Fix missing CNAME record: guid._msdcs.mydomain

I don’t usually post much about Windows, but this is something that I ran into, and it took some searching to find the answer. If you run “dcdiag” and get a message something like “missing CNAME record: <guid>._msdcs.mydomain”, and it is unable to run the DNS checks, this might help you. This is the method I used to fix the problem on my Domain Controller.

The Problem in DNS

The problem is that your DNS isn’t working right because it is missing a CNAME record. You can look for it by opening the DNS Manager, opening your server, then “Forward Lookup Zones”. Under your domain you will find a folder called “_msdcs”, and in there you should see a CNAME record pointing GUID._msdcs.yourdomain to servername.yourdomain. In this case you probably won’t find it. Creating the record yourself won’t always work, so here is the process to fix it.

The Fix

To set that CNAME record, we need to allow dynamic updates temporarily. You can do that by right-clicking on your domain under “Forward Lookup Zones” and choosing Properties. In the window that pops up, on the General tab, set “Dynamic updates” to “Nonsecure and secure”, then click “OK”.


Now you just need to restart the DNS and NETLOGON services. You can do that through “services.msc” or by running the following in a command prompt (running as Administrator):

net stop dns
net start dns
net stop netlogon
net start netlogon

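Now you can go back into the DNS Manager, open the domain properties window again, and set Dynamic updates back to “Secure Only”. Don’t skip this step: while the zone is set to “Nonsecure and secure”, it accepts record updates from clients that have not authenticated. When you run “dcdiag” or “dcdiag /test:dns” it should be successful.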
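The same procedure as a PowerShell script, wrapped in try/finally so the zone goes back to secure-only updates even if a service restart fails. This is an added example, not part of the original post. It assumes the DnsServer module is installed on the DC, that “mydomain” is replaced with your zone name, that _msdcs is a folder inside that zone (as described above) rather than a separate zone, and that 30 seconds is enough for Netlogon to re-register.

```powershell
#Requires -RunAsAdministrator
# Added example: run on the domain controller that hosts the zone.

$ZoneName = 'mydomain'   # placeholder: your AD DNS zone name

# Record the current setting so it appears in the console history.
$before = (Get-DnsServerZone -Name $ZoneName).DynamicUpdate
Write-Host "Dynamic updates on '$ZoneName' before the change: $before"

try {
    # Temporarily allow nonsecure updates, as in the GUI steps above.
    Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate NonsecureAndSecure

    # Equivalent of net stop/start for dns and netlogon.
    Restart-Service -Name DNS
    Restart-Service -Name Netlogon

    # Assumed wait for Netlogon to register its records again.
    Start-Sleep -Seconds 30
}
finally {
    # Always return the zone to "Secure only", even after an error.
    Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure
    $after = (Get-DnsServerZone -Name $ZoneName).DynamicUpdate
    Write-Host "Dynamic updates on '$ZoneName' after the change: $after"
}

# Confirm the CNAME under _msdcs now exists before running dcdiag.
$cname = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType CName |
    Where-Object { $_.HostName -like '*._msdcs' }

if ($cname) {
    $cname | ForEach-Object {
        Write-Host "Found: $($_.HostName) -> $($_.RecordData.HostNameAlias)"
    }
    dcdiag /test:dns
}
else {
    Write-Warning "No CNAME found under _msdcs in '$ZoneName'."
}
```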

I hope this helps at least a few people. I had to search for a while, so I decided to post the solution that worked here.