Basic DNS records for Active Directory DCs
Be careful with the Active Directory Installation Wizard: it can register incorrect or incomplete DNS entries for a new domain controller. This tip lists the records that should exist so you can verify that your DNS configuration is correct.
When you install a domain controller, the Active Directory Installation Wizard (dcpromo) that configures and sets up the Active Directory structure also registers the DC's resource records with DNS: an A (host address) record for the server and a set of SRV (service location) records that clients use to find the services the DC offers. Use the list of standard records below to compare against your DNS zones. If you see blatant differences, you may need to fix the records by hand.
If the server name is dcsA, the domain name is corp.mycompany.com, and the DC uses the IP address 10.19.174.98, then the basic records created during installation will be:
dcsA.corp.mycompany.com. A 10.19.174.98
_ldap._tcp.corp.mycompany.com. SRV 0 0 389 dcsA.corp.mycompany.com.
_kerberos._tcp.corp.mycompany.com. SRV 0 0 88 dcsA.corp.mycompany.com.
_ldap._tcp.dc._msdcs.corp.mycompany.com. SRV 0 0 389 dcsA.corp.mycompany.com.
_kerberos._tcp.dc._msdcs.corp.mycompany.com. SRV 0 0 88 dcsA.corp.mycompany.com.
The three numbers in each SRV record are priority, weight and port (389 for LDAP, 88 for Kerberos); the listing shows priority 0 and weight 0, while Windows registers a weight of 100 by default, and both values can be tuned per DC with the LdapSrvPriority and LdapSrvWeight registry values under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. Note that the _msdcs label must be written with its leading underscore; a record registered under the wrong name is as useless to clients as one that is missing. If you don't see these records in DNS for each DC, correct or add them manually.
The Netlogon service registers the following SRV records for the DC, depending on which roles and services the server holds:
(Note: SITE is the name of the Active Directory site the DC belongs to. The domain is corp.mycompany.com, the forest root is mycompany.com, and GUID is a placeholder for the domain's actual globally unique identifier.)
_ldap._tcp.corp.mycompany.com
(used for finding an LDAP server in the domain; the target is not necessarily a DC) - registered by all DCs
_ldap._tcp.SITE._sites.corp.mycompany.com
(used for finding an LDAP server in a particular site) - registered by all DCs
_ldap._tcp.dc._msdcs.corp.mycompany.com
(used for finding a DC in a particular domain) - registered by all DCs
_ldap._tcp.SITE._sites.dc._msdcs.corp.mycompany.com
(used for finding a DC in a particular domain and site) - registered by all DCs
_ldap._tcp.pdc._msdcs.corp.mycompany.com
(used for finding the PDC emulator of the domain) - registered only by the DC holding the PDC emulator role
_ldap._tcp.gc._msdcs.mycompany.com
(used for finding a Global Catalog server in the forest; port 3268) - registered by all Global Catalog servers
_ldap._tcp.SITE._sites.gc._msdcs.mycompany.com
(used for finding a Global Catalog server in a particular site; port 3268) - registered by all Global Catalog servers
_gc._tcp.mycompany.com
(used for finding a Global Catalog server in the forest; port 3268) - registered by DCs that host the Global Catalog
_gc._tcp.SITE._sites.mycompany.com
(used for finding a Global Catalog server in a particular site; port 3268) - registered by DCs that host the Global Catalog
_ldap._tcp.GUID.domains._msdcs.mycompany.com
(used for finding a DC in a domain by the domain's GUID; needed when the domain has been renamed) - registered by all DCs
_kerberos._tcp.corp.mycompany.com
(used for finding a Kerberos Key Distribution Center (KDC) in the domain; port 88) - registered by all DCs running the KDC service
_kerberos._udp.corp.mycompany.com
(used for finding a KDC in the domain over UDP) - registered by all DCs running the KDC service
_kerberos._tcp.SITE._sites.corp.mycompany.com
(used for finding a KDC in the domain and site) - registered by all DCs running the KDC service
_kerberos._tcp.dc._msdcs.corp.mycompany.com
(used for finding a DC that is also a KDC in the domain) - registered by all DCs running the KDC service
_kerberos._tcp.SITE._sites.dc._msdcs.corp.mycompany.com
(used for finding a DC that is also a KDC in the domain and site) - registered by all DCs running the KDC service
_kpasswd._tcp.corp.mycompany.com
(used for finding the Kerberos password-change service in the domain; port 464) - registered by all DCs running the KDC service
_kpasswd._udp.corp.mycompany.com
(used for finding the Kerberos password-change service in the domain over UDP; port 464) - registered by all DCs running the KDC service
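The following script is an added example, not code from the original article or from Microsoft: it turns the two lists above (the basic records for dcsA and the full role-dependent Netlogon set) into an expected record set and diffs it against what DNS actually holds. The observed records are constructed sample data in the zone-file style that dig, nslookup or a zone export prints; the DC name dcsA, the domain corp.mycompany.com, the forest mycompany.com and the address 10.19.174.98 come from the article, and the site name "HQ" is an assumption. The sample deliberately contains the kind of bad entry the article warns about (the _msdcs Kerberos record registered without its leading underscore) and one missing record.

```python
"""Audit the DNS records a domain controller should have registered.

Added example (not the article's or Microsoft's code). Builds the A/SRV record
set one DC should have registered, parses observed records in zone-file
presentation format, and reports what is missing or unexpected.
"""
import re

# Well-known ports the SRV records advertise.
LDAP_PORT, KERBEROS_PORT, KPASSWD_PORT, GC_PORT = 389, 88, 464, 3268


def expected_records(dc, ip, domain, forest, site, *, is_gc=False, is_pdc=False,
                     domain_guid=None):
    """Return the set of records Netlogon should register for one DC.

    Records are tuples: ("A", name, ip) or ("SRV", name, port, target), with
    names lower-cased and without trailing dots. Optional records depend on
    roles: pdc._msdcs only for the PDC emulator, the gc._msdcs/_gc names only
    for Global Catalog servers, the GUID record only when a domain GUID is given.
    """
    fqdn = f"{dc}.{domain}".lower()
    records = {("A", fqdn, ip)}

    def srv(name, port):
        records.add(("SRV", name.lower(), port, fqdn))

    # LDAP and Kerberos: domain-wide, per site, and the dc._msdcs duplicates.
    for suffix in (domain, f"{site}._sites.{domain}",
                   f"dc._msdcs.{domain}", f"{site}._sites.dc._msdcs.{domain}"):
        srv(f"_ldap._tcp.{suffix}", LDAP_PORT)
        srv(f"_kerberos._tcp.{suffix}", KERBEROS_PORT)
    srv(f"_kerberos._udp.{domain}", KERBEROS_PORT)
    srv(f"_kpasswd._tcp.{domain}", KPASSWD_PORT)
    srv(f"_kpasswd._udp.{domain}", KPASSWD_PORT)
    if domain_guid:
        srv(f"_ldap._tcp.{domain_guid}.domains._msdcs.{forest}", LDAP_PORT)
    if is_pdc:
        srv(f"_ldap._tcp.pdc._msdcs.{domain}", LDAP_PORT)
    if is_gc:
        srv(f"_ldap._tcp.gc._msdcs.{forest}", GC_PORT)
        srv(f"_ldap._tcp.{site}._sites.gc._msdcs.{forest}", GC_PORT)
        srv(f"_gc._tcp.{forest}", GC_PORT)
        srv(f"_gc._tcp.{site}._sites.{forest}", GC_PORT)
    return records


# "name TTL IN A addr" or "name TTL IN SRV priority weight port target"
_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|SRV)\s+(.+)$")


def parse_observed(text):
    """Parse zone-file style A and SRV lines into the same tuple form."""
    records = set()
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # blank lines and anything that is not an A/SRV record
        name = m.group(1).rstrip(".").lower()
        rdata = m.group(3).split()
        if m.group(2) == "A":
            records.add(("A", name, rdata[0]))
        else:
            _priority, _weight, port, target = rdata
            records.add(("SRV", name, int(port), target.rstrip(".").lower()))
    return records


def audit(expected, observed):
    """Return records that should exist but do not, and records nobody expected."""
    return {"missing": sorted(expected - observed),
            "unexpected": sorted(observed - expected)}


# Constructed sample of what a zone export for dcsA might contain. Two defects
# are planted: the dc._msdcs Kerberos record is registered as "dc.msdcs" (no
# underscore), and the UDP kpasswd record is absent.
SAMPLE_DNS = """
dcsA.corp.mycompany.com.                                1200 IN A   10.19.174.98
_ldap._tcp.corp.mycompany.com.                           600 IN SRV 0 100 389 dcsA.corp.mycompany.com.
_ldap._tcp.HQ._sites.corp.mycompany.com.                 600 IN SRV 0 100 389 dcsA.corp.mycompany.com.
_ldap._tcp.dc._msdcs.corp.mycompany.com.                 600 IN SRV 0 100 389 dcsA.corp.mycompany.com.
_ldap._tcp.HQ._sites.dc._msdcs.corp.mycompany.com.       600 IN SRV 0 100 389 dcsA.corp.mycompany.com.
_kerberos._tcp.corp.mycompany.com.                       600 IN SRV 0 100 88 dcsA.corp.mycompany.com.
_kerberos._udp.corp.mycompany.com.                       600 IN SRV 0 100 88 dcsA.corp.mycompany.com.
_kerberos._tcp.HQ._sites.corp.mycompany.com.             600 IN SRV 0 100 88 dcsA.corp.mycompany.com.
_kerberos._tcp.dc.msdcs.corp.mycompany.com.              600 IN SRV 0 100 88 dcsA.corp.mycompany.com.
_kerberos._tcp.HQ._sites.dc._msdcs.corp.mycompany.com.   600 IN SRV 0 100 88 dcsA.corp.mycompany.com.
_kpasswd._tcp.corp.mycompany.com.                        600 IN SRV 0 100 464 dcsA.corp.mycompany.com.
"""

if __name__ == "__main__":
    expected = expected_records("dcsA", "10.19.174.98", "corp.mycompany.com",
                                "mycompany.com", "HQ")
    for kind, recs in audit(expected, parse_observed(SAMPLE_DNS)).items():
        for rec in recs:
            print(kind.upper(), *rec)
```

Run against the sample, the audit flags the misspelled dc.msdcs Kerberos record as unexpected and reports the correctly named record plus _kpasswd._udp as missing, which is exactly the comparison the article asks you to do by eye. Priority and weight are parsed but ignored on purpose: they are tunable per DC and a difference there is not a defect. To audit a real DC, replace SAMPLE_DNS with the output of a zone export and set is_gc, is_pdc and domain_guid according to the roles that DC actually holds.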
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.