domain.com folder under domain.com
- I add a new primary zone "_msdcs.domain.com" directly under Forward Lookup Zones
- This zone will be available for all DCs in the forest, and I will allow only secure updates
- Now I would restart the Netlogon & DNS Server services
- Delete the local cache: ipconfig /flushdns
- Log into all other DCs, restart the DNS & Netlogon services and delete the cache.
Is this how it is done? Do I have to prepare anything else? Do I have to delete the DNS entries of the DCs?
Edit: And another question: What happens when I restart the DNS & Netlogon services? How much impact does this have on users?
Additional question: my _msdcs folder contains some entries for the same DC in upper AND in lower case.. is there an explanation for why this happens? The timestamps for these entries are different.
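The procedure listed in the post, written out as a PowerShell script. This is an added example and not the poster's own commands or an answer from the thread; it assumes the domain is named domain.com, that it runs elevated on a DC with the DnsServer and ActiveDirectory modules installed, and that every DC should host the new zone. Beyond the listed steps it also takes a backup of the parent zone first, adds a delegation for _msdcs in the parent zone so DNS servers that host only domain.com can still reach the child zone, and ends with a check that lists record names in the new zone that differ only by case (the duplicates the last question asks about).

```powershell
# Added example, not from the original post. Assumptions: forest root domain is
# "domain.com", the script runs elevated on a DC, DnsServer and ActiveDirectory
# modules are present. Review each step against your own environment first.

$Domain    = 'domain.com'
$MsdcsZone = "_msdcs.$Domain"

Import-Module DnsServer
Import-Module ActiveDirectory

# 1. Show the current layout: is _msdcs a real zone, or only a subdomain of $Domain?
Get-DnsServerZone |
    Where-Object { $_.ZoneName -like "*$Domain" } |
    Select-Object ZoneName, ZoneType, ReplicationScope, DynamicUpdate, IsDsIntegrated

# 2. Back up the parent zone (file lands in %SystemRoot%\System32\dns) before deleting anything.
Export-DnsServerZone -Name $Domain -FileName "$Domain.before-msdcs-split.dns"

# 3. Collect the records that live under the _msdcs subdomain of the parent zone
#    (HostName is relative to the zone, e.g. "_ldap._tcp.dc._msdcs").
$oldRecords = Get-DnsServerResourceRecord -ZoneName $Domain |
    Where-Object { $_.HostName -eq '_msdcs' -or $_.HostName -like '*._msdcs' }
"Records under _msdcs in $Domain : $($oldRecords.Count)"

# 4. Create the separate zone: AD-integrated, replicated to every DNS server in the
#    forest, secure dynamic updates only.
Add-DnsServerPrimaryZone -Name $MsdcsZone -ReplicationScope Forest -DynamicUpdate Secure

# 5. Remove the old subdomain records from the parent zone (Netlogon re-registers
#    them into the new zone in step 6).
foreach ($rr in $oldRecords) {
    Remove-DnsServerResourceRecord -ZoneName $Domain -InputObject $rr -Force
}

# 6. Delegate _msdcs in the parent zone to every DC, so servers that host only
#    domain.com can still find the child zone. Skipped if a delegation already exists.
$existing = Get-DnsServerResourceRecord -ZoneName $Domain -Name '_msdcs' -RRType NS -ErrorAction SilentlyContinue
if (-not $existing) {
    foreach ($dc in Get-ADDomainController -Filter *) {
        Add-DnsServerZoneDelegation -Name $Domain -ChildZoneName '_msdcs' `
            -NameServer $dc.HostName -IPAddress $dc.IPv4Address
    }
}

# 7. Re-register this DC's SRV/CNAME records and clear caches. Netlogon writes its
#    records on start-up; nltest /dsregdns forces the registration immediately.
Restart-Service -Name Netlogon
nltest /dsregdns
Clear-DnsClientCache

# 8. Same re-registration on every other DC (only DNS client cache and Netlogon need
#    it; the zone itself arrives through AD replication).
$others = (Get-ADDomainController -Filter *).HostName | Where-Object { $_ -ne "$env:COMPUTERNAME.$Domain" }
Invoke-Command -ComputerName $others -ScriptBlock {
    Restart-Service -Name Netlogon
    nltest /dsregdns
    Clear-DnsClientCache
}

# 9. Verify: DC locator must find a DC via the new zone, and dcdiag's DNS test
#    should no longer complain about _msdcs.
nltest /dsgetdc:$Domain
dcdiag /test:dns /v

# 10. List record names in the new zone that differ only by letter case (same name
#     and type, more than one spelling), with the timestamp of each variant.
Get-DnsServerResourceRecord -ZoneName $MsdcsZone |
    Group-Object { "$($_.HostName.ToLower())|$($_.RecordType)" } |
    Where-Object { @($_.Group.HostName | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object { $_.Group | Select-Object HostName, RecordType, Timestamp, RecordData }
```

Run steps 1 to 3 on their own first and read the output before letting the script delete anything; if the parent zone already shows an NS delegation for _msdcs, step 6 does nothing. The listing in step 10 only reports the case variants and their timestamps; it does not remove them, so you can decide per record which copy to keep.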