Question : How do I split the _msdcs section from the root domain DNS zone?

I inherited an AD 2003 environment and I've come to realize that the _msdcs.rootdomain.com subdomain/records is contained within the rootdomain.com DNS zone. It is my understanding that by default (and best practice) the _msdcs.rootdomain.com is usually it's own DNS zone under the ForestDNSZones partition of AD.

My question is how do I get back to default/best practice? My fear is that my only option is to manually create the _msdcs.rootdomain.com DNS zone, then delete the subfolder from the rootdomain.com DNS zone, and then go around running ipconfig /flushdns, and restarting netlogon service on every DC in the forest (including sub domains). I fear due to the inherent lag with replication and need of this zone for proper replication that I will find myself in some sort of catch-22 and replication of this zone will not complete successfully thus causing other AD issues.

Note: I have upwards of 30-40 DCs spread out amongst many sites (globally) and subdomains.

What is the best way to handle this?

TIA,
MCDONAMW

Answer : How do I split the _msdcs section from the root domain DNS zone?

Well, it looks like simply delegating the _msdcs.rootdomain.com using the delegation wizard will not work since the _msdcs subfolder of the rootdomain.com zone already contains the authoritative NS records, etc. I get an error citing the zone is already delegated and that if I want to change a DNS domain into a delegation, I must first delete the domain, and then create the delegation. Doing this will lose my records.

So it would seem, no matter what I do I have to lose the existing dynamic records and they will then need to be repopulated by the system. I will also require forcing replication between servers to speed up the process to avoid further replication issues during this transition.

To sum up:
Manually created the _msdcs.rootdomain.com zone on Server1
it automatically populates the zone with all the SRV records for Server1, but all of my SRV records for other servers are missing.
_msdcs subfolder of rootdomain.com zone is automatically changed to be greyed out and only contains NS record for Server1. That is the zone is automatically delegated to Server1.
Manually edit delegation of the _msdcs subfolder under rootdomain.com zone to add delegation for Server2 and any other server needing to be authoritative for this zone.
Force replication using Replmon
Once zone hits the other servers, all SRV records for those servers are added to the zone.
Another replication may need to happen to force these SRV records to show on all DNS servers hosting the zone.
My only concern now would be if it's possible for me to force the replication I need fast enough. With how AD creates its own replication links between servers, I may have no recourse but to load all DCs up under replmon and then force replication to all servers it's linked up with and work my way down the line. Hopefully this amount of replication won't bring my networks to a crawl!
I'm going to leave this open for a little bit in case someone has some more information to debate or provide a more simple method than what I have above (using PaciB's suggestions of course!). If nothing else comes through I will close this out and award PaciB the points.
Thanks again!
-MCDONAMW

Random Solutions

Downgrading from a domain to a workgroup

Old Computer in DNS and DHCP Scope leases IP

slow network through routers, latency issue?

Can we make a jar file compatible between two application servers?

How can I delete an IPSEC Policy that was Deleted before it was completely Unassigned?

Am receiving a valid IP but not getting internet access

How to disguise my ip address?

tracking down a username without NET SEND

G.729 Bandwidth Calculation - CCVP Practice Question