Domain Controller DNS Record Registration
January 28, 2019
Concurrency

DNS plays a central part in Active Directory. Clients use DNS records to discover and communicate with domain controllers, which in turn allows for proper domain functionality. Let's take a look at the key DNS records and some other helpful information for troubleshooting DNS issues.

Core DNS Records

There are 7 types of DNS records that get registered by the DCs in a domain. They are:

- PDC SRV Record: _ldap._tcp.pdc._msdcs.domain.com (one per domain)
- Global Catalog SRV Records: _ldap._tcp.gc._msdcs.domain.com (one per global catalog domain controller)
- Kerberos SRV Records: _kerberos._tcp.dc._msdcs.domain.com (one per domain controller)
- DC SRV Records: _ldap._tcp.dc._msdcs.domain.com (one per domain controller)
- DC A Records: domaincontroller.domain.com (one per domain controller)
- Global Catalog A Records: gc._msdcs.domain.com (one per domain controller)
- Domain Controller CNAME Records: dcguid._msdcs.domain.com (one per domain controller)

In addition to the above, some records also have site-specific DNS entries:

- Kerberos SRV Records: _kerberos._tcp.sitename._sites.dc._msdcs.domain.com (one per domain controller)
- DC SRV Records: _ldap._tcp.sitename._sites.dc._msdcs.domain.com (one per domain controller)
- Global Catalog SRV Records: _ldap._tcp.sitename._sites.gc._msdcs.domain.com (one per global catalog domain controller)

To summarize with an example, a DC named mydc01 in the site site1 of the domain contoso.com would register the following records:

- _ldap._tcp.gc._msdcs.contoso.com – SRV record pointing to mydc01
- _kerberos._tcp.dc._msdcs.contoso.com – SRV record pointing to mydc01
- _ldap._tcp.dc._msdcs.contoso.com – SRV record pointing to mydc01
- mydc01.contoso.com – A record pointing to the IP of mydc01
- gc._msdcs.contoso.com – A record pointing to the IP of mydc01
- 90f50531-96cf-4ffe-ab5e-9ce96f2580d1._msdcs.contoso.com – CNAME record pointing to mydc01
- _kerberos._tcp.site1._sites.dc._msdcs.contoso.com – SRV record pointing to mydc01
- _ldap._tcp.site1._sites.dc._msdcs.contoso.com – SRV record pointing to mydc01
- _ldap._tcp.site1._sites.gc._msdcs.contoso.com – SRV record pointing to mydc01
- _ldap._tcp.pdc._msdcs.contoso.com – SRV record pointing to mydc01 (only registered if mydc01 is the PDCe for the domain)

Re-registering Records

A domain controller can be forced to re-register its DNS records with two commands:

ipconfig /registerdns
    This registers the DC's A record (mydc01.contoso.com).

net stop netlogon && net start netlogon
    This restarts the Netlogon service. When the Netlogon service starts up, it automatically tries to register the rest of the DC's DNS records.

An important point to note is that both of these processes use the preferred DNS server from the NIC settings to perform the registration. If the NIC has invalid DNS servers configured, the record registration will fail.

Troubleshooting

If any of the required DNS entries are missing and running the above commands doesn't resolve it, check the following:

- The System event log will contain entries from the NETLOGON source if the service has an issue registering the SRV and related DNS records.
- The System event log will contain entries from the DNS Client Events source if there is an issue with the standard A record registration.
- Enable Netlogon debug logging and check the netlogon.log file:
  1. Run Nltest /DBFlag:2080FFFF to enable debug logging for the Netlogon service.
  2. Restart the Netlogon service to force re-registration.
  3. Check the C:\Windows\debug\netlogon.log file for errors.
  4. Run Nltest /DBFlag:0x0 to disable debug logging when done.
- Ensure that the DNS servers on the DC's NIC are configured correctly. Since the NETLOGON DNS record registration uses the primary DNS servers on the NIC, a misconfiguration here can cause failures. For example, make sure that the DNS settings point to valid, online DNS servers.
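The following PowerShell script is an added example, not code from the article or from Concurrency. It turns the record list above into a check that can be run on a DC: it builds the set of records the DC should have registered (core, site-specific, GC and PDCe records as applicable), resolves each with Resolve-DnsName, reports which are missing or do not point at this DC, and then lists the NIC DNS servers and recent NETLOGON / DNS Client events from the troubleshooting section. The default names (mydc01, contoso.com, site1) are the article's example values; the DSA GUID for the CNAME check, the DC's IP addresses and an optional DNS server to query are parameters you supply, and the assumption that the script runs on the DC itself only matters when you let it pick up the local IPv4 addresses.

```powershell
<#
  Added example for this article (not Concurrency's own code or tooling).
  Builds the DNS records a DC is expected to register, checks each with
  Resolve-DnsName, and shows the NIC DNS servers that Netlogon and
  ipconfig /registerdns would use for registration.
#>
param(
    [string]$DcName   = 'mydc01',      # article's example DC
    [string]$Domain   = 'contoso.com', # article's example domain
    [string]$SiteName = 'site1',       # article's example site
    [switch]$IsGlobalCatalog,
    [switch]$IsPdcEmulator,
    [string]$DsaGuid,        # objectGUID of the DC's NTDS Settings object (for the CNAME record)
    [string[]]$DcIPAddress,  # IPv4 address(es) of the DC; defaults to this host's addresses
    [string]$DnsServer       # optional: query this server instead of the NIC's DNS servers
)

$fqdn = "$DcName.$Domain".ToLower()

if (-not $DcIPAddress) {
    # Assumes the script runs on the DC: use its non-loopback, non-APIPA IPv4 addresses.
    $DcIPAddress = @(Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.PrefixOrigin -ne 'WellKnown' }).IPAddress
}

# Records every DC registers (core plus site-specific), per the article's list.
$expected = @(
    @{ Name = "_kerberos._tcp.dc._msdcs.$Domain";                  Type = 'SRV' }
    @{ Name = "_ldap._tcp.dc._msdcs.$Domain";                      Type = 'SRV' }
    @{ Name = "_kerberos._tcp.$SiteName._sites.dc._msdcs.$Domain"; Type = 'SRV' }
    @{ Name = "_ldap._tcp.$SiteName._sites.dc._msdcs.$Domain";     Type = 'SRV' }
    @{ Name = $fqdn;                                               Type = 'A'   }
)
# Role-dependent records: global catalog, PDC emulator, and the DSA-GUID CNAME.
if ($IsGlobalCatalog) {
    $expected += @{ Name = "_ldap._tcp.gc._msdcs.$Domain";                  Type = 'SRV' }
    $expected += @{ Name = "_ldap._tcp.$SiteName._sites.gc._msdcs.$Domain"; Type = 'SRV' }
    $expected += @{ Name = "gc._msdcs.$Domain";                             Type = 'A'   }
}
if ($IsPdcEmulator) { $expected += @{ Name = "_ldap._tcp.pdc._msdcs.$Domain"; Type = 'SRV'   } }
if ($DsaGuid)       { $expected += @{ Name = "$DsaGuid._msdcs.$Domain";       Type = 'CNAME' } }

function Test-DcDnsRecord {
    param([hashtable]$Record)
    $query = @{ Name = $Record.Name; Type = $Record.Type; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $query.Server = $DnsServer }
    # Resolve-DnsName also returns additional-section records (e.g. A records for SRV
    # targets), so keep only answers of the requested type.
    $answers = @(Resolve-DnsName @query | Where-Object { $_.Type -eq $Record.Type })
    # A record can exist but point at another DC; distinguish that from a missing record.
    $pointsToDc = switch ($Record.Type) {
        'SRV'   { @($answers | Where-Object { $_.NameTarget -eq $fqdn }).Count -gt 0 }
        'CNAME' { @($answers | Where-Object { $_.NameHost   -eq $fqdn }).Count -gt 0 }
        'A'     { @($answers | Where-Object { $DcIPAddress -contains $_.IPAddress }).Count -gt 0 }
    }
    $status = 'PRESENT-BUT-NOT-THIS-DC'
    if ($answers.Count -eq 0) { $status = 'MISSING' } elseif ($pointsToDc) { $status = 'OK' }
    [pscustomobject]@{ Record = $Record.Name; Type = $Record.Type; Answers = $answers.Count; Status = $status }
}

$results = $expected | ForEach-Object { Test-DcDnsRecord $_ }
$results | Format-Table -AutoSize | Out-Host

# Registration goes through the NIC's configured DNS servers; a stale or unreachable
# entry here is the misconfiguration the article's last troubleshooting step targets.
Write-Host "`nDNS servers configured on this host's NICs:"
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize | Out-Host

# Recent System-log events from the two sources the article names.
Write-Host "`nRecent NETLOGON / DNS Client events in the System log (last 24h):"
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = @('NETLOGON', 'Microsoft-Windows-DNS-Client')
    StartTime    = (Get-Date).AddDays(-1)
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, ProviderName, Id, Message -AutoSize -Wrap | Out-Host

# Non-zero exit when any expected record is missing or points elsewhere, for use in scheduled checks.
if (@($results | Where-Object { $_.Status -ne 'OK' }).Count -gt 0) { exit 1 } else { exit 0 }
```

Run it on the DC as, for example, .\Test-DcDnsRegistration.ps1 -DcName mydc01 -Domain contoso.com -SiteName site1 -IsGlobalCatalog -IsPdcEmulator -DsaGuid 90f50531-96cf-4ffe-ab5e-9ce96f2580d1. Passing -DnsServer with the address of a specific DNS server is useful after a re-registration: querying the server the NIC actually points at, rather than whichever resolver answers first, tells you whether the registration reached it, which is the failure mode the article describes when the NIC's preferred DNS server is wrong.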