DNS Records Registered by Active Directory Domain Controllers

All SRV and A resource records (20 in total if the domain controller is a Global Catalog server; 15 if it is not) that each Active Directory domain controller must register on a DNS server are contained in the %SystemRoot%\system32\config\netlogon.dns file. (If your DNS server does not support dynamic record updates, you must manage these records manually.) An example of such a file is presented below.

Note 

It is possible to set a group policy that will prohibit registration of some or all SRV records by Windows .NET domain controllers. This policy, DC Locator DNS records not registered by the DCs, is located in the Computer Configuration | Administrative Templates | System | Net Logon | DC Locator DNS Records node of a Group Policy Object (GPO).

In this example: server name — netdc2.subdom.net.dom, domain name — subdom.net.dom, root domain name — net.dom, site name — NET-Site. The records are sorted for clarity. The real order will differ, but this does not matter. The five records that only a global catalog server registers are marked here with a trailing ; GC comment. You can verify resource records with the DNS snap-in.

    subdom.net.dom. 600 IN A 192.168.1.102
    1affcd49-c47f-4499-82b8-48721ed1c799._msdcs.net.dom. 600 IN CNAME netdc2.subdom.net.dom.
    _ldap._tcp.subdom.net.dom. 600 IN SRV 0 100 389 netdc2.subdom.net.dom.
    _ldap._tcp.dc._msdcs.subdom.net.dom. 600 IN SRV 0 100 389 netdc2.subdom.net.dom.
    _ldap._tcp.pdc._msdcs.subdom.net.dom. 600 IN SRV 0 100 389 netdc2.subdom.net.dom.
    _ldap._tcp.gc._msdcs.net.dom. 600 IN SRV 0 100 3268 netdc2.subdom.net.dom. ; GC
    _ldap._tcp.729173d2-f48b-4655-ac5c-5f1c0c93cbdd.domains._msdcs.net.dom. 600 IN SRV 0 100 389 netdc2.subdom.net.dom.
    _ldap._tcp.NET-Site._sites.subdom.net.dom. 600 IN SRV 0 100 389 netdc2.subdom.net.dom.
    _ldap._tcp.NET-Site._sites.dc._msdcs.subdom.net.dom. 600 IN SRV 0 100 389 netdc2.subdom.net.dom.
    _ldap._tcp.NET-Site._sites.gc._msdcs.net.dom. 600 IN SRV 0 100 3268 netdc2.subdom.net.dom. ; GC
    gc._msdcs.net.dom. 600 IN A 192.168.1.102 ; GC
    _gc._tcp.net.dom. 600 IN SRV 0 100 3268 netdc2.subdom.net.dom. ; GC
    _gc._tcp.NET-Site._sites.net.dom. 600 IN SRV 0 100 3268 netdc2.subdom.net.dom. ; GC
    _kerberos._tcp.subdom.net.dom. 600 IN SRV 0 100 88 netdc2.subdom.net.dom.
    _kerberos._udp.subdom.net.dom. 600 IN SRV 0 100 88 netdc2.subdom.net.dom.
    _kerberos._tcp.dc._msdcs.subdom.net.dom. 600 IN SRV 0 100 88 netdc2.subdom.net.dom.
    _kerberos._tcp.NET-Site._sites.dc._msdcs.subdom.net.dom. 600 IN SRV 0 100 88 netdc2.subdom.net.dom.
    _kerberos._tcp.NET-Site._sites.subdom.net.dom. 600 IN SRV 0 100 88 netdc2.subdom.net.dom.
    _kpasswd._tcp.subdom.net.dom. 600 IN SRV 0 100 464 netdc2.subdom.net.dom.
    _kpasswd._udp.subdom.net.dom. 600 IN SRV 0 100 464 netdc2.subdom.net.dom.

As you can see, the first two records are of the A (host) and CNAME (alias) types, respectively; the other records are of the SRV (service location) type. Let us discuss the purpose of every record in the order in which they are presented in the listing above. In the descriptions, DNSDomainName is the name of the current domain, e.g., subdom.net.dom, and DNSRootName is the name of the forest root domain (which can also be a tree root domain name if there is only one tree in the forest), e.g., net.dom.

Important 

Do not confuse a tree root domain name (there may be a few in the forest) with the forest root domain name (only one). For example, a forest may include two domain trees with the root domains net.dom and net2.dom. Only the first created domain — net.dom — will be the forest root domain. Therefore, if the Global Catalog servers appear in the net2.dom domain (or in any child domains), they will still register the appropriate records in the net.dom DNS zone.

<DNSDomainName> — a client can use this A record to find a domain controller in the domain by using a normal host record lookup.

<NTDSSettingsGUID>._msdcs.<DNSRootName> — each domain controller registers this CNAME record for its child object (Directory System Agent, DSA), CN=NTDS Settings, CN=<DCName>, CN=Servers, CN=<SiteName>, CN=Sites, CN=Configuration, DC=<DomainName>, which uniquely identifies this controller in the Active Directory replication topology. A client can use this CNAME record to find a specific DC in the forest.

_ldap._tcp.<DNSDomainName> — a client can use this record to find an LDAP server in the specified domain. Each domain controller registers this record.

_ldap._tcp.dc._msdcs.<DNSDomainName> — allows a client to find a DC in the specified domain. Each domain controller registers this record. This record (with appropriate domain names) is used for joining a domain, a tree, or a forest; the current, parent, or root domain name is specified, respectively.

_ldap._tcp.pdc._msdcs.<DNSDomainName> — a client can use this record to find the Primary Domain Controller (PDC) Emulator in a mixed-mode domain. Only the PDC masters register this record.

_ldap._tcp.gc._msdcs.<DNSRootName> — a client can use this record to locate a Global Catalog (GC) server in the forest. Only GC servers register this record.

_ldap._tcp.<DomainGUID>.domains._msdcs.<DNSRootName> — a client can use this record to locate a domain controller in the domain specified by the domain GUID. Each domain controller registers this record.

_ldap._tcp.<SiteName>._sites.<DNSDomainName> — a client can use this record to find an LDAP server (not necessarily a DC) in the specified domain and site. Each Active Directory DC registers this record for its site.

_ldap._tcp.<SiteName>._sites.dc._msdcs.<DNSDomainName> — a client can use this record to locate a domain controller in the specified domain and site. Each domain controller registers this record.

_ldap._tcp.<SiteName>._sites.gc._msdcs.<DNSRootName> — allows a client to find a GC server for the forest in the specified site. Only GC servers register this record for their site.

gc._msdcs.<DNSRootName> — allows a non-SRV-aware client to find a GC server for the forest.

_gc._tcp.<DNSRootName> — a client can use this record to locate a GC server (not necessarily a DC) in the forest. Only an LDAP server that is the GC server registers this record.

_gc._tcp.<SiteName>._sites.<DNSRootName> — allows a client to find a GC server (not necessarily a DC) for the forest in the specified site.

_ldap._tcp.<SiteName>._sites.<DNSRootName> — a client can use this record to find an LDAP server (not necessarily a DC) in the forest.

_kerberos._tcp.<DNSDomainName> — a client can use this record to locate a server (not necessarily a DC) that is running the Kerberos Key Distribution Center (KDC) service in the specified domain. Each Active Directory DC registers this record.

_kerberos._udp.<DNSDomainName> — the same as above, but for the UDP protocol.

_kerberos._tcp.dc._msdcs.<DNSDomainName> — a client can use this record to locate a server (not necessarily a DC) that is running the Kerberos KDC service in the specified domain and site. Each DC registers this record.

_kerberos._tcp.<SiteName>._sites.dc._msdcs.<DNSDomainName> — a client can use this record to locate an Active Directory DC that is running the Kerberos KDC service in the specified domain. Each DC registers this record.

_kerberos._tcp.<SiteName>._sites.<DNSDomainName> — a client can use this record to locate an Active Directory DC that is running the Kerberos KDC service in the specified domain and site. Each DC registers this record.

_kpasswd._tcp.<DNSDomainName> — a client can use this record to locate a server (not necessarily a DC) that is running the Kerberos Password Change service in the specified domain. Each Active Directory DC that is running the Kerberos KDC service registers this record.

_kpasswd._udp.<DNSDomainName> — the same as above, but for the UDP protocol.

Note 

Notice that all records for global catalog servers refer to the forest root domain name.
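The naming scheme described above can be checked mechanically. The following Python script is an added example, not code from the book: it builds the set of 15 records every DC must register, plus the 5 GC records under the forest root name, and reports which of them a netlogon.dns listing lacks or carries on the wrong port. The sample listing and the two GUIDs are constructed for the example.

```python
"""Check a netlogon.dns listing against the DC Locator records a DC should register."""
import re

# Constructed sample in the netlogon.dns format shown above: DC netdc2 in subdom.net.dom,
# forest root net.dom, site NET-Site, GC server. Most records are left out; _gc._tcp has the wrong port.
SAMPLE = """\
subdom.net.dom. 600 IN A 192.168.1.102
_ldap._tcp.subdom.net.dom. 600 IN SRV 0 100 389 netdc2.subdom.net.dom.
_ldap._tcp.dc._msdcs.subdom.net.dom. 600 IN SRV 0 100 389 netdc2.subdom.net.dom.
_gc._tcp.net.dom. 600 IN SRV 0 100 389 netdc2.subdom.net.dom.
_kerberos._tcp.subdom.net.dom. 600 IN SRV 0 100 88 netdc2.subdom.net.dom.
"""
# Constructed GUIDs standing in for the DSA (NTDS Settings object) GUID and the domain GUID.
DC = dict(domain="subdom.net.dom", root="net.dom", site="NET-Site", is_gc=True,
          dsa_guid="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
          domain_guid="11111111-2222-3333-4444-555555555555")

RR = re.compile(r"^\s*(\S+)\s+\d+\s+IN\s+(A|CNAME|SRV)\s+(.*)$")

def expected_records(domain, root, site, dsa_guid, domain_guid, is_gc):
    """(owner name, type) -> port for the 15 records every DC registers, plus 5 for a GC."""
    d, r = domain.rstrip(".") + ".", root.rstrip(".") + "."
    srv = {f"_ldap._tcp.{x}": 389 for x in (d, f"dc._msdcs.{d}", f"pdc._msdcs.{d}",
           f"{domain_guid}.domains._msdcs.{r}", f"{site}._sites.{d}", f"{site}._sites.dc._msdcs.{d}")}
    srv.update({f"_kerberos._tcp.{x}": 88 for x in (d, f"dc._msdcs.{d}",
                f"{site}._sites.dc._msdcs.{d}", f"{site}._sites.{d}")})
    srv.update({f"_kerberos._udp.{d}": 88, f"_kpasswd._tcp.{d}": 464, f"_kpasswd._udp.{d}": 464})
    recs = {(d, "A"): None, (f"{dsa_guid}._msdcs.{r}", "CNAME"): None}
    if is_gc:  # GC records are always registered under the forest root name
        recs[(f"gc._msdcs.{r}", "A")] = None
        srv.update({f"_ldap._tcp.gc._msdcs.{r}": 3268, f"_ldap._tcp.{site}._sites.gc._msdcs.{r}": 3268,
                    f"_gc._tcp.{r}": 3268, f"_gc._tcp.{site}._sites.{r}": 3268})
    recs.update({(n, "SRV"): p for n, p in srv.items()})
    return recs

def parse_netlogon_dns(text):
    """(owner name, type) -> SRV port (None for A/CNAME) for every record line; order is irrelevant."""
    found = {}
    for m in filter(None, map(RR.match, text.splitlines())):
        name, rtype, rdata = m.groups()  # SRV rdata: priority weight port target
        found[(name, rtype)] = int(rdata.split()[2]) if rtype == "SRV" else None
    return found

def missing_records(text, **dc):
    """Expected records the listing lacks, or carries on a port other than the documented one."""
    have = parse_netlogon_dns(text)
    return sorted(f"{n} {t}" + (f" port {p}" if p else "")
                  for (n, t), p in expected_records(**dc).items() if have.get((n, t), "absent") != p)
```

Run `missing_records(SAMPLE, **DC)` to list the 16 records the constructed sample is missing; pointing it at a real netlogon.dns with the DC's own names gives the same check for that server.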

Resource Records for Application Partitions

If a Windows .NET domain controller holds one or more application directory partitions, it registers two SRV records and an A record for each partition in DNS. These records are not currently used by Active Directory; however, they allow other applications to find a server for a specific partition by using a DNS lookup operation. For example, if the DC netdc2.subdom.net.dom stores replicas of two built-in DNS application partitions, it will register the following records on the preferred DNS server:

    DomainDnsZones.net.dom. 600 IN A 192.168.1.102
    ForestDnsZones.net.dom. 600 IN A 192.168.1.102
    _ldap._tcp.DomainDnsZones.net.dom. 600 IN SRV 0 100 389 netdc2.subdom.net.dom.
    _ldap._tcp.NET-Site._sites.DomainDnsZones.net.dom. 600 IN SRV 0 100 389 netdc2.subdom.net.dom.
    _ldap._tcp.ForestDnsZones.net.dom. 600 IN SRV 0 100 389 netdc2.subdom.net.dom.
    _ldap._tcp.NET-Site._sites.ForestDnsZones.net.dom. 600 IN SRV 0 100 389 netdc2.subdom.net.dom.

Verifying and Updating DNS Registration

To test the DNS configuration for the entire forest, use the Nslookup command. The following sample dialog illustrates how to query the DNS server for the records registered by the Global Catalog servers. (Input commands are the lines that follow the > prompt.)

    C:\>nslookup
    Default Server:  netdc1.net.dom
    Address:  192.168.1.2

    > Set type=SRV
    > _gc._tcp.net.dom
    Server:  netdc1.net.dom
    Address:  192.168.1.2

    _gc._tcp.net.dom        SRV service location:
              priority       = 0
              weight         = 100
              port           = 3268
              svr hostname   = netdc2.subdom.net.dom
    _gc._tcp.net.dom        SRV service location:
              priority       = 0
              weight         = 100
              port           = 3268
              svr hostname   = netdc1.net.dom
    netdc2.subdom.net.dom   internet address = 192.168.1.102
    netdc1.net.dom          internet address = 192.168.1.2
    >

The DCdiag command verifies DNS settings of a domain controller's replication partners and connectivity with them.

To verify the DNS records registered by a specific domain controller, you can run the following commands on that DC:

  • netdiag /test:DNS (or netdiag /test:DNS /v) — a very powerful and trustworthy tool.

  • nltest /DSQUERYDNS — available on Windows .NET-based DCs; this command does not test SRV records for application partitions.

To re-register the records on a DNS server (provided that it implements dynamic updating), one of the following methods can be used:

  • Run the ipconfig /registerdns or netdiag /fix command

  • Restart the Netlogon service in the Services snap-in

  • Enter net stop netlogon, then net start netlogon at the command prompt

  • On Windows .NET-based DCs, run the nltest /DSREGDNS command

For a Windows .NET domain controller, it is also possible to de-register (e.g., for testing purposes) all SRV records with the following command:

    C:\>nltest /DSDEREGDNS:netdc1.net.dom
    The command completed successfully

Important 

When you are testing DNS, remember the cache of the DNS server as well as that of the local DNS resolver. Stale cached data can affect your test results. You might want to flush the caches after DNS settings have been updated.

Windows .NET Server 2003 Domains & Active Directory
ISBN: 1931769001
Year: 2002
Pages: 154