Your network contains an Active Directory forest.
The forest contains two domains named contoso.com and eu.contoso.com. All domain controllers are DNS servers.
The domain controllers in contoso.com host the zone for contoso.com.
The domain controllers in eu.contoso.com host the zone for eu.contoso.com. The DNS zone for contoso.com is configured as shown in the exhibit:
You need to ensure that all domain controllers in the forest host a writable copy of _msdcs.contoso.com.
Which two actions should you perform?
(Each correct answer presents part of the solution. Choose two.)
A. Create a zone delegation record in the contoso.com zone.
B. Create a zone delegation record in the eu.contoso.com zone.
C. Create an Active Directory-integrated zone for _msdcs.contoso.com.
D. Create a secondary zone named _msdcs.contoso.com in eu.contoso.com.
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc753500.aspx
Create a Zone Delegation
You can divide your Domain Name System (DNS) namespace into one or more zones. You can delegate management of part of your namespace to another location or department in your organization by delegating the management of the corresponding zone.
When you delegate a zone, remember that for each new zone that you create, you will need delegation records in other zones that point to the authoritative DNS servers for the new zone. This is necessary both to transfer authority and to provide correct referral to other DNS servers and clients of the new servers that are being made authoritative for the new zone.
http://blogs.chrisse.se/2011/04/10/are-you-storing-your-ad-integrated-dns-zones-in-the-dns-application-partitions-ncs/
Are you storing your AD-Integrated DNS Zones in the DNS Application Partitions (NCs)?
1. Background
Overview
A partition is a data structure within Active Directory used to distinguish data for different replication purposes. Every domain controller contains the following three directory partitions: configuration, schema, and domain. A directory partition is also called the "naming context". Domain controllers in the same forest but in different domains share the same configuration and schema data, but they do not share the same domain data.
..
Every object created in the domain naming context, which includes DNS zones and nodes (DNS names, e.g., microsoft.com), is replicated to all the GCs in the domain.
By using application directory partitions to store the DNS data, essentially all DNS objects are removed from the GC. This is a significant reduction in the number of objects that are normally stored in the GC.
..
Additionally, an application directory partition that is replicated to all DNS servers in the forest can be used for zones like _msdcs.<forestname> which should be visible to the entire forest.
This is ideal because all DCs register their DsaGuid CNAME resource record in the _msdcs.<forestname> zone.
…
http://standalonelabs.wordpress.com/2011/05/08/what-is-the-_msdcs-subdomain/
What is the _msdcs Subdomain?
Some of the materials I have read on Active Directory and DNS I feel have not done a clear job explaining exactly what the _msdcs subdomain is and how it is used in an Active Directory forest.
The following is my explanation which I hope makes some sense out of the issue.
_msdcs and Domain Controller Location
First, all domains in an Active Directory forest have a subdomain beneath them called _msdcs. To illustrate, if I create a domain called parent.local and a child domain called child.parent.local, those domains will each contain a subdomain: _msdcs.parent.local and _msdcs.child.parent.local respectively. You can see the _msdcs subdomain of a domain in my Active Directory forest below:
This subdomain is reserved for the registration of DNS records for Microsoft specific services. For example, when looking for a domain controller, a client will need to query a LDAP service record. Microsoft is not the only software company who makes directory services software using the LDAP protocol. As such, there needs to be a way for a client to specifically request a Microsoft LDAP server (in other words a domain controller). Because the _msdcs domain is reserved specifically for Microsoft, clients can safely query this domain for LDAP service records and know they will be receiving the record for a Microsoft domain controller.
Take a closer look at the _msdcs subdomain. You’ll see it actually has several subdomains of its own.
One of these subdomains is the "dc" domain. The dc._msdcs domain contains two other subdomains called "_sites" and "_tcp."
When a client is querying DNS for a domain controller, if the client does not know what site it belongs to, it will request a _ldap service record from the _tcp.dc._msdcs.domain.tld zone.
If the client does know what site it belongs to, it can query for a _ldap record in the subdomain for that site. For example, _tcp.Default-First-Site-Name._sites.dc._msdcs.child.parent.local using the example pictured above.
_msdcs Subdomain of the Forest Root Domain
The _msdcs subdomain of the forest’s root domain is a little special.
First, if you look at the records registered in the root of the zone, you may see several CNAME (or alias) records. There is a CNAME record for each domain controller in the forest and this record maps the GUID of the domain controller to the fully-qualified domain name of the domain controller. These records are used by Active Directory for replication purposes. All writable domain controllers must register a record in this zone for proper replication.
Now, take a look at the _msdcs domain under the forest root domain in the DNS Server Manager. Notice how it is depicted as a gray icon.
This signifies _msdcs is a delegated domain. Recall that delegations are used to specify the IP address of another DNS server that will host the zone. In the case of the _msdcs domain, the delegation does not actually specify a different DNS server, but instead points to the local server as you can see from the properties of the delegation in the screen shot below:
So, what is the point of delegating this subdomain to the same server? Well, essentially by specifying the _msdcs domain as a delegation, you remove it from the parent zone on the DNS server allowing you to create an independent _msdcs zone. The screen shot below highlights this _msdcs zone:
Because this is now a separate zone, it is possible to change its replication scope. By default, the replication scope is set to all DNS servers in the forest.
In contrast, the parent domain’s replication scope is set to only the DNS servers in the domain by default.
Now, the _msdcs subdomain of the forest root has its own subdomain underneath it called "dc," like we looked at earlier, where DCs for the domain register their service records. But, because the _msdcs subdomain of the forest root domain is replicated to all DNS servers in the forest, it also makes the perfect place for services that are needed throughout the forest to register their DNS records as well. For example, say the global catalog.
Looking at the subdomains in the _msdcs domain, you’ll see in addition to the "dc" domain, there is a subdomain called "domains" and another subdomain called "gc."
The domains._msdcs domain contains subdomains corresponding to all domains in the forest (labeled by the domain’s GUID). In these subdomains are service records for the DCs in those domains.
The gc._msdcs domain contains two subdomains of its own called "_sites" and "_tcp." These function the same way as the "_sites" and "_tcp" subdomains in the dc._msdcs domain function. When a client needs to find a global catalog in the forest, it can query for an _ldap record in the _tcp.gc._msdcs.forestroot.tld zone if it does not know what site it is in or it can query for a global catalog in a specific site by requesting an _ldap record in the _tcp.SiteName._sites.gc._msdcs.forestroot.tld zone.
I also want to make it clear that, because the _msdcs subdomain of the forest root is replicated to all DNS servers in the forest, this means every DNS server is authoritative for the _msdcs.forestroot.tld zone.
That concludes this look at the _msdcs domain. I hope this description was helpful.
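The following audit script is an added example, not part of the question or of the quoted articles. It checks, on every domain controller in the forest, the state the explanation describes: a directory-integrated _msdcs.<forestroot> zone with forest-wide replication scope, the delegation in the parent zone, each DC's DsaGuid CNAME, and the forest-wide global catalog SRV record. It assumes the ActiveDirectory and DnsServer (RSAT) modules are installed and that the account running it may query each DNS server.

```powershell
Import-Module ActiveDirectory, DnsServer

$forest = Get-ADForest
$root   = $forest.RootDomain          # forest root domain, e.g. contoso.com
$msdcs  = "_msdcs.$root"

# Every DC in every domain of the forest (on this page all DCs are DNS servers).
$dcs = foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

$report = foreach ($dc in $dcs) {
    $server = $dc.HostName
    $zone   = Get-DnsServerZone -Name $msdcs -ComputerName $server -ErrorAction SilentlyContinue

    # The DsaGuid is the objectGUID of the DC's NTDS Settings object.
    $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Server $server).ObjectGUID
    $cname = Resolve-DnsName -Name "$dsaGuid.$msdcs" -Type CNAME -Server $server `
                 -DnsOnly -ErrorAction SilentlyContinue
    $gcSrv = Resolve-DnsName -Name "_ldap._tcp.gc.$msdcs" -Type SRV -Server $server `
                 -DnsOnly -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Server             = $server
        Domain             = $dc.Domain
        ZoneHosted         = [bool]$zone
        ReplicationScope   = $zone.ReplicationScope
        # Writable copy: primary, stored in AD, replicated to all DNS servers in the forest.
        WritableForestCopy = ($zone.ZoneType -eq 'Primary' -and
                              $zone.IsDsIntegrated -and
                              $zone.ReplicationScope -eq 'Forest')
        DsaGuidCname       = [bool]($cname | Where-Object Type -eq 'CNAME')
        GcSrvAnswered      = [bool]($gcSrv | Where-Object Type -eq 'SRV')
    }
}
$report | Format-Table -AutoSize

# The delegation lives in the parent zone, which only forest-root DCs host by default.
$rootDc = ($dcs | Where-Object Domain -eq $root | Select-Object -First 1).HostName
Get-DnsServerZoneDelegation -Name $root -ChildZoneName '_msdcs' -ComputerName $rootDc

# DCs that do not yet hold a writable, forest-replicated copy of the zone.
$report | Where-Object { -not $_.WritableForestCopy } | Select-Object Server, Domain
```

A DC listed by the last command either does not host the zone at all or hosts it with a domain-only scope, which is the condition the question asks you to eliminate.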