Basic DNS records for Active Directory DCs

Be careful with the Active Directory Wizard, it may generate incorrect entries. This tip tells you what to look for to make sure your DNS records are correct.

When you install a domain controller, the Active Directory Wizard that performs the configuration and setup of the Active Directory structure will also register RR (resource record) and SRV (service locator record) records for the DC with DNS. Use this list of standard DNS records to compare against your DNS configuration. If you see blatant differences, you may need to manually fine-tune your DNS records.

If the server name is dcsA, the domain name is corp.mycompany.com, and the DC uses an IP address of 10.19.174.98, then the RR records created during the installation process will be:

dcsA.corp.mycompany.com. A 10.19.174.98
_ldap._tcp.corp.mycompany.com. SRV 0 0 389 dcsA.corp.mycompany.com
_kerberos._tcp.corp.mycompany.com. SRV 0 0 88 dcsA.corp.mycompany.com
_ldap._tcp.dc._msdcs.corp.mycompany.com. SRV 0 0 389 dcsA.corp.mycompany.com
_kerberos._tcp.dc._msdcs.corp.mycompany.com. SRV 0 0 88 dcsA.corp.mycompany.com

If you don't see these records in DNS for each DC, then you need to manually correct or add them.

The NetLogon Service will register various SRV DNS records for the DC depending on what services or capabilities the system hosts:
(Note: SITE is the name of a site. The name of the forest is mycompany.com. GUID is a placeholder for the actual globally unique identifier for the domain.)

_ldap._tcp.corp.mycompany.com
(used for finding an LDAP server) - registered by all DCs and servers

_ldap._tcp.SITE._sites.corp.mycompany.com
(used for finding an LDAP server in a particular site) - registered by all DCs

_ldap._tcp.dc._msdcs.corp.mycompany.com
(used for finding a DC in a particular domain) - registered by all DCs

_ldap._tcp.SITE._sites.dc._msdcs.corp.mycompany.com
(used for finding a DC in a particular domain and site) - registered by all DCs

_ldap._tcp.pdc._msdcs.corp.mycompany.com
(used for finding the PDC or PDC emulator) - registered by PDCs and PDC emulators

_ldap._tcp.gc._msdcs.mycompany.com
(used for finding a Global Catalog server in the forest) - registered by Global Catalog servers

_ldap._tcp.SITE._sites.gc._msdcs.mycompany.com
(used for finding a Global Catalog server for a particular site) - registered by all Global Catalog servers

_gc._tcp.mycompany.com
(used for finding a Global Catalog server) - registered by an LDAP server serving a GC server

_gc._tcp.SITE._sites.mycompany.com
(used for finding a Global Catalog server in a particular site) - registered by an LDAP server serving a GC server

_ldap._tcp.GUID.domains._msdcs.mycompany.com
(used for finding a domain using a GUID—used only if the domain name has been changed) - registered by all DCs

_kerberos._tcp.corp.mycompany.com
(used for finding a Kerberos Key Distribution Center (KDC) in the domain) - registered by all servers with Kerberos

_kerberos._udp.corp.mycompany.com
(used for finding a KDC in the domain using UDP) - registered by all servers with Kerberos

_kerberos._tcp.SITE._sites.corp.mycompany.com
(used for finding a KDC in the domain and site) - registered by all servers with Kerberos

_kerberos._tcp.dc._msdcs.corp.mycompany.com
(used for finding a KDC in the domain) - registered by all DCs with Kerberos

_kerberos._tcp.SITE._sites.dc._msdcs.corp.mycompany.com
(used for finding a DC with KDC in the domain and site) - registered by all DCs with Kerberos

_kpasswd._tcp.corp.mycompany.com
(used for finding a KDC that changes passwords on Kerberos in the domain) - registered by all servers with Kerberos

_kpasswd._udp.corp.mycompany.com
(used for finding a KDC that changes passwords on Kerberos in the domain using UDP) - registered by all servers with Kerberos
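The two lists above (the five basic records the wizard creates, and the role-dependent NetLogon registrations) can be turned into a mechanical check. The following script is an added example, not part of the original tip: given a DC's name, domain, forest, site and roles, it builds the set of owner names that should exist, parses a record listing in the same "owner TYPE ... target" form used above, and reports what is missing or pointing at a different host. The site name HQ, the second DC dcsB and the observed record lines are constructed sample data, and no live DNS query is made.

```python
"""Check which expected A/SRV records for an Active Directory DC are absent.

Hypothetical helper (not a Microsoft tool): the expected owner names follow
the NetLogon list in the tip; the "observed" lines are a constructed sample
standing in for the output of a zone dump or nslookup session.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DomainController:
    host: str                        # e.g. "dcsA"
    domain: str                      # e.g. "corp.mycompany.com"
    forest: str                      # e.g. "mycompany.com"
    site: str                        # AD site name, e.g. "HQ" (constructed)
    ip: str
    is_gc: bool = False              # Global Catalog server
    is_pdc: bool = False             # PDC emulator
    domain_guid: Optional[str] = None  # only set if the domain was renamed

    @property
    def fqdn(self) -> str:
        return f"{self.host}.{self.domain}"


def expected_records(dc: DomainController) -> Dict[str, str]:
    """Map owner name (with trailing dot) -> record type this DC should register."""
    d, f, s = dc.domain, dc.forest, dc.site
    expected = {f"{dc.fqdn}.": "A"}
    # Registered by every DC: LDAP and Kerberos (KDC / kpasswd) locators.
    for owner in (
        f"_ldap._tcp.{d}", f"_ldap._tcp.{s}._sites.{d}",
        f"_ldap._tcp.dc._msdcs.{d}", f"_ldap._tcp.{s}._sites.dc._msdcs.{d}",
        f"_kerberos._tcp.{d}", f"_kerberos._udp.{d}",
        f"_kerberos._tcp.{s}._sites.{d}",
        f"_kerberos._tcp.dc._msdcs.{d}", f"_kerberos._tcp.{s}._sites.dc._msdcs.{d}",
        f"_kpasswd._tcp.{d}", f"_kpasswd._udp.{d}",
    ):
        expected[f"{owner}."] = "SRV"
    if dc.is_pdc:
        expected[f"_ldap._tcp.pdc._msdcs.{d}."] = "SRV"
    if dc.is_gc:  # forest-wide GC locators live under the forest root name
        for owner in (
            f"_ldap._tcp.gc._msdcs.{f}", f"_ldap._tcp.{s}._sites.gc._msdcs.{f}",
            f"_gc._tcp.{f}", f"_gc._tcp.{s}._sites.{f}",
        ):
            expected[f"{owner}."] = "SRV"
    if dc.domain_guid:
        expected[f"_ldap._tcp.{dc.domain_guid}.domains._msdcs.{f}."] = "SRV"
    return expected


def parse_record_lines(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Parse 'owner TYPE [prio weight port] target' lines into (owner, type, target).

    Names are lower-cased and the target's trailing dot is dropped so that
    'dcsA.corp.mycompany.com' and 'dcsa.corp.mycompany.com.' compare equal.
    """
    parsed = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or malformed line
        owner, rtype, target = parts[0].lower(), parts[1].upper(), parts[-1].lower()
        parsed.append((owner, rtype, target.rstrip(".")))
    return parsed


def find_missing(dc: DomainController, observed_lines: List[str]) -> List[str]:
    """Expected owner names that are absent or do not point at this DC."""
    present = {
        (owner, rtype)
        for owner, rtype, target in parse_record_lines(observed_lines)
        if target in (dc.fqdn.lower(), dc.ip)   # ignore records for other DCs
    }
    return sorted(
        owner for owner, rtype in expected_records(dc).items()
        if (owner.lower(), rtype) not in present
    )


# Constructed sample: dcsA is a GC and the PDC emulator in site HQ.
SAMPLE_DC = DomainController("dcsA", "corp.mycompany.com", "mycompany.com",
                             "HQ", "10.19.174.98", is_gc=True, is_pdc=True)

# Constructed listing: the basic records are present, _kpasswd._udp and all
# four GC records are not, and one GC record points at a different DC (dcsB).
OBSERVED = [
    "dcsA.corp.mycompany.com. A 10.19.174.98",
    "_ldap._tcp.corp.mycompany.com. SRV 0 0 389 dcsA.corp.mycompany.com",
    "_ldap._tcp.HQ._sites.corp.mycompany.com. SRV 0 0 389 dcsA.corp.mycompany.com",
    "_ldap._tcp.dc._msdcs.corp.mycompany.com. SRV 0 0 389 dcsA.corp.mycompany.com",
    "_ldap._tcp.HQ._sites.dc._msdcs.corp.mycompany.com. SRV 0 0 389 dcsA.corp.mycompany.com",
    "_ldap._tcp.pdc._msdcs.corp.mycompany.com. SRV 0 0 389 dcsA.corp.mycompany.com",
    "_kerberos._tcp.corp.mycompany.com. SRV 0 0 88 dcsA.corp.mycompany.com",
    "_kerberos._udp.corp.mycompany.com. SRV 0 0 88 dcsA.corp.mycompany.com",
    "_kerberos._tcp.HQ._sites.corp.mycompany.com. SRV 0 0 88 dcsA.corp.mycompany.com",
    "_kerberos._tcp.dc._msdcs.corp.mycompany.com. SRV 0 0 88 dcsA.corp.mycompany.com",
    "_kerberos._tcp.HQ._sites.dc._msdcs.corp.mycompany.com. SRV 0 0 88 dcsA.corp.mycompany.com",
    "_kpasswd._tcp.corp.mycompany.com. SRV 0 0 464 dcsA.corp.mycompany.com",
    "_ldap._tcp.gc._msdcs.mycompany.com. SRV 0 0 3268 dcsB.corp.mycompany.com",
]

if __name__ == "__main__":
    for name in find_missing(SAMPLE_DC, OBSERVED):
        print("missing for", SAMPLE_DC.fqdn, ":", name)
```

Records registered by another DC (the dcsB line) are deliberately ignored when checking dcsA, since the tip's point is that every DC must have its own set; a record that exists but names the wrong host is as much a problem as one that is absent. To check a real environment, replace OBSERVED with the lines from your own zone listing and set the site and role flags to match each DC.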


James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.


This was first published in December 2003
