DNS Records Registered by Active Directory Domain Controllers

This is a re-post from this article

All SRV and A resource records (20 in total if the domain controller is a Global Catalog server; 15 if it is not) that each Active Directory domain controller must register on a DNS server are contained in the %SystemRoot%\system32\config\netlogon.dns file. (If your DNS server does not support dynamic record updates, you need to manage these records manually.) An example of such a file is presented below.

Note: It is possible to set a group policy that will prohibit registration of some or all SRV records by Windows .NET domain controllers. This policy, DC Locator DNS records not registered by the DCs, is located in the Computer Configuration | Administrative Templates | System | Net Logon | DC Locator DNS Records node of a Group Policy Object (GPO).

In this example: server name — netdc2.subdom.net.dom, domain name — subdom.net.dom, root domain name — net.dom, site name — NET-Site. The records are sorted for clarity. The real order will differ, but this does not matter. The five records registered only by a global catalog server are marked with a trailing "; GC" comment. You can verify resource records with the DNS snap-in.

subdom.net.dom. 600 IN A 192.168.1.102
1affcd49-c47f-4499-82b8-48721ed1c799._msdcs.net.dom. 600 IN CNAME netdc2.subdom.net.dom.
_ldap._tcp.subdom.net.dom. 600 IN SRV 0 100 389 netdc2.subdom.net.dom.
_ldap._tcp.dc._msdcs.subdom.net.dom. 600 IN SRV 0 100 389 netdc2.subdom.net.dom.
_ldap._tcp.pdc._msdcs.subdom.net.dom. 600 IN SRV 0 100 389 netdc2.subdom.net.dom.
_ldap._tcp.gc._msdcs.net.dom. 600 IN SRV 0 100 3268 netdc2.subdom.net.dom. ; GC
_ldap._tcp.729173d2-f48b-4655-ac5c-5f1c0c93cbdd.domains._msdcs.net.dom. 600 IN SRV 0 100 389 netdc2.subdom.net.dom.
_ldap._tcp.NET-Site._sites.subdom.net.dom. 600 IN SRV 0 100 389 netdc2.subdom.net.dom.
_ldap._tcp.NET-Site._sites.dc._msdcs.subdom.net.dom. 600 IN SRV 0 100 389 netdc2.subdom.net.dom.
_ldap._tcp.NET-Site._sites.gc._msdcs.net.dom. 600 IN SRV 0 100 3268 netdc2.subdom.net.dom. ; GC
gc._msdcs.net.dom. 600 IN A 192.168.1.102 ; GC
_gc._tcp.net.dom. 600 IN SRV 0 100 3268 netdc2.subdom.net.dom. ; GC
_gc._tcp.NET-Site._sites.net.dom. 600 IN SRV 0 100 3268 netdc2.subdom.net.dom. ; GC
_kerberos._tcp.subdom.net.dom. 600 IN SRV 0 100 88 netdc2.subdom.net.dom.
_kerberos._udp.subdom.net.dom. 600 IN SRV 0 100 88 netdc2.subdom.net.dom.
_kerberos._tcp.dc._msdcs.subdom.net.dom. 600 IN SRV 0 100 88 netdc2.subdom.net.dom.
_kerberos._tcp.NET-Site._sites.dc._msdcs.subdom.net.dom. 600 IN SRV 0 100 88 netdc2.subdom.net.dom.
_kerberos._tcp.NET-Site._sites.subdom.net.dom. 600 IN SRV 0 100 88 netdc2.subdom.net.dom.
_kpasswd._tcp.subdom.net.dom. 600 IN SRV 0 100 464 netdc2.subdom.net.dom.
_kpasswd._udp.subdom.net.dom. 600 IN SRV 0 100 464 netdc2.subdom.net.dom.

As you can see, the first two records are of the A (host) and CNAME (alias) types, respectively; the other records are of the SRV (service location) type. Let us discuss the purpose of every record in the order in which they are presented in the listing above. DNSDomainName is the name of the current domain, e.g., subdom.net.dom. DNSRootName is the name of the forest root domain (it can also be a tree root domain name if there is only one tree in the domain structure), e.g., net.dom.

Important: Do not confuse a tree root domain name (there may be a few in the forest) with the forest root domain name (only one). For example, a forest may include two domain trees with the root domains net.dom and net2.dom. Only the first created domain — net.dom — will be the forest root domain. Therefore, if Global Catalog servers appear in the net2.dom domain (or in any child domains), they will still register the appropriate records in the net.dom DNS zone.

<DNSDomainName> — a client can use this A record to find a domain controller in the domain by using a normal host record lookup.

<NTDSSettingsGUID>._msdcs.<DNSRootName> — each domain controller registers this CNAME record for its child object (Directory System Agent, DSA), CN=NTDS Settings, CN=<DCName>, CN=Servers, CN=<SiteName>, CN=Sites, CN=Configuration, DC=<DomainName>, which uniquely identifies this controller in the Active Directory replication topology. A client can use this CNAME record to find a specific DC in the forest.

_ldap._tcp.<DNSDomainName> — a client can use this record to find an LDAP server in the specified domain. Each domain controller registers this record.

_ldap._tcp.dc._msdcs.<DNSDomainName> — allows a client to find a DC in the specified domain. Each domain controller registers this record. This record (with appropriate domain names) is used for joining a domain, a tree, or a forest; the current, parent, or root domain name is specified, respectively.

_ldap._tcp.pdc._msdcs.<DNSDomainName> — a client can use this record to find the Primary Domain Controller (PDC) Emulator in a mixed-mode domain. Only the PDC masters register this record.

_ldap._tcp.gc._msdcs.<DNSRootName> — a client can use this record to locate a Global Catalog (GC) server in the forest. Only GC servers register this record.

_ldap._tcp.<DomainGUID>.domains._msdcs.<DNSRootName> — a client can use this record to locate a domain controller in the domain specified by the domain GUID. Each domain controller registers this record.

_ldap._tcp.<SiteName>._sites.<DNSDomainName> — a client can use this record to find an LDAP server (not necessarily a DC) in the specified domain and site. Each Active Directory DC registers this record for its site.

_ldap._tcp.<SiteName>._sites.dc._msdcs.<DNSDomainName> — a client can use this record to locate a domain controller in the specified domain and site. Each domain controller registers this record.

_ldap._tcp.<SiteName>._sites.gc._msdcs.<DNSRootName> — allows a client to find a GC server for the forest in the specified site. Only GC servers register this record for their site.

gc._msdcs.<DNSRootName> — allows a non-SRV-aware client to find a GC server for the forest.

_gc._tcp.<DNSRootName> — a client can use this record to locate a GC server (not necessarily a DC) in the forest. Only an LDAP server that is the GC server registers this record.

_gc._tcp.<SiteName>._sites.<DNSRootName> — allows a client to find a GC server (not necessarily a DC) for the forest in the specified site.

_ldap._tcp.<SiteName>._sites.<DNSRootName> — a client can use this record to find an LDAP server (not necessarily a DC) in the forest.

_kerberos._tcp.<DNSDomainName> — a client can use this record to locate a server (not necessarily a DC) that is running the Kerberos Key Distribution Center (KDC) service in the specified domain. Each Active Directory DC registers this record.

_kerberos._udp.<DNSDomainName> — the same as above, but for the UDP protocol.

_kerberos._tcp.dc._msdcs.<DNSDomainName> — a client can use this record to locate a server (not necessarily a DC) that is running the Kerberos KDC service in the specified domain. Each DC registers this record.

_kerberos._tcp.<SiteName>._sites.dc._msdcs.<DNSDomainName> — a client can use this record to locate an Active Directory DC that is running the Kerberos KDC service in the specified domain and site. Each DC registers this record.

_kerberos._tcp.<SiteName>._sites.<DNSDomainName> — a client can use this record to locate an Active Directory DC that is running the Kerberos KDC service in the specified domain and site. Each DC registers this record.

_kpasswd._tcp.<DNSDomainName> — a client can use this record to locate a server (not necessarily a DC) that is running the Kerberos Password Change service in the specified domain. Each Active Directory DC that is running the Kerberos KDC service registers this record.

_kpasswd._udp.<DNSDomainName> — the same as above, but for the UDP protocol.

Note: Notice that all records for global catalog servers refer to the forest root domain name.
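As an added example (not code from the original article), the following Python check parses a netlogon.dns-style listing and reports DC Locator records that are missing, advertise a port that does not fit their service, or point at a host other than the DC being checked. The domain, site and host names in the sample are constructed; the GUID-named CNAME and domains records and the PDC record are left out because their values depend on the individual DC and role.

```python
# Expected port for each DC Locator service, taken from the record listing above.
SERVICE_PORT = {"_ldap": 389, "_kerberos": 88, "_kpasswd": 464, "_gc": 3268}
DC_TEMPLATES = [  # registered by every DC (GUID-named and PDC records are not checked here)
    "{d}", "_ldap._tcp.{d}", "_ldap._tcp.dc._msdcs.{d}", "_ldap._tcp.{s}._sites.{d}",
    "_ldap._tcp.{s}._sites.dc._msdcs.{d}", "_kerberos._tcp.{d}", "_kerberos._udp.{d}",
    "_kerberos._tcp.dc._msdcs.{d}", "_kerberos._tcp.{s}._sites.dc._msdcs.{d}",
    "_kerberos._tcp.{s}._sites.{d}", "_kpasswd._tcp.{d}", "_kpasswd._udp.{d}"]
GC_TEMPLATES = [  # registered only by Global Catalog servers, always in the forest root zone
    "_ldap._tcp.gc._msdcs.{r}", "_ldap._tcp.{s}._sites.gc._msdcs.{r}",
    "gc._msdcs.{r}", "_gc._tcp.{r}", "_gc._tcp.{s}._sites.{r}"]
def parse_netlogon(text):
    """Return (owner, type, rdata) for each 'owner ttl IN type rdata...' line."""
    recs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN":
            recs.append((parts[0].lower().rstrip("."), parts[3], parts[4:]))
    return recs
def expected_owners(domain, root, site, gc):
    names = DC_TEMPLATES + (GC_TEMPLATES if gc else [])
    return {t.format(d=domain, r=root, s=site).lower() for t in names}
def check_dc_records(text, domain, root, site, dc_fqdn, gc):
    # Report missing owners, SRV ports that do not fit the service, and SRV targets other than this DC.
    recs = parse_netlogon(text)
    present = {owner for owner, _, _ in recs}
    problems = [f"missing: {o}" for o in sorted(expected_owners(domain, root, site, gc) - present)]
    for owner, rtype, rdata in recs:
        if rtype != "SRV":
            continue
        port, target = int(rdata[2]), rdata[3].lower().rstrip(".")
        want = SERVICE_PORT.get(owner.split(".")[0])
        if want is not None and port != want:
            problems.append(f"port {port} should be {want}: {owner}")
        if target != dc_fqdn.lower():
            problems.append(f"target {target} is not this DC: {owner}")
    return problems
# Constructed sample for a non-GC DC: _kerberos._udp and the site-level _kerberos._tcp record are
# absent, and _kpasswd._tcp advertises port 88 instead of 464.
SAMPLE = """\
corp.example.test. 600 IN A 10.0.0.5
_ldap._tcp.corp.example.test. 600 IN SRV 0 100 389 dc1.corp.example.test.
_ldap._tcp.dc._msdcs.corp.example.test. 600 IN SRV 0 100 389 dc1.corp.example.test.
_ldap._tcp.HQ._sites.corp.example.test. 600 IN SRV 0 100 389 dc1.corp.example.test.
_ldap._tcp.HQ._sites.dc._msdcs.corp.example.test. 600 IN SRV 0 100 389 dc1.corp.example.test.
_kerberos._tcp.corp.example.test. 600 IN SRV 0 100 88 dc1.corp.example.test.
_kerberos._tcp.dc._msdcs.corp.example.test. 600 IN SRV 0 100 88 dc1.corp.example.test.
_kerberos._tcp.HQ._sites.dc._msdcs.corp.example.test. 600 IN SRV 0 100 88 dc1.corp.example.test.
_kpasswd._tcp.corp.example.test. 600 IN SRV 0 100 88 dc1.corp.example.test.
_kpasswd._udp.corp.example.test. 600 IN SRV 0 100 464 dc1.corp.example.test.
"""
```

Running check_dc_records(SAMPLE, "corp.example.test", "example.test", "HQ", "dc1.corp.example.test", gc=False) lists the two missing Kerberos records and the wrong _kpasswd port; pass gc=True for a Global Catalog server to require the five forest-root records as well.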