Channel: Directory Services forum

Domain GUID DNS registration conflict


My company has a mixed 2003/2008 AD environment whose FSMO roles are currently hosted on a 2003 DC.  The 2008 DC's are reporting issues where entries for the domain GUID are not registered in DNS.  In actuality, they are registered in DNS, but they're registered under a different domain GUID.  My concern is that I may have problems when I move the FSMO roles to one of the 2008 DC's and/or demote the 2003 DC's.

The dcdiag and BPA on the 2008 DC's are looking for this record:
_ldap._tcp.88ce7205-xxxx-xxxx-xxxx-8bf4bea37768.domains._msdcs.domain.com

In DNS, the following records are being registered by each DC (2008 and 2003):
_ldap._tcp.4702b1c2-xxxx-xxxx-xxxx-2cc62ce567d1.domains._msdcs.domain.com


Best Practices Analyzer error:

Issue:
 The "DcByGuid" DNS service (SRV) resource record that advertises this server as an available domain controller in the domain and ensures correct replication is not registered. All domain controllers (but not RODCs) in the domain must register this record.
 
Impact:
 Other member computers and domain controllers in the domain or forest will not be able to locate this domain controller. This domain controller will not be able to provide a full suite of services.
 
Resolution:
 Ensure that "DcByGuid" is not configured in the "DnsAvoidRegisteredRecords" list, either through Group Policy or through the registry. Restart the Netlogon service. Verify that the DNS service (SRV) resource record "_ldap._tcp.88ce7205-xxxx-xxxx-xxxx-8bf4bea37768.domains._msdcs.domain.com", pointing to the local domain controller "2K8-DC1.domain.com", is registered in DNS.

[Note: "DcByGuid" is NOT configured in our "DnsAvoidRegisteredRecords" list]

 

dcdiag /test:dns result:

               TEST: Records registration (RReg)
                  Network Adapter [00000012] vmxnet3 Ethernet Adapter:
                     Error:
                     Missing SRV record at DNS server <IP of 2k8-DC1>:
                     _ldap._tcp.88ce7205-xxxx-xxxx-xxxx-8bf4bea37768.domains._msdcs.domain.com

                     Error:
                     Missing SRV record at DNS server <IP of 2k8-DC2>:
                     _ldap._tcp.88ce7205-xxxx-xxxx-xxxx-8bf4bea37768.domains._msdcs.domain.com

The 2003 servers don't report this error.

Also, when you go into ADSI Edit on any of the DC's and look at the attribute for objectGUID on the domain, the value shows up as the GUID that's missing from DNS.

Here are two others who have similar issues that are unsolved, and possibly need the same fix:

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/9d38617d-63a2-405e-b60e-f0c10e6123c6

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/b0e3ea61-cfa4-406a-9cc3-3eb9ee61252e
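
A read-only check of the mismatch described in the post, as an added example that is not part of the original post: it compares the domain's objectGUID in AD with the DcByGuid names in each DC's netlogon.dns and queries each DC's DNS service for the record dcdiag expects. The `$DomainControllers` parameter, reading netlogon.dns over the admin$ share, and running from a domain-joined workstation that has `Resolve-DnsName` (Windows 8 / Server 2012 or later) are assumptions.

```powershell
# Added example (not from the original post). Read-only: changes nothing in AD or DNS.
param(
    [Parameter(Mandatory = $true)]
    [string[]]$DomainControllers   # assumption: DC host names, e.g. 2K8-DC1
)

# Domain GUID as stored in the directory (the objectGUID ADSI Edit shows on the domain).
$rootDse = [ADSI]'LDAP://RootDSE'
$domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
[byte[]]$guidBytes = $domain.objectGUID.Value
$adGuid  = (New-Object Guid (,$guidBytes)).ToString()   # lowercase, dashed form

# DcByGuid records are registered under the forest root: <guid>.domains._msdcs.<forest>
$forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain.Name
$expected = '_ldap._tcp.{0}.domains._msdcs.{1}' -f $adGuid, $forest

# Matches DcByGuid lines in netlogon.dns and captures the GUID label.
$pattern = '^_ldap\._tcp\.([0-9a-f-]{36})\.domains\._msdcs\.'

foreach ($dc in $DomainControllers) {
    # GUID(s) this DC's Netlogon service is trying to register.
    $file = '\\{0}\admin$\System32\config\netlogon.dns' -f $dc
    $registering = @(Get-Content $file |
        ForEach-Object { if ($_ -match $pattern) { $Matches[1].ToLower() } } |
        Sort-Object -Unique)

    # Ask this DC's own DNS service for the record dcdiag reports as missing.
    $srv = Resolve-DnsName -Name $expected -Type SRV -Server $dc -DnsOnly `
               -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }

    [pscustomobject]@{
        DC                = $dc
        AdDomainGuid      = $adGuid
        NetlogonGuids     = $registering -join ','
        NetlogonMatchesAD = ($registering -contains $adGuid)
        ExpectedSrvFound  = [bool]($srv | Where-Object { $_.NameTarget -like "$dc*" })
    }
}
```

Each output row shows whether the GUID a DC's Netlogon is registering matches the directory's objectGUID, and whether the record dcdiag expects resolves on that DC and points back to it.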

 

